RISKYTLD Triggered Spam

Can anyone explain why some mail was marked as spam, because RISKY TLD (3.0 points) was triggered on a Dutch sending mail account (.nl), which is not a risky TLD at all?

Love to hear from MXRoute

As of two days ago the RISKYTLD rule did not function entirely as intended, and has since been altered. Can you tell me if you still experience this?

Can you paste the full email headers, either here or to me in PM without any data obscured?

It would help to see the complete headers.

Note, I am not MXRoute staff.

Thanks for helping out, I hope you can give me some insights. By the way, on another somewhat identical email from the same sender, the RISKY TLD was not triggered.

Headers:

Return-Path: <noreply@sender.nl>
Delivered-To: gvw+spam@receiver.nl
Received: from ocean.mxroute.com
    by ocean.mxroute.com with LMTP
    id bkaqEQNpSl1ocgAAnl20Hw
    (envelope-from <noreply@something.nl>)
    for <gvw+spam@receiver.nl>; Wed, 07 Aug 2019 06:00:35 +0000
Return-path: <noreply@sender.nl>
Envelope-to: gvw@receiver.nl
Delivery-date: Wed, 07 Aug 2019 06:00:35 +0000
Received: from ns1.sender-server2.nl ([83.172.139.40]:49848)
    by ocean.mxroute.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
    (Exim 4.92)
    (envelope-from <noreply@sender.nl>)
    id 1hvEzS-0007TF-9W
    for gvw@receiver.nl; Wed, 07 Aug 2019 06:00:35 +0000
Received: (qmail 1421 invoked from network); 7 Aug 2019 08:00:01 +0200
Authentication-Results: ns1.sender-server2.nl;
    spf=pass (sender IP is 0000:0000:0000:0000:0000:0000:0000:0001) smtp.mailfrom=noreply@sender.nl smtp.helo=www.sender.nl
Received-SPF: pass (ns1.sender-server2.nl: connection is authenticated)
Received: from unknown (HELO www.sender.nl) (0000:0000:0000:0000:0000:0000:0000:0001)
    by 0000:0000:0000:0000:0000:0000:0000:0001 with ESMTPA; 7 Aug 2019 08:00:01 +0200
Date: Wed, 7 Aug 2019 08:00:01 +0200
To: gvw@receiver.nl
From: "sender.nl - ProjectMonitor" <noreply@sender.nl>
Subject: HERINNERING notitie's - De Project Monitor
Message-ID: <3051b3fef37cff3ac038c4757e3d0a8c@www.sender.nl>
X-Priority: 3
X-Mailer: PHPMailer 5.2.9 (https://github.com/PHPMailer/PHPMailer/)
MIME-Version: 1.0
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Spam-Subject: ***SPAM*** HERINNERING notitie's - De Project Monitor
X-Spam-Status: Yes, score=5.1
X-Spam-Score: 51
X-Spam-Bar: +++++
X-Spam-Report: Spam detection software, running on the system "ocean.mxroute.com",
    has identified this incoming email as possible spam. The original
    message has been attached to this so you can view it or label
    similar future email. If you have any questions, see
    root\@localhost for details.
    Content preview: Goedemorgen Gijs, Voor vandaag staat de opvolging van de
    volgende notities gepland Project: Geertuidenberg Bergsche Maas Proefsleuf
    Spijkerboor # Ingepland door Notitie 1 Gijs van Waning klerk nabellen of
    er al een prijs is. 
    Content analysis details: (5.1 points, 5.0 required)
    pts rule name description
    ---- ---------------------- --------------------------------------------------
    3.0 RISKYTLD TLD heavily abused by spammers
    1.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
    0.5 HTML_MESSAGE BODY: HTML included in message
    0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
    blocked. See
    http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
    for more information.
    [URIs: sender.nl]
    0.6 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML
    tag
X-Spam-Flag: YES

So the ‘risky TLD’ was determined by SpamAssassin. It looks like the combination of that and the lack of a plain text message was enough to make the spam score high enough to end up in spam.

You mentioned another email that did not trigger the RISKY TLD … did you determine that from the headers, or the fact that the message did not go into spam?

I do not know if @Jarland has any control over SpamAssassin, but I do know that you can set the spam score threshold higher in your cPanel. If SpamAssassin is adding 3 points to every .nl domain originated email you may want to raise the score that goes to spam … (as I am guessing you are from NL).

Hopefully Jarland will weigh in on this issue later in the day once it is daylight in the US.
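One way to settle the question raised above (whether RISKYTLD actually fired on the other messages, rather than going by which folder they landed in) is to pull the rule hits out of each message's X-Spam-Report header. The script below is an added example and is not code from this thread or from MXRoute; the sample header block is constructed, condensed from the headers quoted above, and the regexes assume SpamAssassin's standard upper-case rule names.

```python
"""Parse SpamAssassin hits from message headers to check RISKYTLD per message."""
import email
import re

# Constructed sample, condensed from the headers quoted in this thread.
SAMPLE_HEADERS = """\
Return-Path: <noreply@sender.nl>
X-Spam-Report: Spam detection software, running on the system "ocean.mxroute.com",
    has identified this incoming email as possible spam.
    Content analysis details: (5.1 points, 5.0 required)
    pts rule name description
    ---- ---------------------- --------------------------------------------------
    3.0 RISKYTLD TLD heavily abused by spammers
    1.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
    0.5 HTML_MESSAGE BODY: HTML included in message
    0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
    blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
    0.6 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML
    tag
X-Spam-Flag: YES
"""

# A hit line is "<points> <RULE_NAME> <description>"; rule names are upper-case,
# so the lower-case "5.1 points" in the summary line does not match.
RULE_RE = re.compile(r"(?<![\w.])(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]+)\b")
SUMMARY_RE = re.compile(r"\((-?\d+\.\d+) points, (-?\d+\.\d+) required\)")


def parse_spam_report(raw_headers):
    """Return (score, required, {rule: points}) parsed from X-Spam-Report."""
    msg = email.message_from_string(raw_headers)
    # Unfold the multi-line header into one line before matching.
    report = re.sub(r"\s+", " ", msg.get("X-Spam-Report", ""))
    m = SUMMARY_RE.search(report)
    if not m:
        raise ValueError("no 'Content analysis details' summary in X-Spam-Report")
    hits = {rule: float(pts) for pts, rule in RULE_RE.findall(report)}
    return float(m.group(1)), float(m.group(2)), hits


def risky_tld_hit(raw_headers):
    """(envelope-sender TLD, RISKYTLD points) so messages can be compared."""
    msg = email.message_from_string(raw_headers)
    m = re.search(r"@([^>\s]+)>?", msg.get("Return-Path", ""))
    tld = m.group(1).rsplit(".", 1)[-1].lower() if m else None
    return tld, parse_spam_report(raw_headers)[2].get("RISKYTLD", 0.0)


if __name__ == "__main__":
    print(parse_spam_report(SAMPLE_HEADERS), risky_tld_hit(SAMPLE_HEADERS))
```

Run it over the raw headers of both the flagged and the unflagged message from the same sender; a TLD of "nl" with 3.0 RISKYTLD points on one and 0.0 on the other shows the rule itself, not the threshold, is what differs.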

Thanks for looking into this.

As for your questions:

  • Yes, I checked the headers of the other emails to see that RISKY TLD did not trigger on .nl sending mail accounts, not even on the same mail as it is somewhat of a notification, of which some got triggered.

  • I do know I can change spam score thresholds and even make the 3.0 points for RISKY TLD lower, but if I do this for every occurrence of non-justified spam, I end up with a lot of spam that does not get triggered so I would prefer to leave this alone.

Thanks!