Over the threshold, but not marked as spam (No allow rule cited)
  •  
MarkK

In the constant battle against spam, I review some of the Spam Assassin rule hits to see about modifying the local.cf file to better catch what we are receiving. This is the first time I have seen where a spam is over my threshold limit of 5, but is not marked as spam in the subject line. Mail headers are below.

I don't have logging turned on for the spam filter since it would end up being huge. Kind of wish I did so that I could see what happened with this email.

Any ideas why it wasn't marked???

==================
Return-Path: <broilinghqn8<_at_>rsi.com>
X-Envelope-To: markk<_at_>mydomain.com
X-Spam-Status: Yes, hits=5.1 required=5.0
tests=RDNS_NONE: 0.5,T_URIBL_BLACK_OVERLAP: 0.01,T_URIBL_SEM: 0.2,
T_URIBL_SEM_RED: 0.2,URIBL_BLACK: 2,URIBL_WS_SURBL: 2.2,
TOTAL_SCORE: 5.110,autolearn=no
Received: from [14.32.244.153] ([14.32.244.153])
by mail.mydomain.com
for markk<_at_>mydomain.com;
Mon, 11 Mar 2013 01:08:52 -0700
Received: from 14.32.244.153(helo=mydomain.com)
by mydomain.com with esmtpa (Exim 4.69)
(envelope-from )
id 1MM6VV-8500qo-CO
for <markk<_at_>mydomain.com>; Mon, 11 Mar 2013 17:08:52 +0900
From: <markk<_at_>mydomain.com>
To: <markk<_at_>mydomain.com>
Subject: Earn up to 257$ per day
Date: Mon, 11 Mar 2013 17:08:52 +0900
MIME-Version: 1.0
Content-Type: text/plain;
charset="windows-1250"
Content-Transfer-Encoding: 7bit
X-Mailer: zevrkgwr 69
Message-ID: <8963128531.YGPUL1TX359152<_at_>wqwlaydxyd.aycctg.org>
  •  
Pavel Dobry (Kerio)

Since the From: address is yours (i.e. from your domain) then probably a mail filter rule for spam (moving the message to the Junk E-mail) didn't match because it is set so - it ignores senders which are in your contacts.
You can either change the rule, or enable Caller-ID spam check (and, of course, publish your own Caller-ID record in your DNS).
  •  
MarkK

Isn't the Spam Assassin processing and the mail server's "reach tag score access limit" adding "**SPAM**" to the subject line all happening before any of my local rules in Outlook?
  •  
freakinvibe

Yes, the KC Spamassassin processing is done first, then client processing. But you could still have server-side rules that impact spam processing.

Your headers look a bit strange to me. For example I don't see any Bayes nor any AWL entry which I have in each mail (Ham or Spam). Can you elaborate what you have changed in the config, which additional spam rules you have created etc. These may be the root cause of the strange behaviour.

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
  •  
MarkK

In Spam Assassin, I have only edited the local.cf file and added entries to the end to increase the scores of the rules that I see being hit but score ridiculously low, such as 0.01 for being on multiple black lists.

My custom rules in KC
I have several rejects based on From, Subject, or Body Text, but those aren't being hit here.

I have a number of Allows based on From and the domain name, but there is NOT an allow based on mydomain.com. First thing I checked, even though when there is an allow rule for that, the spam check headers will list that the ALLOW rule was used. That isn't listed here.

I have two Allow rules that use the Received header and a substring search, but that is not found here either. Again, if it was, the ALLOW would have been noted in the headers.

My Outlook does not have any rules set up in it that would change SPAM handling. The only rule there is the default one to clear categories. But I have other emails that get marked as spam, so I don't understand why that would affect this email. And again, SPAM marking all happens before the email is delivered to the mailbox, and clearing a category would not remove characters "**SPAM** " from the subject line.

I was going to say the headers look normal to me, but taking a quick look at a marked spam, this email is missing the headers
X-Spam-Flag: YES
X-Spam-Level: *****

Hopefully this was just a fluke. I have gotten the email again, but this time from a different email address and different email server and it did not rate high enough to be marked.
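
A header triage check for the symptoms discussed in this thread, as an added example that is not part of any forum post and is not Kerio or SpamAssassin code. It assumes the `X-Spam-Status` layout shown in the posted headers and the `**SPAM**` subject tag mentioned above; the function name `triage`, the sample message and its `.example` domains are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers posted in this thread.
SAMPLE = """\
Return-Path: <sender@bulk.example>
X-Envelope-To: user@mydomain.example
X-Spam-Status: Yes, hits=5.1 required=5.0
\ttests=RDNS_NONE: 0.5,URIBL_BLACK: 2,URIBL_WS_SURBL: 2.2,
\tTOTAL_SCORE: 5.110,autolearn=no
From: <user@mydomain.example>
To: <user@mydomain.example>
Subject: Earn up to 257$ per day

body
"""

STATUS_RE = re.compile(r"^(Yes|No),\s*hits=([-\d.]+)\s+required=([-\d.]+)", re.I)
TEST_RE = re.compile(r"([A-Za-z0-9_.]+):\s*(-?\d+(?:\.\d+)?)")

def domain(addr):
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def triage(raw, subject_tag="**SPAM**"):
    """Return a list of inconsistencies between the score and the tagging."""
    msg = message_from_string(raw)
    status = " ".join((msg.get("X-Spam-Status") or "").split())  # unfold
    m = STATUS_RE.match(status)
    if not m:
        return ["no parsable X-Spam-Status header"]
    verdict, hits, required = m.group(1).lower(), float(m.group(2)), float(m.group(3))
    tests = {n: float(s) for n, s in TEST_RE.findall(status.partition("tests=")[2])}
    tests.pop("TOTAL_SCORE", None)
    findings = []
    if verdict == "yes" or hits >= required:
        if msg.get("X-Spam-Flag", "").strip().upper() != "YES":
            findings.append("over threshold but X-Spam-Flag missing")
        if subject_tag not in (msg.get("Subject") or ""):
            findings.append("over threshold but subject not tagged")
    if not any(n.startswith(("BAYES_", "AWL")) for n in tests):
        findings.append("no BAYES/AWL test in result")
    frm = domain(msg.get("From"))
    if frm and frm == domain(msg.get("X-Envelope-To")) != domain(msg.get("Return-Path")):
        findings.append("From uses recipient domain, Return-Path does not")
    return findings
```

Running `triage` over messages exported from a mailbox gives a list of the ones that scored over the threshold yet reached the inbox untagged, without having to leave the spam debug log on.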
  •  
MarkK

I have posted my Spam Assassin local.cf changes here before. I know that Kerio does not endorse making changes to that file, but that is the purpose of that file in Spam Assassin, configuring the system for the spam you are receiving locally.

My changes have worked pretty well for me. Each change gets researched to help make sure that it isn't set too high to interfere with good email. Happy to share my settings here if anyone is interested.
  •  
freakinvibe

Have you switched off Bayes? I am still puzzled that you have no Bayes and no AWL entry in your headers.

How big is the mail in question? SpamAssassin only processes mails up to a certain size (specified in mailserver.cfg)

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
  •  
MarkK

I have not switched off the Bayes filtering. The email size is not over the limit, which shows that it went through the Spam Assassin since the rule hits are listed.

I have another spam that shows as being from me to me and it is lacking the same Bayes and other spam filter headers. So apparently KC is not giving the email the full spam treatment if the From address is listed as being from my domain.

I'm looking at Caller ID option in KC, having it log to the Security log only. So far, it hasn't logged anything after a couple of days. Trying to change the settings for it.
  •  
clan

Are you sure that the headers are added by KC? I seem to remember cases from other mail servers where Spamassassin skipped scanning because the headers were already present. The debug log allows logging Spamassassin activity, maybe that sheds some light on this.
  •  
MarkK

The values listed on the cited rules are my custom values, values that I have put in the local.cf file. So I doubt they are forged headers, otherwise they are really, really good guesses at what I would have.

I have been hesitant to turn on the debug log for spam filtering since there is so much of it. I will turn it on now, since I got another 2 or 3 of these yesterday.
  •  
MarkK

So I still have forged spams that appear to be from me to me getting through. I have set up my DNS SPF record and it is out on the WWW DNS servers.

Spam log:
Message detected as spam with score: 5.40, threshold 5.00, From: countrywomenon870@ilchildcare.org, To: markk<_at_>mydomain.com, Sender IP: 186.144.108.200, Subject: Casino online for USA players, Message size: 787

Mail Headers:
Return-Path: <countrywomenon870<_at_>ilchildcare.org>
X-Envelope-To: markk<_at_>mydomain.com
X-Spam-Status: Yes, hits=5.4 required=5.0
tests=DNSBL_B.BARRACUDACENTRAL.ORG: 4.90,RDNS_NONE: 0.5,TOTAL_SCORE: 5.400,autolearn=no
Received: from Dynamic-IP-186144108200.cable.net.co ([186.144.108.200])
by mail.mydomain.com
for markk<_at_>mydomain.com;
Wed, 27 Mar 2013 15:10:18 -0700
Received: from 186.144.108.200(helo=mydomain.com)
by mydomain.com with esmtpa (Exim 4.69)
(envelope-from )
id 1MMW8L-5476ae-71
for <markk<_at_>mydomain.com>; Wed, 27 Mar 2013 17:10:17 -0500
From: <markk<_at_>mydomain.com>
To: <markk<_at_>mydomain.com>
Subject: Casino online for USA players
Date: Wed, 27 Mar 2013 17:10:17 -0500
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: rjrdrvljdt-97
Message-ID: <5285811638.HITK9REO097358<_at_>affbphowpbpbbbd.fnwpcohhwemq.su >


My spam marking threshold is 5.0, which this message exceeded but did not mark the subject line as ***spam***. Bayes is not turned off. SPF and CallerID are both turned on. I don't see any headers for any of those three.
  •  
MarkK

Still forged spams that are getting through the filter. I had another one, but this one didn't score high enough to be marked, BUT I had the spam processing debug turned on this time.

Spam Headers:
Return-Path: <reconnoiterede2<_at_>4dorganising.com>
X-Envelope-To: markk<_at_>mydomain.com
X-Spam-Status: No, hits=2.4 required=5.0
tests=AXB_HELO_HOME_UN: 0.018,FSL_HELO_DEVICE: 0.001,HELO_LH_HOME: 2.023,
T_URIBL_SEM: 0.2,T_URIBL_SEM_RED: 0.2,TOTAL_SCORE: 2.442,autolearn=no
X-Spam-Level: **
Received: from device.lan ([187.137.53.130])
by mail.mydomain.com
for markk<_at_>mydomain.com;
Fri, 29 Mar 2013 14:57:29 -0700
Received: from [129.82.137.64] (account reconnoiterede2<_at_>4dorganising.com HELO gnyruwt.xukcxislp.va)
by device.lan (CommuniGate Pro SMTP 5.2.3)
with ESMTPA id 864414254 for markk<_at_>mydomain.com; Fri, 29 Mar 2013 15:57:27 -0600
From: <markk<_at_>mydomain.com>
To: <markk<_at_>mydomain.com>
Subject: Casino for USA players
Date: Fri, 29 Mar 2013 15:57:27 -0600
MIME-Version: 1.0
Content-Type: text/plain;
charset="windows-1250"
Content-Transfer-Encoding: 7bit
X-Mailer: ldgfn 31
Message-ID: <8164979173.G9YJ08FK734064<_at_>hcsoyptbvjmpwg.jnetasbogtigmw.com >

Debug log from Spam Filter, SPF Record Lookup, and Spam Assassin processing:
[29/Mar/2013 14:57:30] [13992] {spam} Spam Filter: calculating spam rating for message 51560e49-00002b8b from <reconnoiterede2@4dorganising.com> to <markk<_at_>mydomain.com>...
[29/Mar/2013 14:57:30] [13992] {spam} SpamAssasin plug-in scanning of E:\Kerio\MailServer\store/queue/21/51560e49-00002b8b.eml failed: Send operation has failed
[29/Mar/2013 14:57:30] [13992] {spam} killServer() server is killed
[29/Mar/2013 14:57:30] [13992] {spam} ClientDispatcher::restart()server killed
[29/Mar/2013 14:57:30] [13992] {spam} forkServer() going tocreateserver process
[29/Mar/2013 14:57:30] [13992] {spam} forkServer() server processcreated, waiting for connection with server
[29/Mar/2013 14:57:30] [13992] {spam} forkServer() server is running, creating send and recv. thread
[29/Mar/2013 14:57:35] [13992] {spam} Quarantine checking has started.
[29/Mar/2013 14:57:40] [13992] {spam} Quarantine scanning E:\Kerio\MailServer\store/queue/21/51560e49-00002b8b.eml (5412) - verdict: OK
[29/Mar/2013 14:57:40] [13992] {spam} Quarantine checking has finished.
[29/Mar/2013 14:57:40] [13992] {spam} sendThread() is already stopped
[29/Mar/2013 14:57:40] [13992] {spam} SpamAssassin result string for message file E:\Kerio\MailServer\store/queue/21/51560e49-00002b8b.eml, intrinsic time 56762.17s, total time 9.95s: No, 2.442,5,AXB_HELO_HOME_UN: 0.018,FSL_HELO_DEVICE: 0.001,HELO_LH_HOME: 2.023,T_URIBL_SEM: 0.2,T_URIBL_SEM_RED: 0.2,autolearn=no
[29/Mar/2013 14:57:40] [13992] {spam} Spam Filter: SpamAssassin check finished, adding score 2.44
[29/Mar/2013 14:57:40] [13992] {spam} Spam Filter: Custom spam rules check finished, adding score 0.00
[29/Mar/2013 14:57:40] [13992] {spam} Spam Filter: Message5.16E+089-00002b8b from <reconnoiterede2@4dorganising.com> to <markk<_at_>mydomain.com> got 2.44 hits, total spam score is 2.442


What I don't understand is what caused the failure?
SpamAssasin plug-in scanning of {filename}.eml failed: Send operation has failed

Looking through the log, I see a few of these.

Any ideas?
  •  
Pavel Dobry (Kerio)

MarkK wrote on Wed, 27 March 2013 23:59
So I still have forged spams that appear to be from me to me getting through. I have set up my DNS SPF record and it is out on the WWW DNS servers.

My spam marking threshold is 5.0, which this message exceeded but did not mark the subject line as ***spam***. Bayes is not turned off. SPF and CallerID are both turned on. I don't see any headers for any of those three.


Caller-ID does not seem to be configured properly, otherwise the test result should be visible in the email headers.