Spam emails have SA score=0/5

leksand

Spam emails have SA score=0/5, autolearn=ham is also specified. How to make these emails get into spam? They definitely should not have a score of 0.

Jun 22 14:08:34 mail pmg-smtp-filter[10699]: C225B62B2F82EA7346: SA score=0/5 time=4.090 bayes=0.00 autolearn=ham autolearn_force=no hits=AWL(2.400),BAYES_00(-1.9),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),DNSBL_SPAMHAUS(2),KAM_INFOUSMEBIZ(0.75),KAM_MANYTO(0.2),KAM_SHORT(0.001),RCVD_IN_DNSWL_HI(-5),RCVD_IN_ZEN_BLOCKED_OPENDNS(0.001),SPF_HELO_PASS(-0.001),SPF_PASS(-0.001),T_SCC_BODY_TEXT_LINE(-0.01),URIBL_BLOCKED(0.001),URIBL_DBL_BLOCKED_OPENDNS(0.001),URIBL_ZEN_BLOCKED_OPENDNS(0.001)
Jun 22 14:08:34 mail postfix/smtpd[10627]: connect from localhost.localdomain[127.0.0.1]

Jun 22 14:04:43 mail pmg-smtp-filter[10631]: C225A62B2F7476B75A: SA score=0/5 time=4.006 bayes=0.00 autolearn=ham autolearn_force=no hits=AWL(0.311),BAYES_00(-1.9),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DNSBL_SORBS(2),DNSBL_SPAMHAUS(2),HEADER_FROM_DIFFERENT_DOMAINS(0.25),HTML_FONT_LOW_CONTRAST(0.001),HTML_IMAGE_RATIO_04(0.001),HTML_MESSAGE(0.001),KAM_SHORT(0.001),MAILING_LIST_MULTI(-1),MIME_HTML_ONLY(0.1),RCVD_IN_DNSWL_HI(-5),RCVD_IN_ZEN_BLOCKED_OPENDNS(0.001),SPF_HELO_NONE(0.001),SPF_PASS(-0.001),T_SCC_BODY_TEXT_LINE(-0.01),URIBL_BLOCKED(0.001),URIBL_DBL_BLOCKED_OPENDNS(0.001),URIBL_ZEN_BLOCKED_OPENDNS(0.001)
Jun 22 14:04:43 mail postfix/smtpd[10627]: connect from localhost.localdomain[127.0.0.1]
 
Provide the spam mail raw format.
These emails passed antispam and went to the user. I don't have access to the user's mailbox - I can collect all the data from PMG, there was no useful information in the mail server logs.

Jun 22 14:04:39 mail postfix/smtpd[10407]: connect from myyp20.news.ozon.ru[185.235.29.20]
Jun 22 14:04:39 mail postfix/smtpd[10407]: 4CBE0C2257: client=myyp20.news.ozon.ru[185.235.29.20]
Jun 22 14:04:39 mail postfix/cleanup[10545]: 4CBE0C2257: message-id=<20220622140437.0.20220622140437_pe_@3866964415210463096.ozon.pg>
Jun 22 14:04:39 mail postfix/qmgr[806]: 4CBE0C2257: from=<gluck-pg-3866964415210463096-ozon@mail.sendsay.ru>, size=190054, nrcpt=1 (queue active)
Jun 22 14:04:39 mail postfix/smtpd[10407]: disconnect from myyp20.news.ozon.ru[185.235.29.20] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Jun 22 14:04:39 mail pmg-smtp-filter[10631]: C225A62B2F7476B75A: new mail message-id=<20220622140437.0.20220622140437_pe_@3866964415210463096.ozon.pg>#012
Jun 22 14:04:43 mail pmg-smtp-filter[10631]: C225A62B2F7476B75A: SA score=0/5 time=4.006 bayes=0.00 autolearn=ham autolearn_force=no hits=AWL(0.311),BAYES_00(-1.9),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DNSBL_SORBS(2),DNSBL_SPAMHAUS(2),HEADER_FROM_DIFFERENT_DOMAINS(0.25),HTML_FONT_LOW_CONTRAST(0.001),HTML_IMAGE_RATIO_04(0.001),HTML_MESSAGE(0.001),KAM_SHORT(0.001),MAILING_LIST_MULTI(-1),MIME_HTML_ONLY(0.1),RCVD_IN_DNSWL_HI(-5),RCVD_IN_ZEN_BLOCKED_OPENDNS(0.001),SPF_HELO_NONE(0.001),SPF_PASS(-0.001),T_SCC_BODY_TEXT_LINE(-0.01),URIBL_BLOCKED(0.001),URIBL_DBL_BLOCKED_OPENDNS(0.001),URIBL_ZEN_BLOCKED_OPENDNS(0.001)
Jun 22 14:04:43 mail postfix/smtpd[10627]: connect from localhost.localdomain[127.0.0.1]
Jun 22 14:04:43 mail postfix/smtpd[10627]: B9510C225B: client=localhost.localdomain[127.0.0.1], orig_client=myyp20.news.ozon.ru[185.235.29.20]
Jun 22 14:04:43 mail postfix/cleanup[10411]: B9510C225B: message-id=<20220622140437.0.20220622140437_pe_@3866964415210463096.ozon.pg>
Jun 22 14:04:43 mail postfix/qmgr[806]: B9510C225B: from=<gluck-pg-3866964415210463096-ozon@mail.sendsay.ru>, size=192462, nrcpt=1 (queue active)
Jun 22 14:04:43 mail pmg-smtp-filter[10631]: C225A62B2F7476B75A: accept mail to <name@mydomain.com> (B9510C225B) (rule: default-accept)
Jun 22 14:04:43 mail postfix/smtpd[10627]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Jun 22 14:04:43 mail pmg-smtp-filter[10631]: C225A62B2F7476B75A: processing time: 4.367 seconds (4.006, 0.238, 0)
Jun 22 14:04:43 mail postfix/lmtp[10426]: 4CBE0C2257: to=<name@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=4.6, delays=0.18/0/0.01/4.4, dsn=2.5.0, status=sent (250 2.5.0 OK (C225A62B2F7476B75A))
Jun 22 14:04:43 mail postfix/qmgr[806]: 4CBE0C2257: removed
Jun 22 14:04:48 mail postfix/smtp[10601]: B9510C225B: to=<name@mydomain.com>, relay=my_ip[my_ip]:25, delay=4.9, delays=0.06/0.01/1.1/3.7, dsn=2.0.0, status=sent (250 44225528 message accepted for delivery)
Jun 22 14:04:48 mail postfix/qmgr[806]: B9510C225B: removed
 
Just looking at the SA score, the IP is listed in DNSWL, which is why it hit the -5 score, so it does make sense.

Code:
hits=AWL(0.311),BAYES_00(-1.9),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DNSBL_SORBS(2),DNSBL_SPAMHAUS(2),HEADER_FROM_DIFFERENT_DOMAINS(0.25),HTML_FONT_LOW_CONTRAST(0.001),HTML_IMAGE_RATIO_04(0.001),HTML_MESSAGE(0.001),KAM_SHORT(0.001),MAILING_LIST_MULTI(-1),MIME_HTML_ONLY(0.1),RCVD_IN_DNSWL_HI(-5),RCVD_IN_ZEN_BLOCKED_OPENDNS(0.001),SPF_HELO_NONE(0.001),SPF_PASS(-0.001),T_SCC_BODY_TEXT_LINE(-0.01),URIBL_BLOCKED(0.001),URIBL_DBL_BLOCKED_OPENDNS(0.001),URIBL_ZEN_BLOCKED_OPENDNS(0.001)


Either disable RCVD_IN_DNSWL_HI by setting a custom score of 0, or use mail filter rules to filter by mail header like from/to/subject.
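
As an added illustration (not part of the thread), this Python sketch parses the `hits=` field quoted in the post above, sums the rule scores, and recomputes the total with `RCVD_IN_DNSWL_HI` overridden to 0. It assumes every other logged score stays fixed, which is a simplification for the history-based AWL; the function names are made up for the example.

```python
import re

# hits= field copied verbatim from the pmg-smtp-filter log line in the thread
HITS = (
    "AWL(0.311),BAYES_00(-1.9),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),"
    "DKIM_VALID_AU(-0.1),DNSBL_SORBS(2),DNSBL_SPAMHAUS(2),"
    "HEADER_FROM_DIFFERENT_DOMAINS(0.25),HTML_FONT_LOW_CONTRAST(0.001),"
    "HTML_IMAGE_RATIO_04(0.001),HTML_MESSAGE(0.001),KAM_SHORT(0.001),"
    "MAILING_LIST_MULTI(-1),MIME_HTML_ONLY(0.1),RCVD_IN_DNSWL_HI(-5),"
    "RCVD_IN_ZEN_BLOCKED_OPENDNS(0.001),SPF_HELO_NONE(0.001),SPF_PASS(-0.001),"
    "T_SCC_BODY_TEXT_LINE(-0.01),URIBL_BLOCKED(0.001),"
    "URIBL_DBL_BLOCKED_OPENDNS(0.001),URIBL_ZEN_BLOCKED_OPENDNS(0.001)"
)

# RULE_NAME(score), where score may be negative and may have a fraction
HIT_RE = re.compile(r"([A-Z0-9_]+)\((-?\d+(?:\.\d+)?)\)")


def parse_hits(field):
    """Return {rule: score} from the value of a PMG 'hits=' field."""
    return {m.group(1): float(m.group(2)) for m in HIT_RE.finditer(field)}


def total(hits, overrides=None):
    """Sum the scores, replacing any rule listed in overrides (what-if)."""
    merged = dict(hits)
    for rule, score in (overrides or {}).items():
        if rule in merged:  # only rules that actually fired can change the sum
            merged[rule] = score
    return round(sum(merged.values()), 3)


def breakdown(hits, threshold=0.5):
    """Rules contributing at least `threshold` in magnitude, most negative first."""
    big = [(r, s) for r, s in hits.items() if abs(s) >= threshold]
    return sorted(big, key=lambda item: item[1])


if __name__ == "__main__":
    hits = parse_hits(HITS)
    for rule, score in breakdown(hits):
        print(f"{score:+7.3f}  {rule}")
    print("sum as logged:           ", total(hits))
    print("sum with DNSWL_HI at 0:  ", total(hits, {"RCVD_IN_DNSWL_HI": 0}))
```

For this message the logged hits sum to -3.341, and to 1.659 with the DNSWL rule zeroed, which is still below the 5 shown in `score=0/5`.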
 
Set the value to custom.cf DNSWL score = 0 or in another place?
Is it possible to specify a different value, for example, instead of 0 > -1. To reduce exactly the negative value?

Is it possible to write whitelists here that will reduce the score level as well as DNSWL? For example:
wl.mailspike.net
score.senderscore.com
ips.whitelisted.org
reputation-ip.rbl.scrolloutf1.com
 
Set custom scores under Spam Detectors.
You have to check with the respective DNSWL site on how to incorporate to postfix.
 
Is it possible to reset or adjust the values of AWL (Auto Whitelist) - some advertising mailings have a value of -2?
In my experience AWL does not help too much/causes more problems than it helps - I'd disable it completely (also explained in the linked wiki-page)

if you disable and re-enable it - your current entries will be deleted and you'll start fresh

I hope this helps!
 
As SpamAssassin already has a default score for mailspike, set custom scores.
Check /usr/share/spamassassin-extra/KAM.cf for the spamassassin rules.
I didn't find any mentions in the KAM.cf about mailspike.cf
It is there, but you need to add it to the custom rule? Is it possible to save so that the values from their database are used, and not fixed ones - there are from -5 to +5
 
Sorry, the SpamAssassin score is at /usr/share/spamassassin/20_mailspike.cf
 
