How to check forwarded email for spam?

I would like to solve this long running issue. You can see previous posts on this topic below.

I have an old email address which I forward to my new email address, on the same Virtualmin-run mail server.

I get a LOT of spam in my new email inbox. They are all sent to my old email.

I believe they are not being checked for spam, or at least not checked against a blacklist, because they come through a forwarder. Most of the senders I check are on blacklists like Spamhaus.

I have set Postfix to check Spamhaus and a few others, but it does not seem to work unless it's emailed to my new email account directly.

I also set up a spamassassin local.cf file with rules to check spam databases, but that seems to be ignored also, as per one of the old threads I list below.

There are spamassassin header scores, so spamassassin must be doing something, but it's not checking these blacklists, and so the score is not high enough. It doesn't seem to use local.cf.

So perhaps the issue is Postfix not checking forwarded emails, and spamassassin not using local.cf on forwarded emails?

So how can I filter these forwarded emails for spam, seeing as they are on blacklists?

It is my opinion all email arriving into the server should be checked regardless of it being forwarded or not.

Also, the forwarder has been tried from the user settings in Virtualmin, and then by the user doing it within Usermin, so both don't work.

https://forum.virtualmin.com/t/forwarding-of-some-but-not-all-emails/45938/17

SYSTEM INFORMATION
OS type and version: CentOS Linux 6.10
Webmin version: 1.984
Virtualmin version: 6.17
Related packages: Postfix version 2.6.6, SpamAssassin version 3.3.1

Here is some specific info about the checks and an email.

I received spam from the domain corporate-route.site. This is on Spamhaus; see Network Tools: DNS,IP,Email

This is the Postfix check, which includes reject_rbl_client zen.spamhaus.org:
smtpd_recipient_restrictions = permit_mynetworks, permit_inet_interfaces, permit_sasl_authenticated, reject_unauth_pipelining, reject_unknown_recipient_domain, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, permit

This is the spamassassin local.cf, which scores 4 if on Spamhaus:

header		RCVD_IN_SBLSPAMHAUS		eval:check_rbl('sblspamhaus-lastexternal', 'sbl.spamhaus.org.')
describe	RCVD_IN_SBLSPAMHAUS		Relay is listed in sbl.spamhaus.org :(
tflags		RCVD_IN_SBLSPAMHAUS		net
score		RCVD_IN_SBLSPAMHAUS		4.0

header		RCVD_IN_ZENSPAMHAUS		eval:check_rbl('zenspamhaus-lastexternal', 'zen.spamhaus.org.')
describe	RCVD_IN_ZENSPAMHAUS		Relay is listed in zen.spamhaus.org :(
tflags		RCVD_IN_ZENSPAMHAUS		net
score		RCVD_IN_ZENSPAMHAUS		4.0

But it's in my inbox after being forwarded from my old email.

Here are the email spam headers; there is no mention of Spamhaus:

X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	mail.amitywebsolutions.co.uk
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,HTML_IMAGE_RATIO_02,HTML_MESSAGE,MAILING_LIST_MULTI,
	RAND_MKTG_HEADER,RCVD_IN_DNSWL_HI,T_SCC_BODY_TEXT_LINE,URIBL_ABUSE_SURBL
	autolearn=ham version=3.3.1
X-Spam-Report: 
	* -5.0 RCVD_IN_DNSWL_HI RBL: Sender listed at https://www.dnswl.org/, high
	*      trust
	*      [146.59.254.35 listed in list.dnswl.org]
	*  1.9 URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL
	*      blocklist
	*      [URIs: news-connekt.co]
	*  0.0 HTML_IMAGE_RATIO_02 BODY: HTML has a low ratio of text to image area
	*  0.0 HTML_MESSAGE BODY: HTML included in message
	* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
	*       domain
	* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
	*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
	*      valid
	*  1.5 RAND_MKTG_HEADER Has partially-randomized marketing/tracking
	*      header(s)
	* -0.0 T_SCC_BODY_TEXT_LINE T_SCC_BODY_TEXT_LINE
	* -1.0 MAILING_LIST_MULTI Multiple indicators imply a widely-seen list
	*      manager

There's no "RCVD_IN_ZENSPAMHAUS" in the spamassassin result, so it's not working.
The sender MX is also on dnswl, which is an allowlist; that's why you get -5 in the score.
You can reduce the RCVD_IN_DNSWL_HI score, but that includes many legit senders like gmail, outlook, etc… The specific IP is from OVH, but anyway, if you fix/add/adjust other SA filters you can even "work around" the dnswl allowlist.

Thanks for your reply. What does this mean, please:
"There's no "RCVD_IN_ZENSPAMHAUS" in the spamassassin result, so it's not working."

So if we get this working it should improve my spam filter.

It means that the filter in local.cf is not working… (if the IP is indeed listed on zen.spamhaus.org, that is…).
If it did work, you'd see it in the message headers along with the other filters listed in X-Spam-Report & X-Spam-Status.
Still, there are ways to improve your anti-spam. A suggestion: if you've got some time, try/read about postscreen. It is much lighter for the MX and saves you from using the SpamAssassin "beast" for each message.

Yes, it's not working; it was one of the other posts I made a couple of years ago. So I'm hoping we can find a way to get it working?


I use RBLs at the Postfix level, not spamassassin. For spamassassin you probably need something like this: GitHub - spamhaus/spamassassin-dqs: Spamhaus code for the Spamassassin plugin. See https://docs.spamhaustech.com/40-real-world-usage/SpamAssassin/000-intro.html

Looking again at the original post, it seems that the RBL is included in Postfix too, but not working there either…(?) Do you have any "ip listed in rbl…" messages in mail.log? If it was working, it would be blocked there, never reaching spamassassin… So check your Postfix settings first. Not sure about "permit_inet_interfaces"; I've never used it, it would allow anything, I think…
With an older setup I used:

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_unauth_pipelining, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, check_policy_service inet:127.0.0.1:10023, permit

The policy service on :10023 above is postgrey, a good way to save your MX from a few more spam too…
In general, play around with these rules… If Spamhaus works at the Postfix level, you don't need to use it in spamassassin too… just a waste of resources…

If Postfix isn't triggering on Spamhaus, I'd check the resolvers in use on the system.
Spamhaus and most other blacklists have rate limits in place, so if you use a public resolver like Google or Cloudflare, they will likely not work at all.

@toreskev Normally I see the rate-limit block messages in the headers, though, when I used to use a service that has rate limits. So wouldn't a Spamhaus rate-limit message also be added to the headers?

If I search my mail log files for spamhaus there is nothing. So wouldn't it log a rate-limit block somewhere?

@dimitrist Yes, that's an issue too… so spamassassin is not using local.cf on forwarding, and Postfix is also not using its checks on forwarding. They all work OK when mail arrives directly in an inbox but don't seem to work when it's forwarded to another mailbox.

No messages in the log reference “ip listed in rbl” or even “rbl”.

Since it’s just an outgoing DNS request, I don’t think it’s visible anywhere.
You will get a response from Spamhaus no matter what, but what they respond depends on whether you’ve reached the limits or not.

As for Postfix, it will show this in the logs:
postfix/postscreen[1416242]: NOQUEUE: reject: RCPT from [167.99.228.1]:56128: 450 4.7.1 Service unavailable; client [167.99.228.1] blocked using zen.spamhaus.org; from=

AFAIK it should trigger on forwards also, but I haven’t actually tested it. Might do that later though to confirm.

Edit: but which resolver do you use on the server?
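The replies above turn on how a DNSBL query actually behaves: Postfix's reject_rbl_client and SpamAssassin's check_rbl both reverse the client IP's octets, prepend them to the list zone, and read the A record that comes back, and Spamhaus answers differently when the query arrives through a public resolver or over the free-use limit. The following is an added example written for this thread; it is not code from Postfix, SpamAssassin or Spamhaus, and the answer table it runs against is constructed (the only real value in it is the 146.59.254.35 relay address from the headers posted above). The return-code meanings follow Spamhaus's and dnswl.org's published documentation; the resolver is injectable so the script runs offline, and system_resolver() can be swapped in to query the resolvers in /etc/resolv.conf.

```python
"""How a DNS blocklist/allowlist lookup works, as Postfix reject_rbl_client and
SpamAssassin check_rbl perform it: reverse the client IP's octets, prepend them
to the list zone, and interpret the A record that comes back.

Added example for this forum thread; not code from Postfix, SpamAssassin or
Spamhaus. The resolver is injectable so the example runs offline against a
constructed answer table; pass system_resolver to query real DNS."""
import ipaddress
import socket


def rbl_query_name(ip, zone):
    """Build the lookup name, e.g. 146.59.254.35 + zen.spamhaus.org
    -> 35.254.59.146.zen.spamhaus.org (a trailing dot on the zone is tolerated)."""
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone.rstrip('.')}"


def system_resolver(name):
    """Real lookup through the system resolver (/etc/resolv.conf).
    Returns the A record as a string, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def classify_zen(answer):
    """Interpret a zen.spamhaus.org answer. Per Spamhaus's published codes:
    127.0.0.2-3 and .9 are SBL listings, 127.0.0.4-7 XBL, 127.0.0.10-11 PBL.
    127.255.255.x answers are errors (open resolver, over the query limit),
    not listings; a naive "any A record means listed" check would treat them
    as a hit, and "no answer" would hide the same problem entirely."""
    if answer is None:
        return ("not-listed", None)
    octets = [int(o) for o in answer.split(".")]
    if octets[:3] == [127, 0, 0]:
        last = octets[3]
        if last in (2, 3, 9):
            return ("listed", "SBL")
        if 4 <= last <= 7:
            return ("listed", "XBL")
        if last in (10, 11):
            return ("listed", "PBL")
        return ("listed", f"unknown code {answer}")
    if octets[:3] == [127, 255, 255]:
        # .254 = query came via a public/open resolver, .255 = query limit exceeded
        return ("error", answer)
    return ("error", f"unexpected answer {answer}")


def classify_dnswl(answer):
    """Interpret a list.dnswl.org answer: 127.0.<category>.<trust>, with trust
    0=none, 1=low, 2=medium, 3=high (SpamAssassin's RCVD_IN_DNSWL_HI is 3)."""
    if answer is None:
        return None
    octets = [int(o) for o in answer.split(".")]
    if octets[:2] != [127, 0]:
        return None
    return {0: "none", 1: "low", 2: "medium", 3: "high"}.get(octets[3])


def check_client(ip, resolver):
    """Run the two lookups that appear in the thread's X-Spam-Report
    (zen.spamhaus.org and list.dnswl.org) and summarise the outcome."""
    zen = classify_zen(resolver(rbl_query_name(ip, "zen.spamhaus.org")))
    dnswl = classify_dnswl(resolver(rbl_query_name(ip, "list.dnswl.org")))
    return {"ip": ip, "zen": zen, "dnswl_trust": dnswl}


# Constructed answer table standing in for real DNS; these are not real listings.
FAKE_DNS = {
    # the relay from the thread's headers: allowlisted with high trust, no zen entry
    "35.254.59.146.list.dnswl.org": "127.0.5.3",
    # a constructed SBL-listed host
    "2.0.0.192.zen.spamhaus.org": "127.0.0.2",
    # a constructed lookup answered with the open-resolver error code
    "2.2.0.192.zen.spamhaus.org": "127.255.255.254",
}


def fake_resolver(name):
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    for ip in ("146.59.254.35", "192.0.0.2", "192.0.2.2"):
        print(check_client(ip, fake_resolver))
```

Run against the constructed table it reports the thread's relay as not listed on zen but high-trust on dnswl (which is exactly what the posted X-Spam-Report shows), a listed host as SBL, and the third address as an error rather than a hit; swapping fake_resolver for system_resolver shows what the server's own resolvers return for a given client address.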

Do you mean the servers used to look up hostnames? I think we use Google 8.8.8.8 and 8.8.4.4, but I can't confirm because I have another issue now… when I click Network Configuration it loads my CSF settings. But I am sure it's Google.

There are no messages about spamhaus in the logs though, so I assume it means it's not even being used, let alone getting a block or error.

Check /etc/resolv.conf, it should tell you.

If you are in fact using Google's resolvers you won't see those messages (and Postfix will only tell you if it in fact blocks a connection).
See also this and this for Spamhaus's reasoning.

Yes we are using Google:
nameserver 8.8.8.8
nameserver 8.8.4.4

Do you recommend any others?

Is it possible to disable the built-in dnswl check? Because I just checked another spam email, and it is on several spam lists, but dnswl is giving it a -4 score so it gets through. Although I do not know if the lists are important; see Network Tools: DNS,IP,Email

I have switched back to using my hosting provider's resolvers. My servers are with Linode.com. I don't know if they would also be blocked or not, but will try. I had some issues some years ago with them, hence switching to Google; I can't recall what it was though.

But a lot of the spam I receive is on the dnswl, so it seems a pointless check, in which case it would be good to disable it.

Well, unless you’ve disabled bind, why not use 127.0.0.1?

As for the domains listed in dnswl, I’ve never really experienced that so don’t know how to help there.

We have disabled BIND. We don't use the local server for nameservers.

I found a site where I can just override scores in local.cf, so I'll see if that works.
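The last post's plan is a local.cf score override, and the earlier reply noted that the -5.0 from RCVD_IN_DNSWL_HI is what drags the message under the 5.0 threshold. To see what an override would and would not achieve on the message posted in this thread, here is an added example (not SpamAssassin's code and not from the thread): it re-adds the per-rule scores SpamAssassin printed in the X-Spam-Report, applies `score` lines from a local.cf fragment, and can also add a rule that did not fire. The X-Spam-Report text is copied from the headers posted above; the local.cf fragment is constructed for the example and reuses the thread's 4.0 for RCVD_IN_ZENSPAMHAUS. It does not evaluate any rules itself, only the arithmetic.

```python
"""Re-total a SpamAssassin X-Spam-Report under local.cf score overrides, to
see what zeroing RCVD_IN_DNSWL_HI, or getting RCVD_IN_ZENSPAMHAUS to fire,
would do to the message posted in this thread.

Added example; not SpamAssassin code. It does not evaluate rules, it only
re-adds the per-rule scores SpamAssassin already reported."""
import re

# X-Spam-Report from the message posted earlier in the thread (copied as-is).
SPAM_REPORT = """\
    * -5.0 RCVD_IN_DNSWL_HI RBL: Sender listed at https://www.dnswl.org/, high
    *      trust
    *      [146.59.254.35 listed in list.dnswl.org]
    *  1.9 URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL
    *      blocklist
    *      [URIs: news-connekt.co]
    *  0.0 HTML_IMAGE_RATIO_02 BODY: HTML has a low ratio of text to image area
    *  0.0 HTML_MESSAGE BODY: HTML included in message
    * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
    *       domain
    * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
    *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
    *      valid
    *  1.5 RAND_MKTG_HEADER Has partially-randomized marketing/tracking
    *      header(s)
    * -0.0 T_SCC_BODY_TEXT_LINE T_SCC_BODY_TEXT_LINE
    * -1.0 MAILING_LIST_MULTI Multiple indicators imply a widely-seen list
    *      manager
"""

# Constructed local.cf fragment: neutralise the dnswl bonus and keep the
# thread's 4.0 for the zen rule (SpamAssassin's 'score RULE value' syntax).
LOCAL_CF = """\
score RCVD_IN_DNSWL_HI 0.0
score RCVD_IN_ZENSPAMHAUS 4.0
"""

# A report line that carries a score: "* <score> <RULE_NAME> ..."
RULE_LINE = re.compile(r"^\s*\*\s*(-?\d+\.\d+)\s+([A-Z0-9_]+)\b")


def parse_spam_report(report):
    """Map rule name -> score as SpamAssassin reported it; wrapped
    continuation lines (no leading score) are skipped."""
    hits = {}
    for line in report.splitlines():
        m = RULE_LINE.match(line)
        if m:
            hits[m.group(2)] = float(m.group(1))
    return hits


def parse_local_cf_scores(text):
    """Collect 'score RULE value' lines from a local.cf fragment."""
    overrides = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "score":
            overrides[parts[1]] = float(parts[2])
    return overrides


def rescore(hits, overrides, extra_hits=()):
    """Total the message again: each reported score, replaced by its override
    if one exists, plus any rules in extra_hits that did not fire in the
    report but are assumed to, counted at their override score."""
    total = sum(overrides.get(rule, score) for rule, score in hits.items())
    total += sum(overrides.get(rule, 0.0) for rule in extra_hits)
    return round(total, 1)


def verdict(score, required=5.0):
    """Apply the threshold shown as required=5.0 in the X-Spam-Status header."""
    return "spam" if score >= required else "ham"


if __name__ == "__main__":
    hits = parse_spam_report(SPAM_REPORT)
    overrides = parse_local_cf_scores(LOCAL_CF)
    for label, score in (
        ("as delivered", rescore(hits, {})),
        ("dnswl zeroed", rescore(hits, overrides)),
        ("dnswl zeroed + zen firing", rescore(hits, overrides, ("RCVD_IN_ZENSPAMHAUS",))),
    ):
        print(f"{label:28s} score={score:5.1f} -> {verdict(score)}")
```

On the thread's own numbers this reproduces the reported -2.7, rises only to 2.3 once RCVD_IN_DNSWL_HI is zeroed (still ham at required=5.0), and reaches 6.3 only if the RCVD_IN_ZENSPAMHAUS rule actually fires: the override alone does not tip this message, which is why getting the zen lookup working matters more than the dnswl score.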
