Resolved Spam Filter Whitelist Not Working 100%

[David Jimenez]

We have Spamassassin set to 3 for the server and 3 for each individual mailbox. I was told that the individual settings override the server settings; however, we still see items that are whitelisted on an individual mailbox showing up in that mailbox's junk folder. Here is an example:

Whitelist: *@*voltlighting.com

Junk folder caught: [email protected]

Since the server whitelist only seems to want network IP addresses, the only whitelists are those for each mailbox.

Any thoughts on why we get whitelisted items still put into the junk folders? Ultimately, we would like to just reject all spam items but don't want to do that until we know the whitelists are working correctly.

Thanks in advance for any advice.

 

[danami]

> We have Spamassassin set to 3 for the server and 3 for each individual mailbox.

I think that your spamassassin is not configured correctly. I've never seen any situation where you would be setting your spam score that aggressive. The lowest I would recommend is 5 or 6.

> Since the server whitelist only seems to want network IP addresses, the only whitelists are those for each mailbox.

I think you are looking in the wrong place (You are looking at the MTA whitelists ). Spamassassin global whitelists are available at: Tools & Settings -> Spam Filter -> Whitelist

 

[David Jimenez]

> We have Spamassassin set to 3 for the server and 3 for each individual mailbox.

I think that your spamassassin is not configured correctly. I've never seen any situation where you would be setting your spam score that aggressive. The lowest I would recommend is 5 or 6.

> Since the server whitelist only seems to want network IP addresses, the only whitelists are those for each mailbox.

I think you are looking in the wrong place (You are looking at the MTA whitelists ). Spamassassin global whitelists are available at: Tools & Settings -> Spam Filter -> Whitelist

I did some reading on the topic and also talked to our service provider and they indicated that 3 was a good balance for aggressive spam filtering. We aren't finding a lot of real email in our junk folder in webmail, so it seems to be about right for us.

Yes, the server-side white list is where you indicated and we have also duplicated all the individual whitelists on the server spam filter whitelist, including the one in my example. So, they are in two whitelists but still end up in the junk folder of the intended recipient.

 

[danami]

> I did some reading on the topic and also talked to our service provider and they indicated that 3 was a good balance for aggressive spam filtering
When things are configured correctly then spamassassin should be producing much higher scores.

> Yes, the server-side white list is where you indicated and we have also duplicated all the individual whitelists on the server spam filter whitelist, including the one in my example. So, they are in two whitelists but still end up in the junk folder of the intended recipient.

What is the syntax of your whitelists? Normally any whitelisted email gets a -100 to its spam store so there is no way it should be going to your spam folders.

 

[David Jimenez]

Here is the syntax for my example:

server whitelist is the actual email address: [email protected]
the mailbox whitelist uses wildcards: *@*voltlighting.com

 

[danami]

grep your maillogs for the email. Eveything spamsassassin is doing should be logged there including its spam score:

grep voltlighting.com /var/log/maillog | grep spamd

 

[David Jimenez]

I'm not an expert on SSH, but if I use the exact term (grep voltlighting.com /var/log/maillog | grep spamd) and logging in as root, that command returned nothing.

 

[danami]

It may have been log rotated:

zgrep <email you want to search for> /var/log/maillog* | grep spamd

Its just an example.

 

[David Jimenez]

Thanks. Log rotation was the case. Looks like it knows the incoming email address was whitelisted???

/var/log/maillog.processed:Jul 4 11:15:13 helios spamd[18013]: spamd: processing message <hmz973bm5ujo88xecr93shzhdlxvgr1m.r1m.1499192160@connect.voltlighting.com> for (email address removed for privacy).com:30
/var/log/maillog.processed:Jul 4 11:15:13 helios spamd[18013]: spamd: result: Y 5 - BAYES_99,BAYES_999,BODYDOG,BODY_SPAMSIG3,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,EMAILLIST1,GENERIC_SPAM33,GENERIC_SPAM43,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_NONE,SUBJ_COMMERCIAL,SUBJ_PERCENT,UNSUBSCRIBE1,URI_MULTINUM1,URI_SPAMMY1,URI_SPAMMY2,URI_SPAMMY3,USER_IN_WHITELIST,UTF8_SUBJECT scantime=1.5,size=53522,user=(email address removed for privacy),uid=30,required_score=3.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=33041,mid=<hmz973bm5ujo88xecr93shzhdlxvgr1m.r1m.1499192160@connect.voltlighting.com>,bayes=1.000000,autolearn=spam autolearn_force=no

 

[danami]

No its not recognizing your whitelist:

spamd: result: Y 5 -

The Y means it was classified as spam with a score of 5.

 

[David Jimenez]

OK, I would have thought the line item of "USER_IN_WHITELIST" was a recognition of the match in the whitelist. I guess I will have to get someone to look harder at the spamassassin setup. Thanks.

 

[danami]

Spamassassin rules should apply a -100 for the rule : USER_IN_WHITELIST. I'm thinking that your rules are messed up somehow. Make sure that USER_IN_WHITELIST isn't set to zero or disabled in /etc/mail/spamassassin/local.cf

 

[danami]

> OK, I would have thought the line item of "USER_IN_WHITELIST" was a recognition of the match in the whitelist.

It is recognizing that the user is in your whitelist its just not applying the -100 score to it which it should be.

 

[David Jimenez]

Thanks. I will check on things and report back my findings.

 

[David Jimenez]

Turns out that whitelist items were not being given the -100 score as a starting point.