Whitelist messages still SA score higher than 0 = makes statistics invalid

poetry

Hello,

Is it possible to configure the filter to set the SA score to 0 if the message is whitelisted? Right now the whitelisted messages still get an SA score higher than 0 even if they are whitelisted, and that messes up the statistics.

Thanks.
 
Could you share the logs of such a mail (should help us get a better picture) - thanks!
 
> Could you share the logs of such a mail (should help us get a better picture) - thanks!

Here is an example: if I search for SA score=9/5, we have one server whitelisted, and as you can see from the log, the message is sent from the server that is whitelisted:

Code:
Sep 13 08:02:48 server postfix/smtpd[346904]: connect from ptr[1.2.3.4]
Sep 13 08:02:49 server postfix/smtpd[346904]: Anonymous TLS connection established from ptr[1.2.3.4]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Sep 13 08:02:49 server postfix/smtpd[346904]: NOQUEUE: client=ptr[1.2.3.4]
Sep 13 08:02:49 server pmg-smtp-filter[347396]: 120FA7613EE98914932: new mail message-id=<8-9NIWhMQG2Gd6dvUycBlQ@geopod-ismtpd-1-0>#012
Sep 13 08:02:52 server pmg-smtp-filter[347396]: 120FA7613EE98914932: SA score=9/5 time=2.536 bayes=undefined autolearn=disabled hits=DKIMWL_WL_MED(-0.001),DKIM_SIGNED(0.1),DKIM_VALID(-0.5),DKIM_VALID_EF(-0.1),HEADER_FROM_DIFFERENT_DOMAINS(1),HTML_MESSAGE(0.001),KAM_DMARC_NONE(1),KAM_REALLYHUGEIMGSRC(0.5),KAM_SENDGRID(1.5),KAM_SHORT(1),SENDGRID_REDIR(0.957),SPF_HELO_NONE(0.001),SPF_SOFTFAIL(2.5),URIBL_GREY(1.084)
Sep 13 08:02:52 server postfix/smtpd[347306]: connect from localhost.localdomain[127.0.0.1]
Sep 13 08:02:52 server postfix/smtpd[347306]: 16D3812126A: client=localhost.localdomain[127.0.0.1], orig_client=ptr[1.2.3.4]
Sep 13 08:02:52 server postfix/cleanup[346969]: 16D3812126A: message-id=<8-9NIWhMQG2Gd6dvUycBlQ@geopod-ismtpd-1-0>
Sep 13 08:02:52 server postfix/qmgr[294738]: 16D3812126A: from=<sender@example.com>, size=158982, nrcpt=1 (queue active)
Sep 13 08:02:52 server postfix/smtpd[347306]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Sep 13 08:02:52 server pmg-smtp-filter[347396]: 120FA7613EE98914932: accept mail to <reciver@example.com> (16D3812126A) (rule: Whitelist)
Sep 13 08:02:52 server pmg-smtp-filter[347396]: 120FA7613EE98914932: processing time: 3.014 seconds (2.536, 0.428, 0)
Sep 13 08:02:52 server postfix/smtpd[346904]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (120FA7613EE98914932); from=<sender@example.com> to=<reciver@example.com> proto=ESMTP helo=<server.example.com>
Sep 13 08:02:52 server postfix/smtpd[346904]: disconnect from ptr[1.2.3.4] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Sep 13 08:02:52 server postfix/smtp[346379]: 16D3812126A: to=<reciver@example.com>, relay=192.168.1.2[192.168.1.2]:25, delay=0.04, delays=0.02/0/0.01/0.01, dsn=2.6.0, status=sent (250 2.6.0 Ok, message saved <Message-ID: <8-9NIWhMQG2Gd6dvUycBlQ@geopod-ismtpd-1-0>>)
Sep 13 08:02:52 server postfix/qmgr[294738]: 16D3812126A: removed

If I look at the log tracer I can see 11 records; 1 of those is whitelisted. The quarantine records are not counted in the statistics.
[Screenshot: 1631533949830.png]

If you look at the statistics for this day it counts 12 records but it should count only 11:
[Screenshot: 1631533827744.png]
 
If you configure the whitelist in the mail filter, try to make sure it is set to a higher priority than the Modify Spam Level rules.
It should remove the SA score.
 
> If you configure the whitelist in the mail filter, try to make sure it is set to a higher priority than the Modify Spam Level rules.
> It should remove the SA score.

Tested and completely the same. Also rebooted the server, but the SA score is still added to the message even when the priority of the rules is changed.
 
> Tested and completely the same. Also rebooted the server, but the SA score is still added to the message even when the priority of the rules is changed.

This is expected - if you have one 'Spam Level' what object in your rules, the mail is checked by SpamAssassin and has its score assigned.

This is also the information used for the statistics (as according to SpamAssassin the mail content looks like spam):
Sep 13 08:02:52 server pmg-smtp-filter[347396]: 120FA7613EE98914932: SA score=9/5 time=2.536 bayes=undefined autolearn=disabled hits=DKIMWL_WL_MED(-0.001),DKIM_SIGNED(0.1),DKIM_VALID(-0.5),DKIM_VALID_EF(-0.1),HEADER_FROM_DIFFERENT_DOMAINS(1),HTML_MESSAGE(0.001),KAM_DMARC_NONE(1),KAM_REALLYHUGEIMGSRC(0.5),KAM_SENDGRID(1.5),KAM_SHORT(1),SENDGRID_REDIR(0.957),SPF_HELO_NONE(0.001),SPF_SOFTFAIL(2.5),URIBL_GREY(1.084)
Sep 13 08:02:52 server postfix/smtpd[347306]: connect from localhost.localdomain[127.0.0.1]

Is DNS set up correctly? (The SPF_SOFTFAIL seems a bit odd - but maybe the sending domain needs to adapt its record.)

Else you could adapt the SpamAssassin configuration to provide a large negative score for mails coming from that particular domain.

I hope this helps!
 
Thanks @Stoiko Ivanov, it's all fine; we are just forwarding email for that domain to our servers, that is why the SPF fails. They have their own filter; we just host email for them and we use PMG to forward their email to our server.

I will also have to do the SpamAssassin configuration for AWL; because of this whitelist I had invalid AWL scores.
 
> Tested and completely the same. Also rebooted the server, but the SA score is still added to the message even when the priority of the rules is changed.

I tested it and the spam score is missing from the email source. But it still shows up in syslog.

[Screenshot: 1631581027638.png]

Code:
Return-path: <user1@gmail.com>
Received: from pmg.mydomain.com ([192.168.40.106])
    by mail.mydomain.com with ESMTP; Tue, 14 Sep 2021 09:27:03 +0800
Received: from pmg.mydomain.com (localhost.localdomain [127.0.0.1])
    by pmg.mydomain.com (Proxmox) with ESMTP id 8FC9D421A4
    for <user1@mydomain.com>; Tue, 14 Sep 2021 09:26:59 +0800 (+08)
Received-SPF: pass (gmail.com ... _spf.google.com: Sender is authorized to use 'user1@gmail.com' in 'mfrom' identity (mechanism 'include:_netblocks.google.com' matched)) receiver=pmg.mydomain.com; identity=mailfrom; envelope-from="user1@gmail.com"; helo=mail-ej1-f51.google.com; client-ip=209.85.218.51
Received: from mail-ej1-f51.google.com (mail-ej1-f51.google.com [209.85.218.51])
    by pmg.mydomain.com (Proxmox) with ESMTP
    for <user1@mydomain.com>; Tue, 14 Sep 2021 09:26:53 +0800 (+08)
Received: by mail-ej1-f51.google.com with SMTP id kt8so25051692ejb.13
        for <user1@mydomain.com>; Mon, 13 Sep 2021 18:26:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=mime-version:from:date:message-id:subject:to;
        bh=488NJMoVys2aUzfFY39jOVYInY0n3KKNUYfza9DI3zM=;
        b=eTAOSWsWrPMPcZOWNusP1HVs1bYssT4/+/hwURqktbck46SesBGoR9IA54UEf7U2t8
         pfwR+Acq9EKmwABYSt1R85iX8+EevvZfJqjXhTkkrBQ3LvkvjJadgbBkxhY0U6gsFWCJ
         UZBgLIozujhsN3F1jdxYzQof970o5hA1y/p2hR7LM/U2QGMyB+MVCX0YDUjxudqGRwW7
         AV3BsNHo8BgyUdnnb62vJ1UhS8Vs5z1Lbef7dn2G13LHiTwsmVo9832QcIcMW1Ke4pAi
         sVkuS1ajvIoKyjmn8LD0ekXibhwciTaiX5GR9htOT71kkcx7SQ9x5ScJb5RXGRDOxiiF
         kwuQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
        bh=488NJMoVys2aUzfFY39jOVYInY0n3KKNUYfza9DI3zM=;
        b=1r0YAMV8GfSfd+2sIuu/y5psNwBO3VkHwOLgRJViZem4r7jvtgy8AkfQmG23XyEwM6
         MBejU33kMvtazAYw0PDgkrvITsdCSfTwM8JjbdMAfKd4BHxNU0U816NFRLib/i3n2a9j
         UkzJoltIHYRQYEHixT2E2CKYeLaUPDOhecxpDDs9YxShclpBK9D50k0oUUalEF8L4d6J
         3tan0IJ4tMzOxSX4tS0atWqMjLY7++VFW6nLkWSAb7C5OInf8FLGeFKlDQjE1QoVxpSd
         4ivxN8ZcKSxFfq9vpfIazVQ6QXkr2oi9c83CKcUBzV85NKy20nZsY7roNxkHqB6jz6eg
         PDJA==
X-Gm-Message-State: AOAM531scl7+9dIb6qHbiDbVH8aEatynREObEpx6kroSv4YNx9rJUFP2
    PUuL2Hz970nfh2PFSVxJULbE50WeBODp8R7mem7fj2UWkuM=
X-Google-Smtp-Source: ABdhPJxgf9PtuyVi7hwWKi+zG7i5slVyO8XMo/1nx3YtRxL9PKwj0YLxtTet4TTup2CbudWNEDHH4UoSgCxN3NLiwwM=
X-Received: by 2002:a17:906:bce5:: with SMTP id op5mr4922804ejb.59.1631582811675;
 Mon, 13 Sep 2021 18:26:51 -0700 (PDT)
MIME-Version: 1.0
From: user1 <user1@gmail.com>
Date: Tue, 14 Sep 2021 09:26:39 +0800
Message-ID: <CAKETK8FAFJTrFiXHjwA8d_QT4F4vy8=te3rDhQsMOccnAcXAbg@mail.gmail.com>
Subject: testing
To: "user1" <user1@mydomain.com>
Content-Type: multipart/alternative; boundary="000000000000e95d6305cbea79a3"

--000000000000e95d6305cbea79a3
Content-Type: text/plain; charset="UTF-8"

Dear Friend,
I find your email address with EmailFerret (freeware) which have access to
Bigfoot, Exite, Four11, WhoWhere?, Yahoo etc. If you want to download this
program go to http://www.ferretsoft.com

Now read this letter carefully:

THIS WINDOW OF OPPORTUNITY WON'T STAY OPEN LONG!

********************************************************************

After many attempts of trying to make money on the internet I decided to
give
this one a try!

I have been through this program once already.  You have no idea how
profitable it is!  It is definitely the fastest thing available.  We are
talking about thousands of dollars in 2 weeks' time...send it to as many
people as you can (even though it says 20...trust me).
GOOD LUCK...you can't lose!!

Don't JUDGE TOO quickly,
this might be the answer to all of your problems!


click here

--000000000000e95d6305cbea79a3
Content-Type: text/html; charset="UTF-8"

<div dir="ltr">
<pre>Dear Friend,
I find your email address with EmailFerret (freeware) which have access to
Bigfoot, Exite, Four11, WhoWhere?, Yahoo etc. If you want to download this
program go to <a href="http://www.ferretsoft.com">http://www.ferretsoft.com</a>

Now read this letter carefully:   

THIS WINDOW OF OPPORTUNITY WON&#39;T STAY OPEN LONG!

********************************************************************

After many attempts of trying to make money on the internet I decided to
give
this one a try!

I have been through this program once already.  You have no idea how
profitable it is!  It is definitely the fastest thing available.  We are
talking about thousands of dollars in 2 weeks&#39; time...send it to as many
people as you can (even though it says 20...trust me).
GOOD LUCK...you can&#39;t lose!!

Don&#39;t JUDGE TOO quickly,
this might be the answer to all of your problems!
</pre>

<div><br></div><div>click here<br></div></div>

--000000000000e95d6305cbea79a3--
Code:
Sep 14 09:26:52 pmg postfix/smtpd[2975]: connect from mail-ej1-f51.google.com[209.85.218.51]
Sep 14 09:26:53 pmg postfix/smtpd[2975]: NOQUEUE: client=mail-ej1-f51.google.com[209.85.218.51]
Sep 14 09:26:53 pmg pmg-smtp-filter[3389]: 41E4E613FFA5D16088: new mail message-id=<CAKETK8FAFJTrFiXHjwA8d_QT4F4vy8=te3rDhQsMOccnAcXAbg@mail.gmail.com>#012
Sep 14 09:26:59 pmg pmg-smtp-filter[3389]: 41E4E613FFA5D16088: SA score=2/5 time=6.456 bayes=0.49 autolearn=no autolearn_force=no hits=AWL(-1.725),BAYES_50(0.8),CLICK_BAIT(1),DEAR_FRIEND(2.577),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),FREEMAIL_FROM(0.001),HTML_MESSAGE(0.001),RCVD_IN_DNSWL_NONE(-0.0001),RCVD_IN_MSPIKE_H3(-0.01),RCVD_IN_MSPIKE_WL(-0.01),SPF_PASS(-0.001),T_SPF_HELO_TEMPERROR(0.01)
Sep 14 09:26:59 pmg postfix/smtpd[2942]: connect from localhost.localdomain[127.0.0.1]
Sep 14 09:26:59 pmg postfix/smtpd[2942]: 8FC9D421A4: client=localhost.localdomain[127.0.0.1], orig_client=mail-ej1-f51.google.com[209.85.218.51]
Sep 14 09:26:59 pmg postfix/cleanup[2943]: 8FC9D421A4: message-id=<CAKETK8FAFJTrFiXHjwA8d_QT4F4vy8=te3rDhQsMOccnAcXAbg@mail.gmail.com>
Sep 14 09:26:59 pmg postfix/qmgr[1131]: 8FC9D421A4: from=<user1@gmail.com>, size=4859, nrcpt=1 (queue active)
Sep 14 09:26:59 pmg postfix/smtpd[2942]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Sep 14 09:26:59 pmg pmg-smtp-filter[3389]: 41E4E613FFA5D16088: accept mail to <user1@mydomain.com> (8FC9D421A4) (rule: Whitelist)
Sep 14 09:26:59 pmg pmg-smtp-filter[3389]: 41E4E613FFA5D16088: processing time: 6.506 seconds (6.456, 0.022, 0)
Sep 14 09:26:59 pmg postfix/smtpd[2975]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (41E4E613FFA5D16088); from=<user1@gmail.com> to=<user1@mydomain.com> proto=ESMTP helo=<mail-ej1-f51.google.com>
Sep 14 09:26:59 pmg postfix/smtpd[2975]: disconnect from mail-ej1-f51.google.com[209.85.218.51] ehlo=1 mail=1 rcpt=1 bdat=1 quit=1 commands=5
Sep 14 09:27:04 pmg postfix/smtp[2040]: 8FC9D421A4: to=<user1@mydomain.com>, relay=remote.mydomain.com[192.168.40.230]:25, delay=5.3, delays=0.01/0/5.3/0, dsn=2.0.0, status=sent (250 Ok)
Sep 14 09:27:04 pmg postfix/qmgr[1131]: 8FC9D421A4: removed
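
Added example (not part of the original thread and not Proxmox code): a Python script that correlates the `SA score=` and `(rule: ...)` lines of `pmg-smtp-filter` by message ID, so spam totals can be recomputed without the mail that a whitelist rule accepted. The third sample message, its `Block Spam (Level 10)` rule line, and counting `score >= threshold` as spam are assumptions made for illustration.

```python
import re

# Constructed sample in the log format shown in this thread (hits shortened).
# The third message and its "Block Spam (Level 10)" rule line are made up.
SAMPLE_LOG = """\
Sep 13 08:02:52 server pmg-smtp-filter[347396]: 120FA7613EE98914932: SA score=9/5 time=2.536 bayes=undefined autolearn=disabled hits=KAM_SENDGRID(1.5),SPF_SOFTFAIL(2.5)
Sep 13 08:02:52 server pmg-smtp-filter[347396]: 120FA7613EE98914932: accept mail to <reciver@example.com> (16D3812126A) (rule: Whitelist)
Sep 14 09:26:59 pmg pmg-smtp-filter[3389]: 41E4E613FFA5D16088: SA score=2/5 time=6.456 bayes=0.49 autolearn=no hits=AWL(-1.725),DEAR_FRIEND(2.577)
Sep 14 09:26:59 pmg pmg-smtp-filter[3389]: 41E4E613FFA5D16088: accept mail to <user1@mydomain.com> (8FC9D421A4) (rule: Whitelist)
Sep 14 10:00:01 pmg pmg-smtp-filter[3389]: AAAA0000BBBB1111CC: SA score=12/5 time=1.200 bayes=undefined autolearn=disabled hits=DEAR_FRIEND(2.577),URIBL_GREY(1.084)
Sep 14 10:00:01 pmg pmg-smtp-filter[3389]: AAAA0000BBBB1111CC: block mail to <user2@mydomain.com> (rule: Block Spam (Level 10))
"""

FILTER_RE = re.compile(r"pmg-smtp-filter\[\d+\]: (?P<id>[0-9A-F]+): (?P<msg>.*)$")
SCORE_RE = re.compile(r"SA score=(?P<score>-?\d+)/(?P<limit>\d+)")
RULE_RE = re.compile(r"\(rule: (?P<rule>.+)\)$")  # greedy: keeps "(Level 10)" in the name

def correlate(log_text):
    """Group filter lines by message ID: SA score, threshold and matched rules."""
    msgs = {}
    for line in log_text.splitlines():
        m = FILTER_RE.search(line)
        if not m:
            continue  # postfix and other daemons' lines carry no SA data
        entry = msgs.setdefault(m["id"], {"score": None, "limit": None, "rules": []})
        s = SCORE_RE.match(m["msg"])
        r = RULE_RE.search(m["msg"])
        if s:
            entry["score"], entry["limit"] = int(s["score"]), int(s["limit"])
        elif r:
            entry["rules"].append(r["rule"])
    return msgs

def scored_as_spam(entry):
    # Assumption: a mail counts as spam when its score reaches the logged threshold.
    return entry["score"] is not None and entry["score"] >= entry["limit"]

def spam_counts(msgs, whitelist_rule="Whitelist"):
    """Return (raw, adjusted): spam-scored mails, and the same minus whitelisted ones."""
    spam = [e for e in msgs.values() if scored_as_spam(e)]
    return len(spam), sum(whitelist_rule not in e["rules"] for e in spam)

def whitelisted_but_scored(msgs, whitelist_rule="Whitelist"):
    """IDs of mails a whitelist rule accepted although SA scored them as spam."""
    return [i for i, e in msgs.items() if scored_as_spam(e) and whitelist_rule in e["rules"]]

if __name__ == "__main__":
    parsed = correlate(SAMPLE_LOG)
    print("raw/adjusted spam count:", spam_counts(parsed))
    print("whitelisted but spam-scored:", whitelisted_but_scored(parsed))
```

The list returned by `whitelisted_but_scored` is also a quick review queue: each entry is a mail that bypassed filtering on trust alone while its content looked like spam.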
 
