Over the last few months I've seen a lot of spam being generated with the From: address being my own email address.
Any email that uses this seems to just slip through Spamassassign with no problem at all and I have no idea how to block / stop this from happening. (I'm a photographer who likes running their own web / email server - so I'm no SysAdmin wizard!)
I've religously checked that I'm not an "open relay" etc.
Any suggestions at all would be greatly appreciated. Example oh header supplied at end.
Nigel Aves.
Suse 11.1 / Virtualmin GPL / sendmail / spamassassign / razor / dovecot / Apache . his-web-site - just substituded my real domain name.
Return-Path: nigel@his-web-site.com
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on apache-web-server.his-web-site.com
X-Spam-Level:
X-Spam-Status: No, score=-90.6 required=3.0 tests=AWL,HTML_IMAGE_RATIO_04, HTML_MESSAGE,MIME_HTML_ONLY,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100, RAZOR2_CHECK,RCVD_IN_PBL,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL, URIBL_SC_SURBL,URIBL_WS_SURBL,URI_HEX,USER_IN_WHITELIST autolearn=no version=3.2.5
Received: from c-151-27.fox.com.br (c-151-27.fox.com.br [189.28.151.27] (may be forged)) by apache-web-server.his-web-site.com (8.14.3/8.14.3/SuSE Linux 0.8) with ESMTP id n6TLrNvQ019285 for nigel@his-web-site.com; Wed, 29 Jul 2009 15:53:24 -0600
Date: Wed, 29 Jul 2009 15:53:23 -0600
From: "Stepnowski Michelina" nigel@his-web-site.com
Subject: Your order details
Content-Type: text/html; charset="utf-8"
MIME-Version: 1.0
Message-Id: YSZKGD31814.9F42965@c-151-27.fox.com.br
Howdy,
The AWL (auto-whitelist) test is likely allowing those to slip though.
Seeing the above -- SpamAssassin is seeing a ton of issues with it, but the AWL test is weighted pretty heavily by default.
The AWL test takes whatever spam score SpamAssassin has given that email, and reduces it by some large amount. The AWL is trying to account for addresses it thinks are known good, but that doesn't always work as desired :-)
Note that your spam score is -90.6 (in the X-Spam-Status header), which is saying "I'm really certain it's not spam".
To fix that, I'd do one of:
Disable auto whitelisting. You can do that by editing your spamassassin local.cf file, and set "use_auto_whitelist 1".
Change the auto whitelist score. To do that, you'd edit the local.cf, and add something like "score AWL -5". That makes it alter the score by 5, rather than by nearly 100.
With either of the above, you'd need to restart SpamAssassin after making those changes.
-Eric
some users including me are using postgrey. it is easy to install, just works and reduces spam down to almost nill (on my boxes anyways).
Yeah, in addition to whatever changes you may make for the auto-whitelisting, I definitely agree with Ronald that greylisting can make a huge difference.
-Eric
Eric,
I've used your advice as a starter and have auto-whitelisting turned Off. I guess tomorrow I'll have better idea as to what this has done and the impact it has made.
Ronald,
I'm running Suse 11.1 and Sendmail. Sadly, postgrey is available but it only works with Postfix (When I built this server I did first try postfix but it so confussed me I gave up and went back to sendmail).
I've found milter-greylist as source only. I just don't have the expertize to get the install to work. I did attempt it (loaded gcc) but it dies with an error message I have no clue how to fix.
Anyways Guys,
Thanks very much for pointing me in all the right directions.
Nigel.
After discovering that I needed to set use_auto_whitelist "0" not "1" - I checked this morning via webmin and no entries are in or have been added to the auto_whitelist.
There does seem to be a reduction of spam messages but I am still getting this happening. I've churned through all the config files for spamassassign / sendmail and can not find anywhere were I have allowed nigel@hiswebsite.com to get a whitelist score of -100 + I also added the score AWL -5 but that should be totally redundant.
So after making the above changes I'm still getting this happening.
