ClamAV and Anti-Spam

Forum for getting help with Project Gamera, Spamassassin, Clamav, qmail-scanner and other anti-spam tools.
exi1ed0ne
Forum Regular
Posts: 190
Joined: Sun Nov 20, 2005 4:16 pm
Location: Right Behind You!

Unread post by exi1ed0ne »

Depending on load, I find it useful to explicitly reject (during the SMTP connection only!) everything spammy regardless of how high the score. I've had a few legit emails that had the incredibly bad luck to hit high-scoring rules and get up that high. You find out about it quickly if the sender gets a reject message rather than silently dropping. Of course I include a URL to a webform in the reject message that they can report the issue with, just to make it a bit more friendly.

It's mostly wasted on bots, but for that 1% sending a reject is worth it IMHO. Besides, if load is that much of an issue they should be configuring the shortcut rules in SA anyway.
-Andy
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

Unread post by breun »

Backscatter is a growing problem though and by rejecting you're contributing to that problem.
Lemonbit Internet Dedicated Server Management
exi1ed0ne
Forum Regular
Posts: 190
Joined: Sun Nov 20, 2005 4:16 pm
Location: Right Behind You!

Unread post by exi1ed0ne »

It's not backscatter if it is done during the SMTP connection, rather than after - I did make that distinction. That is the only time you are ever sure of delivering your reject to the host that sent the message in the first place.
-Andy
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

Unread post by breun »

You're right.
Lemonbit Internet Dedicated Server Management
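The exchange above turns on one distinction: a 5xx reply given while the sending host is still connected is delivered to that host and nobody else, whereas a bounce generated after the message was accepted is a brand-new mail addressed to whatever MAIL FROM claimed, which for spam is usually a forged third party. The simulation below is an added example, not code from the thread or from any of the tools it discusses; the sample traffic, scores, addresses and the false-positive report URL are constructed for illustration, and the 550 wording is just one way to phrase the reject-with-a-webform-link that exi1ed0ne describes.

```python
"""Added example, not code from the thread: simulate the two policies discussed
(reject during the SMTP transaction vs. accept-then-bounce) and count how much
backscatter each one generates.  All traffic below is constructed."""
from dataclasses import dataclass, field

REQUIRED_SCORE = 7.0                                          # matches the thread's local.cf
REPORT_URL = "https://mail.example.invalid/false-positive"    # assumed placeholder URL


@dataclass
class Message:
    connecting_ip: str
    envelope_from: str      # MAIL FROM: trivially forgeable, often a real third party
    rcpt_to: str
    score: float
    sender_is_forged: bool  # ground truth for the simulation only; a real MTA cannot know this


@dataclass
class Outcome:
    smtp_replies: dict = field(default_factory=dict)   # connecting ip -> reply lines it saw
    bounces: list = field(default_factory=list)        # DSNs we originated (new mail we sent)
    delivered: list = field(default_factory=list)


def smtp_reject_line(score: float) -> str:
    """Permanent policy rejection with an enhanced status code (RFC 3463 class 5.7.1)
    and a pointer a human sender can act on; bots ignore it, humans get a clear signal."""
    return (f"550 5.7.1 Message rejected as spam (score {score:.1f} >= {REQUIRED_SCORE:.1f}); "
            f"legitimate sender? report it at {REPORT_URL}")


def reject_at_smtp(msgs):
    """Decide before replying to DATA, while the sending host is still connected.
    The only party ever told about the rejection is that host: no new mail is created."""
    out = Outcome()
    for m in msgs:
        replies = out.smtp_replies.setdefault(m.connecting_ip, [])
        if m.score >= REQUIRED_SCORE:
            replies.append(smtp_reject_line(m.score))
        else:
            replies.append("250 2.0.0 OK: queued")
            out.delivered.append(m)
    return out


def accept_then_bounce(msgs):
    """Accept everything with 250, scan later, then 'return' spam to its envelope sender.
    The DSN is a fresh message addressed to whatever MAIL FROM claimed."""
    out = Outcome()
    for m in msgs:
        out.smtp_replies.setdefault(m.connecting_ip, []).append("250 2.0.0 OK: queued")
        if m.score >= REQUIRED_SCORE:
            out.bounces.append((m.envelope_from, f"Your message to {m.rcpt_to} was rejected as spam"))
        else:
            out.delivered.append(m)
    return out


def backscatter(msgs, outcome) -> int:
    """Bounces that land on someone who never sent the original message."""
    forged = {m.envelope_from for m in msgs if m.sender_is_forged}
    return sum(1 for addr, _ in outcome.bounces if addr in forged)


SAMPLE = [  # constructed: two bot deliveries with forged senders, one clean mail, one unlucky legit mail
    Message("203.0.113.10", "victim@example.org", "alice@example.net", 23.3, True),
    Message("203.0.113.11", "another-victim@example.org", "bob@example.net", 34.2, True),
    Message("198.51.100.5", "colleague@example.com", "alice@example.net", 1.2, False),
    Message("198.51.100.7", "newsletter@example.com", "bob@example.net", 9.8, False),
]

if __name__ == "__main__":
    for name, policy in (("reject at SMTP", reject_at_smtp), ("accept then bounce", accept_then_bounce)):
        o = policy(SAMPLE)
        print(f"{name}: delivered={len(o.delivered)} bounces={len(o.bounces)} "
              f"backscatter={backscatter(SAMPLE, o)}")
```

With the constructed traffic the SMTP-time policy produces zero bounces, and the one legitimate-but-high-scoring sender (198.51.100.7) sees the 550 with the report URL in its own session log; the accept-then-bounce policy produces three DSNs, two of which go to forged addresses that never sent anything.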
benji
Forum User
Posts: 63
Joined: Thu Mar 29, 2007 10:32 am

Unread post by benji »

Hi, I'm not getting any files in my "SPAMDIR". I've been running with this config for 2 days and not getting any file in the spamdir. It's strange because there should be mails with a score between 7 and 10 reaching this server.

Do you know where I could check whether everything is working OK? I haven't found the SpamAssassin action log; where is it?

Thanks, and sorry for being a real beginner at all of this.
benji
Forum User
Posts: 63
Joined: Thu Mar 29, 2007 10:32 am

Unread post by benji »

Kalimari wrote: Benji, the clue to understanding the settings in /etc/qmail-scanner.ini is required_hits + the value entered for quarantine and/or deletion.

In /etc/mail/spamassassin/local.cf
Your current SA required_score is 7

Edit /etc/qmail-scanner.ini:
To quarantine message with a score of 10:
SA_QUARANTINE="3" (7+3)
To delete message with a score of 20:
SA_DELETE="13" (7+13)

Note: SA_DELETE value must be greater than SA_QUARANTINE.

Make sure your /etc/qmail-scanner.ini quarantine directory is correct if using the quarantine, mine needed to be altered as follows:
SPAMDIR="/var/spool/qscan/quarantine/spam" <- wrong
SPAMDIR="/spam" <- works


You can learn a lot more about SA and MySQL related settings at: http://wiki.apache.org/spamassassin/
Or google spamassassin + the value in the cf/ini file... there's a lot of information out there.
Hi,

Ive tried both,
SPAMDIR="/var/spool/qscan/quarantine/spam" <- wrong
SPAMDIR="/spam" <- works

And neither of them works; nothing is written to those dirs. What should I check? Could anyone tell me where the SpamAssassin log file is? I haven't found it by googling... I just feel lost without the log file...
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

Unread post by breun »

Also check whether that SPAMDIR actually exists and whether its ownership and permissions are set up correctly. Check your maillog (/usr/local/psa/var/log/maillog on RPM-based Plesk installs) for spamd's messages.
Lemonbit Internet Dedicated Server Management
benji
Forum User
Posts: 63
Joined: Thu Mar 29, 2007 10:32 am

Unread post by benji »

Thanks breun,

seems like something is not working...

Code:
Apr  7 05:02:05 tila qmail: 1207537325.120116 end msg 268468361
Apr  7 05:03:19 tila relaylock: /var/qmail/bin/relaylock: mail from 123.190.98.120:47874 (not defined)
Apr  7 05:03:50 tila relaylock: /var/qmail/bin/relaylock: mail from 190.186.11.173:2606 (dynamic-ip-adsl-190.186.11.173.cotas.com.bo)
Apr  7 05:03:52 tila spamc[22899]: connect to spamd on 127.0.0.1 failed, retrying (#1 of 3): Connection refused
Apr  7 05:03:53 tila spamc[22899]: connect to spamd on 127.0.0.1 failed, retrying (#2 of 3): Connection refused
Apr  7 05:03:54 tila spamc[22899]: connect to spamd on 127.0.0.1 failed, retrying (#3 of 3): Connection refused
Apr  7 05:03:55 tila spamc[22899]: connection attempt to spamd aborted after 3 retries
Any clues?
exi1ed0ne
Forum Regular
Posts: 190
Joined: Sun Nov 20, 2005 4:16 pm
Location: Right Behind You!

Unread post by exi1ed0ne »

spamd running?
-Andy
benji
Forum User
Posts: 63
Joined: Thu Mar 29, 2007 10:32 am

Unread post by benji »

:oops: OK, now that it's started... I'm not seeing any spamd logs in the maillog file...

Only this (from my manual "service spamassassin restart", I guess...)

Code:
Apr  7 16:37:44 tila spamd[5822]: spamd: server killed by SIGTERM, shutting down
Apr  7 16:37:48 tila spamd[9397]: logger: removing stderr method
Apr  7 16:38:08 tila spamd[9401]: spamd: server started on port 783/tcp (running version 3.2.4)
Apr  7 16:38:08 tila spamd[9401]: spamd: server pid: 9401
Apr  7 16:38:08 tila spamd[9401]: spamd: server successfully spawned child process, pid 9436
Apr  7 16:38:08 tila spamd[9401]: spamd: server successfully spawned child process, pid 9437
Apr  7 16:38:08 tila spamd[9401]: prefork: child states: II


I've waited for several minutes... nothing logged in maillog from spamd. Is there any way to see what decisions it is taking on the mails as they arrive?

Like: OK, clean, pass; 10 points, is spam, I delete it...

Or should it actually appear in the maillog file? Then... probably something is not working OK :(
Kalimari
Forum Regular
Posts: 526
Joined: Wed Jan 02, 2008 3:21 pm
Location: United Kingdom

Unread post by Kalimari »

Definitely seems as if there's something more to the problem than QS/SA settings.

There may be further clues in: /var/spool/qscan/qmail-queue.log
Do you have any entries in /var/spool/qscan/quarantine.log, and does /var/spool/qscan/quarantine/spam/new exist? What are the permissions/ownership?

Try: tail -f /var/spool/qscan/qmail-queue.log /usr/local/psa/var/log/maillog
This will show you all incoming connections and the decisions/thresholds for the actions in real-time...
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

Unread post by breun »

If spamd wasn't running when qmail-scanner-reconfigure was run then SpamAssassin is not in the loop. Rerun qmail-scanner-reconfigure when you are sure clamd and spamd are running.
Lemonbit Internet Dedicated Server Management
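breun's point implies a pre-flight check: make sure spamd really answers before running qmail-scanner-reconfigure, and look in the maillog for the spamc "Connection refused" lines seen earlier in the thread, since every scan that logged those ran without SpamAssassin. The script below is an added example, not code from the thread, qmail-scanner or SpamAssassin. It uses the spamd protocol's PING command (what spamc -K sends; spamd answers "SPAMD/<version> 0 PONG"), a constructed stand-in spamd on an ephemeral port so it runs offline, and maillog lines constructed after the ones in the thread. The port and host default to the 783/tcp loopback listener the thread's spamd logs; clamd has its own PING/PONG command and would get an equivalent check, which is not implemented here.

```python
"""Added example, not from the thread: confirm spamd answers a protocol PING and
scan the maillog for spamc connection failures before running
qmail-scanner-reconfigure.  The fake spamd and the log lines are constructed."""
import re
import socket
import threading

SPAMD_HOST, SPAMD_PORT = "127.0.0.1", 783   # where the thread's spamd listens (783/tcp)


def spamd_alive(host=SPAMD_HOST, port=SPAMD_PORT, timeout=3.0):
    """Send the spamc protocol PING (what `spamc -K` does) and expect 'SPAMD/<ver> 0 PONG'.
    Returns (True, server_protocol_version) or (False, reason)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"PING SPAMC/1.5\r\n")
            reply = s.recv(256).decode("ascii", "replace").strip()
    except OSError as exc:
        return False, f"{host}:{port}: {exc}"
    m = re.match(r"SPAMD/(\S+) 0 PONG", reply)
    return (True, m.group(1)) if m else (False, f"unexpected reply {reply!r}")


SPAMC_FAIL_RE = re.compile(
    r"spamc\[\d+\]: (?:connect to spamd on \S+ failed, retrying|connection attempt to spamd aborted)")


def spamc_failures(maillog_lines):
    """Maillog lines showing spamc could not reach spamd (those scans ran without SA)."""
    return [line for line in maillog_lines if SPAMC_FAIL_RE.search(line)]


def preflight(maillog_lines, host=SPAMD_HOST, port=SPAMD_PORT, timeout=3.0):
    """True only when spamd answers now and the supplied log shows no spamc failures;
    run qmail-scanner-reconfigure only after this (and an equivalent clamd check) passes."""
    ok, _ = spamd_alive(host, port, timeout)
    return ok and not spamc_failures(maillog_lines)


def start_fake_spamd():
    """Constructed stand-in for spamd: answers one PING on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(256)
            conn.sendall(b"SPAMD/1.5 0 PONG\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


MAILLOG_SAMPLE = [  # constructed after the lines pasted in the thread
    "Apr  7 05:03:52 tila spamc[22899]: connect to spamd on 127.0.0.1 failed, retrying (#1 of 3): Connection refused",
    "Apr  7 05:03:55 tila spamc[22899]: connection attempt to spamd aborted after 3 retries",
    "Apr  7 16:38:08 tila spamd[9401]: spamd: server started on port 783/tcp (running version 3.2.4)",
]

if __name__ == "__main__":
    port = start_fake_spamd()
    print("fake spamd:", spamd_alive(port=port))
    print("spamc failures in log:", len(spamc_failures(MAILLOG_SAMPLE)))
    print("preflight against real spamd:", preflight(MAILLOG_SAMPLE))
```

On the real box, call spamd_alive() with the defaults; a "Connection refused" reason is the same condition the thread's spamc lines report, and means reconfiguring now would leave SpamAssassin out of the loop again.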
benji
Forum User
Posts: 63
Joined: Thu Mar 29, 2007 10:32 am

Unread post by benji »

Kalimari wrote: Definitely seems as if there's something more to the problem than QS/SA settings.

There may be further clues in: /var/spool/qscan/qmail-queue.log
Do you have any entries in /var/spool/qscan/quarantine.log, and does /var/spool/qscan/quarantine/spam/new exist? What are the permissions/ownership?

Try: tail -f /var/spool/qscan/qmail-queue.log /usr/local/psa/var/log/maillog
This will show you all incoming connections and the decisions/thresholds for the actions in real-time...
Hi Kalimari,

Code:
[root@tila spam]# pwd
/var/spool/qscan/quarantine/spam
[root@tila spam]# ls -l
total 0
drwxr-xr-x 2 qscand qscand 6 Aug 27  2007 cur
drwxr-xr-x 2 qscand qscand 6 Aug 27  2007 new
drwxr-xr-x 2 qscand qscand 6 Aug 27  2007 tmp
[root@tila spam]#
So the directories exist.

Also found some lines in the log files like this:

Code:
Apr  7 15:22:05 tila qmail-scanner[29534]: Perlscan:Spam_Viagra:RC:0(189.43.43.2):SA:0(?/?): 3.271908 812 effeminacyexc@wasatchsleep.com hugo.morelli@oneclientofmine.com $89.95_Viagra_(Sildenafil)_50mg_x_30_pills <01c89899$349a3a00$022b2bbd@effeminacyexc> 1207574521.29536-0.tila.myserver.net:89
Also found some lines in quarantine.log like:

Code:
Mon, 07 Apr 2008 17:24:40 CEST  organizers2@aspel.net   jm.arteaga@oneclientofminedomain.com    US $ 99.95 Viagra (Sildenafil) 100mg x 30 pills price   Spam Viagra     perlscan: 2.01st.

Does that mean that SA is working OK?

Then why is it not putting the mails in the quarantine dir correctly:

Code:
[root@tila spam]# pwd
/var/spool/qscan/quarantine/spam
[root@tila spam]# du -h
0       ./cur
0       ./new
0       ./tmp
0       .
[root@tila spam]#

benji
Forum User
Posts: 63
Joined: Thu Mar 29, 2007 10:32 am

Unread post by benji »

breun wrote: If spamd wasn't running when qmail-scanner-reconfigure was run then SpamAssassin is not in the loop. Rerun qmail-scanner-reconfigure when you are sure clamd and spamd are running.
I think that did it :)

Now I've got

Code:
Mon, 07 Apr 2008 17:42:10 CEST:15759: SA: yup, this smells like SPAM - hits=23.3/7.0/20 - message deleted ...
Mon, 07 Apr 2008 17:42:10 CEST:15759: SA: finished scan in 5.326063 secs - hits=23.3/7.0
Apr  7 17:42:10 tila qmail-scanner[15759]: SA:SPAM-DELETED:RC:0(85.54.180.186):SA:1(23.3/7.0): 0 912 theronassiduouskline@pagat.com miquel@mailofmyclient.com Visit_and_start_seeing_the_dollars_coming. 1160701c898c5$e9ccee00$1b01a8c0@pcd4dffbf6ef16 tila.myserver.net120758292576315759-unpacked:912
Mon, 07 Apr 2008 17:42:15 CEST:15770: SA: yup, this smells like SPAM - hits=34.2/7.0/20 - message deleted ...
Mon, 07 Apr 2008 17:42:15 CEST:15770: SA: finished scan in 3.903345 secs - hits=34.2/7.0
Apr  7 17:42:15 tila qmail-scanner[15770]: SA:SPAM-DELETED:RC:0(220.124.59.248):SA:1(34.2/7.0): 0 774 chalicedominique@advantisgva.com cleint@mailofmyclient.com NoPrescripitonNeeded_-_OnlinePharmaccy_...___ <60762207.2820747287865.JavaMail.nfsnobody@ridge.com> tila.myserver.net120758292976315770-unpacked:774
Apr  7 17:42:15 tila qmail-scanner[15770]: SA:SPAM-DELETED:RC:0(220.124.59.248):SA:1(34.2/7.0): 0 774 chalicedominique@advantisgva.com dibrok@dibrok.com NoPrescripitonNeeded_-_OnlinePharmaccy_...___ <60762207.2820747287865.JavaMail.nfsnobody@ridge.com> tila.myserver.net120758292976315770-unpacked:774
Mon, 07 Apr 2008 17:42:16 CEST:15775: SA: yup, this smells like SPAM - hits=33.0/7.0/20 - message deleted ...
Mon, 07 Apr 2008 17:42:16 CEST:15775: SA: finished scan in 4.03368 secs - hits=33.0/7.0
Apr  7 17:42:16 tila qmail-scanner[15775]: SA:SPAM-DELETED:RC:0(78.37.148.251):SA:1(33.0/7.0): 0 919 suctionkn439@whatageek.com ernesto.gascon@mailofmyclient.com AutoCAD <01c898df$148d6980$fb94254e@suctionkn439> tila.myserver.net120758293176315775-unpacked:919
So I cannot restart SpamAssassin or clamd without running qmail-scanner-reconfigure right after it, right?

But I'm still not seeing quarantined messages in place; what should I do?
Lots of these messages appear:
Mon, 07 Apr 2008 17:46:27 CEST:16451: SA: yup, this smells like SPAM - hits=18.3/7.0/8 - message quarantined ...

Where is it quarantining them? omg
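Two things in this thread are worth having as code: the threshold arithmetic Kalimari quoted earlier (SA_QUARANTINE and SA_DELETE in qmail-scanner.ini are offsets added to local.cf's required_score, so 7+3 quarantines at 10 and 7+13 deletes at 20, and SA_DELETE must exceed SA_QUARANTINE), and a parser for the two log formats pasted above: the qmail-queue.log "SA: yup, this smells like SPAM - hits=23.3/7.0/20 - message deleted" lines and the maillog "qmail-scanner[pid]: VERDICT:RC:0(ip):SA:1(23.3/7.0)" lines. Going by the lines shown, the third number in hits=a/b/c is the threshold that triggered the logged action, and "SA:0(?/?)" marks a message scored by perlscan alone with no SpamAssassin result. The script below is an added example, not code from the thread or from qmail-scanner; the log lines it embeds are constructed after the ones above with example addresses, and the "tagged" outcome for scores above required_score but below the quarantine threshold is my reading of how qmail-scanner passes such mail on, not something the thread states.

```python
"""Added example, not from the thread: turn qmail-scanner.ini offsets into absolute
SpamAssassin scores, classify a score the way those settings would, and parse the
qmail-queue.log and maillog line formats pasted in the thread.  Sample lines are
constructed after the thread's with example addresses."""
import re


def absolute_thresholds(required_score, sa_quarantine, sa_delete):
    """SA_QUARANTINE / SA_DELETE are offsets on top of local.cf required_score
    (Kalimari's 7+3=10 and 7+13=20).  SA_DELETE must be greater than SA_QUARANTINE."""
    if sa_delete <= sa_quarantine:
        raise ValueError("SA_DELETE must be greater than SA_QUARANTINE")
    return required_score + sa_quarantine, required_score + sa_delete


def classify(score, required_score, quarantine_at, delete_at):
    """Action for one SpamAssassin score under the given absolute thresholds."""
    if score >= delete_at:
        return "deleted"
    if score >= quarantine_at:
        return "quarantined"
    if score >= required_score:
        return "tagged"      # assumption: delivered with SA spam headers, not quarantined
    return "clean"


# qmail-queue.log:  "...CEST:15759: SA: yup, this smells like SPAM - hits=23.3/7.0/20 - message deleted ..."
QUEUE_RE = re.compile(
    r":(?P<pid>\d+): SA: yup, this smells like SPAM - hits=(?P<hits>[\d.]+)/(?P<required>[\d.]+)"
    r"/(?P<threshold>[\d.]+) - message (?P<action>quarantined|deleted)")
# maillog:  "... qmail-scanner[15759]: SA:SPAM-DELETED:RC:0(85.54.180.186):SA:1(23.3/7.0): ..."
MAILLOG_RE = re.compile(
    r"qmail-scanner\[(?P<pid>\d+)\]: (?P<verdict>.+?):RC:\d+\((?P<ip>[^)]*)\):"
    r"SA:(?P<sa_ran>[01])\((?P<hits>[^/]+)/(?P<required>[^)]+)\)")


def parse_line(line):
    """Return a dict for a recognised line, or None (e.g. for 'finished scan' lines)."""
    m = QUEUE_RE.search(line)
    if m:
        return {"source": "qmail-queue.log", "pid": int(m["pid"]), "hits": float(m["hits"]),
                "required": float(m["required"]), "threshold": float(m["threshold"]),
                "action": m["action"]}
    m = MAILLOG_RE.search(line)
    if m:
        sa_ran = m["sa_ran"] == "1"          # SA:0(?/?) means SpamAssassin produced no score
        return {"source": "maillog", "pid": int(m["pid"]), "verdict": m["verdict"],
                "ip": m["ip"], "sa_ran": sa_ran,
                "hits": float(m["hits"]) if sa_ran else None,
                "required": float(m["required"]) if sa_ran else None}
    return None


def summarize(lines):
    """Count logged actions/verdicts, the quick answer to 'is it deleting or quarantining?'."""
    counts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = rec.get("action") or rec["verdict"]
        counts[key] = counts.get(key, 0) + 1
    return counts


SAMPLE = [  # constructed after the thread's lines; addresses replaced with example ones
    "Mon, 07 Apr 2008 17:42:10 CEST:15759: SA: yup, this smells like SPAM - hits=23.3/7.0/20 - message deleted ...",
    "Mon, 07 Apr 2008 17:42:10 CEST:15759: SA: finished scan in 5.326063 secs - hits=23.3/7.0",
    "Apr  7 17:42:10 tila qmail-scanner[15759]: SA:SPAM-DELETED:RC:0(85.54.180.186):SA:1(23.3/7.0): 0 912 "
    "sender@example.com user@example.net Visit_and_start_seeing_the_dollars_coming. tila.example.net:912",
    "Mon, 07 Apr 2008 17:46:27 CEST:16451: SA: yup, this smells like SPAM - hits=18.3/7.0/8 - message quarantined ...",
    "Apr  7 15:22:05 tila qmail-scanner[29534]: Perlscan:Spam_Viagra:RC:0(189.43.43.2):SA:0(?/?): 3.271908 812 "
    "sender@example.com user@example.net Viagra_50mg_x_30_pills tila.example.net:89",
]

if __name__ == "__main__":
    q, d = absolute_thresholds(7, 3, 13)
    for score in (3.3, 8.5, 18.3, 23.3):
        print(f"score {score:>5}: {classify(score, 7, q, d)}")
    print(summarize(SAMPLE))
```

Run it against a real log with summarize(open("/var/spool/qscan/qmail-queue.log")) (path from Kalimari's post); the maillog lines whose verdict starts with "Perlscan" and carry SA:0(?/?) are the ones that never reached SpamAssassin, which is the symptom breun attributes to running qmail-scanner-reconfigure while spamd was down.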
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

Unread post by breun »

Yup. Those first spam messages got caught by perlscan, which is integrated in qmail-scanner. But having SpamAssassin in there probably helps. :)
Lemonbit Internet Dedicated Server Management