rixvet
6 September 2024 at 12:02
1
I have an e-mail group on my own domain (managed in the mijn.freedom.nl environment) that is configured to point to two @freedom.nl mailboxes. Mail to the e-mail group regularly ends up in the SPAM folder incorrectly.
Below is the full X-Soverin-Spam-Result
(with privacy-sensitive parts redacted):
X-Soverin-Spam-Result: default: False [7.97 / 15.00];
SPAM_FLAG(5.00)[];
S_DOMAIN_PROB_0_75(3.00)[];
S_OK(-2.00)[];
FORGED_RECIPIENTS(2.00)[m:%%%REDACTED%%%@huize-zwet.nl,s:%%%REDACTED_USER1%%%@freedom.nl,s:%%%REDACTED_USER2%%%@freedom.nl];
PHISHING(0.50)[%%%REDACTED_REMOTE_DOMAIN%%%->mlsend.com];
DMARC_POLICY_ALLOW(-0.50)[%%REDACTED_REMOTE_DOMAIN%%%,none];
FORGED_SENDER(0.33)[hallo@REDACTED_REMOTE_DOMAIN,SRS0=RwFC=QD=mlsend.com=bounce-131656514005894337a475212@soverin.net];
R_SPF_ALLOW(-0.20)[+ip4:%%%REDACTED_IPV4%%%:c];
R_DKIM_ALLOW(-0.20)[%%%REDACTED_REMOTE_DOMAIN%%%:s=litesrv,mlsend.com:s=litesrv];
ZERO_FONT(0.11)[1];
MIME_GOOD(-0.10)[multipart/alternative,text/plain];
MANY_INVISIBLE_PARTS(0.05)[1];
MX_GOOD(-0.01)[];
HAS_LIST_UNSUB(-0.01)[];
MIME_TRACE(0.00)[0:+,1:+,2:~];
ARC_NA(0.00)[];
RCPT_COUNT_ONE(0.00)[1];
FUZZY_BLOCKED(0.00)[rspamd.com];
SUBJECT_HAS_QUESTION(0.00)[];
RCVD_TLS_ALL(0.00)[];
HAS_REPLYTO(0.00)[hallo@%%%REDACTED_REMOTE_DOMAIN%%%];
RCVD_COUNT_TWO(0.00)[2];
FROM_NEQ_ENVFROM(0.00)[hallo@%%%REDACTED_REMOTE_DOMAIN%%%,SRS0=RwFC=QD=mlsend.com=bounce-131656514005894337a475212@soverin.net];
FROM_HAS_DN(0.00)[];
TO_DN_EQ_ADDR_ALL(0.00)[];
PRECEDENCE_BULK(0.00)[];
ASN(0.00)[asn:211993, ipnet:185.233.34.0/24, country:NL];
PREVIOUSLY_DELIVERED(0.00)[%%%REDACTED%%%@huize-zwet.nl];
DKIM_TRACE(0.00)[%%%REDACTED_REMOTE_DOMAIN%%%:+,mlsend.com:+];
MISSING_XM_UA(0.00)[];
REPLYTO_EQ_FROM(0.00)[]
I can't find any explanation of what the scores mean; what is FORGED_RECIPIENTS(2.00), for example?
Ram
6 September 2024 at 14:16
2
rixvet:
FORGED_RECIPIENTS(2.00)
I wasn't familiar with forged recipients yet, but Google told me that it can trigger when there are multiple BCC addresses:
when sending Mails with lots of BCC recipients and rspamd recognizes FORGED_RECIPIENTS it adds … FORGED_RECIPIENTS(2.00)[mailadress1 at one.domain ,mailadress2 at second.domain… ] … to the header of the mails.
Noci
6 September 2024 at 22:15
3
Have the mail sender send to one or two addresses per message.
(This can easily be arranged in an MTA.)
rixvet
26 September 2024 at 08:30
4
I have two more examples here. These do not come from mailing lists or the like. A message from bol.com and a password reset mail from Spotify:
Bol.com:
Return-Path: <SRS0=wkC3=QP=verkopen.bol.com=eccd25a4-9ea4-43b8-8988-854d6b5e90b7@soverin.net>
Delivered-To: %%REDACTED_USER2%%freedom.nl
Received: from mx.soverin.net ([10.10.4.101])
by storage.soverin.net with LMTP
id xZIyCRn96Wbp5CAAGAUnpw
(envelope-from <SRS0=wkC3=QP=verkopen.bol.com=eccd25a4-9ea4-43b8-8988-854d6b5e90b7@soverin.net>)
for <%%REDACTED_USER2%%freedom.nl>; Tue, 17 Sep 2024 22:05:13 +0000
Received: from forward.soverin.net (forward.soverin.net [IPv6:2a10:de80:1:4092:b9e9:229b:0:1])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
(No client certificate requested)
by mx.soverin.net (Postfix) with ESMTPS id 4X7bS75trPzvS;
Tue, 17 Sep 2024 22:05:11 +0000 (UTC)
Authentication-Results: mx.soverin.net;
dkim=pass header.d=verkopen.bol.com header.s=verkopen header.b=RHeG3X6P;
dmarc=pass (policy=quarantine) header.from=verkopen.bol.com;
spf=pass (mx.soverin.net: domain of "SRS0=wkC3=QP=verkopen.bol.com=eccd25a4-9ea4-43b8-8988-854d6b5e90b7@soverin.net" designates 2a10:de80:1:4092:b9e9:229b:0:1 as permitted sender) smtp.mailfrom="SRS0=wkC3=QP=verkopen.bol.com=eccd25a4-9ea4-43b8-8988-854d6b5e90b7@soverin.net"
Received: from mx.soverin.net (unknown [10.10.4.74])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits))
(No client certificate requested)
by forward.soverin.net (Postfix) with ESMTPS id 4X7bS74WrDz10q2
for <%%REDACTED%%huize-zwet.nl>; Tue, 17 Sep 2024 22:05:11 +0000 (UTC)
Received: from pro-mail-smtp-003-vip5.bol.com (pro-mail-smtp-003-vip5.bol.com [185.14.168.133])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
(No client certificate requested)
by mx.soverin.net (Postfix) with ESMTPS id 4X7bS72yrSzvS
for <%%REDACTED%%huize-zwet.nl>; Tue, 17 Sep 2024 22:05:11 +0000 (UTC)
Authentication-Results: mx.soverin.net;
dkim=pass header.d=verkopen.bol.com header.s=verkopen header.b=RHeG3X6P;
spf=pass (mx.soverin.net: domain of eccd25a4-9ea4-43b8-8988-854d6b5e90b7@verkopen.bol.com designates 185.14.168.133 as permitted sender) smtp.mailfrom=eccd25a4-9ea4-43b8-8988-854d6b5e90b7@verkopen.bol.com;
dmarc=pass (policy=quarantine) header.from=verkopen.bol.com
Received: from pro-mail-smtp-003-aip29.bolcom.net (pro-mail-smtp-003-buffer.bolcom.net [10.128.1.66])
by pro-mail-smtp-003-vip5.bol.com (Postfix) with ESMTP id 003DCB002426
for <%%REDACTED%%huize-zwet.nl>; Wed, 18 Sep 2024 00:05:10 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=verkopen.bol.com;
s=verkopen; t=1726610711;
bh=9VPTJUASpUKUTFJO/otKkgof4DRGHEZXrMP0vBiVASY=;
h=Date:From:To:Subject;
b=RHeG3X6PVNsiIIhF78Ggl6o219gkbyvrDO5H6THQ76uts4sN+c0nVYkBX6Luvpm92
Wf/VitA+KoZWCgpYyJfqTO3knvdBh1zy12cwSznZMzy7wf6VcH63/eSPGoM3aVPKNO
dKcrXotPtELXeqsX47dnsx5psT3LX/T1cR62Y3is=
Received: from pro-mail-cloudrelay-004.bol.com (pro-mail-cloudrelay-004.bolcom.net [10.128.20.31])
by pro-mail-smtp-003-aip29.bolcom.net (Postfix) with ESMTP id 3E425D002DED
for <%%REDACTED%%huize-zwet.nl>; Wed, 18 Sep 2024 00:05:10 +0200 (CEST)
Received: from aex-deploy-5c855c5c4-9r9c9 (unknown [127.0.0.6])
by pro-mail-cloudrelay-004.bol.com (Postfix) with ESMTP id 34FF51800090
for <%%REDACTED%%huize-zwet.nl>; Wed, 18 Sep 2024 00:05:10 +0200 (CEST)
Date: Wed, 18 Sep 2024 00:04:54 +0200 (CEST)
From: "%%REDACTED_SENDER%%" <noreply@verkopen.bol.com>
To: %%REDACTED%%huize-zwet.nl
Message-ID: <1671305793.2652.1726610710189@mail-cloudrelay.mail.pro.bolcom.services>
Subject: %%REDACTED_SUBJECT%%
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_Part_2650_391468958.1726610710186"
X-CMAE-Score: 0
X-CMAE-Analysis: v=2.4 cv=EbjOQumC c=0 sm=1 tr=0 ts=66e9fd17 awl=host:18239
X-Soverin-Spam-Level: *
X-Soverin-Spam-Result: default: False [1.72 / 15.00];
FORGED_RECIPIENTS(2.20)[m:%%REDACTED%%huize-zwet.nl,s:%%REDACTED_USER1%%freedom.nl,s:%%REDACTED_USER2%%freedom.nl];
DMARC_POLICY_ALLOW(-0.50)[verkopen.bol.com,quarantine];
FORGED_SENDER(0.33)[noreply@verkopen.bol.com,SRS0=wkC3=QP=verkopen.bol.com=eccd25a4-9ea4-43b8-8988-854d6b5e90b7@soverin.net];
R_DKIM_ALLOW(-0.20)[verkopen.bol.com:s=verkopen];
R_SPF_ALLOW(-0.20)[+ip6:2a10:de80:1:4092:b9e9:229b::1:c];
MIME_HTML_ONLY(0.20)[];
MIME_GOOD(-0.10)[multipart/mixed];
MX_GOOD(-0.01)[];
ARC_NA(0.00)[];
MISSING_XM_UA(0.00)[];
ASN(0.00)[asn:211993, ipnet:2a10:de80::/32, country:NL];
RCPT_COUNT_ONE(0.00)[1];
MIME_TRACE(0.00)[0:+,1:~,2:~];
FUZZY_BLOCKED(0.00)[rspamd.com];
HAS_ATTACHMENT(0.00)[];
REDIRECTOR_URL(0.00)[sendgrid.net];
FROM_NEQ_ENVFROM(0.00)[noreply@verkopen.bol.com,SRS0=wkC3=QP=verkopen.bol.com=eccd25a4-9ea4-43b8-8988-854d6b5e90b7@soverin.net];
FROM_HAS_DN(0.00)[];
NEURAL_HAM(-0.00)[-0.964];
RCVD_COUNT_FIVE(0.00)[5];
PREVIOUSLY_DELIVERED(0.00)[%%REDACTED%%huize-zwet.nl];
TO_DN_NONE(0.00)[];
RCVD_TLS_LAST(0.00)[];
DKIM_TRACE(0.00)[verkopen.bol.com:+]
X-Cloudmark-Verdict: spam
X-CMAE-Score: 100
X-CMAE-Analysis: v=2.4 cv=EbjOQumC c=0 sm=1 tr=0 ts=66e9fd18
p=-SBe4VvAAAAA:8 a=5mt8fOQDYxzdREgrYC6DOg==:17 a=1oJP67jkp3AA:10
a=EaEq8P2WXUwA:10 a=fN10o2OVBXYA:10 a=g8TUdU_LZmEA:10 a=SSmOFEACAAAA:8
a=3g80flMcAAAA:8 a=ttGeQjMJAAAA:8 a=CdiQOFsWAAAA:8
X-Cloudmark-Reporter: YNh1M/i2fQkAe1RT4SZ2k6+sYNc=
Spotify:
Return-Path: <bounces+1785577-37eb-%%REDACTED%%=huize-zwet.nl@em.spotify.com>
Delivered-To: %%REDACTED_USER2%%freedom.nl
Received: from mx.soverin.net ([10.10.4.102])
by storage.soverin.net with LMTP
id lvXgI9kX72a0vTYAGAUnpw
(envelope-from <bounces+1785577-37eb-%%REDACTED%%=huize-zwet.nl@em.spotify.com>)
for <%%REDACTED_USER2%%freedom.nl>; Sat, 21 Sep 2024 19:00:41 +0000
Received: from o7.em.spotify.com (o7.em.spotify.com [208.117.48.82])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
(No client certificate requested)
by mx.soverin.net (Postfix) with ESMTPS id 4X9z9M1Whgzbx
for <%%REDACTED%%huize-zwet.nl>; Sat, 21 Sep 2024 19:00:38 +0000 (UTC)
Authentication-Results: mx.soverin.net;
dkim=pass header.d=spotify.com header.s=s1 header.b=bg1QTU3W;
spf=pass (mx.soverin.net: domain of "bounces+1785577-37eb-%%REDACTED%%=huize-zwet.nl@em.spotify.com" designates 208.117.48.82 as permitted sender) smtp.mailfrom="bounces+1785577-37eb-%%REDACTED%%=huize-zwet.nl@em.spotify.com";
dmarc=pass (policy=reject) header.from=spotify.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=spotify.com;
h=content-type:from:mime-version:subject:to:cc:content-type:from:
subject:to;
s=s1; bh=Jo8vyWEH+5OSKzqsCscsqTVEIjiw7IBKsAVB5cUwHMk=;
b=bg1QTU3WWLYhD3fJuEzE4I/CusgwHU5G3hsqSZ+1Jy2Lf0NxCLjfwmuiFyQkJ74aA3Mr
BMHovbg5EimcVsAZAAxCwM2qa/bLM8pvTyv7cdGi0J1qJEbP39H1RtdPN9ZbKryTcsX4Ul
RQLOjFKJLGfac8RX3eozPlFb1drABeb2vm3hFS/1FwKOJP+d4RSq440FGc4a1fcS42UWvW
lyhiXKFtef3Nmor+/sYuRmVME6BYUmVzvV8GB/be7hL1R64xIaTvN3xtBsjxxm3wiZQT7p
ZB6c0/4bYTI9n3cOG12B6c1Ua2LVCdekP1K594NYt8jC+q94aQbwujRlnDIoU9dg==
Received: by recvd-65bdd88ff5-jvd4z with SMTP id recvd-65bdd88ff5-jvd4z-1-66EF17CE-37
2024-09-21 19:00:30.770237943 +0000 UTC m=+781322.519999902
Received: from MTc4NTU3Nw (unknown)
by geopod-ismtpd-7 (SG) with HTTP
id f9gK8aTpR-iEFSWnGeJDug
Sat, 21 Sep 2024 19:00:30.768 +0000 (UTC)
Content-Type: multipart/alternative; boundary=56136b41e1bb2ddf454c13ba7d80872b0c06ea9e2e964eb6284b4ed7bf1f
Date: Sat, 21 Sep 2024 19:00:30 +0000 (UTC)
From: Spotify <no-reply@spotify.com>
Mime-Version: 1.0
Message-ID: <f9gK8aTpR-iEFSWnGeJDug@geopod-ismtpd-7>
Subject: Weer toegang krijgen tot je Spotify-account
To: %%REDACTED%%huize-zwet.nl
X-Entity-ID: u001.Bqt4P4G2uDnqBUZHczWe5Q==
X-Soverin-Spam-Result: default: False [-2.71 / 15.00];
WHITELIST_SPF_DKIM(-3.00)[spotify.com:d:+,spotify.com:s:+];
DMARC_POLICY_ALLOW(-0.50)[spotify.com,reject];
MV_CASE(0.50)[];
MID_RHS_NOT_FQDN(0.50)[];
FORGED_SENDER(0.30)[no-reply@spotify.com,bounces@em.spotify.com];
R_SPF_ALLOW(-0.20)[+ip4:208.117.48.0/20:c];
R_DKIM_ALLOW(-0.20)[spotify.com:s=s1];
MIME_GOOD(-0.10)[multipart/alternative,text/plain];
MX_GOOD(-0.01)[];
TO_MATCH_ENVRCPT_ALL(0.00)[];
ARC_NA(0.00)[];
FROM_HAS_DN(0.00)[];
RWL_MAILSPIKE_POSSIBLE(0.00)[208.117.48.82:from];
ASN(0.00)[asn:11377, ipnet:208.117.48.0/21, country:US];
MIME_TRACE(0.00)[0:+,1:+,2:~];
MISSING_XM_UA(0.00)[];
RCVD_TLS_LAST(0.00)[];
FROM_NEQ_ENVFROM(0.00)[no-reply@spotify.com,bounces@em.spotify.com];
NEURAL_HAM(-0.00)[-1.000];
TAGGED_FROM(0.00)[1785577-37eb-%%REDACTED%%=huize-zwet.nl];
FUZZY_BLOCKED(0.00)[rspamd.com];
TO_DN_NONE(0.00)[];
RCVD_COUNT_TWO(0.00)[2];
RCPT_COUNT_ONE(0.00)[1];
DKIM_TRACE(0.00)[spotify.com:+]
X-Cloudmark-Verdict: spam
X-CMAE-Score: 100
X-CMAE-Analysis: v=2.4 cv=EbjOQumC c=0 sm=1 tr=0 ts=66ef17d9 b=1
p=fzyff2Gen9yoc3CkrG0A:9 a=kPda4FdYI8cKv0SffRNFhQ==:117
a=kPda4FdYI8cKv0SffRNFhQ==:17 a=O76VCmqbo-wA:10 a=otRC33yBpwAA:10
a=g8TUdU_LZmEA:10 a=WgwJIo3SAAAA:8 a=t-IPkPogAAAA:8 a=1XWaLZrsAAAA:8
a=BFPSyBzdAAAA:8
X-Cloudmark-Reporter: eMsHaWiRGjfjvtcguOLgW8FxgI0=
Why do these end up in the SPAM folder now? Here I see no indication at all that these exceed the configured score factor of ‘5’.
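
Added example, not part of any post above and not Freedom's or Soverin's code: a small Python parser that splits an X-Soverin-Spam-Result header into its symbols, sorts them by how much they contribute, and lists the other filter headers present in the same message. The sample is constructed from the bol.com headers with placeholder addresses; reading `m:` as header recipients and `s:` as envelope recipients is an assumption.

```python
import re

# Constructed sample: shortened from the bol.com headers above, placeholder addresses.
SAMPLE = """\
X-Soverin-Spam-Result: default: False [1.72 / 15.00];
 FORGED_RECIPIENTS(2.20)[m:group@example.nl,s:user1@example.org,s:user2@example.org];
 DMARC_POLICY_ALLOW(-0.50)[verkopen.bol.com,quarantine];
 FORGED_SENDER(0.33)[noreply@verkopen.bol.com,SRS0=x@soverin.net];
 R_DKIM_ALLOW(-0.20)[verkopen.bol.com:s=verkopen];
 NEURAL_HAM(-0.00)[-0.964];
 DKIM_TRACE(0.00)[verkopen.bol.com:+]
X-Cloudmark-Verdict: spam
X-CMAE-Score: 100
"""

NUM = r"(-?\d+(?:\.\d+)?)"
SUMMARY = re.compile(r"\[\s*" + NUM + r"\s*/\s*" + NUM + r"\s*\]")
SYMBOL = re.compile(r"([A-Z][A-Z0-9_]*)\(" + NUM + r"\)\[([^\]]*)\]")

def unfold(raw):
    """Map lower-cased header names to values, joining folded lines (last value wins)."""
    headers, name = {}, None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and name:
            headers[name] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            name = name.strip().lower()
            headers[name] = value.strip()
    return headers

def analyse(raw, result_header="x-soverin-spam-result"):
    """Parse the rspamd-style result header and collect other verdict headers."""
    headers = unfold(raw)
    value = headers.get(result_header, "")
    total = SUMMARY.search(value)
    symbols = [(n, float(s), o.split(",") if o else [])
               for n, s, o in SYMBOL.findall(value)]
    symbols.sort(key=lambda sym: -abs(sym[1]))  # largest contribution first
    report = {
        "score": float(total.group(1)) if total else None,
        "limit": float(total.group(2)) if total else None,
        "symbols": symbols,
        "other": {k: v for k, v in headers.items() if k.startswith(("x-cloudmark-", "x-cmae-"))},
    }
    # Assumption: in FORGED_RECIPIENTS options, "m:" is a To/Cc header address
    # and "s:" is an SMTP envelope (RCPT TO) address.
    for name, _, opts in symbols:
        if name == "FORGED_RECIPIENTS":
            report["header_rcpts"] = {o[2:] for o in opts if o.startswith("m:")}
            report["envelope_rcpts"] = {o[2:] for o in opts if o.startswith("s:")}
    return report
```

Calling `analyse()` on a saved header block puts the X-Soverin-Spam-Result score next to any Cloudmark headers in the same message, so both verdicts can be compared side by side.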