Spam/malware getting through

Questions and answers about how to do stuff
Justin
Posts: 111
Joined: 18 Sep 2014 13:00
Location: The Netherlands

Spam/malware getting through

Post by Justin »

Hi there,

I currently have some issues with spam getting through:

Someone sends an email, which tries to show itself as office@domain.nl

Code:

X-Greylist: whitelisted by SQLgrey-1.8.0
Received: from dnvrco-oedge-vip.email.rr.com (dnvrco-outbound-snat.email.rr.com [107.14.73.231])
     (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
     (No client certificate requested)
     by mx01.bodis.nl (Postfix) with ESMTPS id 8539C120181
     for <dijkman@domain.nl>; Wed, 19 Oct 2016 17:32:12 +0200 (CEST)
Received: from [24.219.76.69] ([24.219.76.69:34584] helo=pyxihad)
     by dnvrco-omsmta01 (envelope-from <botanicbarn@nycap.rr.com>)
     (ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ESMTP
     id FC/7E-11795-5F197085; Wed, 19 Oct 2016 15:32:10 +0000
Message-ID: <0CC344E8960B1844245C05A9D3BF8886@pyxihad>
From: "office" <office@domain.nl>
To: <dijkman@domain.nl>
Subject: parking ticket
Date: Wed, 19 Oct 2016 16:29:16 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
     boundary="----=_NextPart_000_0003_01D22A35.4511BF70"
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Unsent: 1
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3528.331
X-RR-Connecting-IP: 107.14.64.6:2525
He is sending from: botanicbarn@nycap.rr.com
Pretends to be: office@domain.nl

For some reason it does not get marked as spam, scores are:

Code:

Spamassassin Score:	3.85
Spam Report:	
-0.00	BAYES_40	 
1.95	DATE_IN_FUTURE_06_12	 
1.10	DCC_CHECK	 
0.00	HEADER_FROM_DIFFERENT_DOMAINS	 
1.35	RCVD_IN_BL_SPAMCOP_NET	 
-0.00	RCVD_IN_DNSWL_NONE	 
-0.55	RP_MATCHES_RCVD	 
-0.00	SPF_PASS
Does SPF_PASS 0.00 mean it passed the SPF check? If so, there must be something wrong, because it's sending from a different IP than my SPF list.
Any idea how to prevent this kind of nonsense, before one of my clients gets infected?

Running 3.0.1.1 at the moment
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: Spam/malware getting through

Post by ovizii »

what's the actual domain so we can check the SPF record please, or is it actually domain.nl?
'cause if it is domain.nl then I must say that your record spf:domain.nl looks like this: v=spf1 -all and always matches.

apart from that, not sure what you are expecting, do you want stricter treatment of SPAM?
Justin
Posts: 111
Joined: 18 Sep 2014 13:00
Location: The Netherlands

Re: Spam/malware getting through

Post by Justin »

ovizii wrote: what's the actual domain so we can check the SPF record please, or is it actually domain.nl?
'cause if it is domain.nl then I must say that your record spf:domain.nl looks like this: v=spf1 -all and always matches.

apart from that, not sure what you are expecting, do you want stricter treatment of SPAM?
Sorry for the late response, have been very busy.
Sadly enough I cannot supply the domain name due to privacy reasons.

The SPF record contains the following:
v=spf1 ip4:xx.xx.xx.xx/24 ip4:xx.xx.xx.xx/24 ip6:xx.xx.xx.xx::/64 ~all

The IP which is in the mail above, does not match one of the 3 addresses.
Any idea if I can set SPF even sharper?
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Spam/malware getting through

Post by pdwalker »

Interesting question. Short answer, I don't know exactly.

SPF can have three settings for all:
+all - don't care about SPF, accept everything
-all - only accept from SPF defined entries, reject anything else
~all - only SPF defined servers are acceptable, but accept anything else and call it a SoftFail

Now the spamassassin plugin provides multiple functions for spf checks in /var/lib/spamassassin/3.004001/updates_spamassassin_org/25_spf.cf and the scores are set in 50_scores.cf

so, from what I understand, the SPF_PASS should not be triggered from those headers, instead it should be SPF_SOFTFAIL.

I've looked at the SPF.pm code /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/ and I cannot work out why this is happening.

The spamassassin module has lots of debug messages, so it might be a good idea to run spamassassin in debug mode to test that one message to see what's happening. You can do that with these commands:

Code:

cd /var/spool/MailScanner/quarantine/<DATE>/nonspam/
spamassassin -D -t < <MESSAGEID> 2>&1 | less
or

Code:

spamassassin -D -t < <MESSAGEID> 2>&1 | vim -
depending on whether you prefer vim / less to view the results

The message ID of the message can be obtained from the mailwatch interface - basic. It'll be in the message details like this:

Code:

ID:	2912818005D.A8ECB
you can search the debug messages for "spf: " to find the related spf debug messages - that may help you work out why the SPF checks are passing.
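An added example (not code from this thread, MailScanner or SpamAssassin) that evaluates the ip4/ip6/all terms of an SPF record for a connecting IP, to show why SPF_PASS and a spoofed header From can appear together: SPF is checked against the envelope sender, which in the headers above is botanicbarn@nycap.rr.com, not against office@domain.nl. The records are constructed: the domain.nl entry uses documentation networks in place of the xx.xx.xx.xx placeholders, and the nycap.rr.com entry is hypothetical and simply lists the connecting MTA's /24.

```python
import ipaddress

# Constructed SPF records, not real DNS data.
SPF_RECORDS = {
    "domain.nl": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 ip6:2001:db8::/64 ~all",
    "nycap.rr.com": "v=spf1 ip4:107.14.73.0/24 -all",   # hypothetical
}

# Qualifier prefixes from RFC 7208; a bare mechanism means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(ip, domain, records=SPF_RECORDS):
    """Evaluate ip4, ip6 and all mechanisms only (no include/a/mx/redirect)."""
    record = records.get(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]     # "-all" => fail, "~all" => softfail
        mech, _, value = term.partition(":")
        if mech in ("ip4", "ip6"):
            # An address of the other IP version is never inside the network.
            if addr in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"                         # record ended without an "all" term


def spf_results_for_message(connecting_ip, envelope_from, header_from):
    """SPF is evaluated on the envelope sender (MAIL FROM), not the header From."""
    return {
        "envelope": spf_check(connecting_ip, envelope_from.split("@")[1]),
        "header_from": spf_check(connecting_ip, header_from.split("@")[1]),
    }


if __name__ == "__main__":
    # Identities taken from the Received/From headers quoted in the thread.
    print(spf_results_for_message("107.14.73.231",
                                  "botanicbarn@nycap.rr.com",
                                  "office@domain.nl"))
```

The envelope identity passes (so SPF_PASS is consistent with the headers) while the header From domain would only softfail; a DMARC policy on the header From domain, not a tighter SPF record, is what ties the two together.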