Hi! A customer received mail from a client of his, and it landed in the "junk" folder of roundcube. However, when I look at the logs, I dont see the mail marked as junk. Do you know how I can find out where the mail gets marked as junk? Mail.log: Code: Nov 5 10:01:04 mail1 amavis[29086]: (29086-04) Passed CLEAN {RelayedInbound}, [1.2.3.4]:11744 [195.67.44.140] <[email protected]> -> <[email protected]>, Queue-ID: 7D27C20601AE, Message-ID: <[email protected]>, mail_id: epv8-k3HiBPL, Hits: -1.9, size: 13200436, queued_as: 1B3922060240, 1252 ms Nov 5 10:01:04 mail1 postfix/smtp[32422]: 7D27C20601AE: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=19, delays=18/0/0/1.3, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 1B3922060240) Nov 5 10:01:04 mail1 postfix/qmgr[21469]: 7D27C20601AE: removed Nov 5 10:01:04 mail1 dovecot: lda([email protected]): sieve: msgid=<[email protected]>: stored mail into mailbox 'INBOX' Nov 5 10:01:04 mail1 postfix/pipe[32426]: 1B3922060240: to=<[email protected]>, relay=dovecot, delay=0.66, delays=0.38/0/0/0.28, dsn=2.0.0, status=sent (delivered via dovecot service) Nov 5 10:01:04 mail1 postfix/qmgr[21469]: 1B3922060240: removed
Check the mail headers of the email if it has spam-status set to yes. If thats not the case, then take a look at the email filter rules of this mailbox, mabye there is another sieve or maildrop rule configured by this user that moved the mail. A third option is that the users uses more then one mail application to access the mailbox and a filter rule in this other impa client moved the email.
The only spam-headers i could identify where these: Code: X-Forefront-Antispam-Report: CIP:1.2.3.4;CTRY:SE;IPV:NLI;EFV:NLI;SFV:NSPM;SFS:(10009020)(428002)(199003)(189002)(2656002)(44976005)(21056001)(6806004)(15975445006)(92726001)(92566001)(568964001)(19625215002)(101416001)(84326002)(16236675004)(33656002)(512954002)(87936001)(19580395003)(19300405004)(97736003)(69596002)(567704001)(55846006)(4396001)(2501002)(19617315012)(104016003)(107886001)(229853001)(15202345003)(31966008)(106466001)(107046002)(106356001)(564344004)(53416004)(50986999)(54356999)(62966003)(77096003)(575784001)(110136001)(99936001)(95666004)(221733001)(106476002)(64706001)(450100001)(46102003)(86362001)(2351001)(99396003)(20776003)(74482002)(71186001)(120916001)(105586002)(77156002)(81156004)(166393001)(220243001)(19477635001)(19627235001);DIR:OUT;SFP:1101;SCL:1;SRVR:AM2PR01MB338;H:mail.senderdomain.com;FPR:;MLV:sfv;PTR:InfoNoRecords;A:1;MX:1;LANG:en; X-Microsoft-Antispam: UriScan:; X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;SRVR:AM2PR01MB338; X-Exchange-Antispam-Report-Test: UriScan:; X-Forefront-PRVS: 0386B406AA Received-SPF: None (protection.outlook.com: customer.tld does not designate permitted sender hosts) Authentication-Results: spf=none (sender IP is 1.2.3.4) [email protected]; X-OriginatorOrg: customer.tld They were added from the mailserver of the sender I suppose. Other than that, I can't find any headers referring to spam. Maybe it's of interest that the mail was greylisted on the first attemt by our server. But that should not change anything I guess. Can you make anything of this spam-headers? The mailbox itself has no spam-filter set to "not-enabled" in ISPConfig. Also the sender is whitelisted for the whole customer-domain in ISPConfig.
Not really. For me it looks like the mail got moved to the spam folder by a software outside of the server e.g. with imapprotocol.
Hmm, that sounds plausible. The mailbox is getting accessed by many different people, and one of them could easily have moved the file. I guess in such a case it would be better for the client to forward the address to different mailboxes, instead of directly accessing the mailbox with many different people/clients. Thanks for the help till!
