For a little over a week now, I have been seeing some emails coming in through Astaro that are getting tagged with *SPAM*. It seems to only be one email address, and its not all the time, about 20% of the emails from this address are tagged. Also, other emails from the same domain are fine, always.
I'm only using the SMTP proxy for emails and I have the Spam Protection section disabled.
This started happening on version 5.203, so I did the system Up2Date to 5.206. Also tried turning the Spam Protection on and setting the limits as far conservative as they go, Threshold one to 14 and Quarantine then Threshold two to 15 and Reject. I also have this email address that is having problems in the Spam Sender Whitelist. Even after all of this I'm still having problems with the subject line from this one email address being tagged with *SPAM*.
Please help. Does anyone have any ideas on what might cause this or anything else I should check?
It may not be Astaro that is tagging it as spam - a lot of ISPs use SpamAssassin as well. Check the headers to see what is being added by the scanner. For 5.206 ASL only adds x-spam-score: and x-spam-report: . Something like:
x-spam-score: 3.8 x-spam-report: 0.2 EXTRA_MPART_TYPE Header has extraneous Content-type:...type= entry 0.1 FORGED_RCVD_HELO Received: contains a forged HELO 0.1 HTML_50_60 BODY: Message is 50% to 60% HTML 1.5 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50% cf: 100 0.1 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
If you get other headers, like X-Spam-Level: , or X-Spam-Status: , it is getting tagged by something other than ASL.
You can also look at the process list - if you don't see spamd running then SpamAssassin isn't running (really shouldn't be if you have Spam Protection off).
Thanks for the response doug_p. I've now done several packet captures and your right, some other system is putting an X-Spam-Flag: YES header in the email.
The other thing I also saw though, is that Astaro is seeing that header and adding the *SPAM* to the subject line. I checked the processes and spamd is not running. Does anyone know if there is a way to stop this behavior?
Astaro is set up as the MX record for this domain, so the emails should be coming straight here and not through an ISP. Now this is what seems strange to me, the sender that this problem is effecting is from sending from AOL, and it looks like AOL is tagging it as spam outbound from their servers. Not sure if this is correct, but that what it looks like.
So I guess what I'm asking is, has anyone else seen this kind of stuff from AOL's servers and is there any way to stop Astaro from tagging the subject line when it sees that header?
I don't get a lot of email from AOL, but I havn't seen them adding that header in what I have gotten (although the may have recently started doing it).
The POP3 proxy does not show this behavior, but I confirmed that the SMTP proxy acts the same for me. ie. if I add an X-Spam-Flag: YES header to an email, the Subject gets modified and "*SPAM*" gets added. Turning Spam Protection off doesn't change the behavior.
Doesn't solve the issue, but at least it's not just you seeing it.
Here is a packet capture of one of the emails. I don't have the headers from the email message itself, I haven't gotten a bad message from this sender yet, just other people in the company have gotten them. I think this capture will show everything though, let me know if there is anything else you would like to see. This capture is from a computer on the Internet side of the Astaro firewall. At the bottom where it says "In a message dated" is the start of the body. I've ***'d out any info that might be sensitive.
Received: from L************@aol.com...by imo-m14.mx.aol.com (mail_out_v 38_r4.1.) id r.be.2ffb9d6c (4426)... for ; Tue, 30 Aug 2005 16:26:38 -0400 (EDT)..From: L************@aol.com..Message-ID: ..Date: Tue, 30 Aug 2005 16:26:38 EDT..Subject: Re: B*******..To: M***@*****.com..M IME-Version: 1.0..Content-Type: multipart/alternative; boundary="------------------- ----------1125433598"..X-Mailer: 9.0 Security Edition for Windows sub 5009..X-Spam-F lag: YES......-------------------------------1125433598..Content-Type: text/plain; c harset="US-ASCII"..Content-Transfer-Encoding: 7bit.... .. ..In a message dated
It would be really nice if there was an option in the SMTP Proxy menu to control this behavior.
Here is a packet capture of one of the emails. I don't have the headers from the email message itself, I haven't gotten a bad message from this sender yet, just other people in the company have gotten them. I think this capture will show everything though, let me know if there is anything else you would like to see. This capture is from a computer on the Internet side of the Astaro firewall. At the bottom where it says "In a message dated" is the start of the body. I've ***'d out any info that might be sensitive.
Received: from L************@aol.com...by imo-m14.mx.aol.com (mail_out_v 38_r4.1.) id r.be.2ffb9d6c (4426)... for ; Tue, 30 Aug 2005 16:26:38 -0400 (EDT)..From: L************@aol.com..Message-ID: ..Date: Tue, 30 Aug 2005 16:26:38 EDT..Subject: Re: B*******..To: M***@*****.com..M IME-Version: 1.0..Content-Type: multipart/alternative; boundary="------------------- ----------1125433598"..X-Mailer: 9.0 Security Edition for Windows sub 5009..X-Spam-F lag: YES......-------------------------------1125433598..Content-Type: text/plain; c harset="US-ASCII"..Content-Transfer-Encoding: 7bit.... .. ..In a message dated
It would be really nice if there was an option in the SMTP Proxy menu to control this behavior.
It looks like the sender is using AOL's 9.0 Security Edition. They may have their spam settings agressive enough that their normal mail is getting tagged, which is a problem for the sender to resolve.
As for ASL's behavior, it may be a question for support - I wouldn't expect it to modify headers or otherwise mark messages as spam based on some other spam scanning tool of unknown reliability (especially since the X-Spam-Flag header isn't one that ASL uses).
