Spam FROM LOCAL [127.0.0.1] - "WILL BE relayed" "WAS NOT relayed"

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
1527AJK
Posts: 9
Joined: Fri Sep 12, 2014 10:33 pm

Spam FROM LOCAL [127.0.0.1] - "WILL BE relayed" "WAS NOT relayed"

Postby 1527AJK » Mon Jul 25, 2016 3:30 am

My version details are:
Release 8.6.0_GA_1153.RHEL6_64_20141215151258 RHEL6_64 NETWORK edition, Patch 8.6.0_P6.

My first issue:
I have distribution groups set up to distribute mail to users within out organisation. I am seeing some odd issues where an email is being delivered to 3 recipients but then be blocked as spam for the 4th recipient. It always seems to be the same user. I do not profess to understand spamassassin but can find my way around Zimbra. ANy help as to why I am seeing this issue would be appreciated.
Here is a sanitized example:

Content type: Spam
Internal reference code for the message is 07481-01/WQgduyq1mA9y

First upstream SMTP client IP address: [127.0.0.1]:40782 localhost
Received from: 127.0.0.1 < 127.0.0.1 < 203.202.xxx.xxx < 127.0.0.1 < 127.0.0.1
< 203.29.xxx.xxx < 199.16.156.164

Return-Path:
<n00009e6445-c191df5d927f4bcba523f69fd882d63c-distribution===domain@bounce.twitter.com>
From: Twitter <info@twitter.com> (dkim:AUTHOR)
Message-ID: <0F.12.25163.723FC875@twitter.com>
Subject: Suggestions based on Steve Lopez
Not quarantined.

The message WILL BE relayed to:
<user1@domain>
<user2@domain>
<user3@domain>

The message WAS NOT relayed to:
<user4@domain>
250 2.7.0 Ok, discarded, id=07481-01 - spam

Spam scanner report:
Spam detection software, running on the system "internal-host.domain",
has NOT identified this incoming email as spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
the administrator of that system for details.

Content preview: User Name, You might also be interested in these accounts.
Find more people you may know on Twitter: https://twitter.com/who_to_follow
[...]

Content analysis details: (-3.0 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
-1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
-0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay
domain
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
0.0 HTML_MESSAGE BODY: HTML included in message
0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or identical to
background
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
domain
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid

