Spamassassin does not modify headers on ispconfig Debian 7

Discussion in 'Installation/Configuration' started by paranoico, May 27, 2015.

  1. paranoico

    paranoico New Member HowtoForge Supporter

    Continuing the thread where I originally asked:
    https://www.howtoforge.com/communit...modify-headers-on-ispconfig-centos-7-1.70164/

    Spamassassin does not seem to be working, since email message headers are not modified and spam email is not blocked. For instance, the following email is spam for sure (confirmed at http://spamcheck.postmarkapp.com/ with a Spam Score of 5.2):

    From - Tue May 26 09:12:50 2015
    X-Account-Key: account3
    X-UIDL: 000000b55546d392
    X-Mozilla-Status: 0000
    X-Mozilla-Status2: 00000000
    X-Mozilla-Keys:
    Return-Path: <[email protected]ewsletter.cluboferting.net>
    Delivered-To: [email protected]
    Received: from localhost (localhost [127.0.0.1])
    by ns1.domain.mx (Postfix) with ESMTP id 7153F450BC
    for <[email protected]>; Tue, 26 May 2015 07:15:31 -0500 (CDT)
    X-Virus-Scanned: Debian amavisd-new at ns1.domain.mx
    Received: from ns1.domain.mx ([127.0.0.1])
    by localhost (ns1.domain.mx [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id rojtlvklhSIe for <a.b.com>;
    Tue, 26 May 2015 07:14:53 -0500 (CDT)
    Received: from evo1mta1a97.emstechnology2.net (evo1mta1a97.emstechnology2.net [178.248.184.97])
    by ns1.domain.mx (Postfix) with ESMTP id 6C1804503F
    for <[email protected]>; Tue, 26 May 2015 07:14:22 -0500 (CDT)
    DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=20132014; d=newsletter.cluboferting.net;
    h=From:Reply-To:To:Message-ID:Date:Subject:MIME-Version:Content-Type; i=[email protected];
    bh=bG9h5IwuAewctLsRnnZRzLrf5ug=;
    b=YNU/D/90Vu4KToo+2zX1t4esTL6LGhm+Q5DQ1VKpOAJk9Tj4TBgtPc4jc821KiDc76I9vfFs88N2
    bzMp+vGytIoLb0NiAFF6rypVR9li+MXaZY1wV58d1yH1eg875unONH2S7E8CFFT6eNP5TX1h5+bX
    pP0ccHLjkQSVBLea9eGSnULw6vRRoedMpc2YQhGfyzPvK8gPGeYkBvFGZ87oU+39gTQEl/6L39Bh
    4fFaP8HOi+rxFdr/8Q8DmJmEV2p+eF1LUm0EV48UqlnlwRnr/wn6JwLsDgLazi7K+LuVJF1zOGTC
    2C21wOAJUqpIqZXgNdoq1vIo+7fDkV31taMnQg==
    Received: by evo1mta1a96.emstechnology2.net id hchhrq18c0kd for <[email protected]>; Tue, 26 May 2015 14:14:21 +0200 (envelope-from <[email protected]ewsletter.cluboferting.net>)
    DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=20132014; d=newsletter.cluboferting.net;
    h=From:Reply-To:To:Message-ID:Date:Subject:MIME-Version:Content-Type; i=[email protected];
    ...
    ...

    Both the domain and the email addresses have had the spam filter policy set to Normal for weeks. And the Normal policy was updated with the following Tag-Levels values:

    SPAM tag level 3
    SPAM tag2 level 4.5
    SPAM kill level 5
    SPAM modifies subject YES
    SPAM subject tag2 ***SPAM***

    So, as I said, there seems to be some kind of error, since the server was configured using the Perfect Server guide.

    Thanks in advance.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    This line means that the email was scanned by spamassassin, as spamassassin is part of amavisd.

    The above email is most likely not reaching the spam tag level, so no headers get written into the mail header.

    Set:

    SPAM tag level -100
    SPAM tag2 level 3
     
  3. paranoico

    paranoico New Member HowtoForge Supporter

    Thanks Till,
    Changes made, give me some days, I will see if Spam is blocked now.
     
  4. paranoico

    paranoico New Member HowtoForge Supporter

    Hello Till,
    I am afraid that settings do not work.
    I have a new email message, a lot worse, with a Spam Score of 13.9 points. And SpamAssassin still does not block it.
    Is there some way to check some log, or how do I know what exactly SpamAssassin or Amavis is doing?

    What else can we do?
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    When you see a spam score, then spamassassin is working correctly, as this score is assigned by spamassassin.
     
  6. paranoico

    paranoico New Member HowtoForge Supporter

    What?????
    Are you even trying to read my post and understand it?
    Is there anybody else who can help me with this, please? o_O

    The Perfect Server guide seems to be wrong about the Amavis and Spamassassin setup, or maybe it is something we did, but we have no clue how to identify it.
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Please post the exact amavis line of that message from mail.log.

    And you can set the amavis log level to a higher value to get more output in the log.

    The perfect server guide has no error in the amavis setup; as long as you follow it to the letter and did not make any manual changes in the mail setup, the resulting server will work out of the box.
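
An added example, not part of the original thread: it pulls the per-message amavis summary lines out of mail.log text and shows which of the tag, tag2 and kill levels discussed above each score reaches, including the case where no score was logged at all. The log line layout is assumed from typical amavisd-new 2.x output, and the sample lines are constructed.

```python
import re

# Levels from the thread: the tag and tag2 values suggested in the reply,
# plus the kill level of 5 from the first post.
TAG, TAG2, KILL = -100.0, 3.0, 5.0

# Per-message summary line; layout assumed from typical amavisd-new 2.x logs.
SUMMARY = re.compile(
    r"amavis\[\d+\]: \([^)]+\) (?P<verdict>Passed|Blocked) (?P<category>\S+)"
    r".*?mail_id: (?P<mail_id>[^,]+), Hits: (?P<hits>-?\d+(?:\.\d+)?|-)"
)

# Constructed sample lines, not taken from the poster's server.
SAMPLE_LOG = """\
May 26 07:14:20 mail postfix/smtpd[1999]: connect from unknown[192.0.2.10]
May 26 07:15:31 mail amavis[2101]: (02101-01) Passed CLEAN {RelayedInbound}, [192.0.2.10]:41234 <news@example.net> -> <user@example.org>, mail_id: sample0001, Hits: 2.1, size: 18422, 3410 ms
May 26 07:16:02 mail amavis[2101]: (02101-02) Passed SPAMMY {RelayedTaggedInbound}, [192.0.2.11]:41300 <a@example.net> -> <user@example.org>, mail_id: sample0002, Hits: 4.2, size: 9120, 2950 ms
May 26 07:17:45 mail amavis[2102]: (02102-01) Blocked SPAM {DiscardedInbound}, [192.0.2.12]:41555 <b@example.net> -> <user@example.org>, mail_id: sample0003, Hits: 13.9, size: 7003, 3120 ms
May 26 07:18:09 mail amavis[2102]: (02102-02) Passed CLEAN {RelayedInbound}, [192.0.2.13]:41777 <c@example.net> -> <user@example.org>, mail_id: sample0004, Hits: -, size: 812345, 410 ms
"""

def classify(hits, tag=TAG, tag2=TAG2, kill=KILL):
    """Return which threshold a score reaches; None means no score was logged."""
    if hits is None:
        return "not-scanned"   # "Hits: -": the spam check did not run
    if hits >= kill:
        return "kill"          # kill level reached: configured spam action applies
    if hits >= tag2:
        return "tag2"          # X-Spam-Flag: YES and subject tag
    if hits >= tag:
        return "tag"           # informational X-Spam-* headers only
    return "no-headers"        # below tag level: headers left untouched

def report(log_text):
    """Return (mail_id, verdict, hits, threshold) for every amavis summary line."""
    rows = []
    for line in log_text.splitlines():
        m = SUMMARY.search(line)
        if not m:
            continue           # not an amavis summary line
        hits = None if m["hits"] == "-" else float(m["hits"])
        rows.append((m["mail_id"], m["verdict"], hits, classify(hits)))
    return rows

if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(row)
```

With the original tag level of 3, `classify(2.1, tag=3.0, tag2=4.5)` gives `no-headers`, which matches the explanation in the second post.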
     
  8. paranoico

    paranoico New Member HowtoForge Supporter

    After digging on the Debian machine and looking for some clues, it looked like there was some kind of virus, and I found this:
    http://serverfault.com/questions/483650/how-to-find-which-script-on-my-server-is-sending-spam-emails

    After following the solution, spam was stopped and Spamassassin started to work flawlessly. As a matter of fact, it has been adding X-Spam flags on headers since then.

    The only thing I wonder is how the Virus could get in the server, it is supposed to be a very secure setup.

    Thanks anyway.
     
    Last edited: Jun 8, 2015
  9. DDArt

    DDArt Member HowtoForge Supporter

    Do you use it for hosting? Do you host any CRMs like WPress, Drupal, Joomla and so on? There are so many ways to get in when software is not updated or patched. I'm glad you found a solution, but remember, if you use "maldet", make sure you change the config to alert and show you where the problem is and not quarantine the files/remove them, because you'll run into more trouble.

    I'm sure we're all curious if it was a CMS and which plugin was the issue, or was it a user upload?
     
  10. paranoico

    paranoico New Member HowtoForge Supporter

    Hello,
    Yes, we use our servers for hosting, but we are not using Joomla nor any other CRM now. We are planning to start using Joomla by the end of the year.
    Most of the content is static, but PHP is heavily used for several systems on that server.
    I read on some page that the error could mean a problem with PHP precisely. But for now we have not changed anything else.
    The maldet output at that time was:

    After that we removed the threat using maldet -q ...
    We have also fixed the logjam problem.
    And we are planning to do several things in the following months:
    1. Install clamav or maldet to monitor server automatically from time to time.
    2. Also, we are going to place a pfSense firewall in front of all our internet servers.
    I have to say that nothing like this happened to us before when using CentOS + Virtualmin.
    Thanks for your input DDArt and greetings.
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Your issue is not related to the use of a specific control panel nor OS. It's an issue in the cms system, so the same would have happened under Centos, Opensuse, virtualmin, ispconfig or cpanel.
     
  12. paranoico

    paranoico New Member HowtoForge Supporter

    As I pointed out weeks ago, there is no such CMS system now on any of our internet servers. So that could not have caused the problem, since there is no Joomla, Wordpress, etc. installed at the moment on any server.

    Also, we never saw this behavior before when using CentOS + Virtualmin.
     
