Mail quarantined showing address on user blacklist, but it isn't

[nlong]

Greetings.

I've had a PMG set up for a little over a year. My boss is complaining because our payroll system's (Gusto) emails are being quarantined. When I look at the tracking, it shows that the emails are "sender in user (*****) blacklist". I've checked the user blacklist and the global blacklist and it isn't listed in either. Also, the HR person has not had any issues with the emails being quarantined.

I'm stumped. Any suggestions would be greatly appreciated.

 

[Stoiko Ivanov]

show the complete log for the mail - this should explain which address is listed on the user blacklist of which user ....

 

[nlong]

This one came in this morning.


Aug 10 08:50:30 pmg postfix/smtpd[56331]: connect from o1.email.zenpayroll.com[198.37.158.81]
Aug 10 08:50:30 pmg postfix/smtpd[56331]: BF4F9C01F9: client=o1.email.zenpayroll.com[198.37.158.81]
Aug 10 08:50:30 pmg postfix/cleanup[56335]: BF4F9C01F9: message-id=<62f3a9952f96_8815970168224@within-one-hour-read-only-worker-697d8bbd6f-fzd6b.mail>
Aug 10 08:50:31 pmg postfix/qmgr[901]: BF4F9C01F9: from=<bounces+481183-a5c1-jboutwell=aquilasolutions.us@email.gusto.com>, size=30118, nrcpt=1 (queue active)
Aug 10 08:50:31 pmg pmg-smtp-filter[54769]: 20AD362F3A99717B71: new mail message-id=<62f3a9952f96_8815970168224@within-one-hour-read-only-worker-697d8bbd6f-fzd6b.mail>#012
Aug 10 08:50:31 pmg postfix/smtpd[56331]: disconnect from o1.email.zenpayroll.com[198.37.158.81] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Aug 10 08:50:38 pmg pmg-smtp-filter[54769]: 20AD362F3A99717B71: SA score=0/5 time=7.002 bayes=0.00 autolearn=no autolearn_force=no hits=AWL(-1.290),BAYES_00(-1.9),DKIM_INVALID(0.1),DKIM_SIGNED(0.1),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),KAM_REALLYHUGEIMGSRC(0.5),RCVD_IN_DNSWL_BLOCKED(0.001),RCVD_IN_MSPIKE_H2(-0.001),SPF_HELO_NONE(0.001),SPF_PASS(-0.001),T_SCC_BODY_TEXT_LINE(-0.01),URIBL_BLOCKED(0.001)
Aug 10 08:50:38 pmg pmg-smtp-filter[54769]: 20AD362F3A99717B71: sender in user (jboutwell@aquilasolutions.us) blacklist
Aug 10 08:50:38 pmg pmg-smtp-filter[54769]: 20AD362F3A99717B71: moved mail for <jboutwell@aquilasolutions.us> to spam quarantine - 20D0D62F3A99E37568 (rule: Quarantine/Mark Spam (Level 3))
Aug 10 08:50:38 pmg pmg-smtp-filter[54769]: 20AD362F3A99717B71: processing time: 7.14 seconds (7.002, 0.096, 0)
Aug 10 08:50:38 pmg postfix/lmtp[56336]: BF4F9C01F9: to=<jboutwell@aquilasolutions.us>, relay=127.0.0.1[127.0.0.1]:10024, delay=7.6, delays=0.39/0.04/0/7.1, dsn=2.5.0, status=sent (250 2.5.0 OK (20AD362F3A99717B71))
Aug 10 08:50:38 pmg postfix/qmgr[901]: BF4F9C01F9: removed

 

[Stoiko Ivanov]

check the user blacklist of jboutwell@aquilasolutions.us - you should find that it contains the address listed in the relevant headers of the mail.

I hope this helps!

 

[nlong]

That is the problem. I don't see anything in his blacklist that would flag these emails.

This is all he has in his blacklist.

 

[Stoiko Ivanov]

-jboutwell=aquilasolutions.us

from the logs matches the first entry in your screenshot?

 

[nlong]

OH, I see it now. You're exactly right. It sees -jboutwell=aquilasolutions.us in the header. I honestly have no clue why he put that in his blacklist, but that would probably do it.

 

[Stoiko Ivanov]

glad we cleared that up