SpamAssassin/ClamAV not working

Discussion in 'Installation/Configuration' started by Daisy, Jan 5, 2007.

  1. falko

    falko Super Moderator

    Looks ok.

    What's in the .procmailrc file of the web3_spamtrap user?
     
  2. Daisy

    Daisy New Member

    MAILDIR=$HOME/Maildir/
    DEFAULT=$MAILDIR
    ORGMAIL=$MAILDIR

    INCLUDERC=/var/www/web3/user/web3_spamtrap/.mailsize.rc
    ## INCLUDERC=/var/www/web3/user/web3_spamtrap/.quota.rc
    ## INCLUDERC=/var/www/web3/user/web3_spamtrap/.antivirus.rc
    INCLUDERC=/var/www/web3/user/web3_spamtrap/.local-rules.rc
    INCLUDERC=/var/www/web3/user/web3_spamtrap/.html-trap.rc
    ## INCLUDERC=/var/www/web3/user/web3_spamtrap/.spamassassin.rc
    ## INCLUDERC=/var/www/web3/user/web3_spamtrap/.autoresponder.rc
    ~
     
  3. falko

    falko Super Moderator

    Please disable Mailscan in that user's ISPConfig settings. I'm not sure, but it is possible that Mailscan deletes the Eicar test virus.
     
  4. edge

    edge HowtoForge Supporter

    Daisy,

    Small note on your main.cf (postfix),

    remove:
    Code:
    reject_rbl_client relays.ordb.org,
    
    ordb.org is no more (gone)!
     
  5. Daisy

    Daisy New Member

    Thanks for all the tips. Everything seems to be working well now. I've actually gotten complaints about it being TOO strict from friends whose stupid ISPs have gotten their mailservers blacklisted.

    One last question, I opted to have the subject rewritten but, instead of just getting a changed subject, I get a whole new email with the old email as an attachment. If I try to forward this on to my account at spamcop, they can't find the headers. Should the headers be changed so? What's going on?
     
  6. falko

    falko Super Moderator

    That's strange. :confused: Did you disable Mailscan?
     
  7. Daisy

    Daisy New Member

    Yep. Mailscan and antivirus are disabled. Only spamfilter, Rewrite Subject, and Use URIBL are checked. I just disabled all my rbl client rejects so I'll grab the next spam that comes in and post the headers to show you what I mean.
     
  8. Daisy

    Daisy New Member

    ok, so here's what I get:
    Code:
    Received: from localhost by mysite.com
    	with SpamAssassin (version 3.1.7);
    	Wed, 24 Jan 2007 07:03:06 -0600
    From: "CSS" <mlijghev@co.th>
    To: me@mysite.com
    Subject: ***SPAM*** All you favorite games 
    Date: Wed, 24 Jan 2007 20:05:03 -0700
    Message-Id: <27F12A03C4C9013.E79BA94F3A@co.th>
    X-Spam-Flag: YES
    X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on mysite.com
    X-Spam-Level: *******************************
    X-Spam-Status: Yes, score=31.6 required=5.0 tests=DATE_IN_FUTURE_12_24,
    	DCC_CHECK,DIGEST_MULTIPLE,HELO_DYNAMIC_IPADDR,HTML_FONT_BIG,
    	HTML_MESSAGE,MIME_HTML_ONLY,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,
    	RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,
    	RCVD_IN_NJABL_DUL,URIBL_AB_SURBL,URIBL_JP_SURBL,URIBL_OB_SURBL,
    	URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL autolearn=spam version=3.1.7
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="----------=_45B7590A.A8B2BAE2"
    
    This is a multi-part message in MIME format.
    
    ------------=_45B7590A.A8B2BAE2
    Content-Type: text/plain
    Content-Disposition: inline
    Content-Transfer-Encoding: 8bit
    
    Spam detection software, running on the system "mysite.com", has
    identified this incoming email as possible spam.  The original message
    has been attached to this so you can view it (if it isn't spam) or label
    similar future email.  If you have any questions, see
    the administrator of that system for details.
    
    Content preview:  Only from the most noble of all casinos you could except
      such a Regal gift: 300% Bonus on your First Deposit!!! Deposit 100 €/$
      and Play with 400 €/$!!! And on top of that, a service at such a level
      you would not find in the best Royal Families of Europe. [...] 
    
    Content analysis details:   (31.6 points, 5.0 required)
    
     pts rule name              description
    ---- ---------------------- --------------------------------------------------
     3.4 HELO_DYNAMIC_IPADDR    Relay HELO'd using suspicious hostname (IP addr
                                1)
     2.3 DATE_IN_FUTURE_12_24   Date: is 12 to 24 hours after Received: date
     0.0 HTML_MESSAGE           BODY: HTML included in message
     0.3 HTML_FONT_BIG          BODY: HTML tag for a big font size
     0.0 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
     1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
                                above 50%
                                [cf: 100]
     1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
                                above 50%
                                [cf: 100]
     0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
     0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                                [cf: 100]
     2.8 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
     1.4 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
     1.7 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
                                [124.120.75.104 listed in combined.njabl.org]
     1.1 URIBL_SBL              Contains an URL listed in the SBL blocklist
                                [URIs: royal-casinos.net]
     3.3 URIBL_AB_SURBL         Contains an URL listed in the AB SURBL blocklist
                                [URIs: royal-casinos.net]
     3.4 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
                                [URIs: royal-casinos.net]
     1.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                                [URIs: royal-casinos.net]
     2.6 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
                                [URIs: royal-casinos.net]
     3.6 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
                                [URIs: royal-casinos.net]
     0.2 DIGEST_MULTIPLE        Message hits more than one network digest check
    
    The original message was not completely plain text, and may be unsafe to
    open with some email clients; in particular, it may contain a virus,
    or confirm that your address can receive spam.  If you wish to view
    it, it may be safer to save it to a file and open it with an editor.
    
    
    ------------=_45B7590A.A8B2BAE2
    Content-Type: message/rfc822; x-spam-type=original
    Content-Description: original message before SpamAssassin
    Content-Disposition: attachment
    Content-Transfer-Encoding: 8bit
    
    Return-Path: <mlijghev@co.th>
    X-Original-To: me@mysite.com
    Delivered-To: me@mysite.com
    Received: from ppp-124.120.75.104.revip2.asianet.co.th (ppp-124.120.75.104.revip2.asianet.co.th [124.120.75.104])
    	by mysite.com (Postfix) with ESMTP id 6D93728812D
    	for <me@mysite.com>; Wed, 24 Jan 2007 07:02:54 -0600 (CST)
    From:	"CSS" <mlijghev@co.th>
    To: me@mysite.com
    Subject: All you favorite games 
    Date:	Wed, 24 Jan 2007 20:05:03 -0700
    MIME-Version: 1.0
    Content-Type: multipart/related;
    	boundary="----=_NextPart_000_0004_01C73FF2.EF359450"
    X-Mailer: Microsoft Office Outlook, Build 11.0.5510
    Thread-Index: Acc/8u81fpkgH5tzTVSodtW9OyefTg==
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869
    Message-Id: <27F12A03C4C9013.E79BA94F3A@co.th>
    
    ------=_NextPart_000_0004_01C73FF2.EF359450
    Content-Type: text/html;
    	charset="us-ascii"
    Content-Transfer-Encoding: quoted-printable
    
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <HTML><HEAD>
    <META http-equiv=3DContent-Type content=3D"text/html; charset=3Dus-ascii">
    <META content=3D"MSHTML 6.00.2900.2963" name=3DGENERATOR>
    <STYLE></STYLE>
    
    </HEAD>
    <BODY><p align=3D"center"><font face=3D"Arial, Helvetica, sans-serif"><b>
    <font size=3D"+1" color=3D"#00CC00" face=3D"Courier New, Courier, mono">Only from the most noble of all<br>
    casinos you could except such a Regal gift:</font><br><br>
    
    <font size=3D"+2" color=3D"#FF0000">300% Bonus on your <font color=3D"#0000FF">First Deposit!!!</font></font><br><br>
    
    <font style=3D"font-size:13pt" color=3D"#000000">Deposit 100 €/$ and Play with 400 €/$!!!</font><br>
    And on top of that, a service at such a<br>
    level you would not find in the best<br>
    Royal Families of Europe.<br><br>
    
    <a href=3D"http://royal-casinos.net"> Come and play at Royal VIP Casino!!! </a></b></font><br><br>
    
    If you didn’t sign up click <a href=3D"http://royal-casinos.net/unsub.php">here</a>
    </p>
    </BODY></HTML>
    
    ------=_NextPart_000_0004_01C73FF2.EF359450--
    
    
    ------------=_45B7590A.A8B2BAE2--
    If I click on the attachment and view that email, it shows this:
    Code:
    Return-Path: <mlijghev@co.th>
    X-Original-To: me@mysite.com
    Delivered-To: me@mysite.com
    Received: from ppp-124.120.75.104.revip2.asianet.co.th (ppp-124.120.75.104.revip2.asianet.co.th [124.120.75.104])
    	by mysite.com (Postfix) with ESMTP id 6D93728812D
    	for <me@mysite.com>; Wed, 24 Jan 2007 07:02:54 -0600 (CST)
    From:	"CSS" <mlijghev@co.th>
    To: me@mysite.com
    Subject: All you favorite games 
    Date:	Wed, 24 Jan 2007 20:05:03 -0700
    MIME-Version: 1.0
    Content-Type: multipart/related;
    	boundary="----=_NextPart_000_0004_01C73FF2.EF359450"
    X-Mailer: Microsoft Office Outlook, Build 11.0.5510
    Thread-Index: Acc/8u81fpkgH5tzTVSodtW9OyefTg==
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869
    Message-Id: <27F12A03C4C9013.E79BA94F3A@co.th>
    
    ------=_NextPart_000_0004_01C73FF2.EF359450
    Content-Type: text/html;
    	charset="us-ascii"
    Content-Transfer-Encoding: quoted-printable
    
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <HTML><HEAD>
    <META http-equiv=3DContent-Type content=3D"text/html; charset=3Dus-ascii">
    <META content=3D"MSHTML 6.00.2900.2963" name=3DGENERATOR>
    <STYLE></STYLE>
    
    </HEAD>
    <BODY><p align=3D"center"><font face=3D"Arial, Helvetica, sans-serif"><b>
    <font size=3D"+1" color=3D"#00CC00" face=3D"Courier New, Courier, mono">Only from the most noble of all<br>
    casinos you could except such a Regal gift:</font><br><br>
    
    <font size=3D"+2" color=3D"#FF0000">300% Bonus on your <font color=3D"#0000FF">First Deposit!!!</font></font><br><br>
    
    <font style=3D"font-size:13pt" color=3D"#000000">Deposit 100 €/$ and Play with 400 €/$!!!</font><br>
    And on top of that, a service at such a<br>
    level you would not find in the best<br>
    Royal Families of Europe.<br><br>
    
    <a href=3D"http://royal-casinos.net"> Come and play at Royal VIP Casino!!! </a></b></font><br><br>
    
    If you didn’t sign up click <a href=3D"http://royal-casinos.net/unsub.php">here</a>
    </p>
    </BODY></HTML>
    
    ------=_NextPart_000_0004_01C73FF2.EF359450--
    I forwarded both as an attachment to spamcop and the first, the one that had been altered, got me the "No source IP address found, cannot proceed." error message from spamcop that I've been getting. The second parsed ok. Now, I'm thinking that having to open the email (not using a preview pane) and then opening an attached email, and then forwarding the now opened attachment of the email is a bit of a hassle. Is this working right or do I have some setting wrong?
     

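The wrapper posted above carries the untouched message as a `message/rfc822; x-spam-type=original` part, and its own top-level `Received:` line has no relay IP, which is why a reporting service finds no source address in it. The following is an added example, not part of the original thread: a Python sketch that pulls the original message back out of such a wrapper so it can be reported with its real headers; the sample message is constructed and its addresses are placeholders.

```python
import email
import re
from email import policy

# Constructed sample shaped like the wrapper in the post (addresses are placeholders).
WRAPPED = b"""\
Received: from localhost by mysite.com
\twith SpamAssassin (version 3.1.7);
\tWed, 24 Jan 2007 07:03:06 -0600
Subject: ***SPAM*** All you favorite games
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_SAMPLE"

------------=_SAMPLE
Content-Type: text/plain

Spam detection software has identified this incoming email as possible spam.

------------=_SAMPLE
Content-Type: message/rfc822; x-spam-type=original

Received: from host.example.invalid (host.example.invalid [192.0.2.10])
\tby mysite.com (Postfix) with ESMTP id 6D93728812D;
\tWed, 24 Jan 2007 07:02:54 -0600 (CST)
Subject: All you favorite games

body text

------------=_SAMPLE--
"""

def unwrap_original(raw: bytes) -> bytes:
    """Return the attached original message, or raw unchanged if not wrapped."""
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    for part in msg.walk():
        if (part.get_content_type() == "message/rfc822"
                and part.get_param("x-spam-type") == "original"):
            # compat32 keeps header text as received, so Received: lines survive intact
            return part.get_payload(0).as_bytes()
    return raw

def received_ips(raw: bytes) -> list:
    """Bracketed IPv4 addresses found in the top-level Received: headers only."""
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    found = []
    for value in msg.get_all("Received", []):
        found += re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", value)
    return found
```

In SpamAssassin's own configuration this wrapping is controlled by `report_safe`; with `report_safe 0` the original message is delivered with only the `X-Spam-*` headers and the subject tag added.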

  9. falko

    falko Super Moderator

    I've never had this problem, so I don't know why it isn't working for you. Maybe some kind of encoding problem?
     
  10. Daisy

    Daisy New Member

    ? encoding?
     
  11. cambo

    cambo New Member

    Hi Till
    I am not getting X-Spam headers and spam is not being filtered.
    Spamassassin is on in ISPConfig.
    You mentioned that the path is -
    My install is not in that path but is this one -
    /home/admispconfig/ispconfig/tools/spamassassin/usr/local/bin/spamassassin
    Would that be why my Spamassassin is not working? If so, how do I fix it?
    If not, any suggestions as to what to check?
    One other thing. I am a bit confused as to whether a Spamassassin daemon should be running?? I get the impression it shouldn't be and that Spamassassin is called when an email arrives and needs to be scanned. Is that right?
    Thanks
    Cambo
     
  12. till

    till Super Moderator

    Please open the file /root/ispconfig/isp/conf/spamassassin.rc.master and change the path to spamassassin from /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin to /home/admispconfig/ispconfig/tools/spamassassin/usr/local/bin/spamassassin

    Then edit your mailuser in ISPConfig (e.g. change the quota value) and hit save so ISPConfig rewrites the user configuration with the new spamassassin.rc file. Then test if Spamassassin works now for you.
     
    Last edited: Feb 15, 2007
  13. cambo

    cambo New Member

    Hi Till

    Your solution was the correct one (as usual). :)
    I am not sure why my Spamassassin path was different as I just followed the Perfect Install, however it all works now, so it's all good.
    Thanks for your help.
    Cambo
     
