Does the user have a third-party IMAP client (Thunderbird, Outlook, etc.) running? If so, is that client doing its own local spam filtering? If so turn it off. Client side spam filtering is more trouble than good. You can test this without getting the client involved by temporarily disabling IMAP access to the account and sending test messages.
If that isn't it - I'm not sure.
Mail going to Junk folder
Mail going to Junk folder
[quote user="chauvetp"]Does the user have a third-party IMAP client (Thunderbird, Outlook, etc.) running? If so, is that client doing its own local spam filtering? If so turn it off. Client side spam filtering is more trouble than good. You can test this without getting the client involved by temporarily disabling IMAP access to the account and sending test messages.
If that isn't it - I'm not sure.[/QUOTE]
You bring up a good point, but this particular user only uses the Zimbra web interface, he prefers it to Outlook. His account is also setup via IMAP on his Android phone but he just checks mail on it, doesn't manipulate folders or mark anything as junk on the phone. I'm puzzled myself at this problem.
If that isn't it - I'm not sure.[/QUOTE]
You bring up a good point, but this particular user only uses the Zimbra web interface, he prefers it to Outlook. His account is also setup via IMAP on his Android phone but he just checks mail on it, doesn't manipulate folders or mark anything as junk on the phone. I'm puzzled myself at this problem.
Mail going to Junk folder
Can you grep for the username and Junk in the mailbox.log file? Specifically something like the following (for a user named smithj):
grep smithj mailbox.log | grep Junk
Specifically, I'm looking for a statement like one of the following (IP address/server username redacted):
2014-08-28 09:09:59,156 INFO [btpool0-33820://zmail.newpaltz.edu/service/soap/MsgActionRequest] [name=REDACTEDUSER@zmail.newpaltz.edu;mid=203;ip=IP-ADDRESS;ua=ZimbraWebClient - FF3.0 (Win)/7.2.7_GA_2942;] mailop - moving Message (id=1570) to Folder Junk (id=4)
2014-08-28 09:19:22,837 INFO [LmtpServer-11280] [name=REDACTEDUSER@zmail.newpaltz.edu;mid=17;ip=IP-ADDRESS;] mailop - Adding Message: id=660574, Message-ID=, parentId=-1, folderId=4, folderName=Junk.
The first of the two is when a message was moved (by me) to the Junk folder. The second is when the message was pre-sorted into the Junk folder on arrival (via on our end, the X-Spam-Flag: Yes header). The former should happen if the user or their mail client is moving the message after arrival.
grep smithj mailbox.log | grep Junk
Specifically, I'm looking for a statement like one of the following (IP address/server username redacted):
2014-08-28 09:09:59,156 INFO [btpool0-33820://zmail.newpaltz.edu/service/soap/MsgActionRequest] [name=REDACTEDUSER@zmail.newpaltz.edu;mid=203;ip=IP-ADDRESS;ua=ZimbraWebClient - FF3.0 (Win)/7.2.7_GA_2942;] mailop - moving Message (id=1570) to Folder Junk (id=4)
2014-08-28 09:19:22,837 INFO [LmtpServer-11280] [name=REDACTEDUSER@zmail.newpaltz.edu;mid=17;ip=IP-ADDRESS;] mailop - Adding Message: id=660574, Message-ID=, parentId=-1, folderId=4, folderName=Junk.
The first of the two is when a message was moved (by me) to the Junk folder. The second is when the message was pre-sorted into the Junk folder on arrival (via on our end, the X-Spam-Flag: Yes header). The former should happen if the user or their mail client is moving the message after arrival.
