A Kerio customer asks:
Why is a lot of what for years has been good mail (like from UPS and the Washington Post) now being marked SPAM? Is it Kerio or something else?
This actually started with a 9:00 PM phone call. I let it go to voice mail because it might just be a "Give me a call tomorrow" message. This one wasn't, though, and before I even had a chance to listen to the voicemail he had followed up with multiple emails.
The emails complained that many perfectly good emails were being marked as Spam. He was quite upset, because many of these were very important. He included headers pasted from the emails and those immediately told me where the problem was.
It wasn't Kerio. I could see that right at the top of what he sent:
X-Envelope-To: [email protected]
X-Spam-Status: No, hits=0.0 required=4.5 tests=AWL: -0.000,BAYES_00: -1.665,HTML_IMAGE_RATIO_08: 0.001, HTML_MESSAGE: 0.001,MIME_HTML_ONLY: 0.001,TOTAL_SCORE: -1.662,autolearn=ham
X-Spam-Level:
Those X-Spam lines are Kerio's and they say this mail was NOT Spam. I could also see that his Barracuda scanner was not the cause either:
X-Barracuda-Spam-Score: 0.00
X-Barracuda-Spam-Status: No, SCORE=0.00 using global scores of TAG_LEVEL=3.5 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=4.0 tests=HTML_IMAGE_RATIO_08, HTML_MESSAGE, MIME_HTML_ONLY
So where was it coming from? The header lines told the story:
X-SMX-Version: 2.4.4(15063) on efilter15.ore.mailhop.org
X-SMX-ID: efilter15.ore.mailhop.org m1-21532-06334
X-SMX-Session: 7FAE0986D350 (mail 1)
X-SMX-Detected-RIP: 184.108.40.206
X-SMX-Source-IP: 220.127.116.11
X-SMX-Message-Score: 40 (Regex: bombRe 'PB 40: for 67% discount' bombRe: '67% discount')
X-SMX-IP-Score: 40 (Regex: bombRe 'PB 40: for 67% discount' bombRe: '67% discount')
X-SMX-Message-Score: 24 (HMM Probability: 1.0000)
X-SMX-IP-Score: 24 (HMM Probability: 1.0000)
X-SMX-Message-Score: 23 (Bayesian Probability: 0.96772)
X-SMX-IP-Score: 23 (Bayesian Probability: 0.96772)
X-SMX-Spam-Prob: 0.96772
X-SMX-HMM-Spam-Prob: 1.00000
X-SMX-HMM-Confidence: 0.00002
X-SMX-Tag: MessageLimit
X-Spam-Status:yes
X-SMX-Message-Totalscore: 87
X-Virus-Scanned: ClamAV using ClamSMTP
The mail passed through "efilter15.ore.mailhop.org", where it was scanned by an apparently broken ClamAV filter. Quite unfortunately, ClamAV rewrites the subject with *SPAM*, and my customer has a client rule that files such messages into Junk. That's why everything was going to Spam.
So what the heck is efilter15.ore.mailhop.org and why is his email passing through it? Well, that's a story in itself, but basically he doesn't have a static IP address and needs to pass through a server that can use a dynamic DNS service to find him. For years, that's been http://www.duocircle.com/, which uses this mailhop.org site. Apparently they recently decided to "help" their customers by installing a badly configured ClamAV service. Do I need to tell you that my customer didn't appreciate their help?
So, after a short lesson in reading mail headers, he found another site (http://www.noip.com/) to route his mail through. So far, that's been fine, but I'd rather see him get a static IP or put his Kerio in the cloud where he wouldn't need this extra step.
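The header triage above can be scripted. The following is an added example (my own code, not Kerio's, Barracuda's or the SMX filter's): it walks the headers in the order they appear, reports each filter's yes/no verdict, pulls the scanning host out of X-SMX-Version, and checks whether the Subject carries the *SPAM* tag. The sample message is constructed from the header blocks quoted above, with a placeholder recipient and an assumed Subject line.

```python
import email
import re

# Constructed sample (not the customer's real message): the header blocks quoted in
# the post, one header per line, with a placeholder recipient and an assumed Subject.
SAMPLE_MESSAGE = """\
X-Envelope-To: user@example.invalid
X-Spam-Status: No, hits=0.0 required=4.5 tests=BAYES_00: -1.665,TOTAL_SCORE: -1.662,autolearn=ham
X-Barracuda-Spam-Status: No, SCORE=0.00 using global scores of TAG_LEVEL=3.5 KILL_LEVEL=4.0
X-SMX-Version: 2.4.4(15063) on efilter15.ore.mailhop.org
X-SMX-Message-Score: 40 (Regex: bombRe 'PB 40: for 67% discount' bombRe: '67% discount')
X-SMX-Tag: MessageLimit
X-Spam-Status:yes
X-SMX-Message-Totalscore: 87
X-Virus-Scanned: ClamAV using ClamSMTP
Subject: *SPAM* Your package is on its way
"""

# Headers that carry a spam verdict rather than just a score.
VERDICT_HEADERS = {"x-spam-status", "x-spam-flag", "x-barracuda-spam-status", "x-smx-tag"}


def spam_verdicts(raw):
    """Return (header, value, flagged) for every verdict header, in header order.
    Each hop prepends its headers, so the first entries belong to the last hop
    (here the customer's Kerio) and later entries to upstream relays."""
    msg = email.message_from_string(raw)
    verdicts = []
    for name, value in msg.items():
        if name.lower() not in VERDICT_HEADERS:
            continue
        v = value.strip()
        if name.lower() == "x-smx-tag":
            flagged = bool(v)  # SMX sets a tag such as MessageLimit when it acts on the mail
        else:
            flagged = v.lower().startswith(("yes", "true"))
        verdicts.append((name, v, flagged))
    return verdicts


def blame(raw):
    """Name the headers that flagged the message, the host SMX reports in
    X-SMX-Version, and whether the Subject was rewritten with a *SPAM* tag."""
    msg = email.message_from_string(raw)
    flagged_by = [name for name, _, flagged in spam_verdicts(raw) if flagged]
    host_match = re.search(r"\bon\s+(\S+)", msg.get("X-SMX-Version", ""))
    return {
        "flagged_by": flagged_by,
        "host": host_match.group(1) if host_match else None,
        "subject_tagged": (msg.get("Subject") or "").lstrip().startswith("*SPAM*"),
    }
```

Run it on the sample and the two "No" verdicts at the top (Kerio, Barracuda) are followed by the "yes" verdicts added on efilter15.ore.mailhop.org, which is exactly the reading the headers gave by eye.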
© 2015-05-07 Anthony Lawrence