Email quarantined with low score

Kai Risku Kai.Risku at arrak.fi
Thu Dec 26 22:55:16 CET 2024


The default amavisd.conf configuration contains a @blacklist_sender_maps configuration that matches some special senders such as “optin at something” and directly blocks the email regardless of score.

--
Kai.Risku at arrak.fi     GSM  +358-40-767 8282
Oy Arrak Software Ab   http://www.arrak.fi

From: amavis-users <amavis-users-bounces+kai.risku=arrak.fi at amavis.org> On Behalf Of phil at philfixit.com.au
Sent: Thursday, December 26, 2024 23:22
To: amavis-users at amavis.org
Subject: Re: Email quarantined with low score



Thanks Dominic,

My spamassassin and amavis are vanilla except for 50-user which looks like

:~$ cat /etc/amavis/conf.d/50-user
use strict;

#
# Place your configuration directives here.  They will override those in
# earlier files.
#
# See /usr/share/doc/amavisd-new/ for documentation and examples of
# the directives you can use in this file
#
$max_servers = 4;
@local_domains_acl = ( ".$mydomain" );
$ENV{PATH} = $path = '/usr/sbin:/sbin:/usr/bin:/bin';
$enable_dkim_verification = 1;
@whitelist_sender_acl = @local_domains_acl;

$final_virus_destiny      = D_DISCARD;  # (defaults to D_BOUNCE)
$final_banned_destiny     = D_DISCARD;  # (defaults to D_BOUNCE)
$final_spam_destiny       = D_DISCARD;  # (defaults to D_REJECT)
$final_bad_header_destiny = D_PASS;  # (defaults to D_PASS), D_BOUNCE suggested

$virus_admin = "virusalert\@$mydomain";
$spam_admin = "postmaster\@$mydomain";

#------------ Do not modify anything below this line -------------
1;  # ensure a defined return


So I'm a bit surprised it can end up quarantined with a lower score than required. Any help on where else to look or how to understand this is appreciated.

Phil
On 26/12/24 21:20, Dominic Raferd wrote:

Perhaps the report you are seeing which reads 'Spam detection software, running on the system "acmewebsites", has NOT identified this incoming email as spam' was generated by Spamassassin (or another spam detection software), not by Amavis. Amavis takes the total score given by the other spam detection software (usually Spamassassin) and can then adjust it according to more rules of its own before making a final decision. Amavis's rules might even bypass all previous scoring and impose an automatic discard. They are described in files in /etc/amavis/conf.d, especially 50-user.
On 25/12/2024 20:45, phil at philfixit.com.au wrote:

Hi
Amavis quarantined a mail with less than the required score, how can this happen?

Content type: Spam
Internal reference code for the message is 2587633-16/VL5SambH1hmN

First upstream SMTP client IP address: [223.165.120.19]
  o4877.e.sub.davidjones.com.au
According to a 'Received:' trace, the message apparently originated at:
  [223.165.120.19], o4877.e.sub.davidjones.com.au
  o4877.e.sub.davidjones.com.au [223.165.120.19] using TLSv1.3 with cipher
  TLS_AES_128_GCM_SHA256 (128/128 bits)\t key-exchange X25519 server-signature
  RSA-PSS (2048 bits) server-digest SHA256 No client certificate requested

Return-Path:
  <bounces+36848281-5faf-user at example.com@e.sub.davidjones.com.au>
From: David Jones <optin at sub.davidjones.com.au> (dkim:AUTHOR)
Message-ID: <2N1MR1WITtqvIJTfsy-_8A at geopod-ismtpd-14>
Subject: SALE Starts Online Now
The message has been quarantined as: V/spam-VL5SambH1hmN.gz

The message WAS NOT relayed to:
<yvettec at acmewebsites.com.au>:
   250 2.7.0 Ok, discarded, id=2587633-16 - spam



Spam scanner report:
Spam detection software, running on the system "acmewebsites",
has NOT identified this incoming email as spam.  The original
message has been attached to this so you can view it or label
similar future email.  If you have any questions, see
the administrator of that system for details.

Content preview:  Up to 50% off fashion & homewares. Shop huge deals instore
   from Boxing Day. DJ Logo ( https://l.sub.davidjones.com.au/ls/click?upn=u001.yE9Px-2Fc9-2BssSkJm7SUbZKwWz1TzBmN2yMMQonjv5y5Sy3o8ejnKeLgRbsNJBfI3-2FuJhArKYq-2Fx4WoKz6Tpg2iA-3D-3D4AqR_Vb-2Fy6RPbw82R4IcJOIL0uTxe7md9wlR-2
   [...]



Content analysis details:   (2.9 points, 6.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The
                            query to Validity was blocked.  See
                            https://knowledge.validity.com/hc/en-us/articles/20961730681243
                             for more information.
                            [223.165.120.19 listed in bl.score.senderscore.com]
 0.0 RCVD_IN_VALIDITY_SAFE_BLOCKED RBL: ADMINISTRATOR NOTICE: The
                            query to Validity was blocked.  See
                            https://knowledge.validity.com/hc/en-us/articles/20961730681243
                             for more information.
                            [223.165.120.19 listed in sa-accredit.habeas.com]
 0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or
                            identical to background
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 HTML_IMAGE_RATIO_04    BODY: HTML has a low ratio of text to image
                            area
 0.5 KAM_REALLYHUGEIMGSRC   RAW: Spam with image tags with ridiculously
                             huge http urls
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                            valid
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
                            author's domain
 2.5 KAM_ZWNS               Use of zero width space characters indicates a goal to
                            elude scanners
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay
                            lines

header.hdr

Return-Path: <bounces+36848281-5faf-user at example.com@e.sub.davidjones.com.au>
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=223.165.120.19; helo=o4877.e.sub.davidjones.com.au; envelope-from=bounces+36848281-5faf-user at example.com@e.sub.davidjones.com.au; receiver=<UNKNOWN>
Authentication-Results: OpenDMARC; dmarc=pass (p=reject dis=none) header.from=sub.davidjones.com.au
Authentication-Results: mail.acmewebsites.com.au;
   dkim=pass (2048-bit key; unprotected) header.d=sub.davidjones.com.au header.i=@sub.davidjones.com.au header.a=rsa-sha256 header.s=s1 header.b=2iSucZ/D;
   dkim-atps=neutral
Received: from o4877.e.sub.davidjones.com.au (o4877.e.sub.davidjones.com.au [223.165.120.19])
   (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
    key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
   (No client certificate requested)
   by mail.acmewebsites.com.au (Postfix) with ESMTPS id 061861BC0324
   for <user at example.com>; Tue, 24 Dec 2024 16:03:43 +1100 (AEDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sub.davidjones.com.au;
   h=content-type:from:mime-version:subject:list-unsubscribe:
   list-unsubscribe-post:to:cc:content-type:from:subject:to;
   s=s1; bh=FpiPtj+LEylzHcOnWOpCbhWh4SFSg0Ap+ZjZNH1mRk8=;
Received: by recvd-6b669b7d6c-cqdht with SMTP id recvd-6b669b7d6c-cqdht-1-676A40AA-D
   2024-12-24 05:03:38.360565077 +0000 UTC m=+3397206.668822129
Received: from MzY4NDgyODE (unknown)
   by geopod-ismtpd-14 (SG) with HTTP
   id 2N1MR1WITtqvIJTfsy-_8A
   Tue, 24 Dec 2024 05:03:38.314 +0000 (UTC)
Content-Type: multipart/alternative; boundary=84ca9c06bdc7443c845bccdca4f5ac9b2b47b1acc5177ac909def4ae7871
Date: Tue, 24 Dec 2024 05:03:38 +0000 (UTC)
From: David Jones <optin at sub.davidjones.com.au>
Mime-Version: 1.0
Message-ID: <2N1MR1WITtqvIJTfsy-_8A at geopod-ismtpd-14>
Subject: SALE Starts Online Now
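
A triage helper for the situation discussed in this thread, added here as an example and not code from Amavis or from any poster: it reads the fields of a notification like the one quoted above and reports whether the score or a sender pattern accounts for the quarantine. The `^optin@` pattern, the sample text and the function names are assumptions; the real patterns are whatever the local amavisd configuration defines.

```python
import re

# Constructed stand-in for one entry of a sender blacklist map; the real
# patterns live in the local amavisd configuration and are not shown here.
BLACKLIST_PATTERNS = [re.compile(r"^optin@", re.I)]

# Constructed excerpt of the notification quoted in the thread, keeping the
# list archive's " at " address obfuscation.
SAMPLE_REPORT = """\
Content type: Spam
From: David Jones <optin at sub.davidjones.com.au> (dkim:AUTHOR)
Subject: SALE Starts Online Now
The message has been quarantined as: V/spam-VL5SambH1hmN.gz
Content analysis details:   (2.9 points, 6.0 required)
"""

def parse_report(text):
    """Extract author address, score and threshold from a notification."""
    # "required" is the figure printed in the scanner report, nothing more.
    score = re.search(r"\((-?[\d.]+) points, (-?[\d.]+) required\)", text)
    author = re.search(r"^From:.*?<([^<>]+)>", text, re.M)
    return {
        "author": author.group(1).replace(" at ", "@") if author else None,
        "score": float(score.group(1)) if score else None,
        "required": float(score.group(2)) if score else None,
        "quarantined": "has been quarantined as:" in text,
    }

def explain(report, patterns=BLACKLIST_PATTERNS):
    """Say which mechanism accounts for the quarantine: score or sender match."""
    if not report["quarantined"]:
        return "not quarantined"
    if report["score"] is not None and report["score"] >= report["required"]:
        return "score at or above threshold"
    hit = next((p.pattern for p in patterns
                if report["author"] and p.search(report["author"])), None)
    if hit:
        return f"sender matches blacklist pattern {hit}"
    return "below threshold and no pattern match: check other policy settings"

if __name__ == "__main__":
    print(explain(parse_report(SAMPLE_REPORT)))
```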
