Daily mail report going to Spam ?!

[briceb]

Hi,

Why would the Daily mail report go to the Junk folder ?

I upgraded to 6.0.7 on Friday and this just happened today for some reason, but taking a look at the previous days the spam score was almost high enough to put those in that folder as well..

Here is the Spam Status :

X-Spam-Status: Yes, score=5.01 tagged_above=-10 required=5
tests=[ALL_TRUSTED=-1, BAYES_00=-1.9, IP_LINK_PLUS=0.012,
NORMAL_HTTP_TO_IP=0.001, NUMERIC_HTTP_ADDR=1.242,
T_RP_MATCHES_RCVD=-0.01, T_URIBL_BLACK_OVERLAP=0.01,
URIBL_BLACK=1.725, URIBL_DBL_SPAM=1.7, URIBL_WS_SURBL=1.608,
URI_HEX=1.122, URI_NOVOWEL=0.5] autolearn=no

Please advise ! Thanks!

[ewilen]

What seems to be going on is, SA changed its scores--whether between versions or simply in the normal course of score updates (i.e. what you'd see if you ran sa_update).

Here's what the same field on my last daily mail report looks like:

X-Spam-Status: No, score=-1.34 tagged_above=-10 required=4.4 tests=[ALL_TRUSTED=-1.8, AWL=-1.267, BAYES_00=-2.599, NORMAL_HTTP_TO_IP=0.001, NUMERIC_HTTP_ADDR=0.001, URIBL_BLACK=1.955, URIBL_WS_SURBL=1.5, URI_HEX=0.368, URI_NOVOWEL=0.5, WEIRD_PORT=0.001] autolearn=no

Here are some major differences between my 6.0.6 and your 6.0.7 scores:

ALL_TRUSTED -1.8 -1
BAYES_00 -2.599 -1.9
NUMERIC_HTTP_ADDR 0.001 1.242

Some others either don't exist on both emails or they're relatively small differences.

I'll bet you can work around this short-term by creating a whitelisting in the administrator account--just whitelist admin@<yourserver>.

[briceb]

Hi Elliot,

First thank you for your answer, it's nice to understand where the issue is coming from.

Now, shouldn't it be considered as a bug? I mean a system message going to the Junk folder.. isn't it more than enough to say it's a bug if there's no misconfiguration from the system administrator?

Voted for 44384..

[ewilen]

Yeah, I guess. Basically the positive scoring is because of all the spam-like urls in the daily mail report. Aside from simply skipping SA (which might be hard) or making a whitelist entry (which will let some forged-address spam through), what could be done is to create an SA rule that scores a high negative on some text that's unique to the report.

Anyway, no harm making a bug report. You could reference this thread. Please put the bug number here so other folks can track and vote for it.

[LMStone]

We've seen this so many times before that we now use the "BFI" method to "fix" this (Brute Force and Ignorance...)

We just add the Daily Mail Report sending email address to /opt/zimbra/conf/amavid.conf.in and pre-scrore it with -10.0. See the last entry in the whitelist section below for example:

Code:

     <snip>
     'owner-technews@postel.acm.org'          => -3.0,
     'ietf-123-owner@loki.ietf.org'           => -3.0,
     'cvs-commits-list-admin@gnome.org'       => -3.0,
     'rt-users-admin@lists.fsck.com'          => -3.0,
     'clp-request@comp.nus.edu.sg'            => -3.0,
     'surveys-errors@lists.nua.ie'            => -3.0,
     'emailnews@genomeweb.com'                => -5.0,
     'yahoo-dev-null@yahoo-inc.com'           => -3.0,
     'returns.groups.yahoo.com'               => -3.0,
     'clusternews@linuxnetworx.com'           => -3.0,
     lc('lvs-users-admin@LinuxVirtualServer.org')    => -3.0,
     lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,
     'zimbra@malbec.reliablenetworks.com'     => -10.0, 

     # soft-blacklisting (positive score)
     'sender@example.net'                     =>  3.0,
     '.example.net'                           =>  1.0,
     <snip>

This needs to be redone after every ZCS upgrade, but it's easy, quick and it just works.

Hope that helps,
Mark

[moyasolutions]

Ever since the upgrade 6.07 our when our users email each other their emails are going to junk. how can we fix this?

[ewilen]

Please open a separate thread and then post some headers.