Are emails sent to spam before mailsieve?

Hi,

While not specifically related to Hestia, I’m trying to get emails that have a certain flag set to move directly into a test folder so I can check the rules work (eventually, I’ll just delete any emails with super high scores). So I have:

# rule:[XSpamScore90]
if allof (header :is "X-Spam-Highscore" "Yes")
{
	fileinto "Spam/test junk before delete";
	stop;
}

The email's headers include:

X-Report-Abuse: Please report any spam or abuse to: [email protected]
X-Kmail-Ops: 01HXDWVXP7E3TGC5T5NEYKK8AN
X-Kmail-Message: 01J9Y7YY6C3C2HB2W8GVV27FHW
CFBL-Address: [email protected]; report=arf
Message-ID: mid-139354648452506310959568171725278434886@k3.send.theduabrand.com
X-Spam-Score: 1021
X-Spam-Bar: +++++++++++++++++++++++++++++++++++++++++++++++++++
X-Spam-Report: Spam detection software, running on the system “sky.newbyhost.com”,
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
@@CONTACT_ADDRESS@@ for details.

Content preview: October Prime Sale - LAST CALL
October Prime Sale - DUA DESIGNER LINE
October Prime Sale - 20 New Scents

Content analysis details: (102.1 points, 3.0 required)

pts rule name description


0.0 USER_IN_BLOCKLIST From: address is in the user’s block-list
100 USER_IN_BLACKLIST DEPRECATED: See USER_IN_BLOCKLIST
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
5.0 LOCAL_FROM_TLD4 From: contains theduabrand.com
0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
-0.0 SPF_PASS SPF: sender matches SPF record
0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or
identical to background
0.0 HTML_MESSAGE BODY: HTML included in message
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
valid
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
-1.0 DKIMWL_WL_MED DKIMwl.org - Medium trust sender
X-Spam-Status: Yes
X-ACL-Warn: SpamAssassin detected spam (from bounce-kl_28456123501-kl_101101j9y7yy6c3c2hb2-h-51a735a840=2@k3.send.theduabrand.com to [email protected]).
X-Spam-Highscore: Yes
Subject: *** SPAM *** =?utf-8?b?8J+aqCBGSU5BTCBDQUxMOiBPY3RvYmVyIFByaW1lIFNhbGUgRW5kcyBTb29uIOKAkyBPcmRlciBOT1chIPCfk6Lwn4yf?=

So X-Spam-Highscore: Yes matches. I’m trying to work out why the rule doesn’t work. Are spam emails sent directly into the Spam folder, without passing through managesieve? I added some rules into the exim4.conf.template:

.ifdef SPAMASSASSIN
 warn    set acl_m1    = no
         set acl_m3    = no
 warn    condition     = ${if exists {/etc/exim4/domains/$domain/antispam}{yes}{no}}
         set acl_m1    = yes
 warn    condition     = ${if exists {/etc/exim4/domains/$domain/reject_spam}{yes}{no}}
         set acl_m3    = yes
 warn
        condition = ${if >{$spam_score_int}{200}}
        add_header = X-High-Spam-Score: Yes
.endif

Could the last rule maybe reject the emails outright?

Cheers

Andy

Yes, if spamscore default > 100 it gets rejected … But it should be a setting in Hestia

Yes, that’s right and this is the conf that moves the email message directly to Spam folder:

localuser_spam:
  driver = accept
  transport = local_spam_delivery
  condition = ${if eq {${if match{$h_X-Spam-Status:}{\N^Yes\N}{yes}{no}}} {${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}{yes}{no_such_user}}}}
[...]
local_spam_delivery:
  driver = appendfile
  maildir_format
  maildir_use_size_file
  user = ${extract{2}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}} 
  group = mail
  create_directory
  directory_mode = 770
  mode = 660
  use_lockfile = no
  delivery_date_add
  envelope_to_add 
  return_path_add
  directory = "${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}/mail/${lookup{$domain}dsearch{/etc/exim4/domains/}}/${lookup{$local_part}dsearch{${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}/mail/${lookup{$domain}dsearch{/etc/exim4/domains/}}}}/.Spam"
  quota = ${extract{6}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}M
  quota_directory = "${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}/mail/${lookup{$domain}dsearch{/etc/exim4/domains/}}/${lookup{$local_part}dsearch{${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/${lookup{$domain}dsearch{/etc/exim4/domains/}}/passwd}}}}/mail/${lookup{$domain}dsearch{/etc/exim4/domains/}}}}"
  quota_warn_threshold = 75%

Thanks @eris - where would that setting be? I see this in the mail domain:

[image]

But that just rejects all of them (which I don’t want to do, as sometimes genuine mails end up in spam)

Mail domain reject spam rejects but in exim config already places it in the spamfolder before it goes to sieve…

So Exim → SpamAssassin → Sieve → Dovecot

Thanks. Is there a way to auto bounce it if over a certain score? I was hoping to use managesieve, but as you say, it's bypassed due to exim moving the email into the spam folder, and bypassing managesieve. I have this as a test:

SPAM_REJECT_SCORE = 900

Then:

.ifdef SPAMASSASSIN
 warn   !authenticated = *
        hosts          = !+relay_from_hosts
        condition      = ${if < {$message_size}{100240K}}
        condition      = ${if eq{$acl_m1}{yes}{yes}{no}}
        spam           = debian-spamd:true/defer_ok
        add_header     = X-Spam-Score: $spam_score_int
        add_header     = X-Spam-Bar: $spam_bar
        add_header     = X-Spam-Report: $spam_report
        set acl_m2     = $spam_score_int

 warn   condition      = ${if !eq{$acl_m2}{} {yes}{no}}
        condition      = ${if >{$acl_m2}{SPAM_SCORE} {yes}{no}}
        add_header     = X-Spam-Status: Yes
        message        = SpamAssassin detected spam (from $sender_address to $recipients).

  warn  condition = ${if >{$spam_score_int}{800}}
        add_header = X-Spam-Highscore: Yes

  # Deny spam at high score if spam score > SPAM_REJECT_SCORE and delete_spam is enabled
  deny   message        = This message scored $spam_score spam points
         spam           = debian-spamd:true
         condition      = ${if eq{$acl_m3}{yes}{yes}{no}}
         condition      = ${if >{$spam_score_int}{SPAM_REJECT_SCORE}{1}{0}}
.endif

(I have it set to 900, as I have custom rules that put certain spammers on a large 100 score for being on our custom blacklist, which effectively means I don’t want to see their emails ever again ;))
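
Added example, not part of any post in this thread and not Exim or Hestia code: a small Python model of the ACL and the `localuser_spam` router quoted above, showing why a Sieve rule on `X-Spam-Highscore` never fires. The function names and the `SPAM_SCORE` value of 50 are assumptions (the thread does not show that value), and non-spam mail is assumed to reach Sieve through the normal delivery path, as the replies describe.

```python
# Added illustration (not Exim or Hestia code): a simplified model of the
# ACL and the localuser_spam router quoted in the thread.
SPAM_SCORE = 50           # ASSUMPTION: placeholder, the value is not shown in the thread
HIGHSCORE = 800           # from the thread's X-Spam-Highscore warn rule
SPAM_REJECT_SCORE = 900   # from the thread

def acl_data(score_int, reject_spam):
    """Model the warn/deny rules for a scanned message.

    score_int is $spam_score_int: the SpamAssassin score times ten,
    so the 102.1-point message in the thread is 1021.
    """
    headers = {"X-Spam-Score": str(score_int)}
    if score_int > SPAM_SCORE:
        headers["X-Spam-Status"] = "Yes"
    if score_int > HIGHSCORE:
        headers["X-Spam-Highscore"] = "Yes"
    if reject_spam and score_int > SPAM_REJECT_SCORE:
        return "reject", headers
    return "accept", headers

def route(headers):
    """Model localuser_spam: X-Spam-Status starting with Yes goes straight to .Spam."""
    if headers.get("X-Spam-Status", "").startswith("Yes"):
        return "spam_folder_no_sieve"
    return "normal_delivery_with_sieve"

def trace(score_int, reject_spam=False):
    """Return (outcome, sieve_rule_fired) for one message."""
    verdict, headers = acl_data(score_int, reject_spam)
    if verdict == "reject":
        return "rejected_at_smtp", False
    outcome = route(headers)
    sieve_ran = outcome == "normal_delivery_with_sieve"
    return outcome, sieve_ran and headers.get("X-Spam-Highscore") == "Yes"

def highscore_rule_reachable(max_score_int=2000):
    """True if any score lets the Sieve rule see X-Spam-Highscore: Yes."""
    return any(trace(s)[1] for s in range(max_score_int + 1))

if __name__ == "__main__":
    print(trace(1021))                    # the message from the thread
    print(trace(1021, reject_spam=True))  # with the domain's reject-spam option on
    print(highscore_rule_reachable())
```

In this model, any score high enough to get `X-Spam-Highscore: Yes` also gets `X-Spam-Status: Yes`, so the router files the message in `.Spam` before Sieve can act on it.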