Same email (spam), one is quarantined, one is delivered

dthompson

I have a weird problem and I don't know how to solve it. I am seeing emails start to come through where one email for a user @domainA.com gets quarantined, but the same email for a user @domainB.com gets delivered. I don't know what to do in order to solve this.

Quarantined Email:

Sep 02 11:12:37  from: rhetoric@bakenest.pro  to: mvf@domainA.com  status: quarantine
Sep 2 11:12:35 swarmx1 postfix/smtpd[1866303]: connect from unknown[45.131.0.36]
Sep 2 11:12:35 swarmx1 postfix/smtpd[1866303]: AB33B121099: client=unknown[45.131.0.36]
Sep 2 11:12:35 swarmx1 postfix/cleanup[1866304]: AB33B121099: message-id=<uCPgbWevNJgympfobbyUn7U1yUJXnJ45hzbTl8Ak-5E.GcqDfufSLC4NBDGx3iJmeRFvnK2LKxYd-xNyGOFQDGc@bakenest.pro>
Sep 2 11:12:35 swarmx1 postfix/qmgr[1600497]: AB33B121099: from=<rhetoric@bakenest.pro>, size=9797, nrcpt=1 (queue active)
Sep 2 11:12:36 swarmx1 pmg-smtp-filter[1865669]: 1212B35D6D316406AF5: new mail message-id=<uCPgbWevNJgympfobbyUn7U1yUJXnJ45hzbTl8Ak-5E.GcqDfufSLC4NBDGx3iJmeRFvnK2LKxYd-xNyGOFQDGc@bakenest.pro>
Sep 2 11:12:36 swarmx1 postfix/smtpd[1866303]: disconnect from unknown[45.131.0.36] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Sep 2 11:12:37 swarmx1 pmg-smtp-filter[1865669]: 1212B35D6D316406AF5: SA score=3/5 time=1.847 bayes=0.88 autolearn=no autolearn_force=no hits=BAYES_80(2),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),FROMSPACE(0.001),FROM_SUSPICIOUS_NTLD(0.499),HTML_MESSAGE(0.001),RDNS_NONE(0.793),SPF_HELO_PASS(-0.001),SPF_PASS(-0.001),T_REMOTE_IMAGE(0.01)
Sep 2 11:12:37 swarmx1 pmg-smtp-filter[1865669]: 1212B35D6D316406AF5: moved mail for <mvf@domainA.com> to spam quarantine - 1212B75D6D3165E0696 (rule: Quarantine/Mark Spam (Level 3))
Sep 2 11:12:37 swarmx1 pmg-smtp-filter[1865669]: 1212B35D6D316406AF5: processing time: 1.895 seconds (1.847, 0.032, 0)
Sep 2 11:12:37 swarmx1 postfix/lmtp[1866225]: AB33B121099: to=<mvf@domainA.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.3, delays=0.25/0/0.1/1.9, dsn=2.5.0, status=sent (250 2.5.0 OK (1212B35D6D316406AF5))
Sep 2 11:12:37 swarmx1 postfix/qmgr[1600497]: AB33B121099: removed


Delivered Email:

Sep 02 11:12:37  from: rhetoric@bakenest.pro  to: david@domainB.com  status: accepted/delivered
Sep 2 11:12:35 swarmx1 postfix/smtpd[1866302]: connect from unknown[45.131.0.36]
Sep 2 11:12:35 swarmx1 postfix/smtpd[1866302]: A97D1120F04: client=unknown[45.131.0.36]
Sep 2 11:12:35 swarmx1 postfix/cleanup[1866132]: A97D1120F04: message-id=<VMrRXp9TpZ2CIzHsW5wpUWp1XGSv_0nrCXALdRaY3XI.evUT4d0lHf0H2E-8az3Qjed_76DvRZQXddAODZRcqFo@bakenest.pro>
Sep 2 11:12:35 swarmx1 postfix/qmgr[1600497]: A97D1120F04: from=<rhetoric@bakenest.pro>, size=10101, nrcpt=1 (queue active)
Sep 2 11:12:36 swarmx1 pmg-smtp-filter[1866226]: 1212B65D6D316406B28: new mail message-id=<VMrRXp9TpZ2CIzHsW5wpUWp1XGSv_0nrCXALdRaY3XI.evUT4d0lHf0H2E-8az3Qjed_76DvRZQXddAODZRcqFo@bakenest.pro>
Sep 2 11:12:36 swarmx1 postfix/smtpd[1866302]: disconnect from unknown[45.131.0.36] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Sep 2 11:12:37 swarmx1 pmg-smtp-filter[1866226]: 1212B65D6D316406B28: SA score=2/5 time=1.845 bayes=0.68 autolearn=no autolearn_force=no hits=AWL(0.250),BAYES_60(1.5),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),FROMSPACE(0.001),FROM_SUSPICIOUS_NTLD(0.499),HTML_MESSAGE(0.001),RDNS_NONE(0.793),SPF_HELO_PASS(-0.001),SPF_PASS(-0.001),T_REMOTE_IMAGE(0.01)
Sep 2 11:12:37 swarmx1 postfix/smtpd[1866315]: connect from localhost[127.0.0.1]
Sep 2 11:12:37 swarmx1 postfix/smtpd[1866315]: E2A96121099: client=localhost[127.0.0.1], orig_client=unknown[45.131.0.36]
Sep 2 11:12:37 swarmx1 postfix/cleanup[1866132]: E2A96121099: message-id=<VMrRXp9TpZ2CIzHsW5wpUWp1XGSv_0nrCXALdRaY3XI.evUT4d0lHf0H2E-8az3Qjed_76DvRZQXddAODZRcqFo@bakenest.pro>
Sep 2 11:12:37 swarmx1 postfix/qmgr[1600497]: E2A96121099: from=<rhetoric@bakenest.pro>, size=11309, nrcpt=1 (queue active)
Sep 2 11:12:37 swarmx1 pmg-smtp-filter[1866226]: 1212B65D6D316406B28: accept mail to <david@domainB.com> (E2A96121099) (rule: default-accept)
Sep 2 11:12:37 swarmx1 postfix/smtpd[1866315]: disconnect from localhost[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Sep 2 11:12:37 swarmx1 pmg-smtp-filter[1866226]: 1212B65D6D316406B28: processing time: 1.903 seconds (1.845, 0.029, 0)
Sep 2 11:12:37 swarmx1 postfix/lmtp[1866133]: A97D1120F04: to=<david@domainB.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.3, delays=0.25/0/0.11/1.9, dsn=2.5.0, status=sent (250 2.5.0 OK (1212B65D6D316406B28))
Sep 2 11:12:37 swarmx1 postfix/qmgr[1600497]: A97D1120F04: removed
Sep 2 11:12:38 swarmx1 postfix/smtp[1866288]: E2A96121099: to=<david@domainB.com>, relay=192.168.11.220[192.168.11.220]:25, delay=0.54, delays=0/0/0.02/0.51, dsn=2.0.0, status=sent (250 Mail queued for delivery)
Sep 2 11:12:38 swarmx1 postfix/qmgr[1600497]: E2A96121099: removed



Can someone please shed some light on this as to why an identical email gets quarantined for one domain but delivered for another? That's very inconsistent and I don't know how to outright stop that from happening.

I'm currently still on PMG 5.2.7 and have not yet upgraded to version 6.

Thank you!!
 
hmm - seems that the most relevant difference between both mails is the bayes score - once it's considered only 60% likely to be spam (1.5 points in SpamAssassin), once it's considered 80% likely to be spam (2.0 points).

And this makes the difference between a score of 2 (deliver) and 3 (quarantine) in your setup.

* How do you train your bayes filter?
* What does the E-mail get when you disable bayes filtering?

I hope this helps!
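To make the comparison in the reply above concrete, here is a small added script (not part of the thread or of PMG) that parses the two pmg-smtp-filter "SA score" lines quoted in the post, sums the rule hits, and lists exactly which rules differ between the quarantined and the delivered copy. It assumes PMG truncates the summed points to the integer spam level that the "Level 3" quarantine rule matches on; both quoted lines (3.102 logged as 3, 2.852 logged as 2) agree with that assumption.

```python
import re

# The two pmg-smtp-filter "SA score" lines quoted in the post above (copied, not constructed).
QUARANTINED = (
    "Sep 2 11:12:37 swarmx1 pmg-smtp-filter[1865669]: 1212B35D6D316406AF5: SA score=3/5 "
    "time=1.847 bayes=0.88 autolearn=no autolearn_force=no hits=BAYES_80(2),DKIM_SIGNED(0.1),"
    "DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),FROMSPACE(0.001),"
    "FROM_SUSPICIOUS_NTLD(0.499),HTML_MESSAGE(0.001),RDNS_NONE(0.793),SPF_HELO_PASS(-0.001),"
    "SPF_PASS(-0.001),T_REMOTE_IMAGE(0.01)"
)
DELIVERED = (
    "Sep 2 11:12:37 swarmx1 pmg-smtp-filter[1866226]: 1212B65D6D316406B28: SA score=2/5 "
    "time=1.845 bayes=0.68 autolearn=no autolearn_force=no hits=AWL(0.250),BAYES_60(1.5),"
    "DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),FROMSPACE(0.001),"
    "FROM_SUSPICIOUS_NTLD(0.499),HTML_MESSAGE(0.001),RDNS_NONE(0.793),SPF_HELO_PASS(-0.001),"
    "SPF_PASS(-0.001),T_REMOTE_IMAGE(0.01)"
)

LINE_RE = re.compile(r"SA score=(\d+)/(\d+) .*?\bhits=(\S+)")
HIT_RE = re.compile(r"([A-Z0-9_]+)\(([-+]?[0-9.]+)\)")


def parse_sa_line(line):
    """Return (logged_score, required, {rule: points}) for one SA score line."""
    m = LINE_RE.search(line)
    if m is None:
        raise ValueError("not a pmg-smtp-filter SA score line")
    hits = {name: float(pts) for name, pts in HIT_RE.findall(m.group(3))}
    return int(m.group(1)), int(m.group(2)), hits


def spam_level(hits):
    """Sum the rule points and return (total, level). Assumption: PMG truncates
    the total to the integer spam level used by rule matching; both quoted lines
    (3.102 -> 3, 2.852 -> 2) fit that, whereas rounding would have given 3 twice."""
    total = sum(hits.values())
    return total, int(total)


def explain_difference(line_a, line_b):
    """Return (level_a, level_b, {rule: (points_a, points_b)}) listing only the
    rules whose points differ between the two messages."""
    _, _, hits_a = parse_sa_line(line_a)
    _, _, hits_b = parse_sa_line(line_b)
    diff = {}
    for rule in sorted(set(hits_a) | set(hits_b)):
        pa, pb = hits_a.get(rule, 0.0), hits_b.get(rule, 0.0)
        if pa != pb:
            diff[rule] = (pa, pb)
    return spam_level(hits_a)[1], spam_level(hits_b)[1], diff
```

Running `explain_difference(QUARANTINED, DELIVERED)` reports levels 3 and 2 and only three differing rules: BAYES_80 (2.0) against BAYES_60 (1.5) plus an AWL adjustment of 0.25 on the delivered copy, so the Bayes classification alone moves the message across the Level 3 boundary.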
 


Thanks for the reply.

* How do you train your bayes filter?
>> I use sa-learn if that's what you are referring to. I have emails that users mark as "junk" and then import those emails via the sa-learn command

* What does the E-mail get when you disable bayes filtering?
>> How does one disable the Bayes filtering?
 
I use sa-learn if that's what you are referring to. I have emails that users mark as "junk" and then import those emails via the sa-learn command
sounds good!

How does one disable the Bayes filtering?
in the GUI->'Configuration'->'Spam Detector'->'Options'->'Use Bayesian Filter'

I hope this helps!