
Issue Message is regarded as spam (but isn't spam) and then the spam report is regarded as spam

King555

Regular Pleskian
Server operating system version
Ubuntu 18.04.6 LTS x64
Plesk version and microupdate number
18.0.56 Update #2 web admin edition
Recently I got an e-mail message which was detected as spam by SpamAssassin, although it's obviously no spam. See the relevant parts of the header:

Code:
[...]
X-Spam-Status: No, score=-91.8 required=50.0 [...]
[...]
Authentication-Results: myserver.example.com;
    dmarc=pass (p=QUARANTINE sp=NONE) smtp.from=sender.example.org
 header.from=sender.example.org;
    dkim=pass header.d=sender.example.org;
    dkim=pass header.d=sender.example.net;
        spf=pass (sender IP is 0.0.0.0)
[...]

I configured my spam filter to change the subject line of spam mails and to save them to the inbox. This mail's subject was changed and the mail was attached to the spam report mail, which would be correct when it's a spam mail. But as you can see, it was not really detected as spam. Why is that?

And there was a second problem, which is much more a problem for me than the first case: the spam report itself was regarded as spam and was moved to the spam folder (where I usually don't look). See the mail header:

Code:
[...]
Authentication-Results: myserver.example.com;
    dmarc=fail (p=QUARANTINE sp=NONE) smtp.from=sender.example.org header.from=sender.example.org
X-Spam-Status: Yes, score=9.2 required=5.0 [...]
[...]

How can this be fixed? I know the article https://support.plesk.com/hc/en-us/articles/12377454166935 , but I do not have a "Return-Path" in this spam report mail (and myserver.example.com is already in /etc/psa/dmarc.conf).
 
Code:
[...]
Authentication-Results: myserver.example.com;
    dmarc=fail (p=QUARANTINE sp=NONE) smtp.from=sender.example.org header.from=sender.example.org
X-Spam-Status: Yes, score=9.2 required=5.0 [...]
[...]
It's hard to tell from the headers of the first email you posted why it got marked as spam. As headers indicate it isn't spam (it has a negative spam score and dmarc validation passed). Are you perhaps using an e-mail client (Outlook, Thunderbird, Apple Mail, etc.) with an AV tool that has a spam filter too?

The second mail has a spam score of 9.2, which is over the threshold of 5.0. Also the DMARC validation failed and the policy is set to quarantine. So that would move the email to the spam folder too. You'll have to find out why that email has such a high spam score. And also check why the DMARC validation failed. That is usually because the sender header (FROM) and envelope sender (Return-Path) don't align, or because it's not DKIM signed (or DKIM failed).
 
I use Outlook and it has a spam filter, but the mail was detected as spam and sent to the spam folder before Outlook, on server level. So this cannot be the reason.

Concerning the second mail (which is the spam report containing the first mail): There is no return-path in the header. I guess the problem is that this mail was sent internally. The complete header is much smaller than that of the original mail (the first one) and there is no DKIM signing (which is in the first mail):

Code:
Authentication-Results: myserver.example.com;
    dmarc=fail (p=QUARANTINE sp=NONE) smtp.from=sender.example.org header.from=sender.example.org
Received: from localhost by myserver.example.com
    with SpamAssassin (version 3.4.2);
    Mon, 23 Oct 2023 19:35:40 +0200
From: "Sender" <[email protected]>
To: [email protected]
Subject: ***Spam*** Subject
Date: Mon, 23 Oct 2023 19:35:14 +0200 (CEST)
Message-Id:
 <re-pOhWFrwnAsQyth9Nfo-5KV87T37-5KV8AQGJ-TMB1AXQ@sender.example.org>
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on myserver.example.com
X-Spam-Flag: YES
X-Spam-Level: *********
X-Spam-Status: Yes, score=9.2 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED,
    DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HEADER_FROM_DIFFERENT_DOMAINS,
    HTML_FONT_LOW_CONTRAST,HTML_FONT_TINY_NORDNS,HTML_IMAGE_RATIO_08,
    HTML_MESSAGE,HTML_TEXT_INVISIBLE_STYLE,MPART_ALT_DIFF,
    NORDNS_LOW_CONTRAST,RCVD_IN_DNSWL_NONE,RDNS_NONE,SPF_FAIL,
    SPF_HELO_PASS,TVD_RATWARE_MSGID_01 autolearn=no autolearn_force=no
    version=3.4.2
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_6536AEEC.7BBE2FF7"

It sounds like the problem from the linked article, but again, there is no return-path which I could whitelist.
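A header triage helper for the spam report posted above, as an added example that is not part of the original thread: it extracts the DMARC verdict, the SpamAssassin score and fired tests, and whether the message carries its own Return-Path or DKIM-Signature. The sample is constructed from the posted headers, with the test list abridged and the redacted addresses replaced by placeholder addresses; the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the posted report headers, test list abridged and the
# redacted addresses replaced by placeholder addresses.
SAMPLE = """\
Authentication-Results: myserver.example.com;
    dmarc=fail (p=QUARANTINE sp=NONE) smtp.from=sender.example.org header.from=sender.example.org
Received: from localhost by myserver.example.com
    with SpamAssassin (version 3.4.2);
    Mon, 23 Oct 2023 19:35:40 +0200
From: "Sender" <sender@sender.example.org>
Subject: ***Spam*** Subject
X-Spam-Status: Yes, score=9.2 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
    HEADER_FROM_DIFFERENT_DOMAINS,RDNS_NONE,SPF_FAIL,
    SPF_HELO_PASS autolearn=no autolearn_force=no version=3.4.2

(body omitted)
"""

def unfold(value):
    # Collapse folded continuation lines into a single line.
    return re.sub(r"\s+", " ", value or "").strip()

def triage(raw):
    msg = message_from_string(raw)
    auth = unfold(msg.get("Authentication-Results"))
    spam = unfold(msg.get("X-Spam-Status"))
    dmarc = re.search(r"\bdmarc=(\w+)", auth)
    policy = re.search(r"\bp=(\w+)", auth)
    score = re.search(r"score=(-?[\d.]+) required=(-?[\d.]+)", spam)
    tests = re.search(r"tests=([A-Z0-9_,\s]+)", spam)
    return {
        "from_domain": parseaddr(msg.get("From", ""))[1].rpartition("@")[2],
        "dmarc": dmarc.group(1) if dmarc else None,
        "policy": policy.group(1).lower() if policy else None,
        "score": float(score.group(1)) if score else None,
        "required": float(score.group(2)) if score else None,
        "tests": re.findall(r"[A-Z0-9_]+", tests.group(1)) if tests else [],
        # Headers present on this message itself, not on the attached original
        "has_return_path": "Return-Path" in msg,
        "has_dkim_signature": "DKIM-Signature" in msg,
        "local_report": "with SpamAssassin" in unfold(msg.get("Received")),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

A message with no DKIM-Signature header of its own can pass DMARC only through an aligned SPF result, so a missing signature together with SPF_FAIL on the report is worth checking first.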
 
I use Outlook and it has a spam filter, but the mail was detected as spam and sent to the spam folder before Outlook, on server level. So this cannot be the reason.
If you think it happens at server level you could always look in the mail log to see if there is anything related logged for that particular mail.

Concerning the second mail (which is the spam report containing the first mail): There is no return-path in the header. I guess the problem is that this mail was sent internally. The complete header is much smaller than that of the original mail (the first one) and there is no DKIM signing (which is in the first mail):
I am not sure why there is no return-path in the header. It could well be part of the issue.
 