spamassassin not working?

Discussion in 'ISPConfig 3 Priority Support' started by craig baker, Sep 26, 2014.

  1. craig baker

    craig baker Member HowtoForge Supporter

    still getting bounced messages - help :)

    I'm still sending messages like this back - but surely spamassassin should not be doing this!
    what can I check?? and where are the config files that ISPConfig uses anyway?
    if they are in an SQL base need to look at them???
    cdb.


    still getting messages like this:
    CO 4823 648 1 0 4823T1412345509 302833Acreate_time=1412345509Arewr[email protected]ns9.cdbsystems.comSAlog_client_name=unknownAlog_client_address=127.0.0.1Alog_client_port=46156A%log_message_origin=unknown[127.0.0.1]Alog_helo_name=localhostAlog_protocol_name=ESMTPAclient_name=unknownAeverse_client_name=unknownAclient_address=127.0.0.1Aclient_port=46156Ahelo_name=localhostAprotocol_name=ESMTPAclient_address_type=2A/dsn_orig_rcpt=rfc822;[email protected]@[email protected]: from localhost (unknown [127.0.0.1])N: by ns9.cdbsystems.com (Postfix) with ESMTP id 4A44F1A140DNH for <[email protected]>; Fri, 3 Oct 2014 14:11:49 +0000 (UTC)N<Content-Type: multipart/report; report-type=delivery-status;N* boundary="----------=_1412345509-16485-0"NContent-Transfer-Encoding: 7bitNMIME-Version: 1.0N!Subject: BANNED contents from youN7 (.exe,.exe-ms,transact_store/transact_e5ebfdsd621.exe)NDIn-Reply-To: <[email protected]>N/Message-ID: <[email protected]>NLFrom: "Content-filter at ns9.cdbsystems.com" <[email protected]>N To: <[email protected]>N+Date: Fri, 3 Oct 2014 10:11:49 -0400 (EDT)NN.This is a multi-part message in MIME format...NN ------------=_1412345509-16485-0N)Content-Type: text/plain; charset="UTF-8"Nontent-Disposition: inlineNContent-Transfer-Encoding: 7bitNNBANNED CONTENTS ALERTNNOur content checker foundNE banned name: .exe,.exe-ms,transact_store/transact_e5ebfdsd621.exeNN9in email presumably from you <[email protected]>No the following recipient:N-> [email protected]ur internal reference code for your message is 16485-16/L2bsSftsCMqTNNDFirst upstream SMTP client IP address: [37.252.90.120]:41451 unknownN*Received from: 37.252.90.120 < 61.35.32.52NN)Return-Path: <[email protected]>N0From: "Tech Server" <[email protected]>NCMessage-ID: <[email protected]>NISubject: Alert Transactions Report by users from 2014-09-28 to 2014-09-28NN"Delivery of the email was stopped!NN<The message has been blocked because it contains a componentN4(as a MIME part or nested within) with declared nameN:eek:r MIME type or contents type violating our access policy.NN=To transfer contents that may be considered risky or unwantedNBby site policies, or simply too large for mailing, please considerNBpublishing your content on the web, and only sending an URL of theNdocument to the recipient.NNBDepending on the recipient and sender site policies, with a littleNAeffort it might still be possible to send any contents (includingN,viruses) using one of the following methods:NN7- encrypted using pgp, gpg or other encryption methods;NNC- wrapped in a password-protected or scrambled container or archiveN9 (e.g.: zip -e, arj -g, arc g, rar -p, or other methods)NN;Note that if the contents is not intended to be secret, theN>encryption key or password may be included in the same messageNfor recipient's convenience.NNAWe are sorry for inconvenience if the contents was not malicious.NNGThe purpose of these restrictions is to cut the most common propagationNHmethods used by viruses and other malware. These often exploit automaticNEmechanisms and security holes in more popular mail readers (MicrosoftNHmail readers and browsers are a common target). By requiring an explicitNDand decisive action from the recipient to decode mail, t
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    If you run a ispconfig server, then spamassassin is not used directly. A ispconfig 3 server uses amavisd and amavisd loads the spamassassin libraries internally. So the files that you are seeking are the config files from amavisd and not the ones from spamassassin.

