1

Topic: Email from whitelisted sender tagged as spam

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.7
- Linux/BSD distribution name and version: FreeBSD 11.1-RELEASE-p6
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? Yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

This server is setting "X-Spam-Flag: YES" for email from a single address listed in the systemwide whitelist. This particular email has an X-Spam-Score of 0.52, while the configured threshold is 6.0.

Possibly relevant is that this system runs the Mailman mailing list manager, and the sender is posting to a list managed by Mailman. However, (a) I think spam classification happens before handoff to Mailman and (b) the system is not tagging other list users' messages as spam.

Thanks in advance for clues on getting the system not to classify mail from this whitelisted sender's address as spam.


2

Re: Email from whitelisted sender tagged as spam

You can check the Amavisd log for the matched SpamAssassin rules and scores; it will help you locate the issue.

3

Re: Email from whitelisted sender tagged as spam

Sorry for the delay in responding.

Here's an amavisd log entry for a message from paloaltonetworks.com. I've obfuscated the recipient to be someuser@example.com. The global spam threshold is 6.0 and this mail's score was 3.887, but it still ended up in the user's junk folder. This particular source domain was not whitelisted at the time (it is now), but I am getting false positives below 6.0 from other domains that are whitelisted.

Mar  6 10:13:47 mail8 amavis[56103]: (56103-09) Passed SPAM {RelayedTaggedInbound}, [50.31.63.248]:42151 [199.167.52.254] <bounces+574567-8e71-someuser=example.com@email.paloaltonetworks.com> -> <someuser@example.com>, Queue-ID: 49F4C5E649D, Message-ID: <O5uDaJwgTI6V6OGOFu5yLQ@ismtpd0006p1sjc2.sendgrid.net>, mail_id: EOzTIoEaXrwI, Hits: 3.887, size: 5190, queued_as: 206155E678C, dkim_sd=smtpapi:paloaltonetworks.com, 2357 ms, Tests: [BAYES_50=0.8,DCC_CHECK=1.1,DKIM_SIGNED=0.1,DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,HTML_IMAGE_ONLY_28=1.404,HTML_MESSAGE=0.001,HTML_MIME_NO_HTML_TAG=0.377,MIME_HTML_ONLY=0.723,MISSING_HEADERS=1.021,RCVD_IN_MSPIKE_H4=-0.01,RCVD_IN_MSPIKE_WL=-0.01,RP_MATCHES_RCVD=-1.418,SPF_PASS=-0.001]

How to ensure stuff ranked below 6.0 doesn't go into the Junk folder? Thanks.

4

Re: Email from whitelisted sender tagged as spam

cvcvelo wrote:

... Hits: 3.887, ...
BAYES_50=0.8
DCC_CHECK=1.1
DKIM_SIGNED=0.1
DKIM_VALID=-0.1
DKIM_VALID_AU=-0.1
HTML_IMAGE_ONLY_28=1.404
HTML_MESSAGE=0.001
HTML_MIME_NO_HTML_TAG=0.377
MIME_HTML_ONLY=0.723
MISSING_HEADERS=1.021
RCVD_IN_MSPIKE_H4=-0.01
RCVD_IN_MSPIKE_WL=-0.01
RP_MATCHES_RCVD=-1.418
SPF_PASS=-0.001

This email got 3.887 score, and it's passed.

According to the detailed rules and scores, it seems the message generated by Mailman (or some other program/MUA) did not follow the RFC documents strictly.

But back to the issue, which sender/ip/domain did you whitelist?

5

Re: Email from whitelisted sender tagged as spam

1. "This email got 3.887 score, and it's passed."

This example was regular email, not a Mailman message, and it didn't pass -- it ended up in the Junk folder even though its score was < 6.0. Are you saying that messages lower than 6.0 will still be classified as Junk if they are considered RFC violations?

2. Getting back on subject, here is a message to a Mailman mailing list. It was classified as spam even though its score is just 1.92 and even though its sender (sender@sbcglobal.net) is whitelisted.

It could be that because Mailman rewrites the sender address with the list address, the message still gets tagged as Junk. I've added the list address to the whitelist, but I still don't know why _any_ message with a score below 6.0 ends up tagged as spam.

Thanks in advance for helping understand this.

Return-Path: <mylist-bounces@lists.potrzebie.org>
Delivered-To: someuser@example.com
Received: from mail8.networktest.com (localhost [127.0.0.1])
    by mail8.networktest.com (Postfix) with ESMTP id 434C05E6944
    for <someuser@example.com>; Tue,  6 Mar 2018 11:31:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at mail8.networktest.com
X-Spam-Flag: YES
X-Spam-Score: 1.92
X-Spam-Level: *
X-Spam-Status: Yes, score=1.92 tagged_above=0 required=0 tests=[BAYES_05=-0.5,
    DKIM_SIGNED=0.1, FORGED_MUA_MOZILLA=2.309, HTML_MESSAGE=0.001,
    RCVD_IN_DNSWL_NONE=-0.0001, T_DKIM_INVALID=0.01]
    autolearn=no autolearn_force=no
Authentication-Results: mail8.networktest.com (amavisd-new);
    dkim=fail (2048-bit key) reason="fail (message has been altered)"
    header.d=sbcglobal.net
Received: from mail8.networktest.com ([127.0.0.1])
    by mail8.networktest.com (mail8.networktest.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id DMCZVfkjZm9Z for <someuser@example.com>;
    Tue,  6 Mar 2018 11:31:10 -0800 (PST)
Received: from mail8.networktest.com (localhost [IPv6:::1])
    by mail8.networktest.com (Postfix) with ESMTP id E5ABC5E678C;
    Tue,  6 Mar 2018 11:31:09 -0800 (PST)
Delivered-To: mylist@mail8.networktest.com
Received: from mail8.networktest.com (localhost [127.0.0.1])
by mail8.networktest.com (Postfix) with ESMTP id E26775E649D
for <mylist@mail8.networktest.com>; Tue,  6 Mar 2018 11:31:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at mail8.networktest.com
Received: from mail8.networktest.com ([127.0.0.1])
by mail8.networktest.com (mail8.networktest.com [127.0.0.1]) (amavisd-new,
port 10024)
with ESMTP id 0WeD6Rh7y0fy for <mylist@mail8.networktest.com>;
Tue,  6 Mar 2018 11:31:06 -0800 (PST)
Received: from sonic312-24.consmr.mail.bf2.yahoo.com
(sonic312-24.consmr.mail.bf2.yahoo.com [74.6.128.86])
by mail8.networktest.com (Postfix) with ESMTPS id 587AB5E60BF
for <mylist@lists.potrzebie.org>; Tue,  6 Mar 2018 11:31:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sbcglobal.net; s=s2048;
t=1520364653; bh=1KddQPDQOeuJG/zkgNa+XrCh2XT2qCCg/i724cpZOYE=;
h=Date:From:Reply-To:To:Subject:References:From:Subject;
b=odEJWobeva1j7aafJTklhjdb4851XERWxYqcOGYTBDIGQ7wDqdPC9kkjbAhwCddH2DefSE+I1+WZHbb76hD/236BssM1taLQhagii7/+28X6r1ksbRQyv+sh7X+D5bpHcp5O3hR0yXCWpJAlyseyf2aenIJW1Pg3tllXZpfH58WtGmpRFqoppXJFR0bXpF68GRkMSRWku0ZOMO4B0OingaGsubQvzLcQ5zozKmVV8HBd/PXgo5M0cnLFKEPm8PUgaavjlVTD16FJhXJJuB9yA7wj7zGZ4cK+QTnxzDMWzo87z+QVhw/Nbf+k1lnhpjF7U1cO6BfbHE0bON4gtCQopw==
Received: from sonic.gate.mail.ne1.yahoo.com by
sonic312.consmr.mail.bf2.yahoo.com with HTTP; Tue, 6 Mar 2018 19:30:53 +0000
Date: Tue, 6 Mar 2018 19:30:15 +0000 (UTC)
To: mylist <mylist@lists.potrzebie.org>
Message-ID: <1725193591.12081750.1520364615089@mail.yahoo.com>
MIME-Version: 1.0
References: <1725193591.12081750.1520364615089.ref@mail.yahoo.com>
X-Mailer: WebService/1.1.11419 YahooMailNeo Mozilla/5.0 (Windows NT 10.0; WOW64;
Trident/7.0; rv:11.0) like Gecko/20100101 Firefox/12.0
Subject: ***Spam*** [mylist] This is a post to a Mailman list
X-BeenThere: mylist@lists.potrzebie.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: mylist <mylist.lists.potrzebie.org>
List-Unsubscribe: <http://lists.potrzebie.org/mailman/options/mylist>,
<mailto:mylist-request@lists.potrzebie.org?subject=unsubscribe>
List-Archive: <http://lists.potrzebie.org/mailman/private/mylist/>
List-Post: <mailto:mylist@lists.potrzebie.org>
List-Help: <mailto:mylist-request@lists.potrzebie.org?subject=help>
List-Subscribe: <http://lists.potrzebie.org/mailman/listinfo/mylist>,
<mailto:mylist-request@lists.potrzebie.org?subject=subscribe>
From: Mr. Sender via mylist <mylist@lists.potrzebie.org>
Reply-To: mylist@lists.potrzebie.org
Cc: Mr. Sender <sender@sbcglobal.net>
Content-Type: multipart/mixed; boundary="===============3002529418111934572=="
Errors-To: mylist-bounces@lists.potrzebie.org
Sender: "mylist" <mylist-bounces@lists.potrzebie.org>

6

Re: Email from whitelisted sender tagged as spam

cvcvelo wrote:

its sender (sender@sbcglobal.net) is whitelisted.

How did you whitelist it? With iRedAdmin-Pro? Could you please capture a screenshot of the whitelist page for me to understand it?

Also, did you see the SpamAssassin rule "FORGED_MUA_MOZILLA=2.309"? Yahoo webmail includes web browser info in the 'X-Mailer:', and this triggered 2.309 points.

7

Re: Email from whitelisted sender tagged as spam

I think I found the problem: Mailman has a munge-headers option that is very good for fighting list spam, but also changes the final From: header to the list address. The list address was not whitelisted, and so some things were getting classified as spam regardless of the original From: address.

Since whitelisting the list address, the server has not classified any more list email as spam.

There's a separate issue I still don't understand, which is why the server classifies as spam email with an X-Spam-Score: below the spam threshold. OK to close this thread; I'll open a separate thread on that topic.

Thanks as always, ZHB, for your help!
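
Added example, not part of the original thread and not iRedMail or amavisd code: a Python check for the question left open above. It parses the X-Spam-Status header posted in post 5, whose own `required=` field reads 0, and compares that value with the 6.0 threshold the poster expected; the function names, finding labels and the trimmed log sample are constructed for illustration.

```python
import re

EXPECTED_REQUIRED = 6.0  # global threshold the poster says is configured

# Constructed samples: header text copied from post 5, log line trimmed from post 3.
SAMPLE_HEADER = (
    "X-Spam-Status: Yes, score=1.92 tagged_above=0 required=0 tests=[BAYES_05=-0.5,\n"
    "    DKIM_SIGNED=0.1, FORGED_MUA_MOZILLA=2.309, HTML_MESSAGE=0.001,\n"
    "    RCVD_IN_DNSWL_NONE=-0.0001, T_DKIM_INVALID=0.01]\n"
    "    autolearn=no autolearn_force=no\n"
)
SAMPLE_LOG = ("Mar  6 10:13:47 mail8 amavis[56103]: (56103-09) Passed SPAM "
              "{RelayedTaggedInbound}, Hits: 3.887, size: 5190")

STATUS_RE = re.compile(
    r"X-Spam-Status:\s*(Yes|No),\s*score=(-?[\d.]+)\s+tagged_above=(-?[\d.]+)"
    r"\s+required=(-?[\d.]+)\s+tests=\[([^\]]*)\]", re.I)

def parse_spam_status(raw):
    """Unfold a (possibly folded) X-Spam-Status header and return its fields."""
    text = re.sub(r"\r?\n[ \t]+", " ", raw)
    m = STATUS_RE.search(text)
    if not m:
        return None
    tests = {}
    for item in m.group(5).split(","):
        name, _, value = item.strip().partition("=")
        if name:
            tests[name] = float(value)
    return {"flag": m.group(1).lower() == "yes", "score": float(m.group(2)),
            "tagged_above": float(m.group(3)), "required": float(m.group(4)),
            "tests": tests}

def diagnose(status, expected=EXPECTED_REQUIRED):
    """List reasons the verdict disagrees with the threshold the admin expects."""
    findings = []
    if status["required"] != expected:
        findings.append("threshold_mismatch")      # header shows another level
    if status["flag"] and status["score"] < expected:
        findings.append("flagged_below_expected")  # the symptom in the thread
    return findings

def parse_amavis_verdict(line):
    """Return (verdict, hits) from an amavisd 'Passed'/'Blocked' log line."""
    m = re.search(r"\b(?:Passed|Blocked) (\S+) .*?Hits: (-?[\d.]+)", line)
    return (m.group(1), float(m.group(2))) if m else None

if __name__ == "__main__":
    status = parse_spam_status(SAMPLE_HEADER)
    print(status["score"], status["required"], diagnose(status))
    print(parse_amavis_verdict(SAMPLE_LOG))
```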