
Thread: local mail getting marked as spam?

  1. #1
    bjquinn is offline Advanced Member
    Join Date
    Nov 2005
    Posts
    175
    Rep Power
    9

    Default local mail getting marked as spam?

    I'm having some mail getting sent from one local user to another (or from a local user to him/herself) that is getting marked as spam. It's getting tagged with all sorts of stuff like the following:

    X-Spam-Status: Yes, score=6.581 tagged_above=-10 required=4 tests=[AWL=-4.156,
    BAYES_05=-1.11, DCC_CHECK=2.17, DIGEST_MULTIPLE=0.765,
    DYN_RDNS_SHORT_HELO_HTML=0.499, HTML_90_100=0.113, HTML_MESSAGE=0.001,
    MIME_HTML_MOSTLY=1.102, PYZOR_CHECK=3.7, RCVD_IN_SORBS_DUL=2.046,
    RDNS_DYNAMIC=0.1, TVD_RCVD_SINGLE=1.351]

    Now, this only seems to happen when roaming/home users send mail. Here's some more of the headers (IP addresses and hostnames changed to protect the innocent, of course)

    Return-Path: xxxxxx@myserver.com
    Received: from mail2.myserver.com (LHLO mail2.myserver.com) (192.168.1.xxx) by
    mail2.myserver.com with LMTP; Sun, 22 Jun 2008 20:27:32 -0500 (CDT)
    Received: from localhost (localhost.localdomain [127.0.0.1])
    by mail2.myserver.com (Postfix) with ESMTP id 82E9693400CD
    for <xxxxxx@myserver.com>; Sun, 22 Jun 2008 20:27:32 -0500 (CDT)
    X-Virus-Scanned: amavisd-new at
    X-Spam-Flag: YES
    X-Spam-Score: 6.581
    X-Spam-Level: ******
    X-Spam-Status: Yes, score=6.581 tagged_above=-10 required=4 tests=[AWL=-4.156,
    BAYES_05=-1.11, DCC_CHECK=2.17, DIGEST_MULTIPLE=0.765,
    DYN_RDNS_SHORT_HELO_HTML=0.499, HTML_90_100=0.113, HTML_MESSAGE=0.001,
    MIME_HTML_MOSTLY=1.102, PYZOR_CHECK=3.7, RCVD_IN_SORBS_DUL=2.046,
    RDNS_DYNAMIC=0.1, TVD_RCVD_SINGLE=1.351]
    Received: from mail2.myserver.com ([127.0.0.1])
    by localhost (mail2.myserver.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 5LyQDl0JSaxV for <xxxxxx@myserver.com>;
    Sun, 22 Jun 2008 20:27:31 -0500 (CDT)
    Received: from MYHOSTNAME (ppp-70-251-124-xxx.dsl.rcsntx.swbell.net [70.251.124.xxx])
    by mail2.myserver.com (Postfix) with ESMTP id 3A5BD93400C7
    for <xxxxxxx@myserver.com>; Sun, 22 Jun 2008 20:27:31 -0500 (CDT)

    It looks like the home user, who is sending out email through their home DSL connection (but using our server as their outgoing mail server) is tripping all sorts of blacklist rules/filters. Possibly a source of the problem could be that we're using an alternate SMTP port added to Zimbra (port 8025, so that those home users whose port 25 is blocked can still use our server as the outgoing mail server), so maybe Zimbra isn't recognizing mail coming in on that alternate port as being local and the source of the mail being an authenticated Zimbra user, not some spammer sending out stuff from a DSL connection? We'd just cave in and have the home users use their ISP's outgoing mail server, but that doesn't work, of course, for laptops that roam the world using all sorts of different internet connections, a different one every time they boot their machine up. We're using 5.0.6.

    Thanks!

  2. #2
    Bill Brock is offline Outstanding Member
    Join Date
    May 2007
    Location
    Oklahoma
    Posts
    703
    Rep Power
    9

    Default

    What program are your users using to send mail? Are they required to use SMTP authentication?

  3. #3
    bjquinn is offline Advanced Member

    Oh, most are Outlook. I believe the one for which I posted the headers was Outlook Express. And yes, I do require SMTP Authentication.

    Edit: Oh, and we're only using that alternate SMTP port for home/roaming users. We don't see the same problem internally using port 25.
    Last edited by bjquinn; 06-24-2008 at 09:53 AM.

  4. #4
    bjquinn is offline Advanced Member

    So, in short, when I use my Zimbra server as an outgoing SMTP server on an alternate SMTP port, SpamAssassin detects my home DSL connection's IP as the IP address of my outgoing SMTP server (which, of course, would be on blacklists galore), rather than the Zimbra server, which is both the outgoing server and the recipient server.
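
As an added illustration, not part of any post in the thread: this Python script splits the X-Spam-Status header from the first post into points scored by rules about the connecting client and points scored by everything else. Treating rule names that contain RCVD or RDNS as the client-derived ones is an assumption of this example, and the function names are made up for it.

```python
import re
from decimal import Decimal

# The X-Spam-Status header quoted in the first post, continuation lines included.
HEADER = """X-Spam-Status: Yes, score=6.581 tagged_above=-10 required=4 tests=[AWL=-4.156,
 BAYES_05=-1.11, DCC_CHECK=2.17, DIGEST_MULTIPLE=0.765,
 DYN_RDNS_SHORT_HELO_HTML=0.499, HTML_90_100=0.113, HTML_MESSAGE=0.001,
 MIME_HTML_MOSTLY=1.102, PYZOR_CHECK=3.7, RCVD_IN_SORBS_DUL=2.046,
 RDNS_DYNAMIC=0.1, TVD_RCVD_SINGLE=1.351]"""

# Assumption: rules with RCVD or RDNS in the name score the connecting client
# (its IP on a DNSBL, its reverse DNS, its HELO name), not the message content.
RELAY_RULE = re.compile(r"RCVD|RDNS")


def parse_spam_status(header):
    """Return (required, {rule: score}) from an amavisd-new X-Spam-Status header."""
    flat = " ".join(header.split())  # unfold the continuation lines
    required = re.search(r"required=(-?[\d.]+)", flat)
    tests = re.search(r"tests=\[(.*?)\]", flat)
    if not required or not tests:
        raise ValueError("expected required=N and tests=[...] in the header")
    scores = {}
    for item in tests.group(1).split(","):
        name, sep, value = item.strip().partition("=")
        if sep:  # skip empty items and rule names listed without a score
            scores[name] = Decimal(value)
    return Decimal(required.group(1)), scores


def split_by_origin(header):
    """Separate points earned by the client connection from everything else."""
    required, scores = parse_spam_status(header)
    relay = {n: s for n, s in scores.items() if RELAY_RULE.search(n)}
    total = sum(scores.values(), Decimal(0))
    relay_total = sum(relay.values(), Decimal(0))
    return {
        "required": required,
        "total": total,
        "relay_rules": sorted(relay),
        "relay_total": relay_total,
        "without_relay": total - relay_total,
        "spam_without_relay": total - relay_total >= required,
    }


if __name__ == "__main__":
    for key, value in split_by_origin(HEADER).items():
        print(f"{key}: {value}")
```

On the posted header the client-derived rules contribute 3.996 of the 6.581 points, and the remaining 2.585 is below the required 4.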

  5. #5
    jholder's Avatar
    jholder is offline Former Zimbran
    Join Date
    Oct 2005
    Location
    Thatcher, AZ
    Posts
    5,606
    Rep Power
    20

    Default

    Quote: Originally Posted by bjquinn
    So, in short, when I use my Zimbra server as an outgoing SMTP server on an alternate SMTP port, SpamAssassin detects my home DSL connection's IP as the IP address of my outgoing SMTP server (which, of course, would be on blacklists galore), rather than the Zimbra server, which is both the outgoing server and the recipient server.
    Marking them as not spam should train SA to ignore that.

  6. #6
    bjquinn is offline Advanced Member

    Right, but if the users aren't using the Zimbra web client, then they can't do that. Also, SA seems to be set up incorrectly to think local mail is spam! I'd rather fix it at the source than set off hundreds or thousands of "not junk" clicks (and I'm of two minds as to how well that would work anyway...).

    Plus, I wouldn't want SA to ignore that when the incoming email is truly originating from a home DSL account!

  7. #7
    bjquinn is offline Advanced Member

    Any ideas, anyone? In addition to my 5.0.6 server that's doing this, I have a 4.5.7 server now doing the same thing, and it flags off the RCVD_IN_SORBS_DUL rule.

    Why is Zimbra's SpamAssassin detecting the IP address of the internet connection that a LOCAL user connected from as being the IP address of the sending email server? If the sending address is local, then technically my Zimbra server should be considered both the "sending" and the "receiving" email server. It shouldn't consider the IP address that it receives the mail from as the "sending" IP address (to set off spam rules, blacklists, etc.) unless the sender can't successfully authenticate and send mail as a local user.

    About my alternate SMTP port (8025) that I mentioned in the original post. I think that's not related to the problem anymore, however, since many users on the local network are also using port 8025 and the problem only appears to happen when a user sends an email from their home internet connection, hotel, etc. However, I guess that if it were related to the problem and 192.168.x.x addresses weren't on the SORBS_DUL, I might have the same symptoms as I do now.
    Last edited by bjquinn; 07-11-2008 at 11:35 AM.

  8. #8
    mdeneen is offline Active Member
    Join Date
    Jul 2007
    Posts
    45
    Rep Power
    8

    Default

    Quote: Originally Posted by bjquinn
    Any ideas, anyone? In addition to my 5.0.6 server that's doing this, I have a 4.5.7 server now doing the same thing, and it flags off the RCVD_IN_SORBS_DUL rule.

    Why is Zimbra's SpamAssassin detecting the IP address of the internet connection that a LOCAL user connected from as being the IP address of the sending email server? If the sending address is local, then technically my Zimbra server should be considered both the "sending" and the "receiving" email server. It shouldn't consider the IP address that it receives the mail from as the "sending" IP address (to set off spam rules, blacklists, etc.) unless the sender can't successfully authenticate and send mail as a local user.

    About my alternate SMTP port (8025) that I mentioned in the original post. I think that's not related to the problem anymore, however, since many users on the local network are also using port 8025 and the problem only appears to happen when a user sends an email from their home internet connection, hotel, etc. However, I guess that if it were related to the problem and 192.168.x.x addresses weren't on the SORBS_DUL, I might have the same symptoms as I do now.
    I've always found this to be an odd thing with Zimbra. What I ended up doing is outlined here: Improving Anti-spam system - Zimbra :: Wiki.

    I just whitelisted anything coming from my domain. It's not a perfect solution, as incoming mail with a forged from address can slip by because it will be whitelisted.

    I would love to see Zimbra auto-whitelist any mail coming from the trusted network, as well as incoming mail which passed through SMTP auth.

    Mark

  9. #9
    su_A_ve is offline Advanced Member
    Join Date
    Dec 2006
    Posts
    181
    Rep Power
    8

    Default

    Instead of adding your own port, why not enable the SMTP submission port (587)? That is set up to force authentication regardless, and might trip less spam.

    Course, other ways would be to force them to use webmail when outside and/or require VPN...

  10. #10
    bjquinn is offline Advanced Member

    I appreciate the suggestions. What is the SMTP submission port? What does that mean? Does anyone have any experience with using this to circumvent the problem with getting local mail marked as spam?

    Is it the alternate SMTP port that causes local mail to trip spam rules, or does it happen even with port 25, or maybe even 587? I'd imagine that even if there was a problem that allowed SA to detect local mail as spam regardless of port used, then internal IPs (192.168.x.x) on the same internal network would at least not be found on the blacklists, meaning one would be less likely to notice the problem on port 25.

    As for forcing the users to use webmail, I've got some CEOs, etc., that I'll have trouble talking into that. And did someone actually say VPN?

    I'll take a look at the local domain whitelisting, but that would definitely be a last resort, for the reasons the poster (Mark) suggested.
