Genuine Human Emails appearing in Junk folder

Discussion in 'E-mail Discussion' started by martin MHC, May 8, 2018.

  1. martin MHC

    martin MHC Well-Known Member

    Joined:
    Sep 14, 2016
    Messages:
    97
    Likes Received:
    12
    Trophy Points:
    8
    Location:
    UK
    cPanel Access Level:
    Root Administrator
    This has suddenly started happening to a Client account and is hard for me to figure out, so hoping for some guidance from those who know WHM better:

    Events:

    - Client gets in touch via email telling me that various emails from 3rd parties (written by humans) are ending up in their account Junk Folder.

    - I reply to client; my email (localhost; different accounts on the same server) also appears in their Junk folder.

    - I log in to their account and this is a server decision rather than an email program on the client's machines.

    - I have checked SpamAssassin and this doesn't apply to internal emails and no external emails that are marked as "junk" are at all spam (spam threshold is -5.5; emails score +1.6 for example).

    - Both the Sending (ie my) and receiving domains (ie client) have fully working and fully operational DKIM, SPF and DMARC records as assessed by (3rd party) MXToolbox.

    - I have not been aware of any server setting changes and have not seen any similar behaviour on other accounts.

    - GreyListing is enabled but this doesn't appear to be the cause.

    - I have checked Exim Mail Logs for internal reasons for mail to be marked as junk and the result is seemingly negatory:

    Code:
    2018-05-08 21:58:28 SMTP connection from [123.45.678.90]:55389 (TCP/IP connection count = 1)
    2018-05-08 21:58:28 1fG9gq-0004mY-GF H=([192.168.1.10]) [123.45.678.90]:55389 Warning: Message has been scanned: no virus or other harmful content was found
    2018-05-08 21:58:28 1fG9gq-0004mY-GF <= martin@mydomain.co.uk H=([192.168.1.10]) [123.45.678.90]:55389 P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no A=dovecot_plain:martin@mydomain.co.uk S=18890 id=bf31f774-364a-9ced-fdaf-de1eb5240ec3@mydomain.co.uk T="Re: Query from Client" for info@client-domain.co.uk
    2018-05-08 21:58:28 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1fG9gq-0004mY-GF
    2018-05-08 21:58:28 SMTP connection from ([192.168.1.10]) [123.45.678.90]:55389 closed by QUIT
    2018-05-08 21:58:28 1fG9gq-0004mY-GF => info <info@client-domain.co.uk> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <info@client-domain.co.uk> eG9KMnQP8lrZRwAA5Ca53Q Saved"
    2018-05-08 21:58:28 1fG9gq-0004mY-GF Completed
    
    
    ================================

    EXTERNAL MAIL:

    Here is the full header of another external mail as received into the client's junk folder:


    ================================

    Code:
    Return-Path: <someone@live.co.uk>
    Delivered-To: info@client-domain.co.uk
    Received: from mail.mydomain.co.uk
       by mail.example.co.uk with LMTP id AF9KM04E8lriHQAA5Ca53Q
       for <info@client-domain.co.uk>; Tue, 08 May 2018 21:10:54 +0100
    Return-path: <someone@live.co.uk>
    Envelope-to: info@client-domain.co.uk
    Delivery-date: Tue, 08 May 2018 21:10:54 +0100
    Received: from mail-oln040092069100.outbound.protection.outlook.com ([40.92.69.100]:31772 helo=EUR02-VE1-obe.outbound.protection.outlook.com)
       by mail.example.co.uk with esmtps (TLSv1.2:ECDHE-RSA-AES256-SHA384:256)
       (Exim 4.89_1)
       (envelope-from <someone@live.co.uk>)
       id 1fG8wj-0001zB-Sq
       for info@client-domain.co.uk; Tue, 08 May 2018 21:10:54 +0100
    Received: from AM5EUR02FT032.eop-EUR02.prod.protection.outlook.com
     (10.152.8.55) by AM5EUR02HT077.eop-EUR02.prod.protection.outlook.com
     (10.152.9.127) with Microsoft SMTP Server (version=TLS1_2,
     cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.20.735.16; Tue, 8
     May 2018 20:10:48 +0000
    Received: from DB5PR09MB0453.eurprd09.prod.outlook.com (10.152.8.56) by
     AM5EUR02FT032.mail.protection.outlook.com (10.152.8.109) with Microsoft SMTP
     Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id
     15.20.735.16 via Frontend Transport; Tue, 8 May 2018 20:10:48 +0000
    Received: from DB5PR09MB0453.eurprd09.prod.outlook.com
     ([fe80::ad78:89f8:7f05:5a67]) by DB5PR09MB0453.eurprd09.prod.outlook.com
     ([fe80::ad78:89f8:7f05:5a67%14]) with mapi id 15.20.0735.016; Tue, 8 May 2018
     20:10:48 +0000
    From: Nikki Person <someone@live.co.uk>
    To: Green Client <info@client-domain.co.uk>
    Subject: Re: Availability for 2018
    Thread-Topic: Availability for 2018
    Thread-Index: AQHTiKyvdJfartz3ZkWGBfa+dZul7qNqkpIAgARrBzGAAyvrAIAOFPEqgAHgKgCAPrIAmoABUemAgFmyAcWAAB/BgIAI5b/GgAIlkICAAABbTQ==
    Date: Tue, 8 May 2018 20:10:48 +0000
    Message-ID: <DB5PR09MB0453FAAD4C4E0C14A06A2527DF9A0@DB5PR09MB0453.eurprd09.prod.outlook.com>
    References: <AM5PR0902MB21455FB0FDEE3A2504E749C1DF130@AM5PR0902MB2145.eurprd09.prod.outlook.com>
     <30abcd69-1f89-8aa4-0e1a-9b3c2dd10040@client-domain.co.uk>
     <AM5PR0902MB2145BAC9E881632FD38F84E8DF160@AM5PR0902MB2145.eurprd09.prod.outlook.com>
     <003b01d38c9d$7068b220$513a1660$@client-domain.co.uk>
     <AM5PR0902MB2145BE4FC2616D28CE20AC46DFEC0@AM5PR0902MB2145.eurprd09.prod.outlook.com>,<d27b71ce-b216-471e-05e5-96b6d319d638@client-domain.co.uk>
     <AM5PR0902MB2145CB35B42F14D84297451FDFDB0@AM5PR0902MB2145.eurprd09.prod.outlook.com>,<002701d3b499$f25a3370$d70e9a50$@client-domain.co.uk>
     <DB5PR09MB0453D4D0EF2093D2F2128A2CDF810@DB5PR09MB0453.eurprd09.prod.outlook.com>,<000b01d3e182$d33f3790$79bda6b0$@client-domain.co.uk>
     <DB5PR09MB0453C7FCE8042AC49618C236DF9B0@DB5PR09MB0453.eurprd09.prod.outlook.com>,<003401d3e708$7a2b9eb0$6e82dc10$@client-domain.co.uk>
    In-Reply-To: <003401d3e708$7a2b9eb0$6e82dc10$@client-domain.co.uk>
    Accept-Language: en-GB, en-US
    Content-Language: en-US
    X-MS-Has-Attach: yes
    X-MS-TNEF-Correlator:
    x-incomingtopheadermarker: OriginalChecksum:9524D9CB42DBBC0ED5A3BAED69975A284B2B7ACB211E52FF2933D97485E4660D;UpperCasedChecksum:BCBC273429922CC8BBB0FBD44E2F743269B7EEE8A27414B158413D4316C00E32;SizeAsReceived:7960;Count:46
    x-ms-exchange-messagesentrepresentingtype: 1
    x-tmn: [YjStu1U4S7/UN5YXjeScjiF0yxonr1Fr]
    x-ms-publictraffictype: Email
    x-microsoft-exchange-diagnostics: 1;AM5EUR02HT077;7:CMyHh1v22NAllWDgHy8x4okps6f/rEFdw5GN/DoBsVFC14aDqjTQ62/7ZhUrK5vI+443GK/pKPG0UZklt28c9WDpwpqIxGuGrsfYHu7URHGHLSHZPhmwOJI2hQW7whoUssvRUnmkKaWBv9St1XmFO5brUo/tEfHMPungrJIzPZw26rtCYorVKHrgpEQfuIHn1F0fL6EjR45DPGg8IpUtWZXTCm66PfCiiEfcobn4YaQ3m2XQg4JHOBKgygqw1xmi
    x-incomingheadercount: 46
    x-eopattributedmessage: 0
    x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(7020095)(201702061078)(5061506573)(5061507331)(1603103135)(2017031320274)(2017031324274)(2017031323274)(2017031322404)(1601125420)(1603101448)(1701031045);SRVR:AM5EUR02HT077;
    x-ms-traffictypediagnostic: AM5EUR02HT077:
    x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(444000031);SRVR:AM5EUR02HT077;BCL:0;PCL:0;RULEID:;SRVR:AM5EUR02HT077;
    x-forefront-prvs: 0666E15D35
    x-forefront-antispam-report: SFV:NSPM;SFS:(7070007)(66544003)(199004)(189003)(44832011)(486006)(8676002)(7696005)(59450400001)(6506007)(53546011)(82202002)(102836004)(8936002)(74316002)(26005)(6346003)(99286004)(97736004)(68736007)(7116003)(76176011)(104016004)(11346002)(446003)(6916009)(81156014)(86362001)(476003)(5660300001)(93886005)(106356001)(3280700002)(2900100001)(733005)(99936001)(6436002)(45080400002)(54556002)(1250700005)(9686003)(14454004)(74482002)(966005)(236005)(54896002)(6306002)(53386004)(606006)(6246003)(345774005)(33656002)(105586002)(55016002)(3660700001)(25786009)(229853002)(5250100002)(53946003)(21314002);DIR:OUT;SFP:1901;SCL:1;SRVR:AM5EUR02HT077;H:DB5PR09MB0453.eurprd09.prod.outlook.com;FPR:;SPF:None;PTR:InfoNoRecords;A:1;MX:1;LANG:;
    received-spf: None (protection.outlook.com: live.co.uk does not designate
     permitted sender hosts)
    authentication-results: spf=none (sender IP is )
     smtp.mailfrom=someone@live.co.uk;
    x-microsoft-antispam-message-info: zsDKilepxdUoXCc/Zh9KdKiVn+ahXpWYXRirNXaj+9xetEqXEWMkd7n18NN1TgiY9VNZiRKQNU3uVRL+KtEf/2wQixYeqeoMkxJQBXHT2K9fICyxBMs16t7OiFvGfDfWgFE2TvJIsErzu391hKMgAkpCh9mPxdgVLdiMkms8yI03/qlFSQhkWyG8mC4xDRIk
    Content-Type: multipart/related;
       boundary="_007_DB5PR09MB0453FAAD4C4E0C14A06A2527DF9A0DB5PR09MB0453eurp_";
       type="multipart/alternative"
    MIME-Version: 1.0
    X-MS-Office365-Filtering-Correlation-Id: 08d34282-b274-4193-918f-08d5b51fca17
    X-OriginatorOrg: outlook.com
    X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: f12efbb0-867f-4c93-8261-502eceebfafa
    X-MS-Exchange-CrossTenant-Network-Message-Id: 08d34282-b274-4193-918f-08d5b51fca17
    X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: f12efbb0-867f-4c93-8261-502eceebfafa
    X-MS-Exchange-CrossTenant-originalarrivaltime: 08 May 2018 20:10:48.1167
     (UTC)
    X-MS-Exchange-CrossTenant-fromentityheader: Internet
    X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
    X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM5EUR02HT077
    X-Spam-Status: No, score=1.6
    X-Spam-Score: 16
    X-Spam-Bar: +
    X-Ham-Report: Spam detection software, running on the system "mail.mydomain.co.uk",
     has NOT identified this incoming email as spam.  The original
     message has been attached to this so you can view it or label
     similar future email.  If you have any questions, see
     root\@localhost for details.
     Content preview:  That's a shame. Thank you so much for all your help. Well
       see you in July x Get Outlook for Android Outlook From: Green
       Client <info@client-domain.co.uk> Sent: Tuesday, May 8, 2018 9:09:31
       PM To: 'Someuser' Subject: RE: Availability for 2018 [...]
    
     Content analysis details:   (1.6 points, 5.5 required)
    
      pts rule name              description
     ---- ---------------------- --------------------------------------------------
      0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                                See
                                http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                                 for more information.
                                [URIs: aka.ms]
      1.1 KAM_COUK               Scoring .co.uk emails higher due to poor registry security.
      0.5 KAM_NUMSUBJECT         Subject ends in numbers
     -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
     -0.0 SPF_PASS               SPF: sender matches SPF record
      0.0 HTML_MESSAGE           BODY: HTML included in message
    X-Spam-Flag: NO
    
    --_007_DB5PR09MB0453FAAD4C4E0C14A06A2527DF9A0DB5PR09MB0453eurp_
    Content-Type: multipart/alternative;
       boundary="_000_DB5PR09MB0453FAAD4C4E0C14A06A2527DF9A0DB5PR09MB0453eurp_"
    
    --_000_DB5PR09MB0453FAAD4C4E0C14A06A2527DF9A0DB5PR09MB0453eurp_
    Content-Type: text/plain; charset="Windows-1252"
    Content-Transfer-Encoding: quoted-printable
    
    That's a shame. Thank you so much for all your help. Well see you in July x
    
    Get Outlook for AndroidOutlook
    
    ================================

    And here is the corresponding Exim maillog:

    Code:
    2018-05-08 21:10:54 1fG8wj-0001zB-Sq H=mail-oln040092069100.outbound.protection.outlook.com (EUR02-VE1-obe.outbound.protection.outlook.com) [40.92.69.100]:31772 Warning: "SpamAssassin as greenhaven detected message as NOT spam (1.6)"
    2018-05-08 21:10:54 1fG8wj-0001zB-Sq <= someone@live.co.uk H=mail-oln040092069100.outbound.protection.outlook.com (EUR02-VE1-obe.outbound.protection.outlook.com) [40.92.69.100]:31772 P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-SHA384:256 CV=no S=195948 id=DB5PR09MB0453FAAD4C4E0C14A06A2527DF9A0@DB5PR09MB0453.eurprd09.prod.outlook.com T="Re: Availability for 2018" for info@client-domain.co.uk
    2018-05-08 21:10:54 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1fG8wj-0001zB-Sq
    2018-05-08 21:10:54 SSL_write: (from mail-oln040092069100.outbound.protection.outlook.com (EUR02-VE1-obe.outbound.protection.outlook.com) [40.92.69.100]:31772) syscall: Connection reset by peer
    2018-05-08 21:10:54 SMTP connection from mail-oln040092069100.outbound.protection.outlook.com (EUR02-VE1-obe.outbound.protection.outlook.com) [40.92.69.100]:31772 closed by QUIT
    2018-05-08 21:10:54 1fG8wj-0001zB-Sq => info <info@client-domain.co.uk> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <info@client-domain.co.uk> AF9KM04E8lriHQAA5Ca53Q Saved"
    2018-05-08 21:10:54 1fG8wj-0001zB-Sq Completed
    
    
    ================================

    NOTES:

    - WHM version 68.
    - The issue occurs for both local emails from different accounts on the same server and for outside email to this account.
    - I have looked at how to find answers but other answers I see are all about how code programs (PHP, etc.) can write emails, not human-written emails.

    ================================
    1) How can I find the cause for this junk collecting of otherwise valid emails?

    2) How (aside from the methods above) can I set what is defined as appearing in the "junk" folder of the recipient mailbox?
     
    #1 martin MHC, May 8, 2018
    Last edited: May 9, 2018
  2. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,777
    Likes Received:
    120
    Trophy Points:
    343
    cPanel Access Level:
    Root Administrator
    For me, it's difficult for me to follow information like this because it's been redacted (which I'm not faulting you for) and I'm just not able to access the system.

    What email client is the user using to check their mail?

    Regarding the message 1fG8wj-0001zB-Sq - are you sure it's not being sent to junk by the end user's email client? There's nothing in the headers or logs that would seem to indicate that the message was flagged as spam by SpamAssassin.

    Another possibility is an account or user-level filter that delivers the message into a different folder on the account. But I think that shows up in the logs if that happens.

    Spam is just extremely subjective and there's just never going to be a de facto way of completely handling it. Sure, there are messages that are obviously spam. But messages that don't fit that profile... the subjective nature of email is going to be a determining factor.
     
  3. martin MHC

    Hello Sparek-3
    I'm not sure I follow re: redactions? I've changed email addresses and names but have not removed any lines.

    I am fully aware that spam is subjective and I totally follow that; I'm not complaining about the spam status itself; but I am concerned that I can't see why a message (mine or from an outside mailer) is appearing in the junk folder itself.

    I also initially thought this was due to the client's mail program (Thunderbird) but then viewing freshly sent emails on the server via webmail they are being delivered to junk before the client's mail program has a chance to move messages.

    None of the messages I have found have been flagged by SpamAssassin. That's partly my confusion.

    Cheers

    Martin
     
  4. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    3,517
    Likes Received:
    251
    Trophy Points:
    193
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @martin MHC

    I think what @sparek-3 is trying to say is it's difficult to identify the issue when the actual domain names are removed, in this case it does make it more difficult but that's exactly how we request you post things on the forums and not your fault in the least.

    Looking at SpamAssassin I can clearly see that it marks the message as NOT spam:

    Code:
    X-MS-Office365-Filtering-Correlation-Id: 08d34282-b274-4193-918f-08d5b51fca17
    X-OriginatorOrg: outlook.com
    X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: f12efbb0-867f-4c93-8261-502eceebfafa
    X-MS-Exchange-CrossTenant-Network-Message-Id: 08d34282-b274-4193-918f-08d5b51fca17
    X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: f12efbb0-867f-4c93-8261-502eceebfafa
    X-MS-Exchange-CrossTenant-originalarrivaltime: 08 May 2018 20:10:48.1167
     (UTC)
    X-MS-Exchange-CrossTenant-fromentityheader: Internet
    X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
    X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM5EUR02HT077
    X-Spam-Status: No, score=1.6
    X-Spam-Score: 16
    X-Spam-Bar: +
    X-Ham-Report: Spam detection software, running on the system "mail.mydomain.co.uk",
     has NOT identified this incoming email as spam.  The original
     message has been attached to this so you can view it or label
     similar future email.  If you have any questions, see
     root\@localhost for details.
     Content preview:  That's a shame. Thank you so much for all your help. Well
       see you in July x Get Outlook for Android Outlook From: Green
       Client <info@client-domain.co.uk> Sent: Tuesday, May 8, 2018 9:09:31
       PM To: 'Someuser' Subject: RE: Availability for 2018 [...]
    
     Content analysis details:   (1.6 points, 5.5 required)
    
      pts rule name              description
     ---- ---------------------- --------------------------------------------------
      0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                                See
                                http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                                 for more information.
                                [URIs: aka.ms]
      1.1 KAM_COUK               Scoring .co.uk emails higher due to poor registry security.
      0.5 KAM_NUMSUBJECT         Subject ends in numbers
     -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
     -0.0 SPF_PASS               SPF: sender matches SPF record
      0.0 HTML_MESSAGE           BODY: HTML included in message
    X-Spam-Flag: NO
    
    Most importantly this line:
    Code:
    X-Spam-Flag: NO
    This means, the server is *not* marking this message as spam.

    My assumption here is that you could most likely look at /var/log/maillog for this message and see it being delivered to INBOX - not spam. What I believe is occurring here is their mail client is moving the messages to their spam folder once received. This can be the fault of a mail client plugin, antivirus or trained behavior (more than likely by accident) or it could be the Microsoft Filtering in place.

    The easiest way to identify which of these is the culprit, in my opinion, would be to change the email password temporarily so the mail client cannot connect, then send a test email to determine if it stays in the INBOX for the email user.


    Thanks!
     
    sparek-3 likes this.
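
Added example, not part of any post in this thread: a small Python check that reads the SpamAssassin headers and the Exim log lines for one message ID, as quoted above, and reports whether the server flagged the message and which router and transport delivered it. The sample inputs are abridged copies of the thread's own lines; the function names, and the assumption that a positive scan is logged as "detected message as spam", are illustrative.

```python
import email
import re

# Constructed sample: a subset of the headers quoted in the thread.
SAMPLE_MESSAGE = (
    "Return-Path: <someone@live.co.uk>\n"
    "Delivered-To: info@client-domain.co.uk\n"
    "Subject: Re: Availability for 2018\n"
    "X-Spam-Status: No, score=1.6\n"
    "X-Spam-Flag: NO\n"
    "\n"
    "That's a shame.\n"
)

# Constructed sample: two Exim log lines from the thread (abridged).
SAMPLE_LOG = (
    '2018-05-08 21:10:54 1fG8wj-0001zB-Sq H=mail-oln040092069100.outbound.protection.outlook.com '
    '[40.92.69.100]:31772 Warning: "SpamAssassin as greenhaven detected message as NOT spam (1.6)"\n'
    '2018-05-08 21:10:54 1fG8wj-0001zB-Sq => info <info@client-domain.co.uk> R=virtual_user '
    'T=dovecot_virtual_delivery C="250 2.0.0 <info@client-domain.co.uk> AF9KM04E8lriHQAA5Ca53Q Saved"\n'
)

# Assumption: a positive scan is logged with the same wording minus "NOT ".
SA_LOG_RE = re.compile(r"SpamAssassin as \S+ detected message as (NOT )?spam \((-?[\d.]+)\)")
DELIVERY_RE = re.compile(r" => (?P<rcpt>.+?) R=(?P<router>\S+) T=(?P<transport>\S+)")


def header_verdict(raw_message):
    """Return (flagged, score) from the SpamAssassin headers of one message."""
    msg = email.message_from_string(raw_message)
    flag = (msg.get("X-Spam-Flag") or "").strip().upper()
    status = (msg.get("X-Spam-Status") or "").strip()
    m = re.search(r"score=(-?\d+(?:\.\d+)?)", status)
    flagged = flag == "YES" or status.lower().startswith("yes")
    return flagged, (float(m.group(1)) if m else None)


def log_verdict(log_text, msg_id):
    """Collect the scan result and delivery route Exim logged for msg_id."""
    out = {"flagged": None, "router": None, "transport": None}
    for line in log_text.splitlines():
        parts = line.split(" ", 3)  # date, time, message id, rest
        if len(parts) < 4 or parts[2] != msg_id:
            continue
        sa = SA_LOG_RE.search(line)
        if sa:
            out["flagged"] = sa.group(1) is None  # no "NOT " means flagged
        d = DELIVERY_RE.search(line)
        if d:
            out["router"], out["transport"] = d.group("router"), d.group("transport")
    return out


def diagnose(raw_message, log_text, msg_id):
    """Combine both sources and say where to look next."""
    flagged, score = header_verdict(raw_message)
    log = log_verdict(log_text, msg_id)
    server_flagged = flagged or bool(log["flagged"])
    where = ("server-side spam scan" if server_flagged
             else "account/user-level filter or the mail client")
    return {"score": score, "server_flagged": server_flagged, "look_at": where, **log}


if __name__ == "__main__":
    print(diagnose(SAMPLE_MESSAGE, SAMPLE_LOG, "1fG8wj-0001zB-Sq"))
```

The Exim delivery line names the router and transport but not the destination folder, so a clean result here narrows the search to filters and the mail client rather than proving where the message landed.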
  5. martin MHC

    Hi @cPanelLauren thank you for your reply; that was all I needed was to reassure me that I had approached the problem with the correct methodology.

    Your references seem to imply that if SpamAssassin does not detect it as spam then there are not other systems native to cPanel that would chuck an email into junk; thus by a process of deduction it's the client's mail reader.

    Since updating yesterday to WHM 70 (stable release), the client has not mentioned further issues so I'm hesitantly hopeful that being on WHM 70 managed to incidentally iron out the issue.

    Thank you for your help.
     
  6. cPanelLauren

    Hi @martin MHC

    You're very welcome and I do hope that the user doesn't experience any further issues but if they do please let us know!

    Thanks!
     