sync: auto-sync from GURU-BEAST-ROG at 2026-06-17 12:18:02

Author: Mike Swanson
Machine: GURU-BEAST-ROG
Timestamp: 2026-06-17 12:18:02

clients/glaztech/session-logs/2026-06/2026-06-17-mike-email-spam-investigation.md

@@ -0,0 +1,144 @@
+# Glaztech — Holly@ Email Spam Investigation
+
+**Date:** 2026-06-17
+**Syncro Ticket:** #32438 (internal ID: 112772653)
+
+## User
+- **Executed by:** ClaudeTools Discord Bot (GURU-BEAST-ROG)
+- **Requested by:** Winter Williams (@winterguru, via Discord) - tech
+- **Role:** automation (acting on the requester's behalf)
+
+---
+
+## Session Summary
+
+Winter reported that outbound email from Holly@glaztech.com was being stopped by spam filters at various recipient domains. A Syncro ticket was created (#32438, "Email - Holly@ email getting stopped by spam filters") and a full investigation was conducted covering DNS authentication records, EXO connector configuration, mailbox content analysis, and NDR history.
+
+Mike clarified that the on-premises Exchange server no longer exists and that mail should route outbound through MailProtector. Investigation of EXO via the Exchange Online REST API (InvokeCommand endpoint) confirmed no outbound connector exists — mail routes direct through Microsoft SMTP. This is operationally correct since EXO DKIM (selector1) is active and signing outbound mail. The absence of a MailProtector connector is a discrepancy from Mike's expectation but not the cause of spam rejections.
+
+Root cause was identified by analyzing Holly's sent mail history via Microsoft Graph API: the GTIware PSA system generates outbound emails (POs, documents) with a generic template — subject "Glaztech Industries Attached Document" and body "Dear Recipient, Please review the attached Glaztech Industries Document." This textbook phishing-pattern language triggers spam filters at recipient domains. Confirmed by Yahoo hard bounce (550 5.0.350 Policy Violation) in NDR history back to 2023. GTIware also sends duplicate emails (3 identical to kelly.shorts@classyclosetsut.com within minutes on May 7; 2 duplicates to brenda@beehiveglass.com on June 16), which compounds spam scoring. The five named recipients were analyzed individually: kelly.shorts, brenda@beehiveglass, and nate_sdu@yahoo all received GTIware template emails directly; jr@bennettsglass received only normal conversational replies (reputation bleed); drue@hscdirect had no direct emails from Holly in sent history.
+
+DNS authentication infrastructure was audited and corrected. DKIM was found working correctly: EXO selector1 is active and valid (rotated from selector2 in August 2024); selector2 CNAME was already in place in DNS, waiting for the next Microsoft rotation cycle; SendGrid s1/s2 selectors properly configured. DMARC was at p=reject;pct=100 (correct) but with rua/ruf pointing to noreply@glaztech.com — a dead address that meant ACG was blind to DMARC reports. This was updated to rua@azcomputerguru.com, and the required cross-domain authorization record was added to the azcomputerguru.com DNS zone. Ticket was updated to Waiting on Customer status with a full summary comment, as the fix requires Tom (Glaztech internal dev) to update the GTIware email template.
+
+---
+
+## Key Decisions
+
+- **No outbound EXO connector — left as-is.** Mike expected MailProtector routing but the absence of a connector is not the cause of spam rejections. EXO DKIM is signing correctly. Creating a connector without MailProtector configuration on both ends would be disruptive with no benefit. Documented in ticket; surfaced to Mike for awareness.
+- **DMARC rua/ruf changed to rua@azcomputerguru.com.** noreply@glaztech.com is a dead address. ACG was receiving zero DMARC aggregate reports. Using ACG's own address gives visibility into future delivery failures.
+- **Cross-domain DMARC auth added to azcomputerguru.com.** Required per RFC when DMARC report recipient (rua@azcomputerguru.com) is on a different domain than the reporting domain (glaztech.com). Without this, receivers discard reports.
+- **selector2 DKIM CNAME — no change needed.** selector2-glaztech-com._domainkey.glaztechindustries.onmicrosoft.com was already in DNS. Microsoft only publishes the active selector's key; selector2 will resolve when EXO rotates back to it.
+- **Ticket status set to Waiting on Customer.** ACG's infrastructure scope is complete. The fix is entirely on Glaztech's side (GTIware template changes). Nothing ACG can do until Tom updates the template.
+
+---
+
+## Problems Encountered
+
+- **Graph API `$filter` with OR conditions returned HTTP 400** — switched to `$search` parameter with keyword-based mailbox search for reading Holly's sent mail.
+- **URL with space in `$orderby=sentDateTime desc` caused Python `InvalidURL`** — resolved by using `urllib.parse.urlencode()` to encode all query parameters before constructing the URL.
+- **EXO REST `DkimSigningConfig` endpoint returned 400 "Resource not found"** — the `/adminapi/beta/{tenant}/DkimSigningConfig` REST endpoint does not work. Switched to `InvokeCommand` endpoint (`POST /adminapi/beta/{tenant}/InvokeCommand`) with `CmdletInput.CmdletName: "Get-DkimSigningConfig"`.
