CoudMark Spam filtering
FIXED
@Townman wrote:
Is there anyone other than bobpullen who is able to bottom out issues such as this please?
Yeah, me 
@jab1 wrote:
In the past two days, I have received two emails from my bank (NatWest), and they have both been tagged as 'SPAM' by CloudMark! Why oh why? I would have thought communications from such organisations would be some of the least likely to fall foul of spam filters?
I'll use the headers your provided to @adamwalker (after taking out any customer information) and demonstrate how this has happened, for those of you that don't know email is judged as spam based on lists and that information mainly comes from feedback, and flagging by the recipient, ISP's and deliberate spam/honey traps
The best way to deal with spam, and to help lessen the impact for everyone is to:
- Train the email program or Plusnet's spam filter: mark spam as spam, and make sure to mark those false positives you find in the spam folder as not-spam.
- Never reply to spam.
- Never try to unsubscribe from spam. (If you asked for the email by subscribing, then it’s not spam, and “unsubscribe” is the right way to stop it.)
X-CNFS-Analysis: v=2.3 cv=PIshB8iC c=1 sm=1 tr=0 b=1 p=T_WFs28f9H53z5wjhEQA:9
p=bOUYKNPN92PkZRiT:21 p=qTgyOnX98K_CeIPO:21 p=LUjB688p8_S-EOI0BqEA:9
p=2YpTX6ZUiZnAEpBp:21 p=BUvy6ZjfJLjLh6OW:21 a=qQv52R9awX/EQ7MaPVEOgw==:117
a=qQv52R9awX/EQ7MaPVEOgw==:17 a=NTGMnVQrEZIA:10 a=-uNXE31MpBQA:10
a=_Yaxip1i1oYA:10 a=9DvhAHx2yrWFMPxQWpQA:9 a=5obicqMlAAAA:8 a=j6yTz95HAAAA:8
a=3j4BkbkPAAAA:8 a=BkpHzsgbAAAA:8 a=vnREMb7VAAAA:8 a=JmhL_RV-AAAA:8
a=QEXdDO2ut3YA:10 a=EGHu0Q4xVOoA:10 a=SSmOFEACAAAA:8 a=lJjz8N4HAAAA:8
a=Y0AUEEh5SmV8dea-:21 a=_W_S_7VecoQA:10 a=frz4AuCg-hUA:10 a=Jt41xuF9nUEA:10
a=uUIsLfDk0JFcyPkdChej:22 a=iEMO7MLoSfOkq17C7Rlc:22
For those of you that don't know p= means that it's been identified as possible spam, this has 6 items that were marked as potential spam
That fingerprint is for a hash on the body content of messages that were
reported spammy by end users and that hit honey pots.
There were a very high number of reports. Looking at the feedback we can see:
- 74% of reports seen were to block
- 3% of blocks were from spam traps
- 1 ISP provided spam trap feedback
- Last spam trap hit : 2019-03-26 12:52:16
- First report : 2019-03-26 09:16:02
- Last report : 2019-04-04 10:53:39
We have reset it, but the sender should audit their mailing lists.
