wrentom
Message 1 of 5

Whitelisted sender's email classed as SPAM

All emails from one of my contacts (in my contact list) are being classed as SPAM.

This contact has been emailing me successfully for about 10 years but, from about mid December 2018, all his emails are being treated as Spam by Virginmedia. I have searched for a means of specifically whitelisting him but I can't find anything other than ensuring he is one of my contacts.

I have checked with his IT guy who assures me that he has the correct SPF and DMARC records in place.

Any ideas what can be done about this?

 

Very Insightful Person
Message 2 of 5

Re: Whitelisted sender's email classed as SPAM

There is no mechanism you can use for "whitelisting" as you describe it.  It is said that having the sender in your address book ensures that mail from that sender won't go into your spam folder. I have my doubts, even though I've given that advice in the past.

The VM incoming spam filters are good but they aren't great. I could guess at any number of reasons why e-mail gets classed as spam. However, it would be helpful to diagnose the issue if we could see a header from one of the e-mails that has been classified as spam so we can understand the reason. Post it in this thread, edited to ensure that no identifying details are included - usually the name before the e-mail @ symbol.

 



As a Very Insightful Person, I'm here to share my knowledge. I don't work for Virgin Media.

wrentom
Message 3 of 5

Re: Whitelisted sender's email classed as SPAM

Here is a sample header with his name replaced by xxx and mine by yyy.  Also his domain name replaced by hisdomain and a second domain (his business domain) replaced by domain2.  Incidentally, even when he sends directly from his business email, it is still getting classed as spam.

Return-Path: <xxx>
Delivered-To: yyy
Received: from md9.tb.ukmail.iss.local ([212.54.57.71])
 by mc34.tb.ukmail.iss.local with LMTP id UJYnGgByT1xQTQAALsEXRw
 for <yyy>; Mon, 28 Jan 2019 22:20:00 +0100
Received: from smtpclienthelo ([212.54.57.71])
 by md9.tb.ukmail.iss.local with LMTP id qNWxAv5xT1xmBQAABc+m+w
 ; Mon, 28 Jan 2019 22:20:00 +0100
Authentication-Results: ukmail.iss.as9143.net;
 spf=fail (85.233.160.22;hisdomain);
 dkim=none (nosigs);
 dmarc=fail header.from=hisdomain(p=quarantine sp=none dis=quarantine);
X-Spam-Reason: DMARC=quarantine
X-Spam: yes
X-Env-Mailfrom: xxx
X-Env-Rcptto: yyyy
X-SourceIP: 85.233.160.22
X-CNFS-Analysis: v=2.3 cv=H6ilPNQi c=1 sm=1 tr=0
 a=oie9c3m2UhJATcW6IDq6EA==:117 a=UyDRz3Zeqbgk8xvg5YXF1Q==:17
 a=L4HattXivdAA:10 a=3JhidrIBZZsA:10 a=r77TgQKjGQsHNAKrUKIA:9 a=w6fiGHXdAAAA:8
 a=9zMDbu3EAAAA:8 a=vEfmA1mdAAAA:8 a=vAfoDNkPAAAA:8 a=FgU2R7vnAAAA:8
 a=8RloEfZUAAAA:8 a=P6Bh8bKs8702w25q9c8A:9 a=FGhV9mw3AbW5oZFk:21
 a=JFFJNJ-DBRnpoUqv:21 a=QEXdDO2ut3YA:10 a=hCrJTIY1N4cSLIcOS2cA:9
 a=gdgLzCXJH66AzH-K:21 a=4u-sSl0j-P8I_vKj:21 a=UjfhNGpaqz1NTX2-:21
 a=_W_S_7VecoQA:10 a=1_PC4CJ83AaPUxXPIbUA:9 a=ODzOv9djO4yoFKtC:18
 a=KQqxNPgzF0kA:10 a=VEiTNn8F7TgA:10 a=xYihD3OFtvih7UelkU4A:22
 a=U9MWIJRMMEAq0FcQnuor:22 a=QUFq61r44m7JzdkgnSPz:22 a=nM__XUXkTQkBUxi0b838:22
 a=iiAHTbxIZ1HKOH8Qy-s6:22 a=ea-aaFCQWd8KpuIyLtRc:22
Received: from fwd0.hosts.co.uk ([85.233.160.22])
 by mx4.tb.ukmail.iss.as9143.net with ESMTP
 id oEJzg02MWjWIIoEJzgwxQo; Mon, 28 Jan 2019 22:20:00 +0100
Received: from [208.109.80.60] (helo=p3plsmtps2ded03.prod.phx3.secureserver.net)
 by fwd0.hosts.co.uk with esmtp (Exim 4.91)
 (envelope-from <xxx>)
 id 1goEJz-0000ir-Au
 for yyy; Mon, 28 Jan 2019 21:19:59 +0000
Received: from pb-vps.domain2([192.169.243.92])
 by : HOSTING RELAY : with ESMTP
 id oEIwgg3xUSwDHoEIwgyYc0; Mon, 28 Jan 2019 14:18:55 -0700
Received: from [95.147.111.175] (port=58950 helo=[192.168.0.14])
 by pb-vps.domain2 with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128)
 (Exim 4.91)
 (envelope-from <xxx>)
 id 1goEIw-0005XF-3k; Mon, 28 Jan 2019 21:18:54 +0000
Subject: <SPAM> Re: Subject

Very Insightful Person
Message 4 of 5

Re: Whitelisted sender's email classed as SPAM

I'm no expert but I can see immediately that this mail failed the VM authenticity checks, SPF. VM have followed the rule from the apparent sending domain on what to do if DMARC fails which in this case is to quarantine. VM interprets this as treat as spam so the mail isn't lost

Authentication-Results: ukmail.iss.as9143.net;
 spf=fail (85.233.160.22;hisdomain);
 dkim=none (nosigs);
 dmarc=fail header.from=hisdomain(p=quarantine sp=none dis=quarantine);
X-Spam-Reason: DMARC=quarantine
X-Spam: yes

and as a result classes the e-mail as spam. There is a clue in the rest of the header that the sender is using a forwarding service which breaks SPF and so fails the VM authenticity checks. The solution is in the hands of your sender to make sure his forwarding behaves in a way which stops this from happening - though not all forwarders can do this.

VM are being strict on this to stop e-mail spoofing from affecting their systems.

I have asked for a bit of confirmation from another Superuser that I am taking the right direction here.

@ravenstar68   -  I hope I have got this basically right, branching out a bit on my own here!



Very Insightful Person
Message 5 of 5

Re: Whitelisted sender's email classed as SPAM

@wrentom 

Thanks for the header, although it does help to know what the sending domain is in both the From: address and the Return-Rcpt: address.

Can't fault Howard here:

What do we see here:

SPF - fail, without seeing the domain in the Return-Rcpt: line it's hard to say whether his SPF record is correct or not.  But in reality it doesn't matter because the problem is twofold.

1.  Your domain's email isn't residing on its own server - instead it's being received by your registrar and forwarded to Virgin Media - this breaks SPF because inbound mail servers actually look at the IP address they are talking to when they are determining SPF pass or fail.  Not the server where the mail first came from.

In short if the sender sends DIRECTLY to your Virgin Media address - you will see an SPF pass - as Virgin's inbound server is talking directly to the sender's server.

When you put a forwarding server in the mix, you will always get an SPF fail - This is a known weakness in SPF.  There was a draft proposal for getting round this, but with DMARC the draft proposal wouldn't work.

2. The sender isn't using DKIM

DKIM is a method of signing mails with a signature provided by an authorised domain.  As an authentication method it's not impacted by the shortcomings of SPF (although it does have a few of its own).  However there are occasions when certain mail servers mess with the mail when forwarding when they really shouldn't.

For uses such as yours you should find that although the SPF fails DKIM would pass in most circumstances meaning the mail would end up getting a DMARC pass rather than a fail.

Ps when testing by sending a message via Outlook I did actually encounter problems, but that's for another thread.

Because the SPF failed, DMARC kicks in and the instruction in the DMARC policy is to quarantine the mail because of the authentication fail - which Virgin Media dutifully does.

Tim

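Added example, not written by any poster in this thread: a Python sketch that reads a trimmed excerpt of the header posted in message 3, finds which hop the receiving server evaluated SPF against, and applies the DMARC rule described in message 5. The alignment flags and the "what if DKIM were in use" result are assumptions, because the thread redacts the domains.

```python
import re
from email import message_from_string

# Trimmed excerpt of the header posted in the thread (redactions as posted).
SAMPLE = """\
Authentication-Results: ukmail.iss.as9143.net;
 spf=fail (85.233.160.22;hisdomain);
 dkim=none (nosigs);
 dmarc=fail header.from=hisdomain(p=quarantine sp=none dis=quarantine);
X-SourceIP: 85.233.160.22
Received: from fwd0.hosts.co.uk ([85.233.160.22])
 by mx4.tb.ukmail.iss.as9143.net with ESMTP
 id oEJzg02MWjWIIoEJzgwxQo; Mon, 28 Jan 2019 22:20:00 +0100
Received: from [208.109.80.60] (helo=p3plsmtps2ded03.prod.phx3.secureserver.net)
 by fwd0.hosts.co.uk with esmtp (Exim 4.91)
 id 1goEJz-0000ir-Au; Mon, 28 Jan 2019 21:19:59 +0000
"""

def auth_results(msg):
    """Extract the spf/dkim/dmarc verdicts and the published DMARC policy (p=)."""
    raw = " ".join(msg["Authentication-Results"].split())
    res = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", raw))
    policy = re.search(r"\bp=(\w+)", raw)
    res["policy"] = policy.group(1) if policy else None
    return res

def spf_checked_hop(msg):
    """Return (peer name, IP) of the Received hop matching X-SourceIP."""
    src = msg["X-SourceIP"].strip()
    for hop in msg.get_all("Received", []):
        m = re.match(r"from (\S+) \(\[([\d.]+)\]\)", " ".join(hop.split()))
        if m and m.group(2) == src:
            return m.group(1), src
    return None, src

def dmarc_outcome(spf, dkim, spf_aligned, dkim_aligned, policy):
    """DMARC passes when SPF or DKIM passes and is aligned with the From: domain."""
    if (spf == "pass" and spf_aligned) or (dkim == "pass" and dkim_aligned):
        return "pass"
    return policy  # otherwise the From: domain's requested disposition applies

if __name__ == "__main__":
    msg = message_from_string(SAMPLE)
    r = auth_results(msg)
    print("SPF was checked against:", spf_checked_hop(msg))
    print("as received:", dmarc_outcome(r["spf"], r["dkim"], False, False, r["policy"]))
    # Assumption: the sender adds an aligned DKIM signature that survives forwarding.
    print("with DKIM:  ", dmarc_outcome(r["spf"], "pass", False, True, r["policy"]))
```

The hop it reports is the forwarder (fwd0.hosts.co.uk), not the sender's own server, which is why SPF fails regardless of how the sender's SPF record is written.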