I started receiving loads more spam a few weeks ago. Something changed somewhere because it went from occasional to loads in one instant and has not stopped.
Spamassassin is running on the server.
I have updated the server with yum, so I assume that should update it all.
So I added the following rules to my /etc/mail/spamassassin/local.cf file, but as you can see in the mail headers below, the rules are not working on all emails, because the IP address 89.34.26.114 IS on a lot of the blacklists which I am adding into my rules. So it looks like SpamAssassin is not filtering them by default anyway, and my rules are not working either.
On the other hand I can see some spam in my spam folder which does have the rules below in the header, so it may be working for some but not others. The ones I receive below are forwarders, so sent to me at one domain, then forwarded to my new domain.
Anyone know why?
/etc/mail/spamassassin/local.cf file
# These values can be overridden by editing ~/.spamassassin/user_prefs.cf
# (see spamassassin(1) for details)
# These should be safe assumptions and allow for simple visual sifting
# without risking lost emails.
required_hits 5
report_safe 0
rewrite_header subject [SPAM2]
add_header all Report _REPORT_
# CUSTOM SCORE OVERRIDES
score RCVD_IN_BRBL_LASTEXT 4
score URIBL_DBL_SPAM 5
score URIBL_DBL_ABUSE_SPAM 4
score URI_WP_HACKED 4
score URIBL_ABUSE_SURBL 4
# Each check_rbl rule below queries the named DNSBL zone for the last
# external relay in the Received chain (the "-lastexternal" set suffix).
header RCVD_IN_BARRACUDACEN eval:check_rbl('bbarracuda-lastexternal', 'b.barracudacentral.org.')
describe RCVD_IN_BARRACUDACEN Relay is listed in b.barracudacentral.org
tflags RCVD_IN_BARRACUDACEN net
score RCVD_IN_BARRACUDACEN 4.0
header RCVD_IN_SBLSPAMHAUS eval:check_rbl('sblspamhaus-lastexternal', 'sbl.spamhaus.org.')
describe RCVD_IN_SBLSPAMHAUS Relay is listed in sbl.spamhaus.org
tflags RCVD_IN_SBLSPAMHAUS net
score RCVD_IN_SBLSPAMHAUS 4.0
header RCVD_IN_ZENSPAMHAUS eval:check_rbl('zenspamhaus-lastexternal', 'zen.spamhaus.org.')
describe RCVD_IN_ZENSPAMHAUS Relay is listed in zen.spamhaus.org
tflags RCVD_IN_ZENSPAMHAUS net
score RCVD_IN_ZENSPAMHAUS 4.0
header RCVD_IN_BL_SPAMCOP_NET eval:check_rbl_txt('spamcop-lastexternal', 'bl.spamcop.net.', '(?i:spamcop)')
describe RCVD_IN_BL_SPAMCOP_NET Received via a relay in bl.spamcop.net
tflags RCVD_IN_BL_SPAMCOP_NET net
score RCVD_IN_BL_SPAMCOP_NET 4.0
header RCVD_IN_RBL_DNS eval:check_rbl_txt('dnsrbl', 'dnsrbl.org.')
describe RCVD_IN_RBL_DNS Entries listed in dnsrbl.org RBL
tflags RCVD_IN_RBL_DNS net
score RCVD_IN_RBL_DNS 4.0
header RCVD_IN_ANONMAILS eval:check_rbl('anonmails-lastexternal', 'spam.dnsbl.anonmails.de.')
describe RCVD_IN_ANONMAILS Relay is listed in spam.dnsbl.anonmails.de
tflags RCVD_IN_ANONMAILS net
score RCVD_IN_ANONMAILS 4.0
header RCVD_IN_PSBL eval:check_rbl('psbl-lastexternal', 'psbl.surriel.com.')
describe RCVD_IN_PSBL Received via a relay in PSBL
tflags RCVD_IN_PSBL net
score RCVD_IN_PSBL 4.0
# Third argument is a sub-test: only a 127.0.0.2 answer counts as a hit.
header RCVD_IN_WPBL eval:check_rbl('wpbl-lastexternal', 'db.wpbl.info.', '127.0.0.2')
describe RCVD_IN_WPBL Listed in db.wpbl.info
tflags RCVD_IN_WPBL net
score RCVD_IN_WPBL 4.0
Message Headers:
Return-Path: <14318-20883-391829-3821-me=mydomain.co.uk@mail.acraforfre.xyz>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
mail.mydomain.co.uk
X-Spam-Level: ***
X-Spam-Status: No, score=3.1 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
DKIM_VALID_AU,HTML_MESSAGE,RDNS_NONE,SPF_PASS,URIBL_ABUSE_SURBL,URIBL_BLOCKED
autolearn=no version=3.3.1
X-Original-To: me@mydomain.co.uk
Delivered-To: me.mydomain@mail.mydomain.co.uk
Received: by mail.mydomain.co.uk (Postfix)
id 225DC4831; Mon, 4 Feb 2019 11:51:16 +0000 (GMT)
Delivered-To: me.mydomain@mail.mydomain.co.uk
Received: from gamma.acraforfre.xyz (unknown [89.34.26.114])
by mail.mydomain.co.uk (Postfix) with ESMTP id 96F5E4865
for ; Mon, 4 Feb 2019 11:51:13 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1; d=acraforfre.xyz;
h=Mime-Version:Content-Type:Date:From:Reply-To:Subject:To:Message-ID; i=GiftIdeas@acraforfre.xyz;
bh=KVleqPcsaSlhinYuooQHuyYOsRA=;
b=dc7B8R49U0qqHislu776kEpYX25nYscA1D+XYOiN7j5VMTZY0lNSwWigfpzGc2dekmj+VnO1Y5Qn
lHjybseo4myH0XzZDobSbJFcvURY8MjUukWZGP7FiJQSEbowYE8Lw1S+1dzl8lt7z6NPwr6+3W3V
lgIGl4fahLEBband5Yw=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=k1; d=acraforfre.xyz;
b=YBK/0y98mNfOg8bp62AjsDcBpjTUDwxYPmYRTlYgMYdwzRkewhckflZfnYoXQU6VH4qhAAyezkAk
NjTRgouzVV6OaQuVTS0c2V8ejphHa86qgulW7Kd4qX21tP80z8JDgdkDR7WwlWy9XGvE7aODRUZk
w9FiqxoplLE/HmCA8PA=;
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="f373de478e17074275dc84bc628d208c_5193_5fa95"
Date: Mon, 4 Feb 2019 12:50:30 +0100
From: "Gift Ideas"
Reply-To: "Gift Ideas"
Subject: Personalized Frames, Canvas Art, Teddy Bears, Cards and More
To:
Message-ID: <1q9jeoen88zhr2sp-kc8zupkgtt3qac7s-5193-5fa95@acraforfre.xyz>
Here are the headers in another message I received that have the checks in:
X-Spam-Level: ********
X-Spam-Report:
	*  4.0 RCVD_IN_WPBL RBL: Listed in db.wpbl.info
	*      [173.232.227.166 listed in db.wpbl.info]
	*  0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
	*      See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
	*      for more information.
	*      [URIs: specifitethos.icu]
	* -0.0 SPF_PASS SPF: sender matches SPF record
	*  4.0 RCVD_IN_RBL_DNS RBL: Entries listed in dnsrbl.org RBL
	*      [DNSRBL Active Listing - For More Details Visit:]
	*      [https://dnsrbl.org/lookup.cgi?ip=173.232.227.166]
	*  0.0 HTML_MESSAGE BODY: HTML included in message
	*  0.7 MPART_ALT_DIFF BODY: HTML and text parts are different
	* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
	*      domain
	* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
	*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
	*      valid
	*  1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
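The first set of headers above lists only URIBL_ABUSE_SURBL and URIBL_BLOCKED in X-Spam-Status, and no RCVD_IN_* test at all, which is what you would see if the DNSBL lookups for the connecting relay never returned a listing. The script below (an added example, not code from the post or from SpamAssassin) reproduces what the `-lastexternal` check_rbl rules do, so the result can be compared with the headers: it unfolds the headers, picks the first non-private IP literal in the Received chain, reverses its octets into a DNSBL query name for each zone from the local.cf above, and reports which zones list it, which queries came back with a Spamhaus "refused" return code (127.255.255.x, which Spamhaus sends for example when queries arrive via a public resolver), and whether URIBL_BLOCKED fired. The sample headers and the stub resolver table are constructed; the IP 203.0.113.77 is a documentation address. Running it against a real message means passing the real `socket.gethostbyname` (the default) instead of the stub.

```python
"""Compare the DNSBL status of a message's last external relay with the tests
SpamAssassin recorded. Added example, not part of the original post."""
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample, modelled on the headers in the post (not a real message).
SAMPLE_HEADERS = """\
X-Spam-Status: No, score=3.1 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
    DKIM_VALID_AU,HTML_MESSAGE,RDNS_NONE,SPF_PASS,URIBL_ABUSE_SURBL,URIBL_BLOCKED
    autolearn=no version=3.3.1
Received: by mail.example.test (Postfix)
    id 225DC4831; Mon, 4 Feb 2019 11:51:16 +0000 (GMT)
Received: from gamma.example.invalid (unknown [203.0.113.77])
    by mail.example.test (Postfix) with ESMTP id 96F5E4865
    for <me@example.test>; Mon, 4 Feb 2019 11:51:13 +0000 (GMT)
"""

# Zones taken from the local.cf rules in the post.
ZONES = ["zen.spamhaus.org", "sbl.spamhaus.org", "b.barracudacentral.org",
         "bl.spamcop.net", "psbl.surriel.com", "db.wpbl.info"]

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def unfold(headers: str) -> str:
    """RFC 5322 folding: a line starting with whitespace continues the header above."""
    return re.sub(r"\r?\n[ \t]+", " ", headers)


def last_external_ip(headers: str) -> Optional[str]:
    """First non-internal IPv4 literal in the Received chain, read newest-first.
    This is the relay the "-lastexternal" RBL sets in local.cf look up."""
    for m in re.finditer(r"^Received: from .*?\[(\d{1,3}(?:\.\d{1,3}){3})\]",
                         unfold(headers), re.M):
        addr = ipaddress.ip_address(m.group(1))
        if not any(addr in net for net in INTERNAL_NETS):
            return str(addr)
    return None


def dnsbl_name(ip: str, zone: str) -> str:
    """DNSBL query names reverse the octets: 1.2.3.4 -> 4.3.2.1.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone.rstrip(".")


def query_dnsbls(ip: str, zones: List[str],
                 resolve: Callable[[str], str] = socket.gethostbyname
                 ) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return ({zone: answer} for listings, {zone: answer} for refused queries).
    NXDOMAIN (gaierror) means "not listed". A 127.255.255.x answer is a Spamhaus
    error code, e.g. a query sent through a public resolver, not a listing."""
    hits, errors = {}, {}
    for zone in zones:
        try:
            answer = resolve(dnsbl_name(ip, zone))
        except socket.gaierror:
            continue
        (errors if answer.startswith("127.255.255.") else hits)[zone] = answer
    return hits, errors


def fired_tests(headers: str) -> List[str]:
    """Test names from the tests= field of X-Spam-Status, with folding removed."""
    m = re.search(r"^X-Spam-Status: .*?tests=(.*?)\s+autolearn=", unfold(headers), re.M)
    return [t.strip() for t in m.group(1).split(",") if t.strip()] if m else []


def diagnose(headers: str, zones: List[str],
             resolve: Callable[[str], str] = socket.gethostbyname) -> dict:
    ip = last_external_ip(headers)
    tests = fired_tests(headers)
    hits, errors = query_dnsbls(ip, zones, resolve) if ip else ({}, {})
    rcvd_in = [t for t in tests if t.startswith("RCVD_IN_")]
    return {
        "relay_ip": ip,
        "listed_in": sorted(hits),
        "query_errors": errors,
        "rcvd_in_tests_fired": rcvd_in,
        "uribl_blocked": "URIBL_BLOCKED" in tests,
        # Listed now, yet no RCVD_IN_* rule fired at scan time: the network
        # lookups did not produce a hit, so this is not a scoring problem.
        "rbl_rules_did_not_fire": bool(hits) and not rcvd_in,
    }


def make_stub_resolver(table: Dict[str, str]) -> Callable[[str], str]:
    """Offline stand-in for socket.gethostbyname; unknown names act as NXDOMAIN."""
    def resolve(name: str) -> str:
        if name in table:
            return table[name]
        raise socket.gaierror(-2, "Name or service not known")
    return resolve


# Constructed answers: listed in zen, refused by sbl, not listed elsewhere.
STUB = make_stub_resolver({
    "77.113.0.203.zen.spamhaus.org": "127.0.0.4",
    "77.113.0.203.sbl.spamhaus.org": "127.255.255.254",
})

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_HEADERS, ZONES, STUB).items():
        print(f"{key}: {value}")
```

If `query_errors` is non-empty or `uribl_blocked` is set on a live run, the mail server's resolver is the thing to look at (a local caching resolver rather than a public one), because no amount of score tuning in local.cf changes a lookup that is being refused.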