legit email is considered unsolicited bulk e-mail #1471

Closed
mindrunner opened this issue Apr 25, 2020 · 17 comments
Comments

@mindrunner
Contributor

Couple of days ago, a legit email got rejected. The sender got this as reply:


was considered unsolicited bulk e-mail (UBE).

Our internal reference code for your message is 2543112-06/Q8cmmCBHhq9r

The message carried your return address, so it was either a genuine mail
from you, or a sender address was faked and your e-mail address abused
by third party, in which case we apologize for undesired notification.

We do try to minimize backscatter for more prominent cases of UBE and
for infected mail, but for less obvious cases some balance between
losing genuine mail and sending undesired backscatter is sought,
and there can be some collateral damage on either side.

First upstream SMTP client IP address: [80.237.130.84]
  wp562.webpack.hosteurope.de
According to a 'Received:' trace, the message apparently originated at:
  [80.237.130.84], wp562.webpack.hosteurope.de wp562.webpack.hosteurope.de
  [80.237.130.84]

Return-Path: <SRS0=4zXC=6I=sender.de=info@receiver.de>
From: xxx xxx <info@sender.de>
Message-ID: <392089681.1227252.1587743202363@ox.hosteurope.de>
Subject: Post

Delivery of the email was stopped!

My log says the following:

Apr 24 15:46:48 mx0 postfix/postscreen[2659970]: PASS OLD [80.237.130.84]:56258
Apr 24 15:46:49 mx0 postfix/smtpd[2660647]: connect from wp562.webpack.hosteurope.de[80.237.130.84]
Apr 24 15:46:49 mx0 postfix/smtpd[2660647]: Anonymous TLS connection established from wp562.webpack.hosteurope.de[80.237.130.84]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr 24 15:46:49 mx0 policyd-spf[2660653]: prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=80.237.130.84; helo=wp562.webpack.hosteurope.de; envelope-from=info@sender.de; receiver=<UNKNOWN> 
Apr 24 15:46:49 mx0 postfix/smtpd[2660647]: D0A57606B1: client=wp562.webpack.hosteurope.de[80.237.130.84]
Apr 24 15:46:49 mx0 postsrsd[2660659]: srs_forward: <info@sender.de> rewritten as <SRS0=4zXC=6I=sender.de=info@receiver.de>
Apr 24 15:46:49 mx0 postfix/cleanup[2660658]: D0A57606B1: message-id=<392089681.1227252.1587743202363@ox.hosteurope.de>
Apr 24 15:46:49 mx0 opendkim[340]: D0A57606B1: wp562.webpack.hosteurope.de [80.237.130.84] not internal
Apr 24 15:46:49 mx0 opendkim[340]: D0A57606B1: not authenticated
Apr 24 15:46:49 mx0 opendmarc[346]: D0A57606B1: sender.de none
Apr 24 15:46:49 mx0 postfix/qmgr[1146]: D0A57606B1: from=<SRS0=4zXC=6I=sender.de=info@receiver.de>, size=165859, nrcpt=1 (queue active)
Apr 24 15:46:50 mx0 postfix/smtpd[2660647]: disconnect from wp562.webpack.hosteurope.de[80.237.130.84] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Apr 24 15:46:52 mx0 postfix/postscreen[2659970]: DNSBL rank 5 for [217.112.142.135]:48915
Apr 24 15:46:52 mx0 postfix/postscreen[2659970]: NOQUEUE: reject: RCPT from [217.112.142.135]:48915: 550 5.7.1 Service unavailable; client [217.112.142.135] blocked using zen.spamhaus.org; from=<sorenrfpydsysheinfeld@drkhedri.com>, to=<ubs00987@ccube.de>, proto=ESMTP, helo=<recondite.drkhedri.com>
Apr 24 15:46:52 mx0 postfix/postscreen[2659970]: DISCONNECT [217.112.142.135]:48915
Apr 24 15:46:54 mx0 postfix/smtpd[2660682]: connect from localhost[127.0.0.1]
Apr 24 15:46:54 mx0 postfix/smtpd[2660682]: 21F2F619D2: client=localhost[127.0.0.1]
Apr 24 15:46:54 mx0 postsrsd[2660659]: srs_forward: <""> not rewritten: No at sign in sender address
Apr 24 15:46:54 mx0 postsrsd[2660660]: srs_reverse: <SRS0=4zXC=6I=sender.de=info@receiver.de> rewritten as <info@sender.de>
Apr 24 15:46:54 mx0 postfix/cleanup[2660658]: 21F2F619D2: message-id=<SSQ8cmmCBHhq9r@mx0.receiver.de>
Apr 24 15:46:54 mx0 postsrsd[2660660]: srs_reverse: <SRS0=4zXC=6I=sender.de=info@receiver.de> rewritten as <info@sender.de>
Apr 24 15:46:54 mx0 postfix/qmgr[1146]: 21F2F619D2: from=<>, size=5322, nrcpt=1 (queue active)
Apr 24 15:46:54 mx0 postfix/smtpd[2660682]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Apr 24 15:46:54 mx0 amavis[2543112]: (2543112-06) Blocked SPAM {BouncedInbound,Quarantined}, [80.237.130.84]:56258 [80.237.130.84] <SRS0=4zXC=6I=sender.de=info@receiver.de> -> <mail@receiver.de>, quarantine: Q/spam-Q8cmmCBHhq9r.gz, Queue-ID: D0A57606B1, Message-ID: <392089681.1227252.1587743202363@ox.hosteurope.de>, mail_id: Q8cmmCBHhq9r, Hits: 3.749, size: 166910, 4264 ms
Apr 24 15:46:54 mx0 postfix/smtp[2660661]: D0A57606B1: to=<mail@receiver.de>, orig_to=<mail@receiver.de>, relay=127.0.0.1[127.0.0.1]:10024, delay=4.8, delays=0.57/0.01/0.01/4.3, dsn=2.5.0, status=sent (250 2.5.0 Ok, id=2543112-06, BOUNCE)
Apr 24 15:46:54 mx0 postfix/qmgr[1146]: D0A57606B1: removed

SpamAssassin settings:

ENABLE_SPAMASSASSIN=1
SPAMASSASSIN_SPAM_TO_INBOX=1
SA_TAG=0.0
SA_TAG2=3.0
SA_KILL=3.0
SA_SPAM_SUBJECT=undef

Is this related to #1396 ?

Why do I not get any notification about this?

Where is the "Quarantine"?

How can I configure the mailserver to deliver such emails?
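The questions above ("where is the quarantine?", "why no notification?") can be answered from the log alone: amavis prints the quarantine file relative to its quarantine directory, and Postfix's `status=sent ... BOUNCE` line records that the content filter accepted the message and then bounced it. The following is an added example, not code from the thread or from docker-mailserver: a small parser that correlates the amavis verdict with the Postfix hand-off by queue ID and reverses the SRS0 sender so the original envelope sender is visible. The three log lines are constructed (abridged from the log in this post); the quarantine directory `/var/lib/amavis/virusmails` is assumed to be amavis's default, and the SRS reversal deliberately skips the hash/timestamp check that postsrsd performs.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: amavis's default $QUARANTINEDIR; the thread's own log line
# "mbx=/var/lib/amavis/virusmails/D/spam-D0iDJuvb9dKN.gz" is consistent with it.
QUARANTINE_DIR = "/var/lib/amavis/virusmails"

# Constructed sample: three lines abridged from the log posted in the thread.
SAMPLE_LOG = """\
Apr 24 15:46:49 mx0 postsrsd[2660659]: srs_forward: <info@sender.de> rewritten as <SRS0=4zXC=6I=sender.de=info@receiver.de>
Apr 24 15:46:54 mx0 amavis[2543112]: (2543112-06) Blocked SPAM {BouncedInbound,Quarantined}, [80.237.130.84]:56258 [80.237.130.84] <SRS0=4zXC=6I=sender.de=info@receiver.de> -> <mail@receiver.de>, quarantine: Q/spam-Q8cmmCBHhq9r.gz, Queue-ID: D0A57606B1, Message-ID: <392089681.1227252.1587743202363@ox.hosteurope.de>, mail_id: Q8cmmCBHhq9r, Hits: 3.749, size: 166910, 4264 ms
Apr 24 15:46:54 mx0 postfix/smtp[2660661]: D0A57606B1: to=<mail@receiver.de>, orig_to=<mail@receiver.de>, relay=127.0.0.1[127.0.0.1]:10024, delay=4.8, delays=0.57/0.01/0.01/4.3, dsn=2.5.0, status=sent (250 2.5.0 Ok, id=2543112-06, BOUNCE)
"""

# amavis verdict line (single recipient; multi-recipient lines list "<a>,<b>" and are not handled here).
AMAVIS_RE = re.compile(
    r"amavis\[\d+\]: \((?P<task>[\w-]+)\) (?P<verdict>Passed|Blocked) (?P<ccat>[A-Z-]+) "
    r"\{(?P<actions>[^}]*)\}, .*?<(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>,"
    r"(?: quarantine: (?P<qfile>[^,]+),)? Queue-ID: (?P<qid>[0-9A-F]+), "
    r"Message-ID: <(?P<msgid>[^>]*)>, mail_id: (?P<mail_id>\S+), Hits: (?P<hits>-?[\d.]+|-)"
)
# Postfix's hand-off to the content filter on port 10024: status=sent here means
# "amavis accepted the message", not "delivered to the mailbox"; the trailing
# BOUNCE marker in the reply text is the real outcome.
POSTFIX_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<to>[^>]*)>.*?"
    r"status=(?P<status>\w+) \((?P<detail>[^)]*)\)"
)
# SRS0=<hash>=<timestamp>=<original domain>=<original local part>@<forwarding domain>
SRS0_RE = re.compile(
    r"^SRS0=(?P<hash>[^=]+)=(?P<tt>[^=]+)=(?P<domain>[^=]+)=(?P<local>.+)@(?P<forwarder>[^@]+)$",
    re.IGNORECASE,
)


def srs_reverse(address: str) -> Optional[str]:
    """Recover the original envelope sender from an SRS0 address.
    Simplified: real postsrsd also verifies the hash and timestamp before trusting it."""
    m = SRS0_RE.match(address)
    return f"{m['local']}@{m['domain']}" if m else None


@dataclass
class BlockedMessage:
    queue_id: str
    mail_id: str
    ccat: str
    actions: List[str]
    hits: Optional[float]
    original_sender: str
    recipient: str
    quarantine_path: Optional[str]
    postfix_status: Optional[str]


def analyse(log_text: str) -> List[BlockedMessage]:
    """Correlate amavis verdicts with Postfix delivery lines by queue ID and
    report every message amavis blocked, with the file it was quarantined to."""
    verdicts: Dict[str, "re.Match"] = {}
    postfix: Dict[str, str] = {}
    for line in log_text.splitlines():
        m = AMAVIS_RE.search(line)
        if m:
            verdicts[m["qid"]] = m
            continue
        p = POSTFIX_RE.search(line)
        if p:
            postfix[p["qid"]] = f"{p['status']} ({p['detail']})"

    blocked = []
    for qid, m in verdicts.items():
        if m["verdict"] != "Blocked":
            continue
        qfile = m["qfile"]
        blocked.append(BlockedMessage(
            queue_id=qid,
            mail_id=m["mail_id"],
            ccat=m["ccat"],
            actions=m["actions"].split(","),
            hits=None if m["hits"] == "-" else float(m["hits"]),
            original_sender=srs_reverse(m["sender"]) or m["sender"],
            recipient=m["rcpt"],
            quarantine_path=f"{QUARANTINE_DIR}/{qfile}" if qfile else None,
            postfix_status=postfix.get(qid),
        ))
    return blocked


if __name__ == "__main__":
    for msg in analyse(SAMPLE_LOG):
        print(f"{msg.queue_id}: {msg.ccat} {msg.actions} hits={msg.hits} from={msg.original_sender}")
        print(f"  quarantine file: {msg.quarantine_path}")
        print(f"  postfix said:    {msg.postfix_status}")
```

Run against a real `/var/log/mail.log` this lists every quarantined message with its `.gz` path; note that Postfix itself never logs a failure for these messages, so grepping for `status=bounced` will not find them.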

@erik-wramner
Contributor

Well, as I understand it the SPAMASSASSIN_SPAM_TO_INBOX option was added in #1396? So as you have defined it to 1 you are using that fix, but the message is still bounced?

@mindrunner
Contributor Author

Well, I just found out that I am using my openarc branch, so I probably do not have the current fixes in there. Will switch to latest and report back. Is there any spam e-mail tester to reproduce this behaviour?

@mindrunner
Contributor Author

Using this to test the spam filter:
https://en.wikipedia.org/wiki/GTUBE

Using latest tag of docker-mailserver.

Seeing in the log that my message gets quarantined and not delivered:

 -> spam-quarantine, mbx=/var/lib/amavis/virusmails/D/spam-D0iDJuvb9dKN.gz

I suppose, this is NOT expected behavior, right?

@mindrunner
Contributor Author

mindrunner commented Apr 26, 2020

How can I deliver virusmails into a dedicated mailbox instead of /var/lib/amavis/virusmails/?

@mindrunner
Contributor Author

I figured out that SA_KILL=3.0 overrides SPAMASSASSIN_SPAM_TO_INBOX=1 which was not clear to me. I set SA_KILL to a very high value (10000) now and it seems that spam is delivered to my inbox and then filtered by my sieve filter to the Junk folder, which is exactly what I want.

However, I am not sure about virusmails still.

@erik-wramner
Contributor

Seems I'm lagging behind here. I can merge stable to arc if you like, or even latest but it might break things? I think that viruses will go to the quarantine with an e-mail to you that they were blocked. At least that is how the integration test works.

@mindrunner
Contributor Author

mindrunner commented Apr 27, 2020

I can merge stable to arc if you like, or even latest but it might break things?

Yeah, we could try that. However, I think the OpenARC project is pretty dead, even though they state they are not. I changed my setup so that I do not need ARC anymore at all. So not important for me, but it would be nice to keep the feature.

I think that viruses will go to the quarantine with an e-mail to you that they were blocked

  • What exactly does "quarantine" mean here? Dumped into the filesystem with no easy way to recover?
  • What does "to you" mean? Postmaster? I never receive such emails.

Edit:
More confusion.... My observations:

  • If SA_KILL gets triggered, the email will be quarantined into virusmails and I do not get any notification. Neither of which I understand. Why does spam go to virusmails? And why is there no notification on the receiver side?

  • If I send a real virus (https://www.aleph-tec.com/eicar/index.php), I am getting a notification email to postmaster@domain.com. (Even though POSTMASTER_ADDRESS is set to something else)

Oh by the way. I have CLAMAV disabled at the moment. The virus gets banned with the message

No viruses were found.

Banned name: eicar.com,UNDECIPHERABLE
Content type: Banned
Internal reference code for the message is 01151-17/FDm4prvd69M7

I am confused...

@mindrunner
Contributor Author

Alright, I am not able to answer all my previous questions, but I found a solution for myself.
I created a dedicated mailbox for the quarantine: amavis@domain.com
then in config/amavis.cf:

$clean_quarantine_to      = "amavis\@domain.com";
$virus_quarantine_to      = "amavis\@domain.com";
$banned_quarantine_to     = "amavis\@domain.com";
$bad_header_quarantine_to = "amavis\@domain.com";
$spam_quarantine_to       = "amavis\@domain.com";

This will prevent losing any mails, I suppose. Everything which is either infected or exceeds the SA_KILL threshold will be delivered to this mailbox.

@erik-wramner
Contributor

Great, perhaps you could document that in the FAQ for the future and close this then?

@mindrunner
Contributor Author

Great idea!

@mindrunner
Contributor Author

Just out of curiosity: I think there are a lot more mails blocked on my domain which do not even get checked by amavis. I think those are the IP blacklist checks which precede the actual receiving of the email.

Is there an easy way to disable this as well and/or receive them into another separate mailbox? I would be curious what's going on there. Also this would complete the FAQ entry :)

@casperklein
Member

Take a look at my comment: #1396 (comment)

@youtous
Contributor

youtous commented May 2, 2020

Nice documentation @mindrunner!

The current spamassassin filtering behavior is discussed in #1396, as SPAMASSASSIN_SPAM_TO_INBOX is currently bugged, you will not receive any spam in the mailbox. Fix: #1485.

@mindrunner
Contributor Author

Don't really understand. What is bugged? It seems quite functional here in my setup.

@youtous
Contributor

youtous commented May 3, 2020

SPAMASSASSIN_SPAM_TO_INBOX=1 wasn't working as expected: amavis/conf.d/49-docker-mailserver wasn't updated, amavis was still using $final_spam_destiny = D_BOUNCE; as spam destiny.

It seems quite functional here in my setup.

You are using SA_KILL=high value, in this case spam is always delivered (README)

SA_KILL: To inhibit this behaviour and deliver spam emails, set this to a very high value e.g. 100.0. (README.md)

It might not affect your setup because $final_spam_destiny was never used due to SA_KILL=high value.

Regarding your sieve Junk rule, it might not be required anymore if SPAMASSASSIN_SPAM_TO_INBOX=1 and MOVE_SPAM_TO_JUNK=1 are set, but I didn't try with

SA_TAG=-100000.0
SA_KILL=100000.0

With the fix, you could try just setting SPAMASSASSIN_SPAM_TO_INBOX=1 and MOVE_SPAM_TO_JUNK=1 without defining custom SA_TAG/SA_KILL/custom sieve rule, I think legit emails marked as spam will pass and will be delivered directly in the Junk folder.

Be sure to use the SA Learn cronjob in order to reduce the next false positives.
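The two explanations in this thread (SA_KILL=3.0 "overriding" SPAMASSASSIN_SPAM_TO_INBOX=1, and the fix that makes that variable actually set $final_spam_destiny = D_PASS) describe one decision tree in amavis: the tag, tag2 and kill levels decide how far a score gets, and only once the kill level is reached does $final_spam_destiny matter. The following is an added example, not code from the thread, from docker-mailserver or from amavis: it models that decision tree as I understand it and runs the numbers from this issue through it (score 3.749 against SA_TAG=0.0, SA_TAG2=3.0, SA_KILL=3.0). The mapping of SPAMASSASSIN_SPAM_TO_INBOX to D_PASS/D_BOUNCE is taken from the comment above; the rule that a killed message is still quarantined under D_PASS when $spam_quarantine_to is set is my reading of amavis and is marked as an assumption in the code.

```python
from dataclasses import dataclass, replace
from enum import Enum
from typing import Dict, Optional


class Destiny(Enum):
    """Values of amavis $final_spam_destiny."""
    D_PASS = "D_PASS"
    D_BOUNCE = "D_BOUNCE"
    D_REJECT = "D_REJECT"
    D_DISCARD = "D_DISCARD"


@dataclass(frozen=True)
class SpamPolicy:
    tag_level: float                  # $sa_tag_level_deflt   <- SA_TAG
    tag2_level: float                 # $sa_tag2_level_deflt  <- SA_TAG2
    kill_level: float                 # $sa_kill_level_deflt  <- SA_KILL
    final_spam_destiny: Destiny       # <- SPAMASSASSIN_SPAM_TO_INBOX (per the thread)
    spam_quarantine_to: Optional[str] = "spam-quarantine"  # None disables the spam quarantine


@dataclass(frozen=True)
class Outcome:
    hits: float
    spam_headers: bool   # tag level reached: X-Spam-Status/Score/Level headers added
    flagged: bool        # tag2 level reached: X-Spam-Flag: YES (what a sieve Junk rule keys on)
    killed: bool         # kill level reached: $final_spam_destiny decides what happens
    quarantined: bool
    delivered: bool
    bounced: bool


def policy_from_env(env: Dict[str, str]) -> SpamPolicy:
    """Map the docker-mailserver variables discussed in the thread to amavis settings.
    Assumption (from the comment above): SPAMASSASSIN_SPAM_TO_INBOX=1 is meant to
    produce $final_spam_destiny = D_PASS, anything else leaves D_BOUNCE."""
    to_inbox = env.get("SPAMASSASSIN_SPAM_TO_INBOX") == "1"
    return SpamPolicy(
        tag_level=float(env["SA_TAG"]),
        tag2_level=float(env["SA_TAG2"]),
        kill_level=float(env["SA_KILL"]),
        final_spam_destiny=Destiny.D_PASS if to_inbox else Destiny.D_BOUNCE,
    )


def evaluate(policy: SpamPolicy, hits: float) -> Outcome:
    """Walk the amavis thresholds for one SpamAssassin score."""
    spam_headers = hits >= policy.tag_level
    flagged = hits >= policy.tag2_level
    killed = hits >= policy.kill_level
    if not killed:
        # Below the kill level the destiny setting is never consulted: the mail is
        # delivered, at most with spam headers/flag for a sieve rule to act on.
        return Outcome(hits, spam_headers, flagged, killed=False,
                       quarantined=False, delivered=True, bounced=False)
    # Assumption: quarantining is independent of the final destiny, so a killed
    # message is quarantined even under D_PASS as long as a quarantine target is set.
    quarantined = policy.spam_quarantine_to is not None
    d = policy.final_spam_destiny
    return Outcome(hits, spam_headers, flagged, killed=True, quarantined=quarantined,
                   delivered=(d is Destiny.D_PASS), bounced=(d is Destiny.D_BOUNCE))


# Constructed scenarios built from the numbers in this issue.
THREAD_ENV = {"SA_TAG": "0.0", "SA_TAG2": "3.0", "SA_KILL": "3.0",
              "SPAMASSASSIN_SPAM_TO_INBOX": "1"}
REJECTED_HITS = 3.749  # "Hits: 3.749" from the amavis log line in the first post


def scenario_as_reported() -> Outcome:
    """Env says deliver-to-inbox, but amavis.cf was still on D_BOUNCE (the bug)."""
    p = replace(policy_from_env(THREAD_ENV), final_spam_destiny=Destiny.D_BOUNCE)
    return evaluate(p, REJECTED_HITS)


def scenario_high_kill() -> Outcome:
    """The workaround from the thread: SA_KILL=10000, so the kill level is never reached."""
    return evaluate(policy_from_env({**THREAD_ENV, "SA_KILL": "10000"}), REJECTED_HITS)


def scenario_fixed() -> Outcome:
    """After the fix: SPAMASSASSIN_SPAM_TO_INBOX=1 really yields D_PASS."""
    return evaluate(policy_from_env(THREAD_ENV), REJECTED_HITS)


if __name__ == "__main__":
    for name, fn in [("as reported", scenario_as_reported),
                     ("SA_KILL=10000", scenario_high_kill),
                     ("fixed", scenario_fixed)]:
        print(f"{name:14s} {fn()}")
```

The three scenarios make the thread's confusion concrete: with the kill level at 3.0 and the destiny stuck on D_BOUNCE, a 3.749 score is bounced and quarantined with no delivery; raising SA_KILL so high that it is never reached leaves the message flagged (X-Spam-Flag: YES) and delivered, which is why the sieve Junk rule then works; and with the fix, the same score is still killed and quarantined but also delivered.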

@mindrunner
Contributor Author

Yes, that all makes sense. Might update my config as soon as the fix is merged. sa-learn is running once a day here.
