Hello,
There is one Mailchimp user (an org sending news by mail through Mailchimp's
services) whose mails are flagged by our mail gateway servers (Postfix with
amavis and SpamAssassin) with "FORGED_GMAIL_RCVD".
I am trying to understand what is wrong with these mails and why they
trigger the "FORGED_GMAIL_RCVD" rule.
Here are the headers of one such mail (the local parts of the addresses and
the Mailchimp codes have been modified consistently):
==============================================================================
Return-Path: <>
Delivered-To: spam-quarantine
X-Envelope-From:
<bounce-mcsys.us14_169988169.8021e7b523.NA-userx=noa...@mail21.atl161.mctxapp.net>
X-Envelope-To: <us...@noa.gr>
X-Envelope-To-Blocked: <us...@noa.gr>
X-Quarantine-ID: <SPEvHfP1qu5C>
X-Spam-Flag: YES
X-Spam-Score: 6.446
X-Spam-Level: ******
X-Spam-Status: Yes, score=6.446 tag=-999 tag2=3.4 kill=5.2
tests=[BAYES_50=0.8, DKIM_ADSP_CUSTOM_MED=0.001, DKIM_SIGNED=0.1,
DKIM_VALID=-0.1, FORGED_GMAIL_RCVD=4,
FREEMAIL_FORGED_FROMDOMAIN=0.5,
FREEMAIL_FROM=0.001, FREEMAIL_REPLYTO_END_DIGIT=0.25,
HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001,
MIME_HTML_ONLY=0.1, NML_ADSP_CUSTOM_MED=0.9,
RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_IADB_DK=-0.095,
RCVD_IN_IADB_LISTED=-0.001, RCVD_IN_IADB_SENDERID=-0.001,
RCVD_IN_IADB_SPF=-0.059, SPF_HELO_PASS=-0.1, SPF_PASS=-0.1]
autolearn=disabled
Authentication-Results: mailgw1.noa.gr (amavisd-new); dkim=pass
(2048-bit key)
header.d=mailchimpapp.net
Received: from mailgw1.noa.gr ([127.0.0.1])
by localhost (mailgw1.noa.gr [127.0.0.1]) (amavisd-new, port 10024)
with LMTP id SPEvHfP1qu5C for <us...@noa.gr>;
Thu, 16 Jun 2022 18:53:40 +0300 (EEST)
Received: from mail21.atl161.mctxapp.net (mail21.atl161.mctxapp.net
[198.2.140.21])
by mailgw1.noa.gr (NOA MAIL ICXC-NIKA) with ESMTPS id
4LP6Cl5g3wzMHHc
for <us...@noa.gr>; Thu, 16 Jun 2022 18:53:39 +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchimpapp.net;
s=k3; t=1655394817; x=1655697217;
i=geologicalsociety52=3dgmail....@mailchimpapp.net;
bh=sglTLcy5acviMc1jwNJzu3D3fvoIN5jx0MaJ2gqNLL0=;
h=From:Reply-To:To:Date:Message-ID:X-MC-User:Subject:MIME-Version:
Content-Type:Content-Transfer-Encoding:CC:Date:Subject:From;
b=SQNNnPuZp08+GcvBxyEdKfb3RfOpkb0Gn0lXIXKLqzgbt0FsjSirmhlSSaA0JfnIt
PbxfpjtBorjZ/RuVqarc8QuGO5c36buSqUmfaKtiGG4Bg421y58fkzM7b5oH3vzYNl
YAcM3dSgFJh/hyFgP1DxDCeVdymxTJEj9m8GHAFVQN6XR7jvBnW8Q1nmIvmtsmfwyE
TQWyN+pkbIe2UZWZwBx0c95CZhb8r3DsBqEp0qTo+Md66ox/cxE4lYecsSbzabIWpA
dmZ4cIoZ5bHIYaQIvsgNpDButCcbwzhUlI1ID7PVUvjrbCZN8567JSc8hNFG6S13Kr
Xr0GvSnxW0bjw==
Received: from 127.0.0.1 (localhost [127.0.0.1])
by mail21.atl161.mctxapp.net (Mailchimp) with ESMTP id
4LP6Cj4p59zNCpSj3
for <us...@noa.gr>; Thu, 16 Jun 2022 15:53:37 +0000 (GMT)
From: <geo...@gmail.com>
Reply-To: <geo...@gmail.com>
To: <us...@noa.gr>
Date: Thu, 16 Jun 2022 15:53:37 +0000
Message-ID:
<c462fabb8419fd9e90a977dab020df72g1e.20220616155...@mail21.atl161.mctxapp.net>
X-Mailer: Mailchimp Mailer - **CID8021e7b523020df72g1e**
X-Campaign: mailchimpc462fabb8419fd9e90a977dab.8021e7b523
X-campaignid: mailchimpc462fabb8419fd9e90a977dab.8021e7b523
X-Report-Abuse: Please report abuse for this campaign here:
https://mailchimp.com/contact/abuse/?u=c462fabb8419fd9e90a977dab&id=8021e7b523&e=020df72g1e
X-MC-User: c462fabb8419fd9e90a977dab
X-Feedback-ID: 169988169:169988169.8021e7b523:us14:mc
X-Auto-Response-Suppress: OOF, AutoReply
X-Accounttype: ff
Subject: Mailchimp Template Test - "Untitled Template"
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"; format="fixed"
Content-Transfer-Encoding: quoted-printable
...
==============================================================================
Can you please help me understand why the rule was triggered? I have
done my searching, but I have not really understood why.
Secondarily, if I understand right, the following rules:
FREEMAIL_FORGED_FROMDOMAIN
HEADER_FROM_DIFFERENT_DOMAINS
were also triggered because the Envelope-From is different from "From:",
but this is to be expected from mailing lists.
How should these rules (and possibly other ones too) be treated in
production systems to avoid banning legitimate mailing-list mails?
Thanks in advance,
Nick
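The following script is an added example, not part of Nick's post and not SpamAssassin's own rule code. It re-implements, in reduced form, the logic behind two of the tests listed in the X-Spam-Status header above and runs it over a constructed copy of the quoted headers. FORGED_GMAIL_RCVD is described in the stock rule set as "'From' gmail.com does not match 'Received' headers": the From: address is at gmail.com, yet no Received: hop shows a Google or Gmail host handing the message off (here the chain is localhost -> mail21.atl161.mctxapp.net -> mailgw1.noa.gr). HEADER_FROM_DIFFERENT_DOMAINS compares the From: domain with the envelope-sender domain, which amavisd-new records in X-Envelope-From. The regular expressions are an approximation of the stock rules' intent, not the rule text; the addresses are placeholders (the post elides the local parts), and the Google hop used in the counterfactual is constructed.

```python
"""Added example (not from the original post): reduced re-implementation of the
logic behind SpamAssassin's FORGED_GMAIL_RCVD and HEADER_FROM_DIFFERENT_DOMAINS
tests, run over a constructed copy of the message headers quoted in the post.
The regexes approximate the stock rules' intent; they are not the rule text."""
import email
import re
from email import policy

# Constructed sample: the relevant headers from the post, with placeholder
# local parts (the post elides them).  X-Envelope-From is what amavisd-new
# records as the SMTP MAIL FROM; Return-Path is empty in the quarantined copy.
SAMPLE = """\
Return-Path: <>
X-Envelope-From: <bounce-placeholder@mail21.atl161.mctxapp.net>
Received: from mail21.atl161.mctxapp.net (mail21.atl161.mctxapp.net [198.2.140.21])
 by mailgw1.noa.gr (NOA MAIL ICXC-NIKA) with ESMTPS id 4LP6Cl5g3wzMHHc
 for <user@noa.gr>; Thu, 16 Jun 2022 18:53:39 +0300 (EEST)
Received: from 127.0.0.1 (localhost [127.0.0.1])
 by mail21.atl161.mctxapp.net (Mailchimp) with ESMTP id 4LP6Cj4p59zNCpSj3
 for <user@noa.gr>; Thu, 16 Jun 2022 15:53:37 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchimpapp.net; s=k3; bh=x; b=y
From: <sender@gmail.com>
Reply-To: <sender@gmail.com>
To: <user@noa.gr>
Subject: Mailchimp Template Test - "Untitled Template"

(body omitted)
"""

# Approximation of the "Received: from a Google/Gmail host" sub-test: the
# hop must start with "from <google-looking hostname>".
GMAIL_RELAY = re.compile(
    r"^from (?:mail-[\w-]+\.google\.com|\S+\.gmail\.com|\S+\.googlemail\.com)\s",
    re.I,
)


def parse(raw):
    return email.message_from_string(raw, policy=policy.default)


def addr_domain(header_value):
    """Lower-cased domain part of the first address in a header value."""
    m = re.search(r"@([A-Za-z0-9.-]+)", str(header_value or ""))
    return m.group(1).lower() if m else None


def received_lines(msg):
    """Received: headers with folding whitespace collapsed, top-most first."""
    return [" ".join(str(r).split()) for r in msg.get_all("Received", [])]


def forged_gmail_rcvd(msg):
    """From: is @gmail.com and no Received: hop comes from a Google host."""
    if addr_domain(msg["From"]) != "gmail.com":
        return False
    return not any(GMAIL_RELAY.match(r) for r in received_lines(msg))


def header_from_different_domains(msg):
    """From: domain differs from the envelope-sender (MAIL FROM) domain."""
    env = addr_domain(msg["X-Envelope-From"] or msg["Return-Path"])
    return env is not None and env != addr_domain(msg["From"])


def dkim_signing_domain(msg):
    """The d= tag of the DKIM-Signature: who actually vouches for the mail."""
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", str(msg["DKIM-Signature"] or ""))
    return m.group(1).lower() if m else None


def evaluate(raw):
    msg = parse(raw)
    return {
        "FORGED_GMAIL_RCVD": forged_gmail_rcvd(msg),
        "HEADER_FROM_DIFFERENT_DOMAINS": header_from_different_domains(msg),
        "dkim_d": dkim_signing_domain(msg),
    }


def with_google_hop(raw):
    """Counterfactual: the same mail with a (constructed, hypothetical) hop from
    a Google MTA in front of the Mailchimp hops, as a real Gmail-originated
    message relayed through Mailchimp would not have either."""
    hop = (
        "Received: from mail-wr1-f45.google.com (mail-wr1-f45.google.com [203.0.113.5])\n"
        " by mail21.atl161.mctxapp.net with ESMTPS id constructed\n"
        " for <user@noa.gr>; Thu, 16 Jun 2022 15:53:36 +0000 (GMT)\n"
    )
    return hop + raw


if __name__ == "__main__":
    for label, raw in (("as quoted", SAMPLE), ("with Google hop", with_google_hop(SAMPLE))):
        print(label, evaluate(raw))
```

Run as-is, the quoted headers yield FORGED_GMAIL_RCVD and HEADER_FROM_DIFFERENT_DOMAINS both true, with the DKIM signer being mailchimpapp.net rather than gmail.com; the counterfactual with a Google hop clears FORGED_GMAIL_RCVD. That last point is the practical one: a Mailchimp campaign is composed on Mailchimp's servers and never transits Google, so a gmail.com From: address can never satisfy the rule. In production the usual handle is the valid DKIM signature rather than the From: domain, for example SpamAssassin's `whitelist_from_dkim <author-address> mailchimpapp.net` (spelled `welcomelist_from_dkim` in SpamAssassin 4.x) for the specific sender, or a local `score` override for the rule if that is preferred.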