Emails sent by third party server always blocked as spam

Operating System & Version
CentOS 7.8
cPanel & WHM Version
88.0.10

kerb

Member
Jul 25, 2017
9
1
3
Canada
cPanel Access Level
Root Administrator
Hello,

I'm the cPanel/WHM server admin for a client of mine, who have many of their own clients hosted on the server. My client is using a third party service, bitrix24.com, which sends out emails. Bitrix24 works with mail by requiring you to enter the details of your own SMTP server (including username and password so it can authenticate), and uses that to send its mail, so it basically acts as an SMTP client to our mail server, rather than its own mail server that delivers directly.

The problem we're having is that any mail sent that has a non-local destination gets blocked by SpamAssassin when it tries to leave our server (we scan outgoing mail for spam). If the recipient is local, it is accepted fine. If the destination is non-local, it is accepted by Exim from Bitrix24, but is scanned again by SpamAssassin on the way out of our server and is always blocked. Since there's no SpamAssassin report for outgoing scans, there's no way to tell why they are failing. /var/log/exim_rejectlog doesn't include the SpamAssassin report.

I grabbed a copy of such an email from a local account that it was also delivered to, and ran that through SpamAssassin manually. I don't know if doing it this way is identical to the scan done on outgoing mail, but it reported the two biggest issues as: HELO_DYNAMIC_IPADDR and RDNS_DYNAMIC. I understand what these are about, but most of the internet says the solution is "Fix your mail server's name" and "Trust your dynamic subnets" ... but that doesn't apply to us, since it's a third party mail server that initiates the message and we have no control over their server names or subnets.

The relevant headers (with some names changed for privacy):
Code:
Return-path: <[email protected]>
Received: from mta-us-002.bitrix24.com ([50.19.124.94]:51416)
        by myserver.mydomain.com with esmtpsa  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        (Exim 4.93)
        (envelope-from <[email protected]>)
        id 1jnNPr-0002aM-SF; Mon, 22 Jun 2020 10:27:20 -0400
Received: from ip-10-149-184-16.ec2.internal ([10.149.184.16] helo=ec2-3-83-161-87.compute-1.amazonaws.com)
        by mta-us-002.bitrix24.com with esmtps  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        (Exim 4.93)
        (envelope-from <[email protected]>)
        id 1jnNPr-0000zn-HX; Mon, 22 Jun 2020 17:27:19 +0300
Received: from localhost ([127.0.0.1] helo=ec2-3-83-161-87.compute-1.amazonaws.com)
        by ec2-3-83-161-87.compute-1.amazonaws.com with smtp (Exim 4.93)
        (envelope-from <[email protected]>)
        id 1jnNPr-0000ge-GM; Mon, 22 Jun 2020 17:27:19 +0300
Received: (from [email protected])
        by ec2-3-83-161-87.compute-1.amazonaws.com (mini_sendmail/1.3.9 23Oct2019);
        Mon, 22 Jun 2020 17:27:19 MSK
        (sender [email protected])
So I can see above that HELO_DYNAMIC_IPADDR and RDNS_DYNAMIC could certainly apply, as the mail hopped through a couple of Bitrix24's AWS servers before coming to us. But I don't understand why it passes the first spam check (when it comes into our server) but not the second (when outgoing to a non-local recipient). I also don't want to tell Bitrix24 that the problem is with them, until I'm sure it is. It's hard to believe we'd be the first Bitrix24 customer to have this issue, but at the same time, we have no issues with other outgoing mail getting blocked as spam (unless it really is spam).

I'm wondering if anyone has any recommendations on where to go from here - either how to troubleshoot Exim/SpamAssassin further and get it to allow these through, OR determine that the problem really is with Bitrix24 so I can start discussion with them. Thanks in advance for any help!
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,301
363
Houston
The inbound scanning and outbound scanning rules are different - you should be able to see the rules that it matches in /var/log/maillog, which is where outbound SpamAssassin logs its findings.
 

kerb

> The inbound scanning and outbound scanning rules are different - you should be able to see the rules that it matches in /var/log/maillog, which is where outbound SpamAssassin logs its findings.

Thank you Lauren. That does show the same result I found when scanning the mail manually. I'm still not sure what to do about it from here.
Below are the lines from /var/log/exim_mainlog. It's interesting that at first it says it's detected as NOT spam, then later says it can't be forwarded because it is spam. A forwarder isn't even involved here.

Code:
2020-06-22 10:27:19 1jnNPr-0002aM-SF H=mta-us-002.bitrix24.com [50.19.124.94]:51416 Warning: Message has been scanned: no virus or other harmful content was found
2020-06-22 10:27:20 1jnNPr-0002aM-SF H=mta-us-002.bitrix24.com [50.19.124.94]:51416 Warning: "SpamAssassin as cpaneleximscanner detected OUTGOING smtp message as NOT spam (8.4/100)"
2020-06-22 10:27:20 1jnNPr-0002aM-SF <= [email protected] H=mta-us-002.bitrix24.com [50.19.124.94]:51416 P=esmtpsa X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=dovecot_login:[email protected] S=3980 [email protected] T="Re: FW: 2018 Suzuki GSX-S1000FZ ABS" for [email protected] [email protected]
2020-06-22 10:27:20 1jnNPr-0002aM-SF Sender identification U=turnkey D=mydomain.com [email protected]
2020-06-22 10:27:20 1jnNPr-0002aM-SF SMTP connection outbound 1592836040 1jnNPr-0002aM-SF mydomain.com [email protected]
2020-06-22 10:27:20 1jnNPr-0002aM-SF ** [email protected] R=reject_forwarded_mail_marked_as_spam: This mail cannot be forwarded because it was detected as spam.
2020-06-22 10:27:20 1jnNPr-0002aM-SF => anotheruser <[email protected]> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <[email protected]> +JmuFMi/8F5RIQAATdD/dw Saved"
2020-06-22 10:27:20 1jnNPr-0002aM-SF Completed
And from /var/log/maillog, although it doesn't say what weight it put on each item, I expect the two biggest are still HELO_DYNAMIC_IPADDR and RDNS_DYNAMIC:
Code:
Jun 22 10:27:19 dns1 spamd[489]: spamd: connection from localhost [127.0.0.1]:49044 to port 783, fd 6
Jun 22 10:27:19 dns1 spamd[489]: spamd: setuid to cpaneleximscanner succeeded
Jun 22 10:27:19 dns1 spamd[489]: generic: trusted_networks doesn't contain internal_networks entry '0/0'
Jun 22 10:27:19 dns1 spamd[489]: spamd: checking message <[email protected]> for cpaneleximscanner:991
Jun 22 10:27:20 dns1 spamd[489]: spamd: identified spam (8.4/5.0) for cpaneleximscanner:991 in 0.4 seconds, 4131 bytes.
Jun 22 10:27:20 dns1 spamd[489]: spamd: result: Y 8 - FROM_EXCESS_BASE64,HELO_DYNAMIC_IPADDR,HTML_IMAGE_ONLY_16,HTML_MESSAGE,KAM_DMARC_STATUS,RDNS_DYNAMIC,SPF_SOFTFAIL,UNPARSEABLE_RELAY scantime=0.4,size=4131,user=cpaneleximscanner,uid=991,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=49044,mid=<[email protected]>,autolearn=no autolearn_force=no,shortcircuit=no
I'm still trying to determine if there's something I can do here, or if this really is a problem with Bitrix24 that I need to take up with them. I'm not sure how else to lower the spam score, and I don't understand why it first says it's NOT spam, then won't send because it thinks it is. Thanks again for any assistance you can provide.
 

cPanelLauren

Well, the rules it's hitting outbound are:

Code:
Jun 22 10:27:20 dns1 spamd[489]: spamd: result: Y 8 - FROM_EXCESS_BASE64,HELO_DYNAMIC_IPADDR,HTML_IMAGE_ONLY_16,HTML_MESSAGE,KAM_DMARC_STATUS,RDNS_DYNAMIC,SPF_SOFTFAIL,UNPARSEABLE_RELAY
You could do a few things here, but I think the best thing would be to whitelist this domain since it's something you're sending to on purpose:
Only-verify-recipient [?]
Hosts or IP addresses that should be exempt from all spam checks at SMTP time, except recipient verification. Hosts or IP addresses you enter here are stored in /etc/trustedmailhosts.

You could also modify the user_prefs file for outbound mail here: /var/cpanel/userhomes/cpaneleximscanner/.spamassassin/user_prefs and add the domain to the whitelist there too, or set customizations for the rules.
 

kerb

> You could do a few things here, but I think the best thing would be to whitelist this domain since it's something you're sending to on purpose:
>
> You could also modify the user_prefs file for outbound mail here: /var/cpanel/userhomes/cpaneleximscanner/.spamassassin/user_prefs and add the domain to the whitelist there too, or set customizations for the rules.

Thanks for the response, Lauren. If you're referring to the recipient domain, unfortunately we can't really whitelist that because it could be any recipient on any domain. I'm also hesitant to add Bitrix24's mail servers to our trusted networks, since they have a number of mail servers and there's no guarantee the same one will always be used or that they won't add new ones in the future.

I guess I will contact Bitrix24 and ask them if they can rename their internal mail servers from Amazon's default to see if it will then pass HELO_DYNAMIC_IPADDR. Thank you for the help.
 

cPanelLauren

Oh no I meant Bitrix! See if whitelisting their domain resolves the issue, they're your mail service and when your server is scanning mail that is being sent to them it's flagging it as spam which it shouldn't be doing.
 

kerb

> Oh no I meant Bitrix! See if whitelisting their domain resolves the issue, they're your mail service and when your server is scanning mail that is being sent to them it's flagging it as spam which it shouldn't be doing.

Thanks for the clarification. However, we're not sending mail to Bitrix. They are acting as an SMTP client to our mail server, authenticating to our mail (cPanel) server and sending mail to external recipients from that authenticated account. I tried adding the IP/hostname of their mail server to "Only-verify-recipient" but it did not help.

Interestingly enough, I found that if I create a brand new email on Bitrix (they have a webmail-like interface), it sends fine to a test gmail account. However, if I reply to an email that has come in from the same gmail account, the reply always gets blocked as spam when it attempts to leave the cPanel server.

Lines from exim_mainlog for a brand new email:
Code:
2020-07-02 14:32:19 SMTP connection from [50.19.124.94]:59978 (TCP/IP connection count = 13)
2020-07-02 14:32:19 H=mta-us-002.bitrix24.com [50.19.124.94]:59978 Warning: Sender rate 2.0 / 1h
2020-07-02 14:32:19 1jr40R-0003ct-Io H=mta-us-002.bitrix24.com [50.19.124.94]:59978 Warning: Message has been scanned: no virus or other harmful content was found
2020-07-02 14:32:19 1jr40R-0003ct-Io H=mta-us-002.bitrix24.com [50.19.124.94]:59978 Warning: "SpamAssassin as cpaneleximscanner detected OUTGOING smtp message as NOT spam (7.7/100)"
2020-07-02 14:32:19 1jr40R-0003ct-Io <= [email protected] H=mta-us-002.bitrix24.com [50.19.124.94]:59978 P=esmtpsa X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=dovecot_login:[email protected] S=2163 [email protected] T="Test again" for [email protected]
2020-07-02 14:32:19 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1jr40R-0003ct-Io
2020-07-02 14:32:19 SMTP connection from mta-us-002.bitrix24.com [50.19.124.94]:59978 closed by QUIT
2020-07-02 14:32:20 1jr40R-0003ct-Io Sender identification U=turnkey D=ourdomain.com [email protected]
2020-07-02 14:32:20 1jr40R-0003ct-Io SMTP connection outbound 1593714740 1jr40R-0003ct-Io ourdomain.com [email protected]
2020-07-02 14:32:20 1jr40R-0003ct-Io => [email protected] R=dkim_lookuphost T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [173.194.206.26] X=TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256:128 CV=yes C="250 2.0.0 OK  1593714740 h4si6457296qvr.38 - gsmtp"
2020-07-02 14:32:20 1jr40R-0003ct-Io Completed
Lines from exim_mainlog for a reply to an email:
Code:
2020-07-02 14:36:09 SMTP connection from [50.19.124.94]:32768 (TCP/IP connection count = 15)
2020-07-02 14:36:09 H=mta-us-002.bitrix24.com [50.19.124.94]:32768 Warning: Sender rate 2.8 / 1h
2020-07-02 14:36:09 1jr449-00040i-8K H=mta-us-002.bitrix24.com [50.19.124.94]:32768 Warning: Message has been scanned: no virus or other harmful content was found
2020-07-02 14:36:09 1jr449-00040i-8K H=mta-us-002.bitrix24.com [50.19.124.94]:32768 Warning: "SpamAssassin as cpaneleximscanner detected OUTGOING smtp message as NOT spam (9.1/100)"
2020-07-02 14:36:09 1jr449-00040i-8K <= [email protected] H=mta-us-002.bitrix24.com [50.19.124.94]:32768 P=esmtpsa X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=dovecot_login:[email protected] S=2600 [email protected] T="Re: Test from my gmail" for [email protected]
2020-07-02 14:36:09 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1jr449-00040i-8K
2020-07-02 14:36:09 SMTP connection from mta-us-002.bitrix24.com [50.19.124.94]:32768 closed by QUIT
2020-07-02 14:36:09 1jr449-00040i-8K Sender identification U=turnkey D=ourdomain.com [email protected]
2020-07-02 14:36:09 1jr449-00040i-8K SMTP connection outbound 1593714969 1jr449-00040i-8K ourdomain.com [email protected]
2020-07-02 14:36:09 1jr449-00040i-8K ** [email protected] R=reject_forwarded_mail_marked_as_spam: This mail cannot be forwarded because it was detected as spam.
Lines from maillog for the failed reply:
Code:
Jul  2 14:36:09 dns1 spamd[14988]: spamd: connection from localhost [127.0.0.1]:45210 to port 783, fd 6
Jul  2 14:36:09 dns1 spamd[14988]: spamd: setuid to cpaneleximscanner succeeded
Jul  2 14:36:09 dns1 spamd[14988]: generic: trusted_networks doesn't contain internal_networks entry '0/0'
Jul  2 14:36:09 dns1 spamd[14988]: spamd: checking message <[email protected]> for cpaneleximscanner:991
Jul  2 14:36:09 dns1 spamd[14988]: spamd: identified spam (9.1/5.0) for cpaneleximscanner:991 in 0.4 seconds, 2708 bytes.
Jul  2 14:36:09 dns1 spamd[14988]: spamd: result: Y 9 - FROM_EXCESS_BASE64,HELO_DYNAMIC_IPADDR,HTML_IMAGE_ONLY_08,HTML_MESSAGE,KAM_DMARC_STATUS,RDNS_DYNAMIC,SPF_SOFTFAIL,UNPARSEABLE_RELAY scantime=0.4,size=2708,user=cpaneleximscanner,uid=991,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=45210,mid=<[email protected]>,autolearn=no autolearn_force=no,shortcircuit=no
I can't think of why the reply would be considered spam, but not the original. Thanks again for looking, I appreciate it!
 

cPanelLauren

I understand what you're using bitrix for but I'm looking at this:
Code:
Jun 22 10:27:19 dns1 spamd[489]: spamd: checking message <[email protected]> for cpaneleximscanner:991
Note that it checks this message as a bitrix email. Furthermore in the last few messages I see the following:
Code:
Jul  2 14:36:09 dns1 spamd[14988]: spamd: checking message <[email protected]> for cpaneleximscanner:991
The sender ID is being shown ONLY as bitrix.

In the instance of the reply, the reply is being authenticated by a local user initially:

Code:
2020-07-02 14:36:09 1jr449-00040i-8K <= [email protected] H=mta-us-002.bitrix24.com [50.19.124.94]:32768 P=esmtpsa X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=dovecot_login:[email protected] S=2600 [email protected] T="Re: Test from my gmail" for [email protected]
When it's being forwarded you're back to ONLY the bitrix address:
Code:
Jul  2 14:36:09 dns1 spamd[14988]: spamd: checking message <[email protected]> for cpaneleximscanner:991
The function that handles forwarded mail is:
Do not forward mail to external recipients if it matches the Apache SpamAssassin™ internal spam_score setting
or
Do not forward mail to external recipients based on the defined Apache SpamAssassin™ score (Minimum: 0.1; Maximum: 99.9)


In the exim configuration manager.


Code:
/var/lib/spamassassin/3.004004/updates_spamassassin_org/50_scores.cf:score FROM_EXCESS_BASE64 0.001
/var/lib/spamassassin/3.004004/updates_spamassassin_org/50_scores.cf:score HELO_DYNAMIC_IPADDR 2.633 3.243 3.680 1.951
/var/lib/spamassassin/3.004004/updates_spamassassin_org/50_scores.cf:score HELO_DYNAMIC_IPADDR2 2.815 3.888 3.728 3.607
/var/lib/spamassassin/3.004004/updates_spamassassin_org/50_scores.cf:score RDNS_DYNAMIC 2.639 0.363 1.663 0.982
/var/lib/spamassassin/3.004004/updates_spamassassin_org/50_scores.cf:score HTML_IMAGE_ONLY_08 0.585 1.781 1.845 1.651
/var/lib/spamassassin/3.004004/updates_spamassassin_org/50_scores.cf:score HTML_MESSAGE 0.001
/var/lib/spamassassin/3.004004/updates_spamassassin_org/50_scores.cf:score UNPARSEABLE_RELAY 0.001
/var/lib/spamassassin/3.004004/updates_spamassassin_org/50_scores.cf:score SPF_SOFTFAIL 0 0.972 0 0.665 # n=0 n=2
/var/lib/spamassassin/3.004004/updates_spamassassin_org/50_scores.cf:# score RDNS_DYNAMIC  0 0.5 0 0.5
Code:
[[email protected] public_html]# egrep -r 'FROM_EXCESS_BASE64|HELO_DYNAMIC_IPADDR|HTML_IMAGE_ONLY_08|HTML_MESSAGE|KAM_DMARC_STATUS|RDNS_DYNAMIC|SPF_SOFTFAIL|UNPARSEABLE_RELAY' /usr/local/cpanel/etc/mail/spamassassin/ |grep -i score
/usr/local/cpanel/etc/mail/spamassassin/CPANEL.cf:score SPF_SOFTFAIL 1.5
/usr/local/cpanel/etc/mail/spamassassin/CPANEL.cf:score RDNS_DYNAMIC 2.6
/usr/local/cpanel/etc/mail/spamassassin/deadweight.cf:score BUG6919_RDNS_DYNAMIC 0
/usr/local/cpanel/etc/mail/spamassassin/deadweight.cf:score RCD_RDNS_DYNAMIC_CLEAN 0
/usr/local/cpanel/etc/mail/spamassassin/KAM.cf:      score    KAM_DMARC_STATUS 0.01
The weights of the scores you're receiving
Code:
/var/lib/spamassassin/3.004004/updates_spamassassin_org/50_scores.cf:score FROM_EXCESS_BASE64 0.001
/var/lib/spamassassin/3.004004/updates_spamassassin_org/50_scores.cf:score HELO_DYNAMIC_IPADDR 2.633 3.243 3.680 1.951
/var/lib/spamassassin/3.004004/updates_spamassassin_org/50_scores.cf:score HTML_IMAGE_ONLY_08 0.585 1.781 1.845 1.651
/var/lib/spamassassin/3.004004/updates_spamassassin_org/50_scores.cf:score HTML_MESSAGE 0.001
/var/lib/spamassassin/3.004004/updates_spamassassin_org/50_scores.cf:score UNPARSEABLE_RELAY 0.001
/var/lib/spamassassin/3.004004/updates_spamassassin_org/50_scores.cf:score SPF_SOFTFAIL 0 0.972 0 0.665 # n=0 n=2
/usr/local/cpanel/etc/mail/spamassassin/CPANEL.cf:score SPF_SOFTFAIL 1.5
/usr/local/cpanel/etc/mail/spamassassin/CPANEL.cf:score RDNS_DYNAMIC 2.6
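
A per-rule breakdown of the rejected reply's score, as an added example that is not part of the original posts. It assumes SpamAssassin score set 1 (second column: network tests on, Bayes off) and that the CPANEL.cf and KAM.cf lines override the stock 50_scores.cf values; under those assumptions the sum reproduces the 9.1 that spamd logged.

```python
import re

# "score" lines copied from the grep output in the post above (directory
# prefixes dropped). Stock 50_scores.cf first, cPanel/KAM overrides after.
SCORE_LINES = """\
50_scores.cf:score FROM_EXCESS_BASE64 0.001
50_scores.cf:score HELO_DYNAMIC_IPADDR 2.633 3.243 3.680 1.951
50_scores.cf:score RDNS_DYNAMIC 2.639 0.363 1.663 0.982
50_scores.cf:score HTML_IMAGE_ONLY_08 0.585 1.781 1.845 1.651
50_scores.cf:score HTML_MESSAGE 0.001
50_scores.cf:score UNPARSEABLE_RELAY 0.001
50_scores.cf:score SPF_SOFTFAIL 0 0.972 0 0.665 # n=0 n=2
50_scores.cf:# score RDNS_DYNAMIC  0 0.5 0 0.5
CPANEL.cf:score SPF_SOFTFAIL 1.5
CPANEL.cf:score RDNS_DYNAMIC 2.6
KAM.cf:      score    KAM_DMARC_STATUS 0.01
"""

# spamd result line for the rejected reply, from the maillog excerpt (trimmed).
RESULT_LINE = ("Jul  2 14:36:09 dns1 spamd[14988]: spamd: result: Y 9 - "
               "FROM_EXCESS_BASE64,HELO_DYNAMIC_IPADDR,HTML_IMAGE_ONLY_08,"
               "HTML_MESSAGE,KAM_DMARC_STATUS,RDNS_DYNAMIC,SPF_SOFTFAIL,"
               "UNPARSEABLE_RELAY scantime=0.4,size=2708")


def load_scores(text, score_set=1):
    """Return {rule: (score, source)}; a later line overrides an earlier one.

    score_set=1 is an assumption (network tests on, Bayes off).
    """
    scores = {}
    for raw in text.splitlines():
        source, _, rest = raw.partition(":")
        fields = rest.split("#", 1)[0].split()  # drop comments
        if len(fields) < 3 or fields[0] != "score":
            continue  # commented-out or non-score line
        values = [float(v) for v in fields[2:]]
        # One value covers all four score sets; otherwise index by set.
        score = values[0] if len(values) == 1 else values[score_set]
        scores[fields[1]] = (score, source)
    return scores


def rules_hit(result_line):
    """Rule names from a spamd 'result:' log line."""
    match = re.search(r"result: \S+ -?\d+ - (\S+)", result_line)
    return match.group(1).split(",") if match else []


def breakdown(result_line, scores):
    """Rows of (rule, score, source), largest contribution first."""
    rows = [(rule, *scores[rule])
            for rule in rules_hit(result_line) if rule in scores]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def total(rows, exclude=()):
    """Sum of the scores, optionally leaving some rules out."""
    return sum(score for rule, score, _ in rows if rule not in exclude)


if __name__ == "__main__":
    rows = breakdown(RESULT_LINE, load_scores(SCORE_LINES))
    for rule, score, source in rows:
        print(f"{score:6.3f}  {rule:<22} {source}")
    print(f"total {total(rows):.3f}")
    dynamic = ("HELO_DYNAMIC_IPADDR", "RDNS_DYNAMIC")
    print(f"without the two dynamic-host rules: {total(rows, dynamic):.3f}")
```

With HELO_DYNAMIC_IPADDR and RDNS_DYNAMIC left out, the same message totals 3.294, which is under the required_score of 5.0 shown in the spamd line.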
 

kerb

> I understand what you're using bitrix for but I'm looking at this:
> Code:
> Jun 22 10:27:19 dns1 spamd[489]: spamd: checking message <[email protected]> for cpaneleximscanner:991
> Note that it checks this message as a bitrix email. Furthermore in the last few messages I see the following:
> Code:
> Jul  2 14:36:09 dns1 spamd[14988]: spamd: checking message <[email protected]> for cpaneleximscanner:991
> The sender ID is being shown ONLY as bitrix.

I thought this was just the message ID, I didn't realize this was relevant, since the mail isn't sent to nor is coming from any such address.

> In the instance of the reply, the reply is being authenticated by a local user initially:

The first message that wasn't a reply was also authenticated by the same local user. I'm still not clear on why that one went through without a problem, as it was sent to the same address as the reply that failed.

> When it's being forwarded you're back to ONLY the bitrix address:
> Code:
> Jul  2 14:36:09 dns1 spamd[14988]: spamd: checking message <[email protected]> for cpaneleximscanner:991

I looked at a few raw sample messages, and the "[email protected]24.com" bit only appears in the message ID. I guess I'm just not sure where I would whitelist this or how it would help, as no mail is ever routed through or sent to/from that domain. None of the SpamAssassin results are related to message ID. All the whitelist-like options I've looked at (such as "Only-verify-recipient" as you earlier suggested) want the IP or hostname of a mail server.

Thank you once again for your time and your response.
 

kerb

Just following up, I noticed a couple things I'm unsure about:

In both cases above (an original new message, and a reply), we see:
Code:
SpamAssassin as cpaneleximscanner detected OUTGOING smtp message as NOT spam
and indeed if I look at the headers of the mail in question, I see:
Code:
X-OutGoing-Spam-Status: No, score=9.1
and yet the message that is a reply still fails. This score of 9.1 is for the reply; the brand new email was scored 7.7. Both cases have an outgoing spam status of No, even though both are above the 5.0 threshold.

The reply that fails says it can't be "forwarded" ... but there is no forwarder involved in either the case of the new message or the reply (in both cases, the recipient is my @gmail address). Perhaps something about the reply is causing it to be seen as a forwarded message, even though it's not, and the "don't forward spam" rule is triggered and overrides the outgoing spam status? I'm thinking the real issue might be that the reply is somehow treated differently than a brand new message, but I'm not sure why that would be.

I don't want to post the raw emails here, but I could provide them privately if that would help.
 

cPanelLauren

You know, I think I know exactly what's happening here. I didn't notice that it was flagging the email as NOT spam - the score of 9.1 just automatically said spam to me.

So the two settings I listed earlier:

The function that handles forwarded mail is:
Do not forward mail to external recipients if it matches the Apache SpamAssassin™ internal spam_score setting
or
Do not forward mail to external recipients based on the defined Apache SpamAssassin™ score (Minimum: 0.1; Maximum: 99.9)


In the exim configuration manager.
Are different than the ones that scan outgoing mail for spam. What I'd assume is, that you've set the spam score fairly high for "scan outgoing mail for spam" and you've set the do not forward mail to external recipients if it matches the Apache SpamAssassin score lower or used the internal score setting.


I wonder if either of the two here would be helpful for you:
Enable Sender Rewriting Scheme (SRS) Support
or
EXPERIMENTAL: Rewrite From: header to match actual sender
 

kerb

> You know, I think I know exactly what's happening here. I didn't notice that it was flagging the email as NOT spam - the score of 9.1 just automatically said spam to me.
>
> So the two settings I listed earlier:
>
> Are different than the ones that scan outgoing mail for spam. What I'd assume is, that you've set the spam score fairly high for "scan outgoing mail for spam" and you've set the do not forward mail to external recipients if it matches the Apache SpamAssassin score lower or used the internal score setting.
>
> I wonder if either of the two here would be helpful for you:
> Enable Sender Rewriting Scheme (SRS) Support
> or
> EXPERIMENTAL: Rewrite From: header to match actual sender

You are correct about the spam scores, although I'm still unclear as to why the forwarder rule is being triggered, since it's just normal outgoing mail, not going through a forwarder. I think the real issue is still with Bitrix24, since their mail server naming seems to be what is contributing the most to the spam score with HELO_DYNAMIC_IPADDR and RDNS_DYNAMIC. For now, I've raised our forwarder spam threshold and that's allowing the mail to go through, but I consider this more of a workaround. It will work for now, while I see if I can work with Bitrix24 to get the actual spam score down.

Thank you again for your time and your help, it is appreciated!
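
The two-threshold behaviour discussed in this thread can be checked from exim_mainlog alone; the following is an added example, not part of the original posts. It flags messages the outgoing scan logged as NOT spam that the reject_forwarded_mail_marked_as_spam router still refused, and brackets the forwarding limit on the assumption that the router compares the same SpamAssassin score against one fixed value (the thread never states the configured value).

```python
import re

# Lines copied from the exim_mainlog excerpts in the thread (addresses appear
# redacted there; trailing fields trimmed).
MAINLOG = """\
2020-06-22 10:27:20 1jnNPr-0002aM-SF H=mta-us-002.bitrix24.com [50.19.124.94]:51416 Warning: "SpamAssassin as cpaneleximscanner detected OUTGOING smtp message as NOT spam (8.4/100)"
2020-06-22 10:27:20 1jnNPr-0002aM-SF ** [email protected] R=reject_forwarded_mail_marked_as_spam: This mail cannot be forwarded because it was detected as spam.
2020-06-22 10:27:20 1jnNPr-0002aM-SF => anotheruser <[email protected]> R=virtual_user T=dovecot_virtual_delivery
2020-07-02 14:32:19 1jr40R-0003ct-Io H=mta-us-002.bitrix24.com [50.19.124.94]:59978 Warning: "SpamAssassin as cpaneleximscanner detected OUTGOING smtp message as NOT spam (7.7/100)"
2020-07-02 14:32:20 1jr40R-0003ct-Io => [email protected] R=dkim_lookuphost T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [173.194.206.26]
2020-07-02 14:36:09 1jr449-00040i-8K H=mta-us-002.bitrix24.com [50.19.124.94]:32768 Warning: "SpamAssassin as cpaneleximscanner detected OUTGOING smtp message as NOT spam (9.1/100)"
2020-07-02 14:36:09 1jr449-00040i-8K ** [email protected] R=reject_forwarded_mail_marked_as_spam: This mail cannot be forwarded because it was detected as spam.
"""

MSG_ID = r"^\S+ \S+ (\w{6}-\w{6}-\w{2}) "
SCAN = re.compile(
    MSG_ID + r".*detected OUTGOING smtp message as NOT spam \(([\d.]+)/([\d.]+)\)")
ROUTE = re.compile(MSG_ID + r"(=>|\*\*) .*?\bR=(\w+)(?: T=(\w+))?")
REJECT_ROUTER = "reject_forwarded_mail_marked_as_spam"


def summarize(log):
    """Group scan results and routing outcomes by Exim message ID."""
    msgs = {}
    for line in log.splitlines():
        scan, route = SCAN.match(line), ROUTE.match(line)
        if scan:
            entry = msgs.setdefault(scan.group(1), {"routes": []})
            entry["score"] = float(scan.group(2))
            entry["limit"] = float(scan.group(3))
        elif route:
            entry = msgs.setdefault(route.group(1), {"routes": []})
            entry["routes"].append(route.groups()[1:])  # (flag, router, transport)
    return msgs


def rejected(msg):
    return any(router == REJECT_ROUTER for _, router, _ in msg["routes"])


def sent_remote(msg):
    return any(flag == "=>" and (transport or "").endswith("remote_smtp")
               for flag, _, transport in msg["routes"])


def contradictions(msgs):
    """IDs that passed the outgoing scan but were refused by the forward router."""
    return [mid for mid, m in msgs.items()
            if "score" in m and m["score"] < m["limit"] and rejected(m)]


def forward_limit_bounds(msgs):
    """(highest score delivered remotely, lowest score rejected)."""
    scored = [m for m in msgs.values() if "score" in m]
    passed = [m["score"] for m in scored if sent_remote(m) and not rejected(m)]
    blocked = [m["score"] for m in scored if rejected(m)]
    return max(passed), min(blocked)


if __name__ == "__main__":
    msgs = summarize(MAINLOG)
    print("passed outgoing scan, refused by router:", contradictions(msgs))
    print("forwarding limit lies between:", forward_limit_bounds(msgs))
```

On these lines the delivered message scored 7.7 and the refused ones 8.4 and 9.1, which is consistent with a forwarding limit above 7.7 and no higher than 8.4, and would account for the new message going out while the reply did not.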
 