On 08/07/2017 05:56 PM, Jacek Osuchowski wrote:
We use emails to allow users to reset their passwords to our website. We
send very brief emails containing the reset password. Example between >>>>:
Your password to access your account is:
S]U3bC7k
Upon successful login you may change your password by going to Modify
Account / Change Your Password.
The emails are marked as spam. Sample report from IsnotSpam.com:
SpamAssassin check details:
---- ---------------------- -------------------------------
* 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
* [score: 0.9995]
* -0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)
* [50.31.63.50 listed in wl.mailspike.net]
* -0.0 SPF_PASS SPF: sender matches SPF record
* 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
* [score: 0.9995]
* 2.1 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words
* 0.1 HTML_MESSAGE BODY: HTML included in message
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
* domain
* 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
* valid
* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
* -0.0 RCVD_IN_MSPIKE_WL Mailspike good senders
X-Spam-Status: Yes, hits=5.7 required=-20.0 tests=BAYES_99,BAYES_999,
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_IMAGE_ONLY_12,HTML_MESSAGE,
RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_PASS autolearn=no autolearn_force=no
version=3.4.0
X-Spam-Score: 5.7
I understand you trying to provide great software to fight email spam
but you are making my live miserable. I am having more problems with our
emails marked as spam then from the spam itself. Any help on how avoid
being marked as spam would help. Is there a way to be whitelisted by
SpamAssasin globally. Most emails are blocked by internet providers like
Cablevision or comcast and getting them to help is IMPOSSIBLE. They just
install the software and let it run as it is.
Thank You
Perhaps you should take a little time to figure out what should be
changed in that message body to make those emails not score so high.
First, it's a bad idea for a number of reasons to send passwords via
email. Most modern "lost password" mail loops use a unique URL that
expires after a short period of time.
Secondly, that text in the body is very commonly used by bad actors
trying to phish passwords. Why not change the text a bit and run it
through the isnotspam.com site until it doesn't hit such a high Bayesian
rule. This won't guarantee the Bayesian score of other SpamAssassin
platforms but should give a good hint as to what wording is not good to use.
Third, if you could send us complete headers, then we may be able to
provide more help. The SPF and DKIM look good and you seem to be doing
all of the reputation stuff properly. It comes down to content checks
(BAYES) then.
--
David Jones
