Koozali.org: home of the SME Server

Spamassassin Settings Question

gbentley
« on: February 01, 2017, 09:06:03 PM »
Hi All - my email is now routed straight to SME as my primary MX - some users have complained about a lot more spam / marketing crap since switching over the MX - which I assume was previously sorted by the domain host mail setup.

This is what I have:

Spam Filter = Enabled
Spam sensitivity = Custom
Custom spam tagging = 5
Custom spam rejection = 9
Sort spam into junkmail = Yes

[root@mail ~]# config show qpsmtpd
qpsmtpd=service
    Bcc=disabled
    BccMode=cc
    BccUser=maillog
    DNSBL=disabled
    LogLevel=6
    MaxScannerSize=25000000
    RBLList=bl.spamcop.net:dnsbl-1.uceprotect.net:dnsbl-2.uceprotect.net:psbl.surriel.com:zen.spamhaus.org
    RHSBL=disabled
    RelayRequiresAuth=disabled
    SBLList=multi.surbl.org:black.uribl.com:rhsbl.sorbs.net
    TlsBeforeAuth=1
    access=public
    qplogsumm=disabled
    status=enabled

From the wiki here https://wiki.contribs.org/Email#Spam

"the server first tests for RBL and DNSBL listings, if enabled" - and shows you how to do that further down under "Real-time Blackhole List (RBL)"

I ran the following in the hope of reducing some of the crud:

[root@mail ~]# config setprop qpsmtpd DNSBL enabled RHSBL enabled
[root@mail ~]# signal-event email-update

[root@mail ~]# config show qpsmtpd
qpsmtpd=service
    Bcc=disabled
    BccMode=cc
    BccUser=maillog
    DNSBL=enabled
    LogLevel=6
    MaxScannerSize=25000000
    RBLList=bl.spamcop.net:dnsbl-1.uceprotect.net:dnsbl-2.uceprotect.net:psbl.surriel.com:zen.spamhaus.org
    RHSBL=enabled
    RelayRequiresAuth=disabled
    SBLList=multi.surbl.org:black.uribl.com:rhsbl.sorbs.net
    TlsBeforeAuth=1
    access=public
    qplogsumm=disabled
    status=enabled

In the section of the wiki "The Default spamassassin behaviour put spams in the inbox which is very convenient for users in case of false positive, but it is not practical for learning, and especially it does not facilitate the life of the user" - I am uncertain of the meaning of "it does not facilitate the life of the user" and of the comment about "learning"?

I wonder if this [learning] is related to the section under the heading Testing which states "You can check the auto-learning statistics with this command. You will be able to note the accumulation of the spam tokens (or not). Note that the Bayesian filtering must receive 200 spam messages before it starts to function, so don't expect instantaneous results." - but then notice that this section precedes the one on Bayesian Filtering?

[Q1] Is email marked as spam and dropped into junkmail for any specific function other than not annoying users OR for Greylisting/Bayesian Filtering learning IF that is enabled?

[Q2] Is the comment "Many will argue what's best, some say the SME defaults are too aggressive" under the section on RBLs still relevant for the above lists shown in my config?

[Q3] I am running 'Server Only' and am behind a microwave provider's router with a fixed IP and port 25 forwarded - will this be of significance / consequence as suggested under https://wiki.contribs.org/Email#Server_Only

Thanks
« Last Edit: February 02, 2017, 09:10:04 AM by gbentley »
"If you don't know what you want, you end up with a lot you don't."

mmccarn
Re: Spamassassin Settings Question
« Reply #1 on: February 02, 2017, 01:42:22 PM »
[Q1] Is email marked as spam and dropped into junkmail for any specific function other than not annoying users OR for Greylisting/Bayesian Filtering learning IF that is enabled?
Email flagged as spam by spamassassin will have a header indicating the spam score.

If you want the subject changed you need to adjust the settings for spamassassin.  According to the release notes for SME8, you can enable and customize the "spam" subject modification in server-manager.

Placing SPAM in the junkmail folder is a separate setting, also accessible if you click "change e-mail filtering settings" under "E-mail" in server-manager.


[Q2] Is the comment "Many will argue what's best, some say the SME defaults are too aggressive" under the section on RBLs still relevant for the above lists shown in my config?
You always need to be careful of the services you select for RBLList and SBLList.  The "uce-protect" (listed in your services) is frequently felt to be too aggressive (blocking email from clients or vendors who don't know how to manage their own mail servers)...

Here are my current settings -
Code:
...
 RBLList=zen.zpamhaus.org:bl.spamcop.net:truncate.gbudb.net:ix.dnsbl.manitu.net
...
 SBLList=dbl.spamhaus.org:badconf.rhsbl.sorbs.net:nomail.rhsbl.sorbs.net
I use several commands that I've added to the "email" wiki page that I find useful for monitoring the effectiveness of my spam filter settings:
https://wiki.contribs.org/Email_Statistics#Useful_Commands

I found the services listed for RBLList above through trial and error -- adjust my settings, wait for spam, then use http://mxtoolbox.com/blacklists.aspx to research the IP address that delivered the spam email to my server.  "ix.dnsbl.manitu.net" is a bit aggressive, and has required me to whitelist some of the people that my users need to talk to.

I found "dbl.spamhaus.org" to be a very useful addition to SBLList for one location (identifying spam 4 - 12 hours before the sending server appears on one of the RBLList services), but next to worthless for others.

Additionally, I find the Barracuda Networks block list to be quite effective, but enabling it requires you to jump through some extra hoops:
https://forums.contribs.org/index.php?topic=50941.0


[Q3] I am running 'Server Only' and am behind Microwave providers router with a fixed IP and port forward 25 - will this be of significance / consequence as suggested under https://wiki.contribs.org/Email#Server_Only
I've (almost) always run server-only, and have never seen any evidence of effective spam attacks using the "helo a.b.c.d" method mentioned at that location.

gbentley
Re: Spamassassin Settings Question
« Reply #2 on: February 02, 2017, 01:51:17 PM »
Helpful answer - thanks. Glad I took the time to address this :)

Quote
The "uce-protect" (listed in your services) is frequently felt to be too aggressive

Do you think I would be better served removing it - but leaving the others as is?
« Last Edit: February 02, 2017, 02:04:28 PM by gbentley »

mmccarn
Re: Spamassassin Settings Question
« Reply #3 on: February 02, 2017, 02:39:25 PM »
You've got two basic approaches - which one you choose depends on you, your users, and your mutual relationship...

1. Wait for users to complain
-> wait for users to tell you about specific people whose email gets bounced, then do some research to find out why the email was bounced and address each instance directly

2. Allow more spam now while you evaluate DNSBL services
-> use the script from this section of the wiki to test new DNSBL services before implementing them:
https://wiki.contribs.org/Email_Statistics#Display_messages_that_would_have_been_blocked_via_DNSBL

- place the code from the code box in the wiki on your clipboard
- paste it into a 'putty' session
You'll be prompted for how many days of log files to scan (default is 1), and for the DNSBL service to test
- review the output for any email addresses belonging to people your users must be able to communicate with
- decide whether to add the new service to RBLList and manage the exceptions using whitelisting, or deal with the SPAM that the new service would block that is otherwise getting through...

Testing my home server against dnsbl-1.uceprotect.net for the last 7 days shows 11 messages that were 'queued' that might have been blocked (I say "might" because it's also possible that the sending host wasn't added to dnsbl-1.uceprotect.net until after the spam emails were received).  I prefer to deal with 11 spams per week rather than have my wife freak out when someone she's used to emailing gets their server added to dnsbl-1.uceprotect.net -- (which, if I recall correctly, happens to gmail, hotmail, mailchimp, and some other major email providers from time to time...)
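As an added example (not the wiki script mmccarn links, and not part of this thread), here is a small Python version of that "would have been blocked" check: it reads qpsmtpd logterse lines in the format holck's script documents later in the thread, takes the sending IP of each queued message, builds the reversed-octet DNSBL query name, and reports the listed IPs together with the senders whose mail would have been rejected. The sample log lines and IPs are constructed (documentation ranges), and the resolver can be replaced by a stub for offline use.

```python
import re
import socket
from collections import defaultdict

# Constructed sample of qpsmtpd logterse lines (same layout as the samples in
# holck's script comments); the IPs are documentation ranges, not real senders.
SAMPLE_LOG = """\
@4000000058207d3c2be40fa4 8548 logging::logterse plugin (queue): ` 192.0.2.10 mx1.example.net mx1.example.net <bounce@example.net> <alice@example.org> queued <id1@example.net> No, hits=1.2 required=3.0
@4000000058207d3c2be40fa5 8549 logging::logterse plugin (queue): ` 198.51.100.7 mail.partner.test mail.partner.test <bob@partner.test> <alice@example.org> queued <id2@partner.test> No, hits=0.4 required=3.0
@4000000058207d3c2be40fa6 8550 logging::logterse plugin (deny): ` 203.0.113.5 bad.example bad.example <x@bad.example> <alice@example.org> dnsbl 901 Blocked msg denied before queued
@4000000058207d3c2be40fa7 8551 logging::logterse plugin (queue): ` 192.0.2.10 mx1.example.net mx1.example.net <> <carol@example.org> queued <id3@example.net> Yes, hits=6.1 required=3.0
"""

# Fields after the backtick: remote IP, HELO name, reverse DNS, MAIL FROM, RCPT TO
QUEUE_RE = re.compile(
    r"\(queue\): `\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S+)\s+(<[^>]*>)\s+(<[^>]*>)"
)


def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name: octets reversed, zone appended.
    192.0.2.10 checked against zen.spamhaus.org -> 10.2.0.192.zen.spamhaus.org"""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def resolve_live(name):
    """Real lookup: a listed address answers with an A record in 127.0.0.0/8,
    an unlisted one gives NXDOMAIN (gaierror). Pass a stub instead for offline use."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def would_have_been_blocked(log_text, zone, resolve=resolve_live):
    """Return {ip: {"count": n, "senders": [...], "answer": "127.0.0.x"}} for queued
    messages whose sending IP the zone lists at lookup time.
    Caveat (as mmccarn notes): a host listed now may not have been listed when the
    message arrived, so the result is an upper bound on what the zone would block."""
    per_ip = defaultdict(lambda: {"count": 0, "senders": set()})
    for line in log_text.splitlines():
        m = QUEUE_RE.search(line)
        if not m:
            continue  # deny lines and non-logterse lines are not of interest here
        ip, _helo, _rdns, mail_from, _rcpt = m.groups()
        per_ip[ip]["count"] += 1
        per_ip[ip]["senders"].add(mail_from)
    hits = {}
    for ip, info in per_ip.items():  # one DNS query per distinct sending IP
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer and answer.startswith("127."):
            hits[ip] = {"count": info["count"],
                        "senders": sorted(info["senders"]), "answer": answer}
    return hits


if __name__ == "__main__":
    for ip, info in would_have_been_blocked(SAMPLE_LOG, "dnsbl-1.uceprotect.net").items():
        print(ip, info["answer"], info["count"], "msgs from", ", ".join(info["senders"]))
```

On a real server, feed it the contents of /var/log/qpsmtpd/current (and the rotated files for the number of days you want to cover) instead of SAMPLE_LOG.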

holck
Re: Spamassassin Settings Question
« Reply #4 on: February 02, 2017, 08:52:55 PM »
Here are my settings for qpsmtpd:
Code:
/sbin/e-smith/db configuration show qpsmtpd
qpsmtpd=service
    A_Record_RBL=b.barracudacentral.org: Blocked - see <http://bbl.barracudacentral.com/q.cgi?ip=%IP%>
    Bcc=disabled
    BccMode=cc
    BccUser=maillog
    DNSBL=enabled
    LogLevel=4
    MaxScannerSize=50000000
    RBLList=bl.spamcop.net:dnsbl-1.uceprotect.net:dnsbl-2.uceprotect.net:psbl.surriel.com:zen.spamhaus.org
    RHSBL=enabled
    RelayRequiresAuth=enabled
    SBLList=multi.surbl.org:black.uribl.com:rhsbl.sorbs.net:dbl.spamhaus.org
    TlsBeforeAuth=1
    access=public
    qplogsumm=disabled
    status=enabled
And here are some statistics, showing the number of denied and queued messages, and also the reasons for the denials. As you can see, spamassassin has very little effect for me.
Code:
Queued:      2763 (104 marked as spam)
Denied:      6312
  DNSBL:                    3068 (49 %)
  RHSBL:                    1646 (26 %)
  Failed Authentication:     977 (15 %)
  Relaying Denied:           344 ( 5 %)
  Invalid Host:              146 ( 2 %)
  Early Talker:               95 ( 2 %)
  SMEOptimizer:               18 ( 0 %)
  Spamassassin:               11 ( 0 %)
  TLS negotiation failed:      5 ( 0 %)
  Virus:                       0 ( 0 %)

Blacklists (DNSBL & RHSBL):
  Spamhaus:          2745 (58 %)
  Surbl:             1026 (22 %)
  Barracudacentral:   415 ( 9 %)
  Uceprotect:         313 ( 7 %)
  Uribl:              149 ( 3 %)
  Spamcop:             63 ( 1 %)
  Psbl.org:             3 ( 0 %)

gbentley
Re: Spamassassin Settings Question
« Reply #5 on: February 02, 2017, 10:43:05 PM »
@holck - the Barracuda stuff looks interesting - what is the config line to set up A_Record_RBL, and is anything else needed?

Also, how do I get the stats in your second code box?

Thanks

mmccarn
Re: Spamassassin Settings Question
« Reply #6 on: February 02, 2017, 11:01:09 PM »
The barracuda blocklist works well, but support isn't completely integrated.

The info you need to get it working can be found in this bug:
https://bugs.contribs.org/show_bug.cgi?id=8484

There's a version of smeserver-qpsmtpd that will let you set up barracuda's blocklist without creating any custom templates, but I don't know if that version gets installed by default.

[edit] grammar
« Last Edit: February 03, 2017, 12:19:07 PM by mmccarn »

gbentley
Re: Spamassassin Settings Question
« Reply #7 on: February 02, 2017, 11:53:59 PM »
@mmccarn - Thanks!

Last one for tonight - is it worth it in any way to register with any whitelists like emailreg.org - who seem to be associated with Barracuda? A lot of blog posts seem to have these 'pay for' whitelists down as some kind of evil scam.

mmccarn
Re: Spamassassin Settings Question
« Reply #8 on: February 03, 2017, 12:22:31 PM »
I've never looked at emailreg.org.  That looks like it's more about getting your email delivered to others than it is about blocking spam you might be receiving.

I try to make sure that SPF and (if the mail server supports it) DKIM are set up correctly.

gbentley
Re: Spamassassin Settings Question
« Reply #9 on: February 04, 2017, 06:34:42 PM »
Quote
I've never looked at emailreg.org

Neither had I until I looked up the Barracuda Central URL in your config. Since then I have driven myself dizzy trying to plough through the deluge of info on this subject, trying to figure out if there is actually any benefit at all [being whitelisted] over just keeping your operation clean?

I googled emailreg.org, which appears strongly associated with Barracuda, and whitelisted.org, which is associated with uceprotect.net.

Opinions range from accusing these operations of being nothing more than scammers & pay-to-spam operations [often by people who have been blacklisted by the same] to people who have tested the whitelists with their systems and have found them helpful.

As I am a complete novice in this area I would welcome any opinions on the subject... maybe I should have started another thread?
« Last Edit: February 04, 2017, 06:36:21 PM by gbentley »

janet
Re: Spamassassin Settings Question
« Reply #10 on: February 04, 2017, 07:36:09 PM »
gbentley

One of the main issues with keeping your sme "mail" server reputable is to do with your public WAN IP.
If you send mail directly to other mail servers, then all the various protocol & checking rules will be applied, & you need to conform to spf etc etc etc.
If your IP is in a range or block of numbers, & another IP in the range becomes blacklisted, then your server is potentially blacklisted.
All you can do is request to have your individual static IP removed from the external blacklist, most reputable list maintainers will respond to your request, as long as you demonstrate that you have your records configured correctly (spf etc) & as required these days.

That might be a case where your individual IP being on a whitelist could help, but there are many black or block lists out there, so it is probably difficult to ensure your server IP would be on all whitelists. I am not sure using such services or lists is a great idea or necessary. Existing procedures seem to cater OK, as long as you carefully implement them, see below.

If you maintain your server's reputation, by ensuring internal policy controls, good passwords, preventing unauthorised access to the smtp mail server by outsiders, preventing viruses on your internal network & on your mail clients, & preventing unauthorised bulk mail spamming etc etc, then you stand a good chance of preventing your sme server IP from being blacklisted.

Alternatively if you are a smaller player, you can send your mail via your ISPs mail server, configure this in server manager, & then you rely on the bona fides of your ISP & hope they maintain their reputation between their mail server(s) & other mail servers. The ISP will then configure spf & other necessary records for your server using your static (I assume) WAN IP.
I would only be choosing a good quality or known reliable ISP in this case. Some small ISPs can be quite good, & vice versa some larger ones are problematic & prevent you using a mail server or are prone to allowing users to abuse the system, thus leading to blacklisting etc, so you need to select your ISP carefully.

I have the Barracuda blocklist options configured on sme server & get minimal spam.
I also configure & block most mail attachment types (on sme server) & that really does cut out the receiving of a lot of spam & virus laden messages as the source senders are effectively rejected.
« Last Edit: February 04, 2017, 07:38:19 PM by janet »
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

gbentley
Re: Spamassassin Settings Question
« Reply #11 on: February 04, 2017, 07:48:45 PM »
@janet - thanks for your detailed answer.

I suspect that good admins would say that if you keep a clean, well maintained system there is no real reason to pay for any listing service at all, especially when SA etc. can be carefully and effectively configured to deal with the majority of bad mail, and that with good practice there is also no reason to get your IP blacklisted.

In this case, Barracuda charging for such a service appears more than a little self-serving.

https://www.barracuda.com/support/knowledgebase/50160000000Ha2hAAC
« Last Edit: February 06, 2017, 10:43:05 AM by gbentley »

gbentley
Re: Spamassassin Settings Question
« Reply #12 on: February 08, 2017, 10:04:01 AM »
Quote
And here are some statistics, showing the number of denied and queued messages, and also the reasons for the denials. As you can see, spamassassin has very little effect for me.
Code:
Queued:      2763 (104 marked as spam)
Denied:      6312
  DNSBL:                    3068 (49 %)
  RHSBL:                    1646 (26 %)
  Failed Authentication:     977 (15 %)
  Relaying Denied:           344 ( 5 %)
  Invalid Host:              146 ( 2 %)
  Early Talker:               95 ( 2 %)
  SMEOptimizer:               18 ( 0 %)
  Spamassassin:               11 ( 0 %)
  TLS negotiation failed:      5 ( 0 %)
  Virus:                       0 ( 0 %)

Blacklists (DNSBL & RHSBL):
  Spamhaus:          2745 (58 %)
  Surbl:             1026 (22 %)
  Barracudacentral:   415 ( 9 %)
  Uceprotect:         313 ( 7 %)
  Uribl:              149 ( 3 %)
  Spamcop:             63 ( 1 %)
  Psbl.org:             3 ( 0 %)

@holck any chance of sharing the script that generated these stats?


holck
Re: Spamassassin Settings Question
« Reply #13 on: February 08, 2017, 12:11:14 PM »
You are welcome to see and use my script. It's a small Perl-program, and will almost certainly need to be edited to work for others...


Code:
#!/usr/bin/perl
use strict;
use warnings;
#
# The script analyzes a log-file from qpsmtpd. Run it like
# $ sudo test.pl < /var/log/qpsmtpd/current
#
# Sample, standard deny-line from qpsmtpd/current:
#
# @4000000057e971280f9518fc 7923 logging::logterse plugin (deny): ` 192.241.146.6 mta-wk-2.mk1.enchantitect.com   mta-wk-2.mk1.enchantitect.com   <c736fb27-sio-2IEpgeKf9g1V1Z0D@mk1.enchantitect.com>     rhsbl   901     Blocked, enchantitect.com on lists [abuse], See: http://www.surbl.org/lists.html        msg denied before queued

# SMEOptimizer works by forcing a high spam score:
#
# @40000000582033e43560c98c 28003 smeoptimizer plugin (deny): SMEOptimizer SA hit: BAYES_00,DIGEST_MULTIPLE,HTML_MESSAGE,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_DNSWL_NONE,SMEOPTI_URI_SPAM,SPF_HELO_PASS,SPF_PASS
# @40000000582033e43560d92c 28003 logging::logterse plugin (deny): ` 46.21.172.157 vserver3.axc.nl ashwinbihari.nl <freja_olsen@ashwinbihari.nl> <bg@skibsgaarden.dk> spamassassin 901 spam score exceeded threshold (#5.6.1) Yes, hits=13.1 required=3.0_
#
# @4000000058207d3c2be3f834 8548 smeoptimizer plugin (queue): SMEOptimizer SA hit: BAYES_00,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,MIME_HTML_MOSTLY,MPART_ALT_DIFF,RCVD_IN_DNSWL_NONE,RCVD_IN_IADB_DK,RCVD_IN_IADB_LISTED,RCVD_IN_IADB_RDNS,RCVD_IN_IADB_SENDERID,RCVD_IN_IADB_SPF,RCVD_IN_IADB_VOUCHED,RP_MATCHES_RCVD,SMEOPTI_URI_SPAM,SPF_PASS
# @4000000058207d3c2be40fa4 8548 logging::logterse plugin (queue): ` 91.235.232.1 smtp2-1.mailmailmail.net smtp2-1.mailmailmail.net <return-b6984-b202471-helge.petersen=skibsgaarden.dk@mailmailmail.net> <helge.petersen@skibsgaarden.dk> queued <72249250c81f557c67e6e65e6472b009@client2.mailmailmail.net> Yes, hits=4.6 required=3.0_

# Each entry: [count, label, pattern that identifies the deny reason in the log line]
my @denial = (
  [0, "SMEOptimizer", qr/SMEOptimizer SA hit/],   # Smeopti must be the first
  [0, "Failed Authentication",   qr/authcvm/],
  [0, "Relaying Denied",  qr/relaying/],
  [0, "DNSBL",  qr/\sdnsbl\s/],
  [0, "RHSBL",  qr/\srhsbl\s/],
  [0, "Invalid Host",   qr/believe that you are/],
  [0, "Spamassassin",   qr/exceeded threshold/],
  [0, "Virus",  qr/virus::clamav/],
  [0, "Early Talker",  qr/earlytalk/],
  [0, "TLS negot. failed", qr/Negotiation Failed/]
);

my %bl;         # Hash - key is the blacklist name, value is the count
my %attempts;   # Hash - key is the sending IP, value is the number of denied attempts
my $queued = 0; my $denied = 0; my $unknown = ""; my $spam = 0;
my ($line, $ip, $check, $smeoptimizer_plugin);

sub count_black_lists  {
  my $list = shift @_;
  $list =~ s!.*https?://!!;  # The blacklist's name is taken from the URL returned to the sender
  $list =~ s!/.*!!;
  $list =~ s!\w+\.(\w+)\..*!$1!;

  $bl{$list} ||= 0;
  $bl{$list}++;
}

sub pct {   # Rounded percentage; 0 when the total is 0, so an empty log does not divide by zero
  my ($part, $total) = @_;
  return $total ? int(0.5 + $part / $total * 100) : 0;
}

Check: while ($line = <>) {
  chomp $line;

  if ($line =~ /smeoptimizer plugin/) {
    $smeoptimizer_plugin = 1;   # Remember this and read the next line
    $line = <>;
    last Check unless defined $line;   # The log ended right after the smeoptimizer line
    chomp $line
  } else {
    $smeoptimizer_plugin = 0
  }

  $queued++ if ($line =~ /\(queue\)/);
  if ($line =~ /\(deny\)/) {
    $denied++;
    $ip = (split "`", $line)[1];   # The sending IP is the first field after the backtick
    $ip = "" unless defined $ip;
    $ip =~ s/^\s+//;
    $ip =~ s/\s.*//;

    unless ($ip =~ /\d/) {
      die "Cannot find the sending IP in this deny line:\n$line\n"
    }
    $attempts{$ip} ||= 0;
    $attempts{$ip}++;

    if ($smeoptimizer_plugin) {
      $check = $denial[0];
      $check->[0]++;
      next Check
    } else {
      foreach $check (@denial) {
        if ($line =~ $check->[2]) {
          $check->[0]++;
          if ($check->[1] =~ /BL/) {
            count_black_lists($line)
          }
          next Check
        }
      }
    }
    $line =~ s/.*`//;
    $unknown .= "  $line\n"  # Unidentified reason for deny
  } elsif ($line =~ /\(queue\)/) {
    if ($line =~ /Yes, /) {
      $spam++     # Queued but marked as spam
    }
  }
}

print "\n\n";
printf "%-12s%5d",   "Queued:", $queued;
print " ($spam marked as spam)\n";
printf "%-12s%5d\n", "Denied:", $denied;

foreach $check (sort { $b->[0] <=> $a->[0] } @denial) {
  printf "  %-25s%5d (%2d %%)\n", $check->[1].":", $check->[0], pct($check->[0], $denied)
}

my $bl_total = 0;
foreach my $list (keys %bl) {
  $bl_total += $bl{$list}
}

print "\nBlacklists:\n";
foreach my $list (sort { $bl{$b} <=> $bl{$a} } keys %bl) {
  printf "  %-18s%5d (%2d %%)\n", ucfirst($list).":", $bl{$list}, pct($bl{$list}, $bl_total)
}

print "\nMost active IP addresses:\n";
my $n = 1;
foreach $ip (sort { $attempts{$b} <=> $attempts{$a} } keys %attempts) {
  printf "  %3d.%3d.%3d.%3d", split(/\./, $ip);   # Right-align each octet of the address
  printf ": %5d\n", $attempts{$ip};
  $n++;
  last if ($n > 10)
}

print "\n\nUnknown reason for deny:\n", $unknown;

Jean-Philippe Pialasse (aka Unnilennium), http://smeserver.pialasse.com
Re: Spamassassin Settings Question
« Reply #14 on: February 08, 2017, 10:25:27 PM »
Quote
You are welcome to see and use my script. It's a small Perl-program, and will almost certainly need to be edited to work for others...

You will have some work to adapt it after the next upgrade of qpsmtpd.