Several mails get blocked/rejected by mailcow

bomcow

Lately I see that many legitimate mails are being rejected by rspamd. Here are two examples

MAILCOW_BLACK (999)
MID_RHS_WWW (0.5)
IP_SCORE (-0.267333) [asn: 24940(-1.28), country: DE(-0.06)]
R_SPF_ALLOW (-0.2) [+a]
MIME_GOOD (-0.1) [multipart/mixed, multipart/alternative, text/plain]
MX_GOOD (-0.01) [dedi6647.your-server.de]
ARC_NA (0)
TAG_MOO (0)
RCPT_COUNT_ONE (0) [1]
ARC_SIGNED (0) [i=1]
HAS_REPLYTO (0) [info@kennzeichen-deutschlandweit.de]
TAGGED_RCPT (0) [kennzeichen]
FROM_HAS_DN (0)
R_DKIM_NA (0)
REPLYTO_EQ_FROM (0)
TO_DN_ALL (0)
DMARC_NA (0) [kennzeichen-deutschlandweit.de]
RCPT_MAILCOW_DOMAIN (0) [mydomain.de]
ASN (0) [asn:24940, ipnet:162.55.0.0/16, country:DE]
RCVD_TLS_ALL (0)
TO_MATCH_ENVRCPT_ALL (0)
CLAMAV_FAIL (0) [failed to scan and retransmits exceed]
RCVD_COUNT_ONE (0) [2]
HAS_PHPMAILER_SIG (0)
FROM_EQ_ENVFROM (0)
HAS_ATTACHMENT (0)

MAILCOW_BLACK (999)
MANY_INVISIBLE_PARTS (1) [10]
URI_COUNT_ODD (1) [41]
ZERO_FONT (0.5) [5]
FORGED_SENDER (0.3) [email@news.traderepublic.com, msprvs1=19184KDz5Q8tH=bounces-1898-165@news.traderepublic.com]
DMARC_POLICY_ALLOW (-0.5) [traderepublic.com, reject]
IP_SCORE (-0.444119) [asn: 23528(-2.14), country: US(-0.08)]
R_SPF_ALLOW (-0.2) [+exists:147.253.220.93._spf.sparkpostmail.com]
R_DKIM_ALLOW (-0.2) [news.traderepublic.com]
MIME_GOOD (-0.1) [multipart/alternative, text/plain]
MX_GOOD (-0.01) [smtp.eu.sparkpostmail.com, smtp.eu.sparkpostmail.com, smtp.eu.sparkpostmail.com]
ARC_NA (0)
RCPT_COUNT_ONE (0) [1]
TAGGED_RCPT (0) [traderepublic]
ASN (0) [asn:23528, ipnet:147.253.220.0/23, country:US]
HAS_REPLYTO (0) [service-de@traderepublic.com]
TO_DN_NONE (0)
FROM_NEQ_ENVFROM (0) [email@news.traderepublic.com, msprvs1=19184KDz5Q8tH=bounces-1898-165@news.traderepublic.com]
RCVD_COUNT_ZERO (0) [0]
ARC_SIGNED (0) [i=1]
DKIM_TRACE (0) [news.traderepublic.com:+]
FROM_HAS_DN (0)
RCVD_TLS_ALL (0)
CLAMAV_FAIL (0) [failed to scan and retransmits exceed]
RCPT_MAILCOW_DOMAIN (0) [mydomain.de]
TO_MATCH_ENVRCPT_ALL (0)
REPLYTO_DOM_NEQ_FROM_DOM (0)
TAG_MOO (0)

Why is the MAILCOW_BLACK score so high and what can I do about it?
Those servers are not spamming my server: mails from traderepublic I used to receive and it’s first time contact with the first mail server.

heavygale

Maybe the sending network is on your blacklist or you’ve put the domain on the blacklist for the receiving mailbox - check the mailcow ui.

bomcow

heavygale thanks for your reply. I also already checked the fail2ban permanent and temporary blacklist but those IPs/nets do not show up there.

Any other idea?

heavygale

And there’s nothing in the blacklist for the receiving mailbox?

bomcow

Please see screenshot attached. Is this the right place to check?
That subnet given there is unrelated to any of the blocked but legitimate mails.

heavygale

No, I mean the blacklist for the mailbox itself - editable when logged in for the mailbox:

bomcow

Ahh, that looks as follows:

You may be right that there is time-wise a correlation with me adding those two blacklists.
Did I do a mistake there?

heavygale

Looks good for me… maybe also check the blacklist on domain level:

bomcow

I hope I found the right options in the config (I am running an older version of mailcow)

any other ideas? 🙂

MaxDau

As far as I have seen, there is only one way that the value MAILCOW_BLACK (999) can be created. And this must come from the config, which is created with settings.php.
Please post the output of
docker-compose exec php-fpm-mailcow bash -c “cd /dynmaps ; php settings.php”