
False positive spam marking

Printed From: The Radio Amateurs' Emergency Network
Category: Information Systems Team
Forum Name: Web support
Forum Description: Support for the Web site and RAYNET e-mail
URL: http://forum.raynet-uk.net/forum_posts.asp?TID=1950
Printed Date: 23/May/2018 at 08:25
Software Version: Web Wiz Forums 11.10 - http://www.webwizforums.com


Topic: False positive spam marking
Posted By: g6enu
Subject: False positive spam marking
Date Posted: 21/December/2017 at 13:00
Purely for interest's sake (I don't do all that much that would be directly impacted by the things it talks about most of the time) I have registered for the Met Office "Space Weather" alerts, using my @raynet-uk.net email address.

They are arriving in my actual email server OK, but sometimes with a "[SPAM]" tag prepended to the subject line.

I have checked with my email provider, and they tell me that this tag is already there by the time anything tries talking to their systems (and, in any case, now that I think to check, the tag their servers would put on for spam would be "SPAM:" not "[SPAM]"), so either the tag is being put there by the Raynet-UK redirector or it is already on the messages before they reach there.

Could someone please give me some guidance as to where and why they are getting this tag and what can be done to stop it? Is it the Raynet-UK redirector doing it, or is it before even that gets sight of them?


-------------
Ian

G6ENU

North East Hampshire Raynet
Surrey 4x4 Response



Replies:
Posted By: 5N0AFJ/A
Date Posted: 27/December/2017 at 13:37
Why is your "Space Weather" link taking you to an ebay website?


Posted By: g6enu
Date Posted: 28/December/2017 at 13:44
Sorry, you've lost me. I didn't mention anything about links, and I didn't mention eBay.


-------------
Ian

G6ENU

North East Hampshire Raynet
Surrey 4x4 Response


Posted By: 5N0AFJ/A
Date Posted: 31/December/2017 at 12:02
Ian, If you look at your original message where you have highlighted in quotation brackets for example " http://rover.ebay.com/rover/13/0/19/DealFrame/DealFrame.cmp?bm=203&BEFID=31515&aon=%5E&MerchantID=509220&crawler_id=509220&dealId=q2ttw_Oqibdn2fmEnnE_Sw%3D%3D&url=https%3A%2F%2Fwww.superdry.com%2Fproducts%3Fproduct_id%3D3455127%26utm_source%3Debay_uk%26utm_medium%3DPrice_Comparison%26utm_campaign%3DEbay_Shopping_UK%26ebay_uk&linkin_id=8078755&Issdt=171231065550&searchID=p11.f9f4699f0647aac818f7&DealName=Superdry+Mens+Rookie+Heavy+Weather+Parka+Jacket+Black&dlprc=114.99&AR=1&NG=7&NDP=10&PN=1&ST=7&FPT=DSP&NDS=&NMS=&MRS=&PD=&brnId=14305&IsFtr=0&IsSmart=0&op=&CM=&RR=1&IsLps=0&code=&acode=200&category=&HasLink=&ND=&MN=&GR=&lnkId=&SKU=1020200500262XBZ001" rel="nofollow - Space Weather " for some reason on this website turns the "Space Weather" words into a clickable link - if you move your mouse cursor over or click on "Space Weather" you are taken to an ebay site....just saying no big thing.
All the best for the new year


Posted By: Pete G8OQG
Date Posted: 31/December/2017 at 13:13
Greetings

I could not see any link in the original post at first but now I see several links in all posts, either "space weather" or ebay, and hovering over comes up with a message saying "link added by VigLen"

curious

Pete G8OQG


-------------
73 De Pete G8OQG

Bristol and Somerset Group





Posted By: Pete G8OQG
Date Posted: 31/December/2017 at 13:15
Oops, I meant VigLink.


-------------
73 De Pete G8OQG

Bristol and Somerset Group





Posted By: g6enu
Date Posted: 01/January/2018 at 18:47
Whatever is doing that is local to the PC of whoever first sees the effect, then gets propagated forward in replies that quote the original. I think.

-------------
Ian

G6ENU

North East Hampshire Raynet
Surrey 4x4 Response


Posted By: g6enu
Date Posted: 01/January/2018 at 18:54
I've now had the same annoying false positive on an email that I know is not spam because it's my BCC of an email I wrote!

Could someone involved in the configuration and running of the forwarder PLEASE contact me to help me fix this problem. As a matter of priority.

-------------
Ian

G6ENU

North East Hampshire Raynet
Surrey 4x4 Response


Posted By: M0XJM
Date Posted: 02/January/2018 at 13:58
Hi Ian

The RAYNET mail server uses a number of techniques to determine whether an email should be marked as SPAM.  These include:

- Sender Policy Framework
- Checking of the host in the HELO command
- Checking whether the sender has valid DNS MX records
- DNS blacklists
- SURBL services

If any of these tests fails, points are added to an overall SPAM score.  Once a certain points threshold is exceeded, the mail is marked as SPAM.  These systems are imperfect and sometimes false positives result.  I will have a word with a friend over at the Met Office to see if we can make any progress on the issue, but I suspect it will have to wait until we move the email to Office 365.

Regards

James M0XJM


Posted By: g6enu
Date Posted: 04/January/2018 at 11:43
In the most recent case, the message flagged as SPAM

(a) was from g6enu@raynet-uk.net, which I know has MX records because it receives email - see point (b) below

(b) was actually the BCC: to g6enu@raynet-uk.net (hence I know it has MX records, because the message arrived)

(c) was deemed to be spam because the sending domain has no MX records - but see points (a) and (b) above

(d) carried the message-id 263807215.20180101182513@ian-gordon.me.uk, and I know that the domain ian-gordon.me.uk has MX records because it receives email every day


Full headers copied below:-

Received: (qmail 2548 invoked by uid 8); 1 Jan 2018 18:28:11 -0000
Delivered-To: g6enu-raynet@g6enu.net
Received: (qmail 2542 invoked from network); 1 Jan 2018 18:28:11 -0000
Received: from unknown (HELO spam3.interdns.co.uk) (83.170.125.6)
  by mail3.interdns.co.uk with SMTP; 1 Jan 2018 18:28:11 -0000
Received: from edge8.spam.interdns.co.uk ([77.92.64.13])
        by spam3.interdns.co.uk (8.14.3/8.14.3) with ESMTP id w01ISB2J002714
        for <raynet@g6enu.net>; Mon, 1 Jan 2018 18:28:11 GMT
Received: (qmail 19628 invoked from network); 1 Jan 2018 18:28:11 -0000
Received: from unknown (HELO smtp.raynet-uk.net) (40.69.192.99)
        by 192.168.2.208
        with ESMTPS (DHE-RSA-AES128-SHA encrypted); 1 Jan 2018 18:28:11 -0000
X-Pre-Scanned-By: Perimeter Filtering on edge8.spam.interdns.co.uk
Received: from smtp2.interdns.co.uk (smtp2.interdns.co.uk [109.123.97.26])
        by smtp.raynet-uk.net with ESMTP ; Mon, 1 Jan 2018 18:28:09 +0000
Received: (qmail 30817 invoked from network); 1 Jan 2018 18:28:09 -0000
Received: from unknown (HELO Tuvok) (ian@g6enu@176.248.248.169)
        by smtp2.interdns.co.uk
        with ESMTPSA (AES256-SHA encrypted, authenticated); 1 Jan 2018 18:28:08 -0000
Date: Mon, 1 Jan 2018 18:25:13 +0000
From: Ian Gordon <g6enu@raynet-uk.net>
Message-ID: <263807215.20180101182513@ian-gordon.me.uk>
To: Ian g7gmn <g7gmn@aol.com>
Subject: [SPAM] Re: Yateley and Alice Holt sled dog event....  very soon.
In-Reply-To: <160b0830f06-1726-2a6b2@webjas-vad172.srv.aolmail.net>
References:
        <CAP+r1gUHQadvQWJJtegLdqkXAh0sSRZAY_E7dHyh97DRymd0vw@mail.gmail.com>
        <160b0830f06-1726-2a6b2@webjas-vad172.srv.aolmail.net>
MIME-Version: 1.0
X-hMailServer-Spam: YES
X-hMailServer-Reason-1: Sender domain does not have any MX records. -
 (Score: 3)
X-hMailServer-Reason-Score: 3
X-Interdns-Message-Id: feb99168716edb66a919f057c7c1867a
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Original-Ip: 40.69.192.99
X-Scanned-In: 0.00secs
X-SA-SPAM-Flag: No
X-Spam-Score: -100/5.0 USER_IN_WHITELIST
X-Scanned-By: Spam Filtering
X-Envelope-To: raynet@g6enu.net


-------------
Ian

G6ENU

North East Hampshire Raynet
Surrey 4x4 Response
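
The headers in the post above carry two separate spam verdicts, so they can be read mechanically to see which filter set the flag and how many points it took. The following is an added example, not part of the thread and not the forum's or the mail server's own code; the function names `hmail_reasons` and `analyse` are illustrative, and the header subset is copied from the post with the intermediate hops omitted.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Subset of the headers posted above, copied verbatim (Received hops omitted).
RAW = """\
From: Ian Gordon <g6enu@raynet-uk.net>
Message-ID: <263807215.20180101182513@ian-gordon.me.uk>
Subject: [SPAM] Re: Yateley and Alice Holt sled dog event....  very soon.
X-hMailServer-Spam: YES
X-hMailServer-Reason-1: Sender domain does not have any MX records. -
 (Score: 3)
X-hMailServer-Reason-Score: 3
X-SA-SPAM-Flag: No
X-Spam-Score: -100/5.0 USER_IN_WHITELIST

"""

REASON_HDR = re.compile(r"X-hMailServer-Reason-\d+$", re.I)
SCORE = re.compile(r"\(Score:\s*(-?\d+)\)")


def hmail_reasons(msg):
    """Return [(reason text, points)] from the X-hMailServer-Reason-N headers."""
    out = []
    for name, value in msg.items():
        if REASON_HDR.match(name):
            text = " ".join(value.split())  # undo header folding
            m = SCORE.search(text)
            points = int(m.group(1)) if m else 0
            out.append((SCORE.sub("", text).rstrip(" -"), points))
    return out


def analyse(raw):
    """Summarise both filters' verdicts and the domains named in the message."""
    msg = message_from_string(raw)
    reasons = hmail_reasons(msg)
    sa_score, sa_limit = msg.get("X-Spam-Score", "0/0").split()[0].split("/")
    return {
        "subject_tagged": msg.get("Subject", "").startswith("[SPAM]"),
        "hmail_flag": msg.get("X-hMailServer-Spam", "").strip().upper() == "YES",
        "hmail_reasons": reasons,
        "hmail_total": sum(points for _, points in reasons),
        "hmail_declared": int(msg.get("X-hMailServer-Reason-Score", "-1")),
        "sa_flag": msg.get("X-SA-SPAM-Flag", "").strip().lower() == "yes",
        "sa_score": (float(sa_score), float(sa_limit)),
        "from_domain": parseaddr(msg.get("From", ""))[1].rpartition("@")[2],
        "msgid_domain": msg.get("Message-ID", "").strip("<> ").rpartition("@")[2],
    }
```

Run on these headers, the single "no MX records" reason accounts for the whole hMailServer score of 3 and that alone was enough to set the flag, while the other filter scored the same message -100 against a limit of 5.0.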


Posted By: M0XJM
Date Posted: 23/January/2018 at 19:26
I am receiving space weather alerts and they are not marked as SPAM.


Posted By: g6enu
Date Posted: 23/January/2018 at 19:48
I've just done a check, and since the beginning of December last year I have received 35 space weather alerts, of which 19 were tagged as spam.

As I said before, I know they are already so tagged before anything tries talking to my mailbox provider because of the format of the spam tag.


-------------
Ian

G6ENU

North East Hampshire Raynet
Surrey 4x4 Response


