Bug 1380793

Summary: Spamass-milter/postfix accepts some spam messages as ham
Product: [Fedora] Fedora
Reporter: Lars Bjorndal <lars>
Component: spamass-milter
Assignee: Paul Howarth <paul>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 23
CC: paul
Hardware: x86_64   
OS: Linux   
Last Closed: 2016-10-13 16:06:53 UTC
Type: Bug

Description Lars Bjorndal 2016-09-30 14:44:19 UTC
Description of problem: I'm in the process of moving from using postfix and spamassassin through amavisd-new to spamassassin through spamass-milter. After enabling spamass-milter and before removing amavisd, I notice that some mail messages are still caught by amavisd.

To demonstrate the problem, I paste the headers of a message in question, where I've replaced the actual local user by testuser.

Code:
From MAILER-DAEMON Fri Sep 30 07:55:02 2016
Return-Path: <>
Delivered-To: spam-quarantine
X-Envelope-From:
	<bounce-a414-6785-6787-testuser=lamasti.net=4>
X-Envelope-To: <testuser>
X-Envelope-To-Blocked: <testuser>
X-Quarantine-ID: <7uibeJIOzTnR>
X-Spam-Flag: YES
X-Spam-Score: 8.295
X-Spam-Level: ********
X-Spam-Status: Yes, score=8.295 tag=2 tag2=6.2 kill=6.9
	tests=[DKIM_SIGNED=0.1, HTML_IMAGE_ONLY_24=1.282, HTML_MESSAGE=0.001,
	MIME_HTML_ONLY=1.105, RAZOR2_CF_RANGE_51_100=0.365,
	RAZOR2_CF_RANGE_E8_51_100=2.43, RAZOR2_CHECK=1.729, RDNS_NONE=1.274,
	SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=no autolearn_force=no
Authentication-Results: dalen.lamasti.net (amavisd-new);
	dkim=fail (1024-bit key)
	reason="fail (OpenSSL error: data too large for modulus)"
	header.d=select76.com
Received: from dalen.lamasti.net ([127.0.0.1])
	by localhost (dalen.lamasti.net [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id 7uibeJIOzTnR for <testuser>;
	Fri, 30 Sep 2016 09:55:02 +0200 (CEST)
X-Greylist: delayed 3063 seconds by postgrey-1.36 at dalen.lamasti.net; Fri, 30 Sep 2016 09:55:01 CEST
Received: from relay578.mysmtp.mobi (unknown [93.90.122.170])
	by dalen.lamasti.net (Postfix) with ESMTP id 7328B2403B
	for <testuser>; Fri, 30 Sep 2016 09:55:01 +0200 (CEST)
Received: from relay578.mysmtp.mobi (relay578.mysmtp.mobi [93.90.122.47]) 
	by relay578.mysmtp.mobi (Postfix) with ESMTPSA id 54DEB140A54
	for <testuser>; Fri, 30 Sep 2016 09:03:57 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=select76.com;
	s=default; t=1475219037;
	bh=+6XoX5TqaDLcnr255zE4ksdr6dMpKOpScHHOmzqiqL4=;
	h=Subject:From:To:Reply-To:Date:List-Unsubscribe;
	b=vsbJZYKprCn6ZQKTBn3Ye6Xum4TQlQHNusBXnEerNKa57rh9J2g9feHpli4QxHn7e
	 D7IpUVg5np09d8c3MjKVPssjP7Rf1JkIcgWF61ciCB7kzTFoXaatXR2NdkBPXg7Imv
	 6L00b/hc3dZ+Gk6z2rx2b5Vw76voTXyj0W9uoBKk=
Received: (GreenArrow 28954 invoked by uid 410); 30 Sep 2016 07:03:57 -0000
Subject: Lav rente fra bare 6,99%
From: =?UTF-8?B?Tnl0dCBsw6Vu?= <info>
To: testuser
Sender: info
Reply-To: reply
Date: 30 Sep 2016 07:03:57 -0000
List-Unsubscribe: <http://select76.com/ga/unsubscribe/2-129809957-414-3545-6787-53adb8bbbd3de5b-9ad1e46ca8>,
 <bounce-a414-6785-6787-testuser=lamasti.net=4u>
X-CampaignID: s4:6785-ae5feb6d57c786ca
Message-ID: <mid-846bb2c8c3ada579e237486e47d94634>
X-Mailer-Info: 4.QY0EDN.gN3gTN.wahJXauImavJnbkFGbAxWYtF2c0lmLuVGd.gN3gzN
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Flag: YES
X-Spam-Status: Yes, score=6.8 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,HTML_IMAGE_ONLY_24,HTML_MESSAGE,MIME_HTML_ONLY,
	RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,SPF_PASS
	autolearn=no autolearn_force=no version=3.4.1
X-Spam-Report: 
	* -0.0 SPF_PASS SPF: sender matches SPF record
	*  1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
	*  0.0 HTML_MESSAGE BODY: HTML included in message
	*  1.3 HTML_IMAGE_ONLY_24 BODY: HTML: images with 2000-2400 bytes of words
	* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
	* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
	*       domain
	*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
	*      valid
	*  0.4 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
	*      [cf: 100]
	*  1.7 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
	*  2.4 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
	*      above 50%
	*      [cf: 100]
X-Spam-Level: ******
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on dalen.lamasti.net
Status: O
Content-Length: 2390
Lines: 47

As you can see, there are two different score values from spamassassin. As I understand, one with score 8.x from spamassassin through amavisd and 6.x from spamassassin through spamass-milter.

I don't know if this is related, but when spamass-milter starts with the debug flag, I get the following message:

Code:
Could not retrieve sendmail macro "i".   Please add it to confMILTER_MACROS_ENVFROM for better spamassassin results


Postconf |grep milter_connect_macro outputs

Code:
milter_connect_macros = j {daemon_name} v {if_name} _


I tried to insert an "i" into this line, at the beginning, but that didn't change anything.

Version-Release number of selected component (if applicable): 0.4.0


How reproducible:


Steps to Reproduce:
1. Set up postfix to use spamassassin through amavisd, and then add the spamass-milter

Actual results:
After enabling spamass-milter, there are still some messages caught by spamassassin through amavisd.

Expected results:
No messages should be caught by spamassassin through amavisd, if the threshold is the same.

Additional info:

Comment 1 Paul Howarth 2016-09-30 15:15:18 UTC
(In reply to Lars Bjorndal from comment #0)
> Description of problem: I'm in the process of moving from using postfix and
> spamassassin through amavisd-new to spamassassin through spamass-milter.
> After enabling spamass-milter and before removing amavisd, I notice that
> some mail messages are still caught by amavisd.
> 
> To demonstrate the problem, I paste the headers of a message in question,
> where I've replaced the actual local user by testuser.
> 
...
> X-Spam-Status: Yes, score=8.295 tag=2 tag2=6.2 kill=6.9
> 	tests=[DKIM_SIGNED=0.1, HTML_IMAGE_ONLY_24=1.282, HTML_MESSAGE=0.001,
> 	MIME_HTML_ONLY=1.105, RAZOR2_CF_RANGE_51_100=0.365,
> 	RAZOR2_CF_RANGE_E8_51_100=2.43, RAZOR2_CHECK=1.729, RDNS_NONE=1.274,
> 	SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=no autolearn_force=no
...
> Received: from relay578.mysmtp.mobi (unknown [93.90.122.170])
> 	by dalen.lamasti.net (Postfix) with ESMTP id 7328B2403B
> 	for <testuser>; Fri, 30 Sep 2016 09:55:01 +0200 (CEST)
...
> X-Spam-Status: Yes, score=6.8 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
> 	DKIM_VALID_AU,HTML_IMAGE_ONLY_24,HTML_MESSAGE,MIME_HTML_ONLY,
> 	RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,SPF_PASS
> 	autolearn=no autolearn_force=no version=3.4.1
> X-Spam-Report: 
> 	* -0.0 SPF_PASS SPF: sender matches SPF record
> 	*  1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
> 	*  0.0 HTML_MESSAGE BODY: HTML included in message
> 	*  1.3 HTML_IMAGE_ONLY_24 BODY: HTML: images with 2000-2400 bytes of words
> 	* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
> 	* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
> 	*       domain
> 	*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
> 	*      valid
> 	*  0.4 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
> 	*      [cf: 100]
> 	*  1.7 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
> 	*  2.4 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
> 	*      above 50%
> 	*      [cf: 100]
...
> As you can see, there are two different score values from spamassassin. As I
> understand, one with score 8.x from spamassassin through amavisd and 6.x
> from spamassassin through spamass-milter.

Looking at the individual spamassassin scores from amavisd and spamass-milter, most of the difference (1.274) comes from the RDNS_NONE rule. This appears to have been due to a temporary name resolution error, as the spamass-milter invocation didn't have this problem and the IP address 93.90.122.170 does resolve back to relay263.mysmtp.mobi for me now.

The other 0.2 of score difference came from spamass-milter being able to validate the sender's DKIM signature, whereas amavis could not (the "OpenSSL error: data too large for modulus" message in the Authentication-Results: header may be related to this).

So I don't think spamass-milter is doing anything wrong here, and in fact the problems are on the amavis side, causing it to score the message as more spammy than it actually is.

> I don't know if this is related, but when spamass-milter starts with the
> debug flag, I get the following message:
> 
> Code:
> Could not retrieve sendmail macro "i".   Please add it to
> confMILTER_MACROS_ENVFROM for better spamassassin results
> 
> 
> Postconf |grep milter_connect_macro outputs
> 
> Code:
> milter_connect_macros = j {daemon_name} v {if_name} _
> 
> 
> I tried to insert an "i" into this line, at the beginning, but that didn't
> change anything.

There's some discussion of that here:
https://bugzilla.redhat.com/show_bug.cgi?id=1368645
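
Added example (not part of the original bug thread, and not code from spamass-milter or amavisd-new): the per-rule comparison made by hand in comment 1, written as a Python script. It parses amavisd-new's "tests=[NAME=score, ...]" list and the SpamAssassin X-Spam-Report lines from the message in comment #0 and lists the rules that fired in only one of the two scans. The function names are made up for this example.

```python
import re

# Headers copied from the message in comment #0 (most wrapped description lines dropped).
AMAVIS_STATUS = (
    "Yes, score=8.295 tag=2 tag2=6.2 kill=6.9 tests=[DKIM_SIGNED=0.1, "
    "HTML_IMAGE_ONLY_24=1.282, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.105, "
    "RAZOR2_CF_RANGE_51_100=0.365, RAZOR2_CF_RANGE_E8_51_100=2.43, "
    "RAZOR2_CHECK=1.729, RDNS_NONE=1.274, SPF_PASS=-0.001, "
    "T_DKIM_INVALID=0.01] autolearn=no autolearn_force=no"
)
MILTER_REPORT = """\
* -0.0 SPF_PASS SPF: sender matches SPF record
*  1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
*  0.0 HTML_MESSAGE BODY: HTML included in message
*  1.3 HTML_IMAGE_ONLY_24 BODY: HTML: images with 2000-2400 bytes of words
* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
*       domain
*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
*  0.4 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
*  1.7 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
*  2.4 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
"""

def parse_amavis_tests(status):
    """Rule -> score from amavisd-new's 'tests=[NAME=score, ...]' list."""
    inner = re.search(r"tests=\[(.*?)\]", status, re.S).group(1)
    return {n: float(s) for n, s in re.findall(r"([A-Z0-9_]+)=(-?\d+(?:\.\d+)?)", inner)}

def parse_sa_report(report):
    """Rule -> score from X-Spam-Report lines; wrapped description lines are skipped."""
    pat = re.compile(r"^\s*\*\s+(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]+)\b", re.M)
    return {name: float(score) for score, name in pat.findall(report)}

def rules_not_shared(a, b):
    """Rules that fired in only one scan, as their signed effect on (score a - score b)."""
    delta = {r: a[r] for r in a.keys() - b.keys()}
    delta.update({r: -b[r] for r in b.keys() - a.keys()})
    return delta

def score_gap():
    amavis, milter = parse_amavis_tests(AMAVIS_STATUS), parse_sa_report(MILTER_REPORT)
    return rules_not_shared(amavis, milter)

if __name__ == "__main__":
    for rule, effect in sorted(score_gap().items(), key=lambda kv: -abs(kv[1])):
        print(f"{rule:16s} {effect:+.3f}")
```

The four rules it lists (RDNS_NONE, DKIM_VALID, DKIM_VALID_AU, T_DKIM_INVALID) add up to 1.484 of the 1.495 gap between 8.295 and 6.8; the remainder is rounding, since X-Spam-Report prints scores to one decimal place.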

Comment 2 Paul Howarth 2016-10-04 14:56:06 UTC
I'm inclined to close this as NOTABUG; any objections?