More spam for the past few months

Hello,

For the past few months, a lot of mail has been passing SpamAssassin.

It seems it passes the GreyList, but they are listed in blacklists.
What parameters can I tune to get rid of these messages?

It never reaches a spam score of 5 or higher.

I’m using 57a

X-Spam-Level: *
X-Greylist: delayed 602 seconds by postgrey-1.36 at box.business-mail.nl; Thu, 09 Mar 2023 20:53:21 CET
X-Spam-Report:
 *  1.7 URIBL_BLACK Contains an URL listed in the URIBL blacklist
 *      [URIs: collectproduce.shop]
 *  1.2 URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL
 *      blocklist
 *      [URIs: collectproduce.shop]
 * -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
 *      [score: 0.0000]
 *  0.1 DMARC_NONE DMARC record not found
 * -0.1 SPF_PASS SPF check passed
 * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
 *  0.0 HTML_MESSAGE BODY: HTML included in message
 *  0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
 *  0.4 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML
 *      tag
X-Spam-Status: No, score=1.5 required=5.0 tests=BAYES_00,DMARC_NONE, HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,SPF_HELO_PASS, SPF_PASS,URIBL_ABUSE_SURBL,URIBL_BLACK autolearn=no autolearn_force=no version=3.4.2
Content-Type: text/html; charset=ISO-8859-1
X-Spam-Score: 1.5

Did the spam mail get into your personal mailbox? If yes, then just mark them so they end up in your “junk” mail folder that exists in the web mail interface of Mail In A Box.

This is what I like about Mail In A Box. It's easy to install and has a very good web mail interface that equals Gmail and Outlook. So, all spam can be sent to the junk mail folder.

I know that trick. My issue is that mail servers on the blocking lists don't get blocked.

In the - default - config file is a line:

smtpd_sender_restrictions=reject_non_fqdn_sender,reject_unknown_sender_domain,reject_authenticated_sender_login_mismatch,reject_rhsbl_sender dbl.spamhaus.org
smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject_rbl_client zen.spamhaus.org,reject_unlisted_recipient,check_policy_service inet:127.0.0.1:10023

So I would expect that it isn't even offered to SpamAssassin.

First it’s grey listed - as expected

Mar 10 07:43:04 box postgrey[1044]: action=greylist, reason=new, client_name=episodecostume.shop, client_address=195.133.39.178/32, sender=backyardmiraclefarm@episodecostume.shop, recipient=xxxxx@doofpot.nl
Mar 10 07:43:04 box postfix/smtpd[23107]: NOQUEUE: reject: RCPT from episodecostume.shop[195.133.39.178]: 450 4.2.0 <xxxxx@doofpot.nl>: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/doofpot.nl.html; from=<backyardmiraclefarm@episodecostume.shop> to=<xxxxx@doofpot.nl> proto=ESMTP helo=<episodecostume.shop>

The next time, the mail is offered:

Mar 10 07:54:58 box postfix/smtpd[24477]: connect from episodecostume.shop[195.133.39.178]
Mar 10 07:54:58 box postfix/smtpd[24477]: warning: restriction `reject_authenticated_sender_login_mismatch' ignored: no SASL support
Mar 10 07:54:58 box postgrey[1044]: action=pass, reason=triplet found, delay=601, client_name=episodecostume.shop, client_address=195.133.39.178/32, sender=backyardmiraclefarm@episodecostume.shop, recipient=xxxxx@doofpot.nl
Mar 10 07:54:58 box postfix/smtpd[24477]: AC77DE4D41: client=episodecostume.shop[195.133.39.178]
Mar 10 07:54:58 box postfix/cleanup[24483]: AC77DE4D41: message-id=<2oU906ytqF21mvBk9hZovsc3rYPEs4_l0cIQT_a3m88.RSxpo0mHarLj0hkjA8E8ehMjo6Zh6bf6geK12UqQkoM@episodecostume.shop>
Mar 10 07:54:58 imap(gerard@houdijk.eu): Info: Logged out in=5597 out=13841
Mar 10 07:54:58 box opendmarc[764]: implicit authentication service: box.business-mail.nl
Mar 10 07:54:58 box opendmarc[764]: AC77DE4D41: SPF(mailfrom): backyardmiraclefarm@episodecostume.shop pass
Mar 10 07:54:58 box opendmarc[764]: AC77DE4D41: episodecostume.shop none
Mar 10 07:54:59 box postfix/qmgr[30361]: AC77DE4D41: from=<backyardmiraclefarm@episodecostume.shop>, size=25428, nrcpt=1 (queue active)
Mar 10 07:54:59 lmtp(24542): Info: Connect from 127.0.0.1
Mar 10 07:54:59 box spampd[15838]: processing message <2oU906ytqF21mvBk9hZovsc3rYPEs4_l0cIQT_a3m88.RSxpo0mHarLj0hkjA8E8ehMjo6Zh6bf6geK12UqQkoM@episodecostume.shop> for <xxxxx@doofpot.nl>
Mar 10 07:54:59 box postfix/smtpd[24477]: disconnect from episodecostume.shop[195.133.39.178] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5

by the way, I changed the recipient email address
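As an added illustration (not part of the original posts and not Mail-in-a-Box code), this Python example derives the DNS names that the two Spamhaus restrictions in the quoted config look up for the connection in the log above. Function names are hypothetical; the answer handling assumes Spamhaus's published convention that replies in 127.255.255.0/24 are error codes rather than listings.

```python
import ipaddress
import re
import socket

# Constructed from the postgrey "action=pass" log line quoted in the post above.
LOG = ("Mar 10 07:54:58 box postgrey[1044]: action=pass, reason=triplet found, "
       "delay=601, client_name=episodecostume.shop, "
       "client_address=195.133.39.178/32, "
       "sender=backyardmiraclefarm@episodecostume.shop, recipient=xxxxx@doofpot.nl")


def dnsbl_names(log_line, ip_zone="zen.spamhaus.org", dom_zone="dbl.spamhaus.org"):
    """Return the DNS name each Postfix restriction would query for this mail."""
    ip = re.search(r"client_address=([0-9.]+)", log_line).group(1)
    domain = re.search(r"sender=[^@\s]+@([^,\s]+)", log_line).group(1)
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # also validates the IP
    return {
        # Keyed on the connecting client's IP, octets reversed.
        "reject_rbl_client": ".".join(reversed(octets)) + "." + ip_zone,
        # Keyed on the envelope sender's domain, not on URLs in the body.
        "reject_rhsbl_sender": domain + "." + dom_zone,
    }


def classify(answer):
    """Interpret the A record returned for a DNSBL name (None = NXDOMAIN)."""
    if answer is None:
        return "not listed"
    if answer.startswith("127.255.255."):
        return "error code, not a listing"
    if answer.startswith("127."):
        return "listed"
    return "unexpected answer"


def lookup(name, resolve=socket.gethostbyname):
    """Query one DNSBL name; 'resolve' can be swapped for a stub when offline."""
    try:
        return classify(resolve(name))
    except socket.gaierror:
        return classify(None)


if __name__ == "__main__":
    # Prints the names only; call lookup(name) on the mail server for a live answer.
    for restriction, name in dnsbl_names(LOG).items():
        print(f"{restriction:22} {name}")
```

Neither query involves the URL in the message body, which is what the URIBL_BLACK and URIBL_ABUSE_SURBL hits in the headers refer to. Run `lookup()` on the box itself so the answer comes from the same resolver Postfix uses.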

Which blacklist did you use? How did you configure that?

That’s default configuration.

The question is: why is spam that is on a blacklist passed through to postgrey and not rejected at all?

Ah, you mean the bit about:

1.7 URIBL_BLACK Contains an URL listed in the URIBL blacklist *      [URIs: collectproduce.shop] *  
1.2 URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL *

So, the way this works: spamassassin has a massive amount of rules. Each rule can result in a positive or negative score. The score of each rule is summed, resulting in your case in X-Spam-Score: 1.5. When the score is above a threshold (usually 5) it is declared spam by spamassassin and moved into the SPAM folder.
In your case there are two rules triggered. These rules indicate there’s a URL in the mail that is on a blacklist (not necessarily that the whole mail should be blacklisted). The result is a score of 1.7 and 1.2. There is also a BAYES_00 rule giving a score of -1.9, which means according to that rule it is probably not spam.
Because the total score is 1.5, which is below 5, spamassassin does not yet rule this message as spam.
What you can do easily yourself is create a blacklist of your own. Create a blacklist file, e.g. /etc/spamassassin/90_local.cf and fill it with e.g.

# blacklist everyone at sparkingwire.com:
blacklist_from *@sparkingwire.com

This will give all emails from sparkingwire.com an additional score of 10, usually enough to be judged as spam. Is there a constant in the spam mails that might help you create such a filter?

(Specifically for your situation, internet tells me that triggering rule BAYES_00 on obvious spam would mean that the spamassassin bayes filtering has not been trained enough or correctly. This might be solved by moving all spam into the spam/junk folder, as sugumaranv already mentioned.)
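The scoring described in the answer above can be reproduced from the X-Spam-Report header in the first post. This is an added example, not part of the original thread and not SpamAssassin's own code; the function names are hypothetical and the header text is copied from the page.

```python
import re

# X-Spam-Report and required score as quoted in the first post of this thread.
REPORT = (
    "*  1.7 URIBL_BLACK Contains an URL listed in the URIBL blacklist "
    "*      [URIs: collectproduce.shop] "
    "*  1.2 URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL "
    "*      blocklist *      [URIs: collectproduce.shop] "
    "* -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% "
    "*      [score: 0.0000] "
    "*  0.1 DMARC_NONE DMARC record not found "
    "* -0.1 SPF_PASS SPF check passed "
    "* -0.0 SPF_HELO_PASS SPF: HELO matches SPF record "
    "*  0.0 HTML_MESSAGE BODY: HTML included in message "
    "*  0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts "
    "*  0.4 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML "
    "*      tag"
)
REQUIRED = 5.0

# A rule line is "* <score> <RULE_NAME> ..."; continuation lines have no score.
RULE = re.compile(r"\*\s+(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]+)")


def parse_report(report):
    """Return [(rule_name, score), ...] for every rule hit in the report."""
    return [(name, float(score)) for score, name in RULE.findall(report)]


def total(hits, drop=()):
    """Sum the rule scores, optionally ignoring the rules named in 'drop'."""
    return round(sum(score for name, score in hits if name not in drop), 1)


def is_spam(hits, required=REQUIRED, drop=()):
    """SpamAssassin flags a message once the summed score reaches 'required'."""
    return total(hits, drop) >= required


if __name__ == "__main__":
    hits = parse_report(REPORT)
    for name, score in sorted(hits, key=lambda h: -h[1]):
        print(f"{score:5.1f}  {name}")
    print("total:", total(hits), "spam:", is_spam(hits))
    print("without BAYES_00:", total(hits, drop={"BAYES_00"}),
          "spam:", is_spam(hits, drop={"BAYES_00"}))
```

For this message the two URI blacklist hits add up to 2.9, so the total stays under the required 5.0 even when the BAYES_00 deduction is left out.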

Thanks for the reactions.

I’ll first do an update to the latest version (next week) and see if that fixes something.