On 8/5/07, Jordi Espasa <[EMAIL PROTECTED]> wrote:
> Hi folks,
>
> I use Amavisd-new with ClamAV and Spamassassin in a CentOS+Postfix
> environment.
>
> Recently I've seen some spam mails that have passed through the
> Amavisd-new filter without problems. I wonder exactly why and how these
> mails have done it.
It's not all that hard to create messages that get low SpamAssassin
scores. It happens because spammers are very much aware of how
SpamAssassin works and they spend time creating messages that get low
scores.

> First of all I've modified the $log_level configuration variable
> to a high value (5) in the amavis.conf file to extract more info.

That will not tell you much about this type of issue. You need to debug
SpamAssassin using 'amavisd debug-sa' or preferably by using
spamassassin at the command line, e.g.:

  su vscan -c 'spamassassin -tD <email.txt'

> The headers of one junk mail are the following:
>
> Return-Path: <[EMAIL PROTECTED]>
> X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on KarlPC.Demmedio
> X-Spam-Level: *
> X-Spam-Status: No, score=1.9 required=5.0 tests=AWL,UNCLAIMED_MONEY
>         autolearn=no version=3.1.8

The headers above are not created by amavisd-new, so we really don't
know what the SpamAssassin that amavisd-new is calling would have scored
this message. It's possible this message was scanned by SA more than
once: once by amavisd-new and once again afterwards. Scanning twice is
not very efficient.
> X-Original-To: [EMAIL PROTECTED]
> Delivered-To: [EMAIL PROTECTED]
> Received: from localhost (tartarus [127.0.0.1])
>         by mail (Intergrid MailServer) with ESMTP id 0374ED50283
>         for <[EMAIL PROTECTED]>; Fri, 3 Aug 2007 18:17:49 +0200 (CEST)
> X-Virus-Scanned: amavisd-new at opengea.org
> Received: from mail ([127.0.0.1])
>         by localhost (tartarus.opengea.org [127.0.0.1]) (amavisd-new,
>         port 10024)
>         with ESMTP id JhwwDFKkot72 for <[EMAIL PROTECTED]>;
>         Fri, 3 Aug 2007 18:17:48 +0200 (CEST)
> Received: from mx-out.strefa.interia.pl (mx-out.strefa.interia.pl
>         [217.74.66.53])
>         by mail (Intergrid MailServer) with ESMTP id 9AE7FD50278
>         for <[EMAIL PROTECTED]>; Fri, 3 Aug 2007 18:17:48 +0200 (CEST)
> Received: by scol3.st.interia.pl (Postfix, from userid 1235)
>         id 265D73EFDC; Fri, 3 Aug 2007 18:17:47 +0200 (CEST)
> Received: from mx.strefa.interia.pl (mx-out.strefa.interia.pl
>         [217.74.66.59])
>         by scol3.st.interia.pl (Postfix) with ESMTP id D91893E29F;
>         Fri, 3 Aug 2007 18:17:44 +0200 (CEST)
> Received: by mx.strefa.interia.pl (Postfix, from userid 65534)
>         id AEC0A3EB8; Fri, 3 Aug 2007 18:17:44 +0200 (CEST)
> Received: from new.st.interia.pl (new.st.interia.pl [217.74.66.42])
>         by system.wewnetrzny (Postfix) with ESMTP id 68588F0;
>         Fri, 3 Aug 2007 18:17:44 +0200 (CEST)
> Date: 03 Aug 2007 18:17:44 +0200
> From: rosemarry_van <[EMAIL PROTECTED]>
> Subject: File For Claim Of Fund.
> To: [EMAIL PROTECTED]
> MIME-Version: 1.0
> Content-Type: TEXT/plain;
>         CHARSET=ISO-8859-2
> Content-Transfer-Encoding: QUOTED-PRINTABLE
> X-EMID:e6740acc
> X-ORIGINATE-IP:24.132.107.23
> Organization: INTERIA.PL S.A.
> Message-Id: <[EMAIL PROTECTED]>
> X-Length: 5685
> X-UID: 24
>
> <SPAM BODY DATA HERE>
>
> The more unpleasant thing is that the junk mails are sent to ALL users
> in my domains.
>
> Any clues to improve SA effectiveness? Maybe I should set the
> required_hits variable to a lower value than the current one (5) in the
> local.cf spamassassin conf file...
When the threshold is at 5.0, lowering the threshold is not the answer
IMHO. Just so you know, amavisd-new does not use required_hits in
local.cf (but you are using it when SpamAssassin runs for what is
probably the second time). Amavisd-new should be using something like
$sa_tag2_level_deflt in amavisd.conf to provide this function. See:

http://www.ijs.si/software/amavisd/#faq-spam

Improving SpamAssassin is really more of a SpamAssassin question than an
amavisd-new question, but it looks like you could benefit from the
botnet plugin (but I personally would lower the score from 5.0 to
something closer to 2.0):

http://people.ucsc.edu/~jrudd/spamassassin/Botnet-0.7.tar

and p0f. Search for 'passive operating-system fingerprinting' and p0f
in:

http://www.ijs.si/software/amavisd/release-notes.txt

You can also search the mailing list archives for p0f.

Also consider adding SARE rules:

http://rulesemporium.com/rules.htm
http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt

Where (when) rule sets are numbered: *0.cf *1.cf *2.cf etc. The 'file 0'
rules are the safest and therefore are the ones I can recommend.

Don't forget to run sa-update on a regular basis (once a day is fine).

Gary V
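An added example, not from this thread or from the amavisd-new project, that applies the two points made above to the headers quoted earlier: it parses X-Spam-Status, flags the "scanned twice" case (amavisd-new stamped X-Virus-Scanned, yet the spam headers are in plain SpamAssassin form rather than amavisd-new's tagged_above=/bracketed form), and maps the score onto amavisd-new's $sa_*_level thresholds instead of required_hits. The sample headers are constructed from the quoted message, and the helper names and threshold values are assumptions.

```python
import email
import re

# Constructed sample built from the headers quoted in the thread
# (body omitted, recipient replaced with a placeholder address).
SAMPLE = """\
X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on KarlPC.Demmedio
X-Spam-Level: *
X-Spam-Status: No, score=1.9 required=5.0 tests=AWL,UNCLAIMED_MONEY
\tautolearn=no version=3.1.8
X-Virus-Scanned: amavisd-new at opengea.org
Received: from mail ([127.0.0.1])
\tby localhost (tartarus.opengea.org [127.0.0.1]) (amavisd-new, port 10024)
\twith ESMTP id JhwwDFKkot72 for <user@example.org>;
\tFri, 3 Aug 2007 18:17:48 +0200 (CEST)
Subject: File For Claim Of Fund.

"""

# Handles both plain SA ("tests=A,B") and amavisd-new ("tagged_above=2
# required=5 tests=[A=1.0, B=2.0]") header layouts.
STATUS_RE = re.compile(
    r"score=(-?[\d.]+)\s+(?:tagged_above=\S+\s+)?required=([\d.]+)\s+"
    r"tests=(\[[^\]]*\]|\S+)")


def parse_spam_status(raw):
    """Return (score, required, [test names]) from X-Spam-Status, or None."""
    status = email.message_from_string(raw).get("X-Spam-Status")
    if status is None:
        return None
    m = STATUS_RE.search(" ".join(status.split()))   # unfold continuation
    if not m:
        return None
    tests = [t.split("=")[0].strip() for t in m.group(3).strip("[]").split(",")]
    return float(m.group(1)), float(m.group(2)), tests


def double_scan_suspected(raw):
    """Heuristic (assumption): amavisd-new scanned the mail, but the spam
    header lacks amavisd-new's tagged_above= field, so a separate
    SpamAssassin run wrote it afterwards."""
    msg = email.message_from_string(raw)
    by_amavisd = "amavisd-new" in (msg.get("X-Virus-Scanned") or "")
    status = msg.get("X-Spam-Status") or ""
    return by_amavisd and bool(status) and "tagged_above=" not in status


def amavisd_verdict(score, tag_level=2.0, tag2_level=5.0, kill_level=5.0):
    """Map a score onto amavisd-new's $sa_tag_level_deflt,
    $sa_tag2_level_deflt and $sa_kill_level_deflt (values assumed)."""
    if score >= kill_level:
        return "kill"    # handled per $final_spam_destiny
    if score >= tag2_level:
        return "tag2"    # X-Spam-Flag: YES and subject tag
    if score >= tag_level:
        return "tag"     # X-Spam-Status/X-Spam-Level headers only
    return "pass"
```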
