Email quarantined with low score
Dominic Raferd
dominic at timedicer.co.uk
Thu Dec 26 11:20:07 CET 2024
Perhaps the report you are seeing which reads 'Spam detection software,
running on the system "acmewebsites", has NOT identified this incoming
email as spam' was generated by SpamAssassin (or another spam detection
software), not by Amavis. Amavis takes the total score given by the
other spam detection software (usually SpamAssassin) and can then adjust
it according to more rules of its own before making a final decision.
Amavis's rules might even bypass all previous scoring and impose an
automatic discard. They are described in files in /etc/amavis/conf.d,
especially 50-user.
On 25/12/2024 20:45, phil at philfixit.com.au wrote:
>
> Hi
> Amavis quarantined a mail with less than the required score, how can
> this happen ?
>
> Content type: Spam
> Internal reference code for the message is 2587633-16/VL5SambH1hmN
>
> First upstream SMTP client IP address: [223.165.120.19]
> o4877.e.sub.davidjones.com.au
> According to a 'Received:' trace, the message apparently originated at:
> [223.165.120.19], o4877.e.sub.davidjones.com.au
> o4877.e.sub.davidjones.com.au [223.165.120.19] using TLSv1.3 with cipher
> TLS_AES_128_GCM_SHA256 (128/128 bits)\t key-exchange X25519 server-signature
> RSA-PSS (2048 bits) server-digest SHA256 No client certificate requested
>
> Return-Path:
> <bounces+36848281-5faf-user at example.com@e.sub.davidjones.com.au>
> From: David Jones<optin at sub.davidjones.com.au> (dkim:AUTHOR)
> Message-ID: <2N1MR1WITtqvIJTfsy-_8A at geopod-ismtpd-14>
> Subject: SALE Starts Online Now
> The message has been quarantined as: V/spam-VL5SambH1hmN.gz
>
> The message WAS NOT relayed to:
> <yvettec at acmewebsites.com.au>:
> 250 2.7.0 Ok, discarded, id=2587633-16 - spam
>
> Spam scanner report:
> Spam detection software, running on the system "acmewebsites",
> has NOT identified this incoming email as spam. The original
> message has been attached to this so you can view it or label
> similar future email. If you have any questions, see
> the administrator of that system for details.
>
> Content preview: Up to 50% off fashion & homewares. Shop huge deals instore
> from Boxing Day. DJ Logo (https://l.sub.davidjones.com.au/ls/click?upn=u001.yE9Px-2Fc9-2BssSkJm7SUbZKwWz1TzBmN2yMMQonjv5y5Sy3o8ejnKeLgRbsNJBfI3-2FuJhArKYq-2Fx4WoKz6Tpg2iA-3D-3D4AqR_Vb-2Fy6RPbw82R4IcJOIL0uTxe7md9wlR-2
> [...]
>
> Content analysis details: (2.9 points, 6.0 required)
>
> pts rule name description
> ---- ---------------------- --------------------------------------------------
> 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
> -0.0 SPF_PASS SPF: sender matches SPF record
> 0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The
> query to Validity was blocked. See
> https://knowledge.validity.com/hc/en-us/articles/20961730681243
> for more information.
> [223.165.120.19 listed in bl.score.senderscore.com]
> 0.0 RCVD_IN_VALIDITY_SAFE_BLOCKED RBL: ADMINISTRATOR NOTICE: The
> query to Validity was blocked. See
> https://knowledge.validity.com/hc/en-us/articles/20961730681243
> for more information.
> [223.165.120.19 listed in sa-accredit.habeas.com]
> 0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or
> identical to background
> 0.0 HTML_MESSAGE BODY: HTML included in message
> 0.0 HTML_IMAGE_RATIO_04 BODY: HTML has a low ratio of text to image
> area
> 0.5 KAM_REALLYHUGEIMGSRC RAW: Spam with image tags with ridiculously
> huge http urls
> -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
> 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
> valid
> -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
> author's domain
> 2.5 KAM_ZWNS Use of zero width space characters indicates a goal to
> elude scanners
> 0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay
> lines
>
> header.hdr
>
> Return-Path:<bounces+36848281-5faf-user at example.com@e.sub.davidjones.com.au>
> Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=223.165.120.19; helo=o4877.e.sub.davidjones.com.au;envelope-from=bounces+36848281-5faf-user at example.com@e.sub.davidjones.com.au; receiver=<UNKNOWN>
> Authentication-Results: OpenDMARC; dmarc=pass (p=reject dis=none) header.from=sub.davidjones.com.au
> Authentication-Results: mail.acmewebsites.com.au;
> dkim=pass (2048-bit key; unprotected) header.d=sub.davidjones.com.auheader.i=@sub.davidjones.com.au header.a=rsa-sha256 header.s=s1 header.b=2iSucZ/D;
> dkim-atps=neutral
> Received: from o4877.e.sub.davidjones.com.au (o4877.e.sub.davidjones.com.au [223.165.120.19])
> (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
> key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
> (No client certificate requested)
> by mail.acmewebsites.com.au (Postfix) with ESMTPS id 061861BC0324
> for<user at example.com>; Tue, 24 Dec 2024 16:03:43 +1100 (AEDT)
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sub.davidjones.com.au;
> h=content-type:from:mime-version:subject:list-unsubscribe:
> list-unsubscribe-post:to:cc:content-type:from:subject:to;
> s=s1; bh=FpiPtj+LEylzHcOnWOpCbhWh4SFSg0Ap+ZjZNH1mRk8=;
> b=2iSucZ/Ds1PkRGs2DbDh/oau39+ean3oqBCf9jZx4+yyNyEsK78Vn42TQlGruE3m3/Dl
> yp5gy6qDwraiVYAz6p26tYpLEesF24i+HNlKZpNgfjHMOHAEDcGfgRkTGyWSo/Drl50y67
> zvz5hW9tIt37Gfhjn2EG5bNs6a+/LQY5r8cJotyEKH8j6FG/Xcmt4nfq6P0GSTSTXA6b1Y
> mekyeNMee53XbbGi1PNFISXcBJm4D5ms1Cx7r0QOzt04vIXQjy6TnQHQCJ02OuwOxrh2xN
> 3j738YcBDCamGQ+EOwTspGJ9/ij1+I0sHmAb05JUqHqwyrzGoa9Ya1jRtk48+WDQ==
> Received: by recvd-6b669b7d6c-cqdht with SMTP id recvd-6b669b7d6c-cqdht-1-676A40AA-D
> 2024-12-24 05:03:38.360565077 +0000 UTC m=+3397206.668822129
> Received: from MzY4NDgyODE (unknown)
> by geopod-ismtpd-14 (SG) with HTTP
> id 2N1MR1WITtqvIJTfsy-_8A
> Tue, 24 Dec 2024 05:03:38.314 +0000 (UTC)
> Content-Type: multipart/alternative; boundary=84ca9c06bdc7443c845bccdca4f5ac9b2b47b1acc5177ac909def4ae7871
> Date: Tue, 24 Dec 2024 05:03:38 +0000 (UTC)
> From: David Jones<optin at sub.davidjones.com.au>
> Mime-Version: 1.0
> Message-ID: <2N1MR1WITtqvIJTfsy-_8A at geopod-ismtpd-14>
> Subject: SALE Starts Online Now
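
The reply above points at the files in /etc/amavis/conf.d, especially 50-user, as the place where Amavis's own rules live. The following is an added example, not part of the original post: a shell function that reports which file sets each score-related setting last. It assumes a Debian-style layout in which conf.d files are read in lexical order so later files override earlier ones; the variable list is a selection of amavisd-new settings and the sample values are constructed, not taken from the thread.

```shell
#!/bin/sh
# Added example. Settings that decide what Amavis does with a spam score
# (a selection of amavisd-new variable names, not an exhaustive list).
AMAVIS_SCORE_SETTINGS='sa_tag_level_deflt sa_tag2_level_deflt sa_kill_level_deflt
sa_dsn_cutoff_level final_spam_destiny score_sender_maps blacklist_sender_maps
spam_lovers_maps bypass_spam_checks_maps'

# amavis_effective DIR
# For each setting print "name<TAB>file<TAB>assignment", keeping the last
# assignment found in lexical file order (assumption: later files win).
amavis_effective() {
    dir=$1
    for name in $AMAVIS_SCORE_SETTINGS; do
        src='' val=''
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            # Commented-out lines are skipped; match $name or @name before '='.
            line=$(grep -E "^[[:space:]]*[\$@]${name}[[:space:]]*=" "$f" | tail -n 1)
            if [ -n "$line" ]; then src=${f##*/}; val=$line; fi
        done
        if [ -n "$src" ]; then printf '%s\t%s\t%s\n' "$name" "$src" "$val"; fi
    done
}

# Constructed sample conf.d: a 50-user file that lowers the kill level and
# switches the destiny to discard, overriding the distribution defaults.
sample_confd() {
    d=$(mktemp -d)
    printf '%s\n' '$sa_tag2_level_deflt = 6.31;' '$sa_kill_level_deflt = 6.31;' \
        '$final_spam_destiny = D_BOUNCE;' > "$d/20-debian_defaults"
    printf '%s\n' '# $sa_tag2_level_deflt = 6.0;' '$sa_kill_level_deflt = 2.5;' \
        '$final_spam_destiny = D_DISCARD;' '@score_sender_maps = ({' > "$d/50-user"
    echo "$d"
}

# Usage: sh this-script.sh /etc/amavis/conf.d
# Without an argument it runs on the constructed sample.
amavis_effective "${1:-$(sample_confd)}"
```

Multi-line assignments such as `@score_sender_maps` are reported by their first line only; open the named file to read the full map.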