    ISPConfig does not use any special config files, it uses the default files of your Linux Distribution.

    For Debian and Ubuntu, thats /etc/amavis/conf.d/*
    and for Centos, thats either /etc/amavisd.conf or /etc/amavis/amavisd.conf depending on the version.
     
  3. craig baker

    craig baker Member HowtoForge Supporter

    spamassassin

    Indeed, spamassassin should not be doing this - but clearly someone is - and I'm getting more of these kinds of errors and surely folks are going to get annoyed by bounced spam. I obviously do NOT want to send any reply on something that is marked spam!
    how do I get a handle on this and stop it?
    and are there ANY things I can do to reduce spam in my setup??

    also on a different note I did an upgrade to current ISPConfig3 and got a fatal dovecot error complaining about some unknown option:
    ssl_protocols = !SSLv2 !SSLv3

    I had to comment out the line to get dovecot back up. mail seems to be working.

    any ideas? Centos 6.5 etc etc
    oh - can I change my subscription to come off a credit card? paypal for some utterly unknown reason declined a 5 EURO charge. and I want to keep supporting you!

    cdb.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    On Debian and Ubuntu, add a new file:

    /etc/amavis/conf.d/90-custom

    with the following content:

    Code:
    use strict;
    
    $final_virus_destiny = D_BOUNCE;
    $final_spam_destiny = D_DISCARD;
    $final_banned_destiny = D_BOUNCE;
    $final_bad_header_destiny = D_PASS;
    
    #------------ Do not modify anything below this line -------------
    1;  # insure a defined return
    
    For other distributions you have to edit /etc/amavis/amavisd.conf file and set the final_* settings accordingly.

    Then ensure that you set allpolicys to pass banned content as well in ispconfig.

    The dovecot version is too old for this directive. we fixed that already in GIT.

    Thank you very much for your support! Please login to paypal and cancel your subscription there. Then go to the subscription page and order a new subscription, choose RBS Worldpay this time. RBS worldpay is a Credit card processor, so you can do the payment with all major credit cards trough them.
     
  5. craig baker

    craig baker Member HowtoForge Supporter

    dovecot error

    so it was sufficient to just comment it out? apparently all is working but want to make sure.

    also on the bounced mail I already have these settings in amavisd.conf - but the message I quoted above clearly is for some BANNED content - and the

    $final_banned_destiny is set to D_BOUNCE - so that would be returned....
    since I'm getting this kind of problem maybe the virus and banned should be set to DISCARD instead...

    find any stronger anti-spam settings other than 'normal'. should I try to maybe drop the numerical thresholds?
    I thought I saw something in another post about some stricter anti-spam settings....
     
    Last edited: Oct 20, 2014
  6. craig baker

    craig baker Member HowtoForge Supporter

    YIKES! WhatsApp Messaging! what to do???

    I'm getting a lot of these emails trying to go to yahoo etc:
    they appear to come from a legitimate customer of mine how can I filter these before yahoo gets REALLY pissed at me??
    cdb.


