emails being delivered to spam folder, but don't know why

keat63

• June 03, 2016 08:32

I've had a larger than normal number of emails delivered to a users spam folder, but for the life of me can't figure out why. The headers would indicate a spam score of say 0.9 with the threshold configured for 5.0, so marked in the header as Spam = No. I have no user or account level filter that would have delivered them to the spam folder.
2016-05-31 09:01:01 1b7ebk-0005l1-Jc H=mail1.bemta12.messagelabs.com [xxx.xx.251.14]:60780 Warning: Message has been scanned: no virus or other harmful content was found 2016-05-31 09:01:02 1b7ebk-0005l1-Jc H=mail1.bemta12.messagelabs.com [xxx.xx.251.14]:60780 Warning: "SpamAssassin as mydomainukltd detected message as NOT spam (0.9)" 2016-05-31 09:01:02 1b7ebk-0005l1-Jc <= r.l.field@customer.com H=mail1.bemta12.messagelabs.com [xxx.xx.251.14]:60780 P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=99222 id=ADR410000001019830100017A477141C1EE689E0B59F2B3A60F0@eu.zzzzz.com T="Purchase Order Modine 406357 45366106" for sales@mydomain.org.uk 2016-05-31 09:01:02 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1b7ebk-0005l1-Jc 2016-05-31 09:01:02 1b7ebk-0005l1-Jc => /home/mydomainukltd/mail/mydomain.org.uk/sales/.spam/ R=virtual_user_filter T=address_directory 2016-05-31 09:01:02 1b7ebk-0005l1-Jc Completed
any thoughts why this went to spam.

• 

  keat63

  • June 03, 2016 14:27

  Just one thing I did notice in the headers on two of the emails before I delivered them to the inbox, They both had reference to being listed on Pyzor. I'm aware that /etc/mail/spamassassin/local.cf has reference to Pyzor. Could it be related ?

  0
• 

  keat63

  • June 06, 2016 08:34

  Got another one this morning. Any thoughts please ?
  Subject: Emailing - A060616092605BEA0569084P06_01_1.pdf Thread-Topic: Emailing - A060616092605BEA0569084P06_01_1.pdf Thread-Index: AdG/zLs3vf93eeLoSpy0TVo16lSNsw== Date: Mon, 6 Jun 2016 08:23:40 +0000 Message-ID: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: yes X-MS-TNEF-Correlator: x-originating-ip: [xx.0.0.xxx] Content-Type: multipart/mixed; boundary="_004_F97550822F01D646BD976FA949841F5201532EB1ARMEGSRV01xxxxx_" MIME-Version: 1.0 X-Spam-Status: No, score=2.4 X-Spam-Score: 24 X-Spam-Bar: ++ X-Ham-Report: Spam detection software, running on the system "host.myserver.co.uk", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see root\@localhost for details. Content preview: [...] Content analysis details: (2.4 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 1.1 KAM_COUK Scoring .co.uk emails higher due to poor registry security. 0.0 HTML_MESSAGE BODY: HTML included in message -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] 0.4 MIME_HTML_MOSTLY BODY: Multipart message mostly text/html MIME 1.8 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/) 0.0 FSL_BULK_SIG Bulk signature with no Unsubscribe 0.0 TVD_SPACE_RATIO No description available. 1.0 KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any anti-forgery methods X-Spam-Flag: NO

2016-06-06 09:29:58 1b9pv3-0004KU-O5 H=gmy2-mh807.smtproutes.com [xx.xxx.xxx.xx]:50639 Warning: Message has been scanned: no virus or other harmful content was found 2016-06-06 09:29:58 1b9pv3-0004KU-O5 H=gmy2-mh807.smtproutes.com [xx.xxx.xxx.xx]:50639 Warning: "SpamAssassin as mydom detected message as NOT spam (2.4)" 2016-06-06 09:29:59 1b9pv3-0004KU-O5 <= j.offler@customer.co.uk H=gmy2-mh807.smtproutes.com [xx.xxx.xxx.xx]:50639 P=esmtp S=58497 id=F97550822F01D646BD976FA949841F5201532EB1@customerSRV01.customer.local T="Emailing - A060616092605BEA0569084P06_01_1.pdf" for sales@mydom.com 2016-06-06 09:29:59 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1b9pv3-0004KU-O5 2016-06-06 09:29:59 1b9pv3-0004KU-O5 => /home/mydom/mail/mydom.com/sales/.spam/ R=virtual_user_filter T=address_directory 2016-06-06 09:29:59 1b9pv3-0004KU-O5 Completed
  

  0
• 

  keat63

  • June 06, 2016 08:50

  OK, so I think I found it, but could now do with understanding why this just started happening. 99.99999% of all email which has the words 'Unsubscribe' is generally considered unsolicited spam. (certainly for the mailbox concerned anyway) Why should I have to unsubscribe from something i never subscribed to, to begin with. So for over 12 months (maybe more), we've had a filter rule, which goes along the lines. 'If body or header contains 'Unsubscribe' then send to spam.' The headers on this email states the following '0.0 FSL_BULK_SIG Bulk signature with no Unsubscribe' I guess this is why it was sent to spam. Where did this come from, is this a new feature of Spam Assasin. ?

  0
• 

  cPanelMichael

  • June 06, 2016 19:33

  'If body or header contains 'Unsubscribe' then send to spam.' The headers on this email states the following '0.0 FSL_BULK_SIG Bulk signature with no Unsubscribe' I guess this is why it was sent to spam. Where did this come from, is this a new feature of Spam Assasin. ?

  
  Hello, SpamAssassin updates their default rules to help stop new SPAM techniques. I suggest modifying the existing filter rule you are using to take that header entry into consideration when filtering emails. For example, you may want to edit the filter rule so it only applies to the message body. Thank you.

  0
• 

  keat63

  • June 07, 2016 08:29

  For the time being, I deleted the rule so I can monitor the spam folder. Thanks

  0

Please sign in to leave a comment.