Suddenly, lots of false positive spam hits

**staufj22** · 11-03-2011, 10:49 AM

Hi All,

Been running 7.1.2 for a few months without any major issues. However, recently a lot of legitimate mail is getting categorized as spam. Even those sent from users of the system to each other is getting into the spam folder.
Can someone help me decipher what may be the issue?

Here's the message from a test mail, sent from one user to another on the same system.
mail_id: BP1OeDwqxfw0, Hits: 7.4, size: 1589, queued_as: C646BC6B8F2,
3244 ms
Nov 2 21:37:11 enterprise amavis[3853]: (03853-06) TIMING-SA total 3074
ms - parse: 1.22 (0.0%), extract_message_metadata: 27 (0.9%),
poll_dns_idle: 336 (10.9%), get_uri_detail_list: 1.11 (0.0%),
tests_pri_-1000: 1.30 (0.0%), tests_pri_-950: 0.49 (0.0%),
tests_pri_-900: 0.54 (0.0%), tests_pri_-400: 6 (0.2%), check_bayes: 5
(0.2%), tests_pri_0: 2617 (85.1%), check_dkim_adsp: 181 (5.9%),
check_spf: 326 (10.6%), check_razor2: 1815 (59.0%), check_pyzor: 261
(8.5%), tests_pri_500: 3 (0.1%), learn: 404 (13.1%), get_report: 1.39 (0.0%)

In the message header, I see DSPAM:10

I've temporarily disabled DSPAM for now
zmlocalconfig -e amavis_dspam_enabled=false
but I'd like to address the real issue...
Please advise!

EDIT: Hmm, I just realized the log I posted is just about the timing. Where do I get more detailed info on why it thinks something is spam?

**staufj22** · 11-03-2011, 11:03 AM

Ok, found the logs where it says DSPAM:Spam=10

Nov 2 21:37:11 enterprise amavis[3853]: (03853-06) DSPAM result: Spam, score=10.000, sig=
Nov 2 21:37:11 enterprise amavis[3853]: (03853-06) SPAM-TAG, <user@domain1.com> -> <user1@domain2.com>,<user2@domain2.com>, Yes, score=7.4 tagged_above=-10 required=6 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, DSPAM:Spam=10.000] autolearn=ham
Nov 2 21:37:11 enterprise postfix/smtpd[771]: connect from localhost[127.0.0.1]
Nov 2 21:37:11 enterprise postfix/smtpd[771]: C646BC6B8F2: client=localhost[127.0.0.1]
Nov 2 21:37:11 enterprise postfix/cleanup[759]: C646BC6B8F2: message-id=<4EB21AC4.8040403@domain1.com>
Nov 2 21:37:11 enterprise postfix/smtpd[771]: disconnect from localhost[127.0.0.1]

**ewilen** · 11-11-2011, 10:55 AM

For these kinds of things it's best to post the full header of an email which was classified as spam.

But here it looks like you've set a logging option which gives a little more information on the scoring, so it does look like DSPAM is what's causing the false positive.

See Using DSPAM for Spam Filtering - Zimbra :: Wiki if you'd like to adjust the score contributed by DSPAM and also Enabling DSPAM if you'd like to train DSPAM. (Advisable if you haven't done so yet.)

**staufj22** · 11-14-2011, 02:31 PM

I think the issue is probably somewhere in my configuration, but I can't figure out why. It seems that I'm getting this issue whenever the mail is sent from the mail server to itself, somehow its catching the 127.0.0.1 source and adding points from blacklists based on that source IP. For example, a mail user using the web interface to send email to another mail user. Or, as the following header for daily zimbra report.

Return-Path: zimbra@host.domain.com
Received: from host.domain.com (LHLO host.domain.com)
(67.113.20.194) by host.domain.com with LMTP; Sun, 13 Nov 2011
23:30:10 -0800 (PST)
Received: from localhost (localhost [127.0.0.1])
by host.domain.com (Postfix) with ESMTP id B9D46C66F08
for <admin@domain.com>; Sun, 13 Nov 2011 23:30:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at domain.com
X-Spam-Flag: NO
X-Spam-Score: 3.83
X-Spam-Level: ***
X-Spam-Status: No, score=3.83 tagged_above=-10 required=6
tests=[ALL_TRUSTED=-1, BAYES_00=-1.9, FUZZY_AMBIEN=0.552,
IP_LINK_PLUS=0.012, NORMAL_HTTP_TO_IP=0.001,
T_URIBL_BLACK_OVERLAP=0.01, URIBL_BLACK=1.725, URIBL_DBL_SPAM=1.7,
URIBL_WS_SURBL=1.608, URI_HEX=1.122] autolearn=no
Received: from host.domain.com ([127.0.0.1])
by localhost (host.domain.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 2fbHjmGN9ez4 for <admin@domain.com>;
Sun, 13 Nov 2011 23:30:04 -0800 (PST)
Received: from localhost.localdomain (localhost [127.0.0.1])
by host.domain.com (Postfix) with ESMTP id 8BAC6C66D38
for <admin@domain.com>; Sun, 13 Nov 2011 23:30:04 -0800 (PST)
Subject: Daily mail report for 2011-11-13
X-Mailer: Mail::Mailer[v2.07] Net::SMTP[v2.31]
To: admin@domain.com
From: admin@domain.com
Message-Id: <20111114073004.8BAC6C66D38@host.domain.com>
Date: Sun, 13 Nov 2011 23:30:04 -0800 (PST)

