How can I turn on more detailed logging of SpamAssassin? Specifically, configure it to include the X-Spam-Report header which breaks down the individual scores that led to the overall spam score for a message. I’m getting some false positives so I’d like to narrow down why these legitimate mails are getting caught. The only header I get is X-AxigenSpam-Level which just gives an overall score. The closest I can get is to look at /var/log/mail which has the detail to tell me which tests matched a message, but then I need to combine those test names with the dozens of .cf files that are in /var/lib/spamassassin/3.004005/updates_spamassassin_org to determine the test score values. So it’s pretty tedious and not really practical.
A proper Spam-Report would look like this and quickly tells you why the message was flagged. And it’s included with the email headers so you don’t need to go matching up email timestamps with log entries.
X-Spam-Report: SpamAssassin headers added by tigertech.net. Test details:
* 0.6 HTML_WEB_BUGS BODY: Image tag intended to identify you
* 0.5 HTML_20_30 BODY: Message is 20% to 30% HTML
* 1.5 HTML_IMAGE_ONLY_04 BODY: HTML: images with 200-400 bytes of words
* 3.0 NO_RDNS_DOTCOM_HELO Host HELO'd as a big ISP, but had no rDNS
* 3.0 FORGED_RCVD_NET_HELO Host HELO'd using the wrong IP network
* 0.5 FORGED_YAHOO_RCVD 'From' yahoo.com does not match 'Received' headers
By default, the Axigen service does not preserve any changes that SpamAssassin may do to the email message - the filter is executed only to obtain SpamAssassin’s spam score, which is then used to compute the value of X-AxigenSpam-Level.
This is needed in order for the AntiSpam thresholds to work in a consistent manner with different AntiSpam filter applications.
You may alter this behavior by specifying a different protocol file for the SpamAssassin filter - we provide the “spamassassin-bin.afsl” protocol file specifically for this purpose (when using this file Axigen will preserve SpamAssassin’s changes/added headers, instead of computing X-AxigenSpam-Level).
The required steps are:
Create a backup copy of the current /var/opt/axigen/run/axigen.cfg file
open the /var/opt/axigen/run/axigen.cfg file in a text editor and locate the following section:
    {
        name = "AV:SpamAssassin"
        address = "inet://127.0.0.1:783"
        protocolFile = "afsl/spamassassin.afsl"
        idleTimeout = 300
        actionOnMatch = pass
        maxConnections = 10
        maxMessageSize = 10240
    }
change the protocolFile parameter into: protocolFile = "afsl/spamassassin-bin.afsl"
save the changes to the axigen.cfg file
signal Axigen to reload configuration or simply restart the Axigen service
From this point, Axigen will no longer compute X-AxigenSpam-Level as a result of SpamAssassin integration, but instead it will preserve all changes done to the message by SpamAssassin. To add the X-Spam-Report header you need to configure SpamAssassin appropriately, i.e. by adding the following parameter to its local.cf file: add_header all Report _REPORT_
Note: since the X-AxigenSpam-Level header will no longer be added, this means that the AntiSpam threshold actions found in Security & Filtering → AntiVirus & AntiSpam → AntiSpam Configuration will no longer have any effect.
Thanks so much for the detailed response, I’ll try it out. Since the Axigen spam thresholds will no longer work, how would I still move emails to the spam folder? Only avenue I can see would be to create a custom incoming mail rule that references the spamassassin header. But those rules seem pretty rudimentary and I don’t see a way it can parse a decimal score from spamassassin and act on it. For instance, if I wanted to say all scores above 3.7 go to spam, I’m not sure how that could be done.
Finally, would making this change break other features like the built-in blacklist and whitelists or the DNSBL capability?
From our understanding only the whitelist capability may be influenced if you made your own spam filter based on the header added by spamassassin-bin filter (but only if you do not take into consideration the whitelist_match variable like below)
Because the requested header is provided (by changing the received message) only when using the spamassassin REPORT command, and because this command will not provide the same output as the CHECK command (details here), we see no other option to have both sets of data than executing both commands (and not only one) for each received message.
If you are not afraid of this performance penalty please let us know so we could try to “mix” both AFSL filters and see if we could produce anything in line with your specific requests.
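As an added example (not part of the original thread, and not Axigen or SpamAssassin code), this Python script parses an X-Spam-Report header in the format quoted in the first post, ranks the matched rules by score, and compares the summed score with the 3.7 value from the follow-up question. The sample message, the function names and the use as an offline false-positive triage tool are assumptions.

```python
import email
import re
from decimal import Decimal

# Constructed sample message; the report lines are the ones quoted in the thread.
SAMPLE = """\
From: sender@example.com
Subject: constructed sample
X-Spam-Report: SpamAssassin headers added by tigertech.net. Test details:
 * 0.6 HTML_WEB_BUGS BODY: Image tag intended to identify you
 * 0.5 HTML_20_30 BODY: Message is 20% to 30% HTML
 * 1.5 HTML_IMAGE_ONLY_04 BODY: HTML: images with 200-400 bytes of words
 * 3.0 NO_RDNS_DOTCOM_HELO Host HELO'd as a big ISP, but had no rDNS
 * 3.0 FORGED_RCVD_NET_HELO Host HELO'd using the wrong IP network
 * 0.5 FORGED_YAHOO_RCVD 'From' yahoo.com does not match 'Received' headers

body text
"""

# One rule line of the report: "* <score> <RULE_NAME> <description>"
RULE_LINE = re.compile(r"^\s*\*\s+(-?\d+\.\d+)\s+(\w+)\s+(.*)$")


def parse_spam_report(raw_message):
    """Return [(score, rule, description), ...] from the X-Spam-Report header."""
    # The default (compat32) policy keeps the folded header's line breaks,
    # so each rule can be matched on its own line.
    msg = email.message_from_string(raw_message)
    hits = []
    for line in str(msg.get("X-Spam-Report", "")).splitlines():
        m = RULE_LINE.match(line)
        if m:
            hits.append((Decimal(m.group(1)), m.group(2), m.group(3).strip()))
    return hits


def triage(raw_message, threshold=Decimal("3.7")):
    """Sum the rule scores as printed and rank the rules by contribution."""
    hits = parse_spam_report(raw_message)
    total = sum((score for score, _, _ in hits), Decimal("0"))
    ranked = sorted(hits, key=lambda h: h[0], reverse=True)
    return {"total": total, "above_threshold": total > threshold, "ranked": ranked}


if __name__ == "__main__":
    result = triage(SAMPLE)
    print("total", result["total"], "above 3.7:", result["above_threshold"])
    for score, rule, desc in result["ranked"]:
        print(score, rule, desc)
```

Run against saved copies of the misclassified messages, the ranked list shows which rules contribute most to each false positive without cross-referencing /var/log/mail and the .cf files.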