Re: Logwatch from local machine being flagged as spam
On 2017-08-06 10:37, Scott wrote:
> Centos7
> Postfix 3.2.2
> Amavisd 2.11.0
> spamassassin-3.4.0

> To: r...@mail2.myserver.com
> From: logwa...@mail2.myserver.com

Since these are locally submitted messages (i.e. not SMTP), IMO the best and cleanest way to deal with it is to tell the MTA not to pass them to amavisd, if you can. This is easy to do with Exim, for example - I'm not sure about Postfix. Then you don't have to care about the IP addresses or domains.

-- 
Please don't Cc: me privately on mailing lists and Usenet, if you also post the followup to the list or newsgroup. Do obvious transformation on domain to reply privately _only_ on Usenet.
Re: Logwatch from local machine being flagged as spam
On Sun, 6 Aug 2017 10:37:36 -0700 (MST) Scott wrote:
> Centos7
> Postfix 3.2.2
> Amavisd 2.11.0
> spamassassin-3.4.0
>
> I have a logwatch output that gets mailed to me daily. Spamassassin
> is scoring it high enough as to exceed my threshold for whacking it as
> spam.
>
> While this is not good, I'm concerned I have something fundamental
> misconfigured where it would flag anything internal at all. Bayes is
> not being used yet (tokens <200). What is the proper way to allow
> messages from the server itself to not get flagged by SA?
>
> I have the server's IP address (y.y.y.y) in my lists of trusted and
> internal as so:
> trusted_networks xx.xx.xx.xx
> trusted_networks y.y.y.y
> trusted_networks z.z.z.z
>
> internal_networks xx.xx.xx.xx
> internal_networks y.y.y.y
> internal_networks z.z.z.z
>
> I don't see that that made any difference. Shouldn't it have?
>
> Header of intercepted message:
>
> From MAILER-DAEMON Sun Aug 6 04:02:19 2017
> Return-Path: <>
> X-Original-To: s...@myserver.com
> Delivered-To: s...@myserver.com
> X-Envelope-From: <r...@mail2.myserver.com>
> X-Envelope-To: <r...@mail2.myserver.com>
> X-Envelope-To-Blocked: <r...@mail2.myserver.com>
> X-Quarantine-ID:
> X-Spam-Flag: YES
> X-Spam-Score: 7.332
> X-Spam-Level: ***
> X-Spam-Status: Yes, score=7.332 tag=- tag2=5 kill=6.4
> tests=[NORMAL_HTTP_TO_IP=0.001, NO_RELAYS=-0.001,
> URIBL_ABUSE_SURBL=1.948, URIBL_BLACK=1.7, URIBL_DBL_SPAM=2.5,
> URIBL_GREY=1.084, URIBL_SBL_A=0.1] autolearn=no

What's happening here is that SA is picking up spammer domains in the text.

SA is seeing no Received headers so whitelist_from_rcvd isn't going to work and your internal/trusted networks are irrelevant.

What you could do is meta NO_RELAYS with a rule that's a suitable identifier for this kind of mail. Check that you aren't seeing NO_RELAYS in any spam.
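Added example, not part of the original post: one way to write the meta rule suggested above in a SpamAssassin local.cf. The rule names (LOCAL_LOGWATCH, __LOCAL_LW_*) and the -8.0 score are assumptions made for this example; the header patterns come from the intercepted message quoted in this thread.

```conf
# local.cf fragment (added example; rule names and score are assumptions)

# Sub-rules: a leading double underscore means the rule carries no score
# of its own and exists only to be referenced from a meta rule.
# Both patterns match headers visible in the intercepted Logwatch report.
header   __LOCAL_LW_SUBJECT  Subject =~ /^Logwatch for mail2\.myserver\.com \(Linux\)/
header   __LOCAL_LW_AUTO     Auto-Submitted =~ /^auto-generated\b/i

# Combine the identifiers with NO_RELAYS, which hit on this message because
# SA saw no Received headers (local submission, not SMTP). Requiring it
# means the Subject and Auto-Submitted headers alone are not enough.
meta     LOCAL_LOGWATCH      (NO_RELAYS && __LOCAL_LW_SUBJECT && __LOCAL_LW_AUTO)
describe LOCAL_LOGWATCH      Locally submitted Logwatch report
# Assumed value: large enough to offset the 7.332 of URIBL hits shown above
# and bring the report under tag2=5. Tune to your own thresholds.
score    LOCAL_LOGWATCH      -8.0
```

Run `spamassassin --lint` after editing to catch syntax errors, then restart or reload amavisd so the new rule is loaded.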
Re: Logwatch from local machine being flagged as spam
On 08/06/2017 05:10 PM, msxc wrote:
>>> I have a logwatch output that gets mailed to me daily. Spamassassin is
>>> scoring it high enough as to exceed my threshold for whacking it as spam.
>> Please subscribe to the list for future posts.
>>
>> However, I would argue that this is expected behavior because your
>> logwatch notice almost certainly contains lots of information about spam
>> emails. You'll want to look at whitelisting/exempting it from scanning.
>
> KAM, thanks. Re subscribe, I am, I may have my sending address crossed up as
> I migrate to a new server. I'll try to get that straightened out. Sorry
> about that.
>
> I understand/agree with your point. If it smells like spam, tag it if asked
> to analyze it. Perhaps I incorrectly assumed it shouldn't be smelling for
> trusted networks. :)
>
> Anyway, I found a potential cause, or at least a misconfiguration. I've got
> Amavisd calling SA and I missed a primary IP in its mynetworks setting. If
> that doesn't clear it I'll see about whitelisting.

As Alex already mentioned, the mynetworks setting isn't about whitelisting. That only controls the ALL_TRUSTED rule hit and some other RBL checks based on last_external. Basically it provides a little trust based on IP reputation and has nothing to do with content-based rules that are most likely the problem with logwatch emails.

I would and have set up a whitelist_from_rcvd entry something like:

    whitelist_from_rcvd root@* [ip.ad.dr.ess]

or

    whitelist_from_rcvd root@* mycompany.com

Note the second one is going to be useful if you have set up correct FCrDNS which is not common on internal RFC 1918 network space so I would recommend the IP address version.

-- 
David Jones
RE: Logwatch from local machine being flagged as spam
>> I have a logwatch output that gets mailed to me daily. Spamassassin is
>> scoring it high enough as to exceed my threshold for whacking it as spam.
>Please subscribe to the list for future posts.
>
>However, I would argue that this is expected behavior because your
>logwatch notice almost certainly contains lots of information about spam
>emails. You'll want to look at whitelisting/exempting it from scanning.

KAM, thanks. Re subscribe, I am, I may have my sending address crossed up as I migrate to a new server. I'll try to get that straightened out. Sorry about that.

I understand/agree with your point. If it smells like spam, tag it if asked to analyze it. Perhaps I incorrectly assumed it shouldn't be smelling for trusted networks. :)

Anyway, I found a potential cause, or at least a misconfiguration. I've got Amavisd calling SA and I missed a primary IP in its mynetworks setting. If that doesn't clear it I'll see about whitelisting.

Thanks,
Scott
Re: Logwatch from local machine being flagged as spam
Hi,

> I have the server's IP address (y.y.y.y) in my lists of trusted and internal
> as so:
> trusted_networks xx.xx.xx.xx
> trusted_networks y.y.y.y
> trusted_networks z.z.z.z
>
> internal_networks xx.xx.xx.xx
> internal_networks y.y.y.y
> internal_networks z.z.z.z
>
> I don't see that that made any difference. Shouldn't it have?

No, I don't believe that is its purpose. trusted/internal networks is intended to define the demarc between you and the outside world to, for example, know at which point the headers are trustworthy, not to automatically stop scanning.

Since you're using amavisd, add something like this to your config:

    $policy_bank{'TRUSTED'} = {
      originating => 1,
      bypass_virus_checks_maps => [1],
      bypass_spam_checks_maps => [1],
      bypass_banned_checks_maps => [1],
      bypass_header_checks_maps => [1],
    };

Then add the IPs you wish to bypass scanning to your client_ipaddr_policy:

    @client_ipaddr_policy = (
      [qw( 1.2.3.4/32 )] => 'TRUSTED',
      [qw( 5.6.7.8/32 )] => 'TRUSTED',
      [qw( 4.3.2.0/24 )] => 'TRUSTED',
    );

Restart/reload amavisd or just wait for it to do that itself periodically.

Look up amavisd policy banks for more info.
Re: Logwatch from local machine being flagged as spam
On 8/6/2017 1:37 PM, Scott wrote:
> I have a logwatch output that gets mailed to me daily. Spamassassin is
> scoring it high enough as to exceed my threshold for whacking it as spam.

Please subscribe to the list for future posts.

However, I would argue that this is expected behavior because your logwatch notice almost certainly contains lots of information about spam emails. You'll want to look at whitelisting/exempting it from scanning.

Regards,
KAM
Logwatch from local machine being flagged as spam
Centos7
Postfix 3.2.2
Amavisd 2.11.0
spamassassin-3.4.0

I have a logwatch output that gets mailed to me daily. Spamassassin is scoring it high enough as to exceed my threshold for whacking it as spam.

While this is not good, I'm concerned I have something fundamental misconfigured where it would flag anything internal at all. Bayes is not being used yet (tokens <200). What is the proper way to allow messages from the server itself to not get flagged by SA?

I have the server's IP address (y.y.y.y) in my lists of trusted and internal as so:

trusted_networks xx.xx.xx.xx
trusted_networks y.y.y.y
trusted_networks z.z.z.z

internal_networks xx.xx.xx.xx
internal_networks y.y.y.y
internal_networks z.z.z.z

I don't see that that made any difference. Shouldn't it have?

Header of intercepted message:

>From MAILER-DAEMON Sun Aug 6 04:02:19 2017
Return-Path: <>
X-Original-To: s...@myserver.com
Delivered-To: s...@myserver.com
X-Envelope-From: <r...@mail2.myserver.com>
X-Envelope-To: <r...@mail2.myserver.com>
X-Envelope-To-Blocked: <r...@mail2.myserver.com>
X-Quarantine-ID:
X-Spam-Flag: YES
X-Spam-Score: 7.332
X-Spam-Level: ***
X-Spam-Status: Yes, score=7.332 tag=- tag2=5 kill=6.4
    tests=[NORMAL_HTTP_TO_IP=0.001, NO_RELAYS=-0.001,
    URIBL_ABUSE_SURBL=1.948, URIBL_BLACK=1.7, URIBL_DBL_SPAM=2.5,
    URIBL_GREY=1.084, URIBL_SBL_A=0.1] autolearn=no autolearn_force=no
To: r...@mail2.myserver.com
From: logwa...@mail2.myserver.com
Subject: Logwatch for mail2.myserver.com (Linux)
Auto-Submitted: auto-generated
Precedence: bulk
Content-Type: text/plain; charset="iso-8859-1"
Date: Sun, 6 Aug 2017 04:02:03 -0500 (CDT)

-- 
View this message in context: http://spamassassin.1065346.n5.nabble.com/Logwatch-from-local-machine-being-flagged-as-spam-tp137946.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.