Mail from internal networks being flagged as spam

I am trying to figure out what to do here. I have a lot of mail that is from my internal server infrastructure (multiple sources inside) which is either on the same /24 as my MIAB or at least locally routed from another private network and mostly being delivered to my own email addresses on MIAB domains. I have an internal DNS A record to point things directly to the box without directing traffic out to the internet and back.

Some of this is being flagged as spam. Mostly it’s because you’re not supposed to add RFC1918 addresses to SPF, so anything internal is reporting SPF failure, but also SpamAssassin is flagging some content as spam, even though I have dumped hundreds of messages into other folders to train it. (Fail2Ban notifications from another server, for example. Content is exactly the same, except the reported IP in the message changes.) I also have a website which users are filling forms to send to me, and after some changes which fixed delivery from there to my gmail address which was my backup, I am now seeing those going to spam intermittently internally. Apparently I have some issues with the code intermittently malforming the from header, but that’s a different topic. SPF failures are what is putting it all over the edge though, assigning 5 points to the messages.

Is there a way I can whitelist a few source IPs or /24 networks so messages aren’t flagged by SpamAssassin, or otherwise validate these messages? I have zero concern that any real spam will come from these networks.

I also just saw that it says autolearn=no in my message headers, so does that mean I can’t train my filter by moving messages with the default MIAB setup? I was one of the very first spam assassin users decades ago, but it’s been a long time and I don’t know where I am supposed to configure its settings with the MIAB setup.

Maybe this will help, take a look at “trusted_networks” setting in:

/etc/spamassassin/local.cf
1 Like

In the event that trusted_networks option doesn’t get the job done, you might want to try the “whitelist_from” option.
https://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html

1 Like

Thank you, I will check that.

Thanks, I will look into these. I can probably also find out about the Bayesian filtering config there too.

Setup problems - rejecting everything - #3 by KiekerJan might help you as well (although it duplicates some of what was said above)

Awesome! Looking at that I can tweak the score for my internal stuff once I add the hosts or subnets to trusted networks. I might just assign -5 or -10 to trusted and that would probably be good for me.

Thanks! I didn’t see this thread when I searched before posting.

Just an update. We’re on the right track here, and these posts have been helpful, but I made changes to local.cf and it did not seem to take effect. For anyone seeing this later, this is because SpamAssassin is parsing multiple config files doing the old school UNIX config file parsing where the higher numbered config files are taking precedence over default configurations, likely the files in /usr/share/spamassassin. I am going to have to parse the files to find the settings I want. score ALL_TRUSTED is set somewhere to a setting I want to change, which should fix my issue.

Edit - Or maybe not. those configs are defaults. Opened a file and it said to edit local.cf instead. I only tried the one in /etc/spamassassin (which appears to be symlink to or from /etc/mail/spamassassin.) I will have to try changing the local.cf in /usr/share/spamassassin and test.

Weird, I tried changing the score for ALL_TRUSTED in multiple config files, and I can’t seem to get it. I have restarted the spamassassin service after each change, but it still scores ALL_TRUSTED -1 instead of my setting. I will keep looking when I get a chance and try to remember to update this when I figure it out. My immediate issue is taken care of, but I would like to learn this to better optimize my setup. I’m pretty sure I was doing this with MS Exchange 2000 the last time I got into SpamAssassin configs. :joy:

Some remarka that might help:

  • The spamassassin service is not used by MiaB. Any changes you make to configuration should be used directly.
  • I use a file named /etc/spamassasain/90_name.cf Any .cf file in that directory is included in the configuration. No need to edit other files.
  • You should be able to look at the headers of a mail to see which rules are triggered.
  • Thus point I’m not sure on, but it might be the case that if you have shortcircuit ALL_TRUSTED that the score for ALL_TRUSTED is never added, because the short circuit means it stops processing the mail at that point.
  • You can add some debugging info by changing file /etc/default/spampd. Change ADDOPTS="--debug --log-rules-hit" This will probably give more log output in the spampd service logging