+- **WHM `edit_zone_record` returned "Unknown app"** — underscore in method name was wrong. Correct method name is `editzonerecord` (no underscore).
+- **curl output to file was 0 bytes on Windows** — switched entirely to Python `urllib.request` for all API calls; eliminates shell redirection issues on Windows/Git-Bash.
+- **Python not found as `python3`** — used `py` (Windows Python launcher) throughout.
+- **Syncro comment endpoint 404** — called `/tickets/{id}/comments` (plural) initially. Correct endpoint is `/tickets/{id}/comment` (singular).
+
+---
+
+## Configuration Changes
+
+**glaztech.com DNS zone** (via WHM JSON API on ix.azcomputerguru.com:2087):
+- `_dmarc.glaztech.com TXT` — updated rua/ruf from `noreply@glaztech.com` to `rua@azcomputerguru.com`
+
+**azcomputerguru.com DNS zone** (same WHM server):
+- Added: `glaztech.com._report._dmarc.azcomputerguru.com TXT "v=DMARC1"` — cross-domain DMARC authorization
+
+**No changes to selector1 or selector2 DKIM CNAMEs** — both already correct in DNS.
+
+**Syncro ticket #32438:**
+- Created ticket "Email - Holly@ email getting stopped by spam filters" for Glaztech
+- Added 3 comments during investigation (Initial Issue, Investigation Update, DNS Changes Completed)
+- Added final comment: "Infrastructure Complete - Waiting on Glaztech/Tom (GTIware Fix)" (hidden/internal)
+- Status updated: New → Waiting on Customer
+
+---
+
+## Credentials & Secrets
+
+No new credentials created or rotated this session.
+
+**Vault paths accessed:**
+- `msp-tools/computerguru-exchange-operator.sops.yaml` — EXO REST API multi-tenant app (client_id: b43e7342-5b4b-492f-890f-bb5a4f7f40e9)
+- `infrastructure/ix-server.sops.yaml` — WHM API token for IX server DNS management
+
+---
+
+## Infrastructure & Servers
+
+**Glaztech M365 tenant:**
+- Tenant ID: 82931e3c-de7a-4f74-87f7-fe714be1f160
+- Domain: glaztech.com / glaztechindustries.onmicrosoft.com
+- EXO DKIM: selector1 active (valid), selector2 CNAME in place (inactive, next rotation)
+- SendGrid DKIM: s1/s2 selectors active
+- DMARC: p=reject; pct=100; rua=mailto:rua@azcomputerguru.com (updated this session)
+- SPF: includes spf.us.emailservice.io, sendgrid.net, spf.protection.outlook.com
+
+**DNS hosting:** ix.azcomputerguru.com:2087 (WHM/cPanel)
+
+**EXO REST API endpoint used:**
+- `https://outlook.office365.com/adminapi/beta/82931e3c-de7a-4f74-87f7-fe714be1f160/InvokeCommand`
+- Auth: client_credentials via MSAL, scope `https://outlook.office365.com/.default`
+
+---
+
+## Commands & Outputs
+
+**DKIM status (via EXO InvokeCommand):**
+```
+selector1: Enabled, Status: Valid, LastChecked: 2026-06-17
+selector2: Enabled, Status: Valid (target not resolving — expected; selector inactive since Aug 2024 rotation)
+```
+
+**Yahoo NDR (hard bounce, confirms spam filter rejection):**
+```
+550 5.0.350 Remote server returned an error -> 554 5.0.0 Message rejected for policy reasons
+```
+
+**GTIware template pattern found in sent mail:**
+```
+Subject: Glaztech Industries Attached Document
+Body:    Dear Recipient, Please review the attached Glaztech Industries Document.
+```
+Duplicate sends: 3 identical to kelly.shorts on 2026-05-07; 2 to brenda on 2026-06-16.
+
+**DMARC record after update:**
+```
+v=DMARC1; p=reject; pct=100; rua=mailto:rua@azcomputerguru.com; ruf=mailto:rua@azcomputerguru.com
+```
+
+**Cross-domain auth record added:**
+```
+glaztech.com._report._dmarc.azcomputerguru.com TXT "v=DMARC1"
+```
+
+---
+
+## Pending / Incomplete Tasks
+
+- **GTIware template fix (Glaztech/Tom):** Update GTIware PO email template subject and body to remove generic phishing-pattern language. Investigate and resolve duplicate send behavior. This is Glaztech's action item — ticket #32438 is Waiting on Customer.
+- **EXO outbound connector:** No connector exists for MailProtector. Mike was informed. No action taken this session — needs Mike's decision on whether to configure MailProtector outbound routing.
+- **DMARC reports:** Now routing to rua@azcomputerguru.com. Monitor incoming DMARC reports to verify glaztech.com delivery posture once GTIware template is fixed.
+
+---
+
+## Reference Information
+
+- **Syncro ticket:** #32438 — https://computerguru.syncromsp.com/tickets/112772653
+- **Glaztech tenant ID:** 82931e3c-de7a-4f74-87f7-fe714be1f160
+- **EXO app client_id:** b43e7342-5b4b-492f-890f-bb5a4f7f40e9 (computerguru-exchange-operator)
+- **WHM server:** ix.azcomputerguru.com:2087
+- **Five named recipients analyzed:**
+  - kelly.shorts@classyclosetsut.com — received GTIware template emails (direct cause)
+  - brenda@beehiveglass.com — received GTIware template emails + duplicates (direct cause)
+  - nate_sdu@yahoo.com — received GTIware template emails; hard Yahoo bounce confirmed
+  - jr@bennettsglass.com — received only normal conversational replies (reputation bleed)
+  - drue@hscdirect.com — no direct Holly emails found in sent history