Too many emails blocked tagged with spam since spamassassin update


Post by FAP-RTI » 23 Aug 2021 14:41

Hello there,

Recently we have found that eFa is tagging too many messages as spam. Apparently some clean emails are being blocked. This started happening after the last update, and I can't find what changed since then.
Looking for some help.

This is the summary email from the update itself:

Installing:
spamassassin_eFa x86_64 3.4.6-1.eFa.el7 eFa4 1.1 M
replacing spamassassin.x86_64 3.4.4-2.eFa.el7
Updating:
dcc x86_64 1:2.3.167-2.eFa.el7 eFa4 985 k
eFa noarch 1:4.0.4-18.eFa.el7 eFa4 118 k

Does anyone have any clue?
Thanks


Post by shawniverson » 25 Aug 2021 14:51

I'm sure there were substantial spamassassin rule updates.

Do you have a spam report sample you could share?


Post by FAP-RTI » 09 Sep 2021 16:15

Hello,

sorry for the late reply.
Here are 3 sample spam reports from 3 emails that shouldn't be blocked.

SpamAssassin Score: 4.54
Spam Report:
Score Matching Rule Description
0.00 DKIM_ADSP_CUSTOM_MED No valid author signature, adsp_override is CUSTOM_MED
0.10 DKIM_INVALID DKIM or DK signature exists, but is not valid
0.10 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
0.00 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
0.25 GMD_PRODUCER_GPL PDF producer was GPL Ghostscript
0.00 HTML_MESSAGE HTML included in message
1.20 NML_ADSP_CUSTOM_MED ADSP custom_med hit, and not from a mailing list
-0.00 RCVD_IN_DNSWL_NONE Sender listed at https://www.dnswl.org/, no trust
-0.00 RCVD_IN_MSPIKE_H2 Average reputation (+2)
1.27 RDNS_NONE Delivered to internal network by a host with no rDNS
0.92 SPF_FAIL SPF: sender does not match SPF record (fail)
1.38 SPOOFED_FREEMAIL
0.00 SPOOFED_FREEMAIL_NO_RDNS From SPOOFED_FREEMAIL and no rDNS
0.10 TO_IN_SUBJ To address is in Subject
-0.80 TXREP Score normalizing based on sender's reputation
0.01 T_FREEMAIL_DOC_PDF MS document or PDF attachment, from freemail

SpamAssassin Score: 4.30
Spam Report:
Score Matching Rule Description
0.10 DKIM_INVALID DKIM or DK signature exists, but is not valid
0.10 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
1.19 FORGED_HOTMAIL_RCVD2 hotmail.com 'From' address, but no 'Received:'
0.00 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
1.28 HTML_IMAGE_ONLY_24 HTML: images with 2000-2400 bytes of words
0.00 HTML_MESSAGE HTML included in message
-0.00 RCVD_IN_DNSWL_NONE Sender listed at https://www.dnswl.org/, no trust
-0.00 RCVD_IN_MSPIKE_H2 Average reputation (+2)
1.27 RDNS_NONE Delivered to internal network by a host with no rDNS
0.92 SPF_FAIL SPF: sender does not match SPF record (fail)
0.00 SPOOFED_FREEMAIL_NO_RDNS From SPOOFED_FREEMAIL and no rDNS
-0.57 TXREP Score normalizing based on sender's reputation

SpamAssassin Score: 6.40
Spam Report:
Score Matching Rule Description
0.00 DKIM_ADSP_CUSTOM_MED No valid author signature, adsp_override is CUSTOM_MED
0.10 DKIM_INVALID DKIM or DK signature exists, but is not valid
0.10 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
0.00 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
1.00 FREEMAIL_REPLY From and body contain different freemails
1.50 HTML_FONT_TINY_NORDNS Font too small to read, no rDNS
0.00 HTML_MESSAGE HTML included in message
0.64 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag
0.10 MIME_HTML_ONLY Message only has text/html MIME parts
1.20 NML_ADSP_CUSTOM_MED ADSP custom_med hit, and not from a mailing list
-0.00 RCVD_IN_DNSWL_NONE Sender listed at https://www.dnswl.org/, no trust
-0.00 RCVD_IN_MSPIKE_H2 Average reputation (+2)
1.27 RDNS_NONE Delivered to internal network by a host with no rDNS
0.92 SPF_FAIL SPF: sender does not match SPF record (fail)
0.00 SPOOFED_FREEMAIL_NO_RDNS From SPOOFED_FREEMAIL and no rDNS
-0.45 TXREP Score normalizing based on sender's reputation
0.01 T_FREEMAIL_DOC_PDF MS document or PDF attachment, from freemail
0.01 T_REMOTE_IMAGE Message contains an external image
0.00 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/Dns ... nsbl-block for more information.


Post by shawniverson » 10 Sep 2021 03:11

On second thought....

1.27 RDNS_NONE Delivered to internal network by a host with no rDNS

These senders are breaking a basic rule of email that a reverse DNS record must be present. If you want these emails, you should consider adjusting your scores for these senders.
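
An added example, not written by anyone in this thread: a Python sketch that parses reports in the format pasted above, lists the rules that score in every report, and recomputes a report's total under a hypothetical rescore. The function names are assumptions of this example; the sample data is the first two reports from the thread with zero-score lines omitted.

```python
import re

# Rule line of the report format pasted in the thread: "<score> <RULE> <description>"
RULE_LINE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\b")

# First two reports from the thread, zero-score lines omitted for brevity.
SAMPLE = """\
SpamAssassin Score: 4.54
Score Matching Rule Description
0.10 DKIM_INVALID DKIM or DK signature exists, but is not valid
0.10 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
0.25 GMD_PRODUCER_GPL PDF producer was GPL Ghostscript
1.20 NML_ADSP_CUSTOM_MED ADSP custom_med hit, and not from a mailing list
1.27 RDNS_NONE Delivered to internal network by a host with no rDNS
0.92 SPF_FAIL SPF: sender does not match SPF record (fail)
1.38 SPOOFED_FREEMAIL
0.10 TO_IN_SUBJ To address is in Subject
-0.80 TXREP Score normalizing based on sender's reputation
0.01 T_FREEMAIL_DOC_PDF MS document or PDF attachment, from freemail
SpamAssassin Score: 4.30
Score Matching Rule Description
0.10 DKIM_INVALID DKIM or DK signature exists, but is not valid
0.10 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
1.19 FORGED_HOTMAIL_RCVD2 hotmail.com 'From' address, but no 'Received:'
1.28 HTML_IMAGE_ONLY_24 HTML: images with 2000-2400 bytes of words
1.27 RDNS_NONE Delivered to internal network by a host with no rDNS
0.92 SPF_FAIL SPF: sender does not match SPF record (fail)
-0.57 TXREP Score normalizing based on sender's reputation
"""

def parse_reports(text):
    """Split pasted text into reports; return a list of {rule: score} dicts."""
    reports = []
    for line in text.splitlines():
        if line.startswith("SpamAssassin Score:"):
            reports.append({})           # a new report starts here
        elif reports and (m := RULE_LINE.match(line)):
            reports[-1][m.group(2)] = float(m.group(1))
    return reports

def common_contributors(reports, min_score=0.5):
    """Rules scoring >= min_score in every report, with their summed score."""
    shared = set.intersection(*(
        {r for r, s in rep.items() if s >= min_score} for rep in reports))
    return {r: round(sum(rep[r] for rep in reports), 2) for r in sorted(shared)}

def what_if(report, overrides):
    """Total of one report if the rules in `overrides` were rescored."""
    return round(sum(overrides.get(r, s) for r, s in report.items()), 2)
```

On the sample, `common_contributors(parse_reports(SAMPLE))` returns only RDNS_NONE and SPF_FAIL, and `what_if(reports[1], {"RDNS_NONE": 0.0})` gives 3.02 for the message reported at 4.30.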


Post by FAP-RTI » 10 Sep 2021 08:34

Hi there,

Thanks for the fast reply.
Could you elaborate a bit more on that rule and what exactly it means? I'm new to this platform and my understanding of spamassassin is not very good.
And which files do I have to edit to change the values for each rule individually?

Thanks once again.


Post by Aryfir » 10 Sep 2021 17:42

Put this in local.cf, e.g.:

score RDNS_NONE 0.0

But as shawn wrote above, and I fully agree, "These senders are breaking a basic rule of email that a reverse dns record must be present".

What I suggest is to just whitelist those senders' domains, so that other domains that do not have rDNS still get trapped by spamassassin.


Post by henk » 11 Sep 2021 09:51

Take a look at your report.
This one:
The "URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked"
It would make sense to solve this ASAP.

Search this forum for

URIBL_BLOCKED

There will be quite a few hits, but for a start:

viewtopic.php?t=2565
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
