local mail getting marked as spam?

bjquinn
Advanced member
Posts: 179
Joined: Fri Sep 12, 2014 10:00 pm

Post by bjquinn »

I'm having some mail getting sent from one local user to another (or from a local user to him/herself) that is getting marked as spam. It's getting tagged with all sorts of stuff like the following:
X-Spam-Status: Yes, score=6.581 tagged_above=-10 required=4 tests=[AWL=-4.156,
    BAYES_05=-1.11, DCC_CHECK=2.17, DIGEST_MULTIPLE=0.765,
    DYN_RDNS_SHORT_HELO_HTML=0.499, HTML_90_100=0.113, HTML_MESSAGE=0.001,
    MIME_HTML_MOSTLY=1.102, PYZOR_CHECK=3.7, RCVD_IN_SORBS_DUL=2.046,
    RDNS_DYNAMIC=0.1, TVD_RCVD_SINGLE=1.351]
Now, this only seems to happen when roaming/home users send mail. Here's some more of the headers (IP addresses and hostnames changed to protect the innocent, of course):
Return-Path: xxxxxx@myserver.com
Received: from mail2.myserver.com (LHLO mail2.myserver.com) (192.168.1.xxx) by
    mail2.myserver.com with LMTP; Sun, 22 Jun 2008 20:27:32 -0500 (CDT)
Received: from localhost (localhost.localdomain [127.0.0.1])
    by mail2.myserver.com (Postfix) with ESMTP id 82E9693400CD
    for ; Sun, 22 Jun 2008 20:27:32 -0500 (CDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: YES
X-Spam-Score: 6.581
X-Spam-Level: ******
X-Spam-Status: Yes, score=6.581 tagged_above=-10 required=4 tests=[AWL=-4.156,
    BAYES_05=-1.11, DCC_CHECK=2.17, DIGEST_MULTIPLE=0.765,
    DYN_RDNS_SHORT_HELO_HTML=0.499, HTML_90_100=0.113, HTML_MESSAGE=0.001,
    MIME_HTML_MOSTLY=1.102, PYZOR_CHECK=3.7, RCVD_IN_SORBS_DUL=2.046,
    RDNS_DYNAMIC=0.1, TVD_RCVD_SINGLE=1.351]
Received: from mail2.myserver.com ([127.0.0.1])
    by localhost (mail2.myserver.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 5LyQDl0JSaxV for ;
    Sun, 22 Jun 2008 20:27:31 -0500 (CDT)
Received: from MYHOSTNAME (ppp-70-251-124-xxx.dsl.rcsntx.swbell.net [70.251.124.xxx])
    by mail2.myserver.com (Postfix) with ESMTP id 3A5BD93400C7
    for ; Sun, 22 Jun 2008 20:27:31 -0500 (CDT)
It looks like the home user, who is sending out email through their home DSL connection (but using our server as their outgoing mail server), is tripping all sorts of blacklist rules/filters. Possibly a source of the problem could be that we're using an alternate SMTP port added to Zimbra (port 8025, so that those home users whose port 25 is blocked can still use our server as the outgoing mail server), so maybe Zimbra isn't recognizing mail coming in on that alternate port as being local and the source of the mail being an authenticated Zimbra user, not some spammer sending out stuff from a DSL connection? We'd just cave in and have the home users use their ISP's outgoing mail server, but that doesn't work, of course, for laptops that roam the world using all sorts of different internet connections, a different one every time they boot their machine up. We're using 5.0.6.
Thanks!
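As an added example (not part of the original posts), this Python sketch re-adds the rule scores from the X-Spam-Status header quoted above and separates out the ones tied to the connecting client's hop. The sample string is constructed from that header, and treating any rule whose name contains RCVD or RDNS as derived from the client's Received line is an assumption made for illustration.

```python
import re

# Constructed from the X-Spam-Status header quoted in the post above.
SAMPLE_STATUS = (
    "Yes, score=6.581 tagged_above=-10 required=4 tests=[AWL=-4.156, "
    "BAYES_05=-1.11, DCC_CHECK=2.17, DIGEST_MULTIPLE=0.765, "
    "DYN_RDNS_SHORT_HELO_HTML=0.499, HTML_90_100=0.113, HTML_MESSAGE=0.001, "
    "MIME_HTML_MOSTLY=1.102, PYZOR_CHECK=3.7, RCVD_IN_SORBS_DUL=2.046, "
    "RDNS_DYNAMIC=0.1, TVD_RCVD_SINGLE=1.351]"
)

# Assumption: a rule whose name contains RCVD or RDNS is evaluated against the
# Received header of the connecting client (its IP, reverse DNS or HELO name).
CLIENT_HOP = re.compile(r"RCVD|RDNS")


def parse_status(value):
    """Return (score, required, {rule: points}) from an X-Spam-Status value."""
    score = float(re.search(r"\bscore=(-?[\d.]+)", value).group(1))
    required = float(re.search(r"\brequired=(-?[\d.]+)", value).group(1))
    body = re.search(r"tests=\[(.*?)\]", value, re.S).group(1)
    tests = {}
    for item in body.split(","):
        name, _, points = item.strip().partition("=")
        if name:
            tests[name] = float(points)
    return score, required, tests


def rescore(value):
    """Split the reported score into client-hop rules and everything else."""
    score, required, tests = parse_status(value)
    hop = {n: p for n, p in tests.items() if CLIENT_HOP.search(n)}
    rest = round(sum(tests.values()) - sum(hop.values()), 3)
    return {
        "reported": score,
        "required": required,
        "client_hop_rules": hop,
        "client_hop_points": round(sum(hop.values()), 3),
        "without_client_hop": rest,
        "spam_without_client_hop": rest >= required,
    }


if __name__ == "__main__":
    for key, val in rescore(SAMPLE_STATUS).items():
        print(f"{key}: {val}")
```

This is arithmetic on the reported points only, not a rescan: AWL, DCC and Pyzor are left as reported even though a real rescan could score them differently.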
Bill Brock
Outstanding Member
Posts: 618
Joined: Fri Sep 12, 2014 10:35 pm

Post by Bill Brock »

What program are your users using to send mail? Are they required to use SMTP authentication?
bjquinn
Advanced member
Posts: 179
Joined: Fri Sep 12, 2014 10:00 pm

Post by bjquinn »

Oh, most are Outlook. I believe the one for which I posted the headers was Outlook Express. And yes, I do require SMTP Authentication.
Edit: Oh, and we're only using that alternate SMTP port for home/roaming users. We don't see the same problem internally using port 25.
bjquinn
Advanced member
Posts: 179
Joined: Fri Sep 12, 2014 10:00 pm

Post by bjquinn »

So, in short, when I use my Zimbra server as an outgoing SMTP server on an alternate SMTP port, SpamAssassin detects my home DSL connection's IP as the IP address of my outgoing SMTP server (which, of course, would be on blacklists galore), rather than the Zimbra server, which is both the outgoing server and the recipient server.
jholder
Ambassador
Posts: 4824
Joined: Fri Sep 12, 2014 10:00 pm

Post by jholder »

[quote user="bjquinn"]So, in short, when I use my Zimbra server as an outgoing SMTP server on an alternate SMTP port, SpamAssassin detects my home DSL connection's IP as the IP address of my outgoing SMTP server (which, of course, would be on blacklists galore), rather than the Zimbra server, which is both the outgoing server and the recipient server.[/QUOTE]
Marking them as not spam should train SA to ignore that.
bjquinn
Advanced member
Posts: 179
Joined: Fri Sep 12, 2014 10:00 pm

Post by bjquinn »

Right, but if the users aren't using the Zimbra web client, then they can't do that. Also, SA seems to be set up incorrectly to think local mail is spam! I'd rather fix it at the source than set off hundreds or thousands of "not junk" clicks (and I'm of two minds as to how well that would work anyway...).
Plus, I wouldn't want SA to ignore that when the incoming email is truly originating from a home DSL account!
bjquinn
Advanced member
Posts: 179
Joined: Fri Sep 12, 2014 10:00 pm

Post by bjquinn »

Any ideas, anyone? In addition to my 5.0.6 server that's doing this, I have a 4.5.7 server now doing the same thing, and it flags off the RCVD_IN_SORBS_DUL rule.
Why is Zimbra's SpamAssassin detecting the IP address of the internet connection that a LOCAL user connected from as being the IP address of the sending email server? If the sending address is local, then technically my Zimbra server should be considered both the "sending" and the "receiving" email server. It shouldn't consider the IP address that it receives the mail from as the "sending" IP address (to set off spam rules, blacklists, etc.) unless the sender can't successfully authenticate and send mail as a local user.
About my alternate SMTP port (8025) that I mentioned in the original post: I'm thinking that's not related to the problem anymore, however, since many users on the local network are also using port 8025 and the problem only appears to happen when a user sends an email from their home internet connection, hotel, etc. However, I guess that if it were related to the problem and 192.168.x.x addresses weren't on the SORBS_DUL, I might have the same symptoms as I do now.
mdeneen
Posts: 43
Joined: Fri Sep 12, 2014 10:41 pm

Post by mdeneen »

[quote user="bjquinn"]Any ideas, anyone? In addition to my 5.0.6 server that's doing this, I have a 4.5.7 server now doing the same thing, and it flags off the RCVD_IN_SORBS_DUL rule.
Why is Zimbra's SpamAssassin detecting the IP address of the internet connection that a LOCAL user connected from as being the IP address of the sending email server? If the sending address is local, then technically my Zimbra server should be considered both the "sending" and the "receiving" email server. It shouldn't consider the IP address that it receives the mail from as the "sending" IP address (to set off spam rules, blacklists, etc.) unless the sender can't successfully authenticate and send mail as a local user.
About my alternate SMTP port (8025) that I mentioned in the original post: I'm thinking that's not related to the problem anymore, however, since many users on the local network are also using port 8025 and the problem only appears to happen when a user sends an email from their home internet connection, hotel, etc. However, I guess that if it were related to the problem and 192.168.x.x addresses weren't on the SORBS_DUL, I might have the same symptoms as I do now.[/QUOTE]
I've always found this to be an odd thing with Zimbra. What I ended up doing is outlined here: Improving Anti-spam system - Zimbra :: Wiki.
I just whitelisted anything coming from my domain. It's not a perfect solution, as incoming mail with a forged From address can slip by because it will be whitelisted.
I would love to see Zimbra auto-whitelist any mail coming from the trusted network, as well as incoming mail which passed through SMTP auth.
Mark
su_A_ve
Advanced member
Posts: 173
Joined: Fri Sep 12, 2014 10:22 pm

Post by su_A_ve »

Instead of adding your own port, why not enable the SMTP submission port (587)? That is set up to force authentication regardless, and might trip less spam.
Course, other ways would be to force them to use webmail when outside and/or require VPN...
bjquinn
Advanced member
Posts: 179
Joined: Fri Sep 12, 2014 10:00 pm

Post by bjquinn »

I appreciate the suggestions. What is the SMTP submission port? What does that mean? Does anyone have any experience with using this to circumvent the problem with getting local mail marked as spam?
Is it the alternate SMTP port that causes local mail to trip spam rules, or does it happen even with port 25, or maybe even 587? I'd imagine that even if there was a problem that allowed SA to detect local mail as spam regardless of port used, then internal IPs (192.168.x.x) on the same internal network would at least not be found on the blacklists, meaning one would be less likely to notice the problem on port 25.
As for forcing the users to use webmail, I've got some CEOs, etc., that I'll have trouble talking into that. And did someone actually say VPN? :)
I'll take a look at the local domain whitelisting, but that would definitely be a last resort, for the reasons the poster (Mark) suggested.