Email is referred to as *** SPAM ***

I keep getting emails from one client marked as spam, but there is nothing in the headers. The mail doesn’t even go to spam. I’ve tried everything. I’ve added the domain and IP address to the whitelist, etc., but the mails still get marked. All mails that come to me from this server, even from another domain, get marked *** SPAM ***. I have searched all the configurations and found nothing subtle.


Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Wed, 22 Jan 2025 11:42:33 +0100
Received: from iredmail.virtis.cz ([185.9.116.45])
    by datatc.cz with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    (Exim 4.93)
    (envelope-from <[email protected]>)
    id 1taYBs-007J6Q-Gt
    for [email protected]; Wed, 22 Jan 2025 11:42:33 +0100
Received: from localhost (localhost [127.0.0.1])
    by iredmail.virtis.cz (Postfix) with ESMTP id 458AAA15F9
    for <[email protected]>; Wed, 22 Jan 2025 11:42:32 +0100 (CET)
Authentication-Results: iredmail.virtis.cz (amavisd-new);
    dkim=pass (1024-bit key) reason="pass (just generated, assumed good)"
    header.d=virtis.cz
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=virtis.cz; h=
    content-transfer-encoding:content-type:content-type:mime-version
    :references:in-reply-to:organization:message-id:date:date
    :subject:subject:to:from:from; s=dkim; t=1737542551; x=
    1738406552; bh=V+CHxPB81O/siVlRoA2TAlKICk4wgl0Ju4cToxTFncw=; b=m
    Gul5X+hV3gk+P4y/VvTXE8T2Rc0++NPsXaplbCFJpsq5EchgtLTtsmJa2zJAx23z
    2H3ol7jMexY63LKMZuDh9bx8kON9lQOnkfEHqtdG8pxBgjr/EuBxcQTOc4JIvNnJ
    TbA+B9RI1CzGUftZio9G3KMfFLdre0A/9YIl2UC8tI=
X-Virus-Scanned: Debian amavisd-new at iredmail.virtis.cz
X-Spam-Flag: NO
X-Spam-Score: -2.899
X-Spam-Level:
X-Spam-Status: No, score=-2.899 tagged_above=-9999 required=6.31
    tests=[ALL_TRUSTED=-1, BAYES_00=-1.9, HTML_MESSAGE=0.001]
    autolearn=ham
Received: from iredmail.virtis.cz ([127.0.0.1])
    by localhost (iredmail.virtis.cz [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id zINuImkJeck3 for <[email protected]>;
    Wed, 22 Jan 2025 11:42:31 +0100 (CET)
Received: from emailgw2.virtis.cz (unknown [192.168.46.51])
    by iredmail.virtis.cz (Postfix) with ESMTP id 420A6A1E01
    for <[email protected]>; Wed, 22 Jan 2025 11:42:31 +0100 (CET)
From: David =?utf-8?B?QnLFr2hh?= <[email protected]>
To: "[email protected]" <[email protected]>
Date: Wed, 22 Jan 2025 11:42:30 +0100
Message-ID: <2211632.irdbgypaU6@optiplex>
Organization: Virtis s.r.o.
In-Reply-To:
    <PAWPR10MB80687CBFC4D52A4734E055F4F5E12@PAWPR10MB8068.EURPRD10.PROD.OUTLOOK.COM>
References:
    <PAWPR10MB80687CBFC4D52A4734E055F4F5E12@PAWPR10MB8068.EURPRD10.PROD.OUTLOOK.COM>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="nextPart13685264.uLZWGnKmhe"
Content-Transfer-Encoding: 7Bit
X-Spam-Score: -38
X-Spam-Bar: ---
X-Spam-Report: Spam detection software, running on the system "datatc.cz",
    has NOT identified this incoming email as spam. The original
    message has been attached to this so you can view it or label
    similar future email. If you have any questions, see
    @@CONTACT_ADDRESS@@ for details.
    Content preview: Dobrý den, samozřejmě. -- S pozdravem,
    Content analysis details: (-3.9 points, 5.0 required)
    pts rule name description
    ---- ---------------------- --------------------------------------------------
    0.0 RCVD_IN_DNSWL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to
    DNSWL was blocked. See
    http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
    for more information.
    [185.9.116.45 listed in list.dnswl.org]
    -0.0 SPF_PASS SPF: sender matches SPF record
    -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
    0.0 HTML_MESSAGE BODY: HTML included in message
    -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from
    envelope-from domain
    0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
    valid
    -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
    -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
    author's domain
    -3.0 RCVD_IN_RP_CERTIFIED RBL: Sender in ReturnPath Certified -
    Contact [email protected]
    [Excessive Number of Queries | <https://knowledge.validity.com/hc/en-us/articles/20961730681243>]
    -2.0 RCVD_IN_RP_SAFE RBL: Sender in ReturnPath Safe - Contact
    [email protected]
    1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,
    https://senderscore.org/blacklistlookup/
    [185.9.116.45 listed in bl.score.senderscore.com]
Subject: *** SPAM *** Re: Test

Hello, is SpamAssassin installed?

#   Add *****SPAM***** to the Subject header of spam e-mails
rewrite_header Subject *****SPAM*****

Yes, I also tried adding, for example: whitelist_from_rcvd [email protected] 185.9.116.45
And it doesn’t help. I’m having a problem receiving mail from this server. The mail doesn’t even go to the spam folder, it gets marked *** SPAM ***

What does your log say? /var/log/exim4/mainlog

Are you sure your server is adding that subject? I’m asking because these are the headers added by Exim:

add_header     = X-Spam-Score: $spam_score_int
add_header     = X-Spam-Bar: $spam_bar
add_header     = X-Spam-Report: $spam_report
add_header     = X-Spam-Status: Yes

So, Exim adds the headers X-Spam-Score, X-Spam-Bar, X-Spam-Report and X-Spam-Status only if the mail is marked as spam (Yes), but if we check the headers of your mail:

X-Virus-Scanned: Debian amavisd-new at iredmail.virtis.cz
X-Spam-Flag: NO
X-Spam-Score: -2.899
X-Spam-Level:
X-Spam-Status: No, score=-2.899 tagged_above=-9999 required=6.31
    tests=[ALL_TRUSTED=-1, BAYES_00=-1.9, HTML_MESSAGE=0.001]
    autolearn=ham

You can see that iredmail.virtis.cz added the X-Virus-Scanned header. Additionally, the X-Spam-Flag and X-Spam-Level headers are present, but these are not used by the configuration that Hestia adds to Exim. Furthermore, you can see the header X-Spam-Status: No, [...]. As mentioned earlier, Exim only adds the X-Spam-Status: Yes header.

I forgot to say that Exim only rewrites the subject when it finds the case-sensitive word Yes in the X-Spam-Status header:

$ head -n7 /etc/exim4/system.filter
if $h_X-Spam-Status: contains "Yes"
then
    headers add "Old-Subject: $h_subject"
    headers remove "Subject"
    headers add "Subject: *** SPAM *** $h_old-subject"
    headers remove "Old-Subject"
endif

From virtis.cz a mail was sent to the mail-tester, where it received 10/10. See the test result.

From log:

2025-01-23 09:12:19 1tasK2-000rHk-FC <= [email protected] H=iredmail.virtis.cz [185.9.116.45] P=esmtps X=TLS1.2:ECDHE_SECP256R1__RSA_SHA512__AES_128_GCM:128 CV=no S=6141 DKIM=virtis.cz id=2685339.tIAgqjz4sF@optiplex

I don’t see Completed; when messages are successfully sent there is always Completed.

Did you modify the SpamAssassin rules/conf?

grep -r rewrite_header /usr/share/spamassassin/ /etc/spamassassin

I edited the filter and instead of *** SPAM *** I rewrote it to - SPAM -. And the messages are now marked as - SPAM -. I should add that I have a Hestia installation on two independent servers and the same thing happens on both of them, but only if the mails come from virtis.cz.

Sorry, edit:

2025-01-23 09:12:19 1tasK2-000rHk-FC <= [email protected] H=iredmail.virtis.cz [185.9.116.45] P=esmtps X=TLS1.2:ECDHE_SECP256R1__RSA_SHA512__AES_128_GCM:128 CV=no S=6141 DKIM=virtis.cz id=2685339.tIAgqjz4sF@optiplex
2025-01-23 09:12:19 1tasK2-000rHk-FC => info <[email protected]> R=localuser T=local_delivery
2025-01-23 09:12:19 1tasK2-000rHk-FC Completed

The one that should rewrite the subject is Exim; comment out the rewrite_header in your SpamAssassin.


I don’t understand. You mean in /etc/spamassassin/local.cf?

You just apply the filter in /etc/exim4/system.filter

What I meant to say is that you shouldn’t edit it in the SpamAssassin rules. If you edited it in the Exim configuration (system.filter), then it’s correct.

Yeah, like this. I understand now. I edited the system.filter. However, I don’t understand why emails are still being marked as SPAM… :( I spent a lot of time on this and came up with nothing.

Edit /etc/exim4/system.filter and modify this:

if $h_X-Spam-Status: contains "Yes"

to this:

if $h_X-Spam-Status: contains "ZZZ"

Restart exim and try again:

systemctl restart exim4

This will disable the filter application. I wonder why the filter is applied if it is running and everything in the header is fine. :)


As far as I know, if $h_X-Spam-Status: contains "Yes" is case-sensitive, so it doesn’t make sense for the condition to match X-Spam-Status. However, it’s possible that in your Exim version, it is case-insensitive and matches because of the word BAYES.

But as I said, Hestia, using the default conf for Exim and SpamAssassin, doesn’t add the header X-Spam-Status if the result is No, only if the result is Yes.
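
The match suspected in the last post can be reproduced offline. This is an added example, not code from the thread or from Hestia: it models the Exim filter string tests in Python, assuming the Exim filter rule that a condition written in lower case (`contains`) ignores letter case while one written with an initial capital (`Contains`, `Begins`) respects it. The helper names are hypothetical and the sample headers are constructed from the ones quoted above.

```python
import email
import re
from email import policy

# Constructed input: the upstream X-Spam-Status header quoted in the thread,
# folded as it arrived, plus a locally tagged "Yes" header for comparison.
UPSTREAM = (
    "X-Spam-Status: No, score=-2.899 tagged_above=-9999 required=6.31\r\n"
    "    tests=[ALL_TRUSTED=-1, BAYES_00=-1.9, HTML_MESSAGE=0.001]\r\n"
    "    autolearn=ham\r\n"
    "Subject: Re: Test\r\n\r\nbody\r\n"
)
LOCAL_SPAM = "X-Spam-Status: Yes\r\nSubject: offer\r\n\r\nbody\r\n"

def header_value(raw, name="X-Spam-Status"):
    """Unfold and join every header called `name`, roughly what $h_name: expands to."""
    msg = email.message_from_string(raw, policy=policy.compat32)
    return "\n".join(" ".join(v.split()) for v in msg.get_all(name, []))

def contains_ci(value, needle):   # models lower-case `contains`
    return needle.lower() in value.lower()

def contains_cs(value, needle):   # models capitalised `Contains`
    return needle in value

def begins_cs(value, needle):     # models capitalised `Begins`
    return value.startswith(needle)

def matching_token(value, needle):
    """Return the first token that satisfies the case-insensitive test, or None."""
    for token in re.split(r"[\s,\[\]]+", value):
        if needle.lower() in token.lower():
            return token
    return None

def verdicts(raw):
    v = header_value(raw)
    return {
        "contains": contains_ci(v, "Yes"),
        "Contains": contains_cs(v, "Yes"),
        "Begins": begins_cs(v, "Yes"),
        "hit": matching_token(v, "Yes"),
    }

if __name__ == "__main__":
    for label, raw in (("upstream", UPSTREAM), ("local spam", LOCAL_SPAM)):
        print(label, verdicts(raw))
```

On the upstream header only the case-insensitive test fires, and the token it hits is the SpamAssassin rule name `BAYES_00`; the anchored, case-sensitive test separates the remote "No" verdict from a local "Yes".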