Same email (spam), one is quarantined, one is delivered

dthompson

I have a weird problem and I don't know how to solve it. I am seeing emails start to come through where one email for a user @domainA.com gets quarantined, but the same email for a user @domainB.com gets delivered. I don't know what to do in order to solve this.

Quarantined Email:


Sep 02 11:12:37 | rhetoric@bakenest.pro | mvf@domainA.com | quarantine
Sep 2 11:12:35 swarmx1 postfix/smtpd[1866303]: connect from unknown[45.131.0.36]
Sep 2 11:12:35 swarmx1 postfix/smtpd[1866303]: AB33B121099: client=unknown[45.131.0.36]
Sep 2 11:12:35 swarmx1 postfix/cleanup[1866304]: AB33B121099: message-id=<uCPgbWevNJgympfobbyUn7U1yUJXnJ45hzbTl8Ak-5E.GcqDfufSLC4NBDGx3iJmeRFvnK2LKxYd-xNyGOFQDGc@bakenest.pro>
Sep 2 11:12:35 swarmx1 postfix/qmgr[1600497]: AB33B121099: from=<rhetoric@bakenest.pro>, size=9797, nrcpt=1 (queue active)
Sep 2 11:12:36 swarmx1 pmg-smtp-filter[1865669]: 1212B35D6D316406AF5: new mail message-id=<uCPgbWevNJgympfobbyUn7U1yUJXnJ45hzbTl8Ak-5E.GcqDfufSLC4NBDGx3iJmeRFvnK2LKxYd-xNyGOFQDGc@bakenest.pro>
Sep 2 11:12:36 swarmx1 postfix/smtpd[1866303]: disconnect from unknown[45.131.0.36] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Sep 2 11:12:37 swarmx1 pmg-smtp-filter[1865669]: 1212B35D6D316406AF5: SA score=3/5 time=1.847 bayes=0.88 autolearn=no autolearn_force=no hits=BAYES_80(2),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),FROMSPACE(0.001),FROM_SUSPICIOUS_NTLD(0.499),HTML_MESSAGE(0.001),RDNS_NONE(0.793),SPF_HELO_PASS(-0.001),SPF_PASS(-0.001),T_REMOTE_IMAGE(0.01)
Sep 2 11:12:37 swarmx1 pmg-smtp-filter[1865669]: 1212B35D6D316406AF5: moved mail for <mvf@domainA.com> to spam quarantine - 1212B75D6D3165E0696 (rule: Quarantine/Mark Spam (Level 3))
Sep 2 11:12:37 swarmx1 pmg-smtp-filter[1865669]: 1212B35D6D316406AF5: processing time: 1.895 seconds (1.847, 0.032, 0)
Sep 2 11:12:37 swarmx1 postfix/lmtp[1866225]: AB33B121099: to=<mvf@domainA.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.3, delays=0.25/0/0.1/1.9, dsn=2.5.0, status=sent (250 2.5.0 OK (1212B35D6D316406AF5))
Sep 2 11:12:37 swarmx1 postfix/qmgr[1600497]: AB33B121099: removed


Delivered Email:

Sep 02 11:12:37 | rhetoric@bakenest.pro | david@domainB.com | accepted/delivered
Sep 2 11:12:35 swarmx1 postfix/smtpd[1866302]: connect from unknown[45.131.0.36]
Sep 2 11:12:35 swarmx1 postfix/smtpd[1866302]: A97D1120F04: client=unknown[45.131.0.36]
Sep 2 11:12:35 swarmx1 postfix/cleanup[1866132]: A97D1120F04: message-id=<VMrRXp9TpZ2CIzHsW5wpUWp1XGSv_0nrCXALdRaY3XI.evUT4d0lHf0H2E-8az3Qjed_76DvRZQXddAODZRcqFo@bakenest.pro>
Sep 2 11:12:35 swarmx1 postfix/qmgr[1600497]: A97D1120F04: from=<rhetoric@bakenest.pro>, size=10101, nrcpt=1 (queue active)
Sep 2 11:12:36 swarmx1 pmg-smtp-filter[1866226]: 1212B65D6D316406B28: new mail message-id=<VMrRXp9TpZ2CIzHsW5wpUWp1XGSv_0nrCXALdRaY3XI.evUT4d0lHf0H2E-8az3Qjed_76DvRZQXddAODZRcqFo@bakenest.pro>
Sep 2 11:12:36 swarmx1 postfix/smtpd[1866302]: disconnect from unknown[45.131.0.36] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Sep 2 11:12:37 swarmx1 pmg-smtp-filter[1866226]: 1212B65D6D316406B28: SA score=2/5 time=1.845 bayes=0.68 autolearn=no autolearn_force=no hits=AWL(0.250),BAYES_60(1.5),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),FROMSPACE(0.001),FROM_SUSPICIOUS_NTLD(0.499),HTML_MESSAGE(0.001),RDNS_NONE(0.793),SPF_HELO_PASS(-0.001),SPF_PASS(-0.001),T_REMOTE_IMAGE(0.01)
Sep 2 11:12:37 swarmx1 postfix/smtpd[1866315]: connect from localhost[127.0.0.1]
Sep 2 11:12:37 swarmx1 postfix/smtpd[1866315]: E2A96121099: client=localhost[127.0.0.1], orig_client=unknown[45.131.0.36]
Sep 2 11:12:37 swarmx1 postfix/cleanup[1866132]: E2A96121099: message-id=<VMrRXp9TpZ2CIzHsW5wpUWp1XGSv_0nrCXALdRaY3XI.evUT4d0lHf0H2E-8az3Qjed_76DvRZQXddAODZRcqFo@bakenest.pro>
Sep 2 11:12:37 swarmx1 postfix/qmgr[1600497]: E2A96121099: from=<rhetoric@bakenest.pro>, size=11309, nrcpt=1 (queue active)
Sep 2 11:12:37 swarmx1 pmg-smtp-filter[1866226]: 1212B65D6D316406B28: accept mail to <david@domainB.com> (E2A96121099) (rule: default-accept)
Sep 2 11:12:37 swarmx1 postfix/smtpd[1866315]: disconnect from localhost[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Sep 2 11:12:37 swarmx1 pmg-smtp-filter[1866226]: 1212B65D6D316406B28: processing time: 1.903 seconds (1.845, 0.029, 0)
Sep 2 11:12:37 swarmx1 postfix/lmtp[1866133]: A97D1120F04: to=<david@domainB.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.3, delays=0.25/0/0.11/1.9, dsn=2.5.0, status=sent (250 2.5.0 OK (1212B65D6D316406B28))
Sep 2 11:12:37 swarmx1 postfix/qmgr[1600497]: A97D1120F04: removed
Sep 2 11:12:38 swarmx1 postfix/smtp[1866288]: E2A96121099: to=<david@domainB.com>, relay=192.168.11.220[192.168.11.220]:25, delay=0.54, delays=0/0/0.02/0.51, dsn=2.0.0, status=sent (250 Mail queued for delivery)
Sep 2 11:12:38 swarmx1 postfix/qmgr[1600497]: E2A96121099: removed



Can someone please shed some light on this as to why an identical email gets quarantined for one domain but delivered for another? That's very inconsistent and I don't know how to outright stop that from happening.

I'm currently still on PMG 5.2.7 and have not yet upgraded to version 6 as of yet.

Thank you!!
 
hmm - seems that the most relevant difference between both mails is the bayes score - once it's considered only 60% likely to be spam (1.5 points in SpamAssassin), once it's considered 80% likely to be spam (2.0 points).

And this makes the difference between a score of 2 (deliver) and 3 (quarantine) in your setup.

* How do you train your bayes filter?
* What does the E-mail get when you disable bayes filtering?

I hope this helps!
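
To see which rules separate the two verdicts, the two "SA score" lines from the logs above can be parsed and diffed. This is an added example, not part of the original posts or of PMG itself; the function names are hypothetical, and the sample input is the two filter lines copied from the thread.

```python
import re

# Sample input: the two pmg-smtp-filter "SA score" lines from the thread.
LOG = """\
Sep 2 11:12:37 swarmx1 pmg-smtp-filter[1865669]: 1212B35D6D316406AF5: SA score=3/5 time=1.847 bayes=0.88 autolearn=no autolearn_force=no hits=BAYES_80(2),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),FROMSPACE(0.001),FROM_SUSPICIOUS_NTLD(0.499),HTML_MESSAGE(0.001),RDNS_NONE(0.793),SPF_HELO_PASS(-0.001),SPF_PASS(-0.001),T_REMOTE_IMAGE(0.01)
Sep 2 11:12:37 swarmx1 pmg-smtp-filter[1866226]: 1212B65D6D316406B28: SA score=2/5 time=1.845 bayes=0.68 autolearn=no autolearn_force=no hits=AWL(0.250),BAYES_60(1.5),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),FROMSPACE(0.001),FROM_SUSPICIOUS_NTLD(0.499),HTML_MESSAGE(0.001),RDNS_NONE(0.793),SPF_HELO_PASS(-0.001),SPF_PASS(-0.001),T_REMOTE_IMAGE(0.01)
"""

# Filter id, the two numbers in "score=3/5", and the comma-separated hit list.
SA_RE = re.compile(
    r"pmg-smtp-filter\[\d+\]: (\w+): SA score=(\d+)/(\d+) .*?hits=(\S+)")
# One hit, e.g. "BAYES_80(2)" or "DKIM_VALID(-0.1)".
HIT_RE = re.compile(r"([A-Z0-9_]+)\((-?[\d.]+)\)")


def parse_sa_lines(text):
    """Map filter id -> logged score, second score number, and per-rule hits."""
    out = {}
    for m in SA_RE.finditer(text):
        fid, logged, second, hits = m.groups()
        out[fid] = {
            "logged": int(logged),
            "second": int(second),
            "hits": {name: float(val) for name, val in HIT_RE.findall(hits)},
        }
    return out


def diff_hits(a, b):
    """Rules that differ: name -> (score in a or None, score in b or None)."""
    return {r: (a.get(r), b.get(r))
            for r in sorted(set(a) | set(b)) if a.get(r) != b.get(r)}


def total(hits):
    """Sum of all rule scores, rounded to the precision used in the log."""
    return round(sum(hits.values()), 3)


if __name__ == "__main__":
    msgs = parse_sa_lines(LOG)
    quarantined = msgs["1212B35D6D316406AF5"]
    delivered = msgs["1212B65D6D316406B28"]
    print(diff_hits(quarantined["hits"], delivered["hits"]))
    print(total(quarantined["hits"]), total(delivered["hits"]))
```

On these two lines the only differing rules are BAYES_80, BAYES_60 and AWL, and the summed hits come to 3.102 and 2.852, so the two messages sit 0.25 points apart on either side of the level 3 rule.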
 

Thanks for the reply.

* How do you train your bayes filter?
>> I use sa-learn if that's what you are referring to. I have emails that users mark as "junk" and then import those emails via sa-learn command

* What does the E-mail get when you disable bayes filtering?
>> How does one disable the Bayes filtering?
 
I use sa-learn if that's what you are referring to. I have emails that users mark as "junk" and then import those emails via sa-learn command
sounds good!

How does one disable the Bayes filtering?
in the GUI->'Configuration'->'Spam Detector'->'Options'->'Use Bayesian Filter'

I hope this helps!
 
