The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

emails being delivered to spam folder, but don't know why

Discussion in 'E-mail Discussions' started by keat63, Jun 3, 2016.

Tags:
  1. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    I've had a larger than normal number of emails delivered to a users spam folder, but for the life of me can't figure out why.

    The headers would indicate a spam score of say 0.9 with the threshold configured for 5.0, so marked in the header as Spam = No.

    I have no user or account level filter that would have delivered them to the spam folder.

    Code:
    2016-05-31 09:01:01 1b7ebk-0005l1-Jc H=mail1.bemta12.messagelabs.com [xxx.xx.251.14]:60780 Warning: Message has been scanned: no virus or other harmful content was found
    
    2016-05-31 09:01:02 1b7ebk-0005l1-Jc H=mail1.bemta12.messagelabs.com [xxx.xx.251.14]:60780 Warning: "SpamAssassin as mydomainukltd detected message as NOT spam (0.9)"
    
    2016-05-31 09:01:02 1b7ebk-0005l1-Jc <= r.l.field@customer.com H=mail1.bemta12.messagelabs.com [xxx.xx.251.14]:60780 P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=99222 id=ADR410000001019830100017A477141C1EE689E0B59F2B3A60F0@eu.zzzzz.com T="Purchase Order Modine 406357 45366106" for sales@mydomain.org.uk
    
    2016-05-31 09:01:02 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1b7ebk-0005l1-Jc
    
    2016-05-31 09:01:02 1b7ebk-0005l1-Jc => /home/mydomainukltd/mail/mydomain.org.uk/sales/.spam/ <sales@mydomain.org.uk> R=virtual_user_filter T=address_directory
    
    2016-05-31 09:01:02 1b7ebk-0005l1-Jc Completed
    
    any thoughts why this went to spam.
     
    #1 keat63, Jun 3, 2016
    Last edited: Jun 3, 2016
  2. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Just one thing I did notice in the headers on two of the emails before I delivered them to the inbox, They both had reference to being listed on Pyzor.
    I'm aware that /etc/mail/spamassassin/local.cf has reference to Pyzor.
    Could it be related ?
     
  3. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Got another one this morning. Any thoughts please ?

    Code:
    Subject: Emailing - A060616092605BEA0569084P06_01_1.pdf
    Thread-Topic: Emailing - A060616092605BEA0569084P06_01_1.pdf
    Thread-Index: AdG/zLs3vf93eeLoSpy0TVo16lSNsw==
    Date: Mon, 6 Jun 2016 08:23:40 +0000
    Message-ID: <F97550822F01D646BD976FA949841F5201532EB1@ARMEGSRV01.xxxx.local>
    Accept-Language: en-US
    Content-Language: en-US
    X-MS-Has-Attach: yes
    X-MS-TNEF-Correlator:
    x-originating-ip: [xx.0.0.xxx]
    Content-Type: multipart/mixed;
        boundary="_004_F97550822F01D646BD976FA949841F5201532EB1ARMEGSRV01xxxxx_"
    MIME-Version: 1.0
    X-Spam-Status: No, score=2.4
    X-Spam-Score: 24
    X-Spam-Bar: ++
    X-Ham-Report: Spam detection software, running on the system "host.myserver.co.uk",
    has NOT identified this incoming email as spam.  The original
    message has been attached to this so you can view it or label
    similar future email.  If you have any questions, see
    root\@localhost for details.
    
    Content preview:  [...]
    
    Content analysis details:   (2.4 points, 5.0 required)
    
      pts rule name              description
    ---- ---------------------- --------------------------------------------------
      1.1 KAM_COUK               Scoring .co.uk emails higher due to poor registry security.
      0.0 HTML_MESSAGE           BODY: HTML included in message
    -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                                 [score: 0.0000]
      0.4 MIME_HTML_MOSTLY       BODY: Multipart message mostly text/html MIME
      1.8 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
      0.0 FSL_BULK_SIG           Bulk signature with no Unsubscribe
      0.0 TVD_SPACE_RATIO        No description available.
      1.0 KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any
                                 anti-forgery methods
    X-Spam-Flag: NO
    
    
    Code:
    2016-06-06 09:29:58 1b9pv3-0004KU-O5 H=gmy2-mh807.smtproutes.com [xx.xxx.xxx.xx]:50639 Warning: Message has been scanned: no virus or other harmful content was found
    
    2016-06-06 09:29:58 1b9pv3-0004KU-O5 H=gmy2-mh807.smtproutes.com [xx.xxx.xxx.xx]:50639 Warning: "SpamAssassin as mydom detected message as NOT spam (2.4)"
    
    2016-06-06 09:29:59 1b9pv3-0004KU-O5 <= j.offler@customer.co.uk H=gmy2-mh807.smtproutes.com [xx.xxx.xxx.xx]:50639 P=esmtp S=58497 id=F97550822F01D646BD976FA949841F5201532EB1@customerSRV01.customer.local T="Emailing - A060616092605BEA0569084P06_01_1.pdf" for sales@mydom.com
    
    2016-06-06 09:29:59 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1b9pv3-0004KU-O5
    
    2016-06-06 09:29:59 1b9pv3-0004KU-O5 => /home/mydom/mail/mydom.com/sales/.spam/ <sales@mydom.com> R=virtual_user_filter T=address_directory
    
    2016-06-06 09:29:59 1b9pv3-0004KU-O5 Completed
    
     
    #3 keat63, Jun 6, 2016
    Last edited: Jun 6, 2016
  4. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    OK, so I think I found it, but could now do with understanding why this just started happening.

    99.99999% of all email which has the words 'Unsubscribe' is generally considered unsolicited spam. (certainly for the mailbox concerned anyway)
    Why should I have to unsubscribe from something i never subscribed to, to begin with.
    So for over 12 months (maybe more), we've had a filter rule, which goes along the lines.

    'If body or header contains 'Unsubscribe' then send to spam.'

    The headers on this email states the following
    '0.0 FSL_BULK_SIG Bulk signature with no Unsubscribe'

    I guess this is why it was sent to spam.
    Where did this come from, is this a new feature of Spam Assasin. ?
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    SpamAssassin updates their default rules to help stop new SPAM techniques. I suggest modifying the existing filter rule you are using to take that header entry into consideration when filtering emails. For example, you may want to edit the filter rule so it only applies to the message body.

    Thank you.
     
  6. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    For the time being, I deleted the rule so I can monitor the spam folder.
    Thanks
     
Loading...

Share This Page