So I've been tasked with researching an issue with the mail server at work.
We use Spamassassin and at present, it's not blocking some pretty obvious
spam, largely from the domain qq.com. Basically email is slipping through,
being bounced back by the receiving server at the end, then our server tries to
bounce back to qq.com, which doesn't exist at that point, and we get a bounce
message. Hundreds of these suckers are coming through daily.

It looks like:
1. The spam filter learning (BAYES_*) algorithm is failing to learn these
messages, even with manual help.
2. The blacklist checks (*BL) are not running on these messages, though they
are running on other messages.

Even when the message is manually learned and the domain in question is
blacklisted, these messages are getting through. Below is a sample of one of
the message headers with a slight edit (to hide our server and clients
address). Everything pertinent should be in there. My question is basically,
why would BAYES be failing to learn, and what could be wrong that even
manual blacklisting isn't stopping the email from coming through our servers
in the first place?

Return-Path: <1016127...@qq.com>
Received: from ciasi.net (unknown [222.185.137.152])
        by <ourserver> (Postfix) with SMTP id 0CBE73B78
        for <clientemail>; Wed, 19 Sep 2018 20:41:27 -0400 (EDT)
Received: from ciasi.net (unknown (133.107.2.163])
         by ciasi.net with SMTP id 5e0effce-4536-49de-bc6a-72d3e686fe4d;
         for <1016127...@qq.com>;Wed, 19 Sep 2018 03:29:20 +08:00
Message-ID: <d619820560a7dfc823c408dd331cb...@qq.com>
From: "=?utf-8?B?5YWz6JST?=" <1016127...@qq.com>
To: <clientemail>
Subject: [SPAM]
=?utf-8?B?5aiBIE4gU+OAkDMzNTQxOOeCuUNPTeOAkeWFqOeQg+acgOWkp0IgQyDpm4blm6LvvIzmvrM=?=
        =?utf-8?B?6Zeo5Yqg5YWl54uC5qyi6IqC77yM5Li7562W6LWg6aS4MTg46Iqr77yM?=
        =?utf-8?B?5q+P5pyI5Lq/5ZyG6Y655Yiw5L2g5pq05a+ML+iLjeepueenkeaKgA==?=
        =?utf-8?B?6LWE6K6v44CQMTEwNC50ZWNo44CRWUMzSmZhQXdBbDg0VQ==?=
Date: Wed, 19 Sep 2018 03:29:20 +0800
MIME-Version: 1.0
Content-Type: text/html;
        charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Disposition-Notification-To: 1016127...@qq.com
X-Spam-Flag: YES
X-Spam-Status: Yes, score=7.9 required=5.0
        tests=BAYES_05,DATE_IN_PAST_06_12,
        DIGEST_MULTIPLE,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,FROM_EXCESS_BASE64,
        HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,PYZOR_CHECK,
        RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,UNPARSEABLE_RELAY autolearn=no
        version=3.3.2
X-Spam-Report:
        *  0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
        *      (1016127695[at]qq.com)
        *  1.5 DATE_IN_PAST_06_12 Date: is 6 to 12 hours before Received: date
        *  0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in
        *      digit (1016127695[at]qq.com)
        *  0.0 HTML_MESSAGE BODY: HTML included in message
        *  0.7 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
        * -0.5 BAYES_05 BODY: Bayes spam probability is 1 to 5%
        *      [score: 0.0113]
        *  1.9 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
        *      [cf: 100]
        *  0.9 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
        *  1.4 PYZOR_CHECK Listed in Pyzor
        *      (https://pyzor.readthedocs.io/en/latest/)
        *  0.3 DIGEST_MULTIPLE Message hits more than one network digest check
        *  0.4 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag
        *  1.0 FROM_EXCESS_BASE64 From: base64 encoded unnecessarily
        *  0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay lines
X-Spam-Level: *******
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on <ourserver>



--
Sent from: http://spamassassin.1065346.n5.nabble.com/SpamAssassin-Users-f3.html
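As an added example (not part of the post above, and not SpamAssassin's own code), the script below parses an X-Spam-Status header of the kind quoted in the post and walks through the autolearn preconditions that SpamAssassin's AutoLearnThreshold plugin documents: the spam threshold (default 12.0), the non-spam threshold (default 0.1), and the requirement of at least 3 header points and 3 body points, with BAYES_* ("learn") rules left out of the sum. Those defaults are assumed here from the plugin documentation; the per-rule scores are taken from the X-Spam-Report in the post, and the header/body/net classification of each rule is a hand-built table for just these rules (real SpamAssassin takes rule types from the rule definitions and re-scores the message with the non-Bayes score set, so the numbers are an approximation of what it computes, not a reproduction).

```python
import re

# Constructed from the X-Spam-Status header quoted in the post, with the
# folded continuation lines rejoined.
SAMPLE_STATUS = (
    "Yes, score=7.9 required=5.0 tests=BAYES_05,DATE_IN_PAST_06_12,\n"
    "        DIGEST_MULTIPLE,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,FROM_EXCESS_BASE64,\n"
    "        HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,PYZOR_CHECK,\n"
    "        RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,UNPARSEABLE_RELAY autolearn=no\n"
    "        version=3.3.2"
)

# Scores copied from the X-Spam-Report in the post; the rule kind
# (header / body / net / learn) is a hand-built classification for these
# rules only, an assumption for this example.
RULES = {
    "BAYES_05": (-0.5, "learn"),
    "DATE_IN_PAST_06_12": (1.5, "header"),
    "FREEMAIL_ENVFROM_END_DIGIT": (0.2, "header"),
    "FREEMAIL_FROM": (0.0, "header"),
    "FROM_EXCESS_BASE64": (1.0, "header"),
    "UNPARSEABLE_RELAY": (0.0, "header"),
    "HTML_MESSAGE": (0.0, "body"),
    "HTML_MIME_NO_HTML_TAG": (0.4, "body"),
    "MIME_HTML_ONLY": (0.7, "body"),
    "RAZOR2_CF_RANGE_51_100": (1.9, "net"),
    "RAZOR2_CHECK": (0.9, "net"),
    "PYZOR_CHECK": (1.4, "net"),
    "DIGEST_MULTIPLE": (0.3, "net"),
}

# Assumed defaults, per the AutoLearnThreshold plugin documentation.
THRESHOLD_SPAM = 12.0
THRESHOLD_NONSPAM = 0.1
MIN_HEADER_POINTS = 3.0
MIN_BODY_POINTS = 3.0

STATUS_RE = re.compile(
    r"(?P<flag>Yes|No),\s*score=(?P<score>-?\d+(?:\.\d+)?)\s+"
    r"required=(?P<required>\d+(?:\.\d+)?)\s+tests=(?P<tests>.*?)\s+"
    r"autolearn=(?P<autolearn>\w+)",
    re.S,
)


def parse_spam_status(value):
    """Parse an X-Spam-Status value, tolerating folded (multi-line) tests= lists."""
    m = STATUS_RE.search(value)
    if not m:
        raise ValueError("not a recognisable X-Spam-Status value")
    tests = [t for t in re.sub(r"\s+", "", m.group("tests")).split(",") if t]
    return {
        "flag": m.group("flag") == "Yes",
        "score": float(m.group("score")),
        "required": float(m.group("required")),
        "tests": tests,
        "autolearn": m.group("autolearn"),
    }


def autolearn_verdict(tests, rules=RULES):
    """Apply the documented autolearn preconditions to a list of hit rules."""
    points = {"header": 0.0, "body": 0.0, "net": 0.0, "learn": 0.0}
    for name in tests:
        score, kind = rules[name]
        points[kind] += score
    # Learning rules (BAYES_*) never count toward the autolearn decision.
    total = points["header"] + points["body"] + points["net"]
    reasons = []
    if total < THRESHOLD_NONSPAM:
        return {"verdict": "ham", "total": total, "points": points, "reasons": reasons}
    if total < THRESHOLD_SPAM:
        reasons.append(f"total {total:.1f} below spam threshold {THRESHOLD_SPAM}")
    if points["header"] < MIN_HEADER_POINTS:
        reasons.append(f"header points {points['header']:.1f} below {MIN_HEADER_POINTS}")
    if points["body"] < MIN_BODY_POINTS:
        reasons.append(f"body points {points['body']:.1f} below {MIN_BODY_POINTS}")
    verdict = "spam" if not reasons else "no"
    return {"verdict": verdict, "total": total, "points": points, "reasons": reasons}


def explain(status_value):
    """Combine parsing and the autolearn check for one header value."""
    parsed = parse_spam_status(status_value)
    result = autolearn_verdict(parsed["tests"])
    result["tagged_as_spam"] = parsed["flag"] and parsed["score"] >= parsed["required"]
    return result


if __name__ == "__main__":
    r = explain(SAMPLE_STATUS)
    print("tagged as spam:", r["tagged_as_spam"])
    print("autolearn verdict:", r["verdict"])
    for reason in r["reasons"]:
        print("  -", reason)
```

Run against the sample, the message is tagged (7.9 >= 5.0) but fails every autolearn precondition at once: most of its points come from the network digest checks, the header-only and body-only sums stay under 3 each, and the total is well short of 12. That is also why the marked-up header is only a tag: SpamAssassin adds X-Spam-Flag, and whether a tagged message is delivered, quarantined or rejected is decided by the MTA or the glue that calls SpamAssassin, not by the scan itself.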