Topic: Spamfilter seems to have stopped working!

[dave simmons]

I don't know if I should post here, or if it's a bug, but the spamfilter seems to have stopped working.

It was working perfectly until this weekend (24/8/07).  I have set the server up to mail me when updates are available.  On Friday I received a mail that there were updates available, so I installed them (one update I think).  I didn't change anything else, just the update and a reboot, and then this morning - bam - loads of spam in the mailboxes.  The spam filter hadn't caught anything since Friday's update - everything is coming through!

I didn't look closely at what was being update - I trust the machine and just apply the updates - but I don't think it was anything to do with Spam.

My questions are the following:

1. Is anyone else seeing this?
2. Did this update break spamassassin somehow?
3. Or is it coincidence -I don't really know how the filter works (I've never needed to)
4. How can I easily (and safely) remove the last update to see if the problem goes away - or is this impossible?

Grateful for any suggestions or comments.

[brianr]

Can you see the spamassassin text in the email headers?  - perhaps your could copy and paste one of your email headers here?

cheers

B.

[dave simmons]

Hello Brian,

Thanks for taking the time to reply.  Here is what I think you were asking:

X-Spam-Status: No, hits=1.4 required=4.0
   tests=SARE_ADULT2
X-Spam-Check-By: ********.be

If I understand this correctly, Spamassassin has awarded only 1.4 value and needs 4 to reject.  Are the spammers getting better? (and will the problem then go away automatically as spamassassin catches up?)

The weird thing is that before Friday everything was working perfectly here - the spam filter was catching about 100 spams per user per day (6 users) and letting maybe 3 or 4 spams per user through.  Nearly no false positives.  Unfortunatley our housekeeping is maybe too good because we have deleted all the old junk mails via web mail (so I can't check the headers etc.) - the server is not too powerful or large capacity so we try to clean up regularly.

If you need more info, please ask.

Thanks again,

Dave

[brianr]

Suggest you run

sa-update

and see what happens.

If you get some messages about a gpg key being wrong, then do what the message says, and then run sa-update again.

B.

[dave simmons]

I have just received a spam email - a classic spam text, which I know spamassassin has caught many times before:

"Hello! I am tired today. I am nice girl that would like to chat with you. Email me at pqxh@BestOnset.info only, because I am writing not from my personal email. Would you mind if I share some of my pictures with you?"

The spam header today is:
X-Spam-Status: No, hits=0.0 required=4.0
   tests=

I have looked back through the webmail (one of our guys is on holiday and therefore his junk mail has built up a bit).  I can find the same message (of course from a different address:  On 17 August the spam header (on the same machine) was:

"Hello! I am tired today. I am nice girl that would like to chat with you. Email me at a@mailmessageonline.info only, because I am writing not from my personal email. Will send some of my pictures "

X-Spam-Flag:  YES
X-Spam-Status:  Yes, hits=5.9 required=3.0 tests=DATE_IN_FUTURE_06_12,PYZOR_CHECK

Maybe this will give additional info.

I've just received a message that there's a new post, but will post this anyway in case it helps.

[dave simmons]

Sorry, I should have added, as far as I'm aware I haven't made any changes - certainly not manually or via the web interface.  Only applied updates.

[dave simmons]

Brian - will follow your suggestion and post results.

Thank you.

[dave simmons]

Brian, have followed your suggestion.  Indeed had the message about GPG...

Followed instructions on screen, and now have a command prompt.  Do I need to do the signal-event post-upgrade or reboot, or will it take care of itself?

[brianr]

Do I need to do the signal-event post-upgrade or reboot, or will it take care of itself?

no, you have just updated the SA rules. just stand back and wait for the spam..

B.

[dave simmons]

OK.  The spam's still flooding in.  Is this normal?

Sorry to ask - maybe they're stupid questions, but the beauty of the SME is that is has always just worked, so I have'nt really had to learn anything about the system.  I've been using it since version 5.6, and this is the first time it's done anything weird.

BTW.  The machine has not had a series of upgrades.  It was a new install of 7.? followed by an upgrade to 7.2 follwoing the instructions elsewhere on this site.

[brianr]

Look at the headers now..

{edit} perhaps you'd better try a post-upgrade and reboot, just incase..

B.

[dave simmons]

Here aer examples of the last 3 (since upgrade and a restart):

X-Spam-Status: No, hits=1.7 required=4.0
   tests=SARE_HTML_USL_OBFU

X-Spam-Status: No, hits=1.7 required=4.0
   tests=SARE_HTML_USL_OBFU

(above 2 x the same mail from different addresses - Cialis/Viagra)

X-Spam-Status: No, hits=0.0 required=4.0
   tests=
(this one is for Penis enlargement)

I'm searching through the junk mail file of my colleague to see if there are examples of the same ones, but they are very common spam mail.  If spamassassin can't catch this, there must be a problem.

Maybe my machine has been hacked?  How can I see this?

[dave simmons]

I don't know if this will give any further ideas, I found a command on the forum to show the spamassassin status, and this is what it gives:

BayesAutoLearnThresholdNonspam=0.10
BayesAutoLearnThresholdSpam=4.00
DNSAvailable=yes
MessageRetentionTime=90
OkLanguages=all
OkLocales=all
RejectLevel=12
ReportSafe=0
Sensitivity=custom
SkipRBLChecks=0
SortSpam=enabled
Subject=[SPAM]
SubjectTag=enabled
TagLevel=4
UseBayes=1
status=enabled

Am also doing a fresh install on an old server, and will try replacing the machine.

[brianr]

did you try a re-boot? and you did re-run sa-update after importing the gpg key?

B.

[dave simmons]

Have done reboot (twice).  Also did the signal-event post-upgrade before the reboot.

Spam is coming in about 1 every couple minutes.  Classic spam - Cialis/Viagra/penis enlargement etc. 

Must be something seriously wrong with installation/configuration of Spamassassin - this is very basic stuff.

Have already reinstalled 7.2 on our old server, and am restoring a backup.  Hopefully that will sort it out.

The only thing that worries me is what to do with the updates.  I am sure that I didn't change anything on the server - I only applied the updates via the server-manager.  But it can't be the updates which have caused this otherwise there would be other users with the same problem?