E-mails being treated as spam despite having negative SA score

I'm at a complete loss on this one and the client is getting really upset about e-mails ending up in their spam account. It only seems to happen with messages from one specific domain, but it's an important one they need to be receiving e-mail from. The domain is even in SA's white list but the messages are still getting redirected to their spam account

Running WHM 11.28.86 the accounts are setup with SpamAssassin, box trapper was running but has been disabled since we initially thought it was somehow to blame. They have 8 filters setup to catch spam and redirect them to a gmail account used for collecting spam. The 6 of the 8 filters look for the words "acai" "viagra" "pfizer" in the subject or header and redirect to the spam address if found. The other two filters check the X-Spam-Status and X-Spam-Bar fields and also redirect to the spam address if found.

I've used the "Filter Test" on the account level filtering cpanel page (they have no user level filters configured, I double checked.) and the messages that are getting redirected come up as "Normal Delivery" showing that they don't match any of the filters. Yet for some reason when they initially come in they are getting redirected.

The only thing odd I see in the headers are two X-Spam-Status lines:

At the very top of the headers between two "Received:" headers and before the From: Sender: To: and Cc: headers. Then lower down where I expect to find them:

(Private information redacted in the content preview and our server name replaced with "OUR SERVER" for privacy)

So bottom line is I can't find anything configured on this account that should be forwarding these messages to their spam account instead of normal delivery. But they keep ending up in the spam account instead of the users inbox.

Any help would be greatly appreciated as the client is getting very anxious. We even tried moving them from an older server, with an older version of WHM/Cpanel, to a new server with this version. In large part because they were using box trapper on some accounts and the old server had a bug that was putting /'s into the addresses in their boxtrapper white lists causing them not to be detected. But due to these issues they've disabled boxtrapper entirely in cause it was contributing to the problem.

 

Sorry for the slow reply, I had notifications enabled but never saw one that there had been a reply.

Today I was able to determine which filter is being triggered. Since the filters forward to a gmail box I added some + addressing to be able to determine which filter was causing messages to forward. And confirmed it's the one checking the X-Spam-Status:

It shows up on the account level filtering page as:

$h_X-Spam-Status: contains Yes

It has one rule setup: "Spam Status" "Contains" "yes" Redirect to ACCOUNT+ss@gmail.com

(with the actual account name replaced by ACCOUNT)

What's odd though is sending that same message through the filter test it doesn't trigger the filter and says it would be delivered normally, which makes sense since neither "X-Spam-Status" line contains "Yes". Though I do see the Filter Trace saying "Warning: no message headers read" even though the message headers are being pasted into the input box.

Spam Status header that appears before the normal message headers:

Spam Status header from our server in the normal location:

Ok, little update. I was able to get the Filter Trace to work. There was a blank line at the top of the message I was pasting which apparently was causing it to not detect any headers. With the blank line removed the Filter trace returns:

However neither X-Spam-Status line actually does contain "Yes" The one that's being added before the message gets to our server does contain "BAYES" which has yes within it.

So I guess the new question is how to rewrite that filter so it won't trigger on "BAYES"

 

I would have assumed that equals would require the entire header to match. Live and learn. I changed it to "starts with" which is what I noticed most of our other clients were using since the yes/no is always the first thing.