Delete spam if score is above not working

m_a_s · January 6, 2026, 7:42pm

SYSTEM INFORMATION
OS type and version	Ubuntu 24.04.3
Webmin version	2.610
Virtualmin version	7.50.2 pro
Webserver version	Apache 2.4.58
Related packages	Postfix 3.8.6, Procmail 3.24, SpamAssasin 4.0.0

Recently I enabled the “Delete spam if score is above” option for two virtual domains. (under Mail Options / Spam and Virus Delivery)

Unfortunately spam that has scores that are above the threshold still make it into the spam folder.

For example, I set the threshold to 99 in order to remove items flagged as USER_IN_BLOCKLIST, which is set at 100 pts. But messages with 106 or higher are still showing up.

Any thoughts? Do I need to restart something? Set something? Or does this not actually delete the emails?

stefan1959 · January 6, 2026, 8:24pm

I didn’t even know that was available, I just set mine to 10 and I will let you know if its working on my system.

ID10T · January 6, 2026, 8:28pm

Been working for a couple years now on mine.

stefan1959 · January 6, 2026, 8:55pm

Working on mine as well, added a yahoo address I have in spamassin denied address and it scores 100 and it was deleted.

m_a_s · January 6, 2026, 10:42pm

Everyone, thanks for the updates.

I think, for the most part, that it is working since enabling the filter. Seemed fine for about a day. But this morning I had a spate of spam that hit some of the users, including me. Granted, many were coming from the same address (Jenny(at)GSD(dot)com, about 50 in my spam folder, alone) but there were others.

Then, about 2 hours after I posted, they seemed to have stopped. But that could be a coincidence. So, I will monitor and update.

m_a_s · January 7, 2026, 4:40am

After 5 hours, the occasional email is still getting delivered to the spam folder, despite scores of 113 (threshold still set at 99).

Can someone explain how this setting works? How is SpamAssasin sending it back to Virtualmin to see if it should be delivered or not?

Or does it even work this way? What really is the mechanism for taking a post SpamAssasin-scored message and deleting it?

What would be interesting is finding a way to get Postfix to filter emails that are in the blocklist.

shoulders · January 7, 2026, 9:57am

Here are some links that might be helpful

Spamassassin - Create mail filters per mailbox
Anti Spam Strictness - #6 by stefan1959
Cannot delete emails with spam at the server level, on at virtual server level · Issue #818 · virtualmin/virtualmin-gpl · GitHub
This should be fixed?
I think you can only spam filter on the domain level.

shoulders · January 7, 2026, 10:01am

I seem to remember that the point used for SpammAssassain in some places are 0-10, other 0-100, maybe this is an issue

m_a_s · January 8, 2026, 4:51am

Perhaps, but I don’t quite understand how the messages get deleted after Spamassasin scores them. I don’t think it’s SpamAssasin, itself. And the SpamAssasin output shows it’s own total.
Need to do more research, I suppose.

Regardless, as far as I know, there have not been any more spam messages that should have been blocked showing up in the past 20 or so hours.

shoulders · January 8, 2026, 11:30am

it is not spamassassain that deletes the email, it justs adds the spam score. It is procmail i believe that actually deletes the email based on the score if this feature is enabled.

m_a_s · January 8, 2026, 1:14pm

Okay. So procmail gives the email to Spamassasin. The message gets analyzed and scored, and then procmail somehow evaluates the Spamassasin header.

I know very little about procmail, and I it isn’t obvious to me what filter actually does the deleting.

However, I noticed something. I received an email in my spam folder that should have been filtered (score of 117.2 points). It was not in the /var/log/procmail.log while the other spam messages filtered (but put in the spam folder) were logged.

I almost wonder, are the email messages with high scores that got through not getting checked by procmail that second time after being sent to Spamassasin?

Edit: Well, I found that the filters are stored in separate files, one for each domain. The rule for filtering the spam is:

:0

^X-Spam-Level: ***************************************************************************************************
/dev/null

And the X-Spam-Status line in the header is:

X-Spam-Status: Yes, score=117.2 required=5.0 tests=BAYES_99,BAYES_999,

So, why did it not get filtered?

Edit 2: I think it’s quite bizarre how Procmail needs 99 “*” for a score of 99

urthllc · January 8, 2026, 7:24pm

I was getting these same emails and my system wouldn’t block them at first. I think maybe I forgot to Apply Changes after configuring the deny address field. I think there is a Save button and a Apply Changes. Apparently ole Jenny likes to target Virtualmin users

m_a_s · January 8, 2026, 11:31pm

I can see that they are, for the most part, being blocked—along with a lot of other items that are in the blocklist. It’s just that some do make it through.

Glad you got it sorted out on your end.

