Anti-Spam Not Deleting Emails

drakakistours
Normal user
Posts: 49
Joined: 2017-10-22 08:23

Anti-Spam Not Deleting Emails

Post by drakakistours » 2018-02-01 13:05

Hi All

I have an issue where over the past week some spam with scores of 14+ have been getting through. They are still being marked as spam, just not being deleted.

Here are my settings

[code]2018-02-01 Hmailserver: 5.6.6-B2383
----------------------------------------------------------------------------------------------

ANTISPAM

GENERAL SPAM TESTS Score SPAMASSASSIN
Spam Mark: 5 Use SPF: True - 3 Use Spamassassin: True
Add X-HmailServer-Spam: True Check HELO host: True - 2 Hostname: localhost
Add X-HmailServer-Reason: True Check MX records: True - 2 Port: 783
Add X-HmailServer-Subject: True Verify DKIM: False Use SA score: False - 3
Subject Text: "[SPAM]"
Spam delete threshold: 8 Maximum message size: 0

DNSBL ENTRIES:
zen.spamhaus.org Score: 5 Result: 127.0.0.2-8|127.0.0.10-11
bl.spamcop.net Score: 5 Result: 127.0.0.2
b.barracudacentral.org Score: 5 Result: 127.0.0.2
cbl.abuseat.org Score: 5 Result: 127.0.0.2
dnsbl-1@uceprotect.net Score: 5 Result: 127.0.0.2
blacklist.woody.ch Score: 5 Result: 127.0.0.2
ubl.unsubscore.com Score: 5 Result: 127.0.0.2
dnsbl.sorbs.net Score: 5 Result: 127.0.0.2
rhsbl.sorbs.net Score: 3 Result: 127.0.0.2

SURBL ENTRIES:
multi.surbl.org Score: 9

GREYLISTING:
Greylisting: False

WHITELISTING
0.0.0.0 to 255.255.255.255 info[@t]livepay[dot]gr
0.0.0.0 to 255.255.255.255 *[@t]autounion[dot]gr
-----------------------------------------------------------------------------------------------

ANTIVIRUS

GENERAL:
When found - Delete email. Notify Sender: True, Notify Receiver: True

Max Message Size: 0
CLAM AV: True Hostname: localhost Port: 3310
CLAMWIN: False
CUSTOMAV: False

Block Attachments: False
-----------------------------------------------------------------------------------------------


[/code]
Generated by HMSSettingsDiagnostics v1.88, Hmailserver Forum.

Here is one of the emails:
Spam detection software, running on the system "drakakis-mail.drakakis.local", has identified this incoming email as possible spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see it@drakakistours.com for details.

Content preview: Greetings to you and your family. My name is Mr. Noble Abbott,
the director general with the bank, Africa Develop bank (ADB) Ouagadougou,
Burkina Faso, in West Africa. I am contacting you to seek our honesty and
sincere cooperation in confidential manner to transfer the sum of 20.5 (Twenty
million five hundred thousand Dollars) to your existing or new bank account.
[...]

Content analysis details: (16.2 points, 5.0 required)

 pts rule name                  description
---- -------------------------- --------------------------------------------------
 1.2 MISSING_HEADERS            Missing To: header
 0.0 DKIM_ADSP_CUSTOM_MED       No valid author signature, adsp_override is CUSTOM_MED
 0.0 FREEMAIL_FROM              Sender email is commonly abused enduser mail provider (abbttnb002[at]gmail.com)
 0.4 NO_RDNS_DOTCOM_HELO        Host HELO'd as a big ISP, but had no rDNS
 0.3 FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in digit (abbttnab20[at]gmail.com)
 0.9 URG_BIZ                    BODY: Contains urgent matter
 2.2 HK_SCAM_N2                 BODY: No description available.
 2.7 UNCLAIMED_MONEY            BODY: People just leave money laying around
-0.0 RCVD_IN_DNSWL_NONE         RBL: Sender listed at http://www.dnswl.org/, no trust [66.163.184.215 listed in list.dnswl.org]
 0.1 DKIM_SIGNED                Message has a DKIM or DK signature, not necessarily valid
-0.1 DKIM_VALID                 Message has at least one valid DKIM or DK signature
 0.0 LOTS_OF_MONEY              Huge... sums of money
 1.9 REPLYTO_WITHOUT_TO_CC      No description available.
 1.3 RDNS_NONE                  Delivered to internal network by a host with no rDNS
 1.0 FREEMAIL_REPLYTO           Reply-To/From or Reply-To/body contain different freemails
 1.2 NML_ADSP_CUSTOM_MED        ADSP custom_med hit, and not from a mailing list
 0.0 T_MONEY_PERCENT            X% of a lot of money for you
 0.4 MONEY_FRAUD_8              Lots of money and very many fraud phrases
 2.5 ADVANCE_FEE_5_NEW_MONEY    Advance Fee fraud and lots of money

Any ideas on what the issue may be?

Cheers
Jonathan

mattg
Moderator
Posts: 20231
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Anti-Spam Not Deleting Emails

Post by mattg » 2018-02-01 13:37

It is because you don't use SpamAssassin scores, and mark spam found by Spamassassin a score of 3

Try using the spamassassin score instead
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

jimimaseye
Moderator
Posts: 8157
Joined: 2011-09-08 17:48

Re: Anti-Spam Not Deleting Emails

Post by jimimaseye » 2018-02-01 13:57

drakakistours wrote:Hi All

I have an issue where over the past week some spam with scores of 14+ have been getting through. They are still being marked as spam, just not being deleted.

Here are my settings

[code]2018-02-01 Hmailserver: 5.6.6-B2383
----------------------------------------------------------------------------------------------

ANTISPAM

GENERAL SPAM TESTS Score SPAMASSASSIN
Spam Mark: 5 Use SPF: True - 3 Use Spamassassin: True
Add X-HmailServer-Spam: True Check HELO host: True - 2 Hostname: localhost
Add X-HmailServer-Reason: True Check MX records: True - 2 Port: 783
Add X-HmailServer-Subject: True Verify DKIM: False Use SA score: False - 3
Subject Text: "[SPAM]"
Spam delete threshold: 8 Maximum message size: 0

DNSBL ENTRIES:
zen.spamhaus.org Score: 5 Result: 127.0.0.2-8|127.0.0.10-11
bl.spamcop.net Score: 5 Result: 127.0.0.2
b.barracudacentral.org Score: 5 Result: 127.0.0.2
cbl.abuseat.org Score: 5 Result: 127.0.0.2
dnsbl-1@uceprotect.net Score: 5 Result: 127.0.0.2
blacklist.woody.ch Score: 5 Result: 127.0.0.2
ubl.unsubscore.com Score: 5 Result: 127.0.0.2
dnsbl.sorbs.net Score: 5 Result: 127.0.0.2
rhsbl.sorbs.net Score: 3 Result: 127.0.0.2

[/code]
Generated by HMSSettingsDiagnostics v1.88, Hmailserver Forum.


Any ideas on what the issue may be?

Cheers
Jonathan

You have taken the settings from my guide (viewtopic.php?f=21&t=28133). But in order for those settings to be effective you must complete the guide and ensure you have the RULES set as stated. (There is a rule to move or delete such emails).

2, Set a GLOBAL RULE:

Name: "ExternalScore7"
if:
X-Spam-Level (custom header) ...contains..... ******* <<-- 7 asterisks
action:
Move to IMAP Folder...... Trash (or whatever your normal trash folder is on your accounts (you may choose a dedicated 'Spam' folder instead). Alternatively you can simply 'DELETE EMAIL' but that never gives you chance to review.)

Note: I also have an additional IF clause as
OR
Subject REGULAR EXPRESSION (?i:^Virus found:.*$)

this works to also remove any emails being found to contain malware by the inbound Antivirus check.

HOWEVER.... if you have that rule in place be aware that there still can be occasional times where a SPAM record (by SA) does not get deemed as spam by HMS. From the guide:
It works like this: if spamassassin scores over 3 it will consider it spam and apply the score in the subject eg "[3.4]..". HMS will also see SA has called it spam and therefore will mark it spam (scoring it internally as '5') with an additional "[SPAM]" eg so subject now reads "[SPAM] [3.4]..." This helps you see the score and how definitive it is.

HMS will then apply its own further checks. If it finds any itself another (minimum of) 2 will be added internally (making 7). If it hits 8 with its tests it will simply be deleted without a trace.

If, however, HMS doesn't score it any more, and it's only SA that marked it and if SA scored it 7 or more it will simply be deleted/moved to Trash/Spam folder to give you chance to see it. (The above included screenshot is from the Trash folder and shows such cases).

If it was marked as Spam by SA but did not reach either SA 7 or HMS 8 it will remain in your mail just marked as spam ("[SPAM] [4.5] Subject....") and requiring review. I RARELY get this situation.
So if you have the rules then the emails will either be deleted or at least moved to your trash folder.
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

drakakistours
Normal user
Posts: 49
Joined: 2017-10-22 08:23

Re: Anti-Spam Not Deleting Emails

Post by drakakistours » 2018-02-05 11:57

Thanks guys, I must have missed that bit.

It's strange though that I'm not getting anywhere near the spam that we used to get, and the ones that are getting through seem to be very high scores. Is the hMail antispam deleting these, and the ones that it's not deleting were only identified as spam by SpamAssassin?

Will ticking the use scores from SpamAssassin stop using the hMail anti-spam, or will they run concurrently?

If not, then I should set up the additional rules, yes?

mattg
Moderator
Posts: 20231
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Anti-Spam Not Deleting Emails

Post by mattg » 2018-02-05 12:34

drakakistours wrote: Will ticking the use scores from SpamAssassin stop using the hMail anti-spam, or will they run concurrently?
Concurrent

Just instead of a standard score in hMailserver for a SpamAssassin rejection (3) it will use whatever Spamassassin comes up with.

My record high scoring spam is currently 184
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
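
Added example, not part of the thread and not hMailServer's own code: a small Python model of the scoring described in the replies above, run on the 16.2-point message from the first post with the posted settings and with "Use SA score" switched on. The plain summing and inclusive thresholds are assumptions, and `AntiSpam`, `hms_total`, `hms_action`, `x_spam_level` and `global_rule_hits` are hypothetical names.

```python
from dataclasses import dataclass


@dataclass
class AntiSpam:
    # Defaults are the values from the settings dump in the first post.
    spam_mark: float = 5          # "Spam Mark: 5"
    delete_threshold: float = 8   # "Spam delete threshold: 8"
    use_sa_score: bool = False    # "Use SA score: False - 3"
    sa_fixed_score: float = 3     # flat score used when use_sa_score is False
    sa_required: float = 5.0      # "5.0 required" in the SpamAssassin report


def hms_total(cfg, sa_score, hms_hits=()):
    """Score hMailServer compares with its thresholds (assumed: plain sum)."""
    sa_part = 0.0
    if sa_score >= cfg.sa_required:  # SpamAssassin called the message spam
        sa_part = sa_score if cfg.use_sa_score else cfg.sa_fixed_score
    return sa_part + sum(hms_hits)


def hms_action(cfg, sa_score, hms_hits=()):
    """What hMailServer does (assumed: thresholds are inclusive)."""
    total = hms_total(cfg, sa_score, hms_hits)
    if total >= cfg.delete_threshold:
        return "delete"
    if total >= cfg.spam_mark:
        return "mark"
    return "none"  # SpamAssassin's own report and headers are still on the mail


def x_spam_level(sa_score):
    """SpamAssassin writes one '*' per whole point of the score."""
    return "*" * max(0, int(sa_score))


def global_rule_hits(sa_score, stars=7):
    """The 'ExternalScore7' global rule: X-Spam-Level contains 7 asterisks."""
    return "*" * stars in x_spam_level(sa_score)


if __name__ == "__main__":
    posted, fixed = AntiSpam(), AntiSpam(use_sa_score=True)
    # The message from the first post: SpamAssassin 16.2, no hMailServer test hit.
    print("posted settings:", hms_total(posted, 16.2), hms_action(posted, 16.2))
    print("use SA score   :", hms_total(fixed, 16.2), hms_action(fixed, 16.2))
    # Same message if an hMailServer test worth 2 (e.g. the HELO check) also fires.
    print("posted + HELO  :", hms_action(posted, 16.2, [2]))
    print("global rule    :", global_rule_hits(16.2), global_rule_hits(4.5))
```
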

drakakistours
Normal user
Posts: 49
Joined: 2017-10-22 08:23

Re: Anti-Spam Not Deleting Emails

Post by drakakistours » 2018-02-05 12:39

184!!

Was it a Nigerian prince selling viagra by asking you to sign into your bank whilst letting you know you had missed a UPS delivery?

mattg
Moderator
Posts: 20231
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Anti-Spam Not Deleting Emails

Post by mattg » 2018-02-05 13:10

LOL

To be honest I don't know, I autobanned that IP, and bounced the message back to the sender.
I suspect to reach that high it had to have at least one known trojan in an attachment, and probably many dodgy URLs in the message...
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
