Too much spam getting through

AllCore James

New Member
Dec 20, 2018
Hello,

We are seeing FAR too much spam getting through PMG.

1. Is there a way to create custom rules for the Server?
2. Is there a way to create a custom rule for a specific domain or email address?

Our clients are getting lots of emails for "viagara" and sex sites etc...

When we started the switch to PMG we felt really excited about the solution but now all of our clients are complaining about the amount of spam they get.
 
* Could you post a few logs from the system?
* The most common cause of too much spam getting through PMG is an improperly configured DNS setup:
** are you seeing *BL_BLOCKED messages in the log - see https://cwiki.apache.org/confluence/display/spamassassin/DnsBlocklists
** have you configured some rbl for the mailproxy?

I hope this helps!
 
Where are the logs located - ? Sorry, super new to this product.

I did read a bunch of stuff on the DNS... I'm not sure if ours is helping or hurting. We have the servers set up to use the following DNS servers:
- 208.71.89.29 <- Ours
- 208.71.89.129 <- Ours
- 8.8.8.8 <- google

As for the RBL, I'm "assuming" you mean Configuration > Mail Proxy > DNSBL Sites? The answer is yes; we have the following: zen.spamhaus.org,bl.spamcop.net,cbl.abuseat.org
 
Where are the logs located - ? Sorry, super new to this product.
'/var/log/mail.log' (and all files matching '/var/log/mail.log*') - if you post them please remove all information you consider sensitive!


Using a dedicated DNS resolver for PMG (or any mail server, especially one doing RBL lookups) is always a good idea.
The public servers (8.8.8.8) usually have reached the rate limit for those lists which have one, and you don't get good answers there (this is also shown in the logs).

I hope this helps!
 
Here is a bunch of the logs ... hope this helps...


Sep 9 06:25:09 mx101 postfix/postscreen[29692]: CONNECT from [89.31.97.186]:40610 to [208.71.89.101]:25
Sep 9 06:25:13 mx101 postfix/postscreen[29692]: PASS OLD [89.31.97.186]:40610
Sep 9 06:25:13 mx101 postfix/smtpd[2035]: table hash:/etc/aliases(0,lock|fold_fix|utf8_request) has changed -- restarting
Sep 9 06:25:14 mx101 postfix/smtpd[2322]: connect from es010.cvps.mta.smashedmail.com[89.31.97.186]
Sep 9 06:25:14 mx101 pmgpolicy[29230]: SPF says pass
Sep 9 06:25:14 mx101 postfix/smtpd[2322]: 992B2CF4FD: client=es010.cvps.mta.smashedmail.com[89.31.97.186]
Sep 9 06:25:14 mx101 postfix/cleanup[2039]: 992B2CF4FD: message-id=<HlwcJoGYWP9TiBlkDbgERiONmTIS27ci8voI6PFWdrg@node3.omnimailr.com>
Sep 9 06:25:14 mx101 postfix/qmgr[13124]: 992B2CF4FD: from=<bounce+onWq5UtcmrwiLzWrlhbCq@looniess.com>, size=25237, nrcpt=1 (queue active)
Sep 9 06:25:14 mx101 postfix/smtpd[2322]: disconnect from es010.cvps.mta.smashedmail.com[89.31.97.186] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Sep 9 06:25:14 mx101 pmg-smtp-filter[2047]: 2019/09/09-06:25:14 CONNECT TCP Peer: "[127.0.0.1]:36582" Local: "[127.0.0.1]:10024"
Sep 9 06:25:14 mx101 pmg-smtp-filter[20159]: starting database maintainance
Sep 9 06:25:14 mx101 pmg-smtp-filter[20159]: end database maintainance (9 ms)
Sep 9 06:25:14 mx101 pmg-smtp-filter[2047]: D38575D76288AD39DD: new mail message-id=<HlwcJoGYWP9TiBlkDbgERiONmTIS27ci8voI6PFWdrg@node3.omnimailr.com>
Sep 9 06:25:15 mx101 pmg-smtp-filter[2047]: D38575D76288AD39DD: SA score=0/5 time=0.940 bayes=0 autolearn=ham autolearn_force=no hits=AWL(0.275),BAYES_00(-1.9),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),HTML_FONT_LOW_CONTRAST(0.001),HTML_MESSAGE(0.001),SPF_HELO_PASS(-0.001),SPF_PASS(-0.001),T_KAM_HTML_FONT_INVALID(0.01),URIBL_BLOCKED(0.001)
Sep 9 06:25:15 mx101 postfix/smtpd[2045]: connect from localhost.localdomain[127.0.0.1]
Sep 9 06:25:15 mx101 postfix/smtpd[2045]: D326ED3858: client=localhost.localdomain[127.0.0.1], orig_client=es010.cvps.mta.smashedmail.com[89.31.97.186]
Sep 9 06:25:15 mx101 postfix/cleanup[2039]: D326ED3858: message-id=<HlwcJoGYWP9TiBlkDbgERiONmTIS27ci8voI6PFWdrg@node3.omnimailr.com>
Sep 9 06:25:15 mx101 postfix/qmgr[13124]: D326ED3858: from=<bounce+onWq5UtcmrwiLzWrlhbCq@looniess.com>, size=26527, nrcpt=1 (queue active)
Sep 9 06:25:15 mx101 postfix/smtpd[2045]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Sep 9 06:25:15 mx101 pmg-smtp-filter[2047]: D38575D76288AD39DD: accept mail to <**clientEmail**> (D326ED3858)
Sep 9 06:25:15 mx101 pmg-smtp-filter[2047]: D38575D76288AD39DD: processing time: 1.04 seconds (0.94, 0.034, 0)
Sep 9 06:25:15 mx101 postfix/lmtp[2041]: 992B2CF4FD: to=<**clientEmail**>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.4, delays=0.34/0/0.05/1, dsn=2.5.0, status=sent (250 2.5.0 OK (D38575D76288AD39DD))
Sep 9 06:25:15 mx101 postfix/qmgr[13124]: 992B2CF4FD: removed
Sep 9 06:25:15 mx101 postfix/smtp[2046]: D326ED3858: to=<**clientEmail**>, relay=208.71.89.140[208.71.89.140]:25, delay=0.13, delays=0.04/0/0/0.09, dsn=2.0.0, status=sent (250 OK id=1i7GrD-00FDD9-V8)
Sep 9 06:25:15 mx101 postfix/qmgr[13124]: D326ED3858: removed
Sep 9 06:25:35 mx101 postfix/postscreen[29692]: CONNECT from [216.244.67.87]:37211 to [208.71.89.101]:25
Sep 9 06:25:35 mx101 postfix/dnsblog[32020]: addr 216.244.67.87 listed by domain zen.spamhaus.org as 127.0.0.3
Sep 9 06:25:41 mx101 postfix/postscreen[29692]: DNSBL rank 1 for [216.244.67.87]:37211
Sep 9 06:25:42 mx101 postfix/postscreen[29692]: NOQUEUE: reject: RCPT from [216.244.67.87]:37211: 550 5.7.1 Service unavailable; client [216.244.67.87] blocked using zen.spamhaus.org; from=<283-6-433598-65-kbd=**clientEmail7**@mail.cogntivesupsen.xyz>, to=<**clientEmail2**>, proto=ESMTP, helo=<app.cogntivesupsen.xyz>
Sep 9 06:25:42 mx101 postfix/postscreen[29692]: DISCONNECT [216.244.67.87]:37211
Sep 9 06:25:53 mx101 pmgpolicy[22506]: starting policy database maintainance (greylist, rbl)
Sep 9 06:25:53 mx101 pmgpolicy[22506]: found 1 expired mails in greylisting database
Sep 9 06:25:53 mx101 pmgpolicy[22506]: end policy database maintainance (14 ms, 3 ms)
Sep 9 06:27:08 mx101 postfix/postscreen[29692]: CONNECT from [208.71.88.245]:54439 to [208.71.89.101]:25
Sep 9 06:27:08 mx101 postfix/postscreen[29692]: WHITELISTED [208.71.88.245]:54439
Sep 9 06:27:08 mx101 postfix/smtpd[2736]: connect from cp104.hostserve.net[208.71.88.245]
Sep 9 06:27:08 mx101 postfix/smtpd[2736]: 9D572CF4FD: client=cp104.hostserve.net[208.71.88.245]
Sep 9 06:27:08 mx101 postfix/cleanup[2740]: 9D572CF4FD: message-id=<E1i7Gt2-0000FC-8b@cp104.hostserve.net>
Sep 9 06:27:08 mx101 postfix/qmgr[13124]: 9D572CF4FD: from=<root@cp104.hostserve.net>, size=42884, nrcpt=1 (queue active)
Sep 9 06:27:08 mx101 postfix/smtpd[2736]: disconnect from cp104.hostserve.net[208.71.88.245] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Sep 9 06:27:08 mx101 pmg-smtp-filter[1610]: 2019/09/09-06:27:08 CONNECT TCP Peer: "[127.0.0.1]:36626" Local: "[127.0.0.1]:10024"
Sep 9 06:27:08 mx101 pmg-smtp-filter[1610]: D38575D7628FCAA894: new mail message-id=<E1i7Gt2-0000FC-8b@cp104.hostserve.net>
Sep 9 06:27:09 mx101 pmg-smtp-filter[1610]: D38575D7628FCAA894: SA score=1/5 time=0.670 bayes=2.22044604925031e-16 autolearn=no autolearn_force=no hits=AWL(-0.055),BAYES_00(-1.9),HTML_MESSAGE(0.001),KAM_LAZY_DOMAIN_SECURITY(1),KAM_NUMSUBJECT(0.5),SPF_HELO_NONE(0.001),SPF_NONE(0.001),TO_NO_BRKTS_HTML_IMG(1.993),URIBL_BLOCKED(0.001),WEIRD_PORT(0.001)
Sep 9 06:27:09 mx101 postfix/smtpd[2745]: connect from localhost.localdomain[127.0.0.1]
Sep 9 06:27:09 mx101 postfix/smtpd[2745]: 6FAD6D3858: client=localhost.localdomain[127.0.0.1], orig_client=cp104.hostserve.net[208.71.88.245]
Sep 9 06:27:09 mx101 postfix/cleanup[2740]: 6FAD6D3858: message-id=<E1i7Gt2-0000FC-8b@cp104.hostserve.net>
Sep 9 06:27:09 mx101 postfix/qmgr[13124]: 6FAD6D3858: from=<root@cp104.hostserve.net>, size=43980, nrcpt=1 (queue active)
Sep 9 06:27:09 mx101 postfix/smtpd[2745]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
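The reply above says that refused RBL/URIBL lookups show up in the logs, and the excerpt does show it: both `SA score=` lines carry `URIBL_BLOCKED(0.001)`, which SpamAssassin sets when the URIBL query was refused (the usual effect of querying through a rate-limited public resolver such as 8.8.8.8), so a URI that is actually listed scores nothing. The following audit script is an added example for this thread, not Proxmox code: it reads `/var/log/mail.log`-style lines, tallies `*_BLOCKED` rule hits per scanned message, and separately counts postscreen DNSBL rejects so you can see which lookups work and which are being refused. The sample lines are constructed from the excerpt above (addresses replaced, one spam-scoring line invented for contrast); the function and variable names are the example's own.

```python
"""Audit a PMG /var/log/mail.log excerpt for refused DNSBL/URIBL lookups.

Added example for this thread; not part of Proxmox Mail Gateway. It only
reads the result lines that pmg-smtp-filter (SpamAssassin) and postscreen
already write, so it needs no network access.
"""
import re
from collections import Counter

# Constructed sample, adapted from the excerpt posted in this thread.
# Addresses are replaced; the last line is invented to show a message that
# did score on a working URIBL/RBL lookup.
SAMPLE_LOG = """\
Sep 9 06:25:15 mx101 pmg-smtp-filter[2047]: D38575D76288AD39DD: SA score=0/5 time=0.940 bayes=0 autolearn=ham autolearn_force=no hits=AWL(0.275),BAYES_00(-1.9),DKIM_VALID(-0.1),SPF_PASS(-0.001),URIBL_BLOCKED(0.001)
Sep 9 06:25:42 mx101 postfix/postscreen[29692]: NOQUEUE: reject: RCPT from [216.244.67.87]:37211: 550 5.7.1 Service unavailable; client [216.244.67.87] blocked using zen.spamhaus.org; from=<sender@example.invalid>, to=<rcpt@example.invalid>, proto=ESMTP, helo=<app.example.invalid>
Sep 9 06:27:09 mx101 pmg-smtp-filter[1610]: D38575D7628FCAA894: SA score=1/5 time=0.670 bayes=2.22044604925031e-16 autolearn=no autolearn_force=no hits=AWL(-0.055),BAYES_00(-1.9),KAM_LAZY_DOMAIN_SECURITY(1),TO_NO_BRKTS_HTML_IMG(1.993),URIBL_BLOCKED(0.001),WEIRD_PORT(0.001)
Sep 9 06:30:00 mx101 pmg-smtp-filter[1610]: D38575D7628FCAA8FF: SA score=7.5/5 time=0.500 bayes=1 autolearn=spam autolearn_force=no hits=BAYES_99(3.5),URIBL_DBL_SPAM(2.5),RCVD_IN_XBL(1.5)
"""

# One SpamAssassin result line per scanned message: queue id, score/threshold, rule hits.
SA_RE = re.compile(
    r"pmg-smtp-filter\[\d+\]: (?P<qid>[0-9A-F]+): SA score=(?P<score>-?[\d.]+)/(?P<thr>[\d.]+) "
    r".*?hits=(?P<hits>\S+)"
)
HIT_RE = re.compile(r"([A-Za-z0-9_]+)\(([^)]+)\)")
# postscreen reject caused by one of the configured DNSBL sites.
DNSBL_REJECT_RE = re.compile(
    r"postfix/postscreen\[\d+\]: NOQUEUE: reject: RCPT from \[(?P<ip>[^\]]+)\]:\d+: "
    r".*?blocked using (?P<bl>[^;\s]+)"
)


def parse_sa_line(line):
    """Return (queue_id, score, threshold, {rule: points}) for an SA result line, else None."""
    m = SA_RE.search(line)
    if not m:
        return None
    hits = {name: float(val) for name, val in HIT_RE.findall(m.group("hits"))}
    return m.group("qid"), float(m.group("score")), float(m.group("thr")), hits


def audit(log_text):
    """Count scanned messages, *_BLOCKED rule hits and postscreen DNSBL rejects."""
    summary = {
        "scanned": 0,
        "blocked_lookup_messages": 0,   # messages whose DNSBL/URIBL query was refused
        "blocked_lookup_rules": Counter(),
        "rule_hits": Counter(),
        "dnsbl_rejects": Counter(),     # rejects per list: these lookups are working
    }
    for line in log_text.splitlines():
        parsed = parse_sa_line(line)
        if parsed:
            _qid, _score, _thr, hits = parsed
            summary["scanned"] += 1
            summary["rule_hits"].update(hits.keys())
            blocked = [rule for rule in hits if rule.endswith("_BLOCKED")]
            if blocked:
                summary["blocked_lookup_messages"] += 1
                summary["blocked_lookup_rules"].update(blocked)
            continue
        m = DNSBL_REJECT_RE.search(line)
        if m:
            summary["dnsbl_rejects"][m.group("bl")] += 1
    return summary


def diagnose(summary):
    """Turn the counters into the findings a mail admin would act on."""
    findings = []
    scanned, blocked = summary["scanned"], summary["blocked_lookup_messages"]
    if scanned and blocked:
        rules = ", ".join(sorted(summary["blocked_lookup_rules"]))
        findings.append(
            f"{blocked}/{scanned} scanned messages carry a *_BLOCKED rule ({rules}): "
            "the list refused the query, which is what a rate-limited public resolver "
            "produces; point PMG at a dedicated local resolver."
        )
    if not summary["dnsbl_rejects"]:
        findings.append("no postscreen DNSBL rejects seen: check Mail Proxy > DNSBL Sites.")
    else:
        lists = ", ".join(f"{bl}={n}" for bl, n in sorted(summary["dnsbl_rejects"].items()))
        findings.append(f"postscreen DNSBL rejects are occurring ({lists}); those lists resolve.")
    return findings


if __name__ == "__main__":
    for finding in diagnose(audit(SAMPLE_LOG)):
        print("-", finding)
```

Run it against a real excerpt with `audit(open("/var/log/mail.log").read())`; a high share of `*_BLOCKED` messages alongside a healthy count of postscreen rejects is the pattern the reply describes, where the IP-based DNSBL still answers but the URIBL refuses queries from the shared public resolver.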
 
