Thread: Quarantined spam delivered to admin account since 8.0.3

  1. #1
    Klug (Moderator)

    We've seen this on two different platforms (with different admins, one OSE and one multi-server NE).

    Since 8.0.3, the admin mailbox gets a copy of all quarantined spam (marked as spam by SpamAssassin).

    Actually the problem is twofold.
    First, the spam should not be quarantined (it's spam, not viruses, and amavis is set up to deliver all spam to end users).
    Second, the admin account gets this copy and there is nothing delivered to the spam account (while when a user marks a spam, it is correctly copied to the spam account's inbox).

    The sender is "Content-type at zimbra-mta.domain.tld" (replace with real server name) and the message looks like this:
    Code:
    Content type: Spam
    Internal reference code for the message is 08654-07/zsatBFY44RuA
    
    First upstream SMTP client IP address: [127.0.0.1] localhost.localdomain
    According to a 'Received:' trace, the message apparently originated at:
      [162.105.243.14], localhost localhost.localdomain [127.0.0.1]
    
    Return-Path: <xcrfzrbtse@docomo.ne.jp>
    From: <smfkopcvgb@docomo.ne.jp>
    Message-ID: <20130526165245.10AE573@zimbra-mta.domain.tld>
    Subject: {Spam?}
      =?ISO-2022-JP?B?GyRCJV8lSyVtJUgkPyRDJD8jNTh9JEdFdkEqOzBLZiEqIVo1ZjZLJE4hSU4iIUlJLExZMXw1QSFbP2skSzh4MyshKhsoQg==?=
    The message has been quarantined as: spam-zsatBFY44RuA.gz
    
    The message WILL BE relayed to:
    <user@domain.tld>
    
    Spam scanner report:
    Spam detection software, running on the system "zimbra-mta.domain.tld",
    has identified this incoming email as possible spam.  The original
    message has been attached to this so you can view it or label
    similar future email.  If you have any questions, see
    @@CONTACT_ADDRESS@@ for details.
    
    Content preview:  ////  ƒ~ƒjƒƒg”— ””“`  ////                           
       * „  „ャ–。・'*:.„Ÿ„Ÿ„Ÿ„Ÿ„Ÿ„Ÿ„Ÿ„Ÿ„Ÿ„Ÿ„Ÿ„Ÿ„Ÿ„Ÿ„** „ 人 „                    „
       人  ̄‚x ̄„ ‚ ‚‚‚ƒMƒƒƒ“ƒuƒ‹‚ŽŽ‚オ’…‚「‚ス–@‘・… „  ̄‚x ̄  „ * „                    „
       „ * „ッ„Ÿ„Ÿ„Ÿ„Ÿ„Ÿ„Ÿ„Ÿ„Ÿ„Ÿ„Ÿ„Ÿ„Ÿ„Ÿ。.'゜*:・–„ョ [...] 
    
    Content analysis details:   (19.5 points, 5.0 required)
    
     pts rule name              description
    ---- ---------------------- --------------------------------------------------
     1.6 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                                [URIs: loto-x.info]
     1.2 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
                                [URIs: loto-x.info]
     0.6 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
                                [URIs: loto-x.info]
    -1.0 ALL_TRUSTED            Passed through trusted hosts only via SMTP
     3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                                [score: 1.0000]
     0.0 T_LONG_HEADER_LINE_80  A header line contains 80-159 characters
     1.0 HK_RANDOM_FROM         From username looks random
     0.0 HK_RANDOM_ENVFROM      Envelope sender username looks random
     2.3 FSL_HELO_BARE_IP_1     FSL_HELO_BARE_IP_1
     0.0 T_FSL_HELO_NON_FQDN_2  T_FSL_HELO_NON_FQDN_2
     0.0 T_FSL_HELO_BARE_IP_2   T_FSL_HELO_BARE_IP_2
     6.0 SPAM_MC                Spam detecte par le Cluster MailCleaner
     0.1 URIBL_SBL_A            Contains URL's A record listed in the SBL blocklist
                                [URIs: loto-x.info]
     1.7 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                                [URIs: loto-x.info]
     1.6 URIBL_SBL              Contains an URL listed in the SBL blocklist
                                [URIs: loto-x.info]
     0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
    -0.0 T_NOT_A_PERSON         List, replier, bot, etc.  Filters: skip auto-reply
    
    Return-Path: <xcrfzrbtse@docomo.ne.jp>
    Received: from localhost (localhost.localdomain [127.0.0.1])
            by zimbra-mta.domain.tld (Postfix) with ESMTP id 396FB83
            for <user@domain.tld>; Sun, 26 May 2013 18:52:45 +0200 (CEST)
    X-Virus-Scanned: amavisd-new at admin-domain.tld
    Received: from zimbra-mta.domain.tld ([127.0.0.1])
            by localhost (zimbra-mta.domain.tld [127.0.0.1]) (amavisd-new, port 10026)
            with ESMTP id VQGrtwDrMpRA for <user@domain.tld>;
            Sun, 26 May 2013 18:52:45 +0200 (CEST)
    Received: from domain.tld (external-mta-relay [192.168.101.118])
            by zimbra-mta.domain.tld (Postfix) with ESMTPS id 10AE573
            for <dd.34@domain.tld>; Sun, 26 May 2013 18:52:45 +0200 (CEST)
    Received: from [162.105.243.14] (helo=62.93.225.70)
            by domain.tld stage1 with smtp 
            (Exim MailCleaner) 
            id 1UgeBX-0003kV-Dw 
            for <user@domain.tld> 
            from <xcrfzrbtse@docomo.ne.jp>; Sun, 26 May 2013 18:52:44 +0200
    X-MailCleaner-SPF: softfail
    From: <smfkopcvgb@docomo.ne.jp>
    To: user@domain.tld
    Date: Mon, 27 May 2013 01:52:40 +0900
    X-Info:user@domain.tld
    MIME-Version: 1.0
    Content-Type: text/plain; charset="Shift_JIS"
    List-Id: 8
    X-NiceBayes: disabled (no database ?)
    X-PreRBLs: is spam (SPAMHAUS)
    X-MailCleaner-Information: Please contact  for more information
    X-MailCleaner-ID: 1UgeBY-0003kZ-7u
    X-MailCleaner: Found to be clean
    X-MailCleaner-SpamCheck: spam, PreRBLs (SPAMHAUS)
    Subject: {Spam?} =?ISO-2022-JP?B?GyRCJV8lSyVtJUgkPyRDJD8jNTh9JEdFdkEqOzBLZiEqIVo1ZjZLJE4hSU4iIUlJLExZMXw1QSFbP2skSzh4MyshKhsoQg==?=
    Message-Id: <20130526165245.10AE573@zimbra-mta.domain.tld>

  2. #2
    quanah (Zimbra Employee)

    Hm, main difference I see between 7 and 8 is this line is commented out:

    # $sa_quarantine_cutoff_level = 25; # spam level beyond which quarantine is off

    in /opt/zimbra/conf/amavisd.conf.in

    Try uncommenting it and restarting amavis.

    --Quanah
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    --------------------
    Zimbra :: the leader in open source messaging and collaboration

  3. #3
    quanah (Zimbra Employee)

    Actually, replace the line with:

    $sa_quarantine_cutoff_level = %%range VAR:zimbraSpamKillPercent 0 20%%; # spam level beyond which quarantine is off
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    --------------------
    Zimbra :: the leader in open source messaging and collaboration
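
A check for the setting discussed in posts #2 and #3, as an added example that is not part of the original thread and is not Zimbra's own tooling: the hypothetical `cutoff_state` function reports whether `$sa_quarantine_cutoff_level` is missing, commented out, set to a literal value, or set to the `%%range ...%%` template in a given file. The sample files are constructed from the three forms of the line quoted in the thread.

```shell
#!/bin/sh
# Added example: classify how $sa_quarantine_cutoff_level is set in a file.
# Prints one of: missing | commented | template:<expr> | active:<value>
cutoff_state() {
    file=$1
    key='\$sa_quarantine_cutoff_level[[:space:]]*='
    # Only uncommented assignments count; the last one wins, as in Perl.
    active=$(grep -E "^[[:space:]]*${key}" "$file" | tail -n 1)
    if [ -z "$active" ]; then
        if grep -Eq "^[[:space:]]*#.*${key}" "$file"; then
            echo commented      # the state post #2 describes for version 8
        else
            echo missing
        fi
        return 0
    fi
    # Keep the right-hand side: drop everything up to '=', then ';' and the comment.
    value=$(printf '%s\n' "$active" |
        sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*;.*$//')
    case $value in
        %%*%%) echo "template:$value" ;;   # the replacement line from post #3
        *)     echo "active:$value" ;;     # a literal such as 25
    esac
}

# Constructed sample files, one per form of the line quoted in the thread.
demo_dir=$(mktemp -d)
printf '%s\n' '# $sa_quarantine_cutoff_level = 25; # spam level beyond which quarantine is off' \
    > "$demo_dir/commented.conf"
printf '%s\n' '$sa_quarantine_cutoff_level = 25; # spam level beyond which quarantine is off' \
    > "$demo_dir/literal.conf"
printf '%s\n' '$sa_quarantine_cutoff_level = %%range VAR:zimbraSpamKillPercent 0 20%%; # spam level beyond which quarantine is off' \
    > "$demo_dir/template.conf.in"

for f in "$demo_dir"/*; do
    printf '%s: %s\n' "${f##*/}" "$(cutoff_state "$f")"
done
```

On a real server, pass the path from post #2, `/opt/zimbra/conf/amavisd.conf.in`, as the argument.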

  4. #4
    Klug (Moderator)

    Thank you for the workaround and the fix.
