Problems with spam when redirect emails

Comments

8 comments

  • cPanelMichael
    Hello, Could you elaborate on how you are redirecting the email? Is this via a forwarder or a custom Exim configuration? Thank you.
    0
  • Tatchan
    The email is redirected with the cPanel option "Forwarders".
    0
  • Jcats
    You should check the email headers as well to see what is being triggered to cause the score to be so high; that may help to figure out what's going on.
    0
  • cPanelMichael
    Hello, Also, please post the output from /var/log/exim_mainlog for the affected messages on each system. EX:
    exigrep MSGID /var/log/exim_mainlog
    Thank you.
    0
  • Tatchan
    I have done a test, sending an email from Hotmail to the redirection on server A and receiving it at an email address on server B. This time it hasn't been detected as spam, since the original message only had a score of -3.2, but almost 5 score points have been added on server B. This is the log and headers from the test:

    Server A:

        2017-02-21 08:27:02 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1cg4qg-0002sk-ES
        +++ 1cg4qg-0002sk-ES has not completed +++
        2017-02-21 08:27:02 1cg4qg-0002sk-ES H=col004-omc2s4.hotmail.com [65.55.34.78]:51187 Warning: "SpamAssassin as xxxxxx detected message as NOT spam (-3.2)"
        2017-02-21 08:27:02 1cg4qg-0002sk-ES <= xxxxxx@hotmail.com H=col004-omc2s4.hotmail.com [65.55.34.78]:51187 P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-SHA384:256 CV=no S=6857 id=HE1PR0801MB18353D9695A378CC8E7D9409F8510@HE1PR0801MB1835.eurprd08.prod.outlook.com T="Test message" for xxxxx@serverA.com
        2017-02-21 08:27:02 1cg4qg-0002sk-ES SMTP connection identification D=serverA.com O=xxxxx@serverA.com E=xxxxx@serverB.com M=1cg4qg-0002sk-ES U=xxxxx ID=504 B=redirect_resolver
        2017-02-21 08:27:02 1cg4qg-0002sk-ES SMTP connection outbound 1487662022 1cg4qg-0002sk-ES serverA.com xxxxx@serverB.com
        2017-02-21 08:27:02 1cg4qg-0002sk-ES => xxxxx R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 D4QsFcbrq1hbKwAAUZY67A Saved"

    Server B:

        2017-02-21 08:27:50 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1cg4rT-0008db-54
        2017-02-21 08:27:50 1cg4rT-0008db-54 H=xxx.xxxxx.eu (xxxxxx.ovh.net) [xxx.xxx.160.164]:53230 Warning: "SpamAssassin as usergrup detected message as NOT spam (2.1)"
        2017-02-21 08:27:50 1cg4rT-0008db-54 H=xxx.xxxxx.eu (xxxxxx.ovh.net) [xxx.xxx.160.164]:53230 Warning: Message has been scanned: no virus or other harmful content was found
        2017-02-21 08:27:50 1cg4rT-0008db-54 <= xxxxx@hotmail.com H=xxx.xxxxx.eu (xxxxx.ovh.net) [xxx.xxx.160.164]:53230 P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=7667 id=HE1PR0801MB18353D9695A378CC8E7D9409F8510@HE1PR0801MB1835.eurprd08.prod.outlook.com T="Test message" for xxxxx@serverB.com
        2017-02-21 08:27:50 1cg4rT-0008db-54 => xxxxx R=virtual_user T=dovecot_virtual_delivery_no_batch C="250 2.0.0 VZwWJPbrq1gEggAAUeMStQ Saved"
        2017-02-21 08:27:50 1cg4rT-0008db-54 Completed

    Headers received:

        X-Exchange-Antispam-Report-Cfa-Test: BCL:0;PCL:0;RULEID:(432015087)(444000031);SRVR:HE1EUR01HT195;BCL:0;PCL:0;RULEID:;SRVR:HE1EUR01HT195;
        X-Incomingheadercount: 37
        X-Spam-Score: 21
        X-Ms-Exchange-Crosstenant-Originalarrivaltime: 21 Feb 2017 07:26:18.2862 (UTC)
        X-Originatororg: hotmail.com
        X-Ms-Exchange-Transport-Crosstenantheadersstamped: HE1EUR01HT195
        X-Forefront-Antispam-Report: EFV:NLI;SFV:NSPM;SFS:(10019020)(98900012);DIR:OUT;SFP:1102;SCL:1;SRVR:HE1EUR01HT195;H:HE1PR0801MB1835.eurprd08.prod.outlook.com;FPR:;SPF:None;LANG:ca;
        X-Authenticated-Sender: xxxxxx.ovh.net: xxxxx@serverA.com
        Authentication-Results: serverA.com; dkim=none (message not signed) header.d=none;serverA.com; dmarc=none action=none header.from=hotmail.com;
        X-Ham-Report: Spam detection software, running on the system "xxxxxxxx.ip-5-196-86.eu", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see root\@localhost for details.
          Content preview: Aix" "s una prova Aix" "s una prova [...]
          Content analysis details: (2.1 points, 6.0 required)
          pts  rule name              description
          ---- ---------------------- --------------------------------------------------
           1.5 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
           0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail provider (xxxxxx[at]hotmail.com)
          -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1% [score: 0.0000]
           0.0 HTML_MESSAGE           BODY: HTML included in message
           0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
          -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's domain
          -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
           2.6 RDNS_DYNAMIC           Delivered to internal network by host with dynamic-looking rDNS
        Return-Path:
        Return-Path:
        X-Ms-Exchange-Crosstenant-Fromentityheader: Internet
        Spamdiagnosticoutput: 1:99
        X-Ms-Tnef-Correlator:
        X-Ms-Exchange-Crosstenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
        X-Spam-Bar: ++
        Spamdiagnosticmetadata: NSPM
        Envelope-To: xxxxx@serverB.com
        Delivery-Date: Tue, 21 Feb 2017 08:27:50 +0100
        X-Antiabuse: This header was added to track abuse, please include it with any abuse report
        X-Antiabuse: Primary Hostname - xxxxxxx.ovh.net
        X-Antiabuse: Original Domain - serverA.com
        X-Antiabuse: Originator/Caller UID/GID - [47 12] / [47 12]
        X-Antiabuse: Sender Address Domain - hotmail.com
        X-Spam-Flag: NO
        X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001)(201702061074)(5061506556)(5061507331)(1603103135)(1601125237)(1603101406)(1701031045);SRVR:HE1EUR01HT195;
        Thread-Index: AQHSjBPKzU7Ywqx8mUmqdvSm0iWaqA==
        Accept-Language: es-ES, en-US
        X-Spam-Status: No, score=2.1
        Message-Id:
        Content-Language: es-ES
        X-Source-Args:
        Mime-Version: 1.0
        X-Originalarrivaltime: 21 Feb 2017 07:26:21.0524 (UTC) FILETIME=[CCCA4140:01D28C13]
        X-Ms-Office365-Filtering-Correlation-Id: 3ae84d8e-4aef-4daf-611d-08d45a2aed67
        Received: from xxxxxxxx.ip-5-196-86.eu by xxxxxxx.ip-5-196-86.eu (Dovecot) with LMTP id VZwWJPbrq1gEggAAUeMStQ for ; Tue, 21 Feb 2017 08:27:50 +0100
        Received: from xxxxxx.xxxxx.eu ([xxx.xxx.160.164]:53230 helo=xxxxxxx.ovh.net) by xxxxxx.ip-5-196-86.eu with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.87) (envelope-from ) id 1cg4rT-0008db-54 for xxxxx@serverB.com; Tue, 21 Feb 2017 08:27:50 +0100
        Received: from col004-omc2s4.hotmail.com ([65.55.34.78]:51187) by xxxxxxx.ovh.net with esmtps (TLSv1.2:ECDHE-RSA-AES256-SHA384:256) (Exim 4.87) (envelope-from ) id 1cg4qg-0002sk-ES for xxxxx@serverA.es; Tue, 21 Feb 2017 08:27:02 +0100
        Received: from EUR01-HE1-obe.outbound.protection.outlook.com ([65.55.34.73]) by COL004-OMC2S4.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23008); Mon, 20 Feb 2017 23:26:21 -0800
        Received: from HE1EUR01FT038.eop-EUR01.prod.protection.outlook.com (10.152.0.52) by HE1EUR01HT195.eop-EUR01.prod.protection.outlook.com (10.152.1.138) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.919.10; Tue, 21 Feb 2017 07:26:18 +0000
        Received: from HE1PR0801MB1835.eurprd08.prod.outlook.com (10.152.0.58) by HE1EUR01FT038.mail.protection.outlook.com (10.152.1.93) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.919.10 via Frontend Transport; Tue, 21 Feb 2017 07:26:18 +0000
        Received: from HE1PR0801MB1835.eurprd08.prod.outlook.com ([10.168.150.143]) by HE1PR0801MB1835.eurprd08.prod.outlook.com ([10.168.150.143]) with mapi id 15.01.0919.018; Tue, 21 Feb 2017 07:26:18 +0000
        Content-Type: multipart/alternative; boundary="_000_HE1PR0801MB18353D9695A378CC8E7D9409F8510HE1PR0801MB1835_"
    0
  • cPanelMichael
    X-Ham-Report: Spam detection software, running on the system "xxxxxxxx.ip-5-196-86.eu", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see root\@localhost for details.
      Content preview: Aix" "s una prova Aix" "s una prova [...]
      Content analysis details: (2.1 points, 6.0 required)
      pts  rule name              description
      ---- ---------------------- --------------------------------------------------
       1.5 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
       0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail provider (xxxxxx[at]hotmail.com)
      -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1% [score: 0.0000]
       0.0 HTML_MESSAGE           BODY: HTML included in message
       0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
      -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's domain
      -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
       2.6 RDNS_DYNAMIC           Delivered to internal network by host with dynamic-looking rDNS

    Hello, This is the part of the message header that will help you to determine why SpamAssassin detects a message as SPAM. Could you enable the "Enable Sender Rewriting Scheme (SRS) Support" option in "WHM >> Service Configuration >> Exim Configuration Manager >> Basic Editor" and let us know if this helps to address the issue? Thank you.
    0
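Reading the rule table from the X-Ham-Report above programmatically, as an added example that is not part of any post in this thread: it parses the rule rows, totals them, and separates out the positive-scoring rules that judge the delivering host rather than the message content. The `RELAY_PREFIXES` grouping and the function names are assumptions of this example, not SpamAssassin categories.

```python
import re

# Rule rows from the X-Ham-Report posted in this thread, one row per line.
# Descriptions are shortened; the bracketed line mimics a wrapped description.
REPORT = """\
pts  rule name              description
---- ---------------------- ------------------------------
 1.5 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
 0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail provider
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.0000]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 2.6 RDNS_DYNAMIC           Delivered to internal network by host with dynamic-looking rDNS
"""

# A rule row is "<score> <RULE_NAME> <description>"; headers and wrapped lines do not match.
ROW = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]+)\s+(.*)$")

# Assumption of this example: these name prefixes mark rules that judge the
# delivering host (the forwarder) rather than the message content.
RELAY_PREFIXES = ("SPF_", "RDNS_", "RCVD_")


def parse_report(text):
    """Return a list of (score, rule, description) tuples."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((float(m.group(1)), m.group(2), m.group(3).strip()))
    return rows


def summarize(text):
    """Total score plus the positive-scoring rules tied to the relay path."""
    rows = parse_report(text)
    relay = sorted(((s, n) for s, n, _ in rows
                    if s > 0 and n.startswith(RELAY_PREFIXES)), reverse=True)
    return {
        "total": round(sum(s for s, _, _ in rows), 1),
        "relay_rules": relay,
        "relay_points": round(sum(s for s, _ in relay), 1),
    }


if __name__ == "__main__":
    print(summarize(REPORT))
```

On this report the relay-path rules account for more than the whole final score, which is why the same message scored negative on server A and positive on server B.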
  • Tatchan
    Yesterday I tried to activate "Enable Sender Rewriting Scheme (SRS) Support", and it seems that it now works well. I see that SpamAssassin now adds -100 points to the mails that come from the other server.
    0
  • cPanelMichael
    Hello, I'm happy to see that helped to address the "SPF_SOFTFAIL SPF: sender does not match SPF record (softfail) 0.0" message that appeared in the header. Thank you for updating us with the outcome.
    0
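Why enabling SRS clears the SPF softfail on a forwarded message, as an added example that is not part of the thread or of cPanel's or Exim's code: SPF is evaluated on the envelope sender's domain against the connecting host, so a forwarder relaying with the original sender fails the sender's record, while an SRS-rewritten sender is checked against the forwarder's own record. The domains, address ranges and secret are constructed, the SPF evaluator handles only `ip4` and the final `all`, and the SRS0 encoding is simplified (hex tag, fixed timestamp).

```python
import hashlib
import hmac
import ipaddress

# Constructed SPF data for this example (reserved documentation names and ranges).
SPF = {
    "sender.example": (["198.51.100.0/24"], "softfail"),  # record ends in ~all
    "servera.example": (["203.0.113.10/32"], "fail"),     # record ends in -all
}
SERVER_A_IP = "203.0.113.10"   # the forwarding host, as seen by server B
SECRET = b"constructed-demo-secret"


def spf_check(envelope_from, client_ip):
    """Toy SPF: ip4 mechanisms plus the final 'all' result for the MAIL FROM domain."""
    domain = envelope_from.rsplit("@", 1)[1].lower()
    if domain not in SPF:
        return "none"
    networks, default = SPF[domain]
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(net) for net in networks):
        return "pass"
    return default


def _tag(stamp, domain, local, secret):
    # Keyed hash binding the rewritten address to the original sender.
    data = (stamp + domain + local).lower().encode()
    return hmac.new(secret, data, hashlib.sha1).hexdigest()[:4]


def srs_forward(envelope_from, forwarder_domain, secret=SECRET, stamp="AB"):
    """Simplified SRS0 rewrite (hex tag, fixed timestamp) of the envelope sender."""
    local, domain = envelope_from.rsplit("@", 1)
    tag = _tag(stamp, domain, local, secret)
    return f"SRS0={tag}={stamp}={domain}={local}@{forwarder_domain}"


def srs_reverse(address, secret=SECRET):
    """Recover the original sender for bounces; reject tampered addresses."""
    fields = address.rsplit("@", 1)[0].split("=", 4)
    if len(fields) != 5 or fields[0] != "SRS0":
        raise ValueError("not an SRS0 address")
    _, tag, stamp, domain, local = fields
    if not hmac.compare_digest(tag, _tag(stamp, domain, local, secret)):
        raise ValueError("bad SRS hash")
    return f"{local}@{domain}"
```

The keyed tag is what stops the forwarder from becoming an open bounce relay: `srs_reverse` only accepts addresses it issued itself.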