1

Topic: Identical messages scored differently by SA

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.8 MARIADB
- Deployed with iRedMail Easy or the downloadable installer?: Installer
- Linux/BSD distribution name and version: CentOS 7.8
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MariaDB
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro?: Yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

I'm going to post this question and partial answer, partially as an example of why it helps to write a question methodically and carefully, because writing it out often (for me anyway) leads to the answer. However, it's only a partial answer, as I'm still looking for information.

Here's the original post:

I am having an issue with two copies of the same email (same "Message-Id") being scored by SA differently. The copy that does not go through Sieve is not scored as spam, but the copy that does go through Sieve is classed as spam. (My cut-off is 3.5 points, not the default of 5.) The difference is that the copy that goes through Sieve gets 3.558 points from RCVD_IN_SBL_CSS. The copy that goes through Sieve never leaves the server; it is delivered locally.

I understand what the RCVD_IN_SBL_CSS check does, and I've read a bunch of mailing list emails that suggest that IP addresses go in and out of the Spamhaus blacklists; I know that, but not within milliseconds of the two instances being scanned, and this happens consistently. When I check the IP manually at Spamhaus it is consistently not in the SBL or CSS lists; those checks obviously don't happen at the exact same moment, but like I say, they do almost simultaneously when the message comes in.

The server in question doesn't actually send email to the public anyway (just me, root), and the IP has been under my control for about six months.

When obfuscating the original emails (below) I finally realised that the listing was for the IPv6 address, not the IPv4, which was not listed. Spamhaus even mentions Linode specifically with this issue, and Linode is where I host this VPS.

QUESTION: It's still not clear to me why one copy of the message, which goes straight to an account on the receiving server (not through Sieve), does not get tagged with RCVD_IN_SBL_CSS, but the copy that goes through Sieve does get tagged with RCVD_IN_SBL_CSS. Any ideas?


Craig




Copy that is not marked as spam:

Return-Path: <root@server1.example.com>
Delivered-To: notices.server@example.net
Received: from server2.example.com (localhost.localdomain [127.0.0.1]) by
 server2.example.com (Postfix) with ESMTP id 907CB28C0DA for
 <notices.server@example.net>; Fri,  2 Oct 2020 16:22:01 +0000 (UTC)
X-Virus-Scanned: amavisd-new at server2.example.com
X-Spam-Flag: NO
X-Spam-Score: 0.002
X-Spam-Level:
X-Spam-Status: No, score=0.002 tagged_above=-999 required=3.5
 tests=[SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from server2.example.com ([127.0.0.1]) by server2.example.com
 (server2.example.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id
 wbKBkpvPXKe8 for <notices.server@example.net>; Fri,  2 Oct 2020 16:21:47
 +0000 (UTC)
Received: from server1.example.com (server1.example.com
 [IPv6:2600:x::x:x:x:x]) by server2.example.com (Postfix) with
 ESMTPS id 0234228C0EC for <notices@example.net>; Fri,  2 Oct 2020 16:21:46
 +0000 (UTC)
Received: by server1.example.com (Postfix, from userid 0) id D04745B0A;
 Fri,  2 Oct 2020 16:21:33 +0000 (UTC)
Date: Fri, 02 Oct 2020 16:21:33 +0000
To: notices@example.net
Subject: ALERT: Root Access (SERVER1)
User-Agent: Heirloom mailx 12.5 7/5/10
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20201002162133.D04745B0A@server1.example.com>
From: root@server1.example.com (root)

Root shell access to SERVER1 on Fri Oct 2 16:21:33 UTC 2020 by user pts/1 2020-10-02 16:21 (REVERSE_DNS)

Copy that is marked as spam:

Return-Path: <root@server1.example.com>
Delivered-To: craig@example.net
Received: from server2.example.com (localhost.localdomain [127.0.0.1]) by
 server2.example.com (Postfix) with ESMTP id 9E1FE28C0DA for
 <craig@example.net>; Fri,  2 Oct 2020 16:22:15 +0000 (UTC)
X-Virus-Scanned: amavisd-new at server2.example.com
X-Spam-Flag: YES
X-Spam-Score: 3.558
X-Spam-Level: ***
X-Spam-Status: Yes, score=3.558 tagged_above=-999 required=3.5
 tests=[RCVD_IN_SBL_CSS=3.558] autolearn=no autolearn_force=no
Received: from server2.example.com ([127.0.0.1]) by server2.example.com
 (server2.example.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id
 hVLulRyS6oqb for <craig@example.net>; Fri,  2 Oct 2020 16:22:01 +0000
 (UTC)
Received: by server2.example.com (Postfix, from userid 2000) id A120328C0F1;
 Fri,  2 Oct 2020 16:22:01 +0000 (UTC)
X-Sieve: Pigeonhole Sieve 0.4.24.2 (aaba65b7)
X-Sieve-Redirected-From: notices.server@example.net
Delivered-To: notices.server@example.net
Received: from server2.example.com (localhost.localdomain [127.0.0.1]) by
 server2.example.com (Postfix) with ESMTP id 907CB28C0DA for
 <notices.server@example.net>; Fri,  2 Oct 2020 16:22:01 +0000 (UTC)
X-Virus-Scanned: amavisd-new at server2.example.com
Received: from server2.example.com ([127.0.0.1]) by server2.example.com
 (server2.example.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id
 wbKBkpvPXKe8 for <notices.server@example.net>; Fri,  2 Oct 2020 16:21:47
 +0000 (UTC)
Received: from server1.example.com (server1.example.com
 [IPv6:2600:x::x:x:x:x]) by server2.example.com (Postfix) with
 ESMTPS id 0234228C0EC for <notices@example.net>; Fri,  2 Oct 2020 16:21:46
 +0000 (UTC)
Received: by server1.example.com (Postfix, from userid 0) id D04745B0A;
 Fri,  2 Oct 2020 16:21:33 +0000 (UTC)
Date: Fri, 02 Oct 2020 16:21:33 +0000
To: notices@example.net
Subject: ***Spam*** ALERT: Root Access (SERVER1)
User-Agent: Heirloom mailx 12.5 7/5/10
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20201002162133.D04745B0A@server1.example.com>
From: root@server1.example.com (root)

Root shell access to SERVER1 on Fri Oct 2 16:21:33 UTC 2020 by user pts/1 2020-10-02 16:21 (REVERSE_DNS)

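An added example, not code from the thread or from iRedMail, that makes the question above checkable on the header evidence alone: it walks the Received chain of both copies the way SpamAssassin's "-lastexternal" DNSBL rules do, picks the first relay outside an assumed trusted_networks list (127.0.0.0/8 and ::1, an assumption for server2), and builds the reversed-octet (IPv4) or reversed-nibble (IPv6) zen.spamhaus.org query name for that address. The two header chains are constructed from the post, with the obfuscated IPv6 address replaced by the documentation address 2001:db8::1; no DNS lookup is made, so it runs offline. On these headers both copies resolve to the same IPv6 relay, which is the address to check by hand rather than the IPv4 one.

```python
import ipaddress
import re

# Constructed sample headers (from the post, IPv6 replaced by 2001:db8::1).
# Copy delivered straight to notices.server@example.net:
COPY_DIRECT = """\
Received: from server2.example.com (localhost.localdomain [127.0.0.1]) by
 server2.example.com (Postfix) with ESMTP id 907CB28C0DA for
 <notices.server@example.net>; Fri,  2 Oct 2020 16:22:01 +0000 (UTC)
Received: from server2.example.com ([127.0.0.1]) by server2.example.com
 (server2.example.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id
 wbKBkpvPXKe8 for <notices.server@example.net>; Fri,  2 Oct 2020 16:21:47
 +0000 (UTC)
Received: from server1.example.com (server1.example.com
 [IPv6:2001:db8::1]) by server2.example.com (Postfix) with
 ESMTPS id 0234228C0EC for <notices@example.net>; Fri,  2 Oct 2020 16:21:46
 +0000 (UTC)
Received: by server1.example.com (Postfix, from userid 0) id D04745B0A;
 Fri,  2 Oct 2020 16:21:33 +0000 (UTC)
"""

# Copy redirected by Sieve: three more hops stacked on top of the same chain.
COPY_SIEVE = """\
Received: from server2.example.com (localhost.localdomain [127.0.0.1]) by
 server2.example.com (Postfix) with ESMTP id 9E1FE28C0DA for
 <craig@example.net>; Fri,  2 Oct 2020 16:22:15 +0000 (UTC)
Received: from server2.example.com ([127.0.0.1]) by server2.example.com
 (server2.example.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id
 hVLulRyS6oqb for <craig@example.net>; Fri,  2 Oct 2020 16:22:01 +0000
 (UTC)
Received: by server2.example.com (Postfix, from userid 2000) id A120328C0F1;
 Fri,  2 Oct 2020 16:22:01 +0000 (UTC)
X-Sieve: Pigeonhole Sieve 0.4.24.2 (aaba65b7)
X-Sieve-Redirected-From: notices.server@example.net
""" + COPY_DIRECT

SAMPLE_COPIES = {"direct": COPY_DIRECT, "via_sieve": COPY_SIEVE}

# Assumed trusted_networks for server2 (loopback only); adjust to your setup.
TRUSTED = ["127.0.0.0/8", "::1/128"]

# Matches the client address of a "Received: from host (... [ip])" header.
RECEIVED_FROM = re.compile(r"^Received:\s+from\s+\S+.*?\[(?:IPv6:)?([^\]]+)\]")


def unfold(header_block):
    """Join RFC 5322 continuation lines (leading whitespace) onto their header."""
    lines = []
    for raw in header_block.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw)
    return lines


def relay_ips(header_block):
    """Client IP of each Received: header, most recent first (the order SA walks).
    Headers without a 'from host [ip]' clause (local submissions) are skipped."""
    return [ipaddress.ip_address(m.group(1))
            for m in map(RECEIVED_FROM.match, unfold(header_block)) if m]


def last_external(header_block, trusted=TRUSTED):
    """First relay, walking down from the top, whose IP lies outside the trusted
    networks: the relay that SpamAssassin's -lastexternal DNSBL rules test."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    for ip in relay_ips(header_block):
        if not any(ip in n for n in nets):
            return ip
    return None


def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """DNSBL lookup name: reversed octets for IPv4, reversed hex nibbles for IPv6."""
    ip = ipaddress.ip_address(ip)
    if ip.version == 4:
        labels = str(ip).split(".")[::-1]
    else:
        labels = list(ip.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


def compare(copies, trusted=TRUSTED):
    """Map each copy name to (last-external IP, DNSBL query name), or None."""
    result = {}
    for name, block in copies.items():
        ip = last_external(block, trusted)
        result[name] = (str(ip), dnsbl_query_name(ip)) if ip else None
    return result


if __name__ == "__main__":
    for name, found in compare(SAMPLE_COPIES).items():
        print(f"{name}: {found}")
```

If the query name printed for the IPv6 relay resolves when you look it up by hand (for example with dig), the CSS listing is on the IPv6 address, which is exactly what the post found; a lookup of the reversed IPv4 address alone will not show it.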

2

Re: Identical messages scored differently by SA

Frankly, I have no idea why Amavisd got different results. :(
Better to ask on the Amavisd mailing list instead.

3

Re: Identical messages scored differently by SA

ZhangHuangbin wrote:

Frankly, I have no idea why Amavisd got different results. :(
Better to ask on the Amavisd mailing list instead.

Agreed. I'll add that to my never-ending to-do list! :)


Craig