X-CNFS-Analysis: v=2.3 cv=Bbj2LIl2 c=1 sm=1 tr=0 b=1 p=u7-pr7BhLHUTfpVp:21
p=33Jx_QgsDH5tgonM:21 a=WzRZNAGC8xgF5At0pXxDXw==:117
a=WzRZNAGC8xgF5At0pXxDXw==:17 a=fmD_JHji_u0A:10 a=NTGMnVQrEZIA:10
a=-uNXE31MpBQA:10 a=i1H_nXBDAAAA:8 a=d9xucNbqG_xMpcgGhwcA:9 a=QEXdDO2ut3YA:10
a=9cMd3DhFMf4A:10 a=0V9lEPa6VcoA:10 a=lj-I7c-bT_oA:10 a=SSmOFEACAAAA:8
a=GAn-aSadAAAA:8 a=EBOSESyhAAAA:8 a=RGMxUAWXr3DJIVSz1WgA:9
a=JnL6mNYF00lwHwKv:21 a=75ILS5z9Ux7RFnW5:21 a=MjcfXWA8CdNu9-qB:21
a=_W_S_7VecoQA:10 a=frz4AuCg-hUA:10 a=tJptbokdDEAA:10 a=AGocr8Xm4UgA:10
a=HfAZLE10IEwA:10 a=E3RuXidrYcQA:10 a=QUI510VwN10A:10 a=UY--BljFdLEA:10
a=lW7-CRe5E_4A:10 a=DHjVRSWASVGjGSoP63Bs:22 a=UM1xAY0NvW3136_APDCo:22
a=yJM6EZoI5SlJf8ks9Ge_:22 a=CffZ9N37v4XOEeO00nN8:22 a=HH7FIXwXL_sUf1zzYxQd:22
This email would actually now be accepted and not marked as spam
X-CNFS-Analysis: v=2.3 cv=KsJjJ1eN c=1 sm=1 tr=0 b=1 p=1Ce2fp3nQoK81J5vHu8A:9
p=jklecccgu1Sg7pzQ:21 p=iOVxWBkoSNaTdfHpvWAA:9 a=edpXgVsGvg8eSV+7Ph4/dw==:117
a=edpXgVsGvg8eSV+7Ph4/dw==:17 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10
a=1gGof8kZl80A:10 a=-uNXE31MpBQA:10 a=ZZnuYtJkoWoA:10 a=dJYnVhUtAAAA:8
a=vnREMb7VAAAA:8 a=jU4qhlNgAAAA:8 a=JqEG_dyiAAAA:8 a=BkpHzsgbAAAA:8
a=3j4BkbkPAAAA:8 a=Uj0gMU6hAAAA:8 a=1p2ajSFzDVw-lKsA:21 a=QEXdDO2ut3YA:10
a=IGPXEDbx7NkA:10 a=Rd0pikts-kcA:10 a=u3ke0JHczUQA:10 a=87COOerbOC4A:10
a=CwVEW5s1O_gA:10 a=-FEs8UIgK8oA:10 a=NWVoK91CQyQA:10 a=SSmOFEACAAAA:8
a=EfB4OZ_GCCJOxd0s:21 a=j_TgnoTjHbXHI9IA:21 a=S8HrKberzaeIV2oh:21
a=frz4AuCg-hUA:10 a=VavykzcozogA:10 a=MY9urf3tlLUA:10
a=rA7B2sRHbwqyddgz4uKf:22 a=oa3KAI9qiCm0rG2ttf_3:22
That fingerprint is for a hash on the body content of messages that were
reported spammy by end users and that hit honey pots.
There were a very high number of reports. Looking at the feedback we see:
- 53% of reports seen were to block
- 98% of blocks were from spam traps
- 1 ISP provided spam trap feedback
- Last spam trap hit : 2019-03-30 05:35:59
- First report : 2019-03-30 05:00:39
- Last report : 2019-04-06 14:28:36
We have reset it, but the sender should audit their mailing lists.
X-CNFS-Analysis: v=2.3 cv=Kdf8TzQD c=1 sm=1 tr=0 b=1 p=Az24vb9sqeT3MpEW94UA:9
p=6vsA-TfetAFkULCA:21 a=oyCnYmNh4phR0UiAjVnr6g==:117
a=oyCnYmNh4phR0UiAjVnr6g==:17 a=O76VCmqbo-wA:10 a=-uNXE31MpBQA:10
a=t-IPkPogAAAA:8 a=87dBFXvJAAAA:8 a=UQK2ULapsBNJ12f_UHEA:9
a=BQ5wd0_FCEpQfe2w:21 a=247pUUCGJnlzcNKk:21 a=QEXdDO2ut3YA:10
a=1ZVuKXJdaskA:10 a=P9Q5jUCw47LfPbl3:21 a=OYVstaJzS2XEskbw:21
a=_W_S_7VecoQA:10 a=frz4AuCg-hUA:10 a=VtGG6ZY1Rh_wYu2ZBCc4:22
a=y85AKpeX8sTgZG6YX2Fa:22 a=HH7FIXwXL_sUf1zzYxQd:22
This email is no longer showing as spam and would now be delivered
X-CNFS-Analysis: v=2.3 cv=PJUhB8iC c=1 sm=1 tr=0 p=7DSNqKSd6uJv_6Sa_B4A:9
p=zQ-LUYnAljvb6cH4XmkA:9 a=igZWDZuHjalP0YnaKmKojg==:117
a=NpZmUt3yXZuefsFAeZomaQ==:17 a=3STV6dmVkJ8A:10 a=KqOhe5OoNmIA:10
a=AhIA3d7-VLYA:10 a=oexKYjalfGEA:10 a=Ys_t-XITiW8A:10 a=-uNXE31MpBQA:10
a=w_ZoycZYAAAA:8 a=Gs7xfV3pMtHAaeA2:21 a=QYN-KKN5j9JtfLjA:21
a=QEXdDO2ut3YA:10 a=bJ2mBjjqAAAA:8 a=jtCsJvAxAAAA:8 a=aaaQ3xuJAAAA:8
a=Gde6D9KsAAAA:8 a=3j4BkbkPAAAA:8 a=JqEG_dyiAAAA:8 a=jU4qhlNgAAAA:8
a=BkpHzsgbAAAA:8 a=G_n6C9hkAAAA:8 a=GAn-aSadAAAA:8 a=nRiPs8dAe3f4diQG:21
a=sBA2fPeYc4SIEi2O:21 a=7RGB6gM_1S6GkELq:21 a=_W_S_7VecoQA:10
a=frz4AuCg-hUA:10 a=CCQOzhSjSZkA:10 a=w5Ah47RKwDcA:10
a=GSNFLtNrRyibBLXr7gtf:22 a=AtCsewl-GoA0oSRnKg9a:22 a=wSaHafRhPoq7VdsM46bt:22
a=DBT0p2UL6-xBlF0eDzZ7:22 a=qMq8LWcisMnaB8kZCWRd:22 a=Jxq69POYtJEursUEhiFn:22
a=UM1xAY0NvW3136_APDCo:22
This email is also no longer marked as spam
X-CNFS-Analysis: v=2.3 cv=Bbj2LIl2 c=1 sm=1 tr=0 p=WUqXHEmm6uYA:10
a=M94SacYp/krJg9OFpXo5tg==:117 a=ohfCQ2es0EJiIs7iudcNwg==:17
a=aNY/+OFkJ92hTRIqsZ/oJLGNU8Q=:19 a=KGjhK52YXX0A:10 a=28bQ1088vbIA:10
a=fmD_JHji_u0A:10 a=oexKYjalfGEA:10 a=-uNXE31MpBQA:10 a=YZoX8ndQ_wIA:10
a=sWKEhP36mHoA:10 a=Pn8iAFh2AAAA:8 a=BrDiTsk0AAAA:8 a=kR_H4XELF5L-DdtwywUA:9
a=6RyHdP9wf0s6W1bbVaoE2bQoMl4=:19 a=yi3GrsYqWOCD3sK7:21 a=9TMgblMvV9gJAsZI:21
a=QEXdDO2ut3YA:10 a=9S7BycrT590A:10 a=SSmOFEACAAAA:8 a=Kmx9NZxSAAAA:8
a=NM0YaXG2AAAA:8 a=qI-sqkvjAAAA:8 a=sJZ4q1TOAAAA:8 a=5p0nf1sHAAAA:8
a=Ns6vSmXSAAAA:8 a=p0i1YNCdAJxeTxqJnp8A:9 a=Tr6uTWX6eBC4fDAj:21
a=DQxtPfI47WtXtbc-:21 a=Ny9yRQnvb3ONb1P7:21 a=_W_S_7VecoQA:10
a=frz4AuCg-hUA:10 a=JNG9enEgSWd0TfEPMk3J:22 a=fK1jZSgjKPFatbRoI9mg:22
a=mKv6If4y4hzCizQr-YMX:22 a=gXJ_ZZDsdc-JdT1_zuUh:22 a=6XukCmkQ18yZopO0AixO:22
a=pWD9WnwaV-55-tVbWQgH:22 a=-jBZtZ9Fr4N1GTPGBZSS:22 a=HH7FIXwXL_sUf1zzYxQd:22
The spam fingerprint here is for the content which was reported as spammy by a a number of recipients
There were a moderate number of reports. Looking at the feedback we see:
- 86% of reports seen were to block
- 0% of blocks were from spam traps
- First report : 2019-01-10 14:11:45
- Last report : 2019-04-07 05:29:54
We've reset it but again the sender needs to audit their mailing lists.
WOW - Thank you - you've always feigned that email techy stuff … goes over your head!! 
This is very helpful. What I read into this is that the false positives (associated with p=) arise from many users inappropriately marking legitimate emails which they have subscribed to as being spam, rather than unsubscribing if they no longer want to receive them.
Where a user has "discard 'obvious' spam" enabled in their spam settings, would this lead to p= classified as spam messages being "thrown away"?
Is there a learning / generic information sharing sticky topic to be derived here, covering what to look form in "marked as spam" email headers and how to have such designations reviewed and rectified
Marking as "Not spam" (even via webmail) is not always easy / practical - for example I have SPAM diverted to a blackhole mailbox (not to be confused with blackhole@plus.net) so that I can review what is being deems as spam … not that everything gets routed there.
Is there advice to be given in respect to the a= entries as well please?
@Townman wrote:
WOW - Thank you - you've always feigned that email techy stuff … goes over your head!!
It's why it took so long for a reply, I needed to go and learn it!
This is very helpful. What I read into this is that the false positives (associated with p=) arise from many users inappropriately marking legitimate emails which they have subscribed to as being spam, rather than unsubscribing if they no longer want to receive them.
That, and a number of Spamtraps/Honeypots maintained by users and ISP's simply to catch spam if the mail goes to one of these email addresses, it's likely spam and will be flagged as such.
Where a user has "discard 'obvious' spam" enabled in their spam settings, would this lead to p= classified as spam messages being "thrown away"?
I'm not sure how many positives it takes to make it obvious, I only learned all this stuff a couple of hours ago
Is there a learning / generic information sharing sticky topic to be derived here, covering what to look form in "marked as spam" email headers and how to have such designations reviewed and rectified
Rather than a sticky, how about if we made a help and support article that people could link to if it was required, I'm just thinking about the number of stickies that we could end up with for email as it's such a complex subject.
Marking as "Not spam" (even via webmail) is not always easy / practical - for example I have SPAM diverted to a blackhole mailbox (not to be confused with blackhole@plus.net) so that I can review what is being deems as spam … not that everything gets routed there.
I understand that, but when it can be done it's really helpful, essentially it's a giant trust list and the more reports the more likely it is to be accurate.
Is there advice to be given in respect to the a= entries as well please?
I'm sure I can find out if it's useful and includes it in the help and support article?
@Townman wrote:
WOW - Thank you - you've always feigned that email techy stuff … goes over your head!!
This is very helpful. What I read into this is that the false positives (associated with p=) arise from many users inappropriately marking legitimate emails which they have subscribed to as being spam, rather than unsubscribing if they no longer want to receive them.
Where a user has "discard 'obvious' spam" enabled in their spam settings, would this lead to p= classified as spam messages being "thrown away"?
That is what happened to a number of my regular mails until I disabled it - had to resubscribe to a few.
Is there a learning / generic information sharing sticky topic to be derived here, covering what to look form in "marked as spam" email headers and how to have such designations reviewed and rectified
Marking as "Not spam" (even via webmail) is not always easy / practical - for example I have SPAM diverted to a blackhole mailbox (not to be confused with blackhole@plus.net) so that I can review what is being deems as spam … not that everything gets routed there.
As I said, Kevin, I rely on Mailwasher to filter my spam - it is more accurate and reliable than the PN filter, and enables me to validate 'new' addresses when a valid sender changes them, for whatever reason - my bank being a prime example.
Is there advice to be given in respect to the a= entries as well please?
@Townman Yep, I noticed that, thanks.
I only raised the query as I had quite a batch over a short period - and as an aside, yes, if you have 'discard obvious spam' set to true, you will potentially loose important emails - I know I did prior to altering the settings.