So I've been tasked with researching an issue with the mail server at work. We use SpamAssassin and at present, it's not blocking some pretty obvious spam, largely from the domain qq.com. Basically email is slipping through, being bounced back at the end receiving server, then our server tries to bounce back to qq.com, which doesn't exist at that point and we get a bounce message. Hundreds of these suckers are coming through daily.
It looks like:

1. The spam filter learning (BAYES_*) algorithm is failing to learn these messages, even with manual help.
2. The blacklist checks (*BL) are not running on these messages, though they are running on other messages.

Even when the message is manually learned and the domain in question is blacklisted, these messages are getting through. Below is a sample of one of the message headers with a slight edit (to hide our server and client's address). Everything pertinent should be in there. My question is basically, why would BAYES be failing to learn, and what could be wrong that even manual blacklisting isn't stopping the email from coming through our servers in the first place?

Return-Path: <1016127...@qq.com>
Received: from ciasi.net (unknown [222.185.137.152])
        by <ourserver> (Postfix) with SMTP id 0CBE73B78
        for <clientemail>; Wed, 19 Sep 2018 20:41:27 -0400 (EDT)
Received: from ciasi.net (unknown (133.107.2.163])
        by ciasi.net with SMTP id 5e0effce-4536-49de-bc6a-72d3e686fe4d;
        for <1016127...@qq.com>;Wed, 19 Sep 2018 03:29:20 +08:00
Message-ID: <d619820560a7dfc823c408dd331cb...@qq.com>
From: "=?utf-8?B?5YWz6JST?=" <1016127...@qq.com>
To: <clientemail>
Subject: [SPAM] =?utf-8?B?5aiBIE4gU+OAkDMzNTQxOOeCuUNPTeOAkeWFqOeQg+acgOWkp0IgQyDpm4blm6LvvIzmvrM=?=
        =?utf-8?B?6Zeo5Yqg5YWl54uC5qyi6IqC77yM5Li7562W6LWg6aS4MTg46Iqr77yM?=
        =?utf-8?B?5q+P5pyI5Lq/5ZyG6Y655Yiw5L2g5pq05a+ML+iLjeepueenkeaKgA==?=
        =?utf-8?B?6LWE6K6v44CQMTEwNC50ZWNo44CRWUMzSmZhQXdBbDg0VQ==?=
Date: Wed, 19 Sep 2018 03:29:20 +0800
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Disposition-Notification-To: 1016127...@qq.com
X-Spam-Flag: YES
X-Spam-Status: Yes, score=7.9 required=5.0 tests=BAYES_05,DATE_IN_PAST_06_12,
        DIGEST_MULTIPLE,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,FROM_EXCESS_BASE64,
        HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,PYZOR_CHECK,
        RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,UNPARSEABLE_RELAY autolearn=no
        version=3.3.2
X-Spam-Report:
        *  0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
        *      (1016127695[at]qq.com)
        *  1.5 DATE_IN_PAST_06_12 Date: is 6 to 12 hours before Received: date
        *  0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in
        *      digit (1016127695[at]qq.com)
        *  0.0 HTML_MESSAGE BODY: HTML included in message
        *  0.7 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
        * -0.5 BAYES_05 BODY: Bayes spam probability is 1 to 5%
        *      [score: 0.0113]
        *  1.9 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
        *      [cf: 100]
        *  0.9 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
        *  1.4 PYZOR_CHECK Listed in Pyzor
        *      (https://pyzor.readthedocs.io/en/latest/)
        *  0.3 DIGEST_MULTIPLE Message hits more than one network digest check
        *  0.4 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag
        *  1.0 FROM_EXCESS_BASE64 From: base64 encoded unnecessarily
        *  0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay lines
X-Spam-Level: *******
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on <ourserver>

--
Sent from: http://spamassassin.1065346.n5.nabble.com/SpamAssassin-Users-f3.html
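An added example (my own code, not the poster's and not part of SpamAssassin) that parses a folded X-Spam-Status header like the one quoted above and summarises which rule families fired, which is the quickest way to check whether the Bayes bucket, the DNS blocklist rules and the digest services actually ran on a given message. The sample header is constructed from the post, and the DNSBL_RE/NETWORK_RE name patterns are my approximation of stock rule naming, not an exhaustive list.

```python
import re

# Constructed sample: the X-Spam-Status header from the post, folded across
# continuation lines the way SpamAssassin writes it.
SAMPLE_STATUS = (
    "X-Spam-Status: Yes, score=7.9 required=5.0 tests=BAYES_05,DATE_IN_PAST_06_12,\n"
    "\tDIGEST_MULTIPLE,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,FROM_EXCESS_BASE64,\n"
    "\tHTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,PYZOR_CHECK,\n"
    "\tRAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,UNPARSEABLE_RELAY autolearn=no version=3.3.2\n"
)

# Assumed name patterns (approximation of stock rule naming, not a complete list):
DNSBL_RE = re.compile(r"^(RCVD_IN_|URIBL_)|_BL(_|$)")            # DNS blocklist rules ("*BL")
NETWORK_RE = re.compile(r"^(RAZOR2_|PYZOR_|DCC_)|^DIGEST_MULTIPLE$")  # checksum/digest services


def unfold(header_text):
    """Undo RFC 5322 folding: a line that starts with whitespace continues the previous line."""
    return re.sub(r"\r?\n[ \t]+", " ", header_text)


def parse_spam_status(header_text):
    """Return the fields of an X-Spam-Status header (score, required, tests, autolearn, version)."""
    # Folding splits the test list after a comma, so drop the whitespace that unfolding left there.
    line = re.sub(r",\s+", ",", unfold(header_text))
    m = re.search(r"X-Spam-Status:\s*(Yes|No),\s*(.*)", line)
    if not m:
        raise ValueError("no X-Spam-Status header found")
    fields = dict(re.findall(r"(\w+)=(\S+)", m.group(2)))
    return {
        "is_spam": m.group(1) == "Yes",
        "score": float(fields["score"]),
        "required": float(fields["required"]),
        "tests": fields["tests"].split(",") if fields.get("tests") else [],
        "autolearn": fields.get("autolearn"),
        "version": fields.get("version"),
    }


def triage(status):
    """Summarise what fired, to answer 'did the BL checks run?' and 'what did Bayes say?'."""
    tests = status["tests"]
    return {
        "over_threshold": status["score"] >= status["required"],
        "bayes": next((t for t in tests if t.startswith("BAYES_")), None),
        "dnsbl_hits": [t for t in tests if DNSBL_RE.search(t)],
        "network_hits": [t for t in tests if NETWORK_RE.search(t)],
        "autolearn": status["autolearn"],
    }
```

On the quoted header this reports no DNSBL hits at all, a BAYES_05 bucket and autolearn=no, which matches what the post observes; run it over a batch of these messages to see whether the pattern holds.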