Re: Email quarantined with low score

Thu, 26 Dec 2024 16:14:37 -0800 

Thanks, ill take a look


On 27/12/24 08:55, Kai Risku wrote:
The default amavisd.conf configuration contains a @blacklist_sender_maps configuration that matches some special senders such as “optin@something” and directly blocks the email regardless of score. 

--
kai.ri...@arrak.fi GSM  +358-40-767 8282
Oy Arrak Software Ab http://www.arrak.fi
*From:*amavis-users <amavis-users-bounces+kai.risku=arrak...@amavis.org> *On Behalf Of *p...@philfixit.com.au 
*Sent:* Thursday, December 26, 2024 23:22
*To:* amavis-users@amavis.org
*Subject:* Re: Email quarantined with low score



Thanks Dominic,

My spamassassin and amavis are vanilla except for 50-user which looks like

:~$ cat /etc/amavis/conf.d/50-user
use strict;

#
# Place your configuration directives here.  They will override those in
# earlier files.
#
# See /usr/share/doc/amavisd-new/ for documentation and examples of
# the directives you can use in this file
#
$max_servers = 4;
@local_domains_acl = ( ".$mydomain" );
$ENV{PATH} = $path = '/usr/sbin:/sbin:/usr/bin:/bin <sbin://sbin:/usr/bin:/bin>'; 
$enable_dkim_verification = 1;
@whitelist_sender_acl = @local_domains_acl;

$final_virus_destiny      = D_DISCARD;  # (defaults to D_BOUNCE)
$final_banned_destiny     = D_DISCARD;  # (defaults to D_BOUNCE)
$final_spam_destiny       = D_DISCARD;  # (defaults to D_REJECT)
$final_bad_header_destiny = D_PASS;  # (defaults to D_PASS), D_BOUNCE suggested 

$virus_admin = "virusalert\@$mydomain";
$spam_admin = "postmaster\@$mydomain";

#------------ Do not modify anything below this line -------------
1;  # ensure a defined return
So im a bit surprised it can end up quarantined with a lower score than required, any help on where else to look or how to understand this is appreciated. 

Phil

On 26/12/24 21:20, Dominic Raferd wrote:

    Perhaps the report you are seeing which reads 'Spam detection
    software, running on the system "acmewebsites", has NOT identified
    this incoming email as spam' was generated by Spamassassin (or
    another spam detection software), not by Amavis. Amavis takes the
    total score given by the other spam detection software (usually
    Spamassassin) and can then adjust it according to more rules of
    its own before making a final decision. Amavis's rules might even
    bypass all previous scoring and impose an automatic discard. They
    are described in files in /etc/amavis/conf.d, especially 50-user.

    On 25/12/2024 20:45, p...@philfixit.com.au wrote:


        Hi
        Amavis quarantined a mail with less than the required score,
        how can this happen ?

        Content type: Spam

        Internal reference code for the message is 2587633-16/VL5SambH1hmN

        First upstream SMTP client IP address: [223.165.120.19]

        o4877.e.sub.davidjones.com.au

        According to a 'Received:' trace, the message apparently originated at:

        [223.165.120.19], o4877.e.sub.davidjones.com.au

        o4877.e.sub.davidjones.com.au [223.165.120.19] using TLSv1.3 with cipher

        TLS_AES_128_GCM_SHA256 (128/128 bits)\t key-exchange X25519 
server-signature

        RSA-PSS (2048 bits) server-digest SHA256 No client certificate requested

        Return-Path:

          <bounces+36848281-5faf- 
<mailto:bounces+36848281-5faf-yvette=durabuild.com...@e.sub.davidjones.com.au>u...@example.com 
<mailto:yve...@durabuild.com.au>@e.sub.davidjones.com.au> 
<mailto:bounces+36848281-5faf-yvette=durabuild.com...@e.sub.davidjones.com.au>

        From: David Jones<op...@sub.davidjones.com.au> 
<mailto:op...@sub.davidjones.com.au> (dkim:AUTHOR)

        Message-ID: <2N1MR1WITtqvIJTfsy-_8A@geopod-ismtpd-14>

        Subject: SALE Starts Online Now

        The message has been quarantined as: V/spam-VL5SambH1hmN.gz

        The message WAS NOT relayed to:

        <yvet...@acmewebsites.com.au> <mailto:yvet...@acmewebsites.com.au>:

        250 2.7.0 Ok, discarded, id=2587633-16 - spam

        Spam scanner report:

        Spam detection software, running on the system "acmewebsites",

        has NOT identified this incoming email as spam.The original

        message has been attached to this so you can view it or label

        similar future email.If you have any questions, see

        the administrator of that system for details.

        Content preview:Up to 50% off fashion & homewares. Shop huge deals 
instore

        from Boxing Day. DJ Logo 
(https://l.sub.davidjones.com.au/ls/click?upn=u001.yE9Px-2Fc9-2BssSkJm7SUbZKwWz1TzBmN2yMMQonjv5y5Sy3o8ejnKeLgRbsNJBfI3-2FuJhArKYq-2Fx4WoKz6Tpg2iA-3D-3D4AqR_Vb-2Fy6RPbw82R4IcJOIL0uTxe7md9wlR-2

        [...]

        Content analysis details:(2.9 points, 6.0 required)

          pts rule namedescription

        ---- ---------------------- 
--------------------------------------------------

          0.0 SPF_HELO_NONESPF: HELO does not publish an SPF Record

        -0.0 SPF_PASSSPF: sender matches SPF record

          0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The

        query to Validity was blocked.See

        https://knowledge.validity.com/hc/en-us/articles/20961730681243

        for more information.

