Email quarantined with low score
phil at philfixit.com.au
Thu Dec 26 22:21:38 CET 2024
Thanks Dominic,
My spamassassin and amavis are vanilla except for 50-user which looks like
:~$ cat /etc/amavis/conf.d/50-user
use strict;
#
# Place your configuration directives here. They will override those in
# earlier files.
#
# See /usr/share/doc/amavisd-new/ for documentation and examples of
# the directives you can use in this file
#
$max_servers = 4;
@local_domains_acl = ( ".$mydomain" );
$ENV{PATH} = $path = '/usr/sbin:/sbin:/usr/bin:/bin';
$enable_dkim_verification = 1;
@whitelist_sender_acl = @local_domains_acl;
$final_virus_destiny = D_DISCARD; # (defaults to D_BOUNCE)
$final_banned_destiny = D_DISCARD; # (defaults to D_BOUNCE)
$final_spam_destiny = D_DISCARD; # (defaults to D_REJECT)
$final_bad_header_destiny = D_PASS; # (defaults to D_PASS), D_BOUNCE suggested
$virus_admin = "virusalert\@$mydomain";
$spam_admin = "postmaster\@$mydomain";
#------------ Do not modify anything below this line -------------
1; # ensure a defined return
So I'm a bit surprised it can end up quarantined with a lower score than
required, any help on where else to look or how to understand this is
appreciated.
Phil
On 26/12/24 21:20, Dominic Raferd wrote:
>
> Perhaps the report you are seeing which reads 'Spam detection
> software, running on the system "acmewebsites", has NOT identified
> this incoming email as spam' was generated by Spamassassin (or another
> spam detection software), not by Amavis. Amavis takes the total score
> given by the other spam detection software (usually Spamassassin) and
> can then adjust it according to more rules of its own before making a
> final decision. Amavis's rules might even bypass all previous scoring
> and impose an automatic discard. They are described in files in
> /etc/amavis/conf.d, especially 50-user.
>
> On 25/12/2024 20:45, phil at philfixit.com.au wrote:
>>
>> Hi
>> Amavis quarantined a mail with less than the required score, how can
>> this happen ?
>>
>> Content type: Spam
>> Internal reference code for the message is 2587633-16/VL5SambH1hmN
>>
>> First upstream SMTP client IP address: [223.165.120.19]
>> o4877.e.sub.davidjones.com.au
>> According to a 'Received:' trace, the message apparently originated at:
>> [223.165.120.19], o4877.e.sub.davidjones.com.au
>> o4877.e.sub.davidjones.com.au [223.165.120.19] using TLSv1.3 with cipher
>> TLS_AES_128_GCM_SHA256 (128/128 bits)\t key-exchange X25519 server-signature
>> RSA-PSS (2048 bits) server-digest SHA256 No client certificate requested
>>
>> Return-Path:
>> <bounces+36848281-5faf-user at example.com@e.sub.davidjones.com.au>
>> From: David Jones<optin at sub.davidjones.com.au> (dkim:AUTHOR)
>> Message-ID: <2N1MR1WITtqvIJTfsy-_8A at geopod-ismtpd-14>
>> Subject: SALE Starts Online Now
>> The message has been quarantined as: V/spam-VL5SambH1hmN.gz
>>
>> The message WAS NOT relayed to:
>> <yvettec at acmewebsites.com.au>:
>> 250 2.7.0 Ok, discarded, id=2587633-16 - spam
>>
>> Spam scanner report:
>> Spam detection software, running on the system "acmewebsites",
>> has NOT identified this incoming email as spam. The original
>> message has been attached to this so you can view it or label
>> similar future email. If you have any questions, see
>> the administrator of that system for details.
>>
>> Content preview: Up to 50% off fashion & homewares. Shop huge deals instore
>> from Boxing Day. DJ Logo (https://l.sub.davidjones.com.au/ls/click?upn=u001.yE9Px-2Fc9-2BssSkJm7SUbZKwWz1TzBmN2yMMQonjv5y5Sy3o8ejnKeLgRbsNJBfI3-2FuJhArKYq-2Fx4WoKz6Tpg2iA-3D-3D4AqR_Vb-2Fy6RPbw82R4IcJOIL0uTxe7md9wlR-2
>> [...]
>>
>> Content analysis details: (2.9 points, 6.0 required)
>>
>> pts rule name description
>> ---- ---------------------- --------------------------------------------------
>> 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
>> -0.0 SPF_PASS SPF: sender matches SPF record
>> 0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The
>> query to Validity was blocked. See
>> https://knowledge.validity.com/hc/en-us/articles/20961730681243
>> for more information.
>> [223.165.120.19 listed in bl.score.senderscore.com]
>> 0.0 RCVD_IN_VALIDITY_SAFE_BLOCKED RBL: ADMINISTRATOR NOTICE: The
>> query to Validity was blocked. See
>> https://knowledge.validity.com/hc/en-us/articles/20961730681243
>> for more information.
>> [223.165.120.19 listed in sa-accredit.habeas.com]
>> 0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or
>> identical to background
>> 0.0 HTML_MESSAGE BODY: HTML included in message
>> 0.0 HTML_IMAGE_RATIO_04 BODY: HTML has a low ratio of text to image
>> area
>> 0.5 KAM_REALLYHUGEIMGSRC RAW: Spam with image tags with ridiculously
>> huge http urls
>> -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
>> 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
>> valid
>> -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
>> author's domain
>> 2.5 KAM_ZWNS Use of zero width space characters indicates a goal to
>> elude scanners
>> 0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay
>> lines
>>
>> header.hdr
>>
>> Return-Path:<bounces+36848281-5faf-user at example.com@e.sub.davidjones.com.au>
>> Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=223.165.120.19; helo=o4877.e.sub.davidjones.com.au;envelope-from=bounces+36848281-5faf-user at example.com@e.sub.davidjones.com.au; receiver=<UNKNOWN>
>> Authentication-Results: OpenDMARC; dmarc=pass (p=reject dis=none) header.from=sub.davidjones.com.au
>> Authentication-Results: mail.acmewebsites.com.au;
>> dkim=pass (2048-bit key; unprotected) header.d=sub.davidjones.com.auheader.i=@sub.davidjones.com.au header.a=rsa-sha256 header.s=s1 header.b=2iSucZ/D;
>> dkim-atps=neutral
>> Received: from o4877.e.sub.davidjones.com.au (o4877.e.sub.davidjones.com.au [223.165.120.19])
>> (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
>> key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
>> (No client certificate requested)
>> by mail.acmewebsites.com.au (Postfix) with ESMTPS id 061861BC0324
>> for<user at example.com>; Tue, 24 Dec 2024 16:03:43 +1100 (AEDT)
>> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sub.davidjones.com.au;
>> h=content-type:from:mime-version:subject:list-unsubscribe:
>> list-unsubscribe-post:to:cc:content-type:from:subject:to;
>> s=s1; bh=FpiPtj+LEylzHcOnWOpCbhWh4SFSg0Ap+ZjZNH1mRk8=;
>> b=2iSucZ/Ds1PkRGs2DbDh/oau39+ean3oqBCf9jZx4+yyNyEsK78Vn42TQlGruE3m3/Dl
>> yp5gy6qDwraiVYAz6p26tYpLEesF24i+HNlKZpNgfjHMOHAEDcGfgRkTGyWSo/Drl50y67
>> zvz5hW9tIt37Gfhjn2EG5bNs6a+/LQY5r8cJotyEKH8j6FG/Xcmt4nfq6P0GSTSTXA6b1Y
>> mekyeNMee53XbbGi1PNFISXcBJm4D5ms1Cx7r0QOzt04vIXQjy6TnQHQCJ02OuwOxrh2xN
>> 3j738YcBDCamGQ+EOwTspGJ9/ij1+I0sHmAb05JUqHqwyrzGoa9Ya1jRtk48+WDQ==
>> Received: by recvd-6b669b7d6c-cqdht with SMTP id recvd-6b669b7d6c-cqdht-1-676A40AA-D
>> 2024-12-24 05:03:38.360565077 +0000 UTC m=+3397206.668822129
>> Received: from MzY4NDgyODE (unknown)
>> by geopod-ismtpd-14 (SG) with HTTP
>> id 2N1MR1WITtqvIJTfsy-_8A
>> Tue, 24 Dec 2024 05:03:38.314 +0000 (UTC)
>> Content-Type: multipart/alternative; boundary=84ca9c06bdc7443c845bccdca4f5ac9b2b47b1acc5177ac909def4ae7871
>> Date: Tue, 24 Dec 2024 05:03:38 +0000 (UTC)
>> From: David Jones<optin at sub.davidjones.com.au>
>> Mime-Version: 1.0
>> Message-ID: <2N1MR1WITtqvIJTfsy-_8A at geopod-ismtpd-14>
>> Subject: SALE Starts Online Now
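
One way to test Dominic's explanation against a specific message, as an added example that is not part of the original thread: parse the SpamAssassin report from the notification, parse the `Hits:` value from the amavis log entry for the same id, and compare both with the amavis kill level. The log line, its Hits value of 7.9 and the kill level of 6.31 are constructed for illustration and say nothing about what actually happened to this message.

```python
import re

# Non-zero rows copied from the report quoted above, ">>" quoting included.
SA_REPORT = """\
>> Content analysis details: (2.9 points, 6.0 required)
>> 0.5 KAM_REALLYHUGEIMGSRC RAW: Spam with image tags with ridiculously
>> huge http urls
>> -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
>> 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
>> valid
>> -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
>> author's domain
>> 2.5 KAM_ZWNS Use of zero width space characters indicates a goal to
>> elude scanners
"""
# CONSTRUCTED log line: the ids are from the page, the Hits value is invented.
AMAVIS_LOG = ("(2587633-16) Blocked SPAM {DiscardedInbound,Quarantined}, "
              "mail_id: VL5SambH1hmN, Hits: 7.9, size: 48213, 1520 ms")
TOTALS = re.compile(r"\((-?\d+(?:\.\d+)?) points, (-?\d+(?:\.\d+)?) required\)")
RULE = re.compile(r"^(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]+)\b")
HITS = re.compile(r"\bHits: (-?\d+(?:\.\d+)?|-)")

def parse_sa_report(text):
    """Return (total, required, {rule: points}); quoting and wrapped lines are skipped."""
    m = TOTALS.search(text)
    if not m:
        raise ValueError("no '(N points, M required)' line in report")
    rows = (RULE.match(line.lstrip("> \t")) for line in text.splitlines())
    rules = {r.group(2): float(r.group(1)) for r in rows if r}
    return float(m.group(1)), float(m.group(2)), rules

def parse_amavis_hits(log_line):
    """Return the logged Hits value, or None if missing or '-' (not scored)."""
    m = HITS.search(log_line)
    return None if not m or m.group(1) == "-" else float(m.group(1))

def compare(report, log_line, kill_level):
    """kill_level is the site's $sa_kill_level_deflt; pass your own value."""
    total, required, rules = parse_sa_report(report)
    hits = parse_amavis_hits(log_line)
    return {
        "sa_total": total, "sa_required": required,
        "rule_sum": round(sum(rules.values()), 1), "amavis_hits": hits,
        "hits_minus_sa_total": None if hits is None else round(hits - total, 1),
        "over_kill_level": hits is not None and hits >= kill_level,
    }

if __name__ == "__main__":
    print(compare(SA_REPORT, AMAVIS_LOG, kill_level=6.31))  # 6.31 is assumed
```

A non-zero `hits_minus_sa_total` means the score amavis acted on differs from the one printed in the SpamAssassin report, which is the situation Dominic describes.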