Email Oddities in Past Few Weeks (FYI)

OS: Rocky 8.7
Virtualmin Pro (latest)
Related Packages: Postfix, SpamAssassin, Procmail; possibly Dovecot

I began noticing a few email oddities a few weeks ago, one of which was the absolute elimination of spam. I also stopped getting certain routine mail, including payment notices from Stripe and deposit notices from my credit union. But I was getting other mail from Stripe and from the credit union.

Most legit mail from gmail users (including my mother and my godson) also disappeared.

I noticed these problems on accounts hosted on multiple servers, but was too busy to pay it much attention. A drop in spam doesn’t trigger the same response in me as an increase in spam would have.

When two users made similar complaints about missing mail this past weekend, I poked my nose into the config files and noticed a few oddities:

  • local.cf (server-wide) was corrupted. Manual rules in particular were mixed up, with the rules and descriptions no longer corresponding to each other.
  • auto_learn had disappeared. Not set to 0, just disappeared.
  • required_score had been changed to 5, which I always considered too aggressive. I use 6.5 with a lot of custom rules.
  • Procmail Mail Delivery had been reset to Throw Away.
  • All of the spam boxes, therefore, were empty.

I checked all the servers and found substantially-similar issues on all of them.

I’m not sure how this happened, but the timing suggests an update to one or more of the mail components may have had something to do with it. My guess would be Postfix or SpamAssassin, but I haven’t researched the update history.

I don’t think it had anything to do with Webmin or Virtualmin.

It may be worth poking your nose into the SpamAssassin configuration if you start experiencing weird mail complaints, particularly false positives or the spam boxes being empty.

I manually rewrote the files and reset the settings and rules to where I usually put them, and all is well. I also manually whitelisted legit gmail users. I have a hunch that SpamAssassin increased the points assigned to freemail addresses at some point, which created false positives with required_score at 5. (It hasn’t at 6.5, but I whitelisted the legit senders anyway).

All appears to be working properly now, so there’s no problem to solve. This is just an FYI.

That is all. Carry on.

Richard

By way of an update…

Part of the problem was my fault. I’d increased the score for SPF_NONE to 3, figuring that no legit mailer wouldn’t have SPF enabled. I was wrong. I was flabbergasted to learn how many well-known companies don’t have SPF. So I backed that off to 1 and set SPF_FAIL to 3.

I also added the .bio TLD to the rules for spammy TLDs, which has a score of 6. The high score is because I have yet to receive a legit mail from anyone with a domain on the list of spammy TLDs.

If you’re interested, here’s that rule:

header SPAMMY_TLD From =~ /@[a-z0-9\-\.]+\.(bid|bio|buzz|club|cyou|fit|fun|ga|gdn|icu|ooo|rest|sex|top|wiki|win|work|xyz)/i
describe SPAMMY_TLD From address uses a TLD popular with spammers
score SPAMMY_TLD 6.0

Those changes, with the overall spam threshold set to 6.5, and the rest of my custom rules unchanged, resulted in only two or three spams slipping through, hundreds being detected and banished to the Junk folder, and only one false positive (from a gmail user that I hadn’t yet whitelisted).

The next step will be tidying up the rules. Some of them are duplicative and can be combined into single, more-concise rules.

Richard
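As an added illustration (not code from the thread or from SpamAssassin itself), the following Python scorer replays the posted SPAMMY_TLD regex and the SPF_NONE/SPF_FAIL scores from the update against constructed From headers, and compares the totals with the two required_score values discussed (5 and 6.5). The anchored variant of the regex, the sample addresses and the SPF results are assumptions made for the demo; it also shows that the posted pattern, having no end anchor, matches a ".bio" label that is not the actual TLD.

```python
import re

# Rule as posted in the thread, plus the SPF scores from the update.
SPAMMY_TLD_RE = re.compile(
    r"@[a-z0-9\-\.]+\.(bid|bio|buzz|club|cyou|fit|fun|ga|gdn|icu|ooo|rest"
    r"|sex|top|wiki|win|work|xyz)", re.I)
# Assumed tighter variant (not from the thread): the listed TLD must be the
# last label, i.e. followed by '>', whitespace or the end of the header.
SPAMMY_TLD_ANCHORED_RE = re.compile(SPAMMY_TLD_RE.pattern + r"(?=>|\s|$)", re.I)

SCORES = {"SPAMMY_TLD": 6.0, "SPF_NONE": 1.0, "SPF_FAIL": 3.0}


def evaluate(headers, spf_result, tld_re=SPAMMY_TLD_RE, scores=SCORES):
    """Return (total_score, hit_rule_names) for one message.

    headers: dict of header name -> value; spf_result: 'pass', 'none' or 'fail'
    (the outcome SpamAssassin's SPF plugin would have produced).
    """
    hits = []
    if tld_re.search(headers.get("From", "")):
        hits.append("SPAMMY_TLD")
    if spf_result == "none":
        hits.append("SPF_NONE")
    elif spf_result == "fail":
        hits.append("SPF_FAIL")
    return sum(scores[h] for h in hits), hits


def is_spam(score, required_score):
    """SpamAssassin flags a message when its score reaches required_score."""
    return score >= required_score


if __name__ == "__main__":
    # Constructed sample messages, not real senders.
    samples = [
        ({"From": '"Deals" <promo@offers.bio>'}, "fail"),        # spammy TLD, SPF fail
        ({"From": "billing@example.com"}, "none"),               # legit sender, no SPF
        ({"From": "alerts@mail.bio.example.com"}, "pass"),       # '.bio' is a subdomain label
    ]
    for hdrs, spf in samples:
        score, hits = evaluate(hdrs, spf)
        anchored_score, _ = evaluate(hdrs, spf, SPAMMY_TLD_ANCHORED_RE)
        print(f"{hdrs['From']:40} score={score:<4} hits={hits} "
              f"spam@5={is_spam(score, 5)} spam@6.5={is_spam(score, 6.5)} "
              f"anchored_score={anchored_score}")
```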

Forwarded emails are also problematic with SPF. I still have my first ‘permanent’ email account on another machine but have it forward to me. I ran into trouble trying to do a hard fail on SPF.

I can see how that would be a problem depending on how the mail is forwarded.

I ran into that with a client who needs all mail from a certain sender forwarded to his employees’ phones as MMS. I had to add a few lines to the Procmail recipe to rewrite the From address to one on his own domain in order for it to get through.

Richard

This morning’s junk.

Two or three slipped through, but no false positives.

Richard
