SOLVED Problems with spam when redirect emails

Tatchan

Hi!!

I have a problem with SpamAssassin. I have 2 servers with 2 domains. On server A I have an email redirection to the real email on server B, for example:

[email protected] -> [email protected]

When I write an email to [email protected], SpamAssassin puts the correct score on server A, but when server B receives this email, it classifies the email as spam.

Example with the SpamAssassin log for the same email, received on server A and then redirected to server B:
Code:
Server A:
2017-02-17 12:46:14 1cegzF-0002xxxxx H= [xxx.xxx.xxx.xxx]:33894 Warning: "SpamAssassin as xxxxx detected message as NOT spam (0.4)"

Server B:
2017-02-17 12:47:05 1ceh06-000Mxxxxx H=xxxxxxx [xxx.xxx.xxx.xxx]:44600 Warning: "SpamAssassin as dogopets detected message as NOT spam (5.3)"
Almost 5 more score points!! How can I fix this problem?

Thanks for all!! =)
 

cPanelMichael

Hello,

Could you elaborate on how you are redirecting the email? Is this via a forwarder or a custom Exim configuration?

Thank you.
 

Jcats

You should check the email headers as well to see what is being triggered to cause the score to be so high; that may help to figure out what's going on.
 

cPanelMichael

Hello,

Also, please post the output from /var/log/exim_mainlog for the affected messages on each system. EX:

Code:
exigrep MSGID /var/log/exim_mainlog
Thank you.
 

Tatchan

I have done a test sending an email from Hotmail to the redirection on server A and receiving it in a mailbox on server B. This time it wasn't detected as spam, since the original message only had a score of -3.2, but server B has added almost 5 score points.

This is the log and headers from a test:

Server A:

2017-02-21 08:27:02 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1cg4qg-0002sk-ES



+++ 1cg4qg-0002sk-ES has not completed +++

2017-02-21 08:27:02 1cg4qg-0002sk-ES H=col004-omc2s4.hotmail.com [65.55.34.78]:51187 Warning: "SpamAssassin as xxxxxx detected message as NOT spam (-3.2)"

2017-02-21 08:27:02 1cg4qg-0002sk-ES <= [email protected] H=col004-omc2s4.hotmail.com [65.55.34.78]:51187 P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-SHA384:256 CV=no S=6857 [email protected]rd08.prod.outlook.com T="Test message" for [email protected]

2017-02-21 08:27:02 1cg4qg-0002sk-ES SMTP connection identification D=serverA.com [email protected] [email protected] M=1cg4qg-0002sk-ES U=xxxxx ID=504 B=redirect_resolver

2017-02-21 08:27:02 1cg4qg-0002sk-ES SMTP connection outbound 1487662022 1cg4qg-0002sk-ES serverA.com [email protected]

2017-02-21 08:27:02 1cg4qg-0002sk-ES => xxxxx <[email protected]> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <[email protected]> D4QsFcbrq1hbKwAAUZY67A Saved"



Server B:

2017-02-21 08:27:50 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1cg4rT-0008db-54



2017-02-21 08:27:50 1cg4rT-0008db-54 H=xxx.xxxxx.eu (xxxxxx.ovh.net) [xxx.xxx.160.164]:53230 Warning: "SpamAssassin as usergrup detected message as NOT spam (2.1)"

2017-02-21 08:27:50 1cg4rT-0008db-54 H=xxx.xxxxx.eu (xxxxxx.ovh.net) [xxx.xxx.160.164]:53230 Warning: Message has been scanned: no virus or other harmful content was found

2017-02-21 08:27:50 1cg4rT-0008db-54 <= [email protected] H=xxx.xxxxx.eu (xxxxx.ovh.net) [xxx.xxx.160.164]:53230 P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=7667 [email protected]rd08.prod.outlook.com T="Test message" for [email protected]

2017-02-21 08:27:50 1cg4rT-0008db-54 => xxxxx<[email protected]> R=virtual_user T=dovecot_virtual_delivery_no_batch C="250 2.0.0 <[email protected]> VZwWJPbrq1gEggAAUeMStQ Saved"

2017-02-21 08:27:50 1cg4rT-0008db-54 Completed







Headers received:

X-Exchange-Antispam-Report-Cfa-Test: BCL:0;PCL:0;RULEID:(432015087)(444000031);SRVR:HE1EUR01HT195;BCL:0;PCL:0;RULEID:;SRVR:HE1EUR01HT195;

X-Incomingheadercount: 37

X-Spam-Score: 21

X-Ms-Exchange-Crosstenant-Originalarrivaltime: 21 Feb 2017 07:26:18.2862 (UTC)

X-Originatororg: hotmail.com

X-Ms-Exchange-Transport-Crosstenantheadersstamped: HE1EUR01HT195

X-Forefront-Antispam-Report: EFV:NLI;SFV:NSPM;SFS:(10019020)(98900012);DIR:OUT;SFP:1102;SCL:1;SRVR:HE1EUR01HT195;H:HE1PR0801MB1835.eurprd08.prod.outlook.com;FPR:;SPF:None;LANG:ca;

X-Authenticated-Sender: xxxxxx.ovh.net: [email protected]

Authentication-Results: serverA.com; dkim=none (message not signed) header.d=none;serverA.com; dmarc=none action=none header.from=hotmail.com;

X-Ham-Report: Spam detection software, running on the system “xxxxxxxx.ip-5-196-86.eu", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see root\@localhost for details.
 Content preview: Això és una prova Això és una prova [...]
 Content analysis details: (2.1 points, 6.0 required)
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  1.5 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
  0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail provider (xxxxxx[at]hotmail.com)
 -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1% [score: 0.0000]
  0.0 HTML_MESSAGE           BODY: HTML included in message
  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's domain
 -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
  2.6 RDNS_DYNAMIC           Delivered to internal network by host with dynamic-looking rDNS

Return-Path: <[email protected]>

Return-Path: <[email protected]>

X-Ms-Exchange-Crosstenant-Fromentityheader: Internet

Spamdiagnosticoutput: 1:99

X-Ms-Tnef-Correlator:

X-Ms-Exchange-Crosstenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa

X-Spam-Bar: ++

Spamdiagnosticmetadata: NSPM

Envelope-To: [email protected]

Delivery-Date: Tue, 21 Feb 2017 08:27:50 +0100

X-Antiabuse: This header was added to track abuse, please include it with any abuse report

X-Antiabuse: Primary Hostname - xxxxxxx.ovh.net

X-Antiabuse: Original Domain - serverA.com

X-Antiabuse: Originator/Caller UID/GID - [47 12] / [47 12]

X-Antiabuse: Sender Address Domain - hotmail.com

X-Spam-Flag: NO

X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001)(201702061074)(5061506556)(5061507331)(1603103135)(1601125237)(1603101406)(1701031045);SRVR:HE1EUR01HT195;

Thread-Index: AQHSjBPKzU7Ywqx8mUmqdvSm0iWaqA==

Accept-Language: es-ES, en-US

X-Spam-Status: No, score=2.1

Message-Id: <[email protected]8.prod.outlook.com>

Content-Language: es-ES

X-Source-Args:

Mime-Version: 1.0

X-Originalarrivaltime: 21 Feb 2017 07:26:21.0524 (UTC) FILETIME=[CCCA4140:01D28C13]

X-Ms-Office365-Filtering-Correlation-Id: 3ae84d8e-4aef-4daf-611d-08d45a2aed67

Received: from xxxxxxxx.ip-5-196-86.eu by xxxxxxx.ip-5-196-86.eu (Dovecot) with LMTP id VZwWJPbrq1gEggAAUeMStQ for <[email protected]>; Tue, 21 Feb 2017 08:27:50 +0100

Received: from xxxxxx.xxxxx.eu ([xxx.xxx.160.164]:53230 helo=xxxxxxx.ovh.net) by xxxxxx.ip-5-196-86.eu with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.87) (envelope-from <[email protected]>) id 1cg4rT-0008db-54 for [email protected]; Tue, 21 Feb 2017 08:27:50 +0100

Received: from col004-omc2s4.hotmail.com ([65.55.34.78]:51187) by xxxxxxx.ovh.net with esmtps (TLSv1.2:ECDHE-RSA-AES256-SHA384:256) (Exim 4.87) (envelope-from <[email protected]>) id 1cg4qg-0002sk-ES for [email protected]; Tue, 21 Feb 2017 08:27:02 +0100

Received: from EUR01-HE1-obe.outbound.protection.outlook.com ([65.55.34.73]) by COL004-OMC2S4.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23008); Mon, 20 Feb 2017 23:26:21 -0800

Received: from HE1EUR01FT038.eop-EUR01.prod.protection.outlook.com (10.152.0.52) by HE1EUR01HT195.eop-EUR01.prod.protection.outlook.com (10.152.1.138) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.919.10; Tue, 21 Feb 2017 07:26:18 +0000

Received: from HE1PR0801MB1835.eurprd08.prod.outlook.com (10.152.0.58) by HE1EUR01FT038.mail.protection.outlook.com (10.152.1.93) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.919.10 via Frontend Transport; Tue, 21 Feb 2017 07:26:18 +0000

Received: from HE1PR0801MB1835.eurprd08.prod.outlook.com ([10.168.150.143]) by HE1PR0801MB1835.eurprd08.prod.outlook.com ([10.168.150.143]) with mapi id 15.01.0919.018; Tue, 21 Feb 2017 07:26:18 +0000

Content-Type: multipart/alternative; boundary="_000_HE1PR0801MB18353D9695A378CC8E7D9409F8510HE1PR0801MB1835_"
 

cPanelMichael

X-Ham-Report: Spam detection software, running on the system “xxxxxxxx.ip-5-196-86.eu", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see root\@localhost for details.
 Content preview: Això és una prova Això és una prova [...]
 Content analysis details: (2.1 points, 6.0 required)
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  1.5 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
  0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail provider (xxxxxx[at]hotmail.com)
 -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1% [score: 0.0000]
  0.0 HTML_MESSAGE           BODY: HTML included in message
  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's domain
 -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
  2.6 RDNS_DYNAMIC           Delivered to internal network by host with dynamic-looking rDNS

Hello,

This is the part of the message header that will help you to determine why SpamAssassin detects a message as SPAM.

Could you enable the "Enable Sender Rewriting Scheme (SRS) Support" option in "WHM >> Service Configuration >> Exim Configuration Manager >> Basic Editor" and let us know if this helps to address the issue?

Thank you.
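
The rule table quoted above can also be read programmatically. The following is an added example, not part of the original thread: it parses the flattened report text from the posted X-Ham-Report header and totals the points from rules that judge the delivering relay or envelope sender rather than the content. The `RELAY_PREFIXES` grouping is an assumption of this example.

```python
import re
from decimal import Decimal

# Report text copied from the X-Ham-Report header posted in this thread,
# flattened onto one line as it appears there.
REPORT = (
    "Content analysis details: (2.1 points, 6.0 required) pts rule name description "
    "---- ---------------------- -------------------------------------------------- "
    "1.5 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail) "
    "0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider "
    "(xxxxxx[at]hotmail.com) "
    "-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] "
    "0.0 HTML_MESSAGE BODY: HTML included in message "
    "0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid "
    "-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain "
    "-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature "
    "2.6 RDNS_DYNAMIC Delivered to internal network by host with dynamic-looking rDNS"
)

# A rule entry starts with a signed one-decimal score followed by the rule name.
ENTRY_RE = re.compile(r"(?<![\w.])(-?\d+\.\d) ([A-Z][A-Z0-9_]{2,})(?= )")
TOTAL_RE = re.compile(r"\((-?\d+\.\d) points, (-?\d+\.\d) required\)")
# Assumption of this example: these prefixes mark rules that evaluate the
# connecting relay or the envelope sender, not the message content.
RELAY_PREFIXES = ("SPF_", "RDNS_")

def parse_report(text):
    """Return (declared_total, required, [(points, rule, description), ...])."""
    total, required = (Decimal(x) for x in TOTAL_RE.search(text).groups())
    body = re.split(r"-{4,}\s+", text)[-1]          # text after the ruler line
    hits = list(ENTRY_RE.finditer(body))
    rules = []
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(body)
        rules.append((Decimal(m.group(1)), m.group(2), body[m.end():end].strip()))
    return total, required, rules

def relay_points(rules):
    """Sum the points from rules that depend on the relay or envelope."""
    return sum((p for p, name, _ in rules if name.startswith(RELAY_PREFIXES)), Decimal(0))

if __name__ == "__main__":
    total, required, rules = parse_report(REPORT)
    for points, name, desc in sorted(rules, reverse=True):
        print(f"{points:>5} {name:<15} {desc}")
    print("sum of rules:", sum(p for p, _, _ in rules), "declared:", total)
    print("relay/envelope-dependent points:", relay_points(rules))
```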
 

Tatchan

Yesterday I tried activating "Enable Sender Rewriting Scheme (SRS) Support", and it seems that it now works well. I see that SpamAssassin now adds -100 points to the mails that come from the other server.
 

cPanelMichael

Hello,

I'm happy to see that helped to address the "SPF_SOFTFAIL SPF: sender does not match SPF record (softfail) 0.0" message that appeared in the header.

Thank you for updating us with the outcome.
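
Why the SRS option changes the SPF result on server B, as an added example that is not part of the original thread and is not cPanel's or Exim's code: SPF is checked against the envelope sender's domain and the connecting IP, so a forwarder that keeps the original envelope sender fails the sender's policy, while an SRS0-rewritten sender is checked against the forwarder's own policy. The domains, documentation-range IPs, secret and SPF table are constructed, and the SRS0 hash is a simplified illustration that is not guaranteed to interoperate with a real SRS implementation.

```python
import base64
import hashlib
import hmac

B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

# Constructed SPF policies (documentation IPs): authorized sending IPs per
# domain, plus the result the policy's final "all" term gives everyone else.
SPF = {
    "sender.example": ({"198.51.100.10"}, "softfail"),   # policy ends in ~all
    "servera.example": ({"192.0.2.25"}, "fail"),         # policy ends in -all
}

def spf_result(envelope_from, client_ip):
    """SPF is evaluated on the envelope sender's domain and the connecting IP."""
    domain = envelope_from.rsplit("@", 1)[1].lower()
    if domain not in SPF:
        return "none"
    allowed, default = SPF[domain]
    return "pass" if client_ip in allowed else default

def _tag(secret, ts, domain, local):
    # Simplified keyed hash so the forwarder can recognise its own rewrites.
    mac = hmac.new(secret, (ts + domain + local).lower().encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()[:4]

def srs0_forward(sender, forwarder_domain, secret, day):
    """Rewrite the envelope sender so it belongs to the forwarder's domain."""
    local, domain = sender.rsplit("@", 1)
    d = day % 1024                      # two-character day stamp
    ts = B32[d >> 5] + B32[d & 31]
    return f"SRS0={_tag(secret, ts, domain, local)}={ts}={domain}={local}@{forwarder_domain}"

def srs0_reverse(address, secret):
    """Recover the original sender for bounces; reject forged tags."""
    srs_local = address.rsplit("@", 1)[0]
    if not srs_local.upper().startswith("SRS0="):
        raise ValueError("not an SRS0 address")
    tag, ts, domain, local = srs_local[5:].split("=", 3)
    if not hmac.compare_digest(tag, _tag(secret, ts, domain, local)):
        raise ValueError("SRS hash mismatch")
    return f"{local}@{domain}"

def compare_hops(sender, forwarder_domain, forwarder_ip, secret, day):
    """SPF result server B sees for the forwarded mail, without and with SRS."""
    rewritten = srs0_forward(sender, forwarder_domain, secret, day)
    return spf_result(sender, forwarder_ip), spf_result(rewritten, forwarder_ip)
```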