Spam filter, false positive... Please help...
I followed this guide
to configure my spam filter.
Anyway, I have the feeling that there are some false positives that never reach my spam folder.
Is there a way to test for false positives?
Some site that sends us dozens of emails and lets us check how many of them arrived in our inbox?
Please help.
/etc/postfix/main.cf

# HELO restrictions:
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    permit

# Sender restrictions:
smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit

# Recipient restrictions:
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    check_sender_access hash:/etc/postfix/sender_access,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    check_policy_service unix:postgrey/socket,
    permit
master.cf

amavisfeed      unix    -       -       n       -       2       lmtp
    -o lmtp_data_done_timeout=1200
    -o lmtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20

127.0.0.1:10025 inet    n       -       n       -       -       smtpd
    -o content_filter=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o smtpd_restriction_classes=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings
    -o local_header_rewrite_clients=
    -o smtpd_milters=
    -o local_recipient_maps=
    -o relay_recipient_maps=

smtp            inet    n       -       n       -       -       smtpd
43 Replies
@Xan:
I don't have an answer to your specific question, but I would like to recommend against having a spam folder.
In my experience it's far better to simply reject borderline mail at SMTP time. That way, the sender gets an immediate notice that it didn't go through and why. If such mail instead went into a spam folder, it could languish unnoticed for days or weeks or forever, while the sender believes it got through. Such silent failure is the worst-case scenario.
Thanks for your reply.
My problem is that I think some mail doesn't reach the spam folder at all, because it is discarded before it gets to the folder.
Don't think. Know. Check your SMTP logs for the mails you "think" are being rejected. Find out why. Adjust your rules accordingly.
Having faced exactly this question (is something I don't want to miss being rejected?), I created the following script to dump in /etc/cron.daily. It parses /var/log/maillog to provide a daily summary of different events, so I can see what's being rejected. It's already helped me find a misconfigured Postfix virtualhost.
I still need to install logtail, so I can ONLY check new errors each day, instead of getting all errors since the last rotation.
I'd also recommend using warn_if_reject for a while when adding new restrictions.
#!/bin/bash
#
# Script to parse postfix logs for issues to report
# Created: 2009-12-30
# Changed: 2009-12-31 Added more detail: relaying, RBLs
#
# Set logfile=/path/to/file in the environment to parse another log.
LOGFILE=${logfile:-/var/log/maillog}

# Every smtpd rejection is logged as "postfix/smtpd[PID]: NOQUEUE: ..."
REJECTS='postfix/smtpd?\[[0-9]*\]: NOQUEUE:'

echo "Checking for relaying"
# Reshape each "Relay access denied" line into From:/To:/On: lines so they can be counted
relay=$(grep -E "$REJECTS" "$LOGFILE" \
    | grep -E -v "due to listing in|Sender address rejected|Client host rejected|Recipient address rejected" \
    | sed '/Relay access denied/s/^\(.*\) postfix\/smtpd.*from=\([^ ]*\) to=\([^ ]*\) proto=.*/From: \2 To: \3 On: \1/' \
    | sed -e 's/ To:/\nTo:/g' -e 's/ On:/\nOn:/g')
echo "Relaying denied from:"
echo "$relay" | grep "^From: " | sed 's/^From: //' | sort | uniq -c | sort -rn
echo "Relaying denied to:"
echo "$relay" | grep "^To: " | sed 's/^To: //' | sort | uniq -c | sort -rn

# Same for DNSBL rejects; the list name is taken from "due to listing in <rbl>:" (this server's rbl_reply)
rbl=$(grep -E "$REJECTS" "$LOGFILE" \
    | grep -E -v "Relay access denied|Sender address rejected|Client host rejected|Recipient address rejected" \
    | sed '/due to listing in/s/.*due to listing in \([^:]*\):.*from=\([^ ]*\).* to=\([^ ]*\).*/From: \2 To: \3 RBL: \1/' \
    | sed -e 's/ To:/\nTo:/g' -e 's/ RBL:/\nRBL:/g')
echo -n "Total RBL blocks: "
echo "$rbl" | grep "^To: " | wc -l
echo "RBL blocked email to:"
echo "$rbl" | grep "^To: " | sed 's/^To: //' | sort | uniq -c | sort -rn
echo "RBLs:"
echo "$rbl" | grep "^RBL: " | sed 's/^RBL: //' | sort | uniq -c | sort -rn

# Any rejection for a reason not summarised above is printed in full
echo "Checking for new postfix errors"
grep -E "$REJECTS" "$LOGFILE" \
    | grep -E -v "Relay access denied|due to listing in|Sender address rejected|Client host rejected|Recipient address rejected" \
    || echo " none."

# Rough counts of the remaining smtpd events, collapsed to their type
echo "Statistics"
grep -E 'postfix/smtpd' "$LOGFILE" \
    | grep -E -v 'NOQUEUE:|connect from|client=' \
    | sed -e 's/.*smtpd\[[0-9]*\]: //' -e 's/lost connection.*/lost connection/' \
          -e 's/warning.*/warning/' -e 's/timeout.*/timeout/' \
          -e 's/too many errors.*/too many errors/' -e 's/.*reject.*/other reject/' \
    | sort | uniq -c | sort -rg
Checking for relaying
Relaying denied from:
      3 <spamery@tiscali.it>
      1 <mytestaddress@mydom.ain>
Relaying denied to:
      3 <spamery@tiscali.it>
      1 <anothertest@mydom.ain>
Total RBL blocks: 372
RBL blocked email to:
    212 <200403130913.36483.lfs-user@mydom.ain>
     57 <mailinglistuser@mydom.ain>
     29 <info@mydom.ain>
     28 <bikedc@mydom.ain>
     20 <user@mydom.ain>
      6 <200403140926.46641.lfs-user@mydom.ain>
      3 <jumanji@choicemedical.be>
      2 <zz@mail2000.com.tw>
      2 <sseenndd0622@yahoo.com.hk>
      2 <fedora-user@mydom.ain>
      1 <superedm001@yahoo.com.tw>
      1 <servicemagic-customer@mydom.ain>
      1 <poi@mail2000.com.tw>
      1 <lfs-user@mydom.ain>
      1 <myself@mydom.ain>
      1 <53363.lfs-user@mydom.ain>
      1 <41.lfs-user@mydom.ain>
      1 <200403141011.00740.lfs-user@mydom.ain>
      1 <200403122212.03348.lfs-user@mydom.ain>
      1 <200403122137.06415.lfs-user@mydom.ain>
      1 <200403122118.53363.lfs-user@mydom.ain>
RBLs:
    371 zen.spamhaus.org
      1 dul.dnsbl.sorbs.net
Checking for new postfix errors
 none.
Statistics
    163 lost connection
     89 warning
      2 timeout
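The advice above is to check the logs rather than guess. As an added example (not the poster's script and not Postfix code), here is a Python parser that builds the same kind of summary from Postfix smtpd reject lines, recognises both the stock "blocked using" and the customised "due to listing in" DNSBL replies seen in this thread, and keeps warn_if_reject hits apart from real rejects. The log lines, hosts and addresses are constructed.

```python
# Added example, not from the thread: parse Postfix smtpd reject lines into
# the same kind of summary as the shell script above (rejects per reason, per
# DNSBL and per recipient) and keep warn_if_reject hits apart from real rejects.
import re
from collections import Counter

# Constructed log lines; hosts and addresses are placeholders, not real data.
SAMPLE_LOG = """\
Jan  3 10:01:02 mx postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <relay@example.net>: Relay access denied; from=<spam@example.org> to=<relay@example.net> proto=ESMTP helo=<mail>
Jan  3 10:02:15 mx postfix/smtpd[2212]: NOQUEUE: reject: RCPT from 118-168-138-33.dynamic.hinet.net[118.168.138.33]: 554 5.7.1 Service unavailable; Client host [118.168.138.33] blocked using zen.spamhaus.org; from=<t8.t8@msa.hinet.net> to=<poi@mail2000.com.tw> proto=SMTP helo=<70.85.16.115>
Jan  3 10:03:40 mx postfix/smtpd[2213]: NOQUEUE: reject: RCPT from pc[203.0.113.9]: 504 5.5.2 <localhost>: Helo command rejected: need fully-qualified hostname; from=<alice@example.com> to=<me@mydom.ain> proto=ESMTP helo=<localhost>
Jan  3 10:04:01 mx postfix/smtpd[2214]: NOQUEUE: reject_warning: RCPT from scanner[192.0.2.50]: 554 5.7.1 Service unavailable; Client host [192.0.2.50] blocked using bl.example.test; from=<xerox@mydom.ain> to=<me@mydom.ain> proto=SMTP helo=<scanner>
Jan  3 10:05:00 mx postfix/smtpd[2215]: connect from mail.example.com[192.0.2.1]
"""

# The free-text reason sits between the SMTP status code and the "; from=<" trailer.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: (?P<action>reject_warning|reject): "
    r"RCPT from (?P<client>\S+): (?P<code>\d{3}) (?P<text>.*?); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> proto=\S+ helo=<(?P<helo>[^>]*)>"
)
# Stock rbl_reply says "blocked using X"; the customised reply quoted later says "due to listing in X".
RBL_RE = re.compile(r"(?:blocked using|due to listing in) (?P<rbl>[\w.-]+)")
BUCKETS = (("Relay access denied", "relay"), ("Helo command rejected", "helo"),
           ("Sender address rejected", "sender"), ("Recipient address rejected", "recipient"))

def classify(text):
    """Bucket a reject reason the way the shell script's greps do."""
    if RBL_RE.search(text):
        return "rbl"
    return next((tag for needle, tag in BUCKETS if needle in text), "other")

def summarize(log_text):
    """Count real rejects per reason, per DNSBL and per RBL-blocked recipient.
    reject_warning lines are listed, not counted: Postfix delivered that mail."""
    s = {"by_reason": Counter(), "by_rbl": Counter(), "rbl_to": Counter(), "warnings": []}
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue  # connects, disconnects, queue activity: not rejects
        f = m.groupdict()
        reason = classify(f["text"])
        if f["action"] == "reject_warning":
            s["warnings"].append((reason, f["sender"], f["rcpt"]))
            continue
        s["by_reason"][reason] += 1
        if reason == "rbl":
            s["by_rbl"][RBL_RE.search(f["text"]).group("rbl")] += 1
            s["rbl_to"][f["rcpt"]] += 1
    return s
```

Run it against a real maillog by reading the file into `summarize()`; the "warnings" list is where a false positive shows up without any mail being lost while a new restriction is under warn_if_reject.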
@Dahak:
> Don't think. Know. Check your SMTP logs for the mails you "think" are being rejected. Find out why. Adjust your rules accordingly.
Using your script I can't find any false positives.
I will check for a week to see better if any false positives are caught.
Thanks for your help.
PS: What do you think about zen.spamhaus.org?
Is it good to use it?
@node_tux:
Take a look at Logwatch. It provides detailed information re: postfix from your syslog.
I often look at my logwatch but I never found a false positive.
The strange thing is that I often lose forum thread reply notifications, even though there is no trace of a false positive in logwatch.
SpamAssassin will bump up the spam score of any email dated this year.
@node_tux:
Take a look at Logwatch. It provides detailed information re: postfix from your syslog.
Unfortunately, I haven't figured out how to fix logwatch's parsing of postfix logs. I get a megabuttload of Unmatched Entries like
NOQUEUE: reject: RCPT from 118-168-138-33.dynamic.hinet.net[118.168.138.33]: 554 5.7.1 Mail from 118-168-138-33.dynamic.hinet.net[118.168.138.33] rejected based on Client host due to listing in zen.spamhaus.org: http://www.spamhaus.org/query/bl?ip=118.168.138.33; from=<t8.t8@msa.hinet.net> to=<poi@mail2000.com.tw> proto=SMTP helo=<70.85.16.115>
instead of a useful summary of errors; hence the quick'n'dirty script as a stopgap. BTW, I've updated it some more if anybody is interested.
@sblantipodi:
What do you think about zen.spamhaus.org ???
Is it good to use it?
When I was looking into blacklists, that's the one that appeared the best, and the stats seem to show it. Zero false positives so far (3 months), and very few get past it to be caught by one of the other BLs I have configured (dul.dnsbl.sorbs.net, and warning on dsn.rfc-ignorant.org & bl.spamcop.net).
smtpd_client_restrictions =
    warn_if_reject reject_rbl_client 1634435237.geobl.spameatingmonkey.net,
    permit_mynetworks,
    reject_unauth_pipelining,
    reject_rbl_client bl.spameatingmonkey.net,
    reject_rbl_client zen.spamhaus.org
I get maybe 1 or 2 false negatives, and an undetectable number of false positives.
I don't want to disable the spam filter, but I don't want to lose email in this way.
Can you help me with lighter settings?
Which value is responsible for this false positive?
In my experience the two HELO checks you are doing will generate a lot of false positives. I also found that spamcop generated an occasional false positive, and rarely caught anything that spamhaus missed.
There are no perfect solutions though. At the end of the day you will always have to balance the amount of spam coming through against the risk of false positives. You just have to decide your own personal preference as to how much of each you want to live with.
@Xan:
It's been my experience that the HELO checks work beautifully. And if an emailer sends a bad HELO, I'd be hard pressed to call that a false positive in any case.
You'd change your tune when emails from your wife's workplace weren't getting through;)
Or maybe not…
I agree that anyone who can't set their HELO greeting properly doesn't deserve to be running an email server, but I have had several cases where email I wanted to receive was rejected by HELO checks. That is how I define a false positive.
@sblantipodi:
I have disabled all the REJECT options in the MAIN.CF file
to make a try…
The emails continue to go into the spam folder…
How is this possible?
Please help.
Reject lines have nothing to do with a spam folder - they are two completely different things.
If you reject a message, it goes nowhere - the sender may get a reject notice, but you will receive nothing.
The spam folder is a result of your content filter. You haven't posted any details of its settings, but that is where you should look.
I'm using amavisd-new with spamassassin;
where do I need to look?
@sblantipodi:
I'm using amavisd-new with spamassassin,
Get rid of those. Set proper postfix checks as detailed here and elsewhere. Live with the few SPAM emails that still get through.
Then start again with those things if you MUST have them.
Good luck.
@kangaby:
@sblantipodi: I'm using amavisd-new with spamassassin,
Get rid of those. Set proper postfix checks as detailed here and elsewhere. Live with the few SPAM emails that still get through.
Then start again with those things if you MUST have them.
Good luck.
So your suggestion is to not use SpamAssassin with amavisd-new to check for spam?
Do you think that Postfix is enough to trash spam with the fewest false positives?
@Xan:
Spam filtering isn't going to be perfect.
If it were, then forum messages like "bump" and "please help" would be automatically rejected.
Oh wait, we were talking about email
You can't have it both ways. Well maybe you can, with an extreme amount of work, I don't know. If this is what you want, expect to do a serious amount of research on your own, that involves more than asking questions on a forum. I don't believe anyone here has a 5 minute answer to get this result. I know I don't.
In /etc/amavisd.conf I have removed the comment from this line:
@bypass_spam_checks_maps
It seems that false positives have been reduced a lot.
Can you tell me how it is possible that some mail continues to go to the spam folder even though I disabled it in this way?
Thanks.
@Xan:
Spam filtering isn't going to be perfect.
Ok Xan, but if I have disabled spam filtering (@bypass_spam_checks_maps) in amavisd.conf,
why do I get spam in the spam folder?
Who put the spam in that folder, then?
My configuration uses:
Postfix,
dovecot,
amavisd-new,
spamassassin
Unfortunately I have no idea how amavis works.
This is the email that my brother received from my server when he tried to send me an email on my server.
How can I disable the CBL abuseat?
554 5.7.1 Service unavailable; Client host [151.81.11.38] blocked using cbl.abuseat.org; Blocked - see
@hoopycat:
You can either tell your mail server to not check the cbl.abuseat.org DNSBL by removing any mention of it from your mail server config (usually /etc/postfix/main.cf), or he can read what that page says about 151.81.11.38 being hijacked and fix the problem.
In short, there's two problems here: you're enabling DNSBLs without understanding the implications, and your brother's computer has been taken over by criminals. That said, if I had to pick one or the other, I'd say your problem is easier to fix than his
:-)
It seems that the problem isn't mine and isn't my brother's, but is related to the SMTP server that my brother is using, since he got the same error also when sending email to gmail…
I had to use it to whitelist a Xerox scanner at a school that sends you what you scanned in your email. It somehow ended up on zen.spamhaus.org. It works beautifully.
Other than that, I will reiterate what others have said: SpamAssassin and RBLs are not going to be perfect. The only false positive I have ever had using SpamAssassin + SpamHaus is that Xerox scanner, which probably wasn't a "false" positive to begin with.
It sounds like you are also still learning quite a bit about how to properly configure a mail server and its spam scanners and RBLs. I would recommend perhaps gutting your server and installing Virtualmin from scratch (
In short, it will make your life easier.
I have just set up something similar.
In my main.cf I have:
check_sender_access hash:/etc/postfix/file
Your guide told us to put:
check_client_access hash:/etc/postfix/file
What is the difference between these two lines?
A sender is who sent the mail, for example user@example.com.
A client is what machine they sent it from, for example mail.example.com.
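To make that difference concrete, here is an added example (not from this thread and not Postfix code) that simulates which keys check_sender_access and check_client_access look up for the same connection, in the order described in Postfix's access(5). The two tables and every address in it are constructed; it also shows why whitelisting the Xerox scanner mentioned above by client is safer than whitelisting its sender domain.

```python
# Added example, not from the thread or from Postfix: which keys
# check_sender_access and check_client_access look up for one SMTP session,
# in the order described in access(5). Tables and addresses are constructed.
SENDER_ACCESS = {"mydom.ain": "OK"}  # trusts anyone who *claims* an @mydom.ain sender
CLIENT_ACCESS = {"192.0.2": "OK"}    # trusts only machines on the scanner's own network

def sender_keys(address):
    """Envelope-sender keys: full address, then the domain and each parent
    domain down to the top-level domain, then the local part with a bare '@'."""
    user, _, domain = address.partition("@")
    labels = domain.split(".")
    domains = [".".join(labels[i:]) for i in range(len(labels))]
    return [address] + domains + [user + "@"]

def client_keys(hostname, ip):
    """Client keys: hostname and its parent domains (none when reverse DNS
    failed and Postfix logged the client as 'unknown'), then the IP address
    followed by ever shorter network prefixes."""
    hosts = []
    if hostname != "unknown":
        labels = hostname.split(".")
        hosts = [".".join(labels[i:]) for i in range(len(labels))]
    octets = ip.split(".")
    nets = [".".join(octets[:n]) for n in range(len(octets), 0, -1)]
    return hosts + nets

def lookup(table, keys):
    """First key present in the table wins, as with a hash: map; no match is
    DUNNO, so Postfix moves on to the next restriction in the list."""
    for key in keys:
        if key in table:
            return key, table[key]
    return None, "DUNNO"

def decide(sender, hostname, ip):
    """What each access check would return for the same connection."""
    return {"sender": lookup(SENDER_ACCESS, sender_keys(sender))[1],
            "client": lookup(CLIENT_ACCESS, client_keys(hostname, ip))[1]}

if __name__ == "__main__":
    # The scanner passes both checks, but a forged @mydom.ain sender from an
    # unrelated host passes only the sender map: the envelope sender is chosen
    # by the remote side, the client address is not, so whitelist by client.
    print(decide("xerox@mydom.ain", "scanner.mydom.ain", "192.0.2.50"))
    print(decide("ceo@mydom.ain", "unknown", "198.51.100.7"))
```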
@Stever:
http://www.postfix.org/postconf.5.html
A sender is who sent the mail, for example user@example.com.
A client is what machine they sent it from, for example mail.example.com.
ok, thanks
@sblantipodi:
Ok Xan, but if I have disabled spam filtering (@bypass_spam_checks_maps) in amavisd.conf,
why do I get spam in the spam folder?
Who put the spam in that folder, then?
my configuration uses:
Postfix,
dovecot,
amavisd-new,
spamassassin
I requote this question since I got other spam in the spam folder…