Spam filter oddity

Runbox Chat
#1

This isn’t as much of an issue for me as I rarely if ever receive actual spam, however the spam filter produced false positives before for my own forwarded mails because of SPF_FAIL SPF: sender does not match SPF record, so I had to create an exclusion rule.

What prompted me to create this topic though is that Runbox’s own mail was classified for the very same reason. I am wondering whether that is a bug or not.

Return-path: <runbox@runbox.com>
Received: from exim by delivery05.runbox with sa-scanned  (Exim 4.86_2)
	id ###########
	for ###########@runbox.com; Tue, 19 Dec 2023 19:46:15 +0100
X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on antispamc02.runbox
X-Spam-Flag: YES
X-Spam-Level: ******
X-Spam-Status: Yes, score=6.0 required=5.0 tests=HTML_MESSAGE,KAM_DMARC_STATUS,
	MISSING_MIME_HB_SEP,SPF_FAIL,TO_EQ_FM_DOM_SPF_FAIL autolearn=disabled
	version=4.0.0
X-Spam-Report: 
	*  6.0 SPF_FAIL SPF: sender does not match SPF record (fail)
	*  0.0 KAM_DMARC_STATUS Test Rule for DKIM or SPF Failure with Strict
	*      Alignment
	*  0.0 MISSING_MIME_HB_SEP BODY: Missing blank line between MIME header and
	*       body
	*  0.0 HTML_MESSAGE BODY: HTML included in message
	*  0.0 TO_EQ_FM_DOM_SPF_FAIL To domain == From domain and external SPF
	*      failed
Received: from [10.9.9.168] (helo=mailfront24.runbox)
	by delivery05.runbox with esmtp  (Exim 4.86_2)
	id ###########
	for ###########@runbox.com; Tue, 19 Dec 2023 19:46:15 +0100
Received: from exim by mailfront24.runbox with sa-scanned  (Exim 4.93)
	id ###########
	for ###########@runbox.com; Tue, 19 Dec 2023 19:46:14 +0100
Received-SPF: fail client-ip=193.58.250.140; envelope-from=runbox@runbox.com; helo=mail15.copyleft.no
Received: from mail15.copyleft.no ([193.58.250.140])
	by mailfront24.runbox with esmtps  (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
	(Exim 4.93)
	id ###########
	for ###########@runbox.com; Tue, 19 Dec 2023 19:46:00 +0100
Received: from aibo.runbox.com ([185.226.149.25] helo=admin02.runbox)
	by mail15.copyleft.no with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.95)
	(envelope-from <runbox@runbox.com>)
	id ###########
	for ###########@runbox.com;
	Tue, 19 Dec 2023 18:51:19 +0100
Received: from geir by admin02.runbox with local (Exim 4.93)
	(envelope-from <runbox@runbox.com>)
	id ###########
	for ###########@runbox.com; Tue, 19 Dec 2023 18:06:19 +0100
Subject: [News] Special Holiday Offer from Runbox
Sender: The Runbox Team <runbox@runbox.com>
#2

Two more false positives of legitimate mails being caught in the spam filter. Until recently mails from the same senders passed through.

Here is the spam report:

X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on antispamc01.runbox
X-Spam-Flag: YES
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.1 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,
	KAM_HUGEIMGSRC,KAM_LOTSOFHASH,SPF_PASS,T_SCC_BODY_TEXT_LINE
	autolearn=disabled version=4.0.0
X-Spam-Report: 
	* -0.0 SPF_PASS SPF: sender matches SPF record
	*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
	*      valid
	* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
	*       domain
	* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
	*  0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or identical to
	*       background
	*  0.0 HTML_MESSAGE BODY: HTML included in message
	*  0.2 KAM_HUGEIMGSRC Message contains many image tags with huge http urls
	* -0.0 T_SCC_BODY_TEXT_LINE No description available.
	*  5.0 KAM_LOTSOFHASH Emails with lots of hash-like gibberish
	* -0.0 DKIMWL_WL_MED DKIMwl.org - Medium trust sender
#3

Does runbox use proxmox mail gateway for all that ?

#4

We have made some changes to the spam scoring recently that should help with this issue. It’s the last but one spam test which scores 5.0 which is the issue in this message. You can raise SPF filter issues with us in our support system as we will need to look at them on an account specific basis which isn’t suitable for a forum discussion for privacy reasons.