Return-Path: <n00009e6445-c191df5d927f4bcba523f69fd882d63c-distribution===domain@bounce.twitter.com>
Received: from localhost (localhost [127.0.0.1])
by internal-host.domain (Postfix) with ESMTP id 02DB51DC0018;
Tue, 19 Jul 2016 01:38:16 +1000 (AEST)
X-Virus-Scanned: amavisd-new at internal-host.domain
Authentication-Results: internal-host.domain (amavisd-new);
dkim=pass (2048-bit key) header.d=twitter.com
Received: from internal-host.domain ([127.0.0.1])
by localhost (internal-host.domain [127.0.0.1]) (amavisd-new, port 10026)
with ESMTP id bRcRp5V9ZQ9w; Tue, 19 Jul 2016 01:38:15 +1000 (AEST)
Received: from mx1.domain (mx1.domain [203.202.xxx.xxx])
by internal-host.domain (Postfix) with ESMTP id 7EBAF1DC0009
for <distribution-list@domain>; Tue, 19 Jul 2016 01:38:15 +1000 (AEST)
Received: from localhost (localhost.localdomain [127.0.0.1])
by mx1.domain (Postfix) with ESMTP id D16B95E01AC
for <distribution-list@domain>; Tue, 19 Jul 2016 01:29:55 +1000 (EST)
X-Virus-Scanned: amavisd-new at mx1.domain
Received: from mx1.domain ([127.0.0.1])
by localhost (mx1.domain [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 2er4G5j8YLft for <distribution-list@domain>;
Tue, 19 Jul 2016 01:29:50 +1000 (EST)
Received: from mx2.domain (mx2.domain [203.29.xxx.xxx])
by mx1.domain (Postfix) with ESMTP id 4681B5E01AB
for <distribution-list@domain>; Tue, 19 Jul 2016 01:29:50 +1000 (EST)
X-Greylist: delayed 1204 seconds by postgrey-1.31 at mx2; Tue, 19 Jul 2016 01:37:56 EST
Received: from spring-chicken-ay.twitter.com (spring-chicken-ay.twitter.com [199.16.156.164])
by mx2.domain (Postfix) with ESMTPS id E5BED35EB0
for <distribution-list@domain>; Tue, 19 Jul 2016 01:37:54 +1000 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=twitter.com;
s=dkim-201406; t=1468855079;
bh=jeWQrm1R5ejXIXTG3tQ2McQhUneHtfgVp95P2TAu/aM
h=Date:From:To:Subject:MIME-Version:Content-Type:List-Unsubscribe:
Message-ID;
b=dajM/zws89m9gJ1B5bmDcUh9GPFgeEQ2IrcJ7uXmL07okHka8oSuPzKcnepuPaxtc
/55hy0kWSd+9vQm9PWiJthtiheagEZQaZZmQ9U9bm037HmsjrdBegnRASPgApGNG0Y
UbLIdnMNsLcF8HVMoruwbU6Pg33n72VyBq+tKndZJfj0hk8Ajkenn9RrHCvynxG/xj
p7DZ9mur+ISaJg84mr21Rl+9ZTq4f+l7sZz+rfcLkXQ3VrxMcMbG7CI084SmPsg0Sk
vifQORy6exx5/wKTeper99JP3Q2C+L6NMJGp68+Ui72EqsSA05DEfOkq8a+LyjR/+s
jsD0Hm4Wv2fWg==
X-MSFBL: Psb4VBoE4ciRGZDL22hiX3YUvlavgb1ladKX/185ugY=|eyJ1IjoiYXVpZ2ZAYXV
kYS5vcmcuYXVAaWlkIyNjMTkxZGY1ZDkyN2Y0YmNiYTUyM2Y2OWZkODgyZDYzY0A
2NEA2MTQ5NjY5ODVAMEAzMTc0MTE0M2E0OTNkZjg2MjJhMmM5ZjZhNTYwNWY0Yjk
3OWE5MzM4IiwiYiI6ImF0bGEtYW9rLTM1LXNyMS1FdmVyeXRoaW5nLjE4NCIsInI
iOiJhdWlnZkBhdWRhLm9yZy5hdSIsImciOiJFdmVyeXRoaW5nIn0=
Date: Mon, 18 Jul 2016 15:17:59 +0000
From: Twitter <info@twitter.com>
To: distribution-list@domain
Subject: Suggestions based on Steve Lopez
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_Part_18144013_836238243.1468855079255"
X-return-path-rewrite: true
List-Unsubscribe: <https://twitter.com/i/u?t=1&listunsub=t&cn=cHN0Zg%3D%3D&sig=d8010e102f45b5922d9995387df9b5abce089921&iid=c191df5d927f4bcba523f69fd882d63c&uid=614966985&nid=64+26>
Feedback-ID: 03560e25:03560e25eakin:twitterESP
Precedence: Bulk
Message-ID: <0F.12.25163.723FC875@twitter.com>



I also see this in other emails where there are 2 recipients.
Content type: Spam
Internal reference code for the message is 13167-05/hM-HV-hriCdk

First upstream SMTP client IP address: [127.0.0.1]:50823 localhost
Received from: 127.0.0.1 < 127.0.0.1 < 203.202.xxx.xxx < 127.0.0.1 < 127.0.0.1
  < 203.59.1.210 < 10.160.234.68

Return-Path: <customer@iinet.net.au>
From: Customer <customer@iinet.net.au>
Message-ID: <9A24DA2E-A867-4272-8FF7-12AC611099E5@iinet.net.au>
X-Mailer: iPhone Mail (13F69)
Subject: Domain
Not quarantined.

The message WILL BE relayed to:
<user5@domain>

The message WAS NOT relayed to:
<user6@domain>:
   250 2.7.0 Ok, discarded, id=13167-05 - spam

Spam scanner report:
Spam detection software, running on the system "internal-host.domain",
has NOT identified this incoming email as spam.  The original
message has been attached to this so you can view it or label
similar future email.  If you have any questions, see
the administrator of that system for details.

