Amavis doesn't mark mail as spam, and doesn't set spam headers

[chaouche yacine]

  
Dear list,

I received an email for raybans, which was 300% spam (14.0 score, threshold set 
at 5.0), and it didn't get marked by amavis.

Here's how amavis is configured : 

 
 root@messagerie[10.10.10.19] /etc/amavis/conf.d # removeblanks 50-user
use strict;
$myhostname = "mailhost.mytld.";
$virus_admin = "it_sys\@$mydomain";
$sa_tag_level_deflt  = -999;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 5.0; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 999; # triggers spam evasive actions
$sa_dsn_cutoff_level = 5.0;   # spam level beyond which a DSN is not sent
$final_spam_destiny       = D_PASS;
$final_bad_header_destiny = D_PASS;     # False-positive prone (for spam)
1;  # ensure a defined return
root@messagerie[10.10.10.19] /etc/amavis/conf.d #   In particular, this line 
caught my attention : 

 
 $sa_tag2_level_deflt = 5.0; # add 'spam detected' headers at that levelI also 
have grepped for SPAM to check where amavis rewrites the subject and found this 
line in 20-debian_defaults : root@messagerie[10.10.10.19] /etc/amavis/conf.d # 
grep SPAM *
...
20-debian_defaults:$sa_spam_subject_tag = '***SPAM*** ';
...
root@messagerie[10.10.10.19] /etc/amavis/conf.d # So reading this configuration 
files it seems that amavis is supposed to 
1) add a spam detected headers ("at that level" I don't know what that means)
2) add a ***SPAM*** tag in the subject



Here's my spamassassinroot@messagerie[10.10.10.19] /etc/spamassassin # 
removeblanks local.cf
rewrite_header Subject *****SPAM*****
ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
endif # Mail::SpamAssassin::Plugin::Shortcircuit
root@messagerie[10.10.10.19] /etc/spamassassin # It also seems, reading from 
this config file, that spamassassin should add a *****SPAM***** tag in the 
subject.


Here are the mail logs : Nov 28 16:33:14 messagerie postfix/smtpd[42277]: 
738D73A80088: client=unknown[101.55.71.90]
Nov 28 16:33:14 messagerie postfix/cleanup[46611]: 738D73A80088: 
message-id=<bf680addabf683575f7cc153be8a9094@101.55.71.3>
Nov 28 16:33:15 messagerie postfix/qmgr[37877]: 738D73A80088: 
from=<bounce-3308-19491836-3512-...@frdww.com>, size=46200, nrcpt=1 (queue 
active)
Nov 28 16:33:16 messagerie postfix/smtpd[42277]: disconnect from 
unknown[101.55.71.90]
Nov 28 16:33:16 messagerie postfix/smtpd[46615]: connect from 
localhost[127.0.0.1]
Nov 28 16:33:16 messagerie postfix/smtpd[46615]: 6609E3A8008E: 
client=localhost[127.0.0.1]
Nov 28 16:33:16 messagerie postfix/cleanup[46611]: 6609E3A8008E: 
message-id=<bf680addabf683575f7cc153be8a9094@101.55.71.3>
Nov 28 16:33:16 messagerie postfix/smtpd[46615]: disconnect from 
localhost[127.0.0.1]
Nov 28 16:33:16 messagerie postfix/qmgr[37877]: 6609E3A8008E: 
from=<bounce-3308-19491836-3512-...@frdww.com>, size=46717, nrcpt=1 (queue 
active)
Nov 28 16:33:16 messagerie amavis[46130]: (46130-07) Passed SPAMMY 
{RelayedOpenRelay}, [101.55.71.90]:53783 [101.55.71.90] 
<bounce-3308-19491836-3512-...@frdww.com> -> <a.chaou...@mydomain.tld>, 
Queue-ID: 738D73A80088, Message-ID: 
<bf680addabf683575f7cc153be8a9094@101.55.71.3>, mail_id: lBrIu_4QeHCa, Hits: 
11.386, size: 46197, queued_as: 6609E3A8008E, 736 ms
Nov 28 16:33:16 messagerie postfix/smtp[46612]: 738D73A80088: 
to=<a.chaou...@mydomain.tld>, relay=127.0.0.1[127.0.0.1]:10024, delay=2, 
delays=1.2/0.01/0/0.74, dsn=2.0.0, status=sent (250 2.0.0 from 
MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 6609E3A8008E)
Nov 28 16:33:16 messagerie postfix/qmgr[37877]: 738D73A80088: removed
Nov 28 16:33:16 messagerie postfix/pickup[45522]: 6AD523A80092: uid=1001 
from=<bounce-3308-19491836-3512-...@frdww.com>
Nov 28 16:33:16 messagerie postfix/cleanup[46611]: 6AD523A80092: 
message-id=<bf680addabf683575f7cc153be8a9094@101.55.71.3>
Nov 28 16:33:16 messagerie postfix/qmgr[37877]: 6AD523A80092: 
from=<bounce-3308-19491836-3512-...@frdww.com>, size=47174, nrcpt=1 (queue 
active)
Nov 28 16:33:16 messagerie postfix/lmtp[46616]: 6609E3A8008E: 
to=<a.chaou...@mydomain.tld>, relay=mailhost.tl[dprivate/dovecot-lmtp], 
delay=0.03, delays=0/0/0/0.02, dsn=2.0.0, status=sent (250 2.0.0 
<a.chaou...@mydomain.tld> uTNQGbyBHVrKtQAArJM0yg Saved)
Nov 28 16:33:16 messagerie postfix/qmgr[37877]: 6609E3A8008E: removed
In particular, we have this line :

