Users messages marked as spam

Forum for getting help with Project Gamera, Spamassassin, Clamav, qmail-scanner and other anti-spam tools.
AndraX2000
Forum User
Posts: 15
Joined: Thu Dec 20, 2007 7:17 pm

Unread post by AndraX2000 »

I have ART spamassassin, clamav, and qmail-scanner installed. I do not have psa-spamassassin installed.

My problem is that some of my authenticated users' mail is being marked as spam before it is sent out.
1. The user connects to the SMTP server from his home, using authentication.
2. ****SPAM**** LOW * is added to the subject line
3. The email is then delivered in this state to its destination at gmail.

This doesn't seem quite right to me. Is there a way to prevent spamassassin from scanning outgoing email from authenticated users? Or perhaps to mark all email from all (or better yet just some) authenticated users as ham?

Delivered-To: XXXXX@gmail.com
Received: by 10.86.52.5 with SMTP id z5cs279037fgz;
        Thu, 20 Dec 2007 15:08:46 -0800 (PST)
Received: by 10.141.206.13 with SMTP id i13mr373363rvq.100.1198192125181;
        Thu, 20 Dec 2007 15:08:45 -0800 (PST)
Return-Path: <XXXXX@XXXXX.net>
Received: from server4.XXXXX.com (server4.XXXXX.com [72.XX.XX.XX])
        by mx.google.com with ESMTP id f36si443695rvb.4.2007.12.20.15.08.43;
        Thu, 20 Dec 2007 15:08:45 -0800 (PST)
Received-SPF: neutral (google.com: 72.XX.XX.XX is neither permitted nor denied by best guess record for domain of XXXXX@XXXXX.net) client-ip=72.XX.XX.XX;
Authentication-Results: mx.google.com; spf=neutral (google.com: 72.XX.XX.XX is neither permitted nor denied by best guess record for domain of XXXXX@XXXXX.net) smtp.mail=XXXXX@XXXXX.net
Received: (qmail 31553 invoked by uid 2525); 20 Dec 2007 23:08:43 +0000
Received: from 69.47.139.228 by server4.XXXXX.com (envelope-from <XXXXX@XXXXX.net>, uid 2020) with qmail-scanner-2.01st 
 (clamdscan: 0.91.2/5186. spamassassin: 3.2.3. perlscan: 2.01st.  
 Clear:RC:0(69.47.139.228):SA:1(7.6/7.0):. 
 Processed in 3.809655 secs); 20 Dec 2007 23:08:43 -0000
X-Spam-Status: Yes, hits=7.6 required=7.0
X-Spam-Level: +++++++
Received: from d47-69-228-139.nap.wideopenwest.com (HELO bourbon) (69.47.139.228)
  by server4.XXXXX.com with (RC4-MD5 encrypted) SMTP; 20 Dec 2007 23:08:38 +0000
From: "XXXXX" <XXXXX@XXXXX.net>
To: <XXXXX@gmail.com>
Subject: ****SPAM**** LOW *  email accts
Date: Thu, 20 Dec 2007 18:08:33 -0500
Message-ID: <000c01c8435d$3ecf1f40$0501a8c0@bourbon>
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Unread post by scott »

I'd start by looking at the logs to see which tests are firing on those messages. 7.6 is amazingly high for a false positive; it takes a lot of rules to get something to score to that level.

What you want to keep in mind is that it's highly likely that other people using spamassassin will also score your messages that high (I delete at 7 for example), so disabling it from your side will have no effect.
AndraX2000
Forum User
Posts: 15
Joined: Thu Dec 20, 2007 7:17 pm

Unread post by AndraX2000 »

Dec 20 23:08:39 server4 spamd[19186]: spamd: checking message <000c01c8435d$3ecf1f40$0501a8c0@bourbon> for qscand:110
Dec 20 23:08:41 server4 spamd[19186]: spamd: identified spam (7.6/7.0) for qscand:110 in 2.3 seconds, 2084 bytes.
Dec 20 23:08:41 server4 spamd[19186]: spamd: result: Y 7 - BAYES_20,DYN_RDNS_SHORT_HELO_HTML,HTML_MESSAGE,MIME_HTML_MOSTLY,PYZOR_CHECK,RCVD_IN_PBL,RCVD_IN_SORBS_DUL,RDNS_DYNAMIC,TVD_SPACE_RATIO scantime=2.3,size=2084,user=qscand,uid=110,required_score=7.0,rhost=localhost,raddr=127.0.0.1,rport=/tmp/spamd_full.sock,mid=<000c01c8435d$3ecf1f40$0501a8c0@bourbon>,bayes=0.120042,autolearn=no
I'm new to interpreting these things, so correct me if I'm wrong:
  • BAYES_20 Bayesian probability of spam 20%
  • DYN_RDNS_SHORT_HELO_HTML Sent from dynamic IP, HELO doesn't contain a domain, and message has HTML
  • HTML_MESSAGE Message has HTML
  • MIME_HTML_MOSTLY Message is mostly HTML
  • PYZOR_CHECK Someone else has gotten a similar message and marked it as spam
  • RCVD_IN_PBL The IP is in the Spamhaus PBL
  • RCVD_IN_SORBS_DUL Sent from dynamic IP in Sorbs list
  • RDNS_DYNAMIC Sent from a dynamic IP
  • TVD_SPACE_RATIO The ratio of whitespace to text is low, indicating vertical words.
4 of these seem to be related to him sending the email from a dynamic ip at his home. The 3 HTML ones are because he uses Outlook with default settings.

The emails he sends that get marked as spam are of two types. Sometimes he sends short messages to me asking questions about his hosting or email. He has notoriously bad spelling, punctuation, and grammar. I'm not concerned about these being marked, because they are coming to me.

The other type that get marked are orders for play-by-email Diplomacy.

For now, I've explained to him how to send emails as text.

But the real question is, what are the advantages of scanning authenticated users' emails? All my users are trusted, I'm not a public web host, and I have no concern that any of them will start sending spam.
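Scott's suggestion is to look at which tests fire. The following is an added example, not code from the thread or from SpamAssassin: a small Python parser for spamd "result:" lines that tabulates the rules that fired and groups them the way AndraX2000 reads them (dynamic-IP versus HTML). The log lines are the ones posted above, re-joined onto single lines, plus one constructed ham line.

```python
import re
from typing import Dict, List

# Constructed sample: the spamd lines posted in this thread, re-joined onto single lines, plus a
# constructed ham line (spamd logs '.' as the flag and 'none' as the rule list when nothing fired).
SAMPLE_LOG = [
    "Dec 20 23:08:41 server4 spamd[19186]: spamd: result: Y 7 - BAYES_20,DYN_RDNS_SHORT_HELO_HTML,"
    "HTML_MESSAGE,MIME_HTML_MOSTLY,PYZOR_CHECK,RCVD_IN_PBL,RCVD_IN_SORBS_DUL,RDNS_DYNAMIC,"
    "TVD_SPACE_RATIO scantime=2.3,size=2084,user=qscand,uid=110,required_score=7.0,rhost=localhost,"
    "raddr=127.0.0.1,rport=/tmp/spamd_full.sock,mid=<000c01c8435d$3ecf1f40$0501a8c0@bourbon>,"
    "bayes=0.120042,autolearn=no",
    "Dec 20 23:10:02 server4 spamd[19186]: spamd: result: . -1 - none scantime=0.9,size=812,"
    "user=qscand,uid=110,required_score=7.0,rhost=localhost,raddr=127.0.0.1,"
    "rport=/tmp/spamd_full.sock,mid=<constructed-1@example.invalid>,bayes=0.000123,autolearn=ham",
]

# Grouping taken from the poster's reading of the rules: four fire because the client sat on a
# dynamic/residential IP, three because Outlook sent HTML (one rule belongs to both groups).
DYNAMIC_IP_RULES = {"DYN_RDNS_SHORT_HELO_HTML", "RCVD_IN_PBL", "RCVD_IN_SORBS_DUL", "RDNS_DYNAMIC"}
HTML_RULES = {"DYN_RDNS_SHORT_HELO_HTML", "HTML_MESSAGE", "MIME_HTML_MOSTLY"}

RESULT_RE = re.compile(r"spamd: result: (?P<flag>[Y.]) (?P<score>-?\d+) - (?P<rules>\S+) (?P<kv>.*)$")

def parse_spamd_result(line: str) -> Dict[str, object]:
    """Turn one 'spamd: result:' line into a record; raises ValueError for other log lines."""
    m = RESULT_RE.search(line)
    if not m:
        raise ValueError("not a spamd result line")
    rules = [] if m["rules"] == "none" else m["rules"].split(",")
    fields = dict(item.split("=", 1) for item in m["kv"].split(","))
    return {"is_spam": m["flag"] == "Y", "score": int(m["score"]), "rules": rules, "fields": fields}

def triage(rules: List[str]) -> Dict[str, List[str]]:
    """Split the rules that fired into the groups the thread argues about."""
    return {
        "dynamic_ip": [r for r in rules if r in DYNAMIC_IP_RULES],
        "html": [r for r in rules if r in HTML_RULES],
        "other": [r for r in rules if r not in DYNAMIC_IP_RULES | HTML_RULES],
    }

def rule_frequency(lines: List[str]) -> Dict[str, int]:
    """How often each rule fired on messages spamd flagged: the check scott suggests doing first."""
    counts: Dict[str, int] = {}
    for line in lines:
        try:
            rec = parse_spamd_result(line)
        except ValueError:
            continue  # 'checking message' / 'identified spam' lines carry no rule list
        if rec["is_spam"]:
            for rule in rec["rules"]:
                counts[rule] = counts.get(rule, 0) + 1
    return counts
```

Run it over a whole day of spamd log to see whether the dynamic-IP group dominates the false positives, which is the question this thread turns on.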
AndraX2000
Forum User
Posts: 15
Joined: Thu Dec 20, 2007 7:17 pm

Unread post by AndraX2000 »

Digging around the internet, it seems that this is all because qmail doesn't implement RFC 3848. All email that is sent by my users from their home computers gets at least 4 points added. If they log in to the webmail interface to send them, they come from localhost, so they don't get those 4 extra points.

Ironically, if the receiving address uses spamassassin, it won't score the DYNABLOCK points, because those tests are conducted top down. The newly-rewritten X-Spam-Status header will have a much lower score. In one test, the email scored 4.0 on my server, but -2.7 at the destination.

I found a lot of this info at:
http://wiki.apache.org/spamassassin/DynablockIssues
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Unread post by scott »

Well, the fact that it's in Pyzor as spam is pretty suspect; it takes a lot of independent people to mark a message as spam for it to show up there.
AndraX2000
Forum User
Posts: 15
Joined: Thu Dec 20, 2007 7:17 pm

Unread post by AndraX2000 »

One message marked with PYZOR_CHECK was in its entirety (minus the html stuff outlook added):
my email acct sez mailbox full what that mean
Which does look pretty spammy.

Several others marked with PYZOR_CHECK were DPJudge formatted diplomacy orders. Not all of these were marked as spam, just a few.
These look something like this:
A LON H
A PAR H
F NWG C A NWY - EDI
F LVP S A EDI
F IRI - MAO
F MAO - IRI
F WAL S F MAO - IRI
A YOR - LON
Regardless of the PYZOR_CHECK problem, the Dynamic IP Problem is bigger. All email sent from home computers (including my own) automatically gets a +4. I really don't want to be sending an invoice or other important email from my home computer and have it marked as spam by my own server before it gets sent on to the recipient.

Is there a way to prevent checking email by authenticated users?
If not, is there a way to prevent checking all outgoing mail?

The only outgoing mail is from authenticated users, localhost (such as users using webmail), php scripts I wrote, and email forwards set up in plesk. I trust all of these sources.
exi1ed0ne
Forum Regular
Posts: 190
Joined: Sun Nov 20, 2005 4:16 pm
Location: Right Behind You!

Unread post by exi1ed0ne »

One thing I do is add a negative score to SMTPS email that has my host in a received header. The negative score is proportional to the average historic rules that were fired by my users sending messages. This works well, but you need to change the default Plesk DNS setup (PTR Records) for your vhosts to get it to work consistently.

You could always change the scoring on the Dynablock rules I suppose, or remove qscan from the smtp chain for smtps. Those options are a bit drastic though, since they have a lot of value IMHO.
nforde
Forum User
Posts: 5
Joined: Thu Apr 03, 2008 2:43 am

Spam Assassin marking customers outgoing emails

Unread post by nforde »

As mentioned above "Digging around the internet, it seems that this is all because qmail doesn't implement RFC 3848."

I've also been digging around, and that's the same conclusion I came to.

I think your email headers should mention 'with ESMTPA' (A meaning Authenticated) as specified in RFC 3848 rather than just 'with ESMTP'.

It seems like Qmail (at least the version used by Plesk) is not fully RFC 3848 compliant, so Spamassassin can't figure out if an email is coming from someone who has been authenticated.

To fix this you need to install a Qmail authentication patch.

Here is some info about the patch from the patch author (at http://www.fehcom.de/qmail/smtpauth.html) -

RFC 3848 requires a different notation, which is incorporated in my most recent SMTP authentication patches for qmail:

Received: from xdsl-81-173-228-159.netcologne.de (HELO mail.fehnet.de) (erwin@fehcom.de@81.173.228.159)
by hamburg134 with ESMTPA; 23 Jan 2005 13:32:13 -0000

The keyword ESMTPA denotes "ESMTP Authentication" and thus the information presented can be clearly interpreted. However, the quality of this information can neither be verified nor estimated, if it does not originate from the last receiving host.
Some Anti-Spam programs, like SpamAssassin begin to use this information...


The latest patch is available here - http://www.fehcom.de/qmail/smtpauth.html#PATCHES
(it's currently version 0.6.8 and I think it combines the previous versions listed below it).

This is where my expertise ends. I'm not confident enough to install this patch myself. Good luck!
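An added example, not code from the thread, the fehcom patch or SpamAssassin, of the RFC 3848 check discussed above: Python that unfolds the Received: headers, picks the hop our own MTA added when the client submitted the message, and reports whether it carries an authentication keyword such as ESMTPA. Hostnames and addresses are constructed placeholders modelled on the headers quoted in the thread; as the patch author's caveat says, only a hop written by our own host (the "by" clause) is trusted, so a foreign hop claiming ESMTPA is ignored.

```python
import email
import re
from typing import Dict, List, Optional

# RFC 3848 "with" keywords asserting that the sender authenticated (the S variants also mean TLS).
RFC3848_AUTH_KEYWORDS = {"ESMTPA", "ESMTPSA", "LMTPA", "LMTPSA"}

# Constructed samples modelled on the headers quoted in this thread; hostnames are placeholders.
QMAIL_UNPATCHED = """\
Received: (qmail 31553 invoked by uid 2525); 20 Dec 2007 23:08:43 +0000
Received: from d47-69-228-139.isp.example (HELO bourbon) (69.47.139.228)
  by mail.example.net with (RC4-MD5 encrypted) SMTP; 20 Dec 2007 23:08:38 +0000
"""
RFC3848_PATCHED = """\
Received: from xdsl-81-173-228-159.isp.example (HELO mail.example.net) (user@example.net@81.173.228.159)
  by mail.example.net with ESMTPA; 23 Jan 2005 13:32:13 -0000
"""
# A hop added by some other host may claim anything; it must never count as our own authentication.
FOREIGN_CLAIM = """\
Received: from relay.other.example (relay.other.example [198.51.100.7])
  by mail.example.net with ESMTP; 20 Dec 2007 23:09:00 +0000
Received: from bourbon (203.0.113.9) by relay.other.example with ESMTPA; 20 Dec 2007 23:08:50 +0000
"""

def _strip_comments(value: str) -> str:
    # Remove (possibly nested) comments such as (HELO bourbon) or (RC4-MD5 encrypted), then unfold.
    while True:
        stripped = re.sub(r"\([^()]*\)", " ", value)
        if stripped == value:
            return " ".join(value.split())
        value = stripped

def received_hops(headers_text: str) -> List[Dict[str, Optional[str]]]:
    # Parse every Received: header (continuation lines included) into its from/by/with clauses.
    msg = email.message_from_string(headers_text)
    hops = []
    for raw in msg.get_all("Received", []):
        value = _strip_comments(raw)
        hops.append({key: (m.group(1) if (m := re.search(rf"\b{key}\s+([^\s;]+)", value)) else None)
                     for key in ("from", "by", "with")})
    return hops

def submission_hop(headers_text: str, our_host: str) -> Optional[Dict[str, object]]:
    # Only the hop our own MTA wrote when the client submitted the message can vouch for authentication;
    # Received headers are prepended, so the earliest hop 'by' our host is the last one in the list.
    ours = [h for h in received_hops(headers_text) if (h["by"] or "").lower() == our_host.lower()]
    if not ours:
        return None
    proto = (ours[-1]["with"] or "").upper()
    return {"by": ours[-1]["by"], "with": proto, "authenticated": proto in RFC3848_AUTH_KEYWORDS}
```

With the unpatched qmail header the submission hop reads "with SMTP", so nothing downstream can tell the client authenticated; with the patched form it reads "with ESMTPA".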
exi1ed0ne
Forum Regular
Posts: 190
Joined: Sun Nov 20, 2005 4:16 pm
Location: Right Behind You!

Unread post by exi1ed0ne »

Or wait until Plesk puts in Postfix - I believe that feature has the same release date as Duke Nukem Forever.
-Andy
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Unread post by scott »

I've been told by a bunch of people that postfix will be in 8.4. If it doesn't, I might give a psa compatible qmail rpm another shot.