CariNet Forums  
Old 07-18-2008, 05:12 PM   #1 (permalink)
Junior Member
 
Join Date: Jun 2008
Location: San Diego, CA
Posts: 15
Post Need help with Spam - Spam Assassin

* Wide-spectrum: SpamAssassin uses a wide variety of local and network tests to identify spam signatures. This makes it harder for spammers to identify one aspect which they can craft their messages to work around.
* Free software: it is distributed under the same terms and conditions as other popular open-source software packages such as the Apache web server.
* Easy to extend: Anti-spam tests and configuration are stored in plain text, making it easy to configure and add new rules.
* Flexible: SpamAssassin encapsulates its logic in a well-designed, abstract API so it can be integrated anywhere in the email stream. The Mail::SpamAssassin classes can be used on a wide variety of email systems including procmail, sendmail, Postfix, qmail, and many others.
* Easy Configuration: SpamAssassin requires very little configuration; you do not need to continually update it with details of your mail accounts, mailing list memberships, etc. Once classified, site and user-specific policies can then be applied against spam. Policies can be applied on both mail servers and later using the user's own mail user-agent application.

Source: SpamAssassin: Welcome to SpamAssassin
knguyen is offline  
Old 07-18-2008, 05:13 PM   #2 (permalink)
Junior Member
 
Join Date: Jun 2008
Location: San Diego, CA
Posts: 15
Post When does Spamassassin begin to use the Spam filter database for filtering mails?

According to the Spamassassin documentation, the Bayes system is not activated until a certain number of ham (non-spam) and spam messages have been learned. The default is 200 each of ham and spam messages. This means that Spamassassin begins to filter mail (according to your training) after 200 spam mails and 200 non-spam mails have been learned. These statistics are needed to distinguish spam mails.

This default value could be changed in /etc/mail/spamassassin/local.cf by using the following spamassassin options:



bayes_min_ham_num 100
bayes_min_spam_num 100


Spamassassin can be trained on a per-mailbox basis on the Mailname->Spam Filter->Training page in Plesk CP.

Source: Mail::SpamAssassin::Conf - SpamAssassin configuration file
knguyen is offline  
Old 07-18-2008, 05:27 PM   #3 (permalink)
Junior Member
 
Join Date: Jun 2008
Location: San Diego, CA
Posts: 15
Post The server is overloaded with SPAM. There are many messages in queue. Mail is deliver

First of all, make sure that all domains have 'Mail to nonexistent user' set to 'Reject' but not to bounce. This can be changed for all domains using "Group Operations" on the "Domains" page in Plesk CP. The 'Reject mail to nonexistent user' feature has been available since Plesk 7.5.3.

Also, make sure that there are no untrusted IPs and networks in the white list.

Check how many messages there are in the Qmail queue with:

# /var/qmail/bin/qmail-qstat
messages in queue: 27645
messages in queue but not yet preprocessed: 82


If the queue has too many messages, try to find where the SPAM is coming from.


If the mail is being sent by an authorized user, but not from a PHP script, you can find which user sent most of the messages with the command below (since Plesk 8). Note that 'SMTP authorization' should be enabled on the server to see these records:

# cat /usr/local/psa/var/log/maillog |grep -I smtp_auth |grep -I user |awk '{print $11}' |sort |uniq -c |sort -n


The path to 'maillog' may differ depending on the OS you use.


The next step is the `qmail-qread` utility, which can be used for reading message headers:

# /var/qmail/bin/qmail-qread
18 Jul 2005 15:03:07 GMT #2996948 9073 <user@domain.com> bouncing
done remote user1@domain1.com
done remote user2@domain2.com
done remote user3@domain3.com
....


It shows each message's sender and recipients. If the message has too many recipients, then it is most likely SPAM. Now try to find this message in the queue by its ID #2996948:

# find /var/qmail/queue/mess/ -name 2996948


Look into the message and find the first "Received" line from the end to find where it was initially sent from. For example, if you find something like:

Received: (qmail 19514 invoked by uid 10003); 13 Sep 2005 17:48:22 +0700

It means that this message was sent via some CGI script by a user with UID 10003. Using this UID you can find the corresponding domain:

# grep 10003 /etc/passwd


If the 'Received' line contains the UID of the 'apache' user (for example "invoked by uid 48"), it means that the SPAM was sent via some PHP script. In this case you can try to find the spammer using information from the spam mails (from/to addresses, subjects or anything else). But usually it is very hard to find the SPAM source in this case. If you are sure that some script is sending SPAM at the current moment (the queue grows very fast), you can use this little script to find out which PHP scripts are running in real time:

# lsof +r 1 -p `ps axww | grep httpd | grep -v grep | awk ' { if(!str) { str=$1 } else { str=str","$1}}END{print str}'` | grep vhosts | grep php


Also, you may refer to article 1711, which describes how to find out which domains mail is being sent from via PHP scripts.

Received lines like:

Received: (qmail 19622 invoked from network); 13 Sep 2005 17:52:36 +0700
Received: from external_domain.com (192.168.0.1)

mean that the message was accepted for delivery via SMTP and the sender is an authorized mail user.

NOTE: you can find how to rebuild the Qmail queue above.
knguyen is offline  
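
The header triage described in post #3 (earliest Received line, then UID to account), applied to every message in the queue at once. This is an added example, not part of the original post; the function names, the `siteuser` account and the sample messages are constructed, and the passwd file is passed as an argument so the script also runs against test data.

```shell
#!/bin/sh
# Added example, not from the thread: triage a qmail queue by injection origin.

# Bottom-most (earliest) Received line of a message's header block.
earliest_received() {
    awk '/^$/ { exit } /^Received:/ { last = $0 } END { print last }' "$1"
}

# Print "uid:<n>:<login>" for local injection, "network" for SMTP, else "none".
# $2 = passwd file (defaults to /etc/passwd). Field 3 (the UID) is matched
# exactly, so a GID or a longer number with the same digits does not match.
classify_origin() {
    line=$(earliest_received "$1")
    uid=$(printf '%s\n' "$line" | sed -n 's/.*invoked by uid \([0-9][0-9]*\)).*/\1/p')
    if [ -n "$uid" ]; then
        login=$(awk -F: -v u="$uid" '$3 == u { print $1; exit }' "${2:-/etc/passwd}")
        echo "uid:$uid:${login:-unknown}"
    elif [ -n "$line" ]; then
        echo "network"
    else
        echo "none"
    fi
}

# Count messages per origin under a queue "mess" directory, busiest last.
summarize_queue() {
    find "$1" -type f | while IFS= read -r f; do
        classify_origin "$f" "$2"
    done | sort | uniq -c | sort -n | awk '{ print $1, $2 }'
}

# Constructed sample data: four messages and a two-line passwd file.
make_sample() {
    mkdir -p "$1/mess/0" "$1/mess/1"
    printf 'apache:x:48:48::/var/www:/sbin/nologin\nsiteuser:x:10003:2524::/var/www/vhosts/example.test:/bin/false\n' > "$1/passwd"
    printf 'Received: (qmail 19514 invoked by uid 10003); 13 Sep 2005 17:48:22 +0700\nSubject: a\n\nbody\n' > "$1/mess/0/2996948"
    printf 'Received: (qmail 19600 invoked by uid 48); 13 Sep 2005 17:50:01 +0700\nSubject: b\n\nReceived: not a header\n' > "$1/mess/0/2996950"
    cp "$1/mess/0/2996950" "$1/mess/1/2996951"
    printf 'Received: (qmail 19622 invoked from network); 13 Sep 2005 17:52:36 +0700\nReceived: from external_domain.com (192.168.0.1)\n\nbody\n' > "$1/mess/1/2996952"
}

# Demo run on the constructed queue; on a real server call
# summarize_queue /var/qmail/queue/mess instead.
d=$(mktemp -d); make_sample "$d"; summarize_queue "$d/mess" "$d/passwd"; rm -rf "$d"
```

Received lines below the ones written by your own server are supplied by the sender, so treat a uid result as a lead to confirm against the mail log.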
Old 07-18-2008, 06:12 PM   #4 (permalink)
Cari.net Staff
 
SBennett's Avatar
 
Join Date: May 2008
Location: San Diego
Posts: 58
Default cPanel Spam Assassin Tutorial

Just for some extra help / information on Spam Assassin.
This is the tutorial for using Spam Assassin through cPanel.
cpanel_x3_spamassassin
__________________
Shawn Bennett
Account Executive

Cari.net

sbennett@cari.net
888 221 5902 Ext 106
SBennett is offline  
All times are GMT -7. The time now is 07:09 AM.