• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved Cannot disable Spam Assassin

T

tollube

New Pleskian
Server operating system version
Ubuntu 18.04.6 LTS
Plesk version and microupdate number
Version 18.0.46 Update Nr. 1
Hello,
I use the external Spam Filter by Spam Experts N-Able and its working quite well.
Emails of some specific senders however land in the spam folder on the server. In the Spam Experts Logs I can see that these Mails are recognized as valid mails and they are delivered to the Plesk Mail Server.
I have disabled the Spam Assassin for every Mailbox of that domain so there should not be a Plesk as a second instance to check the mails delivered by SpamExperts.
Still these said mails end up in the Spam folder.
I even tried turning on the spam filter in plesk and set the sender domain to the whitelist of that mailbox - that didn't work either.
Why is my setting ignored?
Any ideas?
 
Can you post the header of an email on which this happened? Obscuring any sensitive data of course.
 
Last edited:
@Kaspar Thanks for your reply. Sure, here:

Code: 
Return-Path: <[email protected]>
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on www.mail.my-domain.de
X-Spam-Level:
X-Spam-Status: No, score=-101.9 required=8.0 tests=BAYES_00,DKIM_SIGNED,
    DKIM_VALID,HTML_MESSAGE,SPF_FAIL,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE,
    USER_IN_WELCOMELIST,USER_IN_WHITELIST autolearn=no autolearn_force=no
    version=3.4.2
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from out7.antispamcloud.com (out7.antispamcloud.com [1.1.1.1])
    by mail.my-domain.de (Postfix) with ESMTPS id 0CB63405D5
    for <[email protected]>; Wed, 14 Sep 2022 14:50:47 +0200 (CEST)
Authentication-Results: www.mail.my-domain.de;
    dmarc=fail (p=QUARANTINE sp=NONE) smtp.from=their-domain.com header.from=their-domain.com;
    dkim=pass header.d=suocrm.eu;
    spf=fail (sender IP is 1.1.1.1) [email protected] smtp.helo=out7.antispamcloud.com
Received-SPF: fail (www.mail.my-domain.de: domain of their-domain.com does not designate 1.1.1.1 as permitted sender) client-ip=1.1.1.1; [email protected]; helo=out7.antispamcloud.com;
Received: from m239-150.eu.mailgun.net ([3.3.3.3])
    by mx243.antispamcloud.com with esmtps (TLSv1.3:TLS_AES_256_GCM_SHA384:256)
    (Exim 4.92)
    (envelope-from <[email protected]>)
    id 1oYRqo-000L4I-EU
    for [email protected]; Wed, 14 Sep 2022 14:50:46 +0200
DKIM-Signature: a=rsa-sha256; v=1; c=relaxed/relaxed; d=suocrm.eu; q=dns/txt; s=krs;
 t=1663159846; x=1663246246; h=Content-Type: Message-Id: In-Reply-To:
 MIME-Version: Date: Subject: Subject: From: From: To: To: Sender;
 bh=HWsl7UBi6vrmAcnS5wOUmcTU3RllbbU0a4Cg6l6aOL4=; b=C88ScbBCIOZcyQ6sWzdBhM2fVUOWme8sOHFuFWuvfUczdSCBDOlOF16BMADm7N/g8TZwGqud
 4DNoae2e7capnvJqaok+tpecU6UpyK7kgWyZ6ErrNlVHpF5lKUrezmna/VZmCYjPriLQ9Rf6
 SBZe20XJukW/ZkzZXEZw6i6G1sA=
X-Mailgun-Sending-Ip: 3.3.3.3
X-Mailgun-Sid: WyI3Y2RkYSIsImIuYmVjaHRsb2ZmQGJtLWJ1ZXJvLmRlIiwiN2VjMjliIl0=
Received: from sopprov080 (<unknown> [2.2.2.2]) by
 smtp-out-n03.prod.eu-central-1.postgun.com with SMTP id
 6321ce26634faefc7a13fea0 (version=TLS1.2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256); Wed, 14 Sep 2022 12:50:45
 GMT
To: [email protected]
From: [email protected]
Subject: =?UTF-8?Q?(request=20id:1353701)=20Bestellung=20Kom.=20K?=
Date: Wed, 14 Sep 2022 14:50:44 +0200
MIME-Version: 1.0
In-Reply-To: <1.48c4643be78a19fb7e3e@SRV-APP4>
Message-Id: <[email protected]>
x-mailgun-native-send: true
X-Mailgun-Tag: request
X-Mailgun-Variables: {"Message-Id":"<[email protected]>"}
Content-Type: multipart/mixed;
    boundary="xxxxxxxxeJournal20220914145044_"
Received-SPF: pass (mx243.antispamcloud.com: domain of their-domain.com designates 3.3.3.3 as permitted sender) client-ip=3.3.3.3; [email protected]; helo=m239-150.eu.mailgun.net;
X-SPF-Result: mx243.antispamcloud.com: domain of their-domain.com designates 3.3.3.3 as permitted sender
Authentication-Results: mx243.antispamcloud.com;
    iprev=pass (m239-150.eu.mailgun.net) smtp.remote-ip=3.3.3.3;
    spf=pass smtp.mailfrom=their-domain.com;
    dkim=pass header.d=suocrm.eu header.s=krs header.a=rsa-sha256;
    dmarc=pass header.from=their-domain.com
Authentication-Results: antispamcloud.com; spf=pass [email protected]; dkim=pass header.i=suocrm.eu
X-Spampanel-Class: whitelisted
X-Spampanel-Evidence: sender
X-Recommended-Action: accept
X-Filter-ID: Mvzo4OR0dZXEDF/gcnlw0fk35ilLHs86xhgoLEk15gupSDasLI4SayDByyq9LIhVRJKuoL20070G
 U5Ufdh+41WqUuh2MpmQbQvmrab9RbAHqH6xvmyo++UsFY6JUjVh4IAnyBUInwH5cKn2oCMI2kMKD
 o/UuBGctowNamLfZsIaqNgIHQ5dF9dtv8nnICvNY0qV+X09B7oRIR6sG/8Z/pUSITl3F8isfnMI2
 tq4ALYllA8hdgMw+yGVCSAmTklrgIRFsicyJMEhQFtD8PLoinnOAS6PpDqCnaaznktYp5oBpb9Ra
 6iYyqQGTAaO8vx2zuR4qVHkFA/qBnpNOGwuagI40LOPRnx2C7MGkzhNII7ykDci70QkCOxa9CI+8
 v8i3KLTFpngmCzMfOMV6XuhaoSIXSl3UTtRdYJiGYUQnza62tIYCJ/n3L2uYJKWnsi81VNzK/jbu
 y1wiE3yjb0AxN99fxN2oReTDHAyOynaY0CnpM5SCjs4ZT93wVev05uHZmdySlZou9qHIGOZDEEo7
 O58ZQzrOqjAERHu4pt/Ia6w9UV4/JEARQ4EoTxbRsnFJI3gaUGN938qQrvU8KF1EfHd7dFiWOEGL
 5HSrT6MpXTXArnmjOjfvqIvZP6kJMPqJ8BrPBXDdbOC5sSdd6r5I3iy5Vo6xOiF9lxkCbdmQZuRE
 Oxg2xpxiZuRSg9WPZudySguV0TqC9t5Bx9sBk0JPud2zFWR0meLC8ekHjCmP5yYtSBcznPA39C4Y
 3lqp6xi0w2YtW8Xfdg+HyoZOc2RNlu/8dEaVV3MdhXn4rO+cCKa2a3AwamCyiLnYNjemj9LDal4Y
 wmC3OnEX06DH/u17zHU7ciFyqY7skXaE7nl+anmpWW4fIrge7Bb4BWpOiFIMc2inrIFPpsxLbi+L
 dRmYicOpyKA69LF1Ge2GaGfxmfq1liyrvfcJPyJJ/aHi+3XtNN2DREif14W1jImwY9nP8fIjQKAZ
 fI/jcX6o1g9K5ZxlFawbDxpzYifNwA/+CbHAPfcioplqpZqKJkkQlSyYGQ==
X-Report-Abuse-To: [email protected]

