Mail received from trusted source being flagged as Junk

fr0st_byte · February 24, 2021, 4:19pm

I can receive emails from a trusted domain to my MiaB server just fine, and it’s been working fine for well over a year now. Just recently, certain emails that weren’t flagged as Junk before are now being flagged as such. I read the forum posts (I’ve been searching to try to find this, maybe I overlooked something but I’ve tried) about training SpamAssassin, but moving the mail to the inbox and such doesn’t seem to be working. I also tried manually whitelisting these domains, but it didn’t seem to work either?

Does anyone have any suggestion I could try? It’s not a huge deal, just seems like something that should be an easy enough fix. We regularly receive emails from 4-5 trusted domains, and we’d prefer them not being flagged as Junk at the server level instead of doing user filters for each one of us if possible.

Thanks!

openletter · February 24, 2021, 4:36pm

What is the spamscore in the email header? If it is lower than 5.0, then maybe a client is moving the mails to spam?

Also, you created your whitelist file in /etc/spamassassin/filename.cf? The Apache page states to use a different folder.

If you have whitelisted properly, then spamassassin should not be evaluating the email, but I have to admit I haven’t messed with this.

Note you could also make a rule that adds -100 to the score, essentially preventing any spamscore assignments from pushing the mail above 5.0.

fr0st_byte · February 24, 2021, 5:24pm

One of the messages in particular scored a 7.0, so that should mean it’s spamassassin right?

I believe I did try editing /etc/spamassassin/local.cf but I will try it again. Can you elaborate more on the -100 rule?

Thank so much.

fr0st_byte · February 24, 2021, 5:27pm

I just tried to edit that file again, adding whitelist_from *@domain.com, restarted spamassassin and no luck, still went to Junk folder.

daveteu · February 24, 2021, 7:27pm

when you type
sudo sa-learn --dump all
is it empty?

fr0st_byte · February 24, 2021, 7:40pm

No, far from it, dumped probably a thousand lines. I have no idea what these are though?

openletter · February 25, 2021, 12:15am

I just did the following:

$ nano /etc/spamassassin/my_whitelist_file.cf

I put in the file:

whitelist_from username@example.com

I then restarted stuffs because I never know exactly what to restart:

$ sudo service spamassassin restart
$ sudo service spampd restart
$ sudo service postfix restart

The example.com DMARC record uses p=reject and the sending server is not authorized under the policies of example.com.

Emails from username@example.com have the following spam scores:

* -0.0 USER_IN_WELCOMELIST user is listed in ‘welcomelist_from’
* -100 USER_IN_WHITELIST DEPRECATED: See USER_IN_WELCOMELIST

I haven’t gone to look up why WHITELIST is deprecated, but the results are what I desired.

daveteu · February 25, 2021, 6:32am

Interesting - 7826 – Improve language around whitelist/blacklist and master/slave

Guess they are moving away from the old terminology of Master and Slave Servers, as well as White and BlackList, and I trust we all know the reasons.

fr0st_byte · February 25, 2021, 1:33pm

I then restarted stuffs because I never know exactly what to restart:
$ sudo service spamassassin restart
$ sudo service spampd restart
$ sudo service postfix restart

This seems to have worked, maybe I needed to restart more than just the spamassassin service?

X-Spam-Status: No, score=-94.9 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DMARC_NONE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,
	SPF_FAIL,SPF_HELO_NONE,USER_IN_WELCOMELIST,USER_IN_WHITELIST
	autolearn=no autolearn_force=no version=3.4.2

Seems like adding whitelist_from username@example.com to the bottom of /etc/spamassassin/local.cf then restarting those three services does the trick. I’ll do more testing from the other domains I don’t have control of and see. Thank you!

openletter · February 25, 2021, 2:25pm

I’m not sure this never gets rewritten on an update, which is why I made a separate, uniquely named file.

fr0st_byte · February 25, 2021, 2:38pm

Gotcha, hadn’t considered that. I’ll try it with a separate filename and make sure it’s all good. Thank you for your help!

zoof · March 2, 2021, 12:36am

I wonder if spamassassin penalties haven’t been changed. Emails from my public library recently started all showing up in my spam folder with:

X-Spam-Report: 
	* -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
	*      [score: 0.0000]
	*  2.0 DMARC_FAIL_NONE DMARC check failed (p=none)
	*  5.0 SPF_FAIL SPF check failed
	*  0.0 T_SPF_HELO_PERMERROR SPF: test of HELO record failed
	*      (permerror)
X-Spam-Score: 5.1

You can see that the score is 5.1 – the threshold is 5. Clearly they have a poorly configured mail server so I guess there’s nothing to do but whitelist the address.

@openletter what is your suggestion for the file for a custom whitelist? Is there anything else that need to be modified to make sure postfix sees the file?

openletter · March 2, 2021, 1:14am

You can call the file anything, though note that it seems all the files in with .cf in that folder. Just follow the instructions above that that is all you need to do.

zoof · March 2, 2021, 3:16pm

Great! Thank you, I’ve added a whitelist file and restarted services!

zoof · March 3, 2021, 3:24pm

Worked great.

I get the rationale for the change but it’s a little odd that they are issuing a deprecation warning without implementing the new option (WELCOMELIST_FROM). Apparently it is not to be implemented until version 4.x.