Email quarantined with low score
phil at philfixit.com.au
Fri Dec 27 01:14:02 CET 2024
Thanks, I'll take a look
On 27/12/24 08:55, Kai Risku wrote:
>
> The default amavisd.conf configuration contains a
> @blacklist_sender_maps configuration that matches some special senders
> such as “optin at something” and directly blocks the email regardless of
> score.
>
> --
> Kai.Risku at arrak.fi GSM +358-40-767 8282
> Oy Arrak Software Ab http://www.arrak.fi
>
> *From:* amavis-users
> <amavis-users-bounces+kai.risku=arrak.fi at amavis.org> *On Behalf Of*
> phil at philfixit.com.au
> *Sent:* Thursday, December 26, 2024 23:22
> *To:* amavis-users at amavis.org
> *Subject:* Re: Email quarantined with low score
>
>
>
> Thanks Dominic,
>
> My spamassassin and amavis are vanilla except for 50-user which looks like
>
> :~$ cat /etc/amavis/conf.d/50-user
> use strict;
>
> #
> # Place your configuration directives here. They will override those in
> # earlier files.
> #
> # See /usr/share/doc/amavisd-new/ for documentation and examples of
> # the directives you can use in this file
> #
> $max_servers = 4;
> @local_domains_acl = ( ".$mydomain" );
> $ENV{PATH} = $path = '/usr/sbin:/sbin:/usr/bin:/bin';
> $enable_dkim_verification = 1;
> @whitelist_sender_acl = @local_domains_acl;
>
> $final_virus_destiny = D_DISCARD; # (defaults to D_BOUNCE)
> $final_banned_destiny = D_DISCARD; # (defaults to D_BOUNCE)
> $final_spam_destiny = D_DISCARD; # (defaults to D_REJECT)
> $final_bad_header_destiny = D_PASS; # (defaults to D_PASS), D_BOUNCE suggested
>
> $virus_admin = "virusalert\@$mydomain";
> $spam_admin = "postmaster\@$mydomain";
>
> #------------ Do not modify anything below this line -------------
> 1; # ensure a defined return
>
>
> So I'm a bit surprised it can end up quarantined with a lower score
> than required, any help on where else to look or how to understand
> this is appreciated.
>
> Phil
>
> On 26/12/24 21:20, Dominic Raferd wrote:
>
> Perhaps the report you are seeing which reads 'Spam detection
> software, running on the system "acmewebsites", has NOT identified
> this incoming email as spam' was generated by Spamassassin (or
> another spam detection software), not by Amavis. Amavis takes the
> total score given by the other spam detection software (usually
> Spamassassin) and can then adjust it according to more rules of
> its own before making a final decision. Amavis's rules might even
> bypass all previous scoring and impose an automatic discard. They
> are described in files in /etc/amavis/conf.d, especially 50-user.
>
> On 25/12/2024 20:45, phil at philfixit.com.au wrote:
>
>
> Hi
> Amavis quarantined a mail with less than the required score,
> how can this happen?
>
> Content type: Spam
>
> Internal reference code for the message is 2587633-16/VL5SambH1hmN
>
> First upstream SMTP client IP address: [223.165.120.19]
>
> o4877.e.sub.davidjones.com.au
>
> According to a 'Received:' trace, the message apparently originated at:
>
> [223.165.120.19], o4877.e.sub.davidjones.com.au
>
> o4877.e.sub.davidjones.com.au [223.165.120.19] using TLSv1.3 with cipher
>
> TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature
>
> RSA-PSS (2048 bits) server-digest SHA256 No client certificate requested
>
> Return-Path:
>
> <bounces+36848281-5faf-user at example.com@e.sub.davidjones.com.au>
>
> From: David Jones <optin at sub.davidjones.com.au> (dkim:AUTHOR)
>
> Message-ID: <2N1MR1WITtqvIJTfsy-_8A at geopod-ismtpd-14>
>
> Subject: SALE Starts Online Now
>
> The message has been quarantined as: V/spam-VL5SambH1hmN.gz
>
> The message WAS NOT relayed to:
>
> <yvettec at acmewebsites.com.au>:
>
> 250 2.7.0 Ok, discarded, id=2587633-16 - spam
>
> Spam scanner report:
>
> Spam detection software, running on the system "acmewebsites",
>
> has NOT identified this incoming email as spam. The original
>
> message has been attached to this so you can view it or label
>
> similar future email. If you have any questions, see
>
> the administrator of that system for details.
>
> Content preview: Up to 50% off fashion & homewares. Shop huge deals instore
>
> from Boxing Day. DJ Logo (https://l.sub.davidjones.com.au/ls/click?upn=u001.yE9Px-2Fc9-2BssSkJm7SUbZKwWz1TzBmN2yMMQonjv5y5Sy3o8ejnKeLgRbsNJBfI3-2FuJhArKYq-2Fx4WoKz6Tpg2iA-3D-3D4AqR_Vb-2Fy6RPbw82R4IcJOIL0uTxe7md9wlR-2
>
> [...]
>
> Content analysis details: (2.9 points, 6.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
> -0.0 SPF_PASS               SPF: sender matches SPF record
>  0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The
>                             query to Validity was blocked. See
>                             https://knowledge.validity.com/hc/en-us/articles/20961730681243
>                             for more information.
>                             [223.165.120.19 listed in bl.score.senderscore.com]
>  0.0 RCVD_IN_VALIDITY_SAFE_BLOCKED RBL: ADMINISTRATOR NOTICE: The
>                             query to Validity was blocked. See
>                             https://knowledge.validity.com/hc/en-us/articles/20961730681243
>                             for more information.
>                             [223.165.120.19 listed in sa-accredit.habeas.com]
>  0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or
>                             identical to background
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  0.0 HTML_IMAGE_RATIO_04    BODY: HTML has a low ratio of text to image
>                             area
>  0.5 KAM_REALLYHUGEIMGSRC   RAW: Spam with image tags with ridiculously
>                             huge http urls
> -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
>  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
>                             valid
> -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
>                             author's domain
>  2.5 KAM_ZWNS               Use of zero width space characters indicates a goal to
>                             elude scanners
>  0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay
>                             lines
>
>
> header.hdr
>
> Return-Path: <bounces+36848281-5faf-user at example.com@e.sub.davidjones.com.au>
>
> Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=223.165.120.19; helo=o4877.e.sub.davidjones.com.au; envelope-from=bounces+36848281-5faf-user at example.com@e.sub.davidjones.com.au; receiver=<UNKNOWN>
>
> Authentication-Results: OpenDMARC; dmarc=pass (p=reject dis=none) header.from=sub.davidjones.com.au
>
> Authentication-Results: mail.acmewebsites.com.au;
>
> dkim=pass (2048-bit key; unprotected) header.d=sub.davidjones.com.au header.i=@sub.davidjones.com.au header.a=rsa-sha256 header.s=s1 header.b=2iSucZ/D;
>
> dkim-atps=neutral
>
> Received: from o4877.e.sub.davidjones.com.au (o4877.e.sub.davidjones.com.au [223.165.120.19])
>
> (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
>
> key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
>
> (No client certificate requested)
>
> by mail.acmewebsites.com.au (Postfix) with ESMTPS id 061861BC0324
>
> for <user at example.com>; Tue, 24 Dec 2024 16:03:43 +1100 (AEDT)
>
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sub.davidjones.com.au;
>
> h=content-type:from:mime-version:subject:list-unsubscribe:
>
> list-unsubscribe-post:to:cc:content-type:from:subject:to;
>
> s=s1; bh=FpiPtj+LEylzHcOnWOpCbhWh4SFSg0Ap+ZjZNH1mRk8=;
>
> b=2iSucZ/Ds1PkRGs2DbDh/oau39+ean3oqBCf9jZx4+yyNyEsK78Vn42TQlGruE3m3/Dl
>
> yp5gy6qDwraiVYAz6p26tYpLEesF24i+HNlKZpNgfjHMOHAEDcGfgRkTGyWSo/Drl50y67
>
> zvz5hW9tIt37Gfhjn2EG5bNs6a+/LQY5r8cJotyEKH8j6FG/Xcmt4nfq6P0GSTSTXA6b1Y
>
> mekyeNMee53XbbGi1PNFISXcBJm4D5ms1Cx7r0QOzt04vIXQjy6TnQHQCJ02OuwOxrh2xN
>
> 3j738YcBDCamGQ+EOwTspGJ9/ij1+I0sHmAb05JUqHqwyrzGoa9Ya1jRtk48+WDQ==
>
> Received: by recvd-6b669b7d6c-cqdht with SMTP id recvd-6b669b7d6c-cqdht-1-676A40AA-D
>
> 2024-12-24 05:03:38.360565077 +0000 UTC m=+3397206.668822129
>
> Received: from MzY4NDgyODE (unknown)
>
> by geopod-ismtpd-14 (SG) with HTTP
>
> id 2N1MR1WITtqvIJTfsy-_8A
>
> Tue, 24 Dec 2024 05:03:38.314 +0000 (UTC)
>
> Content-Type: multipart/alternative; boundary=84ca9c06bdc7443c845bccdca4f5ac9b2b47b1acc5177ac909def4ae7871
>
> Date: Tue, 24 Dec 2024 05:03:38 +0000 (UTC)
>
> From: David Jones <optin at sub.davidjones.com.au>
>
> Mime-Version: 1.0
>
> Message-ID: <2N1MR1WITtqvIJTfsy-_8A at geopod-ismtpd-14>
>
> Subject: SALE Starts Online Now
>
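Kai Risku's point in the quoted reply, that a match in a sender blacklist blocks a message without regard to its score, as an added example (not part of the thread and not amavis code): the Python below pulls the `qr'...'` entries out of an `@blacklist_sender_maps` block and checks sender addresses against them before any score comparison. The pattern list is constructed, with only `optin` taken from the thread; the function names are hypothetical, and the patterns are assumed to be simple enough to mean the same thing in Python's `re` as in Perl.

```python
import re

# Constructed stand-in for a sender blacklist in amavisd.conf syntax. Only the
# "optin" local part comes from the thread; every other pattern is invented.
SAMPLE_CONF = r"""
# @blacklist_sender_maps = ( new_RE( qr'^ignored-because-commented@'i ));
@blacklist_sender_maps = ( new_RE(
    qr'^(bulkmail|optin|specialoffers)@'i,
    qr'^(marketopt|MakeMoney)\d*@'i,
));
$final_spam_destiny = D_DISCARD;
"""

def blacklist_patterns(conf_text):
    """Return compiled regexes for the qr'...' items in @blacklist_sender_maps."""
    # Drop commented-out lines so disabled maps are not reported as active.
    live = "\n".join(line for line in conf_text.splitlines()
                     if not line.lstrip().startswith("#"))
    # The assignment runs from the variable name to the first ';' ending a line.
    block = re.search(r"@blacklist_sender_maps\s*=(.*?);[ \t]*$", live, re.S | re.M)
    if not block:
        return []
    return [re.compile(body, re.I if "i" in flags else 0)
            for body, flags in re.findall(r"qr'([^']*)'([a-z]*)", block.group(1))]

def explain_verdict(addresses, score, required, patterns):
    """Model the two independent routes to a block: blacklist hit, or score."""
    for addr in addresses:
        for rx in patterns:
            if rx.search(addr):
                return ("blocked", f"{addr} matches blacklist /{rx.pattern}/; "
                                   f"score {score} of {required} not consulted")
    if score >= required:
        return ("blocked", f"score {score} >= {required}")
    return ("passed", f"score {score} < {required} and no blacklist match")

if __name__ == "__main__":
    pats = blacklist_patterns(SAMPLE_CONF)
    # Score and threshold as quoted in the report above: 2.9 points, 6.0 required.
    print(explain_verdict(["optin@sub.davidjones.com.au"], 2.9, 6.0, pats))
    print(explain_verdict(["news@example.com"], 2.9, 6.0, pats))
```
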