I use a sieve filter to move spam email to user's Junk folder:
# cat spam_to_junk.sieve
require "fileinto";
? if exists "X-Spam-Status" {
????????? if header :contains "X-Spam-Status" "YES" {
????????? fileinto "Junk";
????????? stop;
????????? } else {
????? }
? }
? if header :contains "subject" ["SPAM?"] {
??? fileinto "Junk";
??? stop;
? }
Most time this filter works fine but occasionally it move non-spam in to
Junk folder. Here is an example, this email is from dovecot mailling
list and it end up in my Junk folder. Mailllog and header here. Would
someone help me to figure out what went wrong here?
Thanks.
Gao
=======Header========Dovecot Mailing List <dovecot at dovecot.org>
References: <c2562504-d5ae-cf3b-3e71-35ef0df15b79 at rename-it.nl>
?<e804da79-6bdc-fb21-8ed4-7c1385ea8936 at gmx.com>
From: sender name <sender at rename-it.nl>
Message-ID: <9100b497-7f3e-8129-9f8f-c675296e2bd7 at rename-it.nl>
Date: Thu, 14 Dec 2017 11:54:19 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101
?Thunderbird/52.5.0
MIME-Version: 1.0
In-Reply-To: <e804da79-6bdc-fb21-8ed4-7c1385ea8936 at gmx.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-US
X-SA-Exim-Connect-IP: 217.119.239.130
X-SA-Exim-Mail-From: sender at rename-it.nl
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on sogo.guto.nl
X-Spam-Level:
X-Spam-Status: No, score=-2.9 required=5.0 tests=ALL_TRUSTED,BAYES_00
?autolearn=ham version=3.3.2, No
Subject: Re: New Dovecot service: SMTP Submission (RFC6409)
X-SA-Exim-Version: 4.2.1 (built Mon, 26 Dec 2011 16:24:06 +0000)
X-SA-Exim-Scanned: Yes (on sogo.guto.nl)
X-BeenThere: dovecot at dovecot.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Dovecot Mailing List <dovecot.dovecot.org>
List-Unsubscribe: <https://dovecot.org/mailman/options/dovecot>,
?<mailto:dovecot-request at dovecot.org?subject=unsubscribe>
List-Archive: <https://dovecot.org/pipermail/dovecot/>
List-Post: <mailto:dovecot at dovecot.org>
List-Help: <mailto:dovecot-request at dovecot.org?subject=help>
List-Subscribe: <https://dovecot.org/mailman/listinfo/dovecot>,
?<mailto:dovecot-request at dovecot.org?subject=subscribe>
Errors-To: dovecot-bounces at dovecot.org
Sender: "dovecot" <dovecot-bounces at dovecot.org>
X-mydomain-MailScanner-Information: Please contact the administrator for
more information
X-mydomain-MailScanner-ID: D6773400AB09.ADBA7
X-mydomain-MailScanner: Found to be clean
X-mydomain-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
??? score=-4.598, required 5, autolearn=not spam, BAYES_00 -1.90,
??? DCC_CHECK 1.10, HEADER_FROM_DIFFERENT_DOMAINS 0.00,
??? KAM_LAZY_DOMAIN_SECURITY 1.00, KAM_SHORT 0.00,
??? RCVD_IN_DNSWL_MED -2.30, RCVD_IN_HOSTKARMA_W -2.50)
X-mydomain-MailScanner-From: dovecot-bounces at dovecot.org
=====End of header======
=======Maillog========Dec 14 02:54:51 mail postfix/postscreen[19236]: CONNECT
from
[94.237.32.243]:40818 to [10.11.22.68]:25
Dec 14 02:54:52 mail postfix/postscreen[19236]: PASS OLD
[94.237.32.243]:40818
Dec 14 02:54:52 mail postfix/smtpd[19244]: connect from
wursti.dovecot.fi[94.237.32.243]
Dec 14 02:54:52 mail policyd-spf[19248]: None; identity=helo;
