I use a sieve filter to move spam email to user's Junk folder:

cat spam_to_junk.sieve

require "fileinto"; if exists "X-Spam-Status" { if header :contains "X-Spam-Status" "YES" { fileinto "Junk"; stop; } else { } } if header :contains "subject" ["SPAM?"] { fileinto "Junk"; stop; }

Most time this filter works fine but occasionally it move non-spam in to Junk folder. Here is an example, this email is from dovecot mailling list and it end up in my Junk folder. Mailllog and header here. Would someone help me to figure out what went wrong here?

Thanks.

Gao

=======Header========= Dovecot Mailing List <dovecot@dovecot.org> References: <c2562504-d5ae-cf3b-3e71-35ef0df15b79@rename-it.nl> <e804da79-6bdc-fb21-8ed4-7c1385ea8936@gmx.com> From: sender name <sender@rename-it.nl> Message-ID: <9100b497-7f3e-8129-9f8f-c675296e2bd7@rename-it.nl> Date: Thu, 14 Dec 2017 11:54:19 +0100 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.5.0 MIME-Version: 1.0 In-Reply-To: <e804da79-6bdc-fb21-8ed4-7c1385ea8936@gmx.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Content-Language: en-US X-SA-Exim-Connect-IP: 217.119.239.130 X-SA-Exim-Mail-From: sender@rename-it.nl X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on sogo.guto.nl X-Spam-Level: X-Spam-Status: No, score=-2.9 required=5.0 tests=ALL_TRUSTED,BAYES_00 autolearn=ham version=3.3.2, No Subject: Re: New Dovecot service: SMTP Submission (RFC6409) X-SA-Exim-Version: 4.2.1 (built Mon, 26 Dec 2011 16:24:06 +0000) X-SA-Exim-Scanned: Yes (on sogo.guto.nl) X-BeenThere: dovecot@dovecot.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Dovecot Mailing List <dovecot.dovecot.org> List-Unsubscribe: <https://dovecot.org/mailman/options/dovecot>, <mailto:dovecot-request@dovecot.org?subject=unsubscribe> List-Archive: <https://dovecot.org/pipermail/dovecot/> List-Post: <mailto:dovecot@dovecot.org> List-Help: <mailto:dovecot-request@dovecot.org?subject=help> List-Subscribe: <https://dovecot.org/mailman/listinfo/dovecot>, <mailto:dovecot-request@dovecot.org?subject=subscribe> Errors-To: dovecot-bounces@dovecot.org Sender: "dovecot" <dovecot-bounces@dovecot.org> X-mydomain-MailScanner-Information: Please contact the administrator for more information X-mydomain-MailScanner-ID: D6773400AB09.ADBA7 X-mydomain-MailScanner: Found to be clean X-mydomain-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=-4.598, required 5, autolearn=not spam, BAYES_00 -1.90, DCC_CHECK 1.10, HEADER_FROM_DIFFERENT_DOMAINS 0.00, KAM_LAZY_DOMAIN_SECURITY 1.00, KAM_SHORT 0.00, RCVD_IN_DNSWL_MED -2.30, RCVD_IN_HOSTKARMA_W -2.50) X-mydomain-MailScanner-From: dovecot-bounces@dovecot.org

=====End of header=======

=======Maillog========= Dec 14 02:54:51 mail postfix/postscreen[19236]: CONNECT from [94.237.32.243]:40818 to [10.11.22.68]:25 Dec 14 02:54:52 mail postfix/postscreen[19236]: PASS OLD [94.237.32.243]:40818 Dec 14 02:54:52 mail postfix/smtpd[19244]: connect from wursti.dovecot.fi[94.237.32.243] Dec 14 02:54:52 mail policyd-spf[19248]: None; identity=helo; client-ip=94.237.32.243; helo=mail.dovecot.fi; envelope-from=dovecot-bounces@dovecot.org; receiver=gao@pztop.com Dec 14 02:54:52 mail policyd-spf[19248]: None; identity=mailfrom; client-ip=94.237.32.243; helo=mail.dovecot.fi; envelope-from=dovecot-bounces@dovecot.org; receiver=gao@pztop.com Dec 14 02:54:52 mail postfix/smtpd[19244]: D6773400AB09: client=wursti.dovecot.fi[94.237.32.243] Dec 14 02:54:53 mail postfix/cleanup[19249]: D6773400AB09: hold: header Received: from mail.dovecot.fi (wursti.dovecot.fi [94.237.32.243])??by mail.mydomain.com (Postfix) with ESMTP id D6773400AB09??for <gao@pztop.com>; Thu, 14 Dec 2017 02:54:52 -0800 (PST) from wursti.dovecot.fi[94.237.32.243]; from=<dovecot-bounces@dovecot.org> to=<gao@pztop.com> proto=ESMTP helo=<mail.dovecot.fi> Dec 14 02:54:53 mail postfix/cleanup[19249]: D6773400AB09: message-id=<9100b497-7f3e-8129-9f8f-c675296e2bd7@rename-it.nl> Dec 14 02:54:53 mail opendkim[1706]: D6773400AB09: wursti.dovecot.fi [94.237.32.243] not internal Dec 14 02:54:53 mail opendkim[1706]: D6773400AB09: not authenticated Dec 14 02:54:53 mail opendkim[1706]: D6773400AB09: no signature data Dec 14 02:54:53 mail postfix/smtpd[19244]: disconnect from wursti.dovecot.fi[94.237.32.243] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5 Dec 14 02:54:53 mail MailScanner[18700]: New Batch: Scanning 1 messages, 7572 bytes Dec 14 02:54:53 mail MailScanner[18700]: Virus and Content Scanning: Starting Dec 14 02:54:53 mail MailScanner[18700]: Spam Checks: Starting Dec 14 02:54:53 mail MailScanner[18700]: MailWatch: Blacklist refresh time reached Dec 14 02:54:53 mail MailScanner[18700]: MailWatch: Starting up MailWatch SQL Blacklist Dec 14 02:54:53 mail MailScanner[18700]: MailWatch: Read 0 blacklist entries Dec 14 02:54:56 mail MailScanner[18700]: Requeue: D6773400AB09.ADBA7 to 24EDE400AABD Dec 14 02:54:56 mail MailScanner[18700]: Uninfected: Delivered 1 messages Dec 14 02:54:56 mail postfix/qmgr[1756]: 24EDE400AABD: from=<dovecot-bounces@dovecot.org>, size=6784, nrcpt=1 (queue active) Dec 14 02:54:56 mail MailScanner[18700]: Deleted 1 messages from processing-database Dec 14 02:54:56 mail MailScanner[18700]: MailWatch: Logging message D6773400AB09.ADBA7 to SQL Dec 14 02:54:56 mail MailScanner[18962]: MailWatch: D6773400AB09.ADBA7: Logged to MailWatch SQL Dec 14 02:54:56 mail dovecot: lmtp(19259): Connect from local Dec 14 02:54:56 mail dovecot: lmtp(gao@pztop.com): AHqjGYBYMlo7SwAAlqGq+A: sieve: msgid=<9100b497-7f3e-8129-9f8f-c675296e2bd7@rename-it.nl>: stored mail into mailbox 'Junk' Dec 14 02:54:56 mail dovecot: lmtp(19259): Disconnect from local: Successful quit Dec 14 02:54:56 mail postfix/lmtp[19258]: 24EDE400AABD: to=<gao@pztop.com>, relay=mail.mydomain.com[private/dovecot-lmtp], delay=3.9, delays=3.8/0.01/0.01/0.06, dsn=2.0.0, status=sent (250 2.0.0 <gao@pztop.com> AHqjGYBYMlo7SwAAlqGq+A Saved) Dec 14 02:54:56 mail postfix/qmgr[1756]: 24EDE400AABD: removed Dec 14 02:54:56 mail dovecot: indexer-worker(gao@pztop.com): Indexed 1 messages in Junk (UIDs 11..11) ======End of Maillog======