Second domain incoming mail - ALL spam (incorrectly)

Hi guys,

I have a MIAB set up on a dedicated Digital Ocean droplet (DO1). It’s intended to, and does (sort of), handle mail for multiple domains. I am using the included MIAB DNS.

Currently I have an email address that works perfectly that uses the primary domain (primary-domain .com) - xxxxx @ primary-domain .com

I have a second domain (secondary-domain .com) that runs a website from a second Digital Ocean droplet (DO2). Its external DNS points to DO1 and I’ve set up an A record via MIAB that points to DO2. The website works great. I have an email address set up for this secondary domain - xxxxx @ secondary-domain .com

This email also works fine with one caveat. Every single incoming email is sent to Junk! Sending is no problem and is delivered to nearly all providers successfully.

I’ve included an email header (sent from the working email xxxxx @ primary-domain .com to the one that sends everything to spam xxxxx @ secondary-domain .com) below. Obviously the lines that read “3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%” and “0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%” are of concern (and likely the issue). I can’t work out for the life of me how I stop or correct that.

Any ideas welcome. If you need me to post mxtoolbox lookups or anything else please ask. Thanks very much in advance.

Return-Path: <xxxxx @ primary-domain .com>
Delivered-To: <xxxxx @ secondary-domain .com >
Received: from box.primary-domain.com ([127.0.0.1])
    by box.primary-domain.com (Dovecot) with LMTP id SqH0Ifa8qlq5DAAAPKOv6w
    for <xxxxx @ secondary-domain .com>; Thu, 15 Mar 2018 18:35:34 +0000
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on box.primary-domain.com
X-Spam-Level: ***
X-Spam-Status: No, score=3.3 required=5.0 tests=ALL_TRUSTED,BAYES_99,BAYES_999,
    DKIM_SIGNED,HTML_IMAGE_RATIO_02,HTML_MESSAGE,T_DKIM_INVALID,T_REMOTE_IMAGE
    autolearn=no autolearn_force=no version=3.4.0
X-Spam-Report: 
    * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
    * 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
    * [score: 1.0000]
    * 0.0 HTML_MESSAGE BODY: HTML included in message
    * 0.4 HTML_IMAGE_RATIO_02 BODY: HTML has a low ratio of text to image area
    * 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
    * [score: 1.0000]
    * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
    * valid
    * 0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid
    * 0.0 T_REMOTE_IMAGE Message contains an external image
X-Spam-Score: 3.3
Received: from authenticated-user (box.primary-domain.com [159.65.22.132])
    (using TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by box.primary-domain.com (Postfix) with ESMTPSA id 40BE420415
    for <xxxxx @ secondary-domain .com>; Thu, 15 Mar 2018 18:35:33 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=2hands.co.uk; s=mail;
    t=1521138934; bh=aCjG8mf3Eu1eAW1taJYzhBzQ7gLpwgD9VjeWBPFi6/E=;
    h=From:To:Subject:Date:From;
    b=rmR/vjxHmpDYOJToXMGZSYudF6WD0w41dbipWwf/+PYVzp77nmbTMzcKBzLOBOpfE
    SgtUsBn/soYc77eNMJcxLR7kWoBSrnS8HR3SrpdjoOJcoEnGaI7SXYfaQgaHrAmDyv
    n3HM7HTo3yVdtfEcGmoT4eYTeY4r6X9+uXMBVXAE85lsgLcnCG+3ke10JdRCLCqDcs
    gPPGVbd8+6a19dtTYWknLZKAIrawYLmK+BWJW5fjiPa8OOVlp2jgH2Dvdf1RJUUz/c
    F/CCfzsCu35+wRyfNawEFzoCfx2l6D/8r4exUjB2/HQmvziTdc6MYDk/ekXKSatVEk
    /r1PCge3gyHVA==
Content-Type: multipart/alternative;
    boundary="----sinikael-?=_1-15211389331700.5676882693078369"
From: Me <xxxxx @ primary-domain .com>
To: xxxxx @ secondary-domain .com
Subject: Testing 
Message-Id: <4beeb54f-6c67-491b-a945-8c6668027fa0@2hands.co.uk>
Date: Thu, 15 Mar 2018 18:35:15 +0000
X-Cm-Message-Id:
    1521138916938786228cabc2c52a869a7e2780be4fd15a865aaabce4e53cf996561540
X-Cm-Draft-Id: WyJhIiw4LCJkcmFmdF9pZCIsIjE1MjExMzg5MTU5NTEiLCJ2IiwxXQ==
X-Cm-Tracking-Code:
    2.0/1521138915/060ccd9e8d8a97f60849c1596b210c81/8/49fa4b7a9173d8507ad7486bbd06e452/9ec66aeead3f2604536a2d036244c92c/6f2de4bd5229cf64fbd75354b4fc73d0
MIME-Version: 1.0

PS Sorry for splitting the email addresses and domains up into blocks. As a new user the forum would only allow me to post 2 links in this post

Send a user a plain text email and let me know if it works. What email client are you using to send the emails to the account?

Hi, Thanks for your reply.

I sent a plain text email from a different account (yyyyy@primary-domain.com). Still sent to Junk. I’ve put the spam report below. It’s better than before (2.6 instead of 3.3) but still not getting through.

X-Spam-Report: 
    * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
    * 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
    * [score: 1.0000]
    * 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
    * [score: 1.0000]
    * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
    * valid
    * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
    * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
    * domain
X-Spam-Score: 2.6

I used MacOS Mail for the plain text email. Newton for the previous HTML one.

It looks like the emails are getting stuck here. What is the mxtoolbox report for black lists?

EDIT: Are domain one and domain two hosted on the same MIAB or separate ones? Was domain two at any point in the same MIAB as domain one?

Hi Murgero,

MxToolBox blacklist is clear for both domains.

Both domains use the same MIAB which is running on its own Digital Ocean Droplet. Both domains have websites elsewhere. Secondary domain has an A record on MIAB DNS

The above text is what is catching your emails, I’d look into BAYES_99 when you get a moment. If possible can you re-run the setup as well to make sure you are up to date on all the applications and such?

Ok thanks. I’ll look into BAYES_99 further and also run an update. I’ll come back and update any solution/progress.

Well, I’ve still got the same problem but it’s not to do with BAYES (I don’t think). Via /etc/spamassassin/local.cf I have set use_bayes = 0

Now the email headers read as follows

X-Spam-Status: No, score=1.5 required=10.0 tests=DKIM_SIGNED,DKIM_VALID,
    DKIM_VALID_AU,FREEMAIL_FROM,HTML_IMAGE_ONLY_12,HTML_MESSAGE,
    RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,T_REMOTE_IMAGE
    autolearn=disabled version=3.4.0
X-Spam-Report: 
    * -0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)
    * [209.85.216.169 listed in wl.mailspike.net]
    * -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no
    * trust
    * [209.85.216.169 listed in list.dnswl.org]
    * 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
    * (threequid[at]gmail.com)
    * 0.0 HTML_MESSAGE BODY: HTML included in message
    * 1.6 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words
    * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
    * domain
    * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
    * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
    * valid
    * -0.0 RCVD_IN_MSPIKE_WL Mailspike good senders
    * 0.0 T_REMOTE_IMAGE Message contains an external image

Instead of

X-Spam-Status: No, score=5.7 required=10.0 tests=BAYES_99,BAYES_999,
    DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_IMAGE_ONLY_12,
    HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,
    T_REMOTE_IMAGE autolearn=no autolearn_force=no version=3.4.0
X-Spam-Report: 
    * -0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)
    * [209.85.216.173 listed in wl.mailspike.net]
    * 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
    * [score: 1.0000]
    * -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no
    * trust
    * [209.85.216.173 listed in list.dnswl.org]
    * 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
    * (threequid[at]gmail.com)
    * 0.0 HTML_MESSAGE BODY: HTML included in message
    * 2.1 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words
    * 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
    * [score: 1.0000]
    * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
    * domain
    * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
    * valid
    * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
    * -0.0 RCVD_IN_MSPIKE_WL Mailspike good senders
    * 0.0 T_REMOTE_IMAGE Message contains an external image

As you can see, the BAYES_99 and BAYES_999 tests are no longer being run so it can’t be them sending it to Junk. The theory that it’s not BAYES at fault is also confirmed as I ran a test that set the

required_score to -10

and

rewrite_header Subject *****SPAM*****

Once I had done this, messages were still sent to Junk but actually had the header prefixed with

*****SPAM***** which the other messages had not been doing.

So, if it’s not BAYES…? I am starting to think it’s Dovecot itself that’s moving the incoming messages to Junk. I don’t know how, or why. The spam score is just 1.5 in the first example above so there’s really no reason for it being sent to Junk.

Any further help would be very welcome!

I have continued to look at this issue further. I feel like I am getting close to the issue. Having studied the dovecot log I can see it is moving the email to INBOX correctly…

Mar 19 15:32:56 lmtp(2300, xxxxx @ secondary domain .com): Info: 7BtbJCbYr1r8CAAAPKOv6w: sieve: msgid=<5ab58090-95e6-49ef-aa89-930a5836fa56@gmail.com>: stored mail into mailbox 'INBOX'

Now when I look at the email that was sent (I am looking via Roundcube) the email shows up in the Inbox AND Junk.

It happens in this order…

  • Email shows up in INBOX
  • Roundcube marks the email as ‘Deleted’ and it greys out but still in INBOX list
  • Message now also appears in Junk folder

If you view the email in anything other than Roundcube the message only shows in Junk
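The two checks this thread relies on, reading SpamAssassin's own verdict from the headers and reading where Dovecot's sieve stage stored the message, can be scripted. The following is an added example, not part of the original posts or of Mail-in-a-Box; the function names are hypothetical, the address `user@secondary.example` is a placeholder, and the sample data is constructed from the header and log line quoted above.

```python
import re
from email import message_from_string

# Constructed sample: X-Spam-* fields copied from the first post, and the
# Dovecot LMTP line from the later post (address replaced by a placeholder).
# The two come from different test messages in the thread.
RAW = """\
X-Spam-Status: No, score=3.3 required=5.0 tests=ALL_TRUSTED,BAYES_99,BAYES_999,
    DKIM_SIGNED,HTML_IMAGE_RATIO_02,HTML_MESSAGE,T_DKIM_INVALID,T_REMOTE_IMAGE
    autolearn=no autolearn_force=no version=3.4.0
X-Spam-Report:
    * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
    * 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
    * [score: 1.0000]
    * 0.4 HTML_IMAGE_RATIO_02 BODY: HTML has a low ratio of text to image area
    * 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
    * [score: 1.0000]
    * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
    * valid
"""
LOG = ("Mar 19 15:32:56 lmtp(2300, user@secondary.example): Info: "
       "7BtbJCbYr1r8CAAAPKOv6w: sieve: msgid=<5ab58090-95e6-49ef-aa89-"
       "930a5836fa56@gmail.com>: stored mail into mailbox 'INBOX'")

STATUS = re.compile(r"(Yes|No), score=(-?[\d.]+) required=(-?[\d.]+)")
# Matches "* <points> <RULE>" lines; continuation lines ("* valid") do not match.
RULE = re.compile(r"^\s*\*\s+(-?\d+\.\d+)\s+([A-Z0-9_]+)", re.M)
SIEVE = re.compile(r"sieve: msgid=<[^>]*>: stored mail into mailbox '([^']+)'")

def spam_verdict(raw):
    """Return SpamAssassin's own verdict plus the share of the score due to Bayes."""
    msg = message_from_string(raw)  # default policy keeps folded values intact
    flag, score, required = STATUS.match(msg["X-Spam-Status"]).groups()
    rules = {name: float(pts) for pts, name in RULE.findall(msg["X-Spam-Report"] or "")}
    bayes = round(sum(p for n, p in rules.items() if n.startswith("BAYES_")), 1)
    return {"flagged": flag == "Yes", "score": float(score), "required": float(required),
            "bayes": bayes, "without_bayes": round(float(score) - bayes, 1)}

def sieve_mailbox(log_line):
    """Mailbox that Dovecot's sieve stage reports storing the message into, or None."""
    m = SIEVE.search(log_line)
    return m.group(1) if m else None

def triage(raw, log_line):
    v, box = spam_verdict(raw), sieve_mailbox(log_line)
    if v["flagged"]:
        return "SpamAssassin scored it over the threshold"
    if box and box.upper() != "INBOX":
        return f"sieve filed it into {box}"
    return "ham verdict and stored in INBOX: the Junk move happens after LMTP delivery"
```

The per-rule points in X-Spam-Report are rounded to one decimal, so their sum can differ slightly from the score in X-Spam-Status.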

According to this message quoted above, (RE: The last email source you sent), the following might help you as well:

https://wiki.apache.org/spamassassin/Rules/HTML_IMAGE_ONLY_12

At this point I would rebuild the server. Having to modify it this much to work past an issue shouldn’t be happening.

Thanks for your reply. I am also starting to think something’s gone pretty weird. However, the HTML_IMAGE_ONLY_12 header is one of a few (of various ratios) that are displayed on various emails in the junk box. Weirdly, the emails sent have no images at all attached or inline.

When you say rebuild… what exactly do you mean? Scrap it and go with a completely new install? or is there a way to rebuild it whilst retaining the accounts that are in place (that all work perfectly). As mentioned previously there are a number of other email addresses on the same server so I’d prefer to avoid the first of those options if at all possible.

Thanks for all your help :+1:

You can back up emails and accounts, etc. (See System -> Backups in admin panel)

Rebuild server by reinstalling Ubuntu and reinstalling MIAB.