On a new mail system, all the 'From' names for messages detected as spam get "TW" added as a suffix (Trigger Warning?). I've been searching in the config files but I couldn't find the place to turn this off. I searched for this online, but couldn't find anything about it. Hope someone here knows where this is hidden.
I have never heard of that. What mail system do you use? Postfix? Rspamd? Are you sure this is done on the server and not a client display setting? Can you post the header of a mail with that behavior?
Sorry, forget that, that's for the subject line. Possibly the Addr. extension SPAM field in the other tab of the spamfilter policy?
I've reviewed all Spam Policy settings and there is no extension set. Header from one of the emails:
Code:
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from localhost (localhost [127.0.0.1])
    by mx.example.com (Postfix) with ESMTP id CA4191C291A
    for <[email protected]>; Wed, 4 Mar 2020 01:07:44 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mx.example.com
X-Spam-Flag: YES
X-Spam-Score: 7.819
X-Spam-Level: *******
X-Spam-Status: Yes, score=7.819 tagged_above=2.8 required=2.8
    tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001,
    MAILING_LIST_MULTI=-1, RAZOR2_CF_RANGE_51_100=2.43, RAZOR2_CHECK=1.729,
    SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01,
    URIBL_ABUSE_SURBL=1.948, URIBL_BLOCKED=0.001, URIBL_CSS=0.1,
    URIBL_CSS_A=0.1, URIBL_DBL_SPAM=2.5] autolearn=no autolearn_force=no
Authentication-Results: mx.example.com (amavisd-new);
    dkim=pass (1024-bit key) header.d=maximah.info
Received: from mx.example.com ([127.0.0.1])
    by localhost (mx.example.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id ARaAyKnV0Ojm for <[email protected]>;
    Wed, 4 Mar 2020 01:07:42 +0100 (CET)
Received: from earnest.manyhub.info (earnest.manyhub.info [51.77.23.75])
    by mx.example.com (Postfix) with ESMTPS id 801081C2919
    for <[email protected]>; Wed, 4 Mar 2020 01:07:41 +0100 (CET)
Received: from mail.maximah.info (localhost [127.0.0.1])
    by mail.maximah.info (Postfix) with ESMTP id 48XDj90vfCz2vGbF
    for <[email protected]>; Wed, 4 Mar 2020 01:07:41 +0100 (CET)
Authentication-Results: mail.maximah.info (amavisd-new);
    dkim=pass (1024-bit key) reason="pass (just generated, assumed good)"
    header.d=maximah.info
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=maximah.info; h=
    list-id:list-unsubscribe:precedence:content-type:content-type
    :mime-version:to:reply-to:from:from:subject:subject:date:date
    :message-id; s=dkim; t=1583280461; x=1585872462; bh=Y8wcZMmB2Isd
    wEPq830D7+KOFcIkN116EJeyqz0pbHw=; b=dPiTsLle+hyGExAr9VaJEEQvRI1I
    dnKLprzaYPuxloHT5xymAUOlD1GBPIiYs4NS3oJHfcsnUB8MjTKLovUACmBSJkoo
    RR9WCgu7rC1+wjb3w0hQ6uJaFsOmUS0tE/E7qpqHhd22PpHUHYMzu7GElbLWBb3L
    hfx+1mgAYp/mMhI=
X-Virus-Scanned: amavisd-new at mail.maximah.info
Received: from mail.maximah.info ([127.0.0.1])
    by mail.maximah.info (mail.maximah.info [127.0.0.1]) (amavisd-new, port 10026)
    with ESMTP id O2o69DRw1DBf for <[email protected]>;
    Wed, 4 Mar 2020 01:07:41 +0100 (CET)
Received: from mindset.thatein.info (ns570271.ip-51-161-12.net [51.161.12.228])
    by mail.maximah.info (Postfix) with ESMTPSA id 48XDj85RT1z2vGbr
    for <[email protected]>; Wed, 4 Mar 2020 01:07:40 +0100 (CET)
Message-ID: <[email protected]>
Date: Wed, 04 Mar 2020 00:07:39 +0000
Subject: Bespaar gemiddeld 272 euro met een lagere WOZ waarde
From: Uw bezwaar via TW <[email protected]>
Reply-To: Uw bezwaar via TW <[email protected]>
To: "[email protected]" <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="_=_swift_v4_1583280459_21eab0ca83bfc881a7a8034fddf98a6c_=_"
X-Sender: [email protected]
X-Report-Abuse: Please report abuse for this campaign here: http://midnight.meidengifts.info/index.php/campaigns/we793zzzvr19a/report-abuse/vf714pctrs165/lw205gbndfa51
X-Receiver: [email protected]
X-Akvh-Tracking-Did: 78
X-Akvh-Subscriber-Uid: lw205gbndfa51
X-Akvh-Mailer: SwiftMailer - 5.4.x
X-Akvh-EBS: http://midnight.meidengifts.info/index.php/lists/block-address
X-Akvh-Delivery-Sid: 3
X-Akvh-Customer-Uid: xh779wq5ck417
X-Akvh-Customer-Gid: 0
X-Akvh-Campaign-Uid: we793zzzvr19a
Precedence: bulk
List-Unsubscribe: <http://midnight.meidengifts.info/index.php/lists/vf714pctrs165/unsubscribe/lw205gbndfa51/we793zzzvr19a/unsubscribe-direct?source=email-client-unsubscribe-button>, <mailto:[email protected]?subject=Campaign-Uid:we793zzzvr19a / Subscriber-Uid:lw205gbndfa51 - Unsubscribe request&body=Please unsubscribe me!>
List-Id: vf714pctrs165 <OPN>
Feedback-ID: we793zzzvr19a:lw205gbndfa51:vf714pctrs165:xh779wq5ck417
Never seen this 'via TW' before, which makes it at least less likely that it is caused by amavis on the ISPConfig system, as I've been working with it for quite some time now. Is it possible that the mail traffic is routed through some other scanning software or gateway? E.g. various desktop antivirus systems hook themselves as an email proxy into the connection between mail client and mail server and might change the email in such a way.
There is no additional scanning software and no antivirus software that does anything with my email. Weird issue indeed.
Hmm, ok. Is the same suffix visible when you view the email in RoundCube webmail which is installed on the mail server?
Hmm, very strange. Did you modify your amavis setup in comparison to the one used in the perfect server guide, or in other words, did you customize the config files or add additional amavis plugins or so?
The only thing I did was adding
Code:
[...]
use_razor2 1
[...]
to /etc/spamassassin/local.cf. Spamfilter is working perfectly, so I haven't had the need to change anything special in the config files.
Are you sure this "via TW" is added on your server? It looks like this was there before. I mean the "from" part is signed and DKIM is valid. Why should anything on your side mess with this? Is this for all mails? "Uw bezwaar via TW" is Dutch for: "Your objection via TW" while the subject means: "Save on average 272 euros with a lower WOZ value".
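The check this reply relies on, as an added example that is not part of the original thread: confirm that `from` is listed in the signature's `h=` tag and that the receiving server itself recorded `dkim=pass` for the signing domain. The sample message, its `.example` hosts, and the helper names `dkim_tags` and `check_from` are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample shaped like the headers posted in this thread; the
# .example hosts, address, bh= and b= values are placeholders.
SAMPLE = """\
Authentication-Results: mx.example.com (amavisd-new);
\tdkim=pass (1024-bit key) header.d=sender.example
Authentication-Results: mail.sender.example (amavisd-new);
\tdkim=pass (1024-bit key) header.d=sender.example
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sender.example; h=
\tlist-id:content-type:mime-version:to:reply-to:from:from:subject
\t:date:message-id; s=dkim; t=1583280461; bh=AAAA; b=BBBB
From: Uw bezwaar via TW <news@sender.example>
Subject: constructed test message

body
"""

def dkim_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    pairs = (p.split("=", 1) for p in re.sub(r"\s+", "", value).split(";") if "=" in p)
    return {k: v for k, v in pairs}

def check_from(raw, trusted_authserv):
    """Report whether From is DKIM-signed and our own MX recorded dkim=pass."""
    msg = message_from_string(raw)
    out = {"display": parseaddr(msg["From"])[0], "from_signed": False, "dkim_pass": False}
    for sig in msg.get_all("DKIM-Signature", []):
        tags = dkim_tags(sig)
        if "from" not in tags.get("h", "").lower().split(":"):
            continue  # this signature does not protect the From header
        out["from_signed"] = True
        domain = re.escape(tags.get("d", ""))
        for ar in msg.get_all("Authentication-Results", []):
            # Trust only results stamped by our own server; a sender can
            # prepend any Authentication-Results header it likes.
            if ar.split(";", 1)[0].split()[0] != trusted_authserv:
                continue
            if re.search(r"\bdkim=pass\b", ar) and re.search(rf"header\.d={domain}(?![\w.-])", ar):
                out["dkim_pass"] = True
    return out

if __name__ == "__main__":
    print(check_from(SAMPLE, "mx.example.com"))
```

The recorded `dkim=pass` describes the message as it arrived at the server. Re-verifying the signature on the stored copy with a DKIM verifier confirms that nothing altered the From header after that check.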
I am; while in this sender name it could seem like it is a company called TW, all spam emails have this added as suffix. I am Dutch, so I know the meaning of the sentences. Another header:
Code:
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from localhost (localhost [127.0.0.1])
    by mx.example.com (Postfix) with ESMTP id D4B7C404B1
    for <[email protected]>; Sat, 15 Feb 2020 21:39:46 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mx.example.com
X-Spam-Flag: YES
X-Spam-Score: 7.095
X-Spam-Level: *******
X-Spam-Status: Yes, score=7.095 tagged_above=2.8 required=2.8
    tests=[DIGEST_MULTIPLE=0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
    HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1,
    PYZOR_CHECK=1.985, RAZOR2_CF_RANGE_51_100=2.43, RAZOR2_CHECK=1.729,
    SPF_PASS=-0.001, URIBL_ABUSE_SURBL=1.948, URIBL_BLOCKED=0.001]
    autolearn=no autolearn_force=no
Authentication-Results: mx.example.com (amavisd-new);
    dkim=pass (1024-bit key) header.d=anymust.info
Received: from mx.example.com ([127.0.0.1])
    by localhost (mx.example.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id ybOoTyiFvFxa for <[email protected]>;
    Sat, 15 Feb 2020 21:39:44 +0100 (CET)
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=198.50.143.66; helo=diamond.prayg.info; [email protected]; receiver=<UNKNOWN>
Received: from diamond.prayg.info (diamond.prayg.info [198.50.143.66])
    by mx.example.com (Postfix) with ESMTPS id 620BD3FD2E
    for <[email protected]>; Sat, 15 Feb 2020 21:39:43 +0100 (CET)
Received: from hello.anymust.info (localhost [127.0.0.1])
    by return.clubshack.xyz (Postfix) with ESMTP id 48Kfgs1DyMz1Nggh
    for <[email protected]>; Sat, 15 Feb 2020 13:59:53 -0500 (EST)
Authentication-Results: hello.anymust.info (amavisd-new);
    dkim=pass (1024-bit key) reason="pass (just generated, assumed good)"
    header.d=anymust.info
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=anymust.info; h=
    list-id:list-unsubscribe:precedence:content-type:content-type
    :mime-version:to:reply-to:from:from:subject:subject:date:date
    :message-id; s=dkim; t=1581793192; x=1584385193; bh=jXJqizxJrtrr
    72i41vyQ1ldMsMw4msrma6zZWIFWbME=; b=nOIbfBLN9M/PGV+IpglZCblq9EXY
    gHgHXVppbl/WGTLs85x4FycyWNUNUhcl9OdKDsll32CjbhWkjI2f8LGqBu2P6PP1
    PqmqYhewM8lEq4fKhNwc3nuJLdKt2AhWFYx9OsBs9nIWqsRNbSPfV/3KkT2Mk4GN
    3iTQsE26Z2dZFzc=
X-Virus-Scanned: amavisd-new at hello.anymust.info
Received: from return.clubshack.xyz ([127.0.0.1])
    by hello.anymust.info (hello.anymust.info [127.0.0.1]) (amavisd-new, port 10026)
    with ESMTP id 22GjWgotZFaE for <[email protected]>;
    Sat, 15 Feb 2020 13:59:52 -0500 (EST)
Received: from mail.techwrestle.com (ns522361.ip-158-69-126.net [158.69.126.112])
    by return.clubshack.xyz (Postfix) with ESMTPSA id 48Kfgr4LBFz1Ngtx
    for <[email protected]>; Sat, 15 Feb 2020 13:59:52 -0500 (EST)
Message-ID: <[email protected]>
Date: Sat, 15 Feb 2020 18:59:52 +0000
Subject: Jij bent een van de kanshebbers om gratis Netflix toegang te krijgen voor drie jaar!
From: Netflix toegang TW <[email protected]>
Reply-To: Netflix toegang TW <[email protected]>
To: "[email protected]" <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="_=_swift_v4_1581793192_9653aa1cb7ad549c15557acee5e70817_=_"
X-Sender: [email protected]
X-Rfbe-Tracking-Did: 1164
X-Rfbe-Subscriber-Uid: zt8669dx6cc6a
X-Rfbe-Mailer: SwiftMailer - 5.4.x
X-Rfbe-EBS: http://micro.locationsone.co/index.php/lists/block-address
X-Rfbe-Delivery-Sid: 738
X-Rfbe-Customer-Uid: pw325cseh52f2
X-Rfbe-Customer-Gid: 0
X-Rfbe-Campaign-Uid: wf874v53w7f40
X-Report-Abuse: Please report abuse for this campaign here: http://micro.locationsone.co/index.php/campaigns/wf874v53w7f40/report-abuse/ee8858b5m7bf8/zt8669dx6cc6a
X-Receiver: [email protected]
Precedence: bulk
List-Unsubscribe: <http://micro.locationsone.co/index.php/lists/ee8858b5m7bf8/unsubscribe/zt8669dx6cc6a/wf874v53w7f40/unsubscribe-direct?source=email-client-unsubscribe-button>, <mailto:[email protected]?subject=Campaign-Uid:wf874v53w7f40 / Subscriber-Uid:zt8669dx6cc6a - Unsubscribe request&body=Please unsubscribe me!>
List-Id: ee8858b5m7bf8 <Six>
Feedback-ID: wf874v53w7f40:zt8669dx6cc6a:ee8858b5m7bf8:pw325cseh52f2
You can try to set a higher debug level in amavis and then check in the mail.log what happens in detail. Also, you might want to check the details of the spamfilter policy with e.g. phpmyadmin directly in the ispconfig database to ensure that the policy which is used for that domain does not have any strange settings, or try to select another policy temporarily in ISPConfig to see if it has any effect.
Why do you think that your server adds the suffix? Both mails have this in From and Reply-To when your server receives the mails.
I will get on with the debug level later. I've checked the database and there's nothing weird there. Because mail from several servers to any of my email addresses that is detected as spam has "TW" in the sender name, which seems really weird.
Both mails look like they come from the same "campaign" (same generation software). Do you have spam from a different attempt? For example with a non-Dutch text? I still believe this name is from the spam sender. Maybe a mistake in the sender definition.
All spam that doesn't get above the kill score has this added, but probably it is all from the same sender. Had me really confused then, haha