 
 Nov 28 16:33:16 messagerie amavis[46130]: (46130-07) Passed SPAMMY 
{RelayedOpenRelay}, [101.55.71.90]:53783 [101.55.71.90] 
<bounce-3308-19491836-3512-...@frdww.com> -> <a.chaou...@mydomain.tld>, 
Queue-ID: 738D73A80088, Message-ID: 
<bf680addabf683575f7cc153be8a9094@101.55.71.3>, mail_id: lBrIu_4QeHCa, Hits: 
11.386, size: 46197, queued_as: 6609E3A8008E, 736 msSo we know amavis detected 
that the email was spammy, but didn't rewrite the subject ! here are the 
headers :
 
Return-Path: <bounce-3308-19491836-3512-...@frdww.com>
Delivered-To: <a.chaou...@mydomain.tld>
Received: from messagerie.mydomain.tld
        by messagerie.mydomain.tld (Dovecot) with LMTP id uTNQGbyBHVrKtQAArJM0yg
        for <a.chaou...@mydomain.tld>; Tue, 28 Nov 2017 16:33:16 +0100
Received: from localhost (localhost [127.0.0.1])
        by messagerie.mydomain.tld (Postfix) with ESMTP id 6609E3A8008E
        for <a.chaou...@mydomain.tld>; Tue, 28 Nov 2017 16:33:16 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at messagerie.mydomain.tld
Received: from messagerie.mydomain.tld ([127.0.0.1])
        by localhost (messagerie.mydomain.tld. [127.0.0.1]) (amavisd-new, port 
10024)
        with ESMTP id lBrIu_4QeHCa for <a.chaou...@mydomain.tld>;
        Tue, 28 Nov 2017 16:33:15 +0100 (CET)
Received: from 9.frdww.com (unknown [101.55.71.90])
        by messagerie.mydomain.tld (Postfix) with ESMTP id 738D73A80088
        for <a.chaou...@mydomain.tld>; Tue, 28 Nov 2017 16:33:14 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=frdww; d=frdww.com;
 
