thank you for your further investigation, mate.
this system is sadly Ubuntu 14 LTS (but you already know that from looking at my former post) and it was initially set up with ZCS 8.6, patched with Patch 7, then upgraded to ZCS 8.7 RC2 and then upgraded to ZCS 8.7 GA (all as open source edition). The system only got test usage from the 8.7 RC2 state onwards.
all services are running:
Code:
zimbra@mail:~$ zmcontrol status
Host mail.space4.local
amavis Running
antispam Running
antivirus Running
ldap Running
logger Running
mailbox Running
memcached Running
mta Running
opendkim Running
proxy Running
service webapp Running
snmp Running
spell Running
stats Running
zimbra webapp Running
zimbraAdmin webapp Running
zimlet webapp Running
zmconfigd Running
the headers posted of the mail are not complete, because i was simply too lazy to redact company sensitive information. here is the whole thing (sorry for leaving out the essential part before):
Code:
Return-Path: Miles.6716@littlemoonhills.co.uk
Received: from myzimbra.myinternaldom.local (LHLO externalhost.publicdomain.com) (192.168.0.190) by
myzimbra.myinternaldom.local with LMTP; Sat, 23 Jul 2016 03:48:17 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
by externalhost.publicdomain.com (Postfix) with ESMTP id 2D717342720
for <realuser@mydomain.de>; Sat, 23 Jul 2016 03:48:17 +0200 (CEST)
X-Virus-Scanned: amavisd-new at space4.local
X-Spam-Flag: NO
X-Spam-Score: 4.504
X-Spam-Level: ****
X-Spam-Status: No, score=4.504 required=6.6 tests=[BAYES_99=3.5,
BAYES_999=0.2, HTML_MESSAGE=0.001, RDNS_NONE=0.793,
T_SPF_TEMPERROR=0.01] autolearn=no autolearn_force=no
Received: from externalhost.publicdomain.com ([127.0.0.1])
by localhost (myzimbra.myinternaldom.local [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id DDBTUOHEa6nW for <realuser@mydomain.de>;
Sat, 23 Jul 2016 03:48:01 +0200 (CEST)
Received: from [1.47.203.144] (unknown [1.47.203.144])
by externalhost.publicdomain.com (Postfix) with ESMTP id DDDE734270B
for <some_alias@mydomain.ch>; Sat, 23 Jul 2016 03:47:56 +0200 (CEST)
To: some_alias@mydomain.ch
From: "Nadia Miles" <Miles.6716@littlemoonhills.co.uk>
Subject: sales report
Organization: Rathbone Brothers
Message-ID: <5403adc6-f44c-3397-8468-25217425af15@seminar-experts.ch>
Date: Sat, 23 Jul 2016 08:45:43 +0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0)
Gecko/20100101 Thunderbird/45.1.0
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="------------E683C7CF4152C2FA455B0BDA"
This is a multi-part message in MIME format.
--------------E683C7CF4152C2FA455B0BDA
Content-Type: multipart/alternative;
boundary="------------11DA6D95A8AAD537306BC46D"
--------------11DA6D95A8AAD537306BC46D
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
I am truly sorry that I was not available at the time you called me yesterday.
I attached the report with details on sales figures.
----- Yours truly, Nadia Miles
Rathbone Brothers Phone: +1 (672) 660-64-63 Fax: +1 (672) 660-64-14
--------------11DA6D95A8AAD537306BC46D
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
<html>
<head>
<meta http-equiv="content-type" content="text/html;
charset=windows-1251">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<big>I am truly sorry that I was not available at the time you
called me yesterday.<br>
I attached the report with details on sales figures.</big><br>
<br>
<address> <small>----- </small></address>
<address><small> </small></address>
<address><small> Yours truly,</small></address>
<address><small> Nadia Miles</small></address>
<address><small> </small></address>
<address><small> <br>
Rathbone Brothers</small></address>
<small>Phone: +1 (672) 660-64-63</small>
<address><small> Fax: +1 (672) 660-64-14 </small></address>
</body>
</html>
--------------11DA6D95A8AAD537306BC46D--
--------------E683C7CF4152C2FA455B0BDA
Content-Type: application/x-compressed;
name="stefano.conti_086FF.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="stefano.conti_086FF.zip"
Another spam mail that got flagged as SPAM numerous times and is still getting delivered is this (shouldn't the TO-field have the name of the recipient too?):
Code:
Return-Path: konto-aktualisierung@s19395345.onlinehome-server.info
Received: from zimbra.internaldomain.local (LHLO mymail.externaldom.com) (192.168.0.190) by
zimbra.internaldomain.local with LMTP; Sat, 23 Jul 2016 18:42:03 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
by mymail.externaldom.com (Postfix) with ESMTP id 303B43426AA
for <realuser@mydomain.de>; Sat, 23 Jul 2016 18:42:03 +0200 (CEST)
X-Virus-Scanned: amavisd-new at space4.local
X-Spam-Flag: NO
X-Spam-Score: 0.004
X-Spam-Level:
X-Spam-Status: No, score=0.004 required=6.6 tests=[BAYES_40=-0.001,
HTML_EXTRA_CLOSE=0.001, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_BL=0.01,
RCVD_IN_MSPIKE_L5=0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001,
WEIRD_PORT=0.001] autolearn=ham autolearn_force=no
Received: from mymail.externaldom.com ([127.0.0.1])
by localhost (zimbra.internaldomain.local [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id oGfL_iHGO2uh for <realuser@mydomain.de>;
Sat, 23 Jul 2016 18:42:02 +0200 (CEST)
Received: from s19395345.onlinehome-server.info (s19395345.onlinehome-server.info [82.165.42.2])
by mymail.externaldom.com (Postfix) with ESMTP id 98DC43425A4
for <aliasuser@mydomain.ch>; Sat, 23 Jul 2016 18:42:02 +0200 (CEST)
Received: from s19395345.onlinehome-server.info ([127.0.0.1]) by s19395345.onlinehome-server.info with Microsoft SMTPSVC(7.5.7601.17514);
Sat, 23 Jul 2016 18:34:11 +0200
Content-Type: multipart/alternative; boundary="===============0396095131=="
MIME-Version: 1.0
Subject: =?utf-8?q?Sch=C3=BCtzen_Sie_Ihre_Amazon=2Ede_Konto?=
To: Recipients <konto-aktualisierung@s19395345.onlinehome-server.info>
From: "Amazon.de" <konto-aktualisierung@s19395345.onlinehome-server.info>
Date: Sat, 23 Jul 2016 18:34:11 +0200
Message-ID: <S19395345vpvDtDJd5I0000637c@s19395345.onlinehome-server.info>
X-OriginalArrivalTime: 23 Jul 2016 16:34:11.0535 (UTC) FILETIME=[0ADB25F0:01D1E500]
You will not see this in a MIME-aware mail reader.
--===============0396095131==
Content-Type: text/plain; charset="iso-8859-1"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Description: Mail message body
Guten Tag, =
Wir informieren Sie, dass Ihre Amazon ID wurde deaktiviert. =
Klicken Sie einfach den untenstehenden Link und loggen Sie sich mit Ihrer =
Amazon-ID : =
Klicken Sie hier =
Kundenservice Amazon.de=20
--===============0396095131==
Content-Type: text/html; charset="iso-8859-1"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Description: Mail message body
<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; charset=
=3Diso-8859-1"/></head>Guten Tag,
</p></p>
Wir informieren Sie, dass Ihre Amazon ID wurde deaktiviert.
</p></p>
Klicken Sie einfach den untenstehenden Link und loggen Sie sich mit Ihrer A=
mazon-ID :
</p></p>
<a href=3D"http://host-141-173.cybees.com:88/24070141" target=3D"_blank"><s=
trong>Klicken Sie hier</strong> </a>
</p></p>
Kundenservice Amazon.de </html>
how do i actually check that the spam assassin rules get updated?
i set the two values as recommended (see my first post) and restarted the services.
Code:
zimbra@mail:~$ zmlocalconfig antispam_enable_rule_updates
antispam_enable_rule_updates = true
zimbra@mail:~$ zmlocalconfig antispam_enable_restarts
antispam_enable_restarts = true
is there a way to actually check that? i only set those values today, so if this is actually the culprit then it is definitely my fault for expecting spam assassin learning to be active by default. if so, i apologize for wasting your time.
EDIT:
a very big question for me is, when is actually the point in time that a mail will be available to spam assassin's training? is it enough to only flag it as spam or do i need to flag it as spam and then purge the spam-folder? how do i flag something as ham?
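
The two X-Spam-Status headers quoted in the post above can be taken apart to see how far each message stayed under the 6.6 threshold and which checks contributed nothing. This Python example is added here and is not part of the original post or of Zimbra; `parse_spam_status`, `explain` and the `LOOKUP_FAILED` table are names chosen for this example, and it assumes the amavisd-new header layout shown in the post.

```python
import re

# Added example. X-Spam-Status headers copied from the two messages in the post;
# the folding whitespace on continuation lines is restored (the page flattened it).
FIRST = ("X-Spam-Status: No, score=4.504 required=6.6 tests=[BAYES_99=3.5,\n"
         "\tBAYES_999=0.2, HTML_MESSAGE=0.001, RDNS_NONE=0.793,\n"
         "\tT_SPF_TEMPERROR=0.01] autolearn=no autolearn_force=no\n")
SECOND = ("X-Spam-Status: No, score=0.004 required=6.6 tests=[BAYES_40=-0.001,\n"
          "\tHTML_EXTRA_CLOSE=0.001, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_BL=0.01,\n"
          "\tRCVD_IN_MSPIKE_L5=0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001,\n"
          "\tWEIRD_PORT=0.001] autolearn=ham autolearn_force=no\n")

# Rules that signal a lookup did not complete, so that check added no evidence.
LOOKUP_FAILED = {"URIBL_BLOCKED": "URIBL refused the DNS query",
                 "T_SPF_TEMPERROR": "SPF lookup returned a temporary error"}

STATUS_RE = re.compile(
    r"^X-Spam-Status:\s*(Yes|No),\s*score=(-?[\d.]+)\s+required=(-?[\d.]+)"
    r"\s+tests=\[(.*?)\]\s*(.*)$", re.I | re.M)

def parse_spam_status(headers):
    """Unfold the header block and split X-Spam-Status into its fields."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)  # RFC 5322 unfolding
    m = STATUS_RE.search(unfolded)
    if m is None:
        raise ValueError("no X-Spam-Status header in amavisd-new format")
    verdict, score, required, tests, rest = m.groups()
    rules = {}
    for item in filter(None, (t.strip() for t in tests.split(","))):
        name, _, value = item.partition("=")
        rules[name] = float(value)
    return {"spam": verdict.lower() == "yes", "score": float(score),
            "required": float(required), "rules": rules,
            "flags": dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)}

def explain(headers):
    """Summarise why the message landed on its side of the threshold."""
    s = parse_spam_status(headers)
    notes = [f"{r}: {why}" for r, why in LOOKUP_FAILED.items() if r in s["rules"]]
    if s["flags"].get("autolearn") == "ham":
        notes.append("autolearn=ham: Bayes was trained on this message as ham")
    return {"margin": round(s["required"] - s["score"], 3),
            "rule_sum": round(sum(s["rules"].values()), 3),
            "top_rule": max(s["rules"], key=s["rules"].get),
            "notes": notes}

if __name__ == "__main__":
    for sample in (FIRST, SECOND):
        print(explain(sample))
```

For the first message the per-rule scores add up to the reported 4.504, with BAYES_99 supplying 3.5 of it; the second message carries both a failed URIBL lookup and `autolearn=ham`.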