Content preview:  Hi , a bunch of text that was in the email

Content analysis details:   (-2.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-1.0 ALL_TRUSTED            Passed through trusted hosts only via SMTP
-0.0 T_RP_MATCHES_RCVD      Envelope sender domain matches handover relay
                            domain
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.0005]

Return-Path: <customer@iinet.net.au>
Received: from localhost (localhost [127.0.0.1])
        by internal-host.domain (Postfix) with ESMTP id 65B591DC01FA;
        Thu, 21 Jul 2016 20:47:19 +1000 (AEST)
X-Virus-Scanned: amavisd-new at internal-host.domain
Received: from internal-host.domain ([127.0.0.1])
        by localhost (internal-host.domain [127.0.0.1]) (amavisd-new, port 10026)
        with ESMTP id E-3lwFsKPJrj; Thu, 21 Jul 2016 20:47:19 +1000 (AEST)
Received: from mx1.domain (mx1.domain [203.202.xxx.xxx])
        by internal-host.domain (Postfix) with ESMTP id 47E7C1DC0054;
        Thu, 21 Jul 2016 20:47:19 +1000 (AEST)
Received: from localhost (localhost.localdomain [127.0.0.1])
        by mx1.domain (Postfix) with ESMTP id 062335E01A8;
        Thu, 21 Jul 2016 20:38:23 +1000 (EST)
X-Virus-Scanned: amavisd-new at mx1.domain
Received: from mx1.domain ([127.0.0.1])
        by localhost (mx1.domain [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id hHI9qyOLDrMK; Thu, 21 Jul 2016 20:38:18 +1000 (EST)
Received: from icp-osb-irony-out1.external.iinet.net.au (icp-osb-irony-out1.external.iinet.net.au [203.59.1.210])
        by mx1.domain (Postfix) with ESMTP id 821E35E01A7;
        Thu, 21 Jul 2016 20:38:18 +1000 (EST)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result:
A2B/AgCgp5BX/+BChAENUB6oYwaQEoN4gl8SiAIBAQEBAQGGKmeBFgG3II5QAQEIAQEBAQEBIYVigkAIijmCLwWODIsajmuBVgGIEoVRgmWNPIRZiCoBAQE
X-IPAS-Result: A2B/AgCgp5BX/+BChAENUB6oYwaQEoN4gl8SiAIBAQEBAQGGKmeBFgG3II5QAQEIAQEBAQEBIYVigkAIijmCLwWODIsajmuBVgGIEoVRgmWNPIRZiCoBAQE
X-IronPort-AV: E=Sophos;i="5.28,398,1464624000";
   d="scan'208";a="48064524"
Received: from unknown (HELO [10.160.234.68]) ([1.132.66.224])
  by icp-osb-irony-out1.iinet.net.au with ESMTP; 21 Jul 2016 18:47:13 +0800
From: Customer <customer@iinet.net.au>
Content-Type: text/plain;
        charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (1.0)
Subject: Domain
Message-Id: <9A24DA2E-A867-4272-8FF7-12AC611099E5@iinet.net.au>
Date: Thu, 21 Jul 2016 20:47:11 +1000
To: User5 <user5@domain>,
 User6 <user6@domain>
X-Mailer: iPhone Mail (13F69)


So why does the server accept mail for one account (User 5) but marks it as spam for the other (User 6)?

Is this a postfix configuration setting? A zimbra settingg? Or a spamassassin setting?

Thanks to anyone who can point me in the right direction


v1rtu4l
Posts: 36
Joined: Tue Jun 28, 2016 3:04 pm

Re: Spam FROM LOCAL [127.0.0.1] - "WILL BE relayed" "WAS NOT relayed"

Postby v1rtu4l » Mon Jul 25, 2016 7:17 am

If I understand the Spam Assassin implementation in zimbra correct it's Spam training works per user, so that you could have a mail be Spam for user a even though it is not for user B. Would be nice to get some clarification on that

Gesendet von meinem SM-N910F mit Tapatalk

Return to “Administrators”

Who is online

Users browsing this forum: No registered users and 5 guests