Genuine Human Emails appearing in Junk folder

martin MHC

This has suddenly started happening to a Client account and is hard for me to figure out, so hoping for some guidance from those who know WHM better:

Events:

- Client gets in touch via email telling me that various emails from 3rd parties (written by humans) are ending up in their account Junk Folder.

- I reply to client; my email (localhost; different accounts on the same server) also appears in their Junk folder.

- I log in to their account and this is a server decision rather than an email program on the client's machines.

- I have checked SpamAssassin and this doesn't apply to internal emails and no external emails that are marked as "junk" are at all spam (spam threshold is -5.5; emails score +1.6 for example).

- Both the Sending (ie my) and receiving domains (ie client) have fully working and fully operational DKIM, SPF and DMARC records as assessed by (3rd party) MXToolbox.

- I have not been aware of any server setting changes and have not seen any similar behaviour on other accounts.

- GreyListing is enabled but this doesn't appear to be the cause.

- I have checked Exim Mail Logs for internal reasons for mail to be marked as junk and the result is seemingly negatory:

Code:
2018-05-08 21:58:28 SMTP connection from [123.45.678.90]:55389 (TCP/IP connection count = 1)
2018-05-08 21:58:28 1fG9gq-0004mY-GF H=([192.168.1.10]) [123.45.678.90]:55389 Warning: Message has been scanned: no virus or other harmful content was found
2018-05-08 21:58:28 1fG9gq-0004mY-GF <= [email protected] H=([192.168.1.10]) [123.45.678.90]:55389 P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no A=dovecot_plain:[email protected] S=18890 [email protected] T="Re: Query from Client" for [email protected]
2018-05-08 21:58:28 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1fG9gq-0004mY-GF
2018-05-08 21:58:28 SMTP connection from ([192.168.1.10]) [123.45.678.90]:55389 closed by QUIT
2018-05-08 21:58:28 1fG9gq-0004mY-GF => info <[email protected]> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <[email protected]> eG9KMnQP8lrZRwAA5Ca53Q Saved"
2018-05-08 21:58:28 1fG9gq-0004mY-GF Completed
================================

EXTERNAL MAIL:

Here is the full header of another external mail as received into the client's junk folder:


================================

Code:
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from mail.mydomain.co.uk
   by mail.example.co.uk with LMTP id AF9KM04E8lriHQAA5Ca53Q
   for <[email protected]>; Tue, 08 May 2018 21:10:54 +0100
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Tue, 08 May 2018 21:10:54 +0100
Received: from mail-oln040092069100.outbound.protection.outlook.com ([40.92.69.100]:31772 helo=EUR02-VE1-obe.outbound.protection.outlook.com)
   by mail.example.co.uk with esmtps (TLSv1.2:ECDHE-RSA-AES256-SHA384:256)
   (Exim 4.89_1)
   (envelope-from <[email protected]>)
   id 1fG8wj-0001zB-Sq
   for [email protected]; Tue, 08 May 2018 21:10:54 +0100
Received: from AM5EUR02FT032.eop-EUR02.prod.protection.outlook.com
 (10.152.8.55) by AM5EUR02HT077.eop-EUR02.prod.protection.outlook.com
 (10.152.9.127) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.20.735.16; Tue, 8
 May 2018 20:10:48 +0000
Received: from DB5PR09MB0453.eurprd09.prod.outlook.com (10.152.8.56) by
 AM5EUR02FT032.mail.protection.outlook.com (10.152.8.109) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id
 15.20.735.16 via Frontend Transport; Tue, 8 May 2018 20:10:48 +0000
Received: from DB5PR09MB0453.eurprd09.prod.outlook.com
 ([fe80::ad78:89f8:7f05:5a67]) by DB5PR09MB0453.eurprd09.prod.outlook.com
 ([fe80::ad78:89f8:7f05:5a67%14]) with mapi id 15.20.0735.016; Tue, 8 May 2018
 20:10:48 +0000
From: Nikki Person <[email protected]>
To: Green Client <[email protected]>
Subject: Re: Availability for 2018
Thread-Topic: Availability for 2018
Thread-Index: AQHTiKyvdJfartz3ZkWGBfa+dZul7qNqkpIAgARrBzGAAyvrAIAOFPEqgAHgKgCAPrIAmoABUemAgFmyAcWAAB/BgIAI5b/GgAIlkICAAABbTQ==
Date: Tue, 8 May 2018 20:10:48 +0000
Message-ID: <[email protected]od.outlook.com>
References: <[email protected]9.prod.outlook.com>
 <[email protected]>
 <[email protected]9.prod.outlook.com>
 <[email protected]>
 <[email protected]9.prod.outlook.com>,<[email protected]>
 <[email protected]9.prod.outlook.com>,<[email protected]>
 <[email protected]od.outlook.com>,<[email protected]>
 <[email protected]od.outlook.com>,<[email protected]>
In-Reply-To: <[email protected]>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-incomingtopheadermarker: OriginalChecksum:9524D9CB42DBBC0ED5A3BAED69975A284B2B7ACB211E52FF2933D97485E4660D;UpperCasedChecksum:BCBC273429922CC8BBB0FBD44E2F743269B7EEE8A27414B158413D4316C00E32;SizeAsReceived:7960;Count:46
x-ms-exchange-messagesentrepresentingtype: 1
x-tmn: [YjStu1U4S7/UN5YXjeScjiF0yxonr1Fr]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1;AM5EUR02HT077;7:CMyHh1v22NAllWDgHy8x4okps6f/rEFdw5GN/DoBsVFC14aDqjTQ62/7ZhUrK5vI+443GK/pKPG0UZklt28c9WDpwpqIxGuGrsfYHu7URHGHLSHZPhmwOJI2hQW7whoUssvRUnmkKaWBv9St1XmFO5brUo/tEfHMPungrJIzPZw26rtCYorVKHrgpEQfuIHn1F0fL6EjR45DPGg8IpUtWZXTCm66PfCiiEfcobn4YaQ3m2XQg4JHOBKgygqw1xmi
x-incomingheadercount: 46
x-eopattributedmessage: 0
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(7020095)(201702061078)(5061506573)(5061507331)(1603103135)(2017031320274)(2017031324274)(2017031323274)(2017031322404)(1601125420)(1603101448)(1701031045);SRVR:AM5EUR02HT077;
x-ms-traffictypediagnostic: AM5EUR02HT077:
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(444000031);SRVR:AM5EUR02HT077;BCL:0;PCL:0;RULEID:;SRVR:AM5EUR02HT077;
x-forefront-prvs: 0666E15D35
x-forefront-antispam-report: SFV:NSPM;SFS:(7070007)(66544003)(199004)(189003)(44832011)(486006)(8676002)(7696005)(59450400001)(6506007)(53546011)(82202002)(102836004)(8936002)(74316002)(26005)(6346003)(99286004)(97736004)(68736007)(7116003)(76176011)(104016004)(11346002)(446003)(6916009)(81156014)(86362001)(476003)(5660300001)(93886005)(106356001)(3280700002)(2900100001)(733005)(99936001)(6436002)(45080400002)(54556002)(1250700005)(9686003)(14454004)(74482002)(966005)(236005)(54896002)(6306002)(53386004)(606006)(6246003)(345774005)(33656002)(105586002)(55016002)(3660700001)(25786009)(229853002)(5250100002)(53946003)(21314002);DIR:OUT;SFP:1901;SCL:1;SRVR:AM5EUR02HT077;H:DB5PR09MB0453.eurprd09.prod.outlook.com;FPR:;SPF:None;PTR:InfoNoRecords;A:1;MX:1;LANG:;
received-spf: None (protection.outlook.com: live.co.uk does not designate
 permitted sender hosts)
authentication-results: spf=none (sender IP is )
 [email protected];
x-microsoft-antispam-message-info: zsDKilepxdUoXCc/Zh9KdKiVn+ahXpWYXRirNXaj+9xetEqXEWMkd7n18NN1TgiY9VNZiRKQNU3uVRL+KtEf/2wQixYeqeoMkxJQBXHT2K9fICyxBMs16t7OiFvGfDfWgFE2TvJIsErzu391hKMgAkpCh9mPxdgVLdiMkms8yI03/qlFSQhkWyG8mC4xDRIk
Content-Type: multipart/related;
   boundary="_007_DB5PR09MB0453FAAD4C4E0C14A06A2527DF9A0DB5PR09MB0453eurp_";
   type="multipart/alternative"
MIME-Version: 1.0
X-MS-Office365-Filtering-Correlation-Id: 08d34282-b274-4193-918f-08d5b51fca17
X-OriginatorOrg: outlook.com
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: f12efbb0-867f-4c93-8261-502eceebfafa
X-MS-Exchange-CrossTenant-Network-Message-Id: 08d34282-b274-4193-918f-08d5b51fca17
X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: f12efbb0-867f-4c93-8261-502eceebfafa
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 May 2018 20:10:48.1167
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Internet
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM5EUR02HT077
X-Spam-Status: No, score=1.6
X-Spam-Score: 16
X-Spam-Bar: +
X-Ham-Report: Spam detection software, running on the system "mail.mydomain.co.uk",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 root\@localhost for details.
 Content preview:  That's a shame. Thank you so much for all your help. Well
   see you in July x Get Outlook for Android Outlook From: Green
   Client <[email protected]> Sent: Tuesday, May 8, 2018 9:09:31
   PM To: 'Someuser' Subject: RE: Availability for 2018 [...]

 Content analysis details:   (1.6 points, 5.5 required)

  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                            See
                            http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                             for more information.
                            [URIs: aka.ms]
  1.1 KAM_COUK               Scoring .co.uk emails higher due to poor registry security.
  0.5 KAM_NUMSUBJECT         Subject ends in numbers
 -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 -0.0 SPF_PASS               SPF: sender matches SPF record
  0.0 HTML_MESSAGE           BODY: HTML included in message
X-Spam-Flag: NO

--_007_DB5PR09MB0453FAAD4C4E0C14A06A2527DF9A0DB5PR09MB0453eurp_
Content-Type: multipart/alternative;
   boundary="_000_DB5PR09MB0453FAAD4C4E0C14A06A2527DF9A0DB5PR09MB0453eurp_"

--_000_DB5PR09MB0453FAAD4C4E0C14A06A2527DF9A0DB5PR09MB0453eurp_
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

That's a shame. Thank you so much for all your help. Well see you in July x

Get Outlook for AndroidOutlook
================================

And here is the corresponding Exim maillog:

Code:
2018-05-08 21:10:54 1fG8wj-0001zB-Sq H=mail-oln040092069100.outbound.protection.outlook.com (EUR02-VE1-obe.outbound.protection.outlook.com) [40.92.69.100]:31772 Warning: "SpamAssassin as greenhaven detected message as NOT spam (1.6)"
2018-05-08 21:10:54 1fG8wj-0001zB-Sq <= [email protected] H=mail-oln040092069100.outbound.protection.outlook.com (EUR02-VE1-obe.outbound.protection.outlook.com) [40.92.69.100]:31772 P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-SHA384:256 CV=no S=195948 [email protected].prod.outlook.com T="Re: Availability for 2018" for [email protected]
2018-05-08 21:10:54 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1fG8wj-0001zB-Sq
2018-05-08 21:10:54 SSL_write: (from mail-oln040092069100.outbound.protection.outlook.com (EUR02-VE1-obe.outbound.protection.outlook.com) [40.92.69.100]:31772) syscall: Connection reset by peer
2018-05-08 21:10:54 SMTP connection from mail-oln040092069100.outbound.protection.outlook.com (EUR02-VE1-obe.outbound.protection.outlook.com) [40.92.69.100]:31772 closed by QUIT
2018-05-08 21:10:54 1fG8wj-0001zB-Sq => info <[email protected]> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <[email protected]> AF9KM04E8lriHQAA5Ca53Q Saved"
2018-05-08 21:10:54 1fG8wj-0001zB-Sq Completed
================================

NOTES:

- WHM version 68.
- The issue occurs for both local emails from different accounts on the same server and for outside email to this account.
- I have looked at how to find answers but other answers I see are all about how code programs (PHP, etc.) can write emails, not human-written emails.

================================
1) How can I find the cause for this junk collecting of otherwise valid emails?

2) How (aside from the methods above) can I set what is defined as appearing in the "junk" folder of the recipient mailbox?
 

sparek-3

For me, it's difficult for me to follow information like this because it's been redacted (which I'm not faulting you for) and I'm just not able to access the system.

What email client is the user using to check their mail?

Regarding the message 1fG8wj-0001zB-Sq - are you sure it's not being sent to junk by the end user's email client? There's nothing in the headers or logs that would seem to indicate that the message was flagged as spam by SpamAssassin.

Another possibility is an account or user-level filter that delivers the message into a different folder on the account. But I think that shows up in the logs if that happens.

Spam is just extremely subjective and there's just never going to be a de facto way of completely handling it. Sure, there are messages that are obviously spam. But messages that don't fit that profile... the subjective nature of email is going to be a determining factor.
 

martin MHC

Hello Sparek-3
I'm not sure I follow re: redactions? I've changed email addresses and names but have not removed any lines.

I am fully aware that spam is subjective and I totally follow that; I'm not complaining about the spam status itself; but I am concerned that I can't see why a message (mine or from an outside mailer) is appearing in the junk folder itself.

I also initially thought this was due to the client's mail program (Thunderbird) but then viewing freshly sent emails on the server via webmail they are being delivered to junk before the client's mail program has a chance to move messages.

None of the messages I have found have been flagged by SpamAssassin. That's partly my confusion.

Cheers

Martin
 

cPanelLauren

Product Owner
Staff member
Hi @martin MHC

I think what @sparek-3 is trying to say is it's difficult to identify the issue when the actual domain names are removed. In this case it does make it more difficult, but that's exactly how we request you post things on the forums and not your fault in the least.

Looking at SpamAssassin I can clearly see that it marks the message as NOT spam:

Code:
X-MS-Office365-Filtering-Correlation-Id: 08d34282-b274-4193-918f-08d5b51fca17
X-OriginatorOrg: outlook.com
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: f12efbb0-867f-4c93-8261-502eceebfafa
X-MS-Exchange-CrossTenant-Network-Message-Id: 08d34282-b274-4193-918f-08d5b51fca17
X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: f12efbb0-867f-4c93-8261-502eceebfafa
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 May 2018 20:10:48.1167
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Internet
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM5EUR02HT077
X-Spam-Status: No, score=1.6
X-Spam-Score: 16
X-Spam-Bar: +
X-Ham-Report: Spam detection software, running on the system "mail.mydomain.co.uk",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 root\@localhost for details.
 Content preview:  That's a shame. Thank you so much for all your help. Well
   see you in July x Get Outlook for Android Outlook From: Green
   Client <[email protected]> Sent: Tuesday, May 8, 2018 9:09:31
   PM To: 'Someuser' Subject: RE: Availability for 2018 [...]

 Content analysis details:   (1.6 points, 5.5 required)

  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                            See
                            http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                             for more information.
                            [URIs: aka.ms]
  1.1 KAM_COUK               Scoring .co.uk emails higher due to poor registry security.
  0.5 KAM_NUMSUBJECT         Subject ends in numbers
 -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 -0.0 SPF_PASS               SPF: sender matches SPF record
  0.0 HTML_MESSAGE           BODY: HTML included in message
X-Spam-Flag: NO
Most importantly this line:
Code:
X-Spam-Flag: NO
This means the server is *not* marking this message as spam.

My assumption here is that you could most likely look at /var/log/maillog for this message and see it being delivered to INBOX - not spam. What I believe is occurring here is their mail client is moving the messages to their spam folder once received. This can be the fault of a mail client plugin, antivirus or trained behavior (more than likely by accident) or it could be the Microsoft Filtering in place.

The easiest way to identify which of these is the culprit, in my opinion, would be to change the email password temporarily so the mail client cannot connect, then send a test email to determine if it stays in the INBOX for the email user.


Thanks!
 
Reactions: sparek-3
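
The server-side check discussed in the reply above, as an added example that is not part of the original posts and not cPanel tooling: it reads the SpamAssassin verdict from a message's headers and pulls the router and transport from the Exim `=>` delivery line for the same message ID. The sample input is constructed from the headers and log quoted in this thread, with placeholder addresses; the function names are assumptions of this example.

```python
import re
from email import message_from_string

# Constructed sample, trimmed from the headers and Exim log quoted in this
# thread; addresses and hostnames are placeholders.
SAMPLE_HEADERS = """\
Subject: Re: Availability for 2018
X-Spam-Status: No, score=1.6
X-Spam-Score: 16
X-Ham-Report: Spam detection software has NOT identified this email as spam.
 Content analysis details:   (1.6 points, 5.5 required)
X-Spam-Flag: NO

body
"""
SAMPLE_LOG = [
    '2018-05-08 21:10:54 1fG8wj-0001zB-Sq <= sender@example.org H=mail.example.net [40.92.69.100]:31772 P=esmtps S=195948',
    '2018-05-08 21:10:54 1fG8wj-0001zB-Sq => info <info@example.co.uk> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 Saved"',
    '2018-05-08 21:10:54 1fG8wj-0001zB-Sq Completed',
]

def spamassassin_verdict(raw):
    """Return what SpamAssassin recorded in the headers of one message."""
    msg = message_from_string(raw)
    status = msg.get("X-Spam-Status", "")
    score = re.search(r"score=(-?\d+(?:\.\d+)?)", status)
    report = msg.get("X-Ham-Report") or msg.get("X-Spam-Report") or ""
    required = re.search(r"(-?\d+(?:\.\d+)?) required", report)
    return {
        "flag": (msg.get("X-Spam-Flag") or "").strip().upper(),
        "status": status.split(",")[0].strip(),
        "score": float(score.group(1)) if score else None,
        "required": float(required.group(1)) if required else None,
    }

def deliveries(log_lines, exim_id):
    """Return (router, transport) for each delivery line of one Exim message ID."""
    out = []
    for line in log_lines:
        m = re.match(r"\S+ \S+ (\S+) [=-]> .*?\bR=(\S+) T=(\S+)", line)
        if m and m.group(1) == exim_id:
            out.append((m.group(2), m.group(3)))
    return out

def flagged_by_server(raw):
    """True if the headers show SpamAssassin treated the message as spam."""
    v = spamassassin_verdict(raw)
    over = None not in (v["score"], v["required"]) and v["score"] >= v["required"]
    return v["flag"] == "YES" or v["status"].lower() == "yes" or over
```

Compare the router and transport pair with that of a message known to have stayed in the inbox; both deliveries quoted in this thread show `R=virtual_user T=dovecot_virtual_delivery`.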

martin MHC

Hi @cPanelLauren thank you for your reply; that was all I needed was to reassure me that I had approached the problem with the correct methodology.

Your references seem to imply that if SpamAssassin does not detect it as spam then there are no other systems native to cPanel that would chuck an email into junk; thus by a process of deduction it's the client's mail reader.

Since updating yesterday to WHM 70 (stable release), the client has not mentioned further issues so I'm hesitantly hopeful that being on WHM 70 managed to incidentally iron out the issue.

Thank you for your help.
 