This is a multi-part message in MIME format.
 
The part of your header below indicates that SpamAssassin is active, but does not consider the email to be spam. Indicated by the X-Spam-Status: No part. The USER_IN_WHITELIST indicates that the sender of the email is whitelisted (hence the negative spam score score=-101.9).

Code: 
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on www.mail.my-domain.deX-Spam-Status: No, score=-101.9 required=8.0 tests=BAYES_00,DKIM_SIGNED,
    DKIM_VALID,HTML_MESSAGE,SPF_FAIL,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE,
    USER_IN_WELCOMELIST,USER_IN_WHITELIST

So SpamAssassin should not (and likely is not) moving this email to your spam folder. It's more likely that custom filter rules are moving this email to the spam folder. That could be filters either on a email client (like Thunderbird or Outlook) or in webmail.

If you're happy with your external spam filter and no longer have a need for SpamAssassin you could always uninstall SpamAssassin from server. This link contains instructions for installing SpamAssassin, but they are almost identical for uninstalling (I am sure you'll get the gist): https://www.plesk.com/kb/support/how-to-install-spamassassin-in-pleskx

But again, it doesn't seems likely that SpamAssassin is the culprit.
 
Last edited:
Thanks, thats what I thought. But I can't seem to find what moves these emails to spam.
Webmail is Roundcube we are not using it, I checked anyway but there was nothing and Outlook/Thunderbird is not uses either. Just some Software that gets Mails by POP.
But while typing this I just remembered it might be an iPad or iPhone mailclient that moves it. I will check this.
 
I checked the iPad and it seems not to be the problem. I changed the password of the mailbox to make sure no device receives mails that I'm not aware of and set it up on two devices only.
On the iPad I moved the conversation of the addresses marked as spam to the inbox folder but sadly it does not fix this issue.
 
