Posted

My domain emails are forwarded to a gmail account unless spamassassin flags them as spam in which case they are left in a spam mailbox on tommy which is regularly monitored and emails deleted if spam or forwarded if they are false alerts.

 

This setup tries to avoid having tommy blacklisted by gmail who might think tommy is trying to forward spam.

 

I have noticed from track delivery that some spam mail is going through spam assassin and the thing that concerns me most is that no spam score is being given to the mail.

 

One mail in particular had "Sanesecurity.Malware.27397.RtfHeur.Zip.UNOFFICIAL" and was refused by gmail.

 

Attached are the screenshots of the said incident.

 

post-31085-0-85317100-1531822962_thumb.jpg

 

post-31085-0-12561100-1531822973_thumb.jpg

 

I also tried blacklisting the sender via spamassassin control panel but the incident happened again with the same sender!

 

Can I please get some help in resolving this for the sake of myself and the rest of this community.  I'm sure that just as I am getting these forwards others are having the same misses by spamassassin which might result in blacklisting by major email providers.

 

Ron.

Posted (edited)

Have I lodged this under the wrong section? As nobody has answered the post after 2 days!

Edited by r0nmlt
Posted

It's just been overlooked since we've had bigger phish to fry lately (cleaning up phishing and dealing with the DDoS attack on Johnny has been our focus lately).

 

Let's see if Krydos can look at this when he gets a chance.

Posted

The emails addressed to that account are supposedly never stored in the mailbox. They are either forwarded to a gmail account or to the spam account depending on the "spam status" given by spamassassin.

 

There are 3 global email filters which take care of this.

 

The email I highlighted was in the process of being forwarded to gmail only to be refused by gmail. The email was then lost and the only trace of it is this log.

 

I hope this explains better what is happening.

Posted

Which is the spam account then? I'm trying to find the full text, including headers, from a message that was routed incorrectly.

Posted (edited)

Sorry but I forward all mail and do not store it on tommy.  So you will see all my mailboxes are empty.

 

I have now amended the rules to keep a store on tommy so that if this happens again you will be able to see the email and its headers.

 

With the filters I had in place, the email was in the process of being forwarded but was refused by gmail.  The email was then lost in this process as tommy was being instructed just to forward and not keep a copy.

 

The rules now are forward but keep a copy, so in the event of a similar email, the forwarded email will be lost, but a copy will be stored on a mailbox on tommy.

 

Until then not much can be done, but thank you for the time you put into looking.  Will get back to you when it happens again.

Edited by r0nmlt
Posted

We use spamassassin on our email support forum https://www.helionet.org/index/forum/91-email-support/ and it lets a few through every once in a while. Nothing is perfect. Since it's a publicly posted email address on a fairly high traffic website a lot of spam bots scrape the page and send us spam. Spam assassin catches thousands of emails and only lets through one or two a week. Gmail probably has the best spam filter in the world and a few get through to my inbox every once in a while as well.

Posted

I understand and appreciate that. The weird thing is that these emails do not have a spam score. If spamassassin gives a spam score of 3 when it should have been 30 it is understandable, but to have an email without a spam score is beyond me.

 

Another email went through with the same issue.  I am attaching the email with headers in a txt file.  Please note that the email has again been flagged by gmail as:

 

"ECDHE-RSA-AES128-GCM-SHA256:128 CV=yes: SMTP error from remote mail server after end of data: 552-5.7.0 This message was blocked because its content presents a potential\n552-5.7.0 security issue. Please visit\n552-5.7.0 https://support.google.com/mail/?p=BlockedMessage to review our\n552 5.7.0 message content and attachment content guidelines. d2-v6si9568929pla.359 - gsmtp"

 

emailwithheaders.txt

 

This is the trace showing the email without spam score.

 

post-31085-0-18561500-1532408221_thumb.jpg

Posted

It looks like it might be forwarding the email before spamassassin even gets a chance to look at it.

 

Ahh, I found this in the documentation:

Note: Apache SpamAssassin will not scan messages that are being forwarded to remote email addresses.
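
An added example, not part of the original thread or of HelioNet's tooling: a Python check that reads stored copies of messages and reports any that carry no SpamAssassin verdict, which is the symptom described above. The sample messages and function names are constructed for illustration, and it assumes the server records its verdict in the standard X-Spam-Status header.

```python
import email
import re
from email import policy

# Standard SpamAssassin verdict header, for example:
#   X-Spam-Status: Yes, score=30.1 required=5.0 tests=...
STATUS_RE = re.compile(r"^\s*(Yes|No)\s*,\s*score=(-?\d+(?:\.\d+)?)", re.I)


def classify(raw_message: bytes) -> dict:
    """Return the scan verdict recorded in one stored message."""
    msg = email.message_from_bytes(raw_message, policy=policy.compat32)
    statuses = msg.get_all("X-Spam-Status") or []
    result = {"subject": msg.get("Subject", ""), "verdict": "unscanned", "score": None}
    for value in statuses:
        # Header values may be folded across lines; unfold before matching.
        m = STATUS_RE.match(" ".join(value.split()))
        if m:
            result["verdict"] = "spam" if m.group(1).lower() == "yes" else "ham"
            result["score"] = float(m.group(2))
            break
    else:
        # No header matched: either none present, or present but malformed.
        if statuses:
            result["verdict"] = "unparseable"
    return result


def audit(messages):
    """Return the messages that carry no usable SpamAssassin verdict."""
    return [r for r in map(classify, messages)
            if r["verdict"] in ("unscanned", "unparseable")]


# Constructed sample messages (not taken from the thread).
SAMPLE = [
    b"From: a@example.com\nSubject: meeting notes\n"
    b"X-Spam-Status: No, score=0.3 required=5.0\n\nhello\n",
    b"From: b@example.net\nSubject: you won\n"
    b"X-Spam-Status: Yes, score=30.1 required=5.0\n\ttests=BAYES_99\n\nclick\n",
    b"From: c@example.org\nSubject: document attached\n\nsee attachment\n",
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("no spam verdict:", row["subject"])
```
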

Posted (edited)

Yes that is what is happening, but why are they scanned most of the time and at other times not scanned?

 

Just for the sake of it: The forwarding is being taken care of by the "global email filters" option not by the "forwarders" option in cPanel. I do remember having problems with the forwarders option and spamassassin and therefore opted for the global filters.

Edited by r0nmlt