Mail server randomly forwarding messages to junk mail...

Code:

2014-10-13 18:04:10 1XdqWp-0001ux-Pw H=mx1.slc.paypal.com (mx0.slc.paypal.com) [173.0.xx.xxx]:43893 Warning: "SpamAssassin as username detected message as NOT spam (-116.7)"
2014-10-13 18:04:10 1XdqWp-0001ux-Pw <= [email]member@paypal.com[/email] H=mx1.slc.paypal.com (mx0.slc.paypal.com) [173.0.xx.xxx]:43893 P=esmtps X=TLSv1:DHE-RSA-AES256-SHA:256 S=18686 id=1413248634.3850@paypal.com $
2014-10-13 18:04:10 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1XdqWp-0001ux-Pw
2014-10-13 18:04:10 1XdqWp-0001ux-Pw => /home/username/mail/domain.com/user/.Junk/ <user@domain.com> R=central_filter T=address_directory
2014-10-13 18:04:10 1XdqWp-0001ux-Pw Completed
2014-10-13 18:04:15 SMTP connection from mx1.slc.paypal.com (mx0.slc.paypal.com) [173.0.84.226]:43893 closed by QUIT

Basically in this case it's taking legit e-mails from PayPal (Spam score -116.7 which I'd say is pretty obviously not accidentally filtering as spam) and then tossing it in the junk folder...

I tried copy-pasting this message in the test filter and it says delivery would be as normal.

This is frustratingly happening with tons of important, legitimate messages (all the meanwhile my inbox is filling up with obvious spam).

How do I determine what filter rules are sending legit e-mails to my junk folder?

I do have a lot of spam rules set up for word combinations such as "penis pills". I've looked over my word list many many times and cannot determine what is causing legit e-mails to be filtered. Basically most of my important clients and payment notifications and support ticket notifications are all ending up in my junk folder for some random reason.

 

Yes we do, we have account level filters configured for the account (not user level). The account level filters we have loaded are filters like this:

Any Header contains Penis Pills action send to junk
Any Header contains Pimsleur Approach action send to junk
Any Header contains FHA Loans action send to junk

I.e. our filters contain very specific spam phrases and re-directs e-mail to junk if a spam phrase is detected. We are not using REGEX, just using "Contains" and then typing our a whole phrase.

I have spent many hours scouring over the account level filters looking for a filter that would be causing about 50% of our legitimate e-mails from clients to end up in the junk folder.

Many of the e-mails are plain formatting (non-HTML), well-written. I have copied-and-pasted these e-mails into the filter test, and the filter test says that the e-mail should be delivered as normal. The logs indicate that the e-mail was not spam, but then as you can see in the logs above, the system re-directs the e-mail to the junk folder anyway.

I am completely baffled here as I cannot trace the exact reason random legit e-mails are being redirected to the junk folder. I am completely open to suggestions on what I can do to further trace or troubleshoot this.

- - - Updated - - -

Also, we disabled spam-assasin for the time being and manually restarted exim and spamd but that didn't help the situation.

 

I have about 200 rules (and add about 5 new rules every day). CPanel does not offer a way to easily disable the filter rules. Is there a way to dig into the logs further and determine specifically which filter is triggering?

I have used the filter test and copied-pasted the e-mail exactly, and the filter test says the message should be delivered as-normal.

[Is there a better alternative filter test that will correctly predict the outcome, or a filter test that will allow pasting of full raw headers for enhanced testing?]

I have spent quiet a few hours reading, re-reading, and re-re-reading the filter lists and e-mails with headers. I just have a hard time finding penis pills, FHA loans or other spam phrases in the headers of these e-mails that are coming from my clients.

 

Hi Michael;

Here is the test I have been performing. Maybe you can help explain what I am doing wrong.

1.) "Legitimate" e-mails land in my junk folder.
2.) I take one of the e-mails that is formatted in plaintext, and copy and paste the subject, sender, and body.
3.) I log into CPANEL at www.mydomain.com/cpanel
4.) I click on "account level filtering".
5.) At the bottom of the page is a "Filter Test" box. I paste the subject, sender and body of the e-mail in question into the filter test box and click Test Filter.
6.) The output is as follows:

Filtering did not set up a significant delivery.
Normal delivery will occur.

So here is where I am having troubles. You have instructed me to "... go... through the filter rules to determine which one is at fault." However, when I try to do this, the Filter Test tells me that the filter is not triggering, and that Normal Delivery should be occuring (but normal delivery is not occuring).

Would you be kind enough to provide a step by step on how I can "go thorugh the filter fules to determine which one is at fault", I am not able to figure this out on my own thus far.