Mail going to Junk folder
I grepped for the username and Junk in the mailbox.log and found this:
2014-08-29 07:23:11,656 WARN [Junk-NotJunk-Handler] [] misc - exception occurred sending spam report SpamReport{account=chrisbush@hcems.com, mbox=32, msgId=74196, isSpam=true, origIp=null, action=imap copy, srcFolder=/Inbox, destFolder=/Junk, destAccount=null, reportRecipient=spam.Zhn3PtuhNv@harriscountyems.com}
2014-08-29 07:23:11,658 WARN [Junk-NotJunk-Handler] [] misc - exception occurred sending spam report SpamReport{account=chrisbush@hcems.com, mbox=32, msgId=74197, isSpam=true, origIp=null, action=imap copy, srcFolder=/Inbox, destFolder=/Junk, destAccount=null, reportRecipient=spam.Zhn3PtuhNv@harriscountyems.com}
2014-08-29 07:23:11,660 WARN [Junk-NotJunk-Handler] [] misc - exception occurred sending spam report SpamReport{account=chrisbush@hcems.com, mbox=32, msgId=74187, isSpam=true, origIp=null, action=imap copy, srcFolder=/Inbox, destFolder=/Junk, destAccount=null, reportRecipient=spam.Zhn3PtuhNv@harriscountyems.com}
2014-08-29 07:23:11,662 WARN [Junk-NotJunk-Handler] [] misc - exception occurred sending spam report SpamReport{account=chrisbush@hcems.com, mbox=32, msgId=74186, isSpam=true, origIp=null, action=imap copy, srcFolder=/Inbox, destFolder=/Junk, destAccount=null, reportRecipient=spam.Zhn3PtuhNv@harriscountyems.com}
And also when I hit "Not spam" on several messages:
2014-08-29 07:55:28,839 INFO [Junk-NotJunk-Handler] [] misc - Sent SpamReport{account=chrisbush@hcems.com, mbox=32, msgId=74270, isSpam=false, origIp=75.89.97.25, action=move, srcFolder=/Junk, destFolder=/Inbox, destAccount=null, reportRecipient=ham.Zhn3PtuhNv@harriscountyems.com}
2014-08-29 07:55:28,845 INFO [Junk-NotJunk-Handler] [] misc - Sent SpamReport{account=chrisbush@hcems.com, mbox=32, msgId=74279, isSpam=false, origIp=75.89.97.25, action=move, srcFolder=/Junk, destFolder=/Inbox, destAccount=null, reportRecipient=ham.Zhn3PtuhNv@harriscountyems.com}
2014-08-29 07:55:28,851 INFO [Junk-NotJunk-Handler] [] misc - Sent SpamReport{account=chrisbush@hcems.com, mbox=32, msgId=74273, isSpam=false, origIp=75.89.97.25, action=move, srcFolder=/Junk, destFolder=/Inbox, destAccount=null, reportRecipient=ham.Zhn3PtuhNv@harriscountyems.com}
2014-08-29 07:55:28,920 INFO [Junk-NotJunk-Handler] [] misc - Sent SpamReport{account=chrisbush@hcems.com, mbox=32, msgId=74269, isSpam=false, origIp=75.89.97.25, action=move, srcFolder=/Junk, destFolder=/Inbox, destAccount=null, reportRecipient=ham.Zhn3PtuhNv@harriscountyems.com}
2014-08-29 07:55:28,930 INFO [Junk-NotJunk-Handler] [] misc - Sent SpamReport{account=chrisbush@hcems.com, mbox=32, msgId=74277, isSpam=false, origIp=75.89.97.25, action=move, srcFolder=/Junk, destFolder=/Inbox, destAccount=null, reportRecipient=ham.Zhn3PtuhNv@harriscountyems.com}
2014-08-29 07:55:28,937 INFO [Junk-NotJunk-Handler] [] misc - Sent SpamReport{account=chrisbush@hcems.com, mbox=32, msgId=74276, isSpam=false, origIp=75.89.97.25, action=move, srcFolder=/Junk, destFolder=/Inbox, destAccount=null, reportRecipient=ham.Zhn3PtuhNv@harriscountyems.com}
I'm wondering if the ham account is wrong for the hcems.com domain. If you look above at the reportRecepient it says ham.Zhn3PtuhNv@harriscountyems.com which is the wrong ham account for that domain. Should I try to reset the ham and spam accounts for the hcems.com domain?
