outgoing mail taged as spam

[Troy McClure]

That's just it. These are being submitted through the submission port (587) which is supposed to skip those checks. Is that right? Is there a way to turn off spamassasin on port 587 temporarily while I figure out why this is happening?

[breun]

It doesn't look like those checks are skipped when using the submission port, but I haven't looked into it.

[Troy McClure]

Thanks. I added "skip_rbl_checks 1" to my local.cf to skip the DNSBL checks and it still scored 6.2 with these results.

Code: Select all

AWL,BAYES_60,DOS_OE_TO_MX,DYN_RDNS_SHORT_HELO_HTML,HTML_MESSAGE,RDNS_DYNAMIC,TVD_SPACE_RATIO

Is it normal for it to score DOS_OE_TO_MX on a authenticated user?

[biggles]

Might the AWL add points?

[mikeshinn]

You can look up all these rules on the spamassassin wiki:

http://wiki.apache.org/spamassassin/Rules

DOS_OE_TO_MX means Outlook Express sent mail directly to your MX. OE is dead, you shouldnt see it - although you may have a user thats running a REALLY out of date system thats probably owned from ear to ear. Your users, if they care about their systems not being owned, shouldnt use OE so when you see it - its either fake or your user REALLY needs to upgrade. You cant even use OE to access hotmail, so even Microsoft bans it.

TVD_SPACE_RATIO means the space to text ratio in the message is WAY off - which usually means either the user is writing some weird stuff or its spam.

BAYES_60 means there is a 60% chance its spam based on your systems bases tables as learned from the mail thats processed by your system.

DYN_RDNS_SHORT_HELO_HTML Sent from dynamic IP, HELO doesn't contain a domain, and message has HTML - also signs of spam. All email clients should send a domain in the HELO client - so check the email, it may be spam.

Also, I wouldnt turn off the RBLs. If mail is being mislabed spam - check the email by hand and see what it is. It may be spam - and if its not, use the bayes system to train your system that its Ham. Turning off the RBLs will mean that more spam will get thru.

[Troy McClure]

Thanks Mike for the detailed response and insite. I do know they shouldn't be using OE, but you know how people are. They don't want to change or don't want to spend money to upgrade. I actually have quite a few users that still use OE. I don't handle their systems, just their email and website. This message was just a test message, so all that was in the body was a short line and I had a custom subject so I could find it in the logs easily. Basically, all my users that use dynamic ips end up having this happen. I have to whitelist their email addresses to get around it. It starts out ok, but eventually it happens. It may be the combo of OE and dynamic that does it, I haven't gotten that far yet. Has anyone else had problems with this when using only smtp auth? Since I have whitelisted all their email addresses I will probably go ahead and turn RBLs back on.

[mikeshinn]

That shouldnt happen. If you use the submission port in plesk you should be good to go. We dont touch the spamassassin settings on any of our servers and don't have any problems like what you describe - so I think something else may be going on with your system.

[Troy McClure]

This is using the submission port. It happens with both ports. Do you think I need to kill my bayes db?

[breun]

If you use the submission port in plesk you should be good to go.

Are you sure that SpamAssassin doesn't kick in when using the submission port? My tests seem to indicate that qmail-scanner is scanning mail regardless of whether I'm using port 25 or 587. If that's right, is there any way to disable scanning for outgoing mail for any of these methods?

[scott]

yeah since it lives in the queue its always going to see it (both directions), that being said it might be possible to exclude. I found this in the wiki:

http://www.atomicorp.com/wiki/index.php ... il-scanner

maybe that will help

[breun]

You mean something like setting env = QS_SPAMASSASSIN="off" in /etc/xinetd.d/submission_psa?

For now it looks like we'll get by by whitelisting one address/domain in SpamAssassin's configuration.

[scott]

Worth a shot, you could try that on the submission port

[Troy McClure]

This doesn't seem to work for me. Anyone else try it?

[breun]

The qmail-scanner FAQ says:

Why are some mails not scanned by SpamAssassin?. Qmail-Scanner will only pass the message to SpamAssassin if it originates from an external (non-local) SMTP client. This is defined by whether or not the standard Qmail RELAYCLIENT environment variable is set. i.e. if the mail originates locally, it isn't scanned by SA. This is done for performance reasons and to cut down on false positives (i.e. your local users will never complain that their email is being classified as spam :-) If you explicitly want to scan some/all local SMTP clients email too, then set QS_SPAMASSASSIN="1" within the tcpserver rules file.