You know what, I just noticed the SPF_FAIL in the header of your email. It makes sense for SPF to fail because all emails are routed via the servers of your external spam filter from SpamExperts. Which won't match the SPF rule specified by the sender.

Try adding spf.antispamcloud.com to the SPF local rules input field on Tools & Settings > Mail Server Settings.
 
I got the "v=spf1 include:spf.antispamcloud.com -all" SPF rule on my external DNS. But that field you described is something between my plesk server and the spamcloud server I guess.
I'll see if that fixes it and get back to you.
But what I don't understand then is why all other emails seem to be delivered perfectly fine. What happens in case of a SPF Fail ain't something the sender can specify, right?
 
tollube said:
I got the "v=spf1 include:spf.antispamcloud.com -all" SPF rule on my external DNS. But that field you described is something between my plesk server and the spamcloud server I guess.
Click to expand...
That's for the other direction, servers that are allowed to send outgoing mail with your domain on it.
tollube said:
But what I don't understand then is why all other emails seem to be delivered perfectly fine. What happens in case of a SPF Fail ain't something the sender can specify, right?
Click to expand...
Actually they can, with SPF itself (~all vs. -all) and the DMARC policy.
 
tollube said:
I'll see if that fixes it and get back to you.
Click to expand...
I have to apologize, the information in my previous post is not correct. You should use include:delivery.antispamcloud.com on the SPF local rules instead.

I am also not sure if this will solve the issue your having (ie. mails getting to your spam folder). But since the SPF check clearly fails on mail you're receiving it's an issue that need to be addressed any way. (And it coincidentally might fix your issue initial issue).
tollube said:
But what I don't understand then is why all other emails seem to be delivered perfectly fine. What happens in case of a SPF Fail ain't something the sender can specify, right?
Click to expand...
Like @mow pointed out senders can specify how strict the receiving server need to adhere to the SPF rules. Which the sender can specify in SPF record of their domain with the ~all (soft fail) or -all (fail).

Do other emails you receive that don't end up in your spam folder have the SPF status Soft Fail or Neutral in their header?
 
I was just coming back to post that it sadly didnt fix the issue but it makes sense, when the rule should be different.
I set the rule you provided. Thanks for
 
Sorry for the message above, I clicked the wrong button....

I was just coming back to post that it sadly didnt fix the issue but it makes sense, when the rule should be different.
I set the rule you provided.
1664353278943.png

They dont have two entries for "Received SPF" as the one I sent at the beginning. But in the upper Part it just says (in the middle of the lines):
spf=pass
Click to expand...
The lower one says:
Received-SPF: pass (mx255.antispamcloud.com: domain of customer2.de designates 100.132.234.94 as permitted sender) client-ip=100.132.234.94; envelope-from=[email protected]; helo=mx-relay67-hz1.antispameurope.com;
Click to expand...
But shouldnt I still be able to deceide whether I reveice the mail or not? It is not rejected also but just delivered to the spam folder...
Thanks for the information and for staying on it!
 
I'd love to make this setting but I can't because only one domain uses the antispamcloud service...
Sadly with the new entry the message from that specific sender still lands inside the spam folder.
There are very few senders that land in there, all other traffic seems valid.
 
tollube said:
Sadly with the new entry the message from that specific sender still lands inside the spam folder.
Click to expand...
Sorry to hear that. Out of curiosity, does the email still have the failed SPF status in the header?

Last thing I can think of is that there is a Dovecot Sieve filter (somewhere on your server) that moves emails from that sender (for some reason) to the spam folder. You can run the command below to search trough the Sieve filters for a particular domain (just replace example.com) and replace the search phrase (but leave the single quotes) for phrase or words you want to search for. For example search for 'fileinto' is a command used by Sieve filter rules to copy massages to another folder. I would also search for 'spam' and '@'.

Bash: 
# find /var/qmail/mailnames/example.com -type f -name '*sieve' | xargs grep 'search phrase'

Similarly you want to run the command for the /etc/dovecot/conf.d directory were server wide Dovecot config files reside. Like for example
Bash: 
# find /etc/dovecot/conf.d -type f | xargs grep 'search phrase'

If that doesn't bear any fruit I am not sure what other options there are left to investigate. You'll probably have to open a support ticket with Plesk so the support team can investigate the issue on your server.
 
Wanted to give a quick feedback. It seems like this fixed my problem.
I hope at least - if there is any news I'll get back to you here.

Thank you for your suggestions!
 
You must log in or register to reply here.

Similar threads

W
Question Mail Server configuration so it does not end up as spam?
Replies
2
Views
658
wyga
W
propz
Resolved Email Domain Blacklisting not working 100%
Replies
7
Views
2K
Kaspar
K
W
Question Backup task notification email from PMMCli-Daemon always in Junk folder
Replies
14
Views
2K
Wolfgang Reidlinger
W
E
Issue Mails from MAILER-DAEMON go to spam
Replies
0
Views
1K
empty
E
L
Resolved Default spam filter sensitivity for individual domains
Replies
1
Views
711
LevelupMedia
L
Back
Top