2014-08-29 07:23:11,656 WARN [Junk-NotJunk-Handler] [] misc - exception occurred sending spam report SpamReport{account=chrisbush@hcems.com, mbox=32, msgId=74196, isSpam=true, origIp=null, action=imap copy, srcFolder=/Inbox, destFolder=/Junk, destAccount=null, reportRecipient=spam.Zhn3PtuhNv@harriscountyems.com}
2014-08-29 07:23:11,658 WARN [Junk-NotJunk-Handler] [] misc - exception occurred sending spam report SpamReport{account=chrisbush@hcems.com, mbox=32, msgId=74197, isSpam=true, origIp=null, action=imap copy, srcFolder=/Inbox, destFolder=/Junk, destAccount=null, reportRecipient=spam.Zhn3PtuhNv@harriscountyems.com}
2014-08-29 07:23:11,660 WARN [Junk-NotJunk-Handler] [] misc - exception occurred sending spam report SpamReport{account=chrisbush@hcems.com, mbox=32, msgId=74187, isSpam=true, origIp=null, action=imap copy, srcFolder=/Inbox, destFolder=/Junk, destAccount=null, reportRecipient=spam.Zhn3PtuhNv@harriscountyems.com}
2014-08-29 07:23:11,662 WARN [Junk-NotJunk-Handler] [] misc - exception occurred sending spam report SpamReport{account=chrisbush@hcems.com, mbox=32, msgId=74186, isSpam=true, origIp=null, action=imap copy, srcFolder=/Inbox, destFolder=/Junk, destAccount=null, reportRecipient=spam.Zhn3PtuhNv@harriscountyems.com}
And also when I hit "Not spam" on several messages:
2014-08-29 07:55:28,839 INFO [Junk-NotJunk-Handler] [] misc - Sent SpamReport{account=chrisbush@hcems.com, mbox=32, msgId=74270, isSpam=false, origIp=75.89.97.25, action=move, srcFolder=/Junk, destFolder=/Inbox, destAccount=null, reportRecipient=ham.Zhn3PtuhNv@harriscountyems.com}
2014-08-29 07:55:28,845 INFO [Junk-NotJunk-Handler] [] misc - Sent SpamReport{account=chrisbush@hcems.com, mbox=32, msgId=74279, isSpam=false, origIp=75.89.97.25, action=move, srcFolder=/Junk, destFolder=/Inbox, destAccount=null, reportRecipient=ham.Zhn3PtuhNv@harriscountyems.com}
2014-08-29 07:55:28,851 INFO [Junk-NotJunk-Handler] [] misc - Sent SpamReport{account=chrisbush@hcems.com, mbox=32, msgId=74273, isSpam=false, origIp=75.89.97.25, action=move, srcFolder=/Junk, destFolder=/Inbox, destAccount=null, reportRecipient=ham.Zhn3PtuhNv@harriscountyems.com}
2014-08-29 07:55:28,920 INFO [Junk-NotJunk-Handler] [] misc - Sent SpamReport{account=chrisbush@hcems.com, mbox=32, msgId=74269, isSpam=false, origIp=75.89.97.25, action=move, srcFolder=/Junk, destFolder=/Inbox, destAccount=null, reportRecipient=ham.Zhn3PtuhNv@harriscountyems.com}
2014-08-29 07:55:28,930 INFO [Junk-NotJunk-Handler] [] misc - Sent SpamReport{account=chrisbush@hcems.com, mbox=32, msgId=74277, isSpam=false, origIp=75.89.97.25, action=move, srcFolder=/Junk, destFolder=/Inbox, destAccount=null, reportRecipient=ham.Zhn3PtuhNv@harriscountyems.com}
2014-08-29 07:55:28,937 INFO [Junk-NotJunk-Handler] [] misc - Sent SpamReport{account=chrisbush@hcems.com, mbox=32, msgId=74276, isSpam=false, origIp=75.89.97.25, action=move, srcFolder=/Junk, destFolder=/Inbox, destAccount=null, reportRecipient=ham.Zhn3PtuhNv@harriscountyems.com}
I'm wondering if the ham account is wrong for the hcems.com domain. If you look above at the reportRecepient it says ham.Zhn3PtuhNv@harriscountyems.com which is the wrong ham account for that domain. Should I try to reset the ham and spam accounts for the hcems.com domain?
