Question Spamassassin scoring spam 0 or negative

augusto_wagner

New Pleskian
Server operating system version
Ubuntu 18.04.6 LTS
Plesk version and microupdate number
Plesk Obsidian 18.0.68 Update #2
Hi all,

We're currently experiencing a high amount of spam reaching our inboxes (some users with over 20 spam emails per day).
Currently our spam score limit is 2.

Looking into the spamd logs I've noticed that a lot of spam emails are being scored 0 or in the negatives, allowing them to reach the users' inboxes.

E.g.:
spamd: result: . 1 - BAYES_00,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,SPF_PASS,URIBL_ABUSE_SURBL,URIBL_DBL_SPAM scantime=1.9,size=7163,user=[email protected],uid=30,required_score=2.0,rhost=::1,raddr=::1,rport=53964,mid=<[email protected]>,bayes=0.000000,autolearn=no autolearn_force=no

spamd: result: . -2 - BAYES_00,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,SPF_PASS,T_KAM_HTML_FONT_INVALID scantime=2.4,size=1098760,user=[email protected],uid=30,required_score=2.0,rhost=::1,raddr=::1,rport=49916,mid=<[email protected]>,bayes=0.000000,autolearn=unavailable autolearn_force=no

I've asked users to report these emails as spam to help with the SpamAssassin autolearning, but it hasn't had an impact.

Would you have any suggestions?
 
Are you using the Plesk Email Security extension or just the plain default SpamAssassin component?

In any case, IMHO using a spam score threshold of 2 is really low. Instead of lowering the score threshold, you get much better results if you customize your SpamAssassin configuration. These are some posts that might help you better understand SpamAssassin:



If you don't like or want to manually configure SpamAssassin, I recommend using the Warden Anti-spam and Virus Protection extension for Plesk. It is a paid extension, but by far the best anti-spam option for Plesk in my opinion.
 
Hi Kaspar,
I am using the Plesk Email Security extension in an almost default state, only some blacklisted domains & blocking list added.

Thank you for the documentation! I will look into custom SpamAssassin rules & keep the Warden extension in mind.
 
> I am using the Plesk Email Security extension in an almost default state, only some blacklisted domains & blocking list added.

In that case I do want to point out that daily spam training is limited to the paid version of the Plesk Email Security extension. Just in case you weren't aware :)
 
I've seen a similar thing on at least one of our servers and I'm still investigating it.
Lately a LOT of emails have huge negative scores (-3 to -8 points) on various "_VALIDITY_" as well as "DEF_DKIM_WL" and "DEF_SPF_WL" checks...

So far I could not find out WHY these checks score such massive negative points, as all the configuration files for these checks have a score of -0.01 or 0 defined for them.
As for why these mails even manage to somehow trigger these checks, that's another matter I'm looking into.

For me it seems almost like spammers/scammers managed to infiltrate the SpamAssassin project, manipulated the rulesets and found a way to tag their mails with attributes that will force these "no spam" scores...
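
The spamd result lines quoted in the first post can be triaged mechanically. The following is an added example, not part of any post in this thread: it parses constructed sample lines (placeholder user values; the names `parse_result` and `triage` are hypothetical) and lists why a message passed as ham deserves review, relying on the stock SpamAssassin convention that rule names ending in `_BLOCKED` are notices that the DNS list refused the query.

```python
import re

# Constructed sample lines modelled on the two spamd entries quoted in the
# thread; user values are placeholders and the third line is invented.
SAMPLE_LOG = [
    "spamd: result: . 1 - BAYES_00,DKIM_SIGNED,DKIM_VALID,HTML_MESSAGE,"
    "RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,SPF_PASS,"
    "URIBL_ABUSE_SURBL,URIBL_DBL_SPAM scantime=1.9,size=7163,user=a@example.test,"
    "required_score=2.0,bayes=0.000000,autolearn=no autolearn_force=no",
    "spamd: result: . -2 - BAYES_00,DKIM_SIGNED,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,"
    "RCVD_IN_MSPIKE_WL,RCVD_IN_VALIDITY_RPBL_BLOCKED,SPF_PASS scantime=2.4,"
    "size=1098760,user=b@example.test,required_score=2.0,bayes=0.000000,"
    "autolearn=unavailable autolearn_force=no",
    "spamd: result: Y 12 - BAYES_99,URIBL_DBL_SPAM scantime=0.8,size=2048,"
    "user=a@example.test,required_score=2.0,bayes=1.000000,autolearn=no",
]

RESULT_RE = re.compile(r"spamd: result: ([Y.])\s+(-?\d+)\s+-\s+([A-Za-z0-9_,]*)\s+(.*)$")

def parse_result(line):
    """Split one spamd 'result:' line into verdict, score, rule hits, fields."""
    m = RESULT_RE.search(line)
    if m is None:
        return None
    fields = dict(kv.split("=", 1) for kv in re.split(r"[,\s]+", m.group(4)) if "=" in kv)
    return {"is_spam": m.group(1) == "Y", "score": int(m.group(2)),
            "tests": [t for t in m.group(3).split(",") if t], "fields": fields}

def triage(line):
    """Explain why a message that was passed as ham deserves a second look."""
    r = parse_result(line)
    if r is None or r["is_spam"]:
        return []
    reasons = []
    # Stock rules ending in _BLOCKED are administrator notices: the DNS list
    # refused the query, so that list added no evidence either way.
    blocked = [t for t in r["tests"] if t.endswith("_BLOCKED")]
    if blocked:
        reasons.append("dns lookups refused: " + ",".join(blocked))
    listed = [t for t in r["tests"] if t.startswith("URIBL_") and t not in blocked]
    if listed:
        reasons.append("URI blocklist hit but passed: " + ",".join(listed))
    # bayes close to 0 means the Bayes database rated the message as ham.
    if listed and float(r["fields"].get("bayes", "0.5")) < 0.01:
        reasons.append("bayes rates a blocklisted message as ham")
    return reasons

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(triage(entry))
```

Running it over a real spamd log groups the passed messages by cause: refused DNS list queries, URI blocklist hits that were outweighed, and a Bayes database that classifies listed mail as ham.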
 