client-ip=94.237.32.243; helo=mail.dovecot.fi;
envelope-from=dovecot-bounces at dovecot.org; receiver=gao at pztop.com
Dec 14 02:54:52 mail policyd-spf[19248]: None; identity=mailfrom;
client-ip=94.237.32.243; helo=mail.dovecot.fi;
envelope-from=dovecot-bounces at dovecot.org; receiver=gao at pztop.com
Dec 14 02:54:52 mail postfix/smtpd[19244]: D6773400AB09:
client=wursti.dovecot.fi[94.237.32.243]
Dec 14 02:54:53 mail postfix/cleanup[19249]: D6773400AB09: hold: header
Received: from mail.dovecot.fi (wursti.dovecot.fi [94.237.32.243])??by
mail.mydomain.com (Postfix) with ESMTP id D6773400AB09??for
<gao at pztop.com>; Thu, 14 Dec 2017 02:54:52 -0800 (PST) from
wursti.dovecot.fi[94.237.32.243]; from=<dovecot-bounces at dovecot.org>
to=<gao at pztop.com> proto=ESMTP helo=<mail.dovecot.fi>
Dec 14 02:54:53 mail postfix/cleanup[19249]: D6773400AB09:
message-id=<9100b497-7f3e-8129-9f8f-c675296e2bd7 at rename-it.nl>
Dec 14 02:54:53 mail opendkim[1706]: D6773400AB09: wursti.dovecot.fi
[94.237.32.243] not internal
Dec 14 02:54:53 mail opendkim[1706]: D6773400AB09: not authenticated
Dec 14 02:54:53 mail opendkim[1706]: D6773400AB09: no signature data
Dec 14 02:54:53 mail postfix/smtpd[19244]: disconnect from
wursti.dovecot.fi[94.237.32.243] ehlo=1 mail=1 rcpt=1 data=1 quit=1
commands=5
Dec 14 02:54:53 mail MailScanner[18700]: New Batch: Scanning 1 messages,
7572 bytes
Dec 14 02:54:53 mail MailScanner[18700]: Virus and Content Scanning:
Starting
Dec 14 02:54:53 mail MailScanner[18700]: Spam Checks: Starting
Dec 14 02:54:53 mail MailScanner[18700]: MailWatch: Blacklist refresh
time reached
Dec 14 02:54:53 mail MailScanner[18700]: MailWatch: Starting up
MailWatch SQL Blacklist
Dec 14 02:54:53 mail MailScanner[18700]: MailWatch: Read 0 blacklist entries
Dec 14 02:54:56 mail MailScanner[18700]: Requeue: D6773400AB09.ADBA7 to
24EDE400AABD
Dec 14 02:54:56 mail MailScanner[18700]: Uninfected: Delivered 1 messages
Dec 14 02:54:56 mail postfix/qmgr[1756]: 24EDE400AABD:
from=<dovecot-bounces at dovecot.org>, size=6784, nrcpt=1 (queue active)
Dec 14 02:54:56 mail MailScanner[18700]: Deleted 1 messages from
processing-database
Dec 14 02:54:56 mail MailScanner[18700]: MailWatch: Logging message
D6773400AB09.ADBA7 to SQL
Dec 14 02:54:56 mail MailScanner[18962]: MailWatch: D6773400AB09.ADBA7:
Logged to MailWatch SQL
Dec 14 02:54:56 mail dovecot: lmtp(19259): Connect from local
Dec 14 02:54:56 mail dovecot: lmtp(gao at pztop.com):
AHqjGYBYMlo7SwAAlqGq+A: sieve:
msgid=<9100b497-7f3e-8129-9f8f-c675296e2bd7 at rename-it.nl>: stored mail
into mailbox 'Junk'
Dec 14 02:54:56 mail dovecot: lmtp(19259): Disconnect from local:
Successful quit
Dec 14 02:54:56 mail postfix/lmtp[19258]: 24EDE400AABD:
to=<gao at pztop.com>, relay=mail.mydomain.com[private/dovecot-lmtp],
delay=3.9, delays=3.8/0.01/0.01/0.06, dsn=2.0.0, status=sent (250 2.0.0
<gao at pztop.com> AHqjGYBYMlo7SwAAlqGq+A Saved)
Dec 14 02:54:56 mail postfix/qmgr[1756]: 24EDE400AABD: removed
Dec 14 02:54:56 mail dovecot: indexer-worker(gao at pztop.com): Indexed 1
messages in Junk (UIDs 11..11)
======End of Maillog======