emails being delivered to spam folder, but don't know why

[keat63]

I've had a larger than normal number of emails delivered to a users spam folder, but for the life of me can't figure out why.

The headers would indicate a spam score of say 0.9 with the threshold configured for 5.0, so marked in the header as Spam = No.

I have no user or account level filter that would have delivered them to the spam folder.

2016-05-31 09:01:01 1b7ebk-0005l1-Jc H=mail1.bemta12.messagelabs.com [xxx.xx.251.14]:60780 Warning: Message has been scanned: no virus or other harmful content was found

2016-05-31 09:01:02 1b7ebk-0005l1-Jc H=mail1.bemta12.messagelabs.com [xxx.xx.251.14]:60780 Warning: "SpamAssassin as mydomainukltd detected message as NOT spam (0.9)"

2016-05-31 09:01:02 1b7ebk-0005l1-Jc <= [email protected] H=mail1.bemta12.messagelabs.com [xxx.xx.251.14]:60780 P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=99222 [email protected].com T="Purchase Order Modine 406357 45366106" for [email protected]

2016-05-31 09:01:02 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1b7ebk-0005l1-Jc

2016-05-31 09:01:02 1b7ebk-0005l1-Jc => /home/mydomainukltd/mail/mydomain.org.uk/sales/.spam/ <[email protected]> R=virtual_user_filter T=address_directory

2016-05-31 09:01:02 1b7ebk-0005l1-Jc Completed

any thoughts why this went to spam.

 

[keat63]

Just one thing I did notice in the headers on two of the emails before I delivered them to the inbox, They both had reference to being listed on Pyzor.
I'm aware that /etc/mail/spamassassin/local.cf has reference to Pyzor.
Could it be related ?

 

[keat63]

Got another one this morning. Any thoughts please ?

Subject: Emailing - A060616092605BEA0569084P06_01_1.pdf
Thread-Topic: Emailing - A060616092605BEA0569084P06_01_1.pdf
Thread-Index: AdG/zLs3vf93eeLoSpy0TVo16lSNsw==
Date: Mon, 6 Jun 2016 08:23:40 +0000
Message-ID: <[email protected]>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [xx.0.0.xxx]
Content-Type: multipart/mixed;
    boundary="_004_F97550822F01D646BD976FA949841F5201532EB1ARMEGSRV01xxxxx_"
MIME-Version: 1.0
X-Spam-Status: No, score=2.4
X-Spam-Score: 24
X-Spam-Bar: ++
X-Ham-Report: Spam detection software, running on the system "host.myserver.co.uk",
has NOT identified this incoming email as spam.  The original
message has been attached to this so you can view it or label
similar future email.  If you have any questions, see
root\@localhost for details.

Content preview:  [...]

Content analysis details:   (2.4 points, 5.0 required)

  pts rule name              description
---- ---------------------- --------------------------------------------------
  1.1 KAM_COUK               Scoring .co.uk emails higher due to poor registry security.
  0.0 HTML_MESSAGE           BODY: HTML included in message
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                             [score: 0.0000]
  0.4 MIME_HTML_MOSTLY       BODY: Multipart message mostly text/html MIME
  1.8 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
  0.0 FSL_BULK_SIG           Bulk signature with no Unsubscribe
  0.0 TVD_SPACE_RATIO        No description available.
  1.0 KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any
                             anti-forgery methods
X-Spam-Flag: NO

2016-06-06 09:29:58 1b9pv3-0004KU-O5 H=gmy2-mh807.smtproutes.com [xx.xxx.xxx.xx]:50639 Warning: Message has been scanned: no virus or other harmful content was found

2016-06-06 09:29:58 1b9pv3-0004KU-O5 H=gmy2-mh807.smtproutes.com [xx.xxx.xxx.xx]:50639 Warning: "SpamAssassin as mydom detected message as NOT spam (2.4)"

2016-06-06 09:29:59 1b9pv3-0004KU-O5 <= [email protected] H=gmy2-mh807.smtproutes.com [xx.xxx.xxx.xx]:50639 P=esmtp S=58497 [email protected]er.local T="Emailing - A060616092605BEA0569084P06_01_1.pdf" for [email protected]

2016-06-06 09:29:59 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1b9pv3-0004KU-O5

2016-06-06 09:29:59 1b9pv3-0004KU-O5 => /home/mydom/mail/mydom.com/sales/.spam/ <[email protected]> R=virtual_user_filter T=address_directory

2016-06-06 09:29:59 1b9pv3-0004KU-O5 Completed

 

[keat63]

OK, so I think I found it, but could now do with understanding why this just started happening.

99.99999% of all email which has the words 'Unsubscribe' is generally considered unsolicited spam. (certainly for the mailbox concerned anyway)
Why should I have to unsubscribe from something i never subscribed to, to begin with.
So for over 12 months (maybe more), we've had a filter rule, which goes along the lines.

'If body or header contains 'Unsubscribe' then send to spam.'

The headers on this email states the following
'0.0 FSL_BULK_SIG Bulk signature with no Unsubscribe'

I guess this is why it was sent to spam.
Where did this come from, is this a new feature of Spam Assasin. ?

 

[cPanelMichael]

'If body or header contains 'Unsubscribe' then send to spam.'

The headers on this email states the following
'0.0 FSL_BULK_SIG Bulk signature with no Unsubscribe'

I guess this is why it was sent to spam.
Where did this come from, is this a new feature of Spam Assasin. ?

Hello,

SpamAssassin updates their default rules to help stop new SPAM techniques. I suggest modifying the existing filter rule you are using to take that header entry into consideration when filtering emails. For example, you may want to edit the filter rule so it only applies to the message body.

Thank you.

 

[keat63]

For the time being, I deleted the rule so I can monitor the spam folder.
Thanks