Koozali.org: home of the SME Server

Spam headers not inserted in mail header

Offline DeMan

Spam headers not inserted in mail header
« on: April 18, 2009, 07:12:12 AM »
Hi list,

Could someone point me in the right direction to have Spam headers inserted in mail headers?

I have a SME 7.4 mailserver with default installation and I added fetchmail, zarafa and smeserver-qpsmtpd-spamassassinlevelstars rpms.

Below you find a header of a spam mail, yes I still receive spam:

Received: (qmail 23219 invoked by alias); 18 Apr 2009 04:02:07 -0000
Delivered-To: alias-localdelivery-bob@stoutenstorm.be
Received: (qmail 23216 invoked by uid 453); 18 Apr 2009 04:02:07 -0000
X-Virus-Checked: Checked by ClamAV on stoutenstorm.be
Received: from samba.stoutenstorm.be (HELO localhost) (192.168.99.253)
by stoutenstorm.be (qpsmtpd/0.40) with ESMTP; Sat, 18 Apr 2009 06:02:07 +0200
X-Original-To: bob@stoutenstorm.be
Delivered-To: stoutenstormbe@stoutenstorm.be
Received: from mail39.hostbasket.com
by localhost with POP3 (fetchmail-6.2.5)
for bob@stoutenstorm.be (multi-drop); Sat, 18 Apr 2009 06:02:07 +0200 (CEST)
Received: from mailout01-01.mx.hostbasket.com (unknown [192.168.179.111])
by mail39.hostbasket.com (mail39) with ESMTP id 22C4B14000A9
for <bob@stoutenstorm.be>; Sat, 18 Apr 2009 06:00:43 +0200 (CEST)
Received: from unknown (HELO OSRXUURW) ([222.222.160.118])
by avas-i-01.hostbasket.com with ESMTP; 18 Apr 2009 06:00:25 +0200
Message-ID: <000d01c9bfd8$2b6b4020$6400a8c0@impressedcg>
From: "Shana Groves" <impressedcg@theambientecollection.com>
To: <bob@stoutenstorm.be>
Subject: Fast And effective weight loss solutuion, Acai diet available now !
Date: Sat, 18 Apr 2009 11:45:51 +0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0007_01C9BFD8.2B6B4020"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

The spamd log always shows the same result info, ". 0"; something is misconfigured.

@4000000049e8fece2fd1b10c [13151] info: spamd: connection from localhost [127.0.0.1] at port 34773
@4000000049e8fece2fd1b8dc [13151] info: spamd: checking message <20090417221219.22768.qmail@stoutenstorm.be> for qpsmtpd:1005
@4000000049e8fecf17886fdc [13151] info: spamd: clean message (0.0/4.0) for qpsmtpd:1005 in 0.6 seconds, 750 bytes.
@4000000049e8fecf178abdb4 [13151] info: spamd: result: . 0 - scantime=0.6,size=750,user=qpsmtpd,uid=1005,required_score=4.0,rhost=localhost,raddr=127.0.0.1,rport=34773,mid=<20090417221219.22768.qmail@stoutenstorm.be>,autolearn=disabled

Please advise.

Kind regards,

Bob


Offline DeMan

Re: Spam headers not inserted in mail header
« Reply #2 on: April 18, 2009, 09:16:07 PM »
Hi,

Thank you for your reply, I already did configure smeserver-qpsmtpd-spamassassinlevelstars but still no spam headers.

I'll send you more details about the configuration:

spamassassin=service
    BayesAutoLearnThresholdNonspam=0.10
    BayesAutoLearnThresholdSpam=4.00
    DNSAvailable=yes
    MessageRetentionTime=90
    OkLanguages=all
    OkLocales=all
    RejectLevel=12
    ReportSafe=0
    Sensitivity=custom
    SkipRBLChecks=0
    SortSpam=enabled
    Subject=[SPAM]
    SubjectTag=enabled
    TagLevel=4
    UseBayes=0
    status=enabled

spamd=service
    status=enabled

A manual test with spamassassin works correctly:

/usr/bin/spamassassin -tD < /tmp/email.txt
[21142] dbg: logger: adding facilities: all
...
[21142] dbg: rules: running uri tests; score so far=13.792
[21142] dbg: rules: compiled uri tests
[21142] dbg: rules: running rawbody tests; score so far=13.792
[21142] dbg: rules: compiled rawbody tests
[21142] dbg: rules: running full tests; score so far=13.792
[21142] dbg: rules: compiled full tests
[21142] dbg: rules: running meta tests; score so far=13.792
[21142] dbg: rules: compiled meta tests
[21142] dbg: check: is spam? score=13.792 required=4
[21142] dbg: check: tests=HTML_IMAGE_ONLY_08,HTML_MESSAGE,HTML_SHORT_LINK_IMG_1,MIME_BASE64_TEXT,MIME_HTML_MOSTLY,MPART_ALT_DIFF,PYZOR_CHECK,SARE_URI_LET_DIG_PIC,URIBL_GREY,URIBL_WS_SURBL
[21142] dbg: check: subtests=__BOUNCE_CTYPE,__BOUNCE_FROM_DAEMON,__BOUNCE_UNDELIVERABLE_ML,__CT,__CTYPE_HAS_BOUNDARY,__DOS_HAS_ANY_URI,__DOS_RCVD_SAT,__DOS_RELAYED_EXT,__DOS_SINGLE_EXT_RELAY,__FB_NUM_PERCNT,__HAS_ANY_EMAIL,__HAS_ANY_URI,__HAS_MSGID,__HAS_RCVD,__HAS_SUBJECT,__HIGHBITS,__HTML_IMG_ONLY,__HTML_LENGTH_0000_1024,__HTML_LINK_IMAGE,__IMG_ONLY,__LAST_UNTRUSTED_RELAY_NO_AUTH,__LOANURIFVGT,__LOCAL_PP_NONPPURL,__MIME_BASE64,__MIME_HTML,__MIME_VERSION,__MISSING_REF,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__MSOE_MID_WRONG_CASE,__NAKED_TO,__NONEMPTY_BODY,__SANE_MSGID,__SARE_BODY_BLANKS_5_100,__SARE_BODY_BLNK_5_100,__SARE_HAS_FG_COLOR,__SARE_HEAD_MIME_VALID,__SARE_HTML_HAS_A,__SARE_HTML_HAS_BR,__SARE_HTML_HAS_FONT,__SARE_HTML_HAS_IMG,__SARE_HTML_HAS_TITLE,__SARE_META_MURTY3,__SARE_URI_ANY,__SARE_URI_LET_DIG_PIC,__SARE_WHITELIST_FLAG,__TAG_EXISTS_BODY,__TAG_EXISTS_HEAD,__TAG_EXISTS_HTML,__TAG_EXISTS_META,__TOCC_EXISTS,__TVD_BODY,__TVD_MIME_ATT_TP
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
        samba.stoutenstorm.be
X-Spam-Level: *************
X-Spam-Status: Yes, score=13.8 required=4.0 tests=HTML_IMAGE_ONLY_08,
        HTML_MESSAGE,HTML_SHORT_LINK_IMG_1,MIME_BASE64_TEXT,MIME_HTML_MOSTLY,
        MPART_ALT_DIFF,PYZOR_CHECK,SARE_URI_LET_DIG_PIC,URIBL_GREY,URIBL_WS_SURBL
        autolearn=disabled version=3.2.5
X-Spam-Report:
        *  0.0 MIME_HTML_MOSTLY BODY: Multipart message mostly text/html MIME
        *  0.0 HTML_MESSAGE BODY: HTML included in message
        *  2.4 HTML_IMAGE_ONLY_08 BODY: HTML: images with 400-800 bytes of words
        *  1.1 MPART_ALT_DIFF BODY: HTML and text parts are different
        *  2.8 MIME_BASE64_TEXT RAW: Message text disguised using base64 encoding
        *  2.8 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
        *  2.1 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
        *      [URIs: member-loan.co.kr]
        *  0.2 URIBL_GREY Contains an URL listed in the URIBL greylist
        *      [URIs: webplus.com.cn]
        *  1.2 SARE_URI_LET_DIG_PIC Suspicious file name for graphic
        *  1.1 HTML_SHORT_LINK_IMG_1 HTML is very short with a linked image
Received: from infoweb.rus.unistuttgart.de (infoweb.rus.unistuttgart.de [198.168.1.0])
        by skylla.rus.unistuttgart.de (Postfix) with ESMTP id E847621240F
        for <zqwchtnirj@empalvicp.net>; Sat,  7 May 2005 10:32:23 +0200 (CEST)
Received: by infoweb.rus.unistuttgart.de (Postfix)
        id 75243F3A93; Sat,  7 May 2005 10:32:17 +0200 (CEST)
Date: Sat,  7 May 2005 10:32:17 +0200 (CEST)
From: MAILER-DAEMON@infoweb.rus.unistuttgart.de (Mail Delivery System)
Subject: [SPAM] Undelivered Mail Returned to Sender
To: zqwchtnirj@empalvicp.net
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
        boundary="6D17DF389F.1115454737/infoweb.rus.unistuttgart.de"
Message-Id: <20050507083217.75243F3A93@infoweb.rus.unistuttgart.de>
X-Spam-Prev-Subject: Undelivered Mail Returned to Sender

This is a MIME-encapsulated message.

--6D17DF389F.1115454737/infoweb.rus.unistuttgart.de
Content-Description: Notification
Content-Type: text/plain

This is the Postfix program at host infoweb.rus.unistuttgart.de.

I'm sorry to have to inform you that the message returned
below could not be delivered to one or more destinations.

For further assistance, please send mail to <postmaster>

If you do so, please include this problem report. You can
delete your own text from the message returned below.

                        The Postfix program

<owner-security-announce@listserv.unistuttgart.de>: unknown user:
    "owner-security-announce"

--6D17DF389F.1115454737/infoweb.rus.unistuttgart.de
Content-Description: Delivery error report
Content-Type: message/delivery-status

Reporting-MTA: dns; infoweb.rus.unistuttgart.de
Arrival-Date: Sat,  7 May 2005 10:32:17 +0200 (CEST)

Final-Recipient: rfc822; owner-security-announce@listserv.unistuttgart.de
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; unknown user: "owner-security-announce"

--6D17DF389F.1115454737/infoweb.rus.unistuttgart.de
Content-Description: Undelivered Message
Content-Type: message/rfc822

Received: from skylla.rus.unistuttgart.de (skylla.rus.unistuttgart.de [141.58.231.9])
        by infoweb.rus.unistuttgart.de (Postfix) with ESMTP id 6D17DF389F
        for <owner-security-announce@listserv.unistuttgart.de>; Sat,  7 May 2005 10:32:17 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
        by skylla.rus.unistuttgart.de (Postfix) with ESMTP id 60AD4210C8A
        for <owner-security-announce@listserv.unistuttgart.de>; Sat,  7 May 2005 10:32:17 +0200 (CEST)
Received: from skylla.rus.unistuttgart.de ([127.0.0.1])
 by localhost (skylla [127.0.0.1]) (amavisd-new, port 10024) with LMTP
 id 14942-01-74 for <owner-security-announce@listserv.unistuttgart.de>;
 Sat,  7 May 2005 10:32:13 +0200 (CEST)
Received: from 222.68.11.10 (unknown [222.68.11.10])
        by skylla.rus.unistuttgart.de (Postfix) with SMTP id A8692214279
        for <owner-security-announce@listserv.unistuttgart.de>; Sat,  7 May 2005 10:32:05 +0200 (CEST)
Received: from 214.103.108.93 by ; Sat, 07 May 2005 10:31:26 +0200
Message-ID: <IFDAALCCGHCFKZGIXGCOCA@yahoo.com>
From: "▒▒▒▒ī▒▒ݸ▒" <zqwchtnirj@empalvicp.net>
Reply-To: "ī▒忬ü▒▒▒▒" <zqwchtnirj@empalvicp.net>
To: owner-security-announce@listserv.unistuttgart.de
Subject: *****SPAM***** =?iso-8859-1?Q?=B9=AB=BC=AD=B7=F9_=B4=E7=C0=CF=C4=AB=B5=E5=B4=EB=C3=E2!!_?= =?iso-8859-1?Q?=C4=AB=B5=E5=C0=DA=B1=DD_=B0=ED=B9=CE=C7=CF=BD=C5=B4=C2_?= =?iso-8859-1?Q?=BA=D0=C0=BA_=BB=E7=B5=CE=B8=A3=BC=BC=BF=E4=2E?=
Date: Sat, 07 May 2005 13:27:26 +0500
X-Mailer: Microsoft Outlook Express 6.00.2462.0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="--8335512931510948"
X-Priority: 3
X-MSMail-Priority: Normal
X-Virus-Scanned: by amavisd-new at skylla.rus.unistuttgart.de
X-Amavis-Alert: BAD HEADER Non-encoded 8-bit data (char C3 hex) in message header 'From': From: "\303\326\300\372\304\253\265\345\261\335\270\256" <z...
X-Spam-Status: Yes, hits=41.693 tagged_above=-999 required=5 tests=BAYES_99,
 DCC_CHECK, DIGEST_MULTIPLE, FORGED_MUA_OUTLOOK, FORGED_OUTLOOK_HTML,
 FROM_ILLEGAL_CHARS, HEAD_ILLEGAL_CHARS, HTML_50_60, HTML_IMAGE_ONLY_08,
 HTML_MESSAGE, MIME_BASE64_TEXT, MIME_BOUND_DD_DIGITS, MIME_HTML_ONLY,
 MIME_HTML_ONLY_MULTI, MISSING_MIMEOLE, MPART_ALT_DIFF, MSGID_SPAM_CAPS,
 MSGID_YAHOO_CAPS, RAZOR2_CF_RANGE_51_100, RAZOR2_CHECK, RCVD_IN_XBL,
 RCVD_NUMERIC_HELO, SUBJ_ILLEGAL_CHARS, URIBL_SC_SURBL
X-Spam-Level: .........................................
X-Spam-Flag: YES

----8335512931510948
Content-Type: text/html;
Content-Transfer-Encoding: base64
----8335512931510948--


--6D17DF389F.1115454737/infoweb.rus.unistuttgart.de--
Spam detection software, running on the system "samba.stoutenstorm.be", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.

Content preview:  This is the Postfix program at host infoweb.rus.unistuttgart.de.
   I'm sorry to have to inform you that the message returned below could not
   be delivered to one or more destinations. For further assistance, please
  send mail to <postmaster> [...]

Content analysis details:   (13.8 points, 4.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 MIME_HTML_MOSTLY       BODY: Multipart message mostly text/html MIME
 0.0 HTML_MESSAGE           BODY: HTML included in message
 2.4 HTML_IMAGE_ONLY_08     BODY: HTML: images with 400-800 bytes of words
 1.1 MPART_ALT_DIFF         BODY: HTML and text parts are different
 2.8 MIME_BASE64_TEXT       RAW: Message text disguised using base64 encoding
 2.8 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
 2.1 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                            [URIs: member-loan.co.kr]
 0.2 URIBL_GREY             Contains an URL listed in the URIBL greylist
                            [URIs: webplus.com.cn]
 1.2 SARE_URI_LET_DIG_PIC   Suspicious file name for graphic
 1.1 HTML_SHORT_LINK_IMG_1  HTML is very short with a linked image


Any hint is welcome.

Kind regards,

Bob

Offline cactus

Re: Spam headers not inserted in mail header
« Reply #3 on: April 18, 2009, 09:58:58 PM »
> A manual test with spamassassin works correctly:
>
> /usr/bin/spamassassin -tD < /tmp/email.txt

Was this test done with the actual message from your first post or just some random one?
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

Offline DeMan

Re: Spam headers not inserted in mail header
« Reply #4 on: April 19, 2009, 08:15:33 AM »
Hi,

This is a test message downloaded from /usr/bin/wget http://www200.pair.com/mecham/email.txt

Messages on my mailserver are stored in a mysql database, remember I use Zarafa.

Kind regards,

Bob

Offline cactus

Re: Spam headers not inserted in mail header
« Reply #5 on: April 19, 2009, 08:52:33 AM »
> Messages on my mailserver are stored in a mysql database, remember I use Zarafa.

Sorry, I am unfamiliar with the internals of Zarafa, was not aware it stored all mail in MySQL.

Offline kruhm

Re: Spam headers not inserted in mail header
« Reply #6 on: April 19, 2009, 12:04:35 PM »
the message is coming from your FETCHMAIL. AFAIK, these messages skip SA checking.
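
Added example, not part of the thread or of SME Server: a Python check that tells whether a delivered message has any X-Spam-* headers, whether it passed through a fetchmail POP3 hop, and whether its Message-ID appears in a spamd result line. The function names are hypothetical; the sample header and log line are abridged from the first post.

```python
import re
from datetime import datetime, timezone
from email import message_from_string

# multilog line: TAI64N label, pid, then spamd's "result:" summary.
RESULT_RE = re.compile(
    r"^@(?P<tai>[0-9a-f]{16})[0-9a-f]{8} \[\d+\] info: spamd: result: "
    r"(?P<flag>[Y.]) +(?P<score>-?\d+) - .*?\bmid=(?P<mid><[^>]*>)"
)

def tai64_to_utc(hex_secs):
    # Same arithmetic as tai64nlocal: drop the 2**62 bias and the 10 s TAI offset.
    return datetime.fromtimestamp(int(hex_secs, 16) - (1 << 62) - 10, tz=timezone.utc)

def spamd_results(log_text):
    """Map Message-ID -> (utc_time, is_spam, score) for each spamd result line."""
    out = {}
    for line in log_text.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            out[m["mid"]] = (tai64_to_utc(m["tai"]), m["flag"] == "Y", int(m["score"]))
    return out

def audit(raw_message, log_text):
    """Report SA headers, fetchmail hop and spamd log entry for one message."""
    msg = message_from_string(raw_message)
    mid = (msg["Message-ID"] or "").strip()
    received = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    return {
        "message_id": mid,
        "spam_headers": sorted(k for k in msg.keys() if k.lower().startswith("x-spam-")),
        "fetchmail_hop": any("with POP3 (fetchmail" in h for h in received),
        "spamd_result": spamd_results(log_text).get(mid),
    }

# Sample data abridged from the first post in this thread.
SAMPLE_MESSAGE = """\
Received: from mail39.hostbasket.com
 by localhost with POP3 (fetchmail-6.2.5)
 for bob@stoutenstorm.be (multi-drop); Sat, 18 Apr 2009 06:02:07 +0200 (CEST)
Message-ID: <000d01c9bfd8$2b6b4020$6400a8c0@impressedcg>
"""
SAMPLE_LOG = (
    "@4000000049e8fecf178abdb4 [13151] info: spamd: result: . 0 - scantime=0.6,"
    "size=750,user=qpsmtpd,uid=1005,required_score=4.0,rhost=localhost,raddr=127.0.0.1,"
    "rport=34773,mid=<20090417221219.22768.qmail@stoutenstorm.be>,autolearn=disabled"
)
if __name__ == "__main__":
    print(audit(SAMPLE_MESSAGE, SAMPLE_LOG))
```

On the sample from the first post this reports no X-Spam-* headers, a fetchmail hop, and no spamd result for that Message-ID; the posted log lines record a scan of a different, 750-byte message.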

Offline DeMan

Re: Spam headers not inserted in mail header
« Reply #7 on: April 19, 2009, 12:56:45 PM »
Hi,

That could explain this behavior.

How can I force SA checking for incoming message from fetchmail?

Kind regards,

Bob

Offline CharlieBrady

Re: Spam headers not inserted in mail header
« Reply #8 on: April 19, 2009, 03:46:02 PM »
> How can I force SA checking for incoming message from fetchmail?

That's off-topic for this forum:

Discussion of the use of *ONLY* the components and features included on the SME Server 7.x CD.

Offline DeMan

Re: Spam headers not inserted in mail header
« Reply #9 on: April 19, 2009, 05:30:26 PM »
Hi,

I understand, I'll drop this question on the contrib forum.

Offline cactus

Re: Spam headers not inserted in mail header
« Reply #10 on: April 19, 2009, 08:13:25 PM »
> I understand, I'll drop this question on the contrib forum.

Don't bother, we can move it there.

Moving this topic to SME 7.x Contribs as it is more appropriate there.