**ewilen** · 11-14-2011, 03:03 PM

It looks to me like the bulk of those scores are content-based. (Fuzzy-ambien, obviously; the URIBL ones are for URLs embedded in the body of the mail.)

You've apparently run into an old issue, where the text of the daily mail report contains domain names that Spamassassin doesn't like. Solution: put your logwatch and admin addresses into the admin account's white list.

The other symptoms you're talking about sound very different, so you might want to post headers from those.

**staufj22** · 11-15-2011, 10:01 PM

Thanks Elliot!
I think I found the issue now, the X-Originating-IP tag shows an IP on a block list. Is that something added by the Zimbra web client?

Return-Path: user1@domain1.com
Received: from host.domain.com (LHLO host.domain.com)
(67.113.20.194) by host.domain.com with LMTP; Tue, 8 Nov 2011
03:31:19 -0800 (PST)
Received: from localhost (localhost [127.0.0.1])
by host.domain.com (Postfix) with ESMTP id 7D477C6BCFD
for <user2@domain1.com>; Tue, 8 Nov 2011 03:31:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at domain.com
X-Spam-Flag: YES
X-Spam-Score: 6.379
X-Spam-Level: ******
X-Spam-Status: Yes, score=6.379 tagged_above=-10 required=6
tests=[BAYES_00=-1.9, HELO_NO_DOMAIN=0.001,
RCVD_IN_BRBL_LASTEXT=1.449, RCVD_IN_PBL=3.335, RCVD_IN_RP_RNBL=1.31,
RCVD_IN_SORBS_DUL=0.001, RDNS_NONE=0.793,
SHORT_HELO_AND_INLINE_IMAGE=1.39] autolearn=no
Received: from host.domain.com ([127.0.0.1])
by localhost (host.domain.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id JYSEHT61WaVf; Tue, 8 Nov 2011 03:31:16 -0800 (PST)
Received: from host.domain.com (localhost [127.0.0.1])
by host.domain.com (Postfix) with ESMTP id 9D520C6BCFC;
Tue, 8 Nov 2011 03:31:16 -0800 (PST)
Date: Tue, 08 Nov 2011 03:31:16 -0800 (PST)
From: user1 <user1@domain1.com>
To: user2 <user2@domain1.com>, XXXXX <XXXXX@yahoo.com>
Subject: Fwd: bills
Message-ID: <3ef785bf-cf31-4bba-82a4-8f998beea5b4@enterprise>
In-Reply-To: <1320725965.41221.YahooMailNeo@web39501.mail.mud.y ahoo.com>
Content-Type: multipart/mixed;
boundary="=_6db2e528-f5b4-4802-9360-9b1266107cc3"
MIME-Version: 1.0
X-Originating-IP: [118.168.111.189]
X-Mailer: Zimbra 7.1.2_GA_3268 (ZimbraWebClient - IE8 (Win)/7.1.2_GA_3268)

**phoenix** · 11-15-2011, 11:23 PM

Originally Posted by staufj22

I think I found the issue now, the X-Originating-IP tag shows an IP on a block list. Is that something added by the Zimbra web client?

Yes it is, you can disable it from being added in the Admin UI.

**staufj22** · 11-15-2011, 11:38 PM

Perfect, thanks!
Found it here
Configuration > Global Settings > MTA > Messages > Add X-Originating IP to messages

Zimbra

Thread: Suddenly, lots of false positive spam hits

LinkBack

Thread Tools

Search Thread

Display

Suddenly, lots of false positive spam hits

Thread Information

Users Browsing this Thread

Similar Threads

Email blocked as SPAM, Hits score is blank

Every day a false positive

Help mail server broadcast spam

False Spam tagging of messages from the local domain

[SOLVED] Many false positive spam after 4.5.7 upgrade

Posting Permissions