I keep getting spam

Spam arrives in mailboxes and is not identified and moved.
Not even if I log in with Usermin.
Only when I open Thunderbird does the spam move.

The final server installation was just a few days ago.
Maybe we just have to wait a few more days, but I’d like to check that everything is okay.

Are the two aliases spamtrap and hamtrap visible somewhere, or am I the one who should send the emails to spamtrap@domain?
Is the reason the spam isn’t filtered because I haven’t forwarded anything yet?

SYSTEM INFORMATION
OS type and version: Debian 12
Webmin version: 2.111
Virtualmin version: 7.10.0
Related packages: eMail

You need to look in the log to know what’s going on. SpamAssassin mostly works without any user involvement. It can be trained, but it includes a variety of rules by default.

Look in the journal for the postfix unit (journalctl -u postfix) to make sure mail is being passed to procmail-wrapper, and then check the procmail.log for whether it’s being processed through SpamAssassin.

Then look at the headers of a received mail to see what spam rating it has.

Checking the last message received last night:

In procmail.log:
Time:1714243132 From:noreplyhere@aol.com To:My-EMail User:My-EMail Size:1547 Dest:/home/VSERVER/homes/USER/Maildir/new/1714243132.35555_0.DOMAIN Mode:None
From aichildrens@kagrowth.org Sat Apr 27 21:28:53 2024
  Subject: Profit from children's books + AI
   Folder: /home/VSERVER/homes/USER/Maildir/new/1714246134.45402_ 2916

In Postfix I didn’t find a reference to this email, and all the log entries look like this:

Apr 27 18:39:21 DOMAIN systemd[1]: Starting postfix.service - Postfix Mail Transport Agent...
Apr 27 18:39:21 DOMAIN systemd[1]: Finished postfix.service - Postfix Mail Transport Agent.
Apr 27 21:55:32 DOMAIN systemd[1]: postfix.service: Deactivated successfully.
Apr 27 21:55:32 DOMAIN systemd[1]: Stopped postfix.service - Postfix Mail Transport Agent.

In the email header:

Return-Path: <aichildrens@kagrowth.org>
X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on
	DOMAIN
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=5.0 tests=HTML_MESSAGE,MIME_HTML_ONLY,
	NO_RELAYS,URIBL_BLOCKED,URIBL_DBL_BLOCKED_OPENDNS autolearn=no
	autolearn_force=no version=4.0.0

Spammers are at war with SA and vice versa. Note that email scored 0.1 of a required 5.0 to be considered spam.

The header shows SA is running and a spammer was able to sneak this one through.
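As an added example (not code from the thread or from Virtualmin), here is a small POSIX shell script that unfolds a message's headers the way a mail client does and pulls the score, the threshold and the rule names out of X-Spam-Status, the line discussed above. The SAMPLE_HEADERS block is constructed to mirror the header quoted in the thread, with placeholder addresses and host names. It also checks for URIBL_BLOCKED explicitly, because that rule name means the URI blocklist lookups were refused, so those rules contributed nothing to the score.

```shell
#!/bin/sh
# Added example, not code from the thread or from Virtualmin: read the
# SpamAssassin verdict out of a message's headers and flag URIBL_BLOCKED.
# SAMPLE_HEADERS is constructed to mirror the header block quoted in the
# thread; the addresses and host names are placeholders.

SAMPLE_HEADERS='Return-Path: <sender@example.invalid>
X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on
	mail.example.invalid
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=5.0 tests=HTML_MESSAGE,MIME_HTML_ONLY,
	NO_RELAYS,URIBL_BLOCKED,URIBL_DBL_BLOCKED_OPENDNS autolearn=no
	autolearn_force=no version=4.0.0
Subject: constructed sample'

# Unfold RFC 5322 continuation lines (a line starting with whitespace
# continues the previous header field), then keep only X-Spam-Status.
sa_status_line() {
    printf '%s\n' "$1" | awk '
        /^[ \t]/ { sub(/^[ \t]+/, ""); cur = cur " " $0; next }
        { if (cur != "") print cur; cur = $0 }
        END { if (cur != "") print cur }
    ' | grep -i '^X-Spam-Status:'
}

# Value of one key=value pair (score, required, version, ...) on that line.
sa_field() {
    sa_status_line "$1" | sed -n "s/.* $2=\([^ ]*\).*/\1/p"
}

# Comma-separated rule names that fired. SpamAssassin folds the list with
# ",\n\t", so the unfolded line still carries spaces that must be dropped.
sa_tests() {
    sa_status_line "$1" | sed -n 's/.* tests=\(.*\) autolearn=.*/\1/p' | tr -d ' '
}

# "spam" if the score reached the threshold, else "ham"; decided from the
# numbers rather than the leading Yes/No so the two can be cross-checked.
sa_verdict() {
    awk -v s="$(sa_field "$1" score)" -v r="$(sa_field "$1" required)" \
        'BEGIN { v = (s + 0 >= r + 0) ? "spam" : "ham"; print v }'
}

# URIBL_BLOCKED means the URI blocklist queries were refused by the list
# operator, so the URIBL rules added nothing to the score.
sa_uribl_blocked() {
    case ",$(sa_tests "$1")," in
        *,URIBL_BLOCKED,*) echo yes ;;
        *) echo no ;;
    esac
}

printf 'score=%s required=%s verdict=%s uribl_blocked=%s\n' \
    "$(sa_field "$SAMPLE_HEADERS" score)" \
    "$(sa_field "$SAMPLE_HEADERS" required)" \
    "$(sa_verdict "$SAMPLE_HEADERS")" \
    "$(sa_uribl_blocked "$SAMPLE_HEADERS")"
```

On a real mailbox, feed the functions the raw headers of one message from the Maildir instead of SAMPLE_HEADERS; a "yes" from sa_uribl_blocked on every message is the sign that the resolver the server uses is refused by the blocklists.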

Is this not saying that the blocklist is not available because of OpenDNS?

I don’t remember if this is a default, but if it is not, adding this to the header makes using the filter easier. Spam chasing is an ongoing challenge. The Status and Report lines give you the filters that have been tripped for that specific email.

In the caught spam below you can see I have changed the weight of a lot of filters. I add specific header and body checks for lots of spam that keeps getting through repeatedly enough to bother.


I don’t understand who is blocking OpenDNS, my server? How?
I also don’t understand if SpamAssassin already filters spam now or if instead I have to forward the emails to spamtrap@domain first.

Just a guess, but I mentioned it because it said it in the output you posted. I am not a Linux expert; there are some others on here who are. I have not got to setting up my spam filters yet :smile:

I think you’re looking at some early logs, maybe from when you were first installing and tinkering with stuff? That’s not an active Postfix server, and you would see log entries if you’re receiving mail. Unless you’ve switched to some other MTA, Postfix has to be receiving the mail if it’s coming into your mailbox.

Mail delivery looks like this in the journal for postfix:

Apr 27 00:51:06 n1.virtualmin.com postfix/local[3059309]: 537BB380025: to=<joe@n1.virtualmin.com>, orig_to=<joe@virtualmin.com>, relay=local, delay=4.4, delays=0.12/0.01/0/4.3, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)

The post is from April 28th, the log I showed shows the 27th. The log is not old.
Even running now journalctl -u postfix I still see blocks of those 4 lines.
Yet last night I received a new spam email.

Since yesterday a second mail server has been active, but even on this one the journalctl -u postfix command only shows those 4-line blocks.

None of us have changed the Postfix configuration or replaced it with something else.
It is the standard virtualmin configuration, installed with the official script.
For all the (few) changes made, the official documentation and the answers to my questions on this forum were used.

Should we start worrying?

Don’t make guesses; this can send a thread off in the totally wrong direction. But for reference:

It's referring to the DNS server you're using not being allowed to do an RBL request to the RBL servers.

Most RBL servers use a "free for some" method, where as long as a given DNS server isn't doing too many requests, it's allowed. But a DNS server that is too busy (e.g. 8.8.8.8 is very busy) will be blocked from doing RBL queries, since it no longer qualifies for the "free for some" method and would then fall under the category where payment is required to do that volume of RBL queries.

Oh, I guess that means Debian still has a mail.log. Look there instead (/var/log/mail.log).

Does not exist

There is no mail.log in a standard install of deb 12

On Ubuntu I only got 4 entries using

journalctl -u postfix

but I did get the full output using

journalctl  |grep postfix |more

Maybe something has changed with journalctl?
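As an added example (not code from the thread or from Virtualmin), here is how I would summarise the output of journalctl | grep postfix to answer the two checks raised earlier in the thread: whether local deliveries are being handed to procmail-wrapper, and which clients are failing SASL logins against smtpd. SAMPLE_LOG is constructed to resemble the excerpts posted here, with placeholder host names, a placeholder mailbox and documentation-range addresses; on a real server pass the functions the output of journalctl --no-pager | grep postfix instead.

```shell
#!/bin/sh
# Added example, not from the thread or Virtualmin: summarise the postfix
# lines that `journalctl | grep postfix` prints. SAMPLE_LOG is constructed
# (placeholder hosts, placeholder mailbox, documentation-range addresses)
# to resemble the excerpts quoted in the thread.

SAMPLE_LOG='Apr 28 22:15:08 mx postfix/local[165498]: AAE2517CEACD: to=<box@example.invalid>, relay=local, delay=0.71, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)
Apr 28 22:15:09 mx postfix/smtp[165497]: AAE2517CEACD: to=<bounce@example.invalid>, relay=mail.example.invalid[203.0.113.9]:25, dsn=2.0.0, status=sent (250 OK)
Apr 28 22:23:13 mx postfix/smtpd[166260]: warning: hostname scanner.example.invalid does not resolve to address 198.51.100.7
Apr 28 22:23:13 mx postfix/smtpd[166260]: connect from unknown[198.51.100.7]
Apr 29 05:10:09 mx postfix/smtpd[263502]: connect from unknown[192.0.2.44]
Apr 29 05:10:11 mx postfix/smtpd[263502]: warning: unknown[192.0.2.44]: SASL LOGIN authentication failed: authentication failure, sasl_username=box@example.invalid
Apr 29 05:10:11 mx postfix/smtpd[263502]: disconnect from unknown[192.0.2.44] ehlo=2 starttls=1 auth=0/1 quit=1 commands=4/5
Apr 29 05:12:40 mx postfix/smtpd[263510]: connect from unknown[192.0.2.44]
Apr 29 05:12:42 mx postfix/smtpd[263510]: warning: unknown[192.0.2.44]: SASL LOGIN authentication failed: authentication failure, sasl_username=someuser
Apr 29 06:01:03 mx postfix/local[270001]: B1C2D3E4F5A6: to=<box@example.invalid>, relay=local, delay=0.3, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)'

# Local deliveries handed to procmail-wrapper. If this stays at zero while
# mail keeps appearing in the Maildir, something other than Postfix is
# delivering it and SpamAssassin is never in the path.
procmail_deliveries() {
    printf '%s\n' "$1" | grep -c 'postfix/local.*status=sent (delivered to command: /usr/bin/procmail-wrapper'
}

# Queue IDs of those deliveries, to match against procmail.log timestamps.
procmail_queue_ids() {
    printf '%s\n' "$1" | sed -n 's/.*postfix\/local\[[0-9]*\]: \([0-9A-F]*\): .*procmail-wrapper.*/\1/p'
}

# Failed SASL logins per client IP, most frequent first. These are the
# lines a postfix-sasl Fail2ban jail keys on, so compare against its bans.
sasl_failures_by_ip() {
    printf '%s\n' "$1" \
        | sed -n 's/.*warning: [^[]*\[\([0-9.]*\)\]: SASL [A-Z-]* authentication failed.*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Clients whose forward DNS does not match the connecting address; smtpd
# logs these as a warning and then shows them as unknown[...].
unresolved_hostnames() {
    printf '%s\n' "$1" | grep -c 'warning: hostname .* does not resolve to address'
}

echo "deliveries to procmail-wrapper: $(procmail_deliveries "$SAMPLE_LOG")"
echo "queue ids: $(procmail_queue_ids "$SAMPLE_LOG" | tr '\n' ' ')"
echo "SASL failures by ip:"
sasl_failures_by_ip "$SAMPLE_LOG"
echo "unresolved client hostnames: $(unresolved_hostnames "$SAMPLE_LOG")"
```

The two numbers worth comparing are the delivery count here and the number of new files in the Maildir over the same window: if they match, every message went through procmail-wrapper and the question moves to procmail.log and the SpamAssassin score; if the Maildir has more, the extra mail is arriving by some other route.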

I’m also starting to have doubts that journalctl isn’t working correctly, but, I repeat again, no one changes the configuration unless the documentation says so.
Nobody here remembers ever changing the log configuration.

The server was restarted approximately 21 hours ago.
If I type journalctl -u postfix --since “1200 min ago” I get --no entries–
With journalctl -u postfix there are 15 entries.

what do you get with

journalctl  |grep postfix

?

I was checking.
There’s a lot more here.
I generated a file that I moved to the PC to check better.

This is for email spam

Apr 28 21:59:52 MY-SRV postfix/anvil[159170]: statistics: max connection rate 1/60s for (smtp:172.116.51.241) at Apr 28 21:55:02
Apr 28 21:59:52 MY-SRV postfix/anvil[159170]: statistics: max connection count 1 for (smtp:172.116.51.241) at Apr 28 21:55:02
Apr 28 21:59:52 MY-SRV postfix/anvil[159170]: statistics: max cache size 2 at Apr 28 21:55:10
Apr 28 22:15:07 MY-SRV postfix/pickup[158326]: AAE2517CEACD: uid=1007 from=<evoke@earnmorenow.info>
Apr 28 22:15:07 MY-SRV postfix/cleanup[165495]: AAE2517CEACD: message-id=<B3Jllr1bhuEf7nG7EuxeRXceV0qKHKtWBcAx7H8oSw4@MY-DOMAIN>
Apr 28 22:15:07 MY-SRV postfix/qmgr[1772]: AAE2517CEACD: from=<evoke@earnmorenow.info>, size=3131, nrcpt=2 (queue active)
Apr 28 22:15:08 MY-SRV postfix/local[165498]: AAE2517CEACD: to=<"MY-MAILBOX@MY-DOMAIN"@MY-SRV>, orig_to=<MY-MAILBOX@MY-DOMAIN>, relay=local, delay=0.71, delays=0.02/0/0/0.68, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)
Apr 28 22:15:09 MY-SRV postfix/smtp[165497]: AAE2517CEACD: to=<evoke@earnmorenow.info>, relay=inbound-smtp.us-west-2.amazonaws.com[52.43.162.244]:25, delay=2.1, delays=0.02/0.01/1.5/0.65, dsn=2.0.0, status=sent (250 OK n3ihbff63ue572mo7s46793uogipcftcccgr5301)
Apr 28 22:15:09 MY-SRV postfix/qmgr[1772]: AAE2517CEACD: removed
Apr 28 22:23:13 MY-SRV postfix/smtpd[166260]: warning: hostname waffles.scanf.shodan.io does not resolve to address 164.92.114.247
Apr 28 22:23:13 MY-SRV postfix/smtpd[166260]: connect from unknown[164.92.114.247]
Apr 28 22:23:18 MY-SRV postfix/smtpd[166265]: warning: hostname waffles.scanf.shodan.io does not resolve to address 164.92.114.247
Apr 28 22:23:18 MY-SRV postfix/smtpd[166265]: connect from unknown[164.92.114.247]
Apr 28 22:23:18 MY-SRV postfix/smtpd[166265]: warning: TLS library problem: error:0A0000F5:SSL routines::unexpected record:../ssl/record/rec_layer_s3.c:1742:
Apr 28 22:23:18 MY-SRV postfix/smtpd[166265]: lost connection after CONNECT from unknown[164.92.114.247]
Apr 28 22:23:18 MY-SRV postfix/smtpd[166265]: disconnect from unknown[164.92.114.247] commands=0/0
Apr 28 22:23:21 MY-SRV postfix/smtpd[166265]: warning: hostname waffles.scanf.shodan.io does not resolve to address 164.92.114.247

Meanwhile I see that there are frequent foreign accesses.
I hope they are blocked by Fail2ban or something else.

Apr 27 11:43:28 MY-SRV postfix/smtpd[449836]: connect from unknown[196.0.107.190]
Apr 27 11:43:35 MY-SRV postfix/smtpd[449839]: connect from unknown[221.163.227.238]
Apr 27 11:43:37 MY-SRV postfix/smtpd[449839]: lost connection after CONNECT from unknown[221.163.227.238]
Apr 27 11:43:37 MY-SRV postfix/smtpd[449839]: disconnect from unknown[221.163.227.238] commands=0/0
Apr 27 11:43:38 MY-SRV postfix/smtpd[449836]: warning: unknown[196.0.107.190]: SASL LOGIN authentication failed: authentication failure, sasl_username=anabell
Apr 27 11:43:41 MY-SRV postfix/smtpd[449836]: lost connection after AUTH from unknown[196.0.107.190]
Apr 27 11:43:41 MY-SRV postfix/smtpd[449836]: disconnect from unknown[196.0.107.190] ehlo=1 auth=0/1 commands=1/2

Apr 29 05:33:02 MY-SRV postfix/smtpd[273585]: connect from unknown[unknown]
Apr 29 05:33:02 MY-SRV postfix/smtpd[273585]: SSL_accept error from unknown[unknown]: Connection reset by peer
Apr 29 05:33:02 MY-SRV postfix/smtpd[273585]: lost connection after CONNECT from unknown[unknown]
Apr 29 05:33:02 MY-SRV postfix/smtpd[273585]: disconnect from unknown[unknown] commands=0/0
Apr 29 05:33:33 MY-SRV postfix/smtpd[273585]: warning: hostname donut.scanf.shodan.io does not resolve to address 64.226.86.7

Attempts also with real users’ boxes

Apr 29 05:10:09 MY-SRV postfix/smtpd[263502]: connect from unknown[94.156.8.201]
Apr 29 05:10:11 MY-SRV postfix/smtpd[263502]: warning: unknown[94.156.8.201]: SASL LOGIN authentication failed: authentication failure, sasl_username=My-MAILBOX@MY-DOMAIN
Apr 29 05:10:11 MY-SRV postfix/smtpd[263502]: disconnect from unknown[94.156.8.201] ehlo=2 starttls=1 auth=0/1 quit=1 commands=4/5

I also see

Apr 29 02:00:18 MY-SRV postfix/smtpd[218705]: connect from unknown[159.89.124.112]
Apr 29 02:00:18 MY-SRV postfix/smtpd[218705]: improper command pipelining after CONNECT from unknown[159.89.124.112]: \026\003\001\001E\001\000\001A\003\003\322-X6\rVQ\373U=1|e\236\245x\322\200\355\350\231U\220\314;G\334\273\302\211\312, W\324-\315\266V%\267\270\206\357\300&\v^\177\230\240\005\222\302\300\t\330\300\334\v\330G\332)\301\000>\023\002\023\003\023\001\300,\3000\000\237\314\251\314\250\314\252\300+\300/
Apr 29 02:00:18 MY-SRV postfix/smtpd[218705]: lost connection after CONNECT from unknown[159.89.124.112]
Apr 29 02:00:18 MY-SRV postfix/smtpd[218705]: disconnect from unknown[159.89.124.112] commands=0/0

Apr 29 00:26:49 MY-SRV postfix/smtpd[196650]: connect from unknown[193.86.95.34]
Apr 29 00:26:49 MY-SRV postfix/smtpd[196650]: improper command pipelining after CONNECT from unknown[193.86.95.34]: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"49CYQrmrqP2LyHQdMY26JGiq3M9cxFkiSU9PyfSE
Apr 29 00:26:49 MY-SRV postfix/smtpd[196650]: warning: non-SMTP command from unknown[193.86.95.34]: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"49CYQrmrqP2LyHQdMY26JGiq3M9cxFkiSU9PyfSE
Apr 29 00:26:49 MY-SRV postfix/smtpd[196650]: disconnect from unknown[193.86.95.34] unknown=0/1 commands=0/1


For that spam email, the headers are:

X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on MY_SRV
X-Spam-Level:
X-Spam-Status: No, score=0.1 required=5.0 tests=HTML_MESSAGE,MIME_HTML_ONLY, NO_RELAYS,URIBL_BLOCKED,URIBL_DBL_BLOCKED_OPENDNS autolearn=no autolearn_force=no version=4.0.0

I know that the battle against spam and other various attacks is endless, but we expect the system to at least put us in a position to have a first defense.
So, we expect that with the firewall, Fail2Ban, ClamAV and SpamAssassin we already have good initial security coverage.
In the CMS we have already activated a web firewall which is already giving us excellent results.
Later we will activate mod_security to protect those Apache portals where it is not possible to activate a web firewall.
SSH access is by key, and the password is in any case complex.
We will also enable 2FA for Webmin logins.
We have backups with hourly, daily, weekly and monthly rotation.

But, I repeat, we take it for granted that the “front line” is already safe.
That’s why we’re testing everything.
With Fail2ban we found almost 7000 ( :open_mouth:) failed accesses to DNS in a few days, over 100 to postfix, 20 to FTP.
With FirewallD we see another 500 attacks rejected.

Spam, instead, does not appear to be filtered.