ADDISON74 · January 9, 2026, 8:19am

I’ve used this code for years to separate spam with procmail. File location is /etc/webmin/virtual-server/procmail/[your_server_number]

SPAM_SCORE="[0-9-]"
SPAM_VALUE=10

DROPPRIVS=yes
:0fw
| /usr/bin/spamassassin --siteconfigpath /etc/webmin/virtual-server/spam/[your_server_number]
SPAMMODE=1

:0
* $ ^X-Spam-Status: Yes, score=\/$SPAM_SCORE+
* $ ? /usr/bin/test $MATCH -ge $SPAM_VALUE
$HOME/Maildir/.Trash/

:0
* ^X-Spam-Status: Yes
$HOME/Maildir/.spam/
SPAMMODE=0

Based on the SPAM_VALUE, some emails are going to the spam folder as usual, others to the Trash. I created a cronjob to delete the Trash folder periodically. Just adjust the value to your needs.

In my tests this did not worked:

SPAM_LEVEL="\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*"

:0
* $ ^X-Spam-Level: $SPAM_LEVEL
$HOME/Maildir/.Trash/

ADDISON74 · January 9, 2026, 9:38am

Also you can add into your spamassassin configuration /etc/webmin/virtual-server/spam/[your_virtualserver_number]/virtualmin.cf the following

header   LR_RCVD_IN_UCEPROTECT_1 eval:check_rbl_txt('uceprotect1-lastexternal','dnsbl-1.uceprotect.net.')
describe LR_RCVD_IN_UCEPROTECT_1 Sender listed in UCEPROTECT Level 1
tflags   LR_RCVD_IN_UCEPROTECT_1 net
score    LR_RCVD_IN_UCEPROTECT_1 2.5

header   LR_RCVD_IN_UCEPROTECT_2 eval:check_rbl_txt('uceprotect2-lastexternal','dnsbl-2.uceprotect.net.')
describe LR_RCVD_IN_UCEPROTECT_2 Sender listed in UCEPROTECT Level 2
tflags   LR_RCVD_IN_UCEPROTECT_2 net
score    LR_RCVD_IN_UCEPROTECT_2 2.5

header   LR_RCVD_IN_UCEPROTECT_3 eval:check_rbl_txt('uceprotect3-lastexternal','dnsbl-3.uceprotect.net.')
describe LR_RCVD_IN_UCEPROTECT_3 Sender listed in UCEPROTECT Level 3
tflags   LR_RCVD_IN_UCEPROTECT_3 net
score    LR_RCVD_IN_UCEPROTECT_3 2.5

header   LR_RCVD_IN_SPAMRATS_ALL eval:check_rbl('spamrats-lastexternal','all.spamrats.com.')
describe LR_RCVD_IN_SPAMRATS_ALL Sender listed in SpamRATS!
tflags    LR_RCVD_IN_SPAMRATS_ALL net
score    LR_RCVD_IN_SPAMRATS_ALL 5

header   LR_RCVD_IN_SPF_BL eval:check_rbl('spfbl-lastexternal','dnsbl.spfbl.net')
describe LR_RCVD_IN_SPF_BL Sender listed in Spam Firewall Blacklist
tflags   LR_RCVD_IN_SPF_BL net
score    LR_RCVD_IN_SPF_BL 5

header   LR_RCVD_IN_GBUDB eval:check_rbl('gbudb', 'truncate.gbudb.net.', '127.0.0.2')
describe LR_RCVD_IN_GBUDB Sender listed in truncate.gbudb.net
tflags   LR_RCVD_IN_GBUDB net
score    LR_RCVD_IN_GBUDB 5

header   __LR_RCVD_IN_HOSTKARMA eval:check_rbl('HOSTKARMA-lastexternal','hostkarma.junkemailfilter.com.')
describe __LR_RCVD_IN_HOSTKARMA Sender listed in JunkEmailFilter
tflags   __LR_RCVD_IN_HOSTKARMA net

header   LR_RCVD_IN_HOSTKARMA_W eval:check_rbl_sub('HOSTKARMA-lastexternal', '127.0.0.1')
describe LR_RCVD_IN_HOSTKARMA_W Sender listed in HOSTKARMA-WHITE
tflags   LR_RCVD_IN_HOSTKARMA_W net
score    LR_RCVD_IN_HOSTKARMA_W -5

header   LR_RCVD_IN_HOSTKARMA_BL eval:check_rbl_sub('HOSTKARMA-lastexternal', '127.0.0.2')
describe LR_RCVD_IN_HOSTKARMA_BL Sender listed in HOSTKARMA-BLACK
tflags   LR_RCVD_IN_HOSTKARMA_BL net
score    LR_RCVD_IN_HOSTKARMA_BL 2.5

