Why move this spam folder

General eFa discussion
Post Reply
gotech
Posts: 7
Joined: 24 Mar 2018 23:13

Why move this spam folder

Post by gotech »

Return-Path: n06343be3f9-c3b51a6b152148208ed72a5587cb8a04-sales===valvps.com@bounce.twitter.com
Received: from mail.server.com (LHLO mail.server.com)
(12.96.123.114) by server.com with LMTP; Fri, 13 Apr 2018
19:35:38 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1])
by mail.gotechswer.com (Postfix) with ESMTP id 90FBE20B708BE
for <sales@valvps.com>; Fri, 13 Apr 2018 19:35:38 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.gotesdshs.com
X-Spam-Flag: YES
X-Spam-Score: 10.042
X-Spam-Level: **********
X-Spam-Status: Yes, score=10.042 required=6.6 tests=[DKIM_SIGNED=0.1,
DMARC_FAIL_REJECT=9, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001,
SPF_FAIL=0.919, T_DKIM_INVALID=0.01, T_KAM_HTML_FONT_INVALID=0.01,
URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: mail.gotechserver.com (amavisd-new);
dkim=fail (2048-bit key) reason="fail (body has been altered)"
header.d=twitter.com
Received: from mail.gotesdas.com ([127.0.0.1])
by localhost (mail.gotecasa.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id ZsqjPBUA5SoS for <sales@valvps.com>;
Fri, 13 Apr 2018 19:35:38 -0400 (EDT)
Received: from mail.editado.com (mail.editado.org [117.121.34.727])
by mail.gotesasacom (Postfix) with ESMTPS id 0537F20B708AA
for <sales@valvps.com>; Fri, 13 Apr 2018 19:35:38 -0400 (EDT)
X-valvps-MailScanner-EFA-Watermark: 1524267301.70213@l5pISAqmKcdunHo26eN6aw
X-valvps-MailScanner-EFA-From: n06343be3f9-c3b51a6b152148208ed72a5587cb8a04-sales===valvps.com@bounce.twitter.com
X-valvps-MailScanner-EFA: Found to be clean
X-valvps-MailScanner-EFA-ID: 86849204D2.AA238
X-valvps-MailScanner-EFA-Information: Please contact lsanchez@gotech.com.pe for more information
Received: from spring-chicken-aq.twitter.com (spring-chicken-aq.twitter.com [199.16.156.156])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mail.hostlegion.com (Postfix) with ESMTPS id 86849204D2
for <sales@valvps.com>; Fri, 13 Apr 2018 18:35:00 -0500 (-05)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=twitter.com;
s=dkim-201406; t=1523662500;
bh=BSusYGiHzTn61qvxYudOeMXiSjCNPVGQ1BISMaaMbyY=;
h=Date:From:To:Subject:MIME-Version:Content-Type:List-Unsubscribe:
Message-ID;
b=G0QwtgUIk1xDnRTX6erpTssVeQ9/Vq1EuhMpL/sFo4U4qxZ4w3V8ZprilndwuHxB2
JY0P2DzHt5KoqCneGpyWvowqY2vzRpUvwPdeX0hbNOLBplwNQkbq3R4nuVP3E4r1Ua
xu0s/uAFnk9xpqYNixXQnDBNfU3BUgMdGTLBbN44nF4XvaDLzH8pRtJWv018exmO/T
pWFk2Ea/rKUbTbpQR3fmKr4Vk86yIWmh702PC1devO3M3XUxktN+3o3AD0Q5r+uVVo
UfnAyfgsQ2G/zMYnfxtCDzoipbS0vCtOO7lbph9ztpfhb3FeB19A2TPezVaGeoIJB4
DRXYP39w8YpEg==
X-MSFBL: 5WfnHX3qzEYiGsOh/2Uat9CjqSXleOybT87ATYojBn0=|eyJyIjoic2FsZXNAdmF
sdnBzLmNvbSIsImIiOiJhdGxhLWFxbS0zNy1zcjEtQnVsay4xNzYiLCJnIjoiQnV
sayIsInUiOiJzYWxlc0B2YWx2cHMuY29tQGlpZCMjYzNiNTFhNmIxNTIxNDgyMDh
lZDcyYTU1ODdjYjhhMDRAdXNiIyMyNEAyNDRANDEzNjA0NjM4MUAwQGEyNDY3NDF
jNGJiYmU3NDAzOGIwZjUxNzdlODlmYjExMGM3NzFjMzQifQ==
Date: Fri, 13 Apr 2018 23:35:00 +0000
From: Twitter <info@twitter.com>
To: Luis Sanchez <sales@valvps.com>
Subject: =?UTF-8?Q?Sigue_a_J._Ignacio_Mart=C3=ADnez,_a_Arac?=
=?UTF-8?Q?eli_Giovanna_y_a_Paola_=F0=9F=92=9B_en_Twit...?=
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_Part_12581391_2106203691.1523662500495"
List-Unsubscribe: <https://twitter.com/i/u?t=1&listunsub=t ... 26&usbid=7>
Feedback-ID: 0040162518f58f41d1f0:15491f3b2ee48656f8e7fb2fac:none:twitterESP
Precedence: Bulk
Message-ID: <57.A4.19717.4AE31DA5@twitter.com>
User avatar
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Why move this spam folder

