One Email Account Ignoring Spamassassin Settings

keefe007

I have no idea how this is happening, but I seem to have one email account ignoring SpamAssassin settings or using the default settings.

I have the required score set to 12, however one email account thinks the score is 5.

Content preview: Check has already been cut. Thank You, Darin Novak [...]

Content analysis details: (6.3 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 FSL_HELO_NON_FQDN_1    FSL_HELO_NON_FQDN_1
 0.0 TVD_RCVD_IP            TVD_RCVD_IP
 3.6 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [97.88.140.163 listed in zen.spamhaus.org]
 1.0 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
 0.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [97.88.140.163 listed in dnsbl.sorbs.net]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.4 RDNS_DYNAMIC           Delivered to internal network by host with
                            dynamic-looking rDNS
 0.0 DYN_RDNS_SHORT_HELO_HTML Sent by dynamic rDNS, short HELO, and HTML
 1.4 DOS_OUTLOOK_TO_MX      Delivered direct to MX with Outlook headers

The original message was not completely plain text, and may be unsafe to open with some email clients; in particular, it may contain a virus, or confirm that your address can receive spam. If you wish to view it, it may be safer to save it to a file and open it with an editor.


The other interesting thing is that this email is from and to the same domain. Doesn't that normally skip SpamAssassin altogether?

When looking at the email headers for other users under this domain I can see their required score is 12. Why would a single account under the same domain think the required score is 5?

Thanks,

Keefe
 
Here's a test to another email account setup on the same domain.

Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Thu, 07 Feb 2013 15:28:28 -0600
Received: from mail by astra.ethoplex.com with spam-scanned (Exim 4.80.1)
(envelope-from <[email protected]>)
id 1U3Z18-0001PY-Vw
for [email protected]; Thu, 07 Feb 2013 15:28:28 -0600
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on astra.ethoplex.com
X-Spam-Level:
X-Spam-Status: No, score=-0.5 required=12.0 tests=DKIM_SIGNED,DKIM_VALID,
DKIM_VALID_AU,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,HTML_MESSAGE,
RCVD_IN_DNSWL_LOW,SPF_PASS,TVD_SPACE_RATIO autolearn=ham version=3.3.2
Received: from mail-wi0-f182.google.com ([209.85.212.182])
by astra.ethoplex.com with esmtps (TLSv1:RC4-SHA:128)
(Exim 4.80.1)
(envelope-from <[email protected]>)
id 1U3Z18-0001PU-IL
for [email protected]; Thu, 07 Feb 2013 15:28:26 -0600
Received: by mail-wi0-f182.google.com with SMTP id hi18so111953wib.9
for <[email protected]>; Thu, 07 Feb 2013 13:30:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20120113;
h=mime-version:x-received:reply-to:date:message-id:subject:from:to
:content-type;
bh=PqfPCbCHxUSHMgj4evW4c+ciPfazIgjK+KCo59GQvAI=;
b=sJfk4kaQmYLfLDH2tLamEcUXC7y+Bex3heERouksN2iJp5zLKmYZ1c1dTYrf7MBbII
qL1G2lNVQanc8EuiSUaI38ESzxDmHfn/BvP55zNqLiLHJfXrutVhI8Lvf6VlOlaPTeqM
kq6DuWRiYxWiSkM7GFk73RrMi0bOpL2iR2lnrhfZWl2Vpq16RqOlCp6Ei9c6rYmtSZpt
pLLS22lv7Ob1xnKL9bR+q0YOWRGiOh+RloJH77MGl4EhiYrMKFgZpFFO+rvEFXBnFbq9
EnNKieG//wSEhIz7gk8SlMgT3R+UIKxK8CwwXN7ODIxWIhf5WvIaFc59+IuQDu0KfBmO
27yg==
MIME-Version: 1.0
X-Received: by 10.180.90.106 with SMTP id bv10mr5611049wib.12.1360272603797;
Thu, 07 Feb 2013 13:30:03 -0800 (PST)
Received: by 10.194.21.7 with HTTP; Thu, 7 Feb 2013 13:30:03 -0800 (PST)
Reply-To: [email protected]
Date: Thu, 7 Feb 2013 15:30:03 -0600
Message-ID: <CAAqKmpyW0AzAw_5Y2pQU0HG2mNGgO7N+H1OK4W5ZRPvvQDuzGQ@mail.gmail.com>
Subject: asdfasdf
From: Keefe John <[email protected]>
To: [email protected]
Content-Type: multipart/alternative; boundary=f46d043c81e858d9f904d529253e
 
Here's an email from the person who is having the problem to another user on the same server and domain.

Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Thu, 07 Feb 2013 15:17:06 -0600
Received: from mail by astra.ethoplex.com with spam-scanned (Exim 4.80.1)
(envelope-from <[email protected]>)
id 1U3Yq2-0000R6-NS; Thu, 07 Feb 2013 15:16:59 -0600
Received: from localhost by astra.ethoplex.com
with SpamAssassin (version 3.3.2);
Thu, 07 Feb 2013 15:16:59 -0600
From: "Person 1" <[email protected]>
To: "'Person 2'" <[email protected]>
Subject: FW: Abuse Notification
Date: Thu, 7 Feb 2013 15:18:37 -0600
Message-Id: <035a01ce0578$b1ddca80$15995f80$@com>
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on astra.ethoplex.com
X-Spam-Flag: YES
X-Spam-Level: *******
X-Spam-Status: Yes, score=7.6 required=5.0 tests=DOS_OUTLOOK_TO_MX,
DYN_RDNS_SHORT_HELO_HTML,FSL_HELO_NON_FQDN_1,HTML_MESSAGE,RCVD_IN_PBL,
RCVD_IN_RP_RNBL,RCVD_IN_SORBS_DUL,RDNS_DYNAMIC,SPF_SOFTFAIL,TVD_RCVD_IP
autolearn=no version=3.3.2
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_511419CB.2AAA1FC6"
 
Also, aren't emails TO and FROM the same domain sent locally supposed to bypass SpamAssassin anyways?

Here's a test I did:

Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Wed, 13 Feb 2013 11:49:03 -0600
Received: from localhost ([127.0.0.1] helo=www.ethoplex.com)
by astra.ethoplex.com with esmtpa (Exim 4.80.1)
(envelope-from <[email protected]>)
id 1U5gS7-0000lv-8g
for [email protected]; Wed, 13 Feb 2013 11:49:03 -0600
Received: from office.ethoplex.com ([208.87.120.3])
(SquirrelMail authenticated user [email protected])
by www.ethoplex.com with HTTP;
Wed, 13 Feb 2013 11:49:03 -0600 (CST)
Message-ID: <[email protected]>
Date: Wed, 13 Feb 2013 11:49:03 -0600 (CST)
Subject: test
From: [email protected]
To: [email protected]
User-Agent: SquirrelMail/1.5.1
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
 
In addition to emails from person1 ignoring the required spam score they are also ignoring the whitelist.
 
Code:
Received: from mail by astra.ethoplex.com with spam-scanned (Exim 4.80.1)
 (envelope-from <[email protected]>)
 id 1U3Yq2-0000R6-NS; Thu, 07 Feb 2013 15:16:59 -0600
 Received: from localhost by astra.ethoplex.com

Was that sent in a webmail?
 
You might need to enable logging of spamd actions and see the logs then.
Or you need somebody to check the things from inside on your server.
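
The header comparison done by hand in this thread (required=12.0 on one message, required=5.0 on another, no X-Spam-Status at all on the local webmail test) can be run over saved messages. The following is an added example and not part of any post in the thread; the sample messages are constructed from the quoted headers with shortened test lists, and the function names are hypothetical.

```python
import re
from email import message_from_string

EXPECTED_REQUIRED = 12.0  # threshold the original poster says is configured

# Constructed samples modelled on the headers quoted in the thread
# (test lists shortened; header folding kept as it appears in real mail).
SAMPLES = {
    "gmail-to-person2": (
        "X-Spam-Status: No, score=-0.5 required=12.0 tests=DKIM_SIGNED,DKIM_VALID,\n"
        "\tHTML_MESSAGE,SPF_PASS autolearn=ham version=3.3.2\n"
        "Subject: asdfasdf\n\nbody\n"
    ),
    "person1-to-person2": (
        "X-Spam-Status: Yes, score=7.6 required=5.0 tests=DOS_OUTLOOK_TO_MX,\n"
        "\tRCVD_IN_PBL,SPF_SOFTFAIL\n"
        "\tautolearn=no version=3.3.2\n"
        "Subject: FW: Abuse Notification\n\nbody\n"
    ),
    "local-webmail-test": (
        "User-Agent: SquirrelMail/1.5.1\n"
        "Subject: test\n\nbody\n"
    ),
}

STATUS_RE = re.compile(
    r"^(Yes|No),\s*score=(-?\d+(?:\.\d+)?)\s+required=(-?\d+(?:\.\d+)?)")

def parse_spam_status(raw_message):
    """Return (verdict, score, required), or None if no X-Spam-Status header."""
    value = message_from_string(raw_message)["X-Spam-Status"]
    if value is None:
        return None
    match = STATUS_RE.match(" ".join(value.split()))  # unfold continuation lines
    if match is None:
        raise ValueError("unrecognised X-Spam-Status: %r" % value)
    return match.group(1), float(match.group(2)), float(match.group(3))

def audit(samples, expected=EXPECTED_REQUIRED):
    """Label each message: ok, threshold-mismatch, or not-scanned."""
    findings = {}
    for name, raw in samples.items():
        status = parse_spam_status(raw)
        if status is None:
            findings[name] = "not-scanned"
        elif status[2] != expected:
            findings[name] = "threshold-mismatch"
        else:
            findings[name] = "ok"
    return findings

if __name__ == "__main__":
    print(audit(SAMPLES))
```

Grouping the mismatches by sender and recipient shows whether the unexpected threshold follows one account or one delivery path, which narrows down where to look in the spamd logs.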
 