Best way to block this received value

MiamiJack

MiamiJack

Active Member
Proxmox Subscriber
Sep 17, 2020
315
20
38
Hello,

I have tried blocking as both who and what senders, but I want to better understand the correct value to match/block.
As you can see below messages are coming from sdwebserver, while it says "received from:" where do I match it from?


Delivered-To: amah@test.com
Return-Path: guardians-insurance-find-savings-amah=test.com@figurativegems.com
Received-SPF: pass (figurativegems.com: 107.158.176.147 is authorized to use 'guardians-insurance-find-savings-amah=test.com@figurativegems.com' in 'mfrom' identity (mechanism 'mx' matched)) receiver=mgw.mgw.net; identity=mailfrom; envelope-from="guardians-insurance-find-savings-amah=test.com@figurativegems.com"; helo=mail.figurativegems.com; client-ip=107.158.176.147

Received: from mail.figurativegems.com (web.sdwebserver.com [107.158.176.147])
by mgw.localdomain (Proxmox) with ESMTP id 7F633816A7
for <amah@test.com>; Mon, 12 Oct 2020 19:22:43 -0400 (EDT)

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=dkim; d=figurativegems.com;
h=Date:From:To:Subject:MIME-Version:Content-Type:List-Unsubscribe:Message-ID; i=guardians-insurance-find-savings@figurativegems.com;
bh=vadAWTTHkcKykiPw6zoWrccqYKc=;
b=oHE3VeBVDgMPQXXb6JedwalcXgWhvOZiOQeGREU1vsF+xUZaHDdVp5Y+SG7GUhqJPgWFFkSxq6R4
5LE7HquHNPh/UtlRx20A/0cTwK3xtFZbCiuU/Tzcy0wN6MpADfPkEYkukVvivN+PHAYzDUY18R2W
kJG4Kc1EoPIHSR9yFgQ=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=dkim; d=figurativegems.com;
b=EdLXnbQ+y3ckegZPIRG4lf4lYVZgc+8Xa/wqhGd4OvuO0hEfdfPIY3IQUYNkTtGmfn5t2m9XVFiG
G4Wpct4VQx+gRDVZ1V+zEsnNjc9OJT+ImFHu3qfTJRcdiTly5d4oGZGdDIFTw4B3k3hH++ALWbBN
YTZB8j0PLslu+CJ9G7A=;
Received: by mail.figurativegems.com id hgjik60001g3 for <amah@test.com>; Mon, 12 Oct 2020 16:09:47 -0700 (envelope-from <guardians-insurance-find-savings-amah=test.com@figurativegems.com>)
Date: Mon, 12 Oct 2020 16:09:47 -0700
From: "Guardians Insurance Find Savings" <guardians-insurance-find-savings@figurativegems.com>
To: <amah@test.com>
subject: SPAM: Labor Day Discount: Auto coverage from $19/mo
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_Part_856_1720006412.1602544172539"
List-Unsubscribe: <http://www.figurativegems.com/wrang...rrs5Dxb5IbrxIvrIxEGsi8CRkodKKK7s1DYsQ06ApiyXh>
Message-ID: <0.0.0.5E.1D6A0ECC7D77F9E.762C0F@mail.figurativegems.com>
X-SPAM-LEVEL: Spam detection results: 15
DKIM_SIGNED 0.1 Message has a DKIM or DK signature, not necessarily valid
DKIM_VALID -0.1 Message has at least one valid DKIM or DK signature
DKIM_VALID_AU -0.1 Message has a valid DKIM or DK signature from author's domain
DKIM_VALID_EF -0.1 Message has a valid DKIM or DK signature from envelope-from domain
HTML_IMAGE_RATIO_02 0.001 HTML has a low ratio of text to image area
HTML_MESSAGE 0.001 HTML included in message
JMQ_SPF_NEUTRAL 0.5 SPF set to ?all
KAM_VERY_BLACK_DBL 5 Email that hits both URIBL Black and Spamhaus DBL
RAZOR2_CF_RANGE_51_100 2.43 Razor2 gives confidence level above 50%
RAZOR2_CHECK 1.729 Listed in Razor2 (http://razor.sf.net/)
SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record
SPF_PASS -0.001 SPF: sender matches SPF record
URIBL_ABUSE_SURