Sonic's Webmail Just Dumped a Friend's Email into the Graymail Folder! :(

Posted: Wed Feb 12, 2020 8:19 pm
by ezekielk
This is a friend with whom I communicate almost daily, and all her mail has always shown up in Inbox, until today. Why would Sonic's Roundcube Webmail suddenly decide her email is possible spam? I have no whitelist set up, and I don't care to do that, as I have no need to.

Re: Sonic's Webmail Just Dumped a Friend's Email into the Graymail Folder! :(

Posted: Wed Feb 12, 2020 9:39 pm
by virtualmike
The top of the email in your Graymail box should have a content analysis that would explain why it was diverted. Here's an example of something I received:

Content analysis details:   (7.3 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.7 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: bit.do]
 1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in
                            bl.spamcop.net
            [Blocked - see <https://www.spamcop.net/bl.shtml?113.173.102.170>]
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.5 SNF4SA                 Message Sniffer
 1.1 DCC_CHECK              Detected as bulk mail by DCC (dcc-servers.net)
 0.0 FSL_BULK_SIG           Bulk signature with no Unsubscribe
 0.3 KHOP_HELO_FCRDNS       Relay HELO differs from its IP's reverse DNS
 1.5 TONOM_EQ_TOLOC_SHRT_SHRTNER Short email with shortener and
                            To:name eq To:local
This particular spam wasn't from someone I know, and other than the phishy URL within, there was little other content.

Re: Sonic's Webmail Just Dumped a Friend's Email into the Graymail Folder! :(

Posted: Wed Feb 12, 2020 10:52 pm
by ezekielk
Yes, I already looked that over before posting my question here. It doesn't make any sense to me...especially since nothing has changed at all, with her posts to me...they all come from the same mail server as always, which is provided by the Mendocino County Network:

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.7 RCVD_IN_DNSWL_LOW      RBL: Sender listed at https://www.dnswl.org/,
                            low trust
                            [216.150.240.87 listed in list.dnswl.org]
-1.0 SONIC_FRIEND           Someone you've likely exchanged email with before
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 7.9 SNF4SA                 Message Sniffer

And the IP address lookup doesn't reveal anything suspicious:

https://whatismyipaddress.com/ip/216.150.240.87

Re: Sonic's Webmail Just Dumped a Friend's Email into the Graymail Folder! :(

Posted: Thu Feb 13, 2020 5:51 pm
by ezekielk
So, since that "graymail" incident, she's sent me four more emails, all of which have landed in their proper folder. I'm guessing this is the occasional glitch...and am curious exactly how such a glitch occurs. Does anyone know? TIA

Re: Sonic's Webmail Just Dumped a Friend's Email into the Graymail Folder! :(

Posted: Thu Feb 13, 2020 8:36 pm
by virtualmike
This score suggests that there was something in the content in her email that caught the filters' attention:

7.9 SNF4SA Message Sniffer

Re: Sonic's Webmail Just Dumped a Friend's Email into the Graymail Folder! :(

Posted: Thu Feb 13, 2020 8:48 pm
by ezekielk
Could you give an example of what that content might be? Thanks! Furthermore: does it actually read the body of the email? I'd consider that a privacy invasion, and is exactly why I dropped gmail. And wouldn't the score be indicated by the word "score" at the beginning of a line, such as:

score SNF_SCAM 5

I'm presently looking over their product features at:

https://www.armresearch.com/Products/features.jsp

Unfortunately, a simple search for "score 7.9" doesn't get me anything.

Re: Sonic's Webmail Just Dumped a Friend's Email into the Graymail Folder! :(

Posted: Thu Feb 13, 2020 8:58 pm
by virtualmike
Without seeing the content, I'd be unable to guess. You can Google "SNF4SA Message Sniffer" to learn how that filter works.

Yes, the software does scan the messages looking for clues that they may be spam--that's all. Gmail's scanning not only looks for spam, but also for keywords to target advertising.

You can turn off spam detection, if you'd like, through Member Tools.

Re: Sonic's Webmail Just Dumped a Friend's Email into the Graymail Folder! :(

Posted: Thu Feb 13, 2020 9:01 pm
by ezekielk
Oh, I can turn it off...great. That incident was definitely a false positive. And I see I can adjust the heuristics to a higher number. Thanks!

Re: Sonic's Webmail Just Dumped a Friend's Email into the Graymail Folder! :(

Posted: Thu Feb 13, 2020 11:20 pm
by ezekielk
virtualmike wrote: Without seeing the content, I'd be unable to guess. You can Google "SNF4SA Message Sniffer" to learn how that filter works.
I was already checking out their message sniffer service, before posting my query...but it really doesn't give me a clue in my situation. Anyway, here's the email in question (with my friend's name and email crossed out):

Sonic's AntiSpam detection systems have identified this email as
possible spam.  The original message has been attached to this report
so you can view it (if it isn't spam.)  If this is a false positive,
you may want to whitelist the sender or messages subject using our
member tools.

For more information see
https://help.sonic.com/hc/en-us/articles/236079227-Spam-FAQ

To access messages in your Graymail see
https://members.sonic.net/email/graymail/

To manage your E-Mail filter and delivery options see
http://members.sonic.net/email/

If you have any questions, see support@sonic.net for details.

Content preview:  On 2/12/2020 1:52 PM, Zeke Krahlin wrote: > > >> Perhaps I
   shall turn it over to the tender mercies of the children, >> that they may
   use it in their next rollicking Ullamaliztli match! > > Pok-a-tok [...]

Content analysis details:   (6.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.7 RCVD_IN_DNSWL_LOW      RBL: Sender listed at https://www.dnswl.org/,
                            low trust
                            [216.150.240.87 listed in list.dnswl.org]
-1.0 SONIC_FRIEND           Someone you've likely exchanged email with before
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 7.9 SNF4SA                 Message Sniffer


Subject 	Re: P.S.
From 	xxxxx <xxxx.org>
To 	Zeke Krahlin <ezekielk@sonic.net>
Date 	Wed 22:50

On 2/12/2020 1:52 PM, Zeke Krahlin wrote:

>> Perhaps I shall turn it over to the tender mercies of the children,
>> that they may use it in their next rollicking Ullamaliztli match!

> Pok-a-tok it is! Let the children all across the land join in! We Aztecs are widely known for our jollity 
> of sport and generous sacrifice!

We have a lot of heart!
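
The arithmetic behind the report in the post above, as an added example that is not part of the original thread: this Python sketch parses a "Content analysis details" block, checks that the per-rule points add up to the header total, and lists any rule that by itself carried the message over the threshold. The function names `parse_report` and `decisive_rules` are chosen for this example; the report text is copied from the post.

```python
import re

# Report text copied from the post above (the sender is already redacted there).
REPORT = """\
Content analysis details:   (6.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.7 RCVD_IN_DNSWL_LOW      RBL: Sender listed at https://www.dnswl.org/,
                            low trust
                            [216.150.240.87 listed in list.dnswl.org]
-1.0 SONIC_FRIEND           Someone you've likely exchanged email with before
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 7.9 SNF4SA                 Message Sniffer
"""

HEADER = re.compile(r"\(\s*(-?\d+(?:\.\d+)?) points, (-?\d+(?:\.\d+)?) required\)")
RULE = re.compile(r"^\s*(-?\d+(?:\.\d+)?)\s+([A-Z0-9_]+)\s+(.*)$")

def parse_report(text):
    """Return (total, required, [[points, rule_name, description], ...])."""
    m = HEADER.search(text)
    if not m:
        raise ValueError("no '(N points, M required)' header found")
    total, required = float(m.group(1)), float(m.group(2))
    rules = []
    for line in text.splitlines():
        r = RULE.match(line)
        if r:
            rules.append([float(r.group(1)), r.group(2), r.group(3).strip()])
        elif rules and line.startswith(" ") and line.strip():
            # Indented line with no score: wrapped description of the previous rule.
            rules[-1][2] += " " + line.strip()
    return total, required, rules

def decisive_rules(text):
    """Rules whose removal alone would put the message back under the threshold."""
    total, required, rules = parse_report(text)
    scored = round(sum(pts for pts, _, _ in rules), 1)
    if scored != total:
        raise ValueError(f"rule points sum to {scored}, header says {total}")
    return [name for pts, name, _ in rules
            if pts > 0 and total - pts < required <= total]

if __name__ == "__main__":
    print(decisive_rules(REPORT))
```

For this report the two negative rules (-0.7 and -1.0) offset only part of the 7.9 from SNF4SA, which is how the message ends at 6.2 against a 5.0 threshold.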

Re: Sonic's Webmail Just Dumped a Friend's Email into the Graymail Folder! :(

Posted: Fri Feb 14, 2020 9:27 pm
by virtualmike
This is just a guess, but the message is rather short and the content doesn't make sense to anyone who doesn't know the context.

That's a common spammer trick--sending a message without a lot of content, and what little content there is doesn't make a lot of sense by itself.

Again, just a guess...