
Thread: Suddenly, lots of false positive spam hits

  1. #1
    staufj22 Guest

    Suddenly, lots of false positive spam hits

    Hi All,

    Been running 7.1.2 for a few months without any major issues. However, recently a lot of legitimate mail is getting categorized as spam. Even messages sent from users of the system to each other are getting into the spam folder.
    Can someone help me decipher what may be the issue?

    Here's the message from a test mail, sent from one user to another on the same system.
    mail_id: BP1OeDwqxfw0, Hits: 7.4, size: 1589, queued_as: C646BC6B8F2,
    3244 ms
    Nov 2 21:37:11 enterprise amavis[3853]: (03853-06) TIMING-SA total 3074
    ms - parse: 1.22 (0.0%), extract_message_metadata: 27 (0.9%),
    poll_dns_idle: 336 (10.9%), get_uri_detail_list: 1.11 (0.0%),
    tests_pri_-1000: 1.30 (0.0%), tests_pri_-950: 0.49 (0.0%),
    tests_pri_-900: 0.54 (0.0%), tests_pri_-400: 6 (0.2%), check_bayes: 5
    (0.2%), tests_pri_0: 2617 (85.1%), check_dkim_adsp: 181 (5.9%),
    check_spf: 326 (10.6%), check_razor2: 1815 (59.0%), check_pyzor: 261
    (8.5%), tests_pri_500: 3 (0.1%), learn: 404 (13.1%), get_report: 1.39 (0.0%)

    In the message header, I see DSPAM:10

    I've temporarily disabled DSPAM for now
    zmlocalconfig -e amavis_dspam_enabled=false
    but I'd like to address the real issue...
    Please advise!

    EDIT: Hmm, I just realized the log I posted is just about the timing. Where do I get more detailed info on why it thinks something is spam?

  2. #2
    staufj22 Guest

    Ok, found the logs where it says DSPAM:Spam=10

    Nov 2 21:37:11 enterprise amavis[3853]: (03853-06) DSPAM result: Spam, score=10.000, sig=
    Nov 2 21:37:11 enterprise amavis[3853]: (03853-06) SPAM-TAG, <user@domain1.com> -> <user1@domain2.com>,<user2@domain2.com>, Yes, score=7.4 tagged_above=-10 required=6 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, DSPAM:Spam=10.000] autolearn=ham
    Nov 2 21:37:11 enterprise postfix/smtpd[771]: connect from localhost[127.0.0.1]
    Nov 2 21:37:11 enterprise postfix/smtpd[771]: C646BC6B8F2: client=localhost[127.0.0.1]
    Nov 2 21:37:11 enterprise postfix/cleanup[759]: C646BC6B8F2: message-id=<4EB21AC4.8040403@domain1.com>
    Nov 2 21:37:11 enterprise postfix/smtpd[771]: disconnect from localhost[127.0.0.1]

  3. #3
    ewilen, Moderator

    For these kinds of things it's best to post the full header of an email which was classified as spam.

    But here it looks like you've set a logging option which gives a little more information on the scoring, so it does look like DSPAM is what's causing the false positive.

    See Using DSPAM for Spam Filtering - Zimbra :: Wiki if you'd like to adjust the score contributed by DSPAM and also Enabling DSPAM if you'd like to train DSPAM. (Advisable if you haven't done so yet.)

  4. #4
    staufj22 Guest

    I think the issue is probably somewhere in my configuration, but I can't figure out why. It seems that I'm getting this issue whenever the mail is sent from the mail server to itself; somehow it's catching the 127.0.0.1 source and adding points from blacklists based on that source IP. For example, a mail user using the web interface to send email to another mail user. Or, as in the following header for the daily Zimbra report.

    Return-Path: zimbra@host.domain.com
    Received: from host.domain.com (LHLO host.domain.com)
    (67.113.20.194) by host.domain.com with LMTP; Sun, 13 Nov 2011
    23:30:10 -0800 (PST)
    Received: from localhost (localhost [127.0.0.1])
    by host.domain.com (Postfix) with ESMTP id B9D46C66F08
    for <admin@domain.com>; Sun, 13 Nov 2011 23:30:10 -0800 (PST)
    X-Virus-Scanned: amavisd-new at domain.com
    X-Spam-Flag: NO
    X-Spam-Score: 3.83
    X-Spam-Level: ***
    X-Spam-Status: No, score=3.83 tagged_above=-10 required=6
    tests=[ALL_TRUSTED=-1, BAYES_00=-1.9, FUZZY_AMBIEN=0.552,
    IP_LINK_PLUS=0.012, NORMAL_HTTP_TO_IP=0.001,
    T_URIBL_BLACK_OVERLAP=0.01, URIBL_BLACK=1.725, URIBL_DBL_SPAM=1.7,
    URIBL_WS_SURBL=1.608, URI_HEX=1.122] autolearn=no
    Received: from host.domain.com ([127.0.0.1])
    by localhost (host.domain.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 2fbHjmGN9ez4 for <admin@domain.com>;
    Sun, 13 Nov 2011 23:30:04 -0800 (PST)
    Received: from localhost.localdomain (localhost [127.0.0.1])
    by host.domain.com (Postfix) with ESMTP id 8BAC6C66D38
    for <admin@domain.com>; Sun, 13 Nov 2011 23:30:04 -0800 (PST)
    Subject: Daily mail report for 2011-11-13
    X-Mailer: Mail::Mailer[v2.07] Net::SMTP[v2.31]
    To: admin@domain.com
    From: admin@domain.com
    Message-Id: <20111114073004.8BAC6C66D38@host.domain.com>
    Date: Sun, 13 Nov 2011 23:30:04 -0800 (PST)

  5. #5
    ewilen, Moderator

    It looks to me like the bulk of those scores are content-based. (Fuzzy-ambien, obviously; the URIBL ones are for URLs embedded in the body of the mail.)

    You've apparently run into an old issue, where the text of the daily mail report contains domain names that Spamassassin doesn't like. Solution: put your logwatch and admin addresses into the admin account's white list.

    The other symptoms you're talking about sound very different, so you might want to post headers from those.

  6. #6
    staufj22 Guest

    Thanks Elliot!
    I think I found the issue now: the X-Originating-IP tag shows an IP on a block list. Is that something added by the Zimbra web client?

    Return-Path: user1@domain1.com
    Received: from host.domain.com (LHLO host.domain.com)
    (67.113.20.194) by host.domain.com with LMTP; Tue, 8 Nov 2011
    03:31:19 -0800 (PST)
    Received: from localhost (localhost [127.0.0.1])
    by host.domain.com (Postfix) with ESMTP id 7D477C6BCFD
    for <user2@domain1.com>; Tue, 8 Nov 2011 03:31:19 -0800 (PST)
    X-Virus-Scanned: amavisd-new at domain.com
    X-Spam-Flag: YES
    X-Spam-Score: 6.379
    X-Spam-Level: ******
    X-Spam-Status: Yes, score=6.379 tagged_above=-10 required=6
    tests=[BAYES_00=-1.9, HELO_NO_DOMAIN=0.001,
    RCVD_IN_BRBL_LASTEXT=1.449, RCVD_IN_PBL=3.335, RCVD_IN_RP_RNBL=1.31,
    RCVD_IN_SORBS_DUL=0.001, RDNS_NONE=0.793,
    SHORT_HELO_AND_INLINE_IMAGE=1.39] autolearn=no
    Received: from host.domain.com ([127.0.0.1])
    by localhost (host.domain.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id JYSEHT61WaVf; Tue, 8 Nov 2011 03:31:16 -0800 (PST)
    Received: from host.domain.com (localhost [127.0.0.1])
    by host.domain.com (Postfix) with ESMTP id 9D520C6BCFC;
    Tue, 8 Nov 2011 03:31:16 -0800 (PST)
    Date: Tue, 08 Nov 2011 03:31:16 -0800 (PST)
    From: user1 <user1@domain1.com>
    To: user2 <user2@domain1.com>, XXXXX <XXXXX@yahoo.com>
    Subject: Fwd: bills
    Message-ID: <3ef785bf-cf31-4bba-82a4-8f998beea5b4@enterprise>
    In-Reply-To: <1320725965.41221.YahooMailNeo@web39501.mail.mud.yahoo.com>
    Content-Type: multipart/mixed;
    boundary="=_6db2e528-f5b4-4802-9360-9b1266107cc3"
    MIME-Version: 1.0
    X-Originating-IP: [118.168.111.189]
    X-Mailer: Zimbra 7.1.2_GA_3268 (ZimbraWebClient - IE8 (Win)/7.1.2_GA_3268)
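
The amavis SPAM-TAG line in post #2 and the X-Spam-Status header in post #6 carry the same `tests=[NAME=value, ...]` breakdown, and in both cases the question is "which single test (or family of tests) tipped the message over `required`?". The following triage helper is an added example, not code from the thread or from Zimbra/amavis; the two sample strings are constructed by copying the values the posts above show, and the function names (`parse_spam_status`, `triage`, and so on) are this example's own. It joins folded header lines, parses score, threshold and per-test contributions, ranks the contributors, and reports whether the message would still have been tagged with the top contributor removed, plus the combined weight of the `RCVD_IN_*` DNSBL tests.

```python
import re
from dataclasses import dataclass, field

# Constructed samples, copied from the two postings above: the amavis SPAM-TAG
# log line (post #2) and the folded X-Spam-Status header (post #6).
AMAVIS_LINE = (
    "Nov 2 21:37:11 enterprise amavis[3853]: (03853-06) SPAM-TAG, "
    "<user@domain1.com> -> <user1@domain2.com>,<user2@domain2.com>, Yes, "
    "score=7.4 tagged_above=-10 required=6 "
    "tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, DSPAM:Spam=10.000] autolearn=ham"
)

X_SPAM_STATUS = """Yes, score=6.379 tagged_above=-10 required=6
    tests=[BAYES_00=-1.9, HELO_NO_DOMAIN=0.001,
    RCVD_IN_BRBL_LASTEXT=1.449, RCVD_IN_PBL=3.335, RCVD_IN_RP_RNBL=1.31,
    RCVD_IN_SORBS_DUL=0.001, RDNS_NONE=0.793,
    SHORT_HELO_AND_INLINE_IMAGE=1.39] autolearn=no"""


@dataclass
class SpamVerdict:
    score: float
    required: float
    tests: dict = field(default_factory=dict)

    @property
    def tagged(self) -> bool:
        # amavis/SpamAssassin tag the message once the score reaches the threshold
        return self.score >= self.required


_SCORE_RE = re.compile(r"\bscore=(-?[\d.]+)")
_REQUIRED_RE = re.compile(r"\brequired=(-?[\d.]+)")
_TESTS_RE = re.compile(r"tests=\[(.*?)\]")


def parse_spam_status(text: str) -> SpamVerdict:
    """Parse score, threshold and per-test contributions out of either an
    X-Spam-Status header value (possibly folded over several lines) or an
    amavis SPAM-TAG log line; both carry the same 'tests=[NAME=value, ...]' list."""
    flat = " ".join(part.strip() for part in text.splitlines())
    score = float(_SCORE_RE.search(flat).group(1))
    required = float(_REQUIRED_RE.search(flat).group(1))
    tests = {}
    match = _TESTS_RE.search(flat)
    if match:
        for item in match.group(1).split(","):
            item = item.strip()
            if not item:
                continue
            # split on the last '=' so names such as 'DSPAM:Spam' survive intact
            name, _, value = item.rpartition("=")
            tests[name] = float(value)
    return SpamVerdict(score=score, required=required, tests=tests)


def ranked_contributors(verdict: SpamVerdict):
    """Tests ordered by how much they pushed the score up, biggest first."""
    return sorted(verdict.tests.items(), key=lambda kv: kv[1], reverse=True)


def score_without(verdict: SpamVerdict, *names: str) -> float:
    """Score the message would have had if the named tests had not fired."""
    return round(verdict.score - sum(verdict.tests.get(n, 0.0) for n in names), 3)


def family_total(verdict: SpamVerdict, prefix: str) -> float:
    """Combined contribution of all tests sharing a name prefix, e.g. 'RCVD_IN_'
    for the DNSBL lookups on the sending IP or 'URIBL_' for URLs in the body."""
    return round(sum(v for n, v in verdict.tests.items() if n.startswith(prefix)), 3)


def triage(text: str) -> dict:
    """Answer 'which test tipped this message over the threshold?' in one dict."""
    verdict = parse_spam_status(text)
    top_name, top_value = ranked_contributors(verdict)[0]
    return {
        "tagged": verdict.tagged,
        "top_test": top_name,
        "top_value": top_value,
        "tagged_without_top": score_without(verdict, top_name) >= verdict.required,
        "dnsbl_total": family_total(verdict, "RCVD_IN_"),
    }


if __name__ == "__main__":
    for sample in (AMAVIS_LINE, X_SPAM_STATUS):
        print(triage(sample))
```

Run against the two samples, the first verdict is carried entirely by `DSPAM:Spam=10.000` (without it the score is -2.6), matching post #3's conclusion, while in the second the `RCVD_IN_*` family alone sums to 6.095 and so exceeds `required=6` on its own, which is what points at the block-listed address in `X-Originating-IP` rather than at the message content.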

  7. #7
    phoenix, Zimbra Consultant & Moderator

    Quote, originally posted by staufj22:
    I think I found the issue now: the X-Originating-IP tag shows an IP on a block list. Is that something added by the Zimbra web client?

    Yes it is; you can disable it from being added in the Admin UI.
    Regards

    Bill

  8. #8
    staufj22 Guest

    Perfect, thanks!
    Found it here:
    Configuration > Global Settings > MTA > Messages > Add X-Originating IP to messages
