# Why is good email suddenly being marked spam?
APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed


© May 2019 Anthony Lawrence

A Kerio customer asks:

Why is a lot of what for years has been good mail (like from UPS and the Washington Post) now being marked SPAM? Is it Kerio or something else?

This actually started with a 9:00 PM phone call. I let it go to voice mail because it might just be a "Give me a call tomorrow" message. This one wasn't, though, and before I even had a chance to listen to the voicemail he had followed up with multiple emails.

The emails complained that many perfectly good emails were being marked as Spam. He was quite upset, because many of these were very important. He included headers pasted from the emails and those immediately told me where the problem was.

It wasn't Kerio. I could see that right at the top of what he sent:

```
X-Envelope-To: [email protected]
X-Spam-Status: No, hits=0.0 required=4.5
 tests=AWL: -0.000,BAYES_00: -1.665,HTML_IMAGE_RATIO_08: 0.001,
 HTML_MESSAGE: 0.001,MIME_HTML_ONLY: 0.001,TOTAL_SCORE: -1.662,autolearn=ham
```

Those X-Spam lines are Kerio's and they say this mail was NOT Spam. I could also see that his Barracuda scanner was not the cause either:

```
X-Barracuda-Spam-Score: 0.00
X-Barracuda-Spam-Status: No, SCORE=0.00 using global scores of TAG_LEVEL=3.5 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=4.0 tests=HTML_IMAGE_RATIO_08, HTML_MESSAGE, MIME_HTML_ONLY
```

So where was it coming from? The header lines told the story:

```
X-SMX-Version: 2.4.4(15063) on efilter15.ore.mailhop.org
X-SMX-ID: efilter15.ore.mailhop.org m1-21532-06334
X-SMX-Session: 7FAE0986D350 (mail 1)
X-SMX-Message-Score: 40 (Regex: bombRe 'PB 40: for 67% discount'  bombRe:
 '67% discount')
X-SMX-IP-Score: 40 (Regex: bombRe 'PB 40: for 67% discount'  bombRe: '67%
X-SMX-Message-Score: 24 (HMM Probability: 1.0000)
X-SMX-IP-Score: 24 (HMM Probability: 1.0000)
X-SMX-Message-Score: 23 (Bayesian Probability: 0.96772)
X-SMX-IP-Score: 23 (Bayesian Probability: 0.96772)
X-SMX-Spam-Prob: 0.96772
X-SMX-HMM-Spam-Prob: 1.00000
X-SMX-HMM-Confidence: 0.00002
X-SMX-Tag: MessageLimit
X-SMX-Message-Totalscore: 87
X-Virus-Scanned: ClamAV using ClamSMTP
```

The mail passed through "efilter15.ore.mailhop.org", which scanned it using an apparently broken ClamAV filter. Quite unfortunately, ClamAV modifies the subject with *SPAM*, and my customer has a client rule that files such messages into Junk. That's why everything was going to Spam.

So what the heck is efilter15.ore.mailhop.org and why is his email passing through it? Well, that's a story in itself, but basically he doesn't have a static IP address and needs to pass through a server that can use a dynamic DNS service to find him. For years, that's been http://www.duocircle.com/, which uses this mailhop.org site. Apparently they recently decided to "help" their customers by installing a badly configured ClamAV service. Do I need to tell you that my customer didn't appreciate their help?

So, after a short lesson in reading mail headers, he found another site (http://www.noip.com/) to route his mail through. So far, that's been fine, but I'd rather see him get a static IP or put his Kerio in the cloud where he wouldn't need this extra step.
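The header reading described above can be scripted. This added example (not from the original article) uses Python's standard `email` module to pull the score each filtering layer recorded, the host named in `X-SMX-Version`, and the per-rule `X-SMX-Message-Score` entries; the function names are made up for illustration and the sample headers are abridged from the ones quoted above.

```python
import re
from email import message_from_string

# Headers abridged from the article; the cut-off X-SMX-IP-Score line is omitted.
SAMPLE = """\
X-Spam-Status: No, hits=0.0 required=4.5
 tests=AWL: -0.000,BAYES_00: -1.665,TOTAL_SCORE: -1.662,autolearn=ham
X-Barracuda-Spam-Score: 0.00
X-SMX-Version: 2.4.4(15063) on efilter15.ore.mailhop.org
X-SMX-Message-Score: 40 (Regex: bombRe 'PB 40: for 67% discount'  bombRe:
 '67% discount')
X-SMX-Message-Score: 24 (HMM Probability: 1.0000)
X-SMX-Message-Score: 23 (Bayesian Probability: 0.96772)
X-SMX-Message-Totalscore: 87

(body)
"""

def layer_scores(raw):
    """Score recorded by each filtering layer, keyed by the layer's name."""
    msg = message_from_string(raw)
    scores = {}
    hits = re.search(r"hits=(-?[\d.]+)", msg.get("X-Spam-Status", ""))
    if hits:
        scores["Kerio"] = float(hits.group(1))
    for layer, header in (("Barracuda", "X-Barracuda-Spam-Score"),
                          ("SMX", "X-SMX-Message-Totalscore")):
        if msg.get(header):
            scores[layer] = float(msg[header])
    return scores

def smx_rules(raw):
    """(points, reason) for every X-SMX-Message-Score header, folded or not."""
    rules = []
    for value in message_from_string(raw).get_all("X-SMX-Message-Score", []):
        m = re.match(r"(\d+) \((.*)\)$", " ".join(value.split()))
        if m:
            rules.append((int(m.group(1)), m.group(2)))
    return rules

def smx_host(raw):
    """Host named in X-SMX-Version, i.e. the relay that added the SMX headers."""
    m = re.search(r" on (\S+)", message_from_string(raw).get("X-SMX-Version", ""))
    return m.group(1) if m else None

if __name__ == "__main__":
    print(layer_scores(SAMPLE), smx_host(SAMPLE))
    for points, reason in smx_rules(SAMPLE):
        print(points, reason)
```

On the sample, the two local layers report 0.0 while the upstream relay reports 87, and the three rule entries account for that total.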
