We have people sending email just internally and it's being detected as spam. Here are the headers:
Yes, score=4.44 tagged_above=-10 required=4 tests=[BAYES_50=0.8, DOS_OUTLOOK_TO_MX=2.845, HELO_NO_DOMAIN=0.001, HTML_MESSAGE=0.001, RDNS_NONE=0.793] autolearn=no
We just upgraded to Zimbra 6.0.7. What is this DOS_OUTLOOK_TO_MX?
Any help would be appreciated.
Do you know what would cause that? I'm not sure why it would go directly to the MX. All our users are using the Outlook connector with Outlook.
I also notice that having reverse DNS set on your IPs would have brought the score low enough to pass.
Bayes is kind of high also:
I'm not sure if your spam databases got reset or something, but dragging the messages from Junk to Inbox should update the Bayes databases in the server, so in 24 hours that score should hopefully be lower.
One more thing - you may want to add your mail server or subnet to the "MTA Trusted Networks" box in the Admin Console (Servers > MTA > MTA Trusted Networks), that will add some bonus points to SpamAssassin using the ALL_TRUSTED rule if it hits only your MTA.
Thanks for the help. The MTA Trusted Networks helps when people send email from the office. Is this spam rule new? Now when people send email from home they are getting spammed because of that OUTLOOK TO MX rule.
While all the above advice is good, you may also want to vote for Bug 44384 – Bypass SA for emails sent from internal ZWC users (or provide a way to score them)
Note that the workaround in that bug does not apply in your case, because the workaround only helps when the sender's IP is in a DNSRBL and they're using ZWC or ZCO.
I'm guessing you may be using Outlook as an IMAP/SMTP client and not ZCO. If so then perhaps you are sending to the SMTP port 25 (or possibly secure SMTP port 465) and this is triggering DOS_OUTLOOK_TO_MX. And maybe if you configured Outlook to use Submission (port 587) you would not trigger the rule.
With 6.0.7, we now have local users who are sending emails to other local users with Outlook+ZCO and their mail is getting flagged as spam because of DOS_OUTLOOK_TO_MX and RCVD_IN_PBL. If I remember correctly, the former is new in 6.0.7 and the scoring of the latter increased in 6.0.7. The same emails were being scored with RCVD_IN_PBL with 6.0.6 as well, so this isn't a new problem, it's just a problem that 6.0.7 exposed because of the higher scores those same emails are now getting.
Originally Posted by akertis
This seems to be caused by the "X-Originating-IP" header that Zimbra places on emails. It records the IP address of the client that sent the email, and if that IP address is in the PBL (if it's a broadband service IP address, it almost certainly is) then you get RCVD_IN_PBL. I think DOS_OUTLOOK_TO_MX will happen regardless.
The fix for me was to disable the setting of X-Originating-IP altogether in the admin console, under Global Settings -> MTA. Now you get no score from either of those rules on your local mail.
Seems to me like it most certainly must be a bug that Zimbra would score local email on these two rules, as it's completely contrary to the point of both rules. I have a support ticket in about it.
In other news, the "Daily mail report" that Zimbra sends out each night is also now being flagged as spam with 6.0.7. Equally ridiculous.
edit: Also worth noting, I already have the "MTA Trusted Networks" set up properly. This only gets triggered by email sent from people outside the local network, where the X-Originating-IP ends up being their home IP. It happens whether they are VPN'ed in or not (ZCO works either way), because either way it slaps their home IP on as the X-Originating-IP.
No, the workaround does fix the DOS_OUTLOOK_TO_MX issue. Did for me.
Originally Posted by ewilen
I am now running 6.0.8 on Debian x64 and I have been having the exact same issue. What I want to know is when is Zimbra going to admit that the interface for filtering DNS checks is WEAK.... I get more functionality with cPanel integrated email. At least there I can adjust different whitelists to ignore checks for trusted SMTP locations. The fact that LMTP mails are being flagged should be a red alarm to Zimbra that something is definitely in need of attention.
Or if there is a recommended configuration that they can give that alleviates this without having to turn it off and open the server up to MORE SPAM.
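The spam status line quoted in the first post, broken down per rule, as an added example that is not part of the thread: it parses the line and reports which single rules, had they not fired, would have left the message under the required score (the reverse DNS point made earlier). The function names are made up for this example; the sample string is copied from the first post.

```python
import re

# Sample input: the status line as quoted in the first post of this thread.
STATUS = ("Yes, score=4.44 tagged_above=-10 required=4 tests=[BAYES_50=0.8, "
          "DOS_OUTLOOK_TO_MX=2.845, HELO_NO_DOMAIN=0.001, HTML_MESSAGE=0.001, "
          "RDNS_NONE=0.793] autolearn=no")

NUM = r"(-?\d+(?:\.\d+)?)"

def parse_status(value):
    """Return the reported score, the threshold and a {rule: score} dict."""
    score = re.search(r"\bscore=" + NUM, value)
    required = re.search(r"\brequired=" + NUM, value)
    tests = re.search(r"\btests=\[(.*?)\]", value, re.S)
    if not (score and required and tests):
        raise ValueError("not a recognisable spam status line")
    rules = {}
    for item in tests.group(1).split(","):
        name, sep, points = item.strip().partition("=")
        if sep:  # skip empty entries such as "tests=[]"
            rules[name] = float(points)
    return {"reported": float(score.group(1)),
            "required": float(required.group(1)),
            "rules": rules}

def what_if(parsed, dropped=()):
    """Total and verdict if the rules named in `dropped` had not fired."""
    total = round(sum(s for n, s in parsed["rules"].items()
                      if n not in dropped), 3)
    # A message is tagged as spam when its total reaches the threshold.
    return total, total >= parsed["required"]

def decisive_rules(parsed):
    """Rules whose removal alone brings the message under the threshold."""
    return sorted(n for n in parsed["rules"]
                  if not what_if(parsed, (n,))[1])

if __name__ == "__main__":
    p = parse_status(STATUS)
    print("as scored:", what_if(p))
    for rule in sorted(p["rules"], key=p["rules"].get, reverse=True):
        total, spam = what_if(p, (rule,))
        print(f"without {rule:<18} {total:>6} {'spam' if spam else 'passes'}")
    print("decisive on their own:", decisive_rules(p))
```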