Discussion, requests for help, suggestions and complaints..
Psi-k e-mails flagged as spam (7 replies and 1 comment)
recently, Psi-k e-mails started triggering the spam filters on the Warwick mail relays, which means that most users with a warwick.ac.uk address will have their psi-k e-mails treated as spam. I raised this issue with our IT services, and they will probably whitelist [email protected]
However, this may just be the symptom of a general issue: Psi-k e-mails look too much like spam (at least spamassassin thinks that). A typical psi-k e-mail gets the following rating:
X-Spam-Flag: YES X-Spam-Score: 6.113 X-Spam-Level: ****** X-Spam-Status: Yes, score=6.113 tagged_above=3 required=5.7 tests=[DCC_CHECK=1.1, HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.635, MIME_HTML_ONLY=1.105, RCVD_IN_DNSWL_NONE=-0.0001, RDNS_NONE=1.274, TO_NO_BRKTS_NORDNS_HTML=1.997, URIBL_BLOCKED=0.001] autolearn=disabled
So particularly the following rules cause problems:
- TO_NO_BRKTS_NORDNS_HTML - To: misformatted and no rDNS and HTML only.
- RDNS_NONE: Delivered to trusted network by a host with no rDNS.
- MIME_HTML_ONLY: Message only has text/html MIME parts
- HTML_MIME_NO_HTML_TAG: HTML-only message, but there is no HTML tag
- DCC_CHECK: Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
The latter shows you that Warwick is not the only one flagging psi-k mails as spam...
Fixing any of those issues would probably lower the spam score of psi-k to an acceptable level.
Hope that helps,
Thanks for the detailed analysis. I'll check it over tomorrow and I'll see if there's anything that can be done about this.
OK, I've changed things so that the mails now appear to come from 'psik-coord at psi-k.net' instead of 'psik-coord at dl.ac.uk'
Any emails to the former are automatically forwarded to the latter, so the people at Daresbury who deal with these things will see no change.
Hopefully that will help with your spam problem.
PS: of course the old site at psi-k.org - which also used the 'psik-coord at dl.ac.uk' address - would have had exactly the same problem.
I also note that the Daresbury Laboratory SMTP server used by the Psi-k site to send emails was listed at http://www.sorbs.net as having recently sent spam. This may in fact be nothing to do with us at all, as presumably many other people use this server. That said, I have registered on the sorbs.net site and made a delisting request.
changing the from address did not help, the rating was still the same, for the same reasons. The only effect was that it "bypassed" the whitelisting rule Warwick IT Services had added at my request. Now they added the psi-k.net address as well, so my problem (and that of other warwick.ac.uk-subscribers) is fixed.
However, our IT department also offered some feedback, which I would like to share with you:
Thanks for the problem email and full mail headers. It shows that the main (high value) spam rules being broken are do do with reverse DNS lookups, i.e. an unregistered ip address......this is a classic spammers technique hence the high score.
The line in question is:
Received: from [126.96.36.199] (helo=psi-k.net)
if you want to pass this info to them as it's not just Warwick that would be flagging these mails as spam 🙁
I would expect a line like this if all was legitimate:
Received: from ns46.supremeservers.co.uk [188.8.131.52] (helo=psi-k.net)
They may have put this line in manually rather than automatically via their mail sending software as I've just checked and the ip address does actually resolve!
Thanks and regards
Hope this helps,
Indeed - but the problem with the reverse DNS is that the Psi-k site is on a shared server - the one I rent personally and use for the other sites that I maintain (despite the Chairman's initial announcement it's never been anywhere near Finland. .) Updating the PTN record for a shared server needs to be done by the ISP (CWCS) and they won't do that.
Adding an SPF record to the DNS entry may improve things, but if the mail servers are specifically checking the PTR (which most, if not all, will do) then that probably won't help. That said, I have now added the SPF record - as long as custom rules aren't set on the receiving server that might be sufficient for previously blocked mails to go through.
The best solution might be to switch the Psi-k site to a dedicated server (where we can define the reverse DNS). I offered this when I first proposed the design of the site, but no-one showed any interest (either because it was more expensive, or because they didn't understand what I meant..). That said, I decided about three weeks ago that this was where we needed to go. I've been paying for a virtual private server since then (in addition to the shared one) and the only reason I haven't transferred everything over is because I've been too busy. Hopefully I'll get some chance to do this soon.
Thanks again for your help. Let me know if the SPF helps with anything..
unfortunately I will not be able to comment on the success of these measures. By virtue of whitelisting the sender, psi-k e-mails now bypass the spam filter on the mail relay altogether, so I don't get any spam reports.
That being said, it seems that the warwick mail relay is not impressed with the SPF record, if I understand the log correctly:
Authentication-Results: spf=fail (sender IP is 184.108.40.206) smtp.mailfrom=psi-k.net; live.warwick.ac.uk; dkim=none (message not signed) header.d=none;live.warwick.ac.uk; dmarc=none action=none header.from=psi-k.net; Received-SPF: Fail (protection.outlook.com: domain of psi-k.net does not designate 220.127.116.11 as permitted sender) receiver=protection.outlook.com; client-ip=18.104.22.168; helo=mail-relay-4.csv.warwick.ac.uk; Received: from mail-relay-4.csv.warwick.ac.uk (22.214.171.124) by DB3FFO11FD001.mail.protection.outlook.com (10.47.216.90) with Microsoft SMTP Server (TLS) id 126.96.36.199 via Frontend Transport; Wed, 3 Jun 2015 06:34:41 +0000
Maybe all of this will be better on a dedicated server. I hope you can convince the powers that be that this is indeed the way to go.
Good luck and thank you,
I'm building the dedicated server now. Hopefully it won't take too long.
This is now done - see the separate thread about the new server.