Oversensitive Junk Mail Filter

Relatively new MiaB install and getting things going with very light mail load so far.

Just checking things out on the web interface and noticed something funny -

Not sure how the scoring works or what exactly triggered it, but I noticed that the regular “Mail-in-a-Box” usage report was in the junk folder. It’s pretty ironic that the installed spam filter tags the server’s own logs.

I don’t plan to use the web interface going forward, so I need a way to fix this, as mail tagged as junk doesn’t get pulled when I am doing POP access…

I looked at the filters and there doesn’t seem to be a whitelist option (Gmail has a ‘never tag as spam’). Are there any other methods?

Please post the header of the email.

I’m not clear that Roundcube is doing any of its own spam filtering.

I believe when you download using POP3, emails in the spam folder will not be downloaded.

I do not trust the Gmail never tag as spam option as I have observed it will begin tagging as spam again even when there is no change to the sending server. Usually this is after a little bit of time. Some of us believe Google is intentionally making things difficult for small mail servers.

Headers below.

Can confirm - Gmail will not POP3 download mail in spam folder. I found this out by just fiddling and randomly logging into webmail. Gmail isn’t really connected to this at all.

Note on headers below - I did have a change-of-server name which I thought went well but seems like the old name is still existing here and there (below masked as NEW and OLD)

Return-Path: <administrator@box.(((NEW-HOSTNAME)))>
Delivered-To: kelly@(((NEW-HOSTNAME)))
Received: from box.(((NEW-HOSTNAME))) ([127.0.0.1])
    by box.(((NEW-HOSTNAME))) with LMTP id QNHCNT3wgF5+GQAAtjj8fw
    for <kelly@(((NEW-HOSTNAME)))>; Mon, 30 Mar 2020 03:00:13 +0800
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on box.(((NEW-HOSTNAME)))
X-Spam-Flag: YES
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.6 required=5.0 tests=ALL_TRUSTED,DKIM_SIGNED,
    DKIM_VALID,DKIM_VALID_AU,FROM_FMBLA_NEWDOM,FROM_SUSPICIOUS_NTLD,
    FROM_SUSPICIOUS_NTLD_FP,HTML_MESSAGE,PDS_FRNOM_TODOM_NAKED_TO,
    PDS_FROM_NAME_TO_DOMAIN,PDS_OTHER_BAD_TLD autolearn=no
    autolearn_force=no version=3.4.2
X-Spam-Report:
    * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
    *  2.0 PDS_OTHER_BAD_TLD Untrustworthy TLDs
    *      [URI: (((NEW-HOSTNAME))) (xyz)]
    *  0.0 HTML_MESSAGE BODY: HTML included in message
    *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
    *      valid
    * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
    *      author's domain
    * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
    *  1.5 FROM_FMBLA_NEWDOM From domain was registered in last 7 days
    *  1.0 PDS_FROM_NAME_TO_DOMAIN From:name looks like To:domain
    *  0.2 FROM_SUSPICIOUS_NTLD_FP From abused NTLD
    *  0.5 FROM_SUSPICIOUS_NTLD From abused NTLD
    *  1.5 PDS_FRNOM_TODOM_NAKED_TO Naked to From name equals to Domain
X-Spam-Score: 5.6
Received: from box.(((OLD-HOSTNAME))) (localhost [127.0.0.1])
    by box.(((NEW-HOSTNAME))) (Postfix) with ESMTP id D879D7E314
    for <administrator@box.(((NEW-HOSTNAME)))>; Mon, 30 Mar 2020 03:00:03 +0800 (+08)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=box.(((NEW-HOSTNAME)));
((( DELETED A LOT OF STUFF HERE – NOT SURE IF SENSITIVE )))

Content-Type: multipart/alternative; boundary="===============2268834606941719331=="
MIME-Version: 1.0
From: "box.(((NEW-HOSTNAME)))" <administrator@box.(((NEW-HOSTNAME)))>
To: administrator@box.(((NEW-HOSTNAME)))
Subject: [box.(((NEW-HOSTNAME)))] Mail-in-a-Box Usage Report
Message-Id: <20200329190003.D879D7E314@box.(((NEW-HOSTNAME)))>
Date: Mon, 30 Mar 2020 03:00:03 +0800 (+08)

I believe the X-Spam-Report items tell most of the story. I’ve never dug into why the point values are what they are, but they do seem to be different from point values I see in my reports even for the same item. Perhaps that is part of the “learning” aspect of the filter.

At least the new domain stuff will eventually go away.

The MiaB devs configure the various spam protection tools too strictly, in my opinion, and they have so far been inflexible about changing any of it.

My only recommendation is to use IMAP. When you move an email between the Inbox and Spam folders, this trains SpamAssassin. Thus, moving from Inbox to Spam trains SpamAssassin that this email is spam. And moving emails from the Spam folder to the Inbox trains SpamAssassin that this email is not spam.

Let’s see how it plays out as the training gets better - but looking at the various lines, it does seem like there are multiple layers of penalties for the same underlying issue (the domain).

Oddly, this was just one random usage report. Others have gotten through, so there must be some learning aspect.

On the IMAP thing - does the web interface count?

Roundcube is basically a GUI for IMAP. There are some more advanced options that I’ve never touched, but by default it’s just a very simple mail client.

So the folders you see in Roundcube are just the IMAP folders. They should be the same on all devices using IMAP with a given account.

I’ve been in the habit of looking at headers for nearly every email I receive.
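
The X-Spam-Report posted earlier in the thread, parsed as an added example (not written by any poster and not Mail-in-a-Box code): it sums the per-rule scores and shows how much of the total comes from each underlying cause. The sample text is abridged from that post, and grouping rules by fragments of their names is this example's assumption.

```python
import re

# Abridged from the header posted in the thread; hostname masking kept as posted.
HEADERS = """\
X-Spam-Status: Yes, score=5.6 required=5.0
* -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
* 2.0 PDS_OTHER_BAD_TLD Untrustworthy TLDs
* [URI: (((NEW-HOSTNAME))) (xyz)]
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
* valid
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
* author's domain
* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
* 1.5 FROM_FMBLA_NEWDOM From domain was registered in last 7 days
* 1.0 PDS_FROM_NAME_TO_DOMAIN From:name looks like To:domain
* 0.2 FROM_SUSPICIOUS_NTLD_FP From abused NTLD
* 0.5 FROM_SUSPICIOUS_NTLD From abused NTLD
* 1.5 PDS_FRNOM_TODOM_NAKED_TO Naked to From name equals to Domain
"""
REQUIRED = float(re.search(r"required=([\d.]+)", HEADERS).group(1))
RULE = re.compile(r"^\s*\*\s+(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]+)\b")

def parse_report(text):
    """Return {rule: score}; wrapped description lines carry no score and are skipped."""
    return {m.group(2): float(m.group(1))
            for m in map(RULE.match, text.splitlines()) if m}

def cause(rule):
    # Assumption of this example: infer the underlying cause from the rule name.
    if "TLD" in rule or "NEWDOM" in rule:
        return "sender domain (TLD / recent registration)"
    if "TODOM" in rule or "TO_DOMAIN" in rule:
        return "From name matches To domain"
    return "other"

def by_cause(rules):
    groups = {}
    for rule, score in rules.items():
        groups[cause(rule)] = round(groups.get(cause(rule), 0) + score, 1)
    return groups

def score_without(rules, *dropped):
    return round(sum(s for r, s in rules.items() if r not in dropped), 1)

if __name__ == "__main__":
    rules = parse_report(HEADERS)
    print(score_without(rules), "of", REQUIRED, by_cause(rules))
    print("without FROM_FMBLA_NEWDOM:", score_without(rules, "FROM_FMBLA_NEWDOM"))
```

On the posted header, the four TLD and registration-age rules contribute 4.2 of the 5.6 points, and without FROM_FMBLA_NEWDOM the total is 4.1, under the 5.0 threshold.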