Questions[spam-marked](server)

I have recently started to look after a mail system where users can host their email with a web mail front end. One of the features provided is a function to set up forwarding.

The problem I am facing, and which people before me have faced, is that when users forward mail to another mailbox, such as their own gmail address, Google sees the email as coming from an unauthorized IP address.

I understand that this is due to the sender domain have set up SPF records with a "-all" flag, and my IP address clearly does not belong there.

Gmail, and other providers, as far as I understand it, then cannot tell the difference between an actual forwarded message, and a spoofed spam message, and then subsequently greylists the address of my server.

I cannot help but think someone else must have solved this before.

The forwarding is done using exim, so what I am looking for is a guide, or even just the right keywords to use to search for, for an answer to this issue.

There are clearly benefits of using a subdomain for sending email to protection domain reputation, but is this always true? What about the extreme case, where a spam domain sends every email from a distinct subdomain?

We are running a platform with + 1 Mio users who sign-up with double opt-in to nurture them and allow them to be notified etc. All notifications by email are using our main domain (example.com) that we also use for Mailers with our CRM etc.

On the other hand we have a team of 50 people who use the same domain for their business emails on G-Suite.

We understand that it is very difficult to keep sender reputation clean if you are sending + 1 Mio emails per month but checking common blacklists, spam score etc. we are fine. Nevertheless most of our email end up in the Spam folder in G-Mail (not in many other email clients) and that includes the personal business emails sent from our team members via g-suite even.

The notification that appears on the recipient in the Spam folder says: "Why is this message in spam? Lots of messages from example.com were identified as spam in the past."

Does anyone has an idea how we can resolve that?

there is two issues here:

1. How can we find out the cause for that and fix it in general for all emails sent with this domain (@example.com)
2. Even if our massive users notifications and emails (after double-optin verification) might end up in Spam, we would like to avoid that same happens with our business emails sent from G-suite as they are 1:1 conversations from our team member to providers, clients etc.

I have postfix with Spamassassin and spamass-milter configured. E-mails with score higher than 4.0 are supposed to be treated as a spam and be rejected. Here is my local.conf

rewrite_header Subject ***** SPAM _SCORE_ *****
report_safe             0
required_score          4.0
use_bayes               1
use_bayes_rules         1
bayes_auto_learn        1
skip_rbl_checks         0

And here is my master.cf for postfix:

smtp      inet  n       -       y       -       -       smtpd
    -o content_filter=spamassassin
smtp      unix  -       -       y       -       -       smtp
...
spamassassin unix -     n       n       -       -       pipe
        user=spamd argv=/usr/bin/spamc -f -e  
                  /usr/sbin/sendmail -oi -f ${sender} ${recipient}

I set in postfix header_checks that it should discard all e-mails marked as spam.

/^X-Spam-Status: Yes/ DISCARD

Also, in spamass-milter I added setting that all e-mails with score higher than 9.0 are rejected.

The thing is, after sending a proper e-mail (let's say from my personal gmail account) to the server and forwarding it (let's say to my second gmail account) the message is scoring below the threshold, but the header keeps being rewritten and given a score bigger than 4.0 -- the message is not being discarded/rejected, it's being forwarded with annoying header. So all the messages are marked with this SPAM header, despite being treated as a non-spam ones.

We use Office 365 as our primary mail provider. We have an internal mail server that we use for relaying things like reports from our SSRS, scan to inbox for old scanners, etc. It is an IIS SMTP on server 2008R2. This server is not exposed through the firewall for any service, and certainly not SMTP, and is connection restricted and relay restricted to the few internal IP addresses on our network that use it as a relay. We use this because not every device we use is capable of using the office 365 services directly (we are a nonprofit and some of our older devices are indeed quite older), along with process control equipment in our manufacturing, things that just do not allow for authenticated/TLS SMTP, to make a short story long, there are several essential conveniences that this system provides to the local network, and there should be no reason we should not be able to use the conveniences. We took all of our precautions, we have proper DNS entries for the server. I have SPF records set for its IP, the name the server advertises when it delivers resolves to its public IP. Everything has worked great for over 1.5 years (since migrating to office 365) in this configuration without issues.

Suddenly one day all mail coming form it started getting rejected, by proxy of being listed in spamhaus and CBL.abuseat, spamhaus states that they are listing by proxy of the CBL entry, CBL states we were listed for sending “staggering large volumes of spam”, they cite that server’s DNS name as being the source. Unless it is using telepathy protocols, we average about 60, and have never sent more than 100 emails in a day, and I have now over three month of captured traffic that show not a SINGLE message that did not originate from a known source, and was not destined for an address that we commonly send to (99% of which are all internal addresses anyway!) So aside from the diatribe that the “help page” spews about all the potential causes for this, how we likely been compromised, how to scan for infections in services we do not even run, etc…. We have without question verified that the claim is false, we have monitored all network traffic to and from that machine from a mirrored switch port using Wireshark, we have monitored all traffic at our border firewall, we have had our ISP confirm the same from their side, we simply are NOT sending any mail we have not explicitly wished to send. From that machine or this IP address. Yet this if now the 4th removal request I have had to process with them. I managed to get two emails from their system, as I was requesting samples of the mail that they claim to be transmitted by us, one is a verbatim copy of their “Help Page” and a request for the IP in question, the other is some chipper reply that is worded like a robot, signed “Murray”, and of no help whatsoever. It seemed that one was a canned reply to the first’s IP request stating it had been submitted for removal already.

We contacted Microsoft to find out that their connection filtering occurs prior to our admin control, meaning setting an “approved sender” is useless if the IP reputation filters disconnect us before it gets to that level. So we cannot whitelist ourselves around this. And they claim zero responsibility for using the service, or the fact that it controls mail flow between our paid service and our business network in a manner neither of us can modify. The only thing we can even conceive is that maybe one of the scan to inbox messages is being forwarded to some overzealous spam filter somewhere, and we are being flagged as being a transport method in the chain of. So I am stuck with nothing to go on, I cannot get movement out of abuseat, I cannot get Microsoft to budge, I have proof that we are being falsely listed, and no evidence to the contrary to even begin to look further into, at a complete loss for what to do other than start changing my public IP and all services dependent on it. I have dealt with open relay securing in the past, and cleaning up the fallout thereof, but this one is absolutely confirmed bogus, and no one to take it up with. But they have us by the short hairs.