Return-Path: stowez1@siloam96.org
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on apache-web-server.hiswebsite.com
X-Spam-Level:
X-Spam-Status: No, score=-93.8 required=3.0 tests=HTML_IMAGE_ONLY_28, HTML_MESSAGE,MIME_HTML_ONLY,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100, RAZOR2_CHECK,RCVD_IN_PBL,USER_IN_WHITELIST autolearn=disabled version=3.2.5 Received: from 189106097147.user.veloxzone.com.br (189106153209.user.veloxzone.com.br [189.106.153.209] (may be forged))
Received: from 189.106.153.209 by mx00-dom.earthlink.net; Thu, 30 Jul 2009 13:33:27 -0300
Date: Thu, 30 Jul 2009 13:33:27 -0300
From: nigel@hiswebsite.com
X-Mailer: The Bat! (v3.81.14 Beta) Educational
Reply-To: stowez1@siloam96.org
X-Priority: 3 (Normal)
Message-ID: 450872411.11336124927291@siloam96.org
To: nigel@hiswebsite.com
Subject: You have new message!
MIME-Version: 1.0
Content-Type: text/html;
charset=Windows-1252
Content-Transfer-Encoding: 7bit
After discovering that I needed to set use_auto_whitelist "0" not "1" - I checked this morning via webmin and no entries are in or have been added to the auto_whitelist.
Yikes! I'm very sorry, I meant to say "0" :-)
As far as what's going on here -- it looks like "USER_IN_WHITELIST" is being triggered, which is different than the auto-whitelist that we disabled.
In poking through the SpamAssassin docs, looks like a common cause for that to be triggered is using the "whitelist_from" directive in the config.
So you might check to see if you have that anywhere. However, you can also just change how much it's being scored, by adding something like this to the local.cf:
score USER_IN_WHITELIST -2
Andrey,
I have no idea what was causing this to skew everything but lowering that number to "score USER_IN_WHITELIST -2" did the trick! Thank You. (One of downsides with Webmin is you never get to see all the settings! and the three that yu pointed me too seem important.)
I've played around with some of the scoring as well, especially with Razor, they seemed very low in comparison to other spamassassin scores. If memory serves me well all of them where set to .1 so I increased dramatically and ended up with the main ones being 2.5 That too has made a big difference and so far only spam has been caught by Razor.
Once again, I'm very appreciative of your help. If you ever get to Colorado, beers on me!
Nigel
Hi Nigel:
I'm relatively new to VM, so I am still in the poking around stage, and boy, is there a lot to poke around in!
I was having the same problem as you: my own address forged in the From field being whitelisted. I finally found the whitelisted addresses at Virtualmin > [domain] > Services > SpamAssassin > Allowed Addresses. I removed the addresses and saved. On a Centos 5 system, this info is stored in file /etc/webmin/virtual-server/spam/[big number associated with domain]/virtualmin.cf.
Edit: I just discovered that when you enable spam filtering (spamassassin), your addresses are automatically added to Allowed Addresses. There is probably someplace where this feature can be disabled, but I haven't looked yet.
Hope this helps.
John
Howdy,
I just discovered that when you enable spam filtering (spamassassin), your addresses are automatically added to Allowed Addresses. There is probably someplace where this feature can be disabled, but I haven't looked yet.
You're right, you can indeed disable that!
To do that, you'd go into System Settings -> Module Config -> Spam Filtering Options, and from there you can tweak "Default spam whitelist option".
Have a good one,
-Eric
Hi Nigel,
From what you are describing it appears you are having a classic case of "backscatter". If you google the term "backscatter spam" you should get plenty of hits and descriptions of the problem. Some of my customers had these backscatter issues and it drove me crazy until I implemented a watermark system for outgoing emails. I accomplished this using an excellent package called MailScanner. http://www.mailscanner.info Setup of MailScanner is a bit time consuming but fairly easy and the documentation is very good. Check out the section on watermarking messages. Basically the scenerio is that any message you send out of your server gets a watermark in the header. Any message coming back in claiming to originate from your server gets checked against the known watermark. If there is no watermark or the watermarks don't match, the email gets flagged as spam. There are other ways of handling this sort of thing but I have found the MailScanner solution to be easiest to implement. Hope this helps.
Max