Out of office emails being blocked

[cyberwired]

I'm getting Out Of Office emails blocked due to no sender address:

SpamAssassin Score: 10.00
Spam Report: spam(no watermark or sender address)

Although the headers appear to be fine (note, some details removed for addresses etc)

Received: from mail.xxxxxx.co.nz (unknown [xxx.xxx.xxx.xxx])
by efa.xxxxxx.net.nz (Postfix) with ESMTP id 9F33F10013D
for <Philip.@co.nz>; Thu, 20 Feb 2014 10:27:58 +1300 (NZDT)
Received: from xxxxxxx.co.nz ([::1]) by xxxxx.co.nz ([::1]) with
Microsoft SMTP Server id 14.01.0438.000; Thu, 20 Feb 2014 10:27:48 +1300
From: Melt Louw <meltl@.co.nz>
To: Philip <Philip@.co.nz>
Subject: Automatic reply: Second test email to Melt
Thread-Topic: Second test email to Melt
Thread-Index: Ac8tua1HonOBHaEpR26LEGYFE7i+Uf///4W2
Date: Wed, 19 Feb 2014 21:27:48 +0000
Message-ID: <dcb5eda4a2b64bd184c3a0fd1be91797@CFD-EX01.cfd.co.nz>
References: <994D83486D79D84199D36B7C51A1C11555E0B236@ex1.xxxxx.local>
In-Reply-To: <994D83486D79D84199D36B7C51A1C11555E0B236@ex1.xxxxxx.local>
X-MS-Has-Attach:
X-Auto-Response-Suppress: All
X-MS-Exchange-Inbox-Rules-Loop: meltl@xxxxxx.co.nz
X-MS-TNEF-Correlator:
Content-Type: multipart/alternative;
boundary="_000_dcb5eda4a2b64bd184c3a0fd1be91797CFDEX01cfdconz_"
MIME-Version: 1.0

[shawniverson]

It your internal host whitelisted?

from: <yourhost>
to: default

[cyberwired]

Only 127.0.0.1 is whitelisted

This is coming from external parties which we've emailed and got a response back

[shawniverson]

Also, many mail servers leave the From address blank on these kind of emails (not the MIME Header From address but the actual Mail From: designation)

By default, if Mailscanner cannot

1) find the Mail From address
2) identify a valid watermark

The message will be tagged with a score of 10 and rejected as spam.

You can change this behavior in /etc/MailScanner/MailScanner.conf (but be forewarned...many spam messages fit this pattern!)

Code: Select all

Treat Invalid Watermarks With No Sender as Spam = high-scoring spam

Change to:

Code: Select all

Treat Invalid Watermarks With No Sender as Spam = nothing

[ramtech]

Firstly let me say, thanks for this awesome project.

Regarding this issue, I get the same problem. If anyone from our org emails someone who has OoO replies turned on, the returning OoO reply is blocked for the same reason. How would I go about creating a rule that identified mail that fit this overall description (OoO reply that had no valid watermark or from email address), and allow it through? Apart from the fact that Exchange generated ones normally start with "Automatic Reply:" in the subject, and they all have no valid watermark or from address, I can't seem to find other uniquely identifying characteristics. These alone don't seem to me to be unique enough to allow the traffic through. These characteristics alone would be too easy to spoof.
Here's a typical header (sanitised) that we get...

Received: from mail.xxx.de (mail.xxx.de [xx.xx.xx.xx])
by our.efa.srvr (Postfix) with ESMTP id E3497101595
for <me@us.them>; Thu, 20 Feb 2014 08:43:47 +1000 (EST)
Received: from mail.xxx.de (localhost [127.0.0.1])
by localhost (Postfix) with SMTP id 7F48B22E083
for <me@us.thrm>; Wed, 19 Feb 2014 23:43:44 +0100 (CET)
Received: from xxx.hkg.xxx.corp (xxx.hkg.xxx.corp [10.0.251.1])
by mail.xxx.de (Postfix) with ESMTP id 78E1F22E080
for <me@us.them>; Wed, 19 Feb 2014 23:43:44 +0100 (CET)
Received: from xxx.haa.xxx.corp (10.0.246.1) by
xxx.hkg.xxx.corp (10.0.251.1) with Microsoft SMTP Server (TLS) id
14.3.174.1; Wed, 19 Feb 2014 23:43:44 +0100
Received: from xxx.haa.xxx.corp ([169.xxx.1.xxx]) by
xxx.haa.xxx.corp ([169.xxx.1.xxx]) with Microsoft SMTP Server
id 14.03.0174.001; Thu, 20 Feb 2014 09:43:38 +1100
From: "A Person" <ao@xxx.com.au>
To: another person <me@us.them>
Subject: Automatic reply: xxx College
Thread-Topic: xxx College
Thread-Index: Ac8tw0HEXFhLHiGfR6u4Wj83vk596QAAMXIa
Date: Wed, 19 Feb 2014 22:43:38 +0000
Message-ID: <602fc95560544c2f896469cd4532a2c9@HAADANHQMBX001.haa.hafele.corp>
References: <BD29EB2429113B4AA86946A31A53B60505BED4701F7A@PAGESRVR.page.local>
In-Reply-To: <BD29EB2429113B4AA86946A31A53B60505BED4701F7A@PAGESRVR.page.local>
X-MS-Has-Attach:
X-Auto-Response-Suppress: All
X-MS-Exchange-Inbox-Rules-Loop: ao@xxx.com.au
X-MS-TNEF-Correlator:
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-EXCLAIMER-MD-CONFIG: 280bddd4-eb7b-4f23-b44b-7947f577e273