header   LR_RCVD_IN_HOSTKARMA_BR eval:check_rbl_sub('HOSTKARMA-lastexternal', '127.0.0.4')
describe LR_RCVD_IN_HOSTKARMA_BR Sender listed in HOSTKARMA-BROWN
tflags   LR_RCVD_IN_HOSTKARMA_BR net
score    LR_RCVD_IN_HOSTKARMA_BR 1.25

header   LR_RCVD_IN_SORBS_AGG eval:check_rbl('sorbs-lastexternal','dnsbl.sorbs.net.')
describe LR_RCVD_IN_SORBS_AGG Sender listed in SORBS Aggregated
tflags   LR_RCVD_IN_SORBS_AGG net
score    LR_RCVD_IN_SORBS_AGG 1.25

header   LR_RCVD_IN_SORBS_DUL eval:check_rbl('sorbs-lastexternal','dul.dnsbl.sorbs.net.')
describe LR_RCVD_IN_SORBS_DUL Sender listed in SORBS DUL
tflags   LR_RCVD_IN_SORBS_DUL net
score    LR_RCVD_IN_SORBS_DUL 1.5

header   LR_RCVD_IN_SORBS_SPAM eval:check_rbl('sorbs-lastexternal','spam.dnsbl.sorbs.net.')
describe LR_RCVD_IN_SORBS_SPAM Sender listed in SORBS Spam
tflags   LR_RCVD_IN_SORBS_SPAM net
score    LR_RCVD_IN_SORBS_SPAM 1.25

header   LR_RCVD_IN_SORBS_SPAM_NEW eval:check_rbl('sorbs-lastexternal','new.spam.dnsbl.sorbs.net.')
describe LR_RCVD_IN_SORBS_SPAM_NEW Sender listed in SORBS New Spam
tflags   LR_RCVD_IN_SORBS_SPAM_NEW net
score    LR_RCVD_IN_SORBS_SPAM_NEW 1

header   LR_RCVD_IN_SORBS_SPAM_RCNT eval:check_rbl('sorbs-lastexternal','recent.spam.dnsbl.sorbs.net.')
describe LR_RCVD_IN_SORBS_SPAM_RCNT Sender listed in SORBS Recent Spam
tflags   LR_RCVD_IN_SORBS_SPAM_RCNT net
score    LR_RCVD_IN_SORBS_SPAM_RCNT 1

header   LR_RCVD_IN_WPBL eval:check_rbl('wpbl-lastexternal','db.wpbl.info.','127.0.0.2')
describe LR_RCVD_IN_WPBL Sender listed in WPBL
tflags   LR_RCVD_IN_WPBL net
score    LR_RCVD_IN_WPBL 5

header   LR_RCVD_IN_DRONEBL eval:check_rbl('dronebl','dnsbl.dronebl.org.')
describe LR_RCVD_IN_DRONEBL Sender listed in DroneBL
tflags   LR_RCVD_IN_DRONEBL net
score    LR_RCVD_IN_DRONEBL 5

Then you can check with your email client (Roundcube) the spam folder content.

ADDISON74 · January 9, 2026, 9:50am

Based on this topic, I would like to suggest considering in Virtualmin the use of blacklist_from_rcvd in SpamAssassin configuration instead of (or in addition to) blacklist_from.

Currently, blacklist_from only checks the From: header in the email. While useful, this can be easily spoofed by spammers, allowing malicious emails to bypass the filter if the envelope (MAIL FROM) comes from a different source.

Using blacklist_from_rcvd provides additional security because it verifies both the envelope sender and the sending IP address. This significantly reduces the chance of spam bypassing the filter through header forgery and ensures more reliable blocking of unwanted senders.

Example:

# Less secure, checks only the From: header
blacklist_from spammer@example.com

# More secure, checks envelope and sending IP
blacklist_from_rcvd spammer@example.com

In my opinion, this approach maintains flexibility while improving protection against spoofed or forged emails.

m_a_s · January 9, 2026, 2:45pm

@ADDISON74 This is interesting. I may have to try your procmail script and /dev/null the ones above our threshold.

shoulders · January 9, 2026, 3:00pm

I also have every test turned on on postfix that validate the emails authenticity.

ADDISON74 · January 9, 2026, 3:26pm

Indeed hardening Postfix is crucial to not distribute spam. Using RBL lists in spamassassin (e.g. spamrats) is again a good solution.

However it must be done with caution so that important messages do not disappear. Postfix can be secured through tables so that certain addresses, including wildcard addresses, pass through. For example, you have an important partner and you do not have to delete his messages (you can move them with procmail to a specific folder if you want).

Webmin offers a solid administration/configuration base, but an advanced administrator should not limit himself to using the UI interface.

shoulders · January 9, 2026, 6:06pm

I have my postfix setup perfect.

see: My Virtualmin Notes | QuantumWarp
The postfix GUI in virtualmin is very buggy.

also

I use pfsense and it’s blocklists.