[SOLVED] SA Negative Score in logs

Dec 27, 2020
Is there a reason why SA scores are not shown lower than 0/zero or in decimals?

I would like to make adjustments, and it would be great if it showed the negative values so that I can determine the overall score without having to calculate the scores.

For example this log score is -6.772:

SA score=0/5 time=4.341 bayes=0.00 autolearn=ham autolearn_force=no hits=AWL(1.634),BAYES_00(-1.9),DCC_REPUT_13_19(-0.1),DKIM_SIGNED(0.1),DKIM_VALID(-1.5),DKIM_VALID_AU(-1),DKIM_VALID_EF(-1),FREEMAIL_FROM(0.001),HTML_MESSAGE(0.001),MIME_QP_LONG_LINE(0.001),RCVD_IN_DNSWL_LOW(-0.7),RCVD_IN_MSPIKE_H4(-2.3),RCVD_IN_MSPIKE_WL(0.001),SPF_HELO_NONE(0.001),SPF_PASS(-0.001),T_SCC_BODY_TEXT_LINE(-0.01)

MSPIKE is currently marking more emails as legit despite them being spam, and I am evaluating whether to drop the MSPIKE evaluations or not.

Here is an example; without MSPIKE it would have been quarantined:

SA score=2/5 time=2.704 bayes=0.00 autolearn=no autolearn_force=no hits=AWL(1.015),BAYES_00(-1.9),DCC_CHECK(1.1),DCC_REPUT_99_100(5),DKIM_SIGNED(0.1),DKIM_VALID(-1.5),DKIM_VALID_AU(-1),DKIM_VALID_EF(-1),HTML_MESSAGE(0.001),MIME_HTML_MOSTLY(0.1),MPART_ALT_DIFF(0.79),RCVD_IN_MSPIKE_H4(-2.3),RCVD_IN_MSPIKE_WL(0.001),SPF_HELO_NONE(0.001),SPF_PASS(-0.001),T_KAM_HTML_FONT_INVALID(0.01),T_SCC_BODY_TEXT_LINE(-0.01),URIBL_ABUSE_SURBL(2.2)
 
It's related to SpamAssassin. Also, why does it always show x/5?

MSPIKE has a whitelist for servers with good reputation, but if one of these servers gets hacked, or an account on this server, then you need other checks to verify the mail.
 
Thanks @BJ78945, after further review I noticed that RCVD_IN_MSPIKE_H4 seems to be marking spam emails as good, but this does not seem to happen with the H3 or H5 scores (no known false negatives so far); what you said could explain it being different servers that are affected.

This only affects, I think, ~5 emails daily; however, it's enough to annoy 1-2 people plus me, as DCC and SURBL define them as spam and MSPIKE reduced the score enough to pass.
 
H5, H4, ... are different levels of reputation. H5 is the best. Spam lowers the reputation to H4, then H3, ...

You could also use some META rules in the SpamAssassin custom.cf to give an extra score when the Mailspike whitelist AND some blacklist are hit together.

In general it is useful to block most on the MTA level. Whitelisted servers shouldn't be blocked on the MTA level. On the SpamAssassin level you don't need the whitelist anymore, or you can lower the score for the whitelist. Then spam detection would be much better. But make sure that you don't use the blacklists from the MTA level again. They already have no hits, because the mail passed the MTA level. SpamAssassin should concentrate on the message itself (URL blacklists, Bayes, DCC, etc.)
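A way to see what the META idea above would do to the two log lines posted at the top of the thread, as an added example (this is not code from the thread, from PMG or from SpamAssassin): it re-sums the hits= field so the real negative score is visible, shows the score with the two Mailspike rules removed, and applies a hypothetical META rule that adds points when a Mailspike-whitelisted sender also hits URIBL_ABUSE_SURBL or DCC_REPUT_99_100. The rule name LOCAL_MSPIKE_WL_BUT_LISTED, its expression and its 3.0 score are assumptions chosen for illustration; the two log lines are the ones from this thread, embedded as constructed input.

```python
"""Re-score the SpamAssassin 'hits=' field from PMG log lines and simulate a META rule.

Added example for this thread, not PMG or SpamAssassin code. Both log lines are the
ones posted above; the META rule name, its expression and its score are hypothetical.
"""
import re
from decimal import Decimal

# The two log lines posted in this thread (constructed input for the example).
LOG_HAM = ("SA score=0/5 time=4.341 bayes=0.00 autolearn=ham autolearn_force=no "
           "hits=AWL(1.634),BAYES_00(-1.9),DCC_REPUT_13_19(-0.1),DKIM_SIGNED(0.1),"
           "DKIM_VALID(-1.5),DKIM_VALID_AU(-1),DKIM_VALID_EF(-1),FREEMAIL_FROM(0.001),"
           "HTML_MESSAGE(0.001),MIME_QP_LONG_LINE(0.001),RCVD_IN_DNSWL_LOW(-0.7),"
           "RCVD_IN_MSPIKE_H4(-2.3),RCVD_IN_MSPIKE_WL(0.001),SPF_HELO_NONE(0.001),"
           "SPF_PASS(-0.001),T_SCC_BODY_TEXT_LINE(-0.01)")
LOG_SPAM = ("SA score=2/5 time=2.704 bayes=0.00 autolearn=no autolearn_force=no "
            "hits=AWL(1.015),BAYES_00(-1.9),DCC_CHECK(1.1),DCC_REPUT_99_100(5),"
            "DKIM_SIGNED(0.1),DKIM_VALID(-1.5),DKIM_VALID_AU(-1),DKIM_VALID_EF(-1),"
            "HTML_MESSAGE(0.001),MIME_HTML_MOSTLY(0.1),MPART_ALT_DIFF(0.79),"
            "RCVD_IN_MSPIKE_H4(-2.3),RCVD_IN_MSPIKE_WL(0.001),SPF_HELO_NONE(0.001),"
            "SPF_PASS(-0.001),T_KAM_HTML_FONT_INVALID(0.01),T_SCC_BODY_TEXT_LINE(-0.01),"
            "URIBL_ABUSE_SURBL(2.2)")

HIT_RE = re.compile(r"([A-Z][A-Z0-9_]*)\((-?[0-9.]+)\)")
MSPIKE_RULES = ("RCVD_IN_MSPIKE_H4", "RCVD_IN_MSPIKE_WL")

# Hypothetical rule, as it would be written in /etc/mail/spamassassin/custom.cf:
#   meta     LOCAL_MSPIKE_WL_BUT_LISTED  RCVD_IN_MSPIKE_WL && (URIBL_ABUSE_SURBL || DCC_REPUT_99_100)
#   describe LOCAL_MSPIKE_WL_BUT_LISTED  Mailspike-whitelisted sender also hit a blacklist
#   score    LOCAL_MSPIKE_WL_BUT_LISTED  3.0
META_NAME = "LOCAL_MSPIKE_WL_BUT_LISTED"
META_EXPR = "RCVD_IN_MSPIKE_WL && (URIBL_ABUSE_SURBL || DCC_REPUT_99_100)"
META_SCORE = Decimal("3.0")


def parse_hits(log_line):
    """Return {RULE_NAME: Decimal(score)} from the hits= field of a PMG/SA log line.
    Decimal keeps the sums exact, so -6.772 comes out as -6.772, not -6.77199..."""
    m = re.search(r"hits=(\S+)", log_line)
    return {name: Decimal(val) for name, val in HIT_RE.findall(m.group(1))} if m else {}


def total_score(hits, exclude=()):
    """Sum the per-rule scores, optionally leaving some rules out (e.g. Mailspike)."""
    return sum((s for r, s in hits.items() if r not in exclude), Decimal(0))


def meta_fires(expr, hits):
    """Evaluate a SpamAssassin-style meta expression (rule names, &&, ||, !, parentheses)
    against the rules that fired. Rule names are replaced by True/False first and the
    result must consist only of that vocabulary, so nothing from a log line is executed."""
    py = re.sub(r"[A-Z][A-Z0-9_]*", lambda m: str(m.group(0) in hits), expr)
    py = py.replace("&&", " and ").replace("||", " or ").replace("!", " not ")
    if not re.fullmatch(r"[\sTrueFalsandornot()]+", py):
        raise ValueError("unsupported meta expression: " + expr)
    return bool(eval(py))  # vocabulary restricted by the check above


def apply_meta(hits):
    """Return a copy of hits with the META rule added when its expression is true,
    mirroring how SA scores a meta rule: once, on top of the rules it references."""
    out = dict(hits)
    if meta_fires(META_EXPR, hits):
        out[META_NAME] = META_SCORE
    return out


def report(log_line):
    """Raw sum, sum with Mailspike removed, and sum with the META rule applied."""
    hits = parse_hits(log_line)
    return {
        "raw": total_score(hits),
        "without_mspike": total_score(hits, exclude=MSPIKE_RULES),
        "with_meta": total_score(apply_meta(hits)),
    }


if __name__ == "__main__":
    for label, line in (("ham", LOG_HAM), ("spam", LOG_SPAM)):
        print(label, {k: str(v) for k, v in report(line).items()})
```

Run it against your own `hits=` lines to decide whether dropping the Mailspike rules or adding a META rule moves the spam above the 5-point threshold without also pushing the legitimate mail over it. Note that AWL is adaptive, so the score a message would get on re-delivery differs slightly from the logged one, and that the real META rule is evaluated by SpamAssassin itself; test the custom.cf syntax with `spamassassin -D --lint` before relying on it.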
 
You could also use some META rules in the SpamAssassin custom.cf to give an extra score when the Mailspike whitelist AND some blacklist are hit together.
Thank you, I didn't think of creating a META rule to join a BL + WL together and create a new score.

In general it is useful to block most on the MTA level. Whitelisted servers shouldn't be blocked on the MTA level. On the SpamAssassin level you don't need the whitelist anymore, or you can lower the score for the whitelist. Then spam detection would be much better. But make sure that you don't use the blacklists from the MTA level again. They already have no hits, because the mail passed the MTA level. SpamAssassin should concentrate on the message itself (URL blacklists, Bayes, DCC, etc.)
Sorry, if you have time, can you please explain more, as I did not really understand the second part regarding "don't use BL..."; are you suggesting that I remove MSPIKE from the rules and use it only as a DNSBL?
 
You have 2 levels of scanning: first Postfix, second SpamAssassin. Postfix (MTA level) should block as much as possible. Sadly PMG offers very poor configuration for this. I will post a new tutorial tomorrow on how to create a template with better functions. I will link that. At the MTA level you can check HELO, reverse DNS, greylisting, DNS blocklists/blacklists and also whitelists. Every connection not passing RFC standards should be blocked. Then everything on a whitelist should be passed. At least everything on a DNSBL should be blocked. All this can be done on the MTA level and reduces spam enormously. In my case I would say >99%.

Next, the SpamAssassin level. Here you don't need to check things from the MTA level again, because they were already checked. Here you can check the content and also some other things which are not possible on the MTA level. One would be URIBL or Bayes, etc. Also the virus scan is a level 2 scan.

If you configure your system right, you can stop most spam. Only well-done spam or spear phishing from hacked accounts with good reputation is really difficult to block. Here I use my own blacklist where users can report a mail, which helps to protect other users. But without reporting there is no chance.

I have received mails a few times that were based on conversations with real persons, sent from their hacked account. These mails are really complicated to identify.
 
https://github.com/BJ48965156/pmg-adjustments

At the moment it's in German only. If you have questions then ask me.

I also want to share some more things, but at the moment I'm busy, so it will take a longer time until the next update.
Thank you - I will review this weekend and if I have any questions, will message.

Thank you for taking the time and effort to create such a guide - very much appreciated.
 
How do you make sure that the file v320.pre is not overwritten by pmgconfig sync?
 
Files in this directory are overwritten by pmgconfig sync?? Test / check, and then write.
 
According to the documentation:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html
4.10. Custom SpamAssassin configuration

To add your custom configuration, you need to create a new file called custom.cf (in /etc/mail/spamassassin/) and add your configuration there. Make sure you use the correct SpamAssassin rule syntax, and test it with:

# spamassassin -D --lint

Sorry, my mistake for having given the wrong information. That's why people should always refer to the documentation :)
 
https://github.com/BJ48965156/pmg-adjustments

At the moment it's in German only. If you have questions then ask me.

I also want to share some more things, but at the moment I'm busy, so it will take a longer time until the next update.

Thank you for the share; it helped me configure additional services.

One question is regarding the MTA - TL;DR, I didn't go into the Postfix deep dive as it was too long:

In your example:

Code:
[%- IF pmg.mail.rejectunknownsender %] reject_unknown_sender_domain[% END %]
        reject_rhsbl_sender         PRIVATEKEY.dbl.dq.spamhaus.net=127.0.1.[2..99]
        reject_rhsbl_helo           PRIVATEKEY.dbl.dq.spamhaus.net=127.0.1.[2..99]
        reject_rhsbl_reverse_client PRIVATEKEY.dbl.dq.spamhaus.net=127.0.1.[2..99]
        reject_rhsbl_sender         PRIVATEKEY.zrd.dq.spamhaus.net=127.0.2.[2..24]
        reject_rhsbl_helo           PRIVATEKEY.zrd.dq.spamhaus.net=127.0.2.[2..24]
        reject_rhsbl_reverse_client PRIVATEKEY.zrd.dq.spamhaus.net=127.0.2.[2..24]
        reject_rhsbl_client         PRIVATEKEY.dblack.mail.abusix.zone
        reject_rhsbl_helo           PRIVATEKEY.dblack.mail.abusix.zone
        reject_rhsbl_sender         PRIVATEKEY.dblack.mail.abusix.zone

Does the email go through the entire list sequentially and then get blocked by the first reject, or, if it hits a reject top-down (e.g. rhsbl_helo for dbl.spamhaus), does it stop there and not continue with any additional checks?

Because that's a lot of hits to Spamhaus for a single email if you include zen.spamhaus as well.
 