Any assistance greatly appreciated.
Cheers
Rodger

[shawniverson]

I am still researching this issue.

For now all you can do is set disable this function in mailscanner if receiving OoO and NDRs is important.

[cyberwired]

It certainly will be wanted, Out of office is important for business scenarios

I see in the old version instead of treat it as high or ham it specified 4, so it would get a higher setting

[ramtech]

I am still researching this issue.

For now all you can do is set disable this function in mailscanner if receiving OoO and NDRs is important.

Ta Shawn,
I personally hate OoO for the Auto Reply functionality as it just tells spammers your a live address, but it seems a widely accepted business practice so i guess i need to learn how to minimise the threat it creates.

[cyberwired]

It can be limited to send only to people only in your contact list
It may confirm to spammers but its out job to then stop it

Its very important in a business sense as it tells customers etc that you are away and who to contact instead of you or when you're back

[ramtech]

It can be limited to send only to people only in your contact list

Hi Cyberwired,
We only accept mail to live mailboxes anyway (does any use a catch all anymore?????). So this is a given.
I am not sure I agree with you about it being vital for business though. I make all my guys forward their email to their delegate if they are OoO. I have OoO Auto replies disabled for this very reason. Unnecessary traffic IMHO.

However, as mentioned previously. Yourself and many, many others disagree with my views on this and it is widely used. (blxxxy MS )
So i need to mitigate again...

[cyberwired]

I have mixed views on it but at the end of the day I work for my customers and do as they request.
Prime example, I wanted to name two phones after the position (Despatch for a freight company), yet the owner insisted the name must be there so they know who is calling, if the person changes, we change the phone name. I understand but doesn't matter what I want, it's what they want
Forwarding mail to another person doesn't always work, personal email to an extent is expected, some things are dealt with on their return etc
Usually I recommend they say they are away and for urgent support contact xxxx else it will be dealt with upon return.

Regarding valid email addresses, we have efa send email onto maybe 50 different companies, some we manage their servers, some we only provide internet support, not possible to validate emails unfortunately

[ramtech]

This topic came up in another thread.
Here is where it is currently at with tentative success. Shawn is still investigating further though i believe...
http://forum.efa-project.org/viewtopic. ... 1138#p1138

[Matthew]

Hi All,

Firstly I agree thankx for this great anti spam appliance

I know this is a very old Post but I cannot get this to work
No mater what I do the spamassassin lint test fails if I add this
I have double checked spelling etc
I must be doing something wrong
the error I get
Dec 17 14:29:24.486 [6124] warn: config: failed to parse line, skipping, in "/etc/mail/spamassassin/mailscanner.cf": Treat Invalid Watermarks With no Sender as Spam = 7
I have tried all different capitalizations etc and nothing appears to work

[shawniverson]

Dec 17 14:29:24.486 [6124] warn: config: failed to parse line, skipping, in "/etc/mail/spamassassin/mailscanner.cf": Treat Invalid Watermarks With no Sender as Spam = 7
I have tried all different capitalizations etc and nothing appears to work

Edit /etc/MailScanner/MailScanner.conf instead.

[Matthew]

Thanks Shawn

[jotaerre]

Hello to all and Merry Christmas.

I'm having a somewhat related problem.
I've WL my server's IP.
Some internal OoO pass ok, some are still Flaged as SPAM.
There isn't a patern.
Any ideas?
I'll try the MailScanner fix, but i'd rather understand why.