SpamAssassin is filtering trusted accounts

To deal with bad actors who try to send forged mail from addresses that include @mydomain.tld, I had set up these rules in spamassassin/local.cf:

trusted_networks   my.ip.add.ress
score    ALL_TRUSTED           -100
header   FAKE_LOCAL_SENDERS    From =~ /\@mydomain.tld/
score    FAKE_LOCAL_SENDERS    10

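Recently I moved my mail server to a new machine running CentOS 8.
Since then, legitimate email sent from 127.0.0.1 (without SMTP authentication) has been filtered.
After investigating, I found that the FAKE_LOCAL_SENDERS score is still applied while the ALL_TRUSTED score is not.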

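Worth mentioning:

  • According to the logs and headers, the detected client really is 127.0.0.1
  • I looked for other .cf files in /etc but found nothing relevant
  • I also searched for the ALL_TRUSTED string and found no other occurrences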

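Looking through the documentation, I could not even find any information about the ALL_TRUSTED symbol name.

I found that it means the message passed through trusted hosts only via SMTP, in the tests performed for v3.3.x. But I cannot find the same documentation for my SpamAssassin version (v3.4.2).

Maybe there is another way to filter forgeries that I do not know of.
If anyone knows how to achieve this, I would be grateful.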


Edit: since I have been asked, here is more detailed information.

Postfix log

Jul  9 14:58:46 mail postfix/pickup[21731]: 981041958: uid=0 from=<root>
Jul  9 14:58:46 mail postfix/cleanup[21766]: 981041958: message-id=<[email protected]>
Jul  9 14:58:46 mail opendkim[21646]: 981041958: DKIM-Signature field added (s=mydomain.tld, d=mydomain.tld)
Jul  9 14:58:46 mail postfix/qmgr[21732]: 981041958: from=<[email protected]>, size=313, nrcpt=1 (queue active)
Jul  9 14:58:47 mail postfix/10025/smtpd[21774]: connect from localhost[127.0.0.1]
Jul  9 14:58:47 mail postfix/10025/smtpd[21774]: 2997053: client=localhost[127.0.0.1]
Jul  9 14:58:47 mail postfix/cleanup[21766]: 2997053: message-id=<[email protected]>
Jul  9 14:58:47 mail opendkim[21646]: 2997053: DKIM-Signature field added (s=mydomain.tld, d=mydomain.tld)
Jul  9 14:58:47 mail postfix/qmgr[21732]: 2997053: from=<[email protected]>, size=1514, nrcpt=1 (queue active)
Jul  9 14:58:47 mail amavis[21734]: (21734-01) Passed SPAM {RelayedTaggedInbound,Quarantined}, [127.0.0.1] <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: fr9Pzi3DYtmO, Hits: 10.9, size: 705, queued_as: 2997053, 556 ms
Jul  9 14:58:47 mail postfix/amavis/smtp[21771]: 981041958: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.86, delays=0.17/0.13/0/0.55, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 2997053)
Jul  9 14:58:47 mail postfix/qmgr[21732]: 981041958: removed
Jul  9 14:58:47 mail dovecot[21781]: lda([email protected]): sieve: msgid=<[email protected]>: stored mail into mailbox 'Junk'
Jul  9 14:58:47 mail postfix/pipe[21780]: 2997053: to=<[email protected]>, orig_to=<[email protected]>, relay=dovecot, delay=0.38, delays=0.21/0.01/0/0.16, dsn=2.0.0, status=sent (delivered via dovecot service)
Jul  9 14:58:47 mail postfix/qmgr[21732]: 2997053: removed

Headers of the received mail

Return-Path: <[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from localhost (localhost [127.0.0.1])
    by mail.mydomain.tld (Postfix) with ESMTP id 2997053
    for <[email protected]>; Thu,  9 Jul 2020 14:58:47 +0700 (+07)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.mydomain.tld 2997053
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mydomain.tld;
    s=mydomain.tld; t=1594281527;
    bh=Pb3GbVbRabH8he07wAoFCdFxIXnMcJZfD3IMOd8OwIU=;
    h=Subject:Date:From:From;
    b=4aenJY5Qg8lKtX7amYiCHKuile4cEaO5gRk+HzdInYH5BIl96FY+SwVwyYdCFUUSJ
     MR/UsQM47wmxJSafYFF7xE1BNxXqe/DtejiQjuumvZG9OhgJRo79kPJ3Or/J7yvETs
     OLq6Bk3nbj3JsK3dcUxPBcC2E6WPfyFbw+2o6zQk=
X-Virus-Scanned: amavisd-new at mydomain.tld
X-Spam-Flag: YES
X-Spam-Score: 10.9
X-Spam-Level: **********
X-Spam-Status: Yes, score=10.9 tagged_above=2 required=6.2
    tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
    DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FAKE_LOCAL_SENDERS=10,
    MISSING_HEADERS=3, NO_RELAYS=-0.001, URIBL_BLOCKED=0.001]
    autolearn=no autolearn_force=no
Received: from mail.mydomain.tld ([127.0.0.1])
    by localhost (mail.mydomain.tld [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id fr9Pzi3DYtmO for <[email protected]>;
    Thu,  9 Jul 2020 14:58:46 +0700 (+07)
Received: by mail.mydomain.tld (Postfix, from userid 0)
    id 981041958; Thu,  9 Jul 2020 14:58:46 +0700 (+07)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.mydomain.tld 981041958
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mydomain.tld;
    s=mydomain.tld; t=1594281526;
    bh=Pb3GbVbRabH8he07wAoFCdFxIXnMcJZfD3IMOd8OwIU=;
    h=Subject:Date:From:From;
    b=vnht27+6RxYrr/uoq2kJUzWPNIwzHoE6yqVWuQ4eyXGcoBqhQlb7I8fLNuW+OlT3C
     P0rPqWxVGGxigDyPMH9m/t0VLoF9drO9RA3NYc2FgF6S8J4XBcA3+z3GogzAJ82vto
     pFMXVGyqHlFsEPDkhuQz8V2P/AHduKzkg//L13HY=
Subject: ***Spam*** Test mail
Message-Id: <[email protected]>
Date: Thu,  9 Jul 2020 14:58:46 +0700 (+07)
From: root <[email protected]>

spamassassin/local.cf

# These values can be overridden by editing ~/.spamassassin/user_prefs.cf 
# (see spamassassin(1) for details)

# These should be safe assumptions and allow for simple visual sifting
# without risking lost emails.

required_hits 5
report_safe 0
rewrite_header Subject [SPAM]

## MY CONF
use_bayes 1
bayes_path /var/spool/amavisd/.spamassassin/bayes

header   __RCVD_IN_HOSTKARMA eval:check_rbl('HOSTKARMA-lastexternal','hostkarma.junkemailfilter.com.')
describe __RCVD_IN_HOSTKARMA Sender listed in JunkEmailFilter
tflags   __RCVD_IN_HOSTKARMA net

header   RCVD_IN_HOSTKARMA_W eval:check_rbl_sub('HOSTKARMA-lastexternal', '127.0.0.1')
describe RCVD_IN_HOSTKARMA_W Sender listed in HOSTKARMA-WHITE
tflags   RCVD_IN_HOSTKARMA_W net nice
score    RCVD_IN_HOSTKARMA_W -5

header   RCVD_IN_HOSTKARMA_BL eval:check_rbl_sub('HOSTKARMA-lastexternal', '127.0.0.2')
describe RCVD_IN_HOSTKARMA_BL Sender listed in HOSTKARMA-BLACK
tflags   RCVD_IN_HOSTKARMA_BL net
score    RCVD_IN_HOSTKARMA_BL 3.0

header   RCVD_IN_HOSTKARMA_BR eval:check_rbl_sub('HOSTKARMA-lastexternal', '127.0.0.4')
describe RCVD_IN_HOSTKARMA_BR Sender listed in HOSTKARMA-BROWN
tflags   RCVD_IN_HOSTKARMA_BR net
score    RCVD_IN_HOSTKARMA_BR 1.0

header   RCVD_IN_BL_SPAMCOP_NET   eval:check_rbl_txt('spamcop', 'bl.spamcop.net.', '(?i:spamcop)')
describe RCVD_IN_BL_SPAMCOP_NET Received via a relay in bl.spamcop.net
tflags   RCVD_IN_BL_SPAMCOP_NET   net
#reuse    RCVD_IN_BL_SPAMCOP_NET
score    RCVD_IN_HOSTKARMA_BR 3.0

## testing
score    MISSING_FROM   5.0
score    MISSING_DATE   5.0
score    MISSING_HEADERS 3.0
score    PDS_FROM_2_EMAILS 3.0
score    EMPTY_MESSAGE 5.0
score    FREEMAIL_DISPTO 2.0
score    FREEMAIL_FORGED_REPLYTO 3.5
score    DKIM_ADSP_NXDOMAIN 5.0
score    FORGED_GMAIL_RCVD 2.5

# from mydomain.tld
header   FAKE_LOCAL_SENDERS  From =~ /\@mydomain.tld/
score    FAKE_LOCAL_SENDERS  10
trusted_networks my.ip.add.ress
score    ALL_TRUSTED     -100

Note: I only edited the domain name and the IP address.

You may notice there is a directive:

rewrite_header Subject [SPAM]

The final Subject in the headers is prefixed with ***Spam***; this is overridden by dovecot.

$sa_spam_subject_tag = '***Spam*** ';
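
Added example (not part of the original post): a small Python check that parses the amavisd-style X-Spam-Status value from the headers above and labels why the -100 ALL_TRUSTED offset did not cancel the FAKE_LOCAL_SENDERS penalty. It relies on SpamAssassin's behaviour that NO_RELAYS hits when no relay could be parsed from the Received headers, in which case ALL_TRUSTED cannot hit; the function names and return labels are assumptions made for illustration.

```python
import re

# X-Spam-Status value copied from the received-mail headers in the post.
SAMPLE_STATUS = """Yes, score=10.9 tagged_above=2 required=6.2
    tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
    DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FAKE_LOCAL_SENDERS=10,
    MISSING_HEADERS=3, NO_RELAYS=-0.001, URIBL_BLOCKED=0.001]
    autolearn=no autolearn_force=no"""


def parse_spam_status(value):
    """Parse an amavisd-style value into (score, required, {rule: points})."""
    unfolded = re.sub(r"\s*\n\s+", " ", value.strip())  # undo header folding
    score = re.search(r"\bscore=(-?[\d.]+)", unfolded)
    required = re.search(r"\brequired=(-?[\d.]+)", unfolded)
    tests = re.search(r"\btests=\[([^\]]*)\]", unfolded)
    if not (score and required and tests):
        raise ValueError("not an amavisd-style X-Spam-Status value")
    rules = {}
    for item in filter(None, (t.strip() for t in tests.group(1).split(","))):
        name, _, points = item.partition("=")
        rules[name] = float(points)
    return float(score.group(1)), float(required.group(1)), rules


def explain_missing_offset(rules, penalty="FAKE_LOCAL_SENDERS"):
    """Label why the trusted-network offset did or did not cancel the penalty."""
    if penalty not in rules:
        return "penalty-not-hit"
    if "ALL_TRUSTED" in rules:
        return "offset-applied"
    if "NO_RELAYS" in rules:
        # No relay was parsed (local pickup), so there was nothing for
        # trusted_networks to match and ALL_TRUSTED could not hit.
        return "no-relays-parsed"
    return "untrusted-or-unparseable-relay"


def score_without(score, rules, penalty="FAKE_LOCAL_SENDERS"):
    """Score the message would have had if the penalty rule had not hit."""
    return round(score - rules.get(penalty, 0.0), 3)


if __name__ == "__main__":
    score, required, rules = parse_spam_status(SAMPLE_STATUS)
    print(explain_missing_offset(rules), score_without(score, rules), required)
```

For the header in the post this reports that no relay was parsed and that the message would have scored 0.9 against a threshold of 6.2 without the local-sender penalty.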
