Single quoted spam

antioch · April 4, 2023, 3:29pm

SYSTEM INFORMATION
OS type and version	ubuntu 20.04
Webmin version	1.991
Virtualmin version	7.0-4
Related packages	SUGGESTED

for whatever reason spam whose sender name is encased in single quotes just flies through the filters like theyre not even there. so my question is why, when i setup a filter to scan the from header for starts with the regex /^'.+'/ it cant find any matches though the box is full of 'em?

Joe · April 4, 2023, 3:57pm

You’d want to look at the headers to make sure what you think is happening is actually what’s happening (i.e. is it actually being processed through your filters…are they SpamAssassin rules or procmail or something else?).

antioch · April 8, 2023, 1:35am

yup, says SpamAssassin. cant use both?

Joe · April 8, 2023, 1:54am

I don’t understand the question. Virtualmin uses procmail for mail processing and delivery, including scanning with SpamAssassin and/or ClamAV. It’s not either procmail or SpamAssassin, it is procmail always, SpamAssassin if you have enabled spam scanning.

I asked where you created the rule that’s supposed to block based on that regex. It could be in procmail or SpamAssassin; both are able to make decisions based on regular expressions. And, I suggested you look in the headers of a delivered mail to make sure you see evidence it was processed with the tool you are using to check for that regex.

antioch · April 8, 2023, 10:31am

sorry, let me be more clear. the regex filter is in the user’s procmail. im also running sa, as u can now see below. but i dont see any procmail references?

ive also modified the filter to /^'.+'.{1,}/. it still doesnt pick up existing spam when i hit show matching email in folder: inbox.

Return-Path: <>
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on
	lamp1.domain.tld
X-Spam-Level: **
X-Spam-Status: No, score=2.7 required=5.0 tests=ADMITS_SPAM,DKIM_ADSP_NXDOMAIN,
	FROM_DOMAIN_NOVOWEL,HTML_MESSAGE,MIME_HTML_ONLY,MIME_QP_LONG_LINE,
	RDNS_NONE,SPF_HELO_NONE,T_KAM_HTML_FONT_INVALID,URIBL_PH_SURBL
	autolearn=no autolearn_force=no version=3.4.4
X-Original-To: mailbox@domain.tld
Delivered-To: mailbox-domain.tld@domain.tld
Received: from smtp.domain.tld (localhost [127.0.0.1])
	by smtp.domain.tld (Postfix) with ESMTP id 3BDB3404A20C
	for <mailbox@domain.tld>; Fri,  7 Apr 2023 15:52:37 -0500 (CDT)
Received-SPF: none (sips-atos.com: No applicable sender policy available) receiver=lamp1.domain.tld; identity=helo; helo=sips-atos.com; client-ip=116.204.182.242
Received: from sips-atos.com (unknown [116.204.182.242])
	by smtp.domain.tld (Postfix) with ESMTP id CC713404A1B7
	for <mailbox@domain.tld>; Fri,  7 Apr 2023 15:52:36 -0500 (CDT)
Received: from 127.0.0.1 (localhost [127.0.0.1]) by compute-1.amazonaws.com (amazon) with ESMTP id 4KFZrB364GzNCd908 for <mailbox@domain.tld>; Fri, 07 Apr 2023 22:52:21 +0200
To: "mailbox@domain.tld" <mailbox@domain.tld>
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Date: Fri, 07 Apr 2023 22:52:21 +0200
X-Priority: 1 (Normal)
Message-ID: <rBltag2MqUIO3CEKmxGFvxn48uO-jLhiavoiRGafDQsfDpQKzOJrESL-cadf-4b64-ba5d-13abc51dd070-000000@.amazonses.com>
X-SES-Outgoing: Fri, 07 Apr 2023 22:52:21 +0200
Subject: Discounts for Seniors! We've found the best deals for you!
From: 'Senior Perks' <info-bPr@untdstatdropromuniflamtionpcTTGWnFO.com>
X-MS-Exchange-Message-Is-Ndr:Content-Language: en-US
In-Reply-To: <jLhiavoiRGafDQsfDpQKzOJrESL.mw2y30v3q3o4wg4k@amazonses.com>
References: <1611112436.jLhiavoiRGafDQsfDpQKzOJrESL@amazonses.com>
Auto-Submitted: auto-replied
X-MS-PublicTrafficType: mailbox
X-MS-TrafficTypeDiagnostic: rBltag2MqUIO3CEKmxGFvxn48uO:
X-Microsoft-Antispam-PRVS:<AM6PR0302rBltag2MqUIO3CEKmxGFvxn48uOMB34792C3585847800D85595A5B8A20@amazonses.com>
X-MS-Exchange-SenderADCheck: 77667
X-Microsoft-Antispam: BCL:0;mailbox
X-Virus-Scanned: ClamAV using ClamSMTP

Joe · April 8, 2023, 3:31pm

If you haven’t modified things to send mail through SpamAssassin in some other way, it has to be going through procmail (that’s how Virtualmin sets up AV/spam scanning), but user procmail is optional. You can check what procmail is doing with it in the procmail.log.

antioch · April 8, 2023, 9:44pm

found these lines in procmail.log for the latest spam to slip through.

From MAILER-DAEMON  Sat Apr  8 12:29:57 2023
 Subject: RE:associates Congrats! You've received a Kohls reward You have been 
  Folder: /home/domain.tld/homes/mailbox/Maildir/new/168097499	  13161
Time:1680974998 From:info-pmc@untdstatdropromuniflamtionsKSXzbQsU.com To:mailbox@domain.tld User:mailbox-domain.tld Size:13206 Dest:/home/domain.tld/homes/mailbox/Maildir/new/1680974998.3478285_0.machine.domain2.tld Mode:None

antioch · April 9, 2023, 12:11pm

did some updating.

antioch · April 9, 2023, 2:47pm

went hunting for procmail for usermin settings, despite it already appearing to be available there. found it unchecked in webmin-webmin-usermin configuraion-available modules. check it?

jimr1 · April 9, 2023, 2:54pm

hmm so you are trying to set this up in usermin ? if so have you set this :-

antioch · April 9, 2023, 3:08pm

currently set to yes.

system · June 8, 2023, 3:08pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.