OHG uses a variety of tools to help detect, mark, and reject spam and malware. You can help us with that task by recategorizing any misidentified emails yourself. To do so, move any false positives (not spam)
You can look at the email headers to tell whether the OHG servers thought a message was spam: the servers add the X-Spam headers shown in this example. If you don’t see them, it may have been your local client that tagged the message as spam. Apple Mail tends to be heavy on flagging things that you don’t have a contact entry for, or things that you haven’t seen in a few weeks. You can also check the prefs to see if you have junk filtering enabled and are trusting the headers the server set (which you should do). This example is from a newsletter I get that uses some questionable third-party link hosters and includes prominent ads, so we will not blame the servers for thinking it’s spam. Normally, you won’t see X-Spam-Report if the server didn’t think the message was spam (a score of less than 5); the server adds it, with more detail, once the score exceeds 5 and it thinks the message is spam.
X-Spam-Level: **********
X-Spam-Flag: YES
X-Spam-Report:
    * -0.5 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)
    *      [54.240.77.24 listed in wl.mailspike.net]
    * -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no
    *      trust
    *      [54.240.77.24 listed in list.dnswl.org]
    * -0.0 SPF_PASS SPF: sender matches SPF record
    *  0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
    * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
    *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
    *      valid
    * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
    *      domain
    *  0.0 RCVD_IN_MSPIKE_WL Mailspike good senders
    * -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
    *      [score: 0.0000]
    *  1.1 DCC_CHECK Detected as bulk mail by DCC (dcc-servers.net)
    *  0.0 HTML_MESSAGE BODY: HTML included in message
    *  0.2 NOT_FROM_SENDER Not from putative sender
    *  2.0 URI_TRY_3LD "Try it" URI, suspicious hostname
    *  0.0 LOTS_OF_MONEY Huge... sums of money
    *  1.0 DCC_REPUT_95_98 DCC reputation between 95 and 98 % (mostly spam)
    * -0.0 DMARC_PASS DMARC pass policy
    *  0.2 TXREP TXREP: Score normalizing based on sender's reputation
    *  0.1 URIBL_SBL_A Contains URL's A record listed in the Spamhaus SBL
    *      blocklist
    *      [URI: sara.archive.md/94.140.114.194]
    *  8.0 SH_BODYURI_REVERSE_SBL The corresponding A record of an URI
    *      contained in the body is listed in SBL
    *      [URI: sara.archive.md/94.140.114.194]
X-Spam-Status: Yes, hits=10.2 required=5.0 tests=BAYES_00,DCC_CHECK,
    DCC_REPUT_95_98,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DMARC_PASS,
    HTML_MESSAGE,LOTS_OF_MONEY,NOT_FROM_SENDER,RCVD_IN_DNSWL_NONE,
    RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SH_BODYURI_REVERSE_SBL,
    SPF_HELO_NONE,SPF_PASS,TXREP,URIBL_SBL_A,URI_TRY_3LD autolearn=no
    autolearn_force=no version=4.0.1
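
Reading these headers can be automated. The following Python is an added example, not OHG's own tooling: it parses X-Spam-Status and X-Spam-Report, ranks the rules that added points, and checks whether the message would still be flagged without a given rule. The sample message is constructed from five of the rules shown above, and the function names are illustrative.

```python
import re

# Constructed sample: five of the rules from the headers above, refolded.
SAMPLE = """\
X-Spam-Flag: YES
X-Spam-Report:
\t* -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
\t*      [score: 0.0000]
\t*  1.1 DCC_CHECK Detected as bulk mail by DCC (dcc-servers.net)
\t*  2.0 URI_TRY_3LD "Try it" URI, suspicious hostname
\t*  1.0 DCC_REPUT_95_98 DCC reputation between 95 and 98 % (mostly spam)
\t*  8.0 SH_BODYURI_REVERSE_SBL The corresponding A record of an URI
\t*      contained in the body is listed in SBL
X-Spam-Status: Yes, hits=10.2 required=5.0 tests=BAYES_00,DCC_CHECK,
\tDCC_REPUT_95_98,SH_BODYURI_REVERSE_SBL,URI_TRY_3LD autolearn=no

(body omitted)
"""

# "* <points> <RULE_NAME> ..." starts a rule; other "*" lines are continuations.
RULE = re.compile(r"^\s*\*\s+(-?\d+\.\d+)\s+([A-Z0-9_]+)\b", re.M)
# The page's header says hits=; score= is accepted as an alternative spelling.
STATUS = re.compile(
    r"^X-Spam-Status:\s*(Yes|No),\s*(?:hits|score)=(-?[\d.]+)\s+required=(-?[\d.]+)",
    re.M | re.I)

def parse_spam_headers(raw):
    """Return verdict, score, threshold and per-rule points, or None if untagged."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]  # headers only
    m = STATUS.search(head)
    if m is None:
        return None  # no server verdict: a local client may have filed it
    rules = {name: float(pts) for pts, name in RULE.findall(head)}
    return {"flagged": m.group(1).lower() == "yes", "score": float(m.group(2)),
            "required": float(m.group(3)), "rules": rules}

def top_contributors(info, n=3):
    """Rules that added the most points, largest first."""
    hits = [(name, pts) for name, pts in info["rules"].items() if pts > 0]
    return sorted(hits, key=lambda r: r[1], reverse=True)[:n]

def flagged_without(info, *names):
    """Would the score still reach the threshold had these rules not fired?"""
    rest = info["score"] - sum(info["rules"].get(n, 0.0) for n in names)
    return round(rest, 1) >= info["required"]

if __name__ == "__main__":
    info = parse_spam_headers(SAMPLE)
    print(top_contributors(info))
    print(flagged_without(info, "SH_BODYURI_REVERSE_SBL"))
```

On the sample, dropping the 8.0-point SH_BODYURI_REVERSE_SBL hit alone brings the score under the 5.0 threshold, while dropping both DCC rules does not.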
This email got tagged for being bulk mail sent to a lot of people (DCC_CHECK & DCC_REPUT), which makes sense for a mailing list. OHG uses whitelists to avoid this on popular mailing lists, and will learn this if you move a spam out of the Junk mail folder. This email got most of its points for questionable URIs, including some listed in RBLs, so yeah, it’s spammy, but I want to read it… So move it out of the Junk folder, and the servers will learn from it. If this doesn’t get them to recognize that this is not spam, you can whitelist the sending address.

The full anti-virus/spam/malware pipeline is:

- DNS/rDNS check and postscreen tests, with possible greylisting, to weed out bots and hosts so badly set up that they are likely to be abused
- SPF checks, and if the sender domain has strong settings, we will reject here if the SPF doesn’t match
- DKIM/DMARC gets checked here too, but this just sets signals; they aren’t rejecting technologies
- AntiVirus (ClamAV with extra rules) will weed out viruses, some malware, and some phishing
- SpamAssassin runs on it. DCC gets pulled in here, and DKIM/DMARC gets figured in, along with the general SpamAssassin rules, personalized Bayes learning data (kept per receiving domain, so ohgnetworks.com has different data than onholyground.com), and TXREP for the sending hosts, again with some receiving-domain specifics and then a small contribution from all the email we get.
- Super spammy email gets bounced here, but otherwise this just tags.
- Then the email goes to the IMAP server, where Sieve sorts spam into the Junk folder if you’ve got it enabled, which is the default. Sieve also checks a whitelist before it does that, so the whitelist overrides everything else.
You can adjust your whitelist (and a blacklist), and even make it need more points to get tagged as spam, via the Filters setting on the webmail.ohgnetworks.com client.
Sadly, lots of people don’t get things right when sending email, especially at any volume, and there are troubles both ways in the spam detection world. In particular, lots of senders are screwing up DKIM settings when they use 3rd party mailers, and that’s a positive spam signal. Unfortunately, many 3rd party hosters tend to allow a lot of spammy senders, so they can get flagged as spam sources as well. Then there’s folk like Twitter/X, who changed all their server settings to use x.com but haven’t fixed up the underlying DNS to match, so lots of places don’t like their email right now. Branded newsletters and emails from shopping sites are a pain too: some people say they aren’t spam, but lots of people just treat them as spam and throw them in the junk folder when they should be unsubscribing. Of course, the current world has trained us not to trust unsubscribe links, so it’s a less useful signal than it might be. But if you recognize the brand name, it’s usually safe to actually unsubscribe from the crap everyone signs you up for if you order anything from their website…