        [223.165.120.19 listed in bl.score.senderscore.com]

          0.0 RCVD_IN_VALIDITY_SAFE_BLOCKED RBL: ADMINISTRATOR NOTICE: The

        query to Validity was blocked.See

        https://knowledge.validity.com/hc/en-us/articles/20961730681243

        for more information.

        [223.165.120.19 listed in sa-accredit.habeas.com]

          0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or

        identical to background

          0.0 HTML_MESSAGEBODY: HTML included in message

          0.0 HTML_IMAGE_RATIO_04BODY: HTML has a low ratio of text to image

        area

          0.5 KAM_REALLYHUGEIMGSRCRAW: Spam with image tags with ridiculously

        huge http urls

        -0.1 DKIM_VALIDMessage has at least one valid DKIM or DK signature

          0.1 DKIM_SIGNEDMessage has a DKIM or DK signature, not necessarily

        valid

        -0.1 DKIM_VALID_AUMessage has a valid DKIM or DK signature from

        author's domain

          2.5 KAM_ZWNSUse of zero width space characters indicates a goal to

        elude scanners

          0.0 UNPARSEABLE_RELAYInformational: message has unparseable relay

        lines


        header.hdr

        Return-Path:<bounces+36848281-5faf- 
<mailto:bounces+36848281-5faf-yvette=durabuild.com...@e.sub.davidjones.com.au>u...@example.com 
<mailto:yve...@durabuild.com.au>@e.sub.davidjones.com.au> 
<mailto:bounces+36848281-5faf-yvette=durabuild.com...@e.sub.davidjones.com.au>

        Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=223.165.120.19; 
helo=o4877.e.sub.davidjones.com.au;envelope-from=bounces+36848281-5faf- 
<mailto:envelope-from=bounces+36848281-5faf-yvette=durabuild.com...@e.sub.davidjones.com.au>u...@example.com
 <mailto:yve...@durabuild.com.au>@e.sub.davidjones.com.au 
<mailto:envelope-from=bounces+36848281-5faf-yvette=durabuild.com...@e.sub.davidjones.com.au>; 
receiver=<UNKNOWN>

        Authentication-Results: OpenDMARC; dmarc=pass (p=reject dis=none) 
header.from=sub.davidjones.com.au

        Authentication-Results: mail.acmewebsites.com.au;

        dkim=pass (2048-bit key; unprotected) 
header.d=sub.davidjones.com.auheader.i=@sub.davidjones.com.au 
header.a=rsa-sha256 header.s=s1 header.b=2iSucZ/D;

        dkim-atps=neutral

        Received: from o4877.e.sub.davidjones.com.au 
(o4877.e.sub.davidjones.com.au [223.165.120.19])

        (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)

          key-exchange X25519 server-signature RSA-PSS (2048 bits) 
server-digest SHA256)

        (No client certificate requested)

        by mail.acmewebsites.com.au (Postfix) with ESMTPS id 061861BC0324

        for<u...@example.com> <mailto:yve...@durabuild.com.au>; Tue, 24 Dec 
2024 16:03:43 +1100 (AEDT)

        DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 
d=sub.davidjones.com.au;

        h=content-type:from:mime-version:subject:list-unsubscribe:

        list-unsubscribe-post:to:cc:content-type:from:subject:to;

        s=s1; bh=FpiPtj+LEylzHcOnWOpCbhWh4SFSg0Ap+ZjZNH1mRk8=;

        b=2iSucZ/Ds1PkRGs2DbDh/oau39+ean3oqBCf9jZx4+yyNyEsK78Vn42TQlGruE3m3/Dl

        yp5gy6qDwraiVYAz6p26tYpLEesF24i+HNlKZpNgfjHMOHAEDcGfgRkTGyWSo/Drl50y67

        zvz5hW9tIt37Gfhjn2EG5bNs6a+/LQY5r8cJotyEKH8j6FG/Xcmt4nfq6P0GSTSTXA6b1Y

        mekyeNMee53XbbGi1PNFISXcBJm4D5ms1Cx7r0QOzt04vIXQjy6TnQHQCJ02OuwOxrh2xN

        3j738YcBDCamGQ+EOwTspGJ9/ij1+I0sHmAb05JUqHqwyrzGoa9Ya1jRtk48+WDQ==

        Received: by recvd-6b669b7d6c-cqdht with SMTP id 
recvd-6b669b7d6c-cqdht-1-676A40AA-D

        2024-12-24 05:03:38.360565077 +0000 UTC m=+3397206.668822129

        Received: from MzY4NDgyODE (unknown)

        by geopod-ismtpd-14 (SG) with HTTP

        id 2N1MR1WITtqvIJTfsy-_8A

        Tue, 24 Dec 2024 05:03:38.314 +0000 (UTC)

        Content-Type: multipart/alternative; 
boundary=84ca9c06bdc7443c845bccdca4f5ac9b2b47b1acc5177ac909def4ae7871

        Date: Tue, 24 Dec 2024 05:03:38 +0000 (UTC)

        From: David Jones<op...@sub.davidjones.com.au> 
<mailto:op...@sub.davidjones.com.au>

        Mime-Version: 1.0

        Message-ID: <2N1MR1WITtqvIJTfsy-_8A@geopod-ismtpd-14>

        Subject: SALE Starts Online Now

Reply via email to