I keep getting spam

I am still confused about what you have done to your system (or the nature of your domains - or their web content) that is attracting so much spam. I have 5 VMs located in several countries (including China and Russia) all running pretty much vanilla Virtualmin with a current total of 46 domains. Sure they do attract a certain amount of spam but it is in the low 100’s per day - nothing overwhelming.

I too would probably be worried by those numbers - and probably be looking to isolate the culprit domain.

I wrote it in every post and in every answer.
We used the official installation script, and did the configurations using only the official documentation.

Spam is currently limited.
Since the new mail server has been installed there have been a few dozen, but none have been filtered.
I asked 3 times (without response) if we should instruct SpamAssassin by sending spam to spamtrap.

The other values are not spam, but intrusion attempts.
I find them in Jail Status.

Spamassassin won’t discard that email as it is below the score of 5.0,

This looks like the email originated on your own server, check your website’s contact us page (if you have one) for sending messages that could be spam and get through.
Or have you set up some prefiltering of mail that is stripping out headers in the email message?
However, from the postfix log entry you posted I don’t even see spamassassin scanning the message. Are there any entries in your logs something like:

Apr 29 09:42:02 server postfix/qmgr[521889]: 85CFE1DEC38: from=<phporyx@server.phporyx.co.uk>, size=706, nrcpt=1 (queue active)
Apr 29 09:42:03 server spamd[497793]: spamd: connection from 127.0.0.1 [127.0.0.1]:60266 to port 783, fd 6
Apr 29 09:42:03 server spamd[497793]: spamd: setuid to my@email address succeeded
Apr 29 09:42:03 server spamd[497793]: spamd: processing message <20240429084202.85CFE1DEC38@server.MY-SRV> for my@email address:6666
Apr 29 09:42:03 server spamd[497793]: spamd: clean message (-0.2/5.0) for my@email address:6666 in 0.1 seconds, 1382 bytes.
Apr 29 09:42:03 server spamd[497793]: spamd: result: . 0 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NO_RELAYS,URIBL_BLOCKED scantime=0.1,size=1382,user=my@email address,uid=6666,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=60266,mid=<20240429084202.85CFE1DEC38@server.MY-SRV>,autolearn=ham autolearn_force=no

Note this is an internal email, so NO_RELAYS is in play here.

@DarkCorner did you see this reply from @jimr1 ?
You need to make sure you’re not using a public DNS resolver on your system, otherwise most queries to any of the popular blacklists (including those checked in SpamAssassin) will be blocked.
Virtualmin installs BIND by default and it should be listening on localhost.
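Two quick checks for the resolver problem described in this reply, written as an added example rather than anything posted in the thread: whether the system resolver points anywhere other than localhost, and how often spamd has already logged URIBL_BLOCKED (the marker seen later in this thread when DNSBL queries are refused). The resolv.conf and log contents below are constructed samples; point the functions at /etc/resolv.conf and at saved `journalctl -u spamd` output on a real box.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes only POSIX sh, awk and grep.

# Print "loopback" if every nameserver in the given resolv.conf is
# 127.0.0.0/8 or ::1, otherwise "public". Caveat: a 127.0.0.53 stub
# (systemd-resolved) counts as loopback here but may still forward to
# a public upstream; confirm with `resolvectl status` in that case.
resolver_kind() {
    awk '
        $1 == "nameserver" {
            if ($2 !~ /^127\./ && $2 != "::1") { public = 1 }
        }
        END { print (public ? "public" : "loopback") }
    ' "$1"
}

# Count spamd "result:" lines whose rule list contains URIBL_BLOCKED,
# i.e. scans where the URI blocklist lookups were refused.
uribl_blocked_hits() {
    grep -c 'spamd: result: .*URIBL_BLOCKED' "$1" || true
}

# Constructed sample inputs (not real systems or real log lines).
SAMPLE_RESOLV=$(mktemp)
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_RESOLV" <<'EOF'
# constructed: a typical cloud-image default, not the local BIND
nameserver 8.8.8.8
nameserver 1.1.1.1
EOF
cat > "$SAMPLE_LOG" <<'EOF'
Apr 29 15:21:21 MY-SRV spamd[277156]: spamd: result: . -4 - DKIM_SIGNED,DKIM_VALID,RCVD_IN_DNSWL_HI,URIBL_BLOCKED scantime=0.6,size=117360
Apr 29 15:41:59 MY-SRV spamd[277156]: spamd: result: .  2 - DKIM_SIGNED,FROM_SUSPICIOUS_NTLD,URIBL_BLOCKED,URIBL_DBL_BLOCKED_OPENDNS scantime=0.2,size=2191
Apr 29 16:02:10 MY-SRV spamd[277156]: spamd: result: Y 12 - BAYES_99,RCVD_IN_SBL scantime=0.3,size=4096
EOF

echo "resolver: $(resolver_kind "$SAMPLE_RESOLV")"
echo "URIBL_BLOCKED hits: $(uribl_blocked_hits "$SAMPLE_LOG")"
```

A non-zero hit count together with a "public" resolver is the combination this reply warns about; switching resolv.conf to the local BIND and re-checking the count after a day of mail is the confirmation.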

Sorry, but although I do hang around the forum quite a bit I do not read every post (or every response).

Cannot answer that one, other than that I don’t use it AFAIK.

I don’t use jails (no need - yet)

I can accept that a bot found an email address on a web page.
In my opinion it didn’t happen because none of the addresses present received spam emails.
However, what I understood from your comment is that the bot sends spam from my mail server and I don’t find this acceptable because it should be authorized to do so and my server should prevent it from anyone who doesn’t have authorization.

Forgive my frankness, but I also get tired of repeating that no one has configured anything different from what is officially documented.

Which is what I’ve been wondering since the opening comment: Is SpamAssassin working?

I don’t understand this.
I see an email
from: evoke@earnmorenow.info
to: MY-MAILBOX@MY-DOMAIN"@MY-SRV
orig_to: MY-MAILBOX@MY-DOMAIN
relay=inbound-smtp.us-west-2.amazonaws.com[52.43.162.244]:25

I’m no expert, but to me it looks like an external email masquerading as coming from my address and sent to this same address.
But I could be wrong, because I’m not an expert.

Why not run

service spamassassin status

This will show if spamassassin is running or if it failed to start.
You should get something like

One hint. It drove me nuts at first but some spam was getting through and there were no spam headers. The default is to NOT check emails over 512K so spammers, probably knowing this, were padding their emails to get over the limit. I upped mine to 1M and stopped getting emails without spam headers.

However, the OP is getting spam headers.

Yeah. I noted that in post 4. It is still possible to NOT see headers so I wanted to put that in just in case that issue arises. Not seeing headers doesn’t mean SA isn’t running. There is one possible bypass that I know of.
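A way to look for the bypass just described, as an added example that is not part of either post: list delivered messages whose headers carry no X-Spam-Status at all and compare their size with the 512K scan limit mentioned above. The mailbox below is constructed; on a real server the first argument would be a Maildir cur/ folder, and the limit should be whatever you raised it to.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes only POSIX sh, sed, grep, awk.

# Default spamc message-size limit in bytes (the 512K mentioned above).
SIZE_LIMIT=512000

# Print "<bytes> <file>" for each message in a directory whose header
# block (everything before the first blank line) has no X-Spam-Status.
unscanned_messages() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if ! sed '/^$/q' "$f" | grep -qi '^X-Spam-Status:'; then
            printf '%s %s\n' "$(wc -c < "$f" | tr -d ' ')" "$f"
        fi
    done
}

# Count the unscanned messages that are larger than the given limit:
# those are the ones the size cap, not a failed daemon, explains.
oversized_unscanned() {
    unscanned_messages "$1" | awk -v lim="$2" '$1 > lim { n++ } END { print n + 0 }'
}

# Constructed sample mailbox (not real mail): one scanned message, one
# small message with no header, one padded past the limit with no header.
MAILDIR=$(mktemp -d)
printf 'From: a@example.invalid\nX-Spam-Status: No, score=1.2\n\nhello\n' > "$MAILDIR/1.eml"
printf 'From: b@example.invalid\nSubject: no scan header\n\nshort body\n' > "$MAILDIR/2.eml"
{
    printf 'From: c@example.invalid\nSubject: padded\n\n'
    head -c 600000 /dev/zero | tr '\0' 'x'
} > "$MAILDIR/3.eml"

unscanned_messages "$MAILDIR"
echo "unscanned and over limit: $(oversized_unscanned "$MAILDIR" "$SIZE_LIMIT")"
```

Small messages with no header (the second sample) point at something other than the size cap, for example the daemon not running or a delivery path that skips procmail.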

systemctl status spamd.service
● spamd.service - Perl-based spam filter using text analysis
     Loaded: loaded (/lib/systemd/system/spamd.service; enabled; preset: enabled)
     Active: active (running) since Sun 2024-04-28 11:52:41 CEST; 1 day 4h ago
    Process: 277150 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
   Main PID: 581 (perl)
      Tasks: 3 (limit: 38345)
     Memory: 233.5M
        CPU: 20.469s
     CGroup: /system.slice/spamd.service
             ├─   581 /usr/bin/perl -T -w -I /etc/perl -I /usr/lib/x86_64-linux-gnu/perl5/5.36 -I /usr/share/perl5 -I /usr/lib/x86_64-linux-gnu/perl-base -I /usr/lib/x86_64-linux-gnu/perl/5.36 -I /usr/share/perl/5.36 /usr/sbin/spamd --pi>
             ├─277156 "spamd child"
             └─277157 "spamd child"

Apr 29 15:21:21 MY-SRV spamd[277156]: spamd: clean message (-5.0/5.0) for My-MBOX@MyDOMAIN:1011 in 0.6 seconds, 117360 bytes.
Apr 29 15:21:21 MY-SRV spamd[277156]: spamd: result: . -4 - DKIM_SIGNED,DKIM_VALID,DMARC_MISSING,HTML_MESSAGE,MIME_QP_LONG_LINE,RCVD_IN_DNSWL_HI,SPF_HELO_NONE,SPF_NONE,URIBL_BLOCKED,URIBL_DBL_BLOCKED_OPENDNS scantime=0.>
Apr 29 15:21:21 MY-SRV spamd[581]: prefork: child states: II
Apr 29 15:41:59 MY-SRV spamd[277156]: spamd: connection from localhost [::1]:57232 to port 783, fd 5
Apr 29 15:41:59 MY-SRV spamd[277156]: spamd: setuid to My_MBOX@My-DOMAIN succeeded
Apr 29 15:41:59 MY-SRV spamd[277156]: spamd: processing message <jP2ATxXDpQoOqjHrjd7ehtZXvQk124AA4xgbb8ThmI@My-DOMAIN> for My_MBOX@My-DOMAIN:1018
Apr 29 15:41:59 MY-SRV spamd[277156]: check: dns_block_rule URIBL_BLOCKED hit, creating /root/.spamassassin/dnsblock_multi.uribl.com (This means DNSBL blocked you due to too many queries. Set all affected rules score to>
Apr 29 15:41:59 MY-SRV spamd[277156]: spamd: clean message (2.6/5.0) for My-Box@My-Domain:1018 in 0.2 seconds, 2191 bytes.
Apr 29 15:41:59 MY-SRV spamd[277156]: spamd: result: .  2 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FROM_SUSPICIOUS_NTLD,FROM_SUSPICIOUS_NTLD_FP,HEADER_FROM_DIFFERENT_DOMAINS,NO_RELAYS,TO_IN_SUBJ,URIBL_BLOCKED,URIBL_DBL_BL>
Apr 29 15:41:59 MY-SRV spamd[581]: prefork: child states: II
lines 1-23/23 (END)

For information, the email reported in systemctl is an alert that the system sent because someone logged into the system.
So, it is correct that this mail was sent from our server to an email on our server.

I have no idea how to get information from journalctl, as I don’t have to, but I understand gleaning information from it takes a bit of learning.

Debian 12 log issue

Virtualmin is a very complex software with a steep learning curve which handles even more complex software. As you are finding out. It isn’t an out of the box substitute for experience. Your posts show a high expectation for that “out of the box” solution. It sets up a very complete “out of the box” environment you probably could not. I know I could not.

It is very easy to mess up configuration while thinking you are not messing it up which makes any issues even harder to fix and figure out.

What does “none have been filtered” mean to you?
Out of the box you have SpamAssassin working. X-Spam-Status: indicates that.

I have 400 or so (*.offending.domain and *@.offending.domain) in denied addresses form.
I have 30 custom header rules and 70-80 with increased or lowered values that are already used by SpamAssassin. Decisions made by watching what was triggered in headers. Read up on SpamAssassin if you want it to work for you.

If you have [recidive] enabled ( not a default ) with low threshold and long ban time it will funnel repeat offenders from all active filters to that jail and ban all ports. I have no tolerance for repeat offenders so I have all jails set to 2 matches. Make sure you fill in IP addresses to never ban!

If I see IPs from the same block showing up I put a permanent drop rule in firewalld for that block.

None of this is out of the box and shouldn’t be.

You have only posted one email header showing only a couple of tests that had low scores so not spam. Is that characteristic of your spam?

A lot of senders know how to set up their system to not trip filters so they have to be caught by specific words or combos in custom header rules carefully made to not block legit mail.

Hosting email IS NOT TRIVIAL. I’ve worked for one hosting company that simply wouldn’t take it on. People spend years learning this stuff. I have over 20. I can assure you, the default set up, while not bullet proof, is still pretty damned good with the one exception I mentioned above.

Spammers are like COVID. They will morph. Worse yet, the resources they make you use up allows the more sophisticated bad actors to operate under their cover.

I know that we had our own mail (not that of customers), on our own server (not one managed by others), but with Plesk.
The only thing we had done was to create the mailboxes and assign the password. End! Stop!
We read the mail with Thunderbird and all we had to do was enter the email parameters and account credentials. End! Stop!
Immediately the mail arrived and all the outgoing mail went out.
When spam arrived, 90% ended up in the spam folder without doing anything, with Thunderbird already configured to use SpamAssassin.
For the web we already had Mod_Security installed and all we had to do was choose which rules.

Half a day of work and we were ready to go.
Our Linux experience was used to configure our web applications, not to configure Postfix or SpamAssassin.

Instead (now, here, with Virtualmin) I know that we bought 4 servers on March 23rd and today, on April 29th, we are still here to understand why the emails go in fits and starts and why all the spam (100%) is not filtered and remains in the inbox folder.
Then we launch Thunderbird and (Magic!) it is moved to the Spam folder, but because Thunderbird’s SpamAssassin worked, not Virtualmin’s.

About Fail2Ban, we have activated Jail “Recidive” and set bans for 10 days in each Jail.
We are not complaining about how Fail2ban works.

The abnormal number of reports is perhaps due to the fact that the previous provider had its own active firewall upstream of the connectivity, while this one did not.
We’ve been told by many that Virtualmin already provides good security on its own, and we’re trusting them. We haven’t made any changes and are just checking the logs.

Having said that, I will no longer insist on this topic.
No, I don’t have high expectations for an “out of the box” solution.
I just didn’t expect all these difficulties.

Gotta ask, why did you leave Plesk? Obviously Plesk requires less roll-up-your-sleeves research and admin background.
Perhaps you don’t realize how your posts sound like a constant comparison to some expectation not met and at the same time a lack of knowledge of how to do it.


The only unmet expectation in this is seeing someone answer a simple question: In Virtualmin should SpamAssassin be trained by sending emails to spamtrap@domain?

You’ve led me around on a thousand other topics.
All interesting and I drew ideas for other tests, but no one answered the question.

I have been using Webmin for years and always only to consult the status of an installation which is always done manually, from a terminal via SSH.
From the creation of virtual servers to the installation of Fail2Ban; from firewall configuration to selecting individual packages to update. Everything from the terminal.

I proposed Plesk on the new servers as a valid alternative of which I remain convinced.
In a different context I would confirm the adoption of Virtualmin.

Plesk has Nginx as a reverse proxy to Apache and I didn’t want to have to worry about managing it.
But if we talk about “Out of the Box” solutions, without a doubt this is Plesk, not Virtualmin.

How did you install webmin/virtualmin? I have never had to do that. I would guess you didn’t use the virtualmin install script; if you had, everything would have been installed and given a set of working settings. However, if you installed webmin then installed the virtualmin module none of this takes place. Which installation route did you follow?

Forgive me, did you read my question?
Because it’s a very simple question and you’re still taking me to another plane of problems.
I asked the same question (one and a half rows) to technical support and I was given an answer (also one and a half rows) within a few hours.
Here, we are on the third day and after 37 comments we are still talking about something else.

Your comments, from all of you, were very helpful to me, I’m sincere.
They allowed me to approach other things from a different point of view, but they have nothing to do with my question.

Yes, I have always used the official scripts and before scripts existed I used the commands as detailed by the official documentation.
And, again yes, the settings are working, but that wasn’t my question.

However, I repeat that the ticket is resolved.

Hey there,

From my experience, you don’t have to train spamassassin. For me, it worked out of the box, though I have made a few changes that resulted in better spam resolution.

First of all, you say that thunderbird is moving spam-positive emails to the spam folder out of nowhere. My guess: don’t you use some kind of antivirus on the client PC? Antiviruses often come with some kind of antispam feature, which works together with thunderbird / outlook.

If you resolve the issue with DNS queries being blocked, you should be good to go.

For improved spam resolution, I have added the senderscore.org IP reputation service to my spamassassin. You can find a good tutorial on how to do it here: Senderscore Reputation - efa-project.org

Sorry, didn’t notice your latest message 🙂