KAM_FROM_URIBL_PCCC and spam block lvl 3

[WebGreg]

Hello

Some of legitimate mails are blocked by lvl3:

Mar 20 10:24:03 mx pmg-smtp-filter[180780]: 2132564182632B2EC7: SA score=7/5 time=0.999 bayes=undefined autolearn=no autolearn_force=no hits=ClamAVHeuristics(3),AWL(-8.905),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),HTML_MESSAGE(0.001),KAM_BODY_URIBL_PCCC(9),KAM_FROM_URIBL_PCCC(9),RCVD_IN_DNSWL_HI(-5),SPF_HELO_PASS(-0.001),SPF_PASS(-0.001),T_FILL_THIS_FORM_SHORT(0.01),URIBL_BLOCKED(0.001)
Mar 20 10:24:03 mx pmg-smtp-filter[180780]: 2132564182632B2EC7: block mail to <xxxxxxxxxxxxxx> (rule: Block Spam (Level 3))


Would someone be kind to explain to me what it is, why it trigger, and is there any way to fix it?

 

[Stoiko Ivanov]

KAM_BODY_URIBL_PCCC has a description in the cf file (when downloading updates, like most PMG instances these are in /var/lib/spamassassin/3.004006/kam_sa-channels_mcgrail_com/KAM.cf):

describe KAM_BODY_URIBL_PCCC Body contains URI listed in PCCC WILD RBL (https://raptor.pccc.com/RBL)

so one url in the mail is listed at pccc.com

additionally it seems that requests to uribl are blocked:

URIBL_BLOCKED(0.001)

Check out the getting started guide in the pmg wiki for a sensible setup:
https://pmg.proxmox.com/wiki/index.php/Getting_started_with_Proxmox_Mail_Gateway
including all of the linked pages such as:
https://pmg.proxmox.com/wiki/index.php/DNS_server_on_Proxmox_Mail_Gateway

I hope this helps!

 

[WebGreg]

Hi @Stoiko Ivanov

Thank you very much for your quick and clear answer.
I checked address on https://raptor.pccc.com/RBL and looks clear.

additionally it seems that requests to uribl are blocked:

Does it work like this if requests to uribl are blocked then high scores are automatically assigned?

From another log:
Mar 20 12:39:48 mx pmg-smtp-filter[184176]: 2132F641846020ED85: SA score=0/5 time=2.254 bayes=undefined autolearn=ham autolearn_force=no hits=AWL(0.009),DKIM_SIGNED(0.1 ),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),FUZZY_CREDIT(1.413),HTML_MESSAGE(0.001),MIME_HTML_ONLY(0.1),RCVD_IN_DNSWL_HI(-5),SPF_HELO_PASS(-0.001),SPF_PASS(-0.001),T_REMOTE_IMAGE(0.0 ),URIBL_BLOCKED(0.001)

But here the PCCC did not appear.

Sorry for my English. Thank you for the documentation links, but for the same reason I have a problem to quickly find the cause/solution in it.

 

[Stoiko Ivanov]

Does it work like this if requests to uribl are blocked then high scores are automatically assigned?

No - but you miss the results from uribl - which is a very good indicator for spam.

checked address on https://raptor.pccc.com/RBL and looks clear.

which address? - this list would be used against links _inside_ the mail body

 

[WebGreg]

So, as I thought, two separate problems - limit, and indexing on the list.

which address? - this list would be used against links _inside_ the mail body

The sender's mail server IP. The body of the message contained only the text "test".

Edit - found it. It's a bit inconvenient to find:
1. From "Tracking Center" I saw only: "Rejected for policy reasons (2132564182632B2EC7)" - maybe it's a good thing, because the sender also sees it, so why does he need the names of my rules.
2. Syslog I see more - policy name and hit ex. KAM_FROM_URIBL_PCCC
3. I saw the best stuff in the message header, but I had to change the block action to accept:
KAM_BODY_URIBL_PCCC 9 Body contains URI listed in PCCC WILD RBL (https://raptor.pccc.com/RBL) [domain listed]
At this level, I have everything you wrote about - that it checks the links in the body and most importantly - what entry is the problem.

 

[heutger]

However, I would follow up on that, KAM_BODY_URIBL_PCCC has many false positives on my side. Anyone else has this issues? I was required to adjust the score to 0.

 

[abzsol]

However, I would follow up on that, KAM_BODY_URIBL_PCCC has many false positives on my side. Anyone else has this issues? I was required to adjust the score to 0.

Hello, I've noticed the same, lots of domains of banks are inside it.
I think I've to add a custom score for it.

 

[creeble]

Wondering if this thread is monitored by former posters?

I'm having trouble with various KAM scores, and being new to Proxmox, I don't know if this post is still valid:

https://forum.proxmox.com/threads/spamassassin-kam-module-adjust-score.59768/

Or does adding a Custom rule score (which I note can't be done by someone with Administrator privileges, ugh) actually correctly override the KAM rules now in 8.0?

 

[heutger]

I opened a new thread here:

https://forum.proxmox.com/threads/h...uribl_pccc-as-of-many-false-positives.133059/

I tried the solution and it works. Need to be done by root account of the system (unsure about which Administrator you mentioned alternatively, this is Linux, here are only root (privileges)c Administrators are only on Windows).