Post by pdwalker »

Is your question, "why did this message get moved into the spam folder"? It's because the message had a high enough spam score

X-Spam-Flag: YES
X-Spam-Score: 10.042
X-Spam-Level: **********
X-Spam-Status: Yes, score=10.042 required=6.6 tests=[
DKIM_SIGNED=0.1,
DMARC_FAIL_REJECT=9,
HTML_FONT_LOW_CONTRAST=0.001,
HTML_MESSAGE=0.001,
SPF_FAIL=0.919,
T_DKIM_INVALID=0.01,
T_KAM_HTML_FONT_INVALID=0.01,
URIBL_BLOCKED=0.001
] autolearn=no autolearn_force=no
Authentication-Results: mail.gotechserver.com (amavisd-new);
dkim=fail (2048-bit key) reason="fail (body has been altered)"
header.d=twitter.com

Your system gave it a +9 score for a DMARC failure. The dkim failed because the message was changed after the dkim signing.

So first find out why your dkim is failing, and then decide if a dmarc failure deserves a +9 score.
gotech
Posts: 7
Joined: 24 Mar 2018 23:13

Re: Why move this spam folder

Post by gotech »

Hi friend, thank you

can you tell me where I modify this

I can not find it
User avatar
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Why move this spam folder

Post by pdwalker »

Try this: do any files return results?

Code: Select all

grep DMARC_FAIL_REJECT /etc/mail/spamassassin/*
grep DMARC_FAIL_REJECT /var/lib/spamassassin/3.004001/updates_spamassassin_org/*
I suspect that if you get a hit, it should be in the first directory. Let me know.
gotech
Posts: 7
Joined: 24 Mar 2018 23:13

Re: Why move this spam folder

Post by gotech »

Code: Select all

grep DMARC_FAIL_REJECT /etc/mail/spamassassin/*
/etc/mail/spamassassin/local.cf:score DMARC_FAIL_REJECT 1.0  1.0  1.0  1.0
grep: /etc/mail/spamassassin/sa-update-keys: Is a directory
[root@mail admin]# grep DMARC_FAIL_REJECT /var/lib/spamassassin/3.004001/updates_spamassassin_org/*
User avatar
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Why move this spam folder

Post by pdwalker »

Yeah, I'm confused. You have a local rule that gives a score of 1.0, yet your spam is getting a 9.0 for that rule it seems. Something weird is going on.

Did you add this local rule, or did someone else add this rule?
gotech
Posts: 7
Joined: 24 Mar 2018 23:13

Re: Why move this spam folder

Post by gotech »

I added it, looking for information I did reload to mailscanner

but it still does not work :(
User avatar
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Why move this spam folder

Post by pdwalker »

I'm stumped. Without access to your system, I cannot debug the problem further.

Are you still getting messages coming in with DMARC_FAIL_REJECT and a score of +9?

Did you 'service mailscanner restart' ? (I don't think that's necessary when updating the spamassassin rules, but it cannot hurt).

You might want to try to debug the message explicitly; this are the commands I use to debug messages

Code: Select all

# 20180214/spam/36BEE180F1A.A71A8
# look in /var/spool/MailScanner/quarantine/20180214/spam
MSG=36BEE180F1A.A71A8
THEDATE=20180214
DIR=/var/spool/MailScanner/quarantine/$THEDATE/spam
spamassassin -D -t < $DIR/$MSG 2>&1 |vim -
This gives me a nice long file that tells me exactly how and why spamassassin scored a message the way it scored it. Perhaps we might learn something more from doing this?
Post Reply