    --snip--
    CO 3157 610 1 0 3157T1413834228 704071Acreate_time=1413834228Arewrite_cencoding=7bitAlog_client_name=unknownAlog_client_address=127.0.0.1Alog_client_port=41018A%log_message_origin=unknown[127.0.0.1]Alog_helo_name=localhostAlog_protocol_name=ESMTPAclient_name=unknownAeverse_client_name=unknownAclient_address=127.0.0.1Aclient_port=41018Ahelo_name=localhostAprotocol_name=ESMTPAclient_address_type=2A)dsn_orig_rcpt=rfc822;[email protected]@[email protected]: from localhost (unknown [127.0.0.1])N: by ns9.cdbsystems.com (Postfix) with ESMTP id AC3F91A5A6FNBfor <[email protected]>; Mon, 20 Oct 2014 19:43:48 +0000 (UTC)N2X-Virus-Scanned: amavisd-new at ns9.cdbsystems.comN/Received: from ns9.cdbsystems.com ([127.0.0.1])NH by localhost (ns9.cdbsystems.com [127.0.0.1]) (amavisd-new, port 10024)N7 with ESMTP id 2YN53g4GgqCR for <[email protected]>;N& Mon, 20 Oct 2014 15:43:48 -0400 (EDT)NgReceived: from [192.168.228.211] (173-12-139-157-jacksonville.hfc.comcastbusiness.net [173.12.139.157])N7 (Authenticated sender: [email protected])N; by ns9.cdbsystems.com (Postfix) with ESMTPA id 74C5A1A59FANB for <[email protected]>; Mon, 20 Oct 2014 15:43:45 -0400 (EDT)N$Content-Type: multipart/alternative;N0 boundary="===============7384938529843539593=="NMIME-Version: 1.0N5Message-ID: <[email protected]>N%Date: Mon, 20 Oct 2014 22:44:46 +0300N;From: "WhatsApp Messaging" <[email protected]>Nubject: 2 New Voicemail(s)NTo: [email protected]&--===============7384938529843539593==N,Content-Type: text/plain; charset="us-ascii"NMIME-Version: 1.0NContent-Transfer-Encoding: 7bitNWhatsAppNN N NYou have a new voicemail!NN
    **Details:**NN$Time of Call: Oct-18 2014 06:16:26 NLenth of Call: 40sec N NNA[Play](http://kinheim.net/gallery.php?rec=TicdhfH69ihSoQGT/XjmiA)NN9*If you cannot play, move message to the "Inbox" folder. NN2014 WhatsApp IncNNN&--===============7384938529843539593==N+Content-Type: text/html; charset="us-ascii"NMIME-Version: 1.0NContent-Transfer-Encoding: 7bitNFormat: FlowedNN<!doctype html>N<html>N5<body style="font-family:Arial, Tahoma, sans-serif;">N(<div style="width:500px; height:274px;">NE<div style="margin:0px; padding:0px; height:85px; background:#27262b;NWline-height:75px; font-size:26px; color:#FFFFFF; padding-left:82px; font-weight:bold;">WhatsAppN</div>N\<div style="position:ralative;top:100px;background:#34af23; height:8px; width:500px;"></div>N9<div align="center" style="font-size:18px;color:#5b5f62">N<br>N<br>NYou have a new voicemail!N</div>Ndiv style="padding:20px;">N,<font color="#40a9d8"><b>Details:</b></font>Ndiv style="padding:10px;">NB<font color="#00000">Time of Call:</font> Oct-18 2014 06:16:26<br>N4<font color="#00000">Lenth of Call:</font> 40sec<br>N<br>N</div>N</div>NC<div style="margin:0px; padding:0px; height:180px;" align="center">ND<a href="http://kinheim.net/gallery.php?rec=TicdhfH69ihSoQGT/XjmiA" NBstyle="display:block; width:167px; height:41px; line-height:41px; NCfont-size:26px; color:#ffffff; text-align:center; font-weight:bold;NHborder-radius:20px; -moz-border-radius:20px; -webkit-border-radius:20px;N3background:#67c332; text-decoration:none;">Play</a>NB<div style="height:67px; margin:0px; padding:10px;font-size:12px">N<font color="#5b5f62">N8*If you cannot play, move message to the "Inbox" folder.N</font>N</div>N<<p style="height:30px;margin:0px;padding:10px;color:#FFFFFF;N#background:#3encoding=7bitE[[email protected] A]# WhatsApp IncN</p>N</div>N</div>N</body>N</html>N(--===============7384938529843539593==--XA
    [[email protected] A]# dir -al
    --snip--
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Do not comment the settings out, you have to change them instead as commenting out means to set the defaults again.

    You can lower the tag2 level in the spamassassin policy to get better filter results.

    When a customer account gets hacked and is used for spam sending, then fhange the password of the account to stop that and inform the customer that either his password is misused by spammers or his computer has a virus or trojan that sends spam.
     

Share This Page