Email from one specific local user always moved to spam folder of another specific local user

sciadm1
Posts: 7
Joined: Tue Dec 19, 2017 1:50 pm

Email from one specific local user always moved to spam folder of another specific local user

Post by sciadm1 »

Hi,
I have a local Zimbra server 8.7.11 with 24 mailboxes and one single domain.
For several days now, I have had a specific problem with one local domain user (let's call him the SENDER) and another local domain user (the RECEIVER).
Actually, every time this SENDER sends an email to this RECEIVER, the email goes directly to the RECEIVER's SPAM folder. But this same SENDER sends emails to other local domain users without any issue.

I have tried adding the SENDER to the whitelist of the RECEIVER mailbox to see -> no change.
I have checked that no filter exists in the RECEIVER mailbox that could redirect this SENDER to the SPAM folder - no filter

However, looking through the original email header of one of the spammed emails, I can see something that seems strange to me under the X-Spam-Status:

score=x -> I didn't find any explanation about a value of "x" so far
WHITELISTED -> makes me think that the sender is recognized as whitelisted (yes, I did it)

The original email header: (I have substituted username of email addresses by "SENDER" & "RECEIVER" and the domain name by "mydomain.com" )

Code:

Return-Path: SENDER@mydomain.com
Received: from mail1.mydomain.local (LHLO mail.mydomain.com)
 (192.168.0.6) by mail1.mydomain.local with LMTP; Thu, 11 May 2023
 11:36:11 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
	by mail.mydomain.com (Postfix) with ESMTP id E59A6280CFB
	for <RECEIVER@mydomain.com>; Thu, 11 May 2023 11:36:10 +0200 (CEST)
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level:
X-Spam-Status: No, score=x required=6.6 WHITELISTED tests=[]
	autolearn=unavailable
Authentication-Results: mail1.mydomain.local (amavisd-new);
	dkim=pass (1024-bit key) header.d=mydomain.com
Received: from mail.mydomain.com ([127.0.0.1])
	by localhost (mail1.mydomain.local [127.0.0.1]) (amavisd-new, port 10032)
	with ESMTP id SzDTC0nZL3PX for <RECEIVER@mydomain.com>;
	Thu, 11 May 2023 11:36:10 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
	by mail.mydomain.com (Postfix) with ESMTP id BFDB3280D0F
	for <RECEIVER@mydomain.com>; Thu, 11 May 2023 11:36:10 +0200 (CEST)
DKIM-Filter: OpenDKIM Filter v2.10.3 mail.mydomain.com BFDB3280D0F
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mydomain.com;
	s=70E5F1CA-0D8D-11E7-9F80-37328B28EDE3; t=1683797770;
	bh=1ZC5awymHXhmoHeuQTnNyzpN7ld6V3b7cG1M52EnFxE=;
	h=Date:From:To:Message-ID:MIME-Version;
	b=2GFNHCJU+GnpTIZBkmk2vqc4gCCP95fGNBScijuJ2CFRl4iN96KW49oMgnLmbEZMO
	 1E6SOZKocHyosWkjDFVrhhBJEBwliUP54ETroRNmE9E9ro3Ajxj0jtVldhlK1iKafU
	 L63fbEwxAmz9oGhgD71otsWXVpzA3MHPRVMHpaQ8=
X-Virus-Scanned: amavisd-new at mail1.mydomain.local
Received: from mail.mydomain.com ([127.0.0.1])
	by localhost (mail1.mydomain.local [127.0.0.1]) (amavisd-new, port 10026)
	with ESMTP id pWmlS12CcUsy for <RECEIVER@mydomain.com>;
	Thu, 11 May 2023 11:36:10 +0200 (CEST)
Received: from mail1.mydomain.local (mail1.mydomain.local [192.168.0.6])
	by mail.mydomain.com (Postfix) with ESMTP id A447D280CFB
	for <RECEIVER@mydomain.com>; Thu, 11 May 2023 11:36:10 +0200 (CEST)
Date: Thu, 11 May 2023 11:36:10 +0200 (CEST)
From: SENDER <SENDER@mydomain.com>
To: RECEIVER <RECEIVER@mydomain.com>
Message-ID: <77982319.213695.1683797770586.JavaMail.zimbra@mydomain.com>
Subject: test
MIME-Version: 1.0
Content-Type: multipart/alternative; 
	boundary="=_8d89b280-2002-480e-b330-c063882df1de"
X-Originating-IP: [192.168.0.6]
X-Mailer: Zimbra 8.7.11_GA_3800 (ZimbraWebClient - GC113 (Win)/8.7.11_GA_3800)
Thread-Index: ovI1MSarikC7SbvoDmtt+2rx53UE6Q==
Thread-Topic: test

--=_8d89b280-2002-480e-b330-c063882df1de
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

In the /var/log/zimbra.log I have found the same email sent ... (same SENDER & RECEIVER substitution)

Code:

May 11 09:14:46 mail1 postfix/smtpd[21784]: NOQUEUE: filter: RCPT from mail1.mydomain.local[192.168.0.6]: <SENDER@mydomain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<SENDER@mydomain.com> to=<RECEIVER@mydomain.com> proto=ESMTP helo=<mail1.mydomain.local>
May 11 09:14:46 mail1 amavis[16535]: (16535-01) ESMTP [127.0.0.1]:10026 /opt/zimbra/data/amavisd/tmp/amavis-20230511T091446-16535-HxLQHDh0: <SENDER@mydomain.com> -> <RECEIVER@mydomain.com> Received: from mail.mydomain.com ([127.0.0.1]) by localhost (mail1.mydomain.com [127.0.0.1]) (amavisd-new, port 10026) with ESMTP for <RECEIVER@mydomain.com>; Thu, 11 May 2023 09:14:46 +0200 (CEST)
May 11 09:14:46 mail1 amavis[16535]: (16535-01) Checking: SCHbAMaCj6bP ORIGINATING/MYNETS [192.168.0.6] <SENDER@mydomain.com> -> <RECEIVER@mydomain.com>
May 11 09:14:46 mail1 amavis[16535]: (16535-01) collect banned table[0]: RECEIVER@mydomain.com, tables: DEFAULT=>Amavis::Lookup::RE=ARRAY(0x3921250)
May 11 09:14:46 mail1 amavis[16535]: (16535-01) p.path RECEIVER@mydomain.com: "P=p003,L=1,M=multipart/alternative | P=p001,L=1/1,M=text/plain,T=asc"
May 11 09:14:46 mail1 amavis[16535]: (16535-01) p.path RECEIVER@mydomain.com: "P=p003,L=1,M=multipart/alternative | P=p002,L=1/2,M=text/html,T=asc"
May 11 09:14:46 mail1 amavis[16535]: (16535-01) delivery method is 1, recips: RECEIVER@mydomain.com
May 11 09:14:46 mail1 amavis[16535]: (16535-01) smtp cmd> RCPT TO:<RECEIVER@mydomain.com> ORCPT=rfc822;RECEIVER@mydomain.com
May 11 09:14:46 mail1 amavis[16535]: (16535-01) smtp resp to RCPT (pip) (<RECEIVER@mydomain.com>): 250 2.1.5 Ok
May 11 09:14:46 mail1 amavis[16535]: (16535-01) smtp resp to data-dot (<RECEIVER@mydomain.com>): 250 2.0.0 Ok: queued as 58BE6280D1C, dt: 79.3 ms
May 11 09:14:46 mail1 amavis[16535]: (16535-01) SCHbAMaCj6bP FWD from <SENDER@mydomain.com> -> <RECEIVER@mydomain.com>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 58BE6280D1C
May 11 09:14:46 mail1 amavis[16535]: (16535-01) Passed CLEAN {RelayedInternal}, ORIGINATING/MYNETS LOCAL [192.168.0.6]:35966 <SENDER@mydomain.com> -> <RECEIVER@mydomain.com>, Queue-ID: 35B9D280D12, Message-ID: <513497349.203775.1683789286168.JavaMail.zimbra@mydomain.com>, mail_id: SCHbAMaCj6bP, Hits: -, size: 2612, queued_as: 58BE6280D1C, 216 ms
May 11 09:14:46 mail1 postfix/smtp[21786]: 35B9D280D12: to=<RECEIVER@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.24, delays=0.01/0.01/0.01/0.21, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 58BE6280D1C)
May 11 09:14:46 mail1 amavis[16536]: (16536-01) ESMTP [127.0.0.1]:10032 /opt/zimbra/data/amavisd/tmp/amavis-20230511T091446-16536-v8V8YnsJ: <SENDER@mydomain.com> -> <RECEIVER@mydomain.com> SIZE=3150 Received: from mail.mydomain.com ([127.0.0.1]) by localhost (mail1.mydomain.com [127.0.0.1]) (amavisd-new, port 10032) with ESMTP for <RECEIVER@mydomain.com>; Thu, 11 May 2023 09:14:46 +0200 (CEST)
May 11 09:14:46 mail1 amavis[16536]: (16536-01) Checking: FSnt1SE6_BRu ORIGINATING_POST/MYNETS [127.0.0.1] <SENDER@mydomain.com> -> <RECEIVER@mydomain.com>
May 11 09:14:46 mail1 amavis[16536]: (16536-01) collect banned table[0]: RECEIVER@mydomain.com, tables: DEFAULT=>Amavis::Lookup::RE=ARRAY(0x3921250)
May 11 09:14:46 mail1 amavis[16536]: (16536-01) p.path RECEIVER@mydomain.com: "P=p003,L=1,M=multipart/alternative | P=p001,L=1/1,M=text/plain,T=asc"
May 11 09:14:46 mail1 amavis[16536]: (16536-01) p.path RECEIVER@mydomain.com: "P=p003,L=1,M=multipart/alternative | P=p002,L=1/2,M=text/html,T=asc"
May 11 09:14:46 mail1 amavis[16536]: (16536-01) delivery method is 1, recips: RECEIVER@mydomain.com
May 11 09:14:46 mail1 amavis[16536]: (16536-01) spam-tag, <SENDER@mydomain.com> -> <RECEIVER@mydomain.com>, No, score=x required=6.6 WHITELISTED tests=[] autolearn=unavailable
May 11 09:14:46 mail1 amavis[16536]: (16536-01) smtp cmd> RCPT TO:<RECEIVER@mydomain.com> ORCPT=rfc822;RECEIVER@mydomain.com
May 11 09:14:46 mail1 amavis[16536]: (16536-01) smtp resp to RCPT (pip) (<RECEIVER@mydomain.com>): 250 2.1.5 Ok
May 11 09:14:46 mail1 amavis[16536]: (16536-01) smtp resp to data-dot (<RECEIVER@mydomain.com>): 250 2.0.0 Ok: queued as 86E9B280D20, dt: 2.7 ms
May 11 09:14:46 mail1 amavis[16536]: (16536-01) FSnt1SE6_BRu FWD from <SENDER@mydomain.com> -> <RECEIVER@mydomain.com>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 86E9B280D20
May 11 09:14:46 mail1 amavis[16536]: (16536-01) Passed CLEAN {RelayedInternal}, ORIGINATING_POST/MYNETS LOCAL [127.0.0.1]:35102 <SENDER@mydomain.com> -> <RECEIVER@mydomain.com>, Queue-ID: 58BE6280D1C, Message-ID: <513497349.203775.1683789286168.JavaMail.zimbra@mydomain.com>, mail_id: FSnt1SE6_BRu, Hits: -, size: 3591, queued_as: 86E9B280D20, dkim_sd=70E5F1CA-0D8D-11E7-9F80-37328B28EDE3:mydomain.com, 107 ms
May 11 09:14:46 mail1 postfix/smtp[21786]: 58BE6280D1C: to=<RECEIVER@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10032, delay=0.2, delays=0.08/0.01/0.01/0.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 86E9B280D20)

I'm a bit lost and would appreciate any help finding new routes to explore.

Thanks
Laurent
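
The amavis lines quoted in the post above can be reduced to a per-session verdict for one sender/recipient pair, which shows whether the content filter itself tagged the message before the mailbox side is examined. This is an added example, not part of the original thread; the function names and the sample log (including the second, spam-tagged pair) are constructed for illustration.

```python
import re

# Constructed sample in the shape of the amavis lines quoted in the post.
# The second pair (other@example.net, spam-tagged) is invented for contrast.
SAMPLE_LOG = """\
May 11 09:14:46 mail1 amavis[16536]: (16536-01) spam-tag, <SENDER@mydomain.com> -> <RECEIVER@mydomain.com>, No, score=x required=6.6 WHITELISTED tests=[] autolearn=unavailable
May 11 09:14:46 mail1 amavis[16536]: (16536-01) Passed CLEAN {RelayedInternal}, ORIGINATING_POST/MYNETS LOCAL [127.0.0.1]:35102 <SENDER@mydomain.com> -> <RECEIVER@mydomain.com>, mail_id: FSnt1SE6_BRu, Hits: -, size: 3591, 107 ms
May 11 09:20:02 mail1 amavis[16540]: (16540-03) spam-tag, <other@example.net> -> <RECEIVER@mydomain.com>, Yes, score=9.1 required=6.6 tests=[BAYES_99=3.5] autolearn=no
May 11 09:20:02 mail1 amavis[16540]: (16540-03) Passed SPAM {RelayedTaggedInbound}, [203.0.113.7]:4021 <other@example.net> -> <RECEIVER@mydomain.com>, mail_id: AbCdEf, Hits: 9.1, size: 900, 88 ms
"""

PAIR = r"<(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>"
SID = r"amavis\[\d+\]: \((?P<sid>[\d-]+)\) "
TAG_RE = re.compile(SID + r"spam-tag, " + PAIR + r", (?P<flag>Yes|No), "
                    r"score=(?P<score>\S+) required=\S+ (?P<wl>WHITELISTED )?tests=")
FINAL_RE = re.compile(SID + r"(?P<action>Passed|Blocked) (?P<cat>[A-Z-]+) .*?" + PAIR)


def amavis_verdicts(log_text, sender, rcpt):
    """Collect amavis results per session for mail from sender to rcpt."""
    want = (sender.lower(), rcpt.lower())
    sessions = {}
    for line in log_text.splitlines():
        for regex in (TAG_RE, FINAL_RE):
            m = regex.search(line)
            if not m or (m["sender"].lower(), m["rcpt"].lower()) != want:
                continue
            entry = sessions.setdefault(m["sid"], {"session": m["sid"]})
            if regex is TAG_RE:
                # "score=x" is not a number; store None instead of guessing.
                numeric = re.fullmatch(r"-?\d+(\.\d+)?", m["score"])
                entry["score"] = float(m["score"]) if numeric else None
                entry["flag"] = m["flag"]
                entry["whitelisted"] = m["wl"] is not None
            else:
                entry["final"] = f'{m["action"]} {m["cat"]}'
    return list(sessions.values())


def tagged_as_spam(verdicts):
    """True if any amavis session flagged the message or filed it as spam."""
    return any(v.get("flag") == "Yes" or "SPAM" in v.get("final", "")
               for v in verdicts)


if __name__ == "__main__":
    for v in amavis_verdicts(SAMPLE_LOG, "SENDER@mydomain.com", "RECEIVER@mydomain.com"):
        print(v)
```

On a real server the same functions can be fed the contents of /var/log/zimbra.log.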
agenis
Posts: 19
Joined: Mon Oct 28, 2019 8:04 pm

Re: Email from one specific local user always moved to spam folder of another specific local user

Post by agenis »

You can list all the attributes of the RECEIVER to see if it has something about the RECEIVER configured:

Code:

zmprov ga RECEIVER@mydomain.com|grep -i SENDER

(maybe do the same with SENDER just in case)
sciadm1
Posts: 7
Joined: Tue Dec 19, 2017 1:50 pm

Re: Email from one specific local user always moved to spam folder of another specific local user

Post by sciadm1 »

Thanks for the suggestion!
Actually, running the command with the RECEIVER I found 2 attributes related to the SENDER. Those are about the whitelist I set earlier with the Zimbra administrator GUI.

Code:

zmprov ga RECEIVER@mydomain.com | grep -i SENDER
amavisWhitelistSender: SENDER@mydomain.com
zimbraPrefMailTrustedSenderList: SENDER@mydomain.com

Running the same command to get the attributes for the SENDER, I didn't find any attribute related to the RECEIVER.

Another thing I noticed: in the SPAM folder, if I select one of the emails sent by the SENDER and mark it as "not a SPAM", the email disappears from that folder for a few seconds (moving to the Inbox folder) and reappears again in the SPAM folder.

I'm curious to hear from someone about the SpamAssassin Bayes Database (default Berkeley DB format).
- Could this be the place where a "false" token is the origin of my issue?
- Is there any way to search in the database for any token linked to an email address or mailbox?

Laurent
imanudin11
Outstanding Member
Posts: 304
Joined: Sat Sep 13, 2014 2:23 am
ZCS/ZD Version: Release 8.8.15.GA.3829.UBUNTU16.64

Re: Email from one specific local user always moved to spam folder of another specific local user

Post by imanudin11 »

sciadm1 wrote: Thu May 11, 2023 5:34 pm Thanks for the suggestion!
Actually, running the command with the RECEIVER I found 2 attributes related to the SENDER. Those are about the whitelist I set earlier with the Zimbra administrator GUI.

Code:

zmprov ga RECEIVER@mydomain.com | grep -i SENDER
amavisWhitelistSender: SENDER@mydomain.com
zimbraPrefMailTrustedSenderList: SENDER@mydomain.com

Running the same command to get the attributes for the SENDER, I didn't find any attribute related to the RECEIVER.

Another thing I noticed: in the SPAM folder, if I select one of the emails sent by the SENDER and mark it as "not a SPAM", the email disappears from that folder for a few seconds (moving to the Inbox folder) and reappears again in the SPAM folder.

I'm curious to hear from someone about the SpamAssassin Bayes Database (default Berkeley DB format).
- Could this be the place where a "false" token is the origin of my issue?
- Is there any way to search in the database for any token linked to an email address or mailbox?

Laurent

Hi,
If you are using IMAP for that account, please check mailbox.log. I have a similar issue and the problem is caused by IMAP on mobile devices. It seems my user marks that email as spam from the email client on their mobile devices.

Best Regards,
Ahmad Imanudin - Sharing is Beautiful !
Personal Blog [EN] :http://www.imanudin.net
ExTechOp
Posts: 27
Joined: Wed Jan 25, 2017 2:17 pm

Re: Email from one specific local user always moved to spam folder of another specific local user

Post by ExTechOp »

imanudin11 wrote: Wed May 17, 2023 2:29 am If you are using IMAP for that account, please check mailbox.log. I have a similar issue and the problem is caused by IMAP on mobile devices. It seems my user marks that email as spam from the email client on their mobile devices.

It does not even have to be the user. I've had instances where some kind of (poorly-documented) spam filtering running on top of the remote IMAP client does things like this without any action by the user.
sciadm1
Posts: 7
Joined: Tue Dec 19, 2017 1:50 pm

Re: Email from one specific local user always moved to spam folder of another specific local user

Post by sciadm1 »

Thanks for your suggestion !

I'm not using IMAP for mobiles. All mobile accounts are through the "activesync" type.
To make sure, I checked the mailbox.log but I didn't find any trace of my concerned user.