Hello everyone,
I have the problem that incoming e-mails run through SpamAssassin several times and are scored differently each time. Unfortunately, on the second pass the e-mail is sometimes scored considerably better than on the first, so that many (marked) spam messages still get through.
A test spam mail then looks like this:
Code:
Received: from localhost by XXXXXXXXX
with SpamAssassin (version 3.2.5);
Fri, 28 May 2010 23:42:10 +0000
From: s <nix@XXXXXXXXXX.de>
To: Bernhard Borsch<bernhard@XXXXXXXXXX.de>
Subject: *****SPAM***** Das ist SPAM!
Date: Sat, 29 May 2010 01:29:58 +0200
Message-Id: <4C0051F6.6040007@XXXXXXXXXX>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
m125.magenta.fastwebserver.de
X-Spam-Level: **************************************************
X-Spam-Status: Yes, score=1000.4 required=5.0 tests=AWL,GTUBE,RDNS_NONE
autolearn=disabled version=3.2.5
X-Spam-Report:
* 1000 GTUBE BODY: Generic Test for Unsolicited Bulk Email
* 0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
* 0.3 AWL AWL: From: address is in the auto white-list
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_4C0054D2.EE950797"
This is a multi-part message in MIME format.
------------=_4C0054D2.EE950797
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Spam detection software, running on the system "XXXXXXXXXX", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.
Content preview: Spam detection software, running on the system "XXXXXXXXXX",
has identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see the administrator of
that system for details. [...]
Content analysis details: (1000.4 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
1000 GTUBE BODY: Generic Test for Unsolicited Bulk Email
0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
0.3 AWL AWL: From: address is in the auto white-list
The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam. If you wish to view
it, it may be safer to save it to a file and open it with an editor.
------------=_4C0054D2.EE950797
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: attachment
Content-Transfer-Encoding: 8bit
Return-Path: <nix@XXXXXXX>
X-Original-To: web4p1@XXXXXXXXXX.de
Delivered-To: web4p1@XXXXXXXXXX.de
Received: from localhost (localhost [127.0.0.1])
by mail.XXXXXX (Postfix) with ESMTP id E3B5418B4094
for <web4p1@XXXXXXXXXX>; Fri, 28 May 2010 23:41:53 +0000 (UTC)
Received: from mail.XXXXXXXXXX ([XXXXXXXXXX)
by localhost (XXXXXXXXXX [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id kDtjmLPSJFcQ for <web4p1@XXXXXXXXXX>;
Fri, 28 May 2010 23:41:53 +0000 (UTC)
Received: by mail.XXXXXXXXXX (Postfix, from userid 1098)
id 7F2F818B4086; Fri, 28 May 2010 23:30:23 +0000 (UTC)
Received: from localhost by XXXXXXXXXX
with SpamAssassin (version 3.2.5);
Fri, 28 May 2010 23:30:23 +0000
From: s <nix@XXXXXXXXXX>
To: Bernhard XXXXX<bernhard@XXXXXXXXXX>
Subject: *****SPAM***** Das ist SPAM!
Date: Sat, 29 May 2010 01:29:58 +0200
Message-Id: <4C0051F6.6040007@XXXXXXXXXX>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
XXXXXXXXXX
X-Spam-Level: **************************************************
X-Spam-Status: Yes, score=1001.2 required=5.0 tests=ALL_TRUSTED,AWL,GTUBE,
RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CHECK
autolearn=disabled version=3.2.5
X-Spam-Report:
* -1.4 ALL_TRUSTED Passed through trusted hosts only via SMTP
* 1000 GTUBE BODY: Generic Test for Unsolicited Bulk Email
* 1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
* above 50%
* [cf: 100]
* 0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
* 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
* [cf: 100]
* 0.1 AWL AWL: From: address is in the auto white-list
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_4C00520F.4F9EDFB0"
This is a multi-part message in MIME format.
------------=_4C00520F.4F9EDFB0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Spam detection software, running on the system "XXXXXXXXXX", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.
Content preview: XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
[...]
Content analysis details: (1001.2 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
-1.4 ALL_TRUSTED Passed through trusted hosts only via SMTP
1000 GTUBE BODY: Generic Test for Unsolicited Bulk Email
1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
above 50%
[cf: 100]
0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
[cf: 100]
0.1 AWL AWL: From: address is in the auto white-list
------------=_4C00520F.4F9EDFB0
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Received: from [192.168.XXX.XXX] (g230070102.adsl.XXXXXXXXXX.de [92.XXX.XXX.102])
by mail.XXXXXXXXXX (Postfix) with ESMTPA id 0D92918B4078
for <bernhard@XXXXXXXXXX>; Fri, 28 May 2010 23:30:07 +0000 (UTC)
Message-ID: <4C0051F6.6040007@XXXXXXXXXX>
Date: Sat, 29 May 2010 01:29:58 +0200
From: s <nix@XXXXXX>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4
MIME-Version: 1.0
To: Bernhard <bernhard@XXXXXXXXXX>
Subject: Das ist SPAM!
Content-Type: text/plain; charset=ISO-8859-15
Content-Transfer-Encoding: 7bit
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
------------=_4C00520F.4F9EDFB0--
------------=_4C0054D2.EE950797--
NB: The string "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X" turns an e-mail into spam!
What does the log (/etc/log/mail.log) say about it (as an example):
Code:
May 29 10:47:49 m125 postfix/smtpd[19434]: connect from gXXXXXX235.adsl.XXX.de[92.XXX.XXX.235]
May 29 10:47:50 m125 postfix/smtpd[19434]: 0CA5E18B410F: client=gXXXXXX235.adsl.XXXXX.de[92.XXX.XXX.235], sasl_method=PLAIN, sasl_username=web4p1
May 29 10:47:50 m125 postfix/cleanup[19438]: 0CA5E18B410F: message-id=<4C00F0CE.1090908@borsch-it.de>
May 29 10:47:50 m125 postfix/qmgr[15997]: 0CA5E18B410F: from=<nix@XXXXXXXX>, size=663, nrcpt=1 (queue active)
May 29 10:47:50 m125 spamd[15589]: spamd: connection from localhost [127.0.0.1] at port 53511
May 29 10:47:50 m125 spamd[15589]: spamd: setuid to filter succeeded
May 29 10:47:50 m125 postfix/smtpd[19434]: disconnect from gXXXXXXXX235.adsl.XXXX.de[92.XXX.XXX.235]
May 29 10:47:50 m125 spamd[15589]: spamd: processing message <4C00F0CE.1090908@XXXXXX> for filter:1098
May 29 10:48:03 m125 spamd[15589]: spamd: identified spam (1001.2/5.0) for filter:1098 in 12.9 seconds, 697 bytes.
May 29 10:48:03 m125 spamd[15589]: spamd: result: Y 1001 - ALL_TRUSTED,AWL,GTUBE,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CHECK scantime=12.9,size=697,user=filter,uid=1098,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=53511,mid=<4C00F0CE.1090908@XXXXXXXXX>,autolearn=disabled,shortcircuit=no
May 29 10:48:03 m125 postfix/pickup[19350]: 08F8C18B4111: uid=1098 from=<nix@XXXXXXXXXX>
May 29 10:48:03 m125 postfix/pipe[19439]: 0CA5E18B410F: to=<web4p1@XXXXXXXX>, orig_to=<bernhard@XXXXXXXXX>, relay=filter, delay=13, delays=0.1/0/0/13, dsn=2.0.0, status=sent (delivered via filter service)
May 29 10:48:03 m125 postfix/qmgr[15997]: 0CA5E18B410F: removed
May 29 10:48:03 m125 postfix/cleanup[19438]: 08F8C18B4111: message-id=<4C00F0CE.1090908@XXXXXXXXXXXx>
May 29 10:48:03 m125 postfix/qmgr[15997]: 08F8C18B4111: from=<nix@XXXXXXXXXXXx>, size=3641, nrcpt=1 (queue active)
May 29 10:48:03 m125 spamd[15587]: prefork: child states: II
May 29 10:48:18 m125 postfix/local[19450]: 08F8C18B4111: to=<web4p1@XXXXXXXXXXXXXXXXX>, relay=local, delay=15, delays=0.04/0.01/0/15, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail)
May 29 10:48:18 m125 postfix/qmgr[15997]: 08F8C18B4111: removed
and the excerpt from procmail.log:
Code:
Folder: //home/email/web4p1/Maildir/.Junk/new/1275118782.18287_1.m12 10595
procmail: [19451] Sat May 29 10:48:03 2010
procmail: Match on "< 256000"
procmail: Executing "/usr/bin/spamassassin"
procmail: [19451] Sat May 29 10:48:18 2010
procmail: Match on "^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*"
procmail: Assigning "LASTFOLDER=//home/email/web4p1/Maildir/.Spam-lernen/new/1275130098.19451_0.m125.XXXXXXXXXXXX"
procmail: Notified comsat: "web4p1@0://home/email/web4p1/Maildir/.Spam-lernen/new/1275130098.19451_0.XXXXXXXXXXXXXXX"
From nix@XXXXXXXXXXXX Sat May 29 10:48:03 2010
Subject: *****SPAM***** Das ist SPAM!
Folder: //home/email/web4p1/Maildir/.Spam-lernen/new/1275130098.1945 6259
Now for my configs...
/etc/spamassassin/local.cf:
Code:
################### CONFIXX SPAMASSASSIN CONFIG FILE #####################
# created at Tue Feb 9 14:17:02 2010
#
# !!! Do not make any changes in this file !!!
# All your changes will be lost after the file is auto updated next time.
#
# If you want to add here any custom directive, you should include it
# to '/root/confixx/safe/spamassassin.inc' file. Its content will be automatically
# included during the file is autoupdated.
##########################################################################
# START CUSTOM INCLUSION (see /root/confixx/safe/spamassassin.inc)
# SpamAssassin config file for version 3.x
# How many hits before a message is considered spam.
required_score 5.0
# Whether to change the subject of suspected spam
rewrite_header subject *****SPAM*****
# Encapsulate spam in an attachment
report_safe 1
# Add report into headers
add_header spam Report _REPORT_
# Enable the Bayes system
use_bayes 1
# Bayes auto-learning (switched off here)
bayes_auto_learn 0
# Enable or disable network checks
skip_rbl_checks 0
use_razor2 1
use_dcc 1
use_pyzor 1
# Mail using languages used in these country codes will not be marked
# as being possibly spam in a foreign language.
ok_languages all
# Mail using locales used in these country codes will not be marked
# as being possibly spam in a foreign language.
ok_locales all
# END OF CUSTOM INCLUSION
# START CONFIXX GENERATED SECTION
###
allow_user_rules 1
user_scores_dsn DBI:mysql:confixx:localhost;mysql_socket=/var/lib/mysql/mysql.sock
user_scores_sql_username confixx
user_scores_sql_password ganzGeheim
user_scores_sql_custom_query SELECT preference, value FROM spampref WHERE (username = _USERNAME_ OR username = '@GLOBAL') AND server_id='050xXXXXXXXXXXXXXx9a50f' ORDER BY username ASC
# END OF CONFIXX GENERATED SECTION
/etc/procmailrc:
Code:
# No leading slash before $HOME: "/$HOME/Maildir/" produces the "//home/..."
# paths visible in procmail.log.
DEFAULT=$HOME/Maildir/
DROPPRIVS=YES
SHELL=/bin/sh
LOGFILE=$HOME/procmail.log
#LOGFILE="/var/log/procmail.log"
VERBOSE=on

# Pipe every message below 256000 bytes through spamassassin and keep its
# rewritten output (f = filter, w = wait for the exit status).
:0 fw
* < 256000
| /usr/bin/spamassassin

# Mails with a score of 15 or higher are almost certainly spam (with 0.05%
# false positives according to rules/STATISTICS.txt). Let's put them in a
# different mbox. (This one is optional.)
:0H
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
{
    :0
    $DEFAULT.Spam-lernen/
}

# Route mails carrying the X-Spam-Status flag into the spam box
:0H:
* ^X-Spam-Status: Yes
$DEFAULT.Junk/

# Everything that was not filed as spam: keep a copy in the ham-learning
# folder, then fall through to delivery into $DEFAULT
:0c
$DEFAULT.No-Spam-lernen/

# Work around procmail bug: any output on stderr will cause the F in From
# to be dropped. This will re-add it.
:0 H
* ! ^From[ ]
* ^rom[ ]
{
    LOG='*** Dropped F off From_ header! Fixing up. '
    :0 fhw
    | sed -e 's/^rom /From /'
}
/etc/postfix/master.cf:
Code:
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
# The "smtp inet" service was defined twice; the first entry (smtpd with the
# debug flags -d -v) is disabled here so that only one definition remains.
#smtp      inet  n       -       n       -       -       smtpd -d -v
smtp      inet  n       -       n       -       -       smtpd -o content_filter=filter
#submission inet n       -       -       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       -       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
  -o smtp_fallback_relay=
#  -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
# SPAMASSASSIN content filter: mail accepted by smtpd is piped through
# filter.sh (spamc) as user "filter" and re-injected via sendmail
filter    unix  -       n       n       -       -       pipe
  flags=Fq user=filter argv=/home/filter/sc/filter.sh -f ${sender} -- ${recipient}
#amavis
smtp-amavis unix -      -       -       -       2       smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=no
  -o disable_dns_lookups=yes
  -o max_use=20
127.0.0.1:10025 inet n  -       -       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
#  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
/etc/postfix/main.cf:
Code:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
delay_warning_time = 2h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = mail.XXXXXXXXXX
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = XXXXXXXXXxx, localhost.XXXXXXXXXXXX, , localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = /usr/bin/procmail
mailbox_size_limit = 0
recipient_delimiter = +
disable_vrfy_command = yes
smtpd_delay_reject = yes
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,reject_unauth_destination
inet_interfaces = all
#amavis
#content_filter = smtp-amavis:[127.0.0.1]:10024
smtp_bind_address = XXX.XXX.XXX.XXX
### CONFIXX POSTFIX ENTRY ###
virtual_maps = hash:/etc/postfix/confixx_virtualUsers, hash:/etc/postfix/confixx_localDomains
### /CONFIXX POSTFIX ENTRY ###
/home/filter/sc/filter.sh:
Code:
#!/bin/sh
# Postfix content_filter wrapper (pipe(8) transport "filter" in master.cf):
# the message arrives on stdin, is run through spamc, and is re-injected
# with sendmail using the "-f sender -- recipient" arguments from master.cf.
INSPECT_DIR=/var/spool/filter
SENDMAIL=/usr/sbin/sendmail
SPAMASSASSIN=/usr/bin/spamc

# Exit codes from <sysexits.h>
EX_TEMPFAIL=75
EX_UNAVAILABLE=69

cd "$INSPECT_DIR" || { echo "$INSPECT_DIR does not exist"; exit $EX_TEMPFAIL; }

# Clean up when done or when aborting.
trap "rm -f out.$$" 0 1 2 3 15

# spamc is called with its defaults here; the -P/-x/-a flags mentioned in the
# original comment were never passed, so they are not listed any more.
$SPAMASSASSIN > out.$$ || { echo "Message content rejected"; exit $EX_UNAVAILABLE; }

# Hand the (possibly rewritten) message back to Postfix.
$SENDMAIL -i "$@" < out.$$
exit $?
I am working on a Debian system (2.6.26-2-amd64) with Confixx 3.3 set up on it.
Now for my questions:
- Is there any information still missing to pin down the problem?
- Why are the e-mails tested several times, and which knob do I have to turn to switch this off?
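Added example, not code from the post and not SpamAssassin's or Postfix's own: a small Python script that rebuilds the nesting visible in the test mail above and then walks a message's MIME tree to count SpamAssassin passes and compare their verdicts. The `wrap_report_safe` function is a simplified imitation of what `report_safe 1` does (only the headers that matter here); the host name `mx.example.invalid`, the `example.invalid` addresses and all function names are assumptions made for the example, while the scores and rule names are the ones shown in the post.

```python
"""List every SpamAssassin pass a message has been through.

With report_safe 1, each pass wraps the message it scanned in a fresh
multipart/mixed envelope: X-Spam-* headers, a text report, and the scanned
message attached unchanged as message/rfc822.  A message scanned twice is
therefore nested two levels deep, exactly as in the test mail above.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed data: modelled on the post's headers, with the redacted hosts
# and addresses replaced by example.invalid placeholders (assumption).
GTUBE = "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"
TAG = "*****SPAM*****"
SCAN_HOST = "mx.example.invalid"
NOFOLD = policy.default.clone(max_line_length=None)   # keep each header on one line

STATUS_RE = re.compile(
    r"(?P<verdict>Yes|No),\s+score=(?P<score>-?\d+(?:\.\d+)?)"
    r"\s+required=(?P<required>\d+(?:\.\d+)?)"
    r"\s+tests=(?P<tests>.*?)\s+autolearn=", re.S)
CHECKER_RE = re.compile(r"SpamAssassin\s+(?P<version>\S+).*\bon\s+(?P<host>\S+)", re.S)


def original_message():
    """Stand-in for the Thunderbird test mail: a plain-text GTUBE body."""
    msg = EmailMessage()
    msg["From"] = "s <nix@example.invalid>"
    msg["To"] = "Bernhard <bernhard@example.invalid>"
    msg["Subject"] = "Das ist SPAM!"
    msg["Message-ID"] = "<4C0051F6.6040007@example.invalid>"
    msg.set_content(GTUBE + "\n")
    return msg


def wrap_report_safe(scanned, host, score, tests, required=5.0):
    """Simplified imitation of one report_safe 1 pass (not SpamAssassin's
    own code): verdict headers, a short report, and the scanned message
    attached as message/rfc822 so its own headers survive untouched."""
    verdict = "Yes" if score >= required else "No"
    outer = EmailMessage()
    for name in ("From", "To", "Message-ID"):
        if scanned.get(name) is not None:
            outer[name] = str(scanned[name])
    subject = str(scanned.get("Subject", ""))
    outer["Subject"] = subject if subject.startswith(TAG) else f"{TAG} {subject}"
    outer["X-Spam-Flag"] = verdict.upper()
    outer["X-Spam-Checker-Version"] = f"SpamAssassin 3.2.5 (2008-06-10) on {host}"
    outer["X-Spam-Level"] = "*" * min(int(score), 50)
    outer["X-Spam-Status"] = (f"{verdict}, score={score} required={required} "
                              f"tests={','.join(tests)} autolearn=disabled version=3.2.5")
    outer.set_content(f'Spam detection software, running on the system "{host}", '
                      "has identified this incoming email as possible spam.\n")
    outer.add_attachment(scanned)          # becomes the message/rfc822 part
    return outer


def build_double_scanned():
    """The nesting from the post: pass 1 (content_filter -> spamc) and then
    pass 2 (procmail -> spamassassin) over pass 1's output."""
    first = wrap_report_safe(original_message(), SCAN_HOST, 1001.2,
                             ["ALL_TRUSTED", "AWL", "GTUBE", "RAZOR2_CF_RANGE_51_100",
                              "RAZOR2_CF_RANGE_E4_51_100", "RAZOR2_CHECK"])
    second = wrap_report_safe(first, SCAN_HOST, 1000.4, ["AWL", "GTUBE", "RDNS_NONE"])
    return second.as_bytes(policy=NOFOLD)


def spam_passes(raw):
    """One record per X-Spam-Status met while walking the MIME tree,
    outermost (= most recent pass) first; the original mail has none."""
    root = email.message_from_bytes(raw, policy=policy.default)
    passes = []
    for part in root.walk():
        status = part.get("X-Spam-Status")
        if status is None:
            continue
        m = STATUS_RE.search(str(status))
        if m is None:
            raise ValueError(f"cannot parse X-Spam-Status: {str(status)!r}")
        checker = CHECKER_RE.search(str(part.get("X-Spam-Checker-Version", "")))
        passes.append({
            "host": checker.group("host") if checker else "?",
            "verdict": m.group("verdict"),
            "score": float(m.group("score")),
            "required": float(m.group("required")),
            "tests": sorted(t for t in re.split(r"[,\s]+", m.group("tests")) if t),
        })
    return passes


def scan_count(raw):
    return len(spam_passes(raw))


def score_drift(raw):
    """Latest score minus first score; negative means a later pass rated
    the same mail less spammy (the post's 1001.2 -> 1000.4 case)."""
    passes = spam_passes(raw)
    return round(passes[0]["score"] - passes[-1]["score"], 2) if len(passes) > 1 else 0.0


if __name__ == "__main__":
    raw = build_double_scanned()
    for level, p in enumerate(spam_passes(raw)):
        print(f"level {level} on {p['host']}: {p['verdict']} {p['score']}/{p['required']} "
              f"tests={','.join(p['tests'])}")
    print(f"scanned {scan_count(raw)}x, score drift {score_drift(raw)}")
```

Run as-is it prints both levels; on a real mailbox file, pass the raw bytes of one delivered message to `spam_passes()`. A count above one means more than one scanning stage touched the mail, and the per-level rule lists show why the verdicts differ: in the post's case the inner pass still saw the SMTP path (ALL_TRUSTED, Razor hits), while the outer pass scored the already-wrapped report.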
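A second added example, again not from the post: the same question approached from the mail.log side. It correlates Postfix queue IDs with Message-IDs and spamd verdicts, so that one message can be followed through smtpd, the `filter` pipe transport, the re-injection via pickup and the final local delivery. The log lines are constructed after the excerpt in the post (hosts, addresses and the client IP replaced with documentation placeholders); the syslog line shape and the function names are assumptions of this example.

```python
"""Trace one message through Postfix and spamd using mail.log lines."""
import re
from collections import defaultdict

# Constructed input, modelled on the post's mail.log excerpt (assumption:
# placeholders for the redacted hosts/addresses, same line layout).
SAMPLE_LOG = """\
May 29 10:47:49 m125 postfix/smtpd[19434]: connect from client.example.invalid[203.0.113.5]
May 29 10:47:50 m125 postfix/smtpd[19434]: 0CA5E18B410F: client=client.example.invalid[203.0.113.5], sasl_method=PLAIN, sasl_username=web4p1
May 29 10:47:50 m125 postfix/cleanup[19438]: 0CA5E18B410F: message-id=<4C00F0CE.1090908@example.invalid>
May 29 10:47:50 m125 postfix/qmgr[15997]: 0CA5E18B410F: from=<nix@example.invalid>, size=663, nrcpt=1 (queue active)
May 29 10:47:50 m125 spamd[15589]: spamd: connection from localhost [127.0.0.1] at port 53511
May 29 10:47:50 m125 spamd[15589]: spamd: processing message <4C00F0CE.1090908@example.invalid> for filter:1098
May 29 10:47:50 m125 postfix/smtpd[19434]: disconnect from client.example.invalid[203.0.113.5]
May 29 10:48:03 m125 spamd[15589]: spamd: identified spam (1001.2/5.0) for filter:1098 in 12.9 seconds, 697 bytes.
May 29 10:48:03 m125 spamd[15589]: spamd: result: Y 1001 - ALL_TRUSTED,AWL,GTUBE,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CHECK scantime=12.9,size=697,user=filter,uid=1098,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=53511,mid=<4C00F0CE.1090908@example.invalid>,autolearn=disabled,shortcircuit=no
May 29 10:48:03 m125 postfix/pickup[19350]: 08F8C18B4111: uid=1098 from=<nix@example.invalid>
May 29 10:48:03 m125 postfix/pipe[19439]: 0CA5E18B410F: to=<web4p1@example.invalid>, orig_to=<bernhard@example.invalid>, relay=filter, delay=13, delays=0.1/0/0/13, dsn=2.0.0, status=sent (delivered via filter service)
May 29 10:48:03 m125 postfix/qmgr[15997]: 0CA5E18B410F: removed
May 29 10:48:03 m125 postfix/cleanup[19438]: 08F8C18B4111: message-id=<4C00F0CE.1090908@example.invalid>
May 29 10:48:03 m125 postfix/qmgr[15997]: 08F8C18B4111: from=<nix@example.invalid>, size=3641, nrcpt=1 (queue active)
May 29 10:48:18 m125 postfix/local[19450]: 08F8C18B4111: to=<web4p1@example.invalid>, relay=local, delay=15, delays=0.04/0.01/0/15, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail)
May 29 10:48:18 m125 postfix/qmgr[15997]: 08F8C18B4111: removed
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
QID_RE = re.compile(r"^(?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$")
MID_RE = re.compile(r"message-id=(?P<mid><[^>]+>)")
SPAMD_RESULT_RE = re.compile(
    r"spamd: result: (?P<flag>[YN]) (?P<score>-?\d+) - (?P<tests>\S+) "
    r".*?\buser=(?P<user>[^,]+).*?\bmid=(?P<mid><[^>]+>)")
DELIVERY_RE = re.compile(
    r"relay=(?P<relay>[^,]+),.*status=(?P<status>\S+) \((?P<detail>[^)]*)\)")


def parse_log(text):
    """Yield (program, message) for every syslog line in mail.log shape."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("prog"), m.group("msg")


def trace_messages(text):
    """Group Postfix queue activity and spamd verdicts by Message-ID.

    Postfix assigns a new queue ID each time a message is re-injected
    (here: filter.sh handing it back through sendmail -> pickup), so one
    Message-ID with several queue IDs is the signature of a content_filter
    round trip."""
    records = list(parse_log(text))
    qid_to_mid = {}
    for prog, msg in records:                        # pass 1: queue id -> message id
        q = QID_RE.match(msg)
        if prog == "postfix/cleanup" and q:
            mm = MID_RE.search(q.group("rest"))
            if mm:
                qid_to_mid[q.group("qid")] = mm.group("mid")
    traces = defaultdict(lambda: {"queue_ids": [], "hops": [], "spamd": []})
    for prog, msg in records:                        # pass 2: events per message id
        if prog.startswith("postfix/"):
            q = QID_RE.match(msg)
            if not q or q.group("qid") not in qid_to_mid:
                continue                             # connect/disconnect lines etc.
            qid, rest = q.group("qid"), q.group("rest")
            t = traces[qid_to_mid[qid]]
            if qid not in t["queue_ids"]:
                t["queue_ids"].append(qid)
            daemon = prog.split("/", 1)[1]
            if daemon == "smtpd" and rest.startswith("client="):
                t["hops"].append((qid, "smtpd", rest.split(",")[0]))
            elif daemon == "pickup":                 # local submission via sendmail
                t["hops"].append((qid, "pickup", rest))
            else:
                d = DELIVERY_RE.search(rest)
                if d:
                    t["hops"].append((qid, daemon, f"relay={d['relay']} {d['status']}: {d['detail']}"))
        elif prog == "spamd":
            s = SPAMD_RESULT_RE.search(msg)
            if s:
                traces[s["mid"]]["spamd"].append({
                    "spam": s["flag"] == "Y",
                    "score": int(s["score"]),
                    "user": s["user"],
                    "tests": s["tests"].split(","),
                })
    return dict(traces)


def reinjections(trace):
    """How often the message re-entered the queue under a new ID."""
    return max(len(trace["queue_ids"]) - 1, 0)


def summarize(text):
    out = {}
    for mid, t in trace_messages(text).items():
        out[mid] = {"reinjections": reinjections(t), "spamd_scans": len(t["spamd"]),
                    "final_hop": t["hops"][-1] if t["hops"] else None}
    return out


if __name__ == "__main__":
    for mid, t in trace_messages(SAMPLE_LOG).items():
        print(mid)
        for qid, daemon, detail in t["hops"]:
            print(f"  {qid} {daemon:7s} {detail}")
        for s in t["spamd"]:
            print(f"  spamd: {'spam' if s['spam'] else 'ham'} score={s['score']} "
                  f"user={s['user']} tests={','.join(s['tests'])}")
        print(f"  re-injected {reinjections(t)}x, {len(t['spamd'])} spamd scan(s) logged")
```

Against the constructed excerpt this yields one spamd verdict (user=filter, i.e. the spamc call from filter.sh), one re-injection (pickup after filter.sh's sendmail) and a final local delivery to /usr/bin/procmail. The procmail-side run of /usr/bin/spamassassin does not go through spamd and therefore leaves no trace in mail.log at all; in the post it is only visible in procmail.log ("Executing /usr/bin/spamassassin"). When counting scanning stages, read both logs together with the nested X-Spam headers.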