Spam detection software has identified this incoming email as possible spam

iodisciple

Hi all,

On our DirectAdmin servers I'm getting reports (since today) that mail is marked as spam, which it isn't. It's from [email protected] to [email protected] (so from and to the same domain). I attach the analysis details of 2 of these messages.

Message 1:
Code:
Content analysis details:   (6.9 points, 3.0 required)

pts rule name              description
---- ---------------------- --------------------------------------------------
0.0 FSL_HELO_NON_FQDN_1    No description available.
0.0 TVD_RCVD_IP            Message was received from an IP address
0.0 T_SPF_TEMPERROR        SPF: test of record failed (temperror)
0.0 HTML_MESSAGE           BODY: HTML included in message
0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or identical to
                           background
2.5 HDR_ORDER_FTSDMCXX_DIRECT Header order similar to spam
                           (FTSDMCXX/boundary variant) direct-to-MX
0.2 SHORT_HELO_AND_INLINE_IMAGE Short HELO string, with inline image
0.4 RDNS_DYNAMIC           Delivered to internal network by host with
                           dynamic-looking rDNS
1.3 DYN_RDNS_AND_INLINE_IMAGE Contains image, and was sent by dynamic
                           rDNS
0.0 DYN_RDNS_SHORT_HELO_HTML Sent by dynamic rDNS, short HELO, and HTML
2.5 DYN_RDNS_SHORT_HELO_IMAGE Short HELO string, dynamic rDNS, inline
                           image

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.

Message 2:
Code:
Content analysis details:   (6.0 points, 3.0 required)

pts rule name              description
---- ---------------------- --------------------------------------------------
0.0 FSL_HELO_NON_FQDN_1    No description available.
0.0 TVD_RCVD_IP            Message was received from an IP address
0.0 T_SPF_TEMPERROR        SPF: test of record failed (temperror)
0.0 HTML_MESSAGE           BODY: HTML included in message
1.6 HTML_IMAGE_ONLY_12     BODY: HTML: images with 800-1200 bytes of words
0.2 SHORT_HELO_AND_INLINE_IMAGE Short HELO string, with inline image
0.4 RDNS_DYNAMIC           Delivered to internal network by host with
                           dynamic-looking rDNS
1.3 DYN_RDNS_AND_INLINE_IMAGE Contains image, and was sent by dynamic
                           rDNS
0.0 DYN_RDNS_SHORT_HELO_HTML Sent by dynamic rDNS, short HELO, and HTML
2.5 DYN_RDNS_SHORT_HELO_IMAGE Short HELO string, dynamic rDNS, inline
                           image

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.

This server has a static IP, is not on any blacklist and SPF, DKIM and DMARC for the domains are properly configured.

In one of the messages there are 2 smilies (which are images) but overall I don't see anything strange in the content.

Any ideas?
 
Hello,

SpamAssassin does not give lower scores to SPAM emails even if they are delivered within one and the same domain.

Check the rule names which got the highest scores and read the official SpamAssassin wiki for more details to understand what they are about. It will help you. If you don't want to spend time learning these things, you can go a simple way and whitelist your domain on your server, i.e. in the SpamAssassin section and/or the global white lists under /etc/virtual/
 
Hi zEitEr,

I did some checking before posting and couldn't find a proper explanation for these specific high scores. Also, the messages look fine to me. Maybe the direct-to-MX is more clear now after some more googling, but this is not doable for remote clients (using an ISP's SMTP server instead of the DirectAdmin server).

I'll do some more digging. Thanks anyway.

Kind regards,
iodisciple
 