I get lots of spam with kopano

I do not think that the spam filter works for me, I get 100s of spam emails a day … it is bad.
It seems like spamd, amavis are running.
I have installed kopano-spamd with inotify-spamlearn but it does not seem to do anything.
I get an entry in the log indicating that it has learned this as spam, but the same email will get through next time.
INFO Processing [Inotify] /var/lib/kopano/spamd/spam/872A8024DACF4E43B30D9C300C23C033.eml: Learned tokens from 1 message(s) (1 message(s) examined)

How do I start debugging/testing it?
Any pointers would be greatly appreciated.

Hi @augustynr,

you should check the mail headers to see whether the message was processed by Amavis and what spam score it has gotten.

Hi,
I have sent the SpamAssassin test message and it ended up in junk, though if I look at the mail.log I see:

Apr 17 09:32:19 mail postfix/qmgr[2674]: 77960E19591: from=<testuser@gmail.com>, size=4542, nrcpt=1 (queue active)
Apr 17 09:32:19 mail amavis[50418]: (50418-03) Passed SPAM {RelayedTaggedInbound}, [209.85.167.44]:36600 [209.85.167.44] <testuser@gmail.com> -> <test@mydomain.com>, Queue-ID: B7F7AE12FB4, Message-ID: <CAGkGLBsC2dfuBijK=E5i_oKnpytCSrbh9E9=Jzru9feG58BCRw@mail.gmail.com>, mail_id: jHhbyNE71WCK, Hits: 1000.052, size: 3659, queued_as: 77960E19591, 3468 ms
Apr 17 09:32:19 mail postfix/smtp[77667]: B7F7AE12FB4: to=<test@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=3.8, delays=0.29/0/0.01/3.5, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 77960E19591)
Apr 17 09:32:19 mail postfix/qmgr[2674]: B7F7AE12FB4: removed

If I export that email to eml from webapp this is what I get:

Return-Path: <testuser@gmail.com>
Received: from mail.linqone.com (127.0.0.1:55928) by mail (kopano-dagent) 
 with LMTP; Fri, 17 Apr 2020 09:32:19 -0400
Received: from localhost (localhost [127.0.0.1])  by mail.linqone.com
 (Postfix) with ESMTP id 77960E19591 for <test@mydomain.com>; Fri, 17 Apr
 2020 09:32:19 -0400
Received: from mail.linqone.com ([127.0.0.1]) by localhost (mail.linqone.com
 [127.0.0.1])  (amavisd-new, port 10024)  with ESMTP id jHhbyNE71WCK for
 <test@mydomain.com>; Fri, 17 Apr 2020 09:32:16 -0400
Received: from mail-lf1-f44.google.com (mail-lf1-f44.google.com
 [209.85.167.44])  by mail.linqone.com (Postfix) with ESMTPS id B7F7AE12FB4
 for <test@mydomain.com>; Fri, 17 Apr 2020 09:32:15 -0400
Received: by mail-lf1-f44.google.com with SMTP id w145so1812521lff.3 for
 <test@mydomain.com>; Fri, 17 Apr 2020 06:32:16 -0700
Subject: Test spam mail (GTUBE)
From: "Robert Augustyn" <testuser@gmail.com>
To: "Robert Augustyn" <test@mydomain.com>
Date: Fri, 17 Apr 2020 13:32:02 +0000
Mime-Version: 1.0
Content-Type: multipart/alternative; 
 boundary="=_v0rCW6qPmFbdrgmJtyOLIJR0RZMpjFY9BY0lAoAHYlKvA+23"
Message-Id: <CAGkGLBsC2dfuBijK=E5i_oKnpytCSrbh9E9=Jzru9feG58BCRw@mail.gmail.com>

This is a multi-part message in MIME format. Your mail reader does not
understand MIME message format.
--=_v0rCW6qPmFbdrgmJtyOLIJR0RZMpjFY9BY0lAoAHYlKvA+23
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit


This is the GTUBE, the
        Generic
        Test for
        Unsolicited
        Bulk
        Email

If your spam filter supports it, the GTUBE provides a test by which you
can verify that the filter is installed correctly and is detecting incoming
spam. You can send yourself a test mail containing the following string of
characters (in upper case and with no white spaces and line breaks):

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

You should send this test mail from an account outside of your network.

--=_v0rCW6qPmFbdrgmJtyOLIJR0RZMpjFY9BY0lAoAHYlKvA+23
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><pre style=3D"color:rgb(0,0,0);white-space:pre-wrap">Thi=
s is the GTUBE, the
=09Generic
=09Test for
=09Unsolicited
=09Bulk
=09Email

If your spam filter supports it, the GTUBE provides a test by which you
can verify that the filter is installed correctly and is detecting incomi=
ng
spam. You can send yourself a test mail containing the following string o=
f
characters (in upper case and with no white spaces and line breaks):

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

You should send this test mail from an account outside of your network.
</pre><br class=3D"gmail-Apple-interchange-newline"></div>

--=_v0rCW6qPmFbdrgmJtyOLIJR0RZMpjFY9BY0lAoAHYlKvA+23--

So I do not see that the email is evaluated by SpamAssassin.

If you use code blocks the text would be easier to read. This forum uses Markdown for formatting; you can learn more about Markdown at https://commonmark.org/help/

But yes, your email is missing some headers. A mail delivered to my Univention testsystem has the following:

X-Virus-Scanned: by amavisd-new-2.10.1 (20141025) (Debian) at
	my-univention.com
X-Spam-Flag: NO
X-Spam-Score: -0.998
X-Spam-Level:
X-Spam-Status: No, score=-0.998 tagged_above=-1000 required=5
	tests=[ALL_TRUSTED=-1, HTML_MESSAGE=0.001, URIBL_BLOCKED=0.001]
	autolearn=disabled

Thank you,
So how do I go about resolving it?
How do I verify/reinitialize the postfix/amavis/SpamAssassin configuration?

Update: I have run `ucr set mail/antispam/requiredhits="5.0"` and a couple of config files got recreated.
I do get the following now:

X-Virus-Scanned: by amavisd-new-2.10.1 (20141025) (Debian) at mydomain.com
X-Spam-Flag: NO
X-Spam-Score: 4.38
X-Spam-Level: ****
X-Spam-Status: No, score=4.38 tagged_above=-1000 required=5
	tests=[DKIM_INVALID=0.1, DKIM_SIGNED=0.1, FROM_SUSPICIOUS_NTLD=0.5,
	FROM_SUSPICIOUS_NTLD_FP=0.396, HTML_FONT_LOW_CONTRAST=0.001,
	HTML_MESSAGE=0.001, LOTS_OF_MONEY=0.001, PDS_OTHER_BAD_TLD=1.999,
	RDNS_NONE=1.274, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,
	T_KAM_HTML_FONT_INVALID=0.01] autolearn=disabled

Though the spam seems to go through. Any pointers on improving it?

Your “required score” is set to 5.0, but the example you want to block only has a score of 4.38. You could lower your score.
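
The header check suggested in this thread, as an added example that is not part of the original posts: a small Python script that reads an exported `.eml`, reports whether Amavis added `X-Spam-Status` at all, and compares the score with the required threshold. The function name `analyze` and the sample message are constructed for illustration; the `X-Spam-*` values are the ones quoted above.

```python
import email
import re
from email import policy

# Constructed sample: the X-Spam-* headers quoted in the thread, attached to a
# minimal made-up message (sender address is a placeholder).
SAMPLE_EML = """\
From: sender@example.org
To: test@mydomain.com
Subject: constructed sample
X-Virus-Scanned: by amavisd-new-2.10.1 (20141025) (Debian) at mydomain.com
X-Spam-Flag: NO
X-Spam-Score: 4.38
X-Spam-Status: No, score=4.38 tagged_above=-1000 required=5
\ttests=[DKIM_INVALID=0.1, DKIM_SIGNED=0.1, FROM_SUSPICIOUS_NTLD=0.5,
\tFROM_SUSPICIOUS_NTLD_FP=0.396, HTML_FONT_LOW_CONTRAST=0.001,
\tHTML_MESSAGE=0.001, LOTS_OF_MONEY=0.001, PDS_OTHER_BAD_TLD=1.999,
\tRDNS_NONE=1.274, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,
\tT_KAM_HTML_FONT_INVALID=0.01] autolearn=disabled

body
"""

def analyze(raw_eml):
    """Report whether the message was tagged and how it was scored."""
    msg = email.message_from_string(raw_eml, policy=policy.compat32)
    status = msg.get("X-Spam-Status")
    if status is None:
        # Same symptom as the first export in the thread: no X-Spam-* headers.
        return {"tagged": False}
    status = " ".join(status.split())  # unfold continuation lines
    score = float(re.search(r"score=(-?[\d.]+)", status).group(1))
    required = float(re.search(r"required=(-?[\d.]+)", status).group(1))
    tests_match = re.search(r"tests=\[([^\]]*)\]", status)
    tests = {}
    for item in (tests_match.group(1) if tests_match else "").split(","):
        name, _, value = item.strip().partition("=")
        if name:
            tests[name] = float(value or 0)
    # Rules that contributed most, to see what drives the score.
    top = sorted(tests.items(), key=lambda kv: kv[1], reverse=True)[:3]
    return {"tagged": True, "score": score, "required": required,
            "is_spam": score >= required, "tests": tests, "top_rules": top}

if __name__ == "__main__":
    print(analyze(SAMPLE_EML))
```

A result of `{"tagged": False}` means the filter never stamped the message, which is a different problem from a message that was scored but stayed below the threshold.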