h=Date:To:From:Reply-to:Subject:Message-ID:List-Unsubscribe:MIME-Version:Content-Transfer-Encoding:Content-Type;
 i=he...@frdww.com;
 bh=SQsVo8OmiXaSIiVx4P9ctCKthwM=;
 b=EqbkxLTMUduPOzVBULrkN48h5yST8A3MkVUuI+u1XQh+gyFszmY2GKS4a6b2kNzTbqVvU/OAdfM0
   85J8m/+N0h/AwGnp2W2bXQ5QPoJGrYk/npL98xfx2FWxETrd+9l/NankuuI4pdW3CWshSVNv3q1+
   yqNN1S1bHfq1aQjiBx4=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=frdww; d=frdww.com;
 b=HIA8xB9FoklljU9NDxZjwSZRCVNiBSWnpvt3yH75Am9K82UMiWEEbEb/XtPYz3FncjOxSrXAKwVl
   HRSy6qqPtm+Y+UYeVRS9mwgR7zL/j48IX6zNhBL1RbtKMzMzdPND5HzSCuugoBhrHuqBOG8hPBps
   cgic2UZJJ/pgPaMFXCQ=;
Received: by 9.frdww.com id h3nove0e97c0 for <a.chaou...@mydomain.tld>; Tue, 28 
Nov 2017 09:32:31 -0500 (envelope-from 
<bounce-3308-19491836-3512-...@frdww.com>)
Date: Tue, 28 Nov 2017 09:32:31 -0500
To: "a.chaou...@mydomain.tld" <a.chaou...@mydomain.tld>
From: Ray Ban <he...@frdww.com>
Reply-to: Ray Ban <he...@frdww.com>
Subject: [Black Friday] Ray Ban Sunglasses 2017 New Styles. 89% Off All Sales.
Message-ID: <bf680addabf683575f7cc153be8a9094@101.55.71.3>
X-Priority: 3
X-Mailer: frdww.com
X-Complaints-To: he...@frdww.com
List-Unsubscribe: <http://rb3.frdww.com/oem/u.php?p=s8/rs/22hw/s9/s8/rs>
X-MessageID: 
MTZ8fHx8OTU1NDh8fHx8YS5jaGFvdWNoZUBhbGdlcmlhbi1yYWRpby5kenx8fHwxN3x8fHwxfHx8fDA%3D
X-Report-Abuse: 
<http://rb3.frdww.com/oem/report_abuse.php?mid=MTZ8fHx8OTU1NDh8fHx8YS5jaGFvdWNoZUBhbGdlcmlhbi1yYWRpby5kenx8fHwxN3x8fHwxfHx8fDA%3D>
X-frdww.com: frdww.com
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"



Here's what spamc says about the email :root@messagerie[10.10.10.19] 
/etc/amavis/conf.d # cat /tmp/spamreport
14.1/5.0
Spam detection software, running on the system "messagerie.algerian-radio.dz",
has identified this incoming email as possible spam.  The original
message has been attached to this so you can view it or label
similar future email.  If you have any questions, see
the administrator of that system for details.

Content preview:  Untitled document SHOP ONLINE AVIATOR WAYFARER CUSTOMIZE 
PRESCRIPTION
   SUN Back with a hero's welcome, General is the latest iconic style to the
   revived by Ray-Ban. SHOP NOW RAY-BAN CUSTOMER CARE 12 Harbor Park Drive Port
   Washington, NY 11050 [...]

Content analysis details:   (14.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.7 RCVD_IN_PSBL           RBL: Received via a relay in PSBL
                            [101.55.71.90 listed in psbl.surriel.com]
 2.5 URIBL_DBL_SPAM         Contains a spam URL listed in the DBL blocklist
                            [URIs: rbwayn.com]
 1.3 URI_HEX                URI: URI hostname has long hexadecimal sequence
 1.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.0 HTML_IMAGE_RATIO_06    BODY: HTML has a low ratio of text to image area
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or identical to
                            background
 1.6 RCVD_IN_BRBL_LASTEXT   RBL: No description available.
                            [101.55.71.90 listed in bb.barracudacentral.org]
 1.9 URIBL_ABUSE_SURBL      Contains an URL listed in the ABUSE SURBL blocklist
                            [URIs: frdww.com]
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily 
valid
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from 
author's
                            domain
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 1.7 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: rbwayn.com]
 1.3 RDNS_NONE              Delivered to internal network by a host with no rDNS

root@messagerie[10.10.10.19] /etc/amavis/conf.d # 
Any tips on how to troubleshoot this appreaciated.

Yassine.