Mail going to Junk folder
I ran the following:
zimbra@mail:~$ zmprov gacf | grep -i spamis
zimbraSpamIsNotSpamAccount: ham.Zhn3PtuhNv@harriscountyems.com
zimbraSpamIsSpamAccount: spam.Zhn3PtuhNv@harriscountyems.com
Since all of my main accounts are on the @hcems.com domain shouldn't I have the Spam and Ham accounts set to the ones created for that domain:
ham.8ee1fbmkg@hcems.com
spam.skwvavwp1@hcems.com
I have multiple domains on this server dfwems.com, hcems.com, gulfwaylogistics.com and harriscountyems.com. hcems.com is the main/default domain with the majority of our accounts (100+). So I'm wondering if I need to set the SpamIsNotSpamAccount and SpamIsSpamAccount to the @hcems.com domain accounts for ham and spam?
zimbra@mail:~$ zmprov gacf | grep -i spamis
zimbraSpamIsNotSpamAccount: ham.Zhn3PtuhNv@harriscountyems.com
zimbraSpamIsSpamAccount: spam.Zhn3PtuhNv@harriscountyems.com
Since all of my main accounts are on the @hcems.com domain shouldn't I have the Spam and Ham accounts set to the ones created for that domain:
ham.8ee1fbmkg@hcems.com
spam.skwvavwp1@hcems.com
I have multiple domains on this server dfwems.com, hcems.com, gulfwaylogistics.com and harriscountyems.com. hcems.com is the main/default domain with the majority of our accounts (100+). So I'm wondering if I need to set the SpamIsNotSpamAccount and SpamIsSpamAccount to the @hcems.com domain accounts for ham and spam?
Mail going to Junk folder
If the action is "imap copy" then my best guess would definitely be that the an external client is moving these messages to spam. You wouldn't see imap copy if Zimbra were initially marking it as spam.
As to the reportrecipient settings - its been so long since I've dealt with those, that I can't remember unfortunatey.
As to the reportrecipient settings - its been so long since I've dealt with those, that I can't remember unfortunatey.
Mail going to Junk folder
[quote user="chauvetp"]If the action is "imap copy" then my best guess would definitely be that the an external client is moving these messages to spam. You wouldn't see imap copy if Zimbra were initially marking it as spam.
As to the reportrecipient settings - its been so long since I've dealt with those, that I can't remember unfortunatey.[/QUOTE]
I think you may be right. I dug deeper into the logs and saw this entry:
2014-08-29 07:23:11,328 INFO [ImapSSLServer-566] [name=chrisbush@hcems.com;mid=32;ip=72.14.179.224;oip=172.56.14.43;via=com.android.email,72.14.179.224(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] mailop - Performing IMAP copy of Message (id=74176): copyId=74303, folderId=4, folderName=Junk, parentId=-74176.
2014-08-29 07:23:11,329 INFO [ImapSSLServer-566] [name=chrisbush@hcems.com;mid=32;ip=72.14.179.224;oip=172.56.14.43;via=com.android.email,72.14.179.224(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] mailop - Performing IMAP copy of Message (id=74183): copyId=74304, folderId=4, folderName=Junk, parentId=-74183.
It looks like his phone is doing an IMAP copy of the message into the Junk folder. I'm going to have him delete and recreate his account on his Android phone and see if that makes a difference. Not sure why his phone is doing this, but it looks like the culprit.
Should I still change my Spam/Ham accounts to the @hcems.com ones since it's our primary domain or leave it alone for now?
As to the reportrecipient settings - its been so long since I've dealt with those, that I can't remember unfortunatey.[/QUOTE]
I think you may be right. I dug deeper into the logs and saw this entry:
2014-08-29 07:23:11,328 INFO [ImapSSLServer-566] [name=chrisbush@hcems.com;mid=32;ip=72.14.179.224;oip=172.56.14.43;via=com.android.email,72.14.179.224(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] mailop - Performing IMAP copy of Message (id=74176): copyId=74303, folderId=4, folderName=Junk, parentId=-74176.
2014-08-29 07:23:11,329 INFO [ImapSSLServer-566] [name=chrisbush@hcems.com;mid=32;ip=72.14.179.224;oip=172.56.14.43;via=com.android.email,72.14.179.224(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] mailop - Performing IMAP copy of Message (id=74183): copyId=74304, folderId=4, folderName=Junk, parentId=-74183.
It looks like his phone is doing an IMAP copy of the message into the Junk folder. I'm going to have him delete and recreate his account on his Android phone and see if that makes a difference. Not sure why his phone is doing this, but it looks like the culprit.
Should I still change my Spam/Ham accounts to the @hcems.com ones since it's our primary domain or leave it alone for now?
Mail going to Junk folder
I had him recreate his account on his Android device and it seems the phone is still doing the imap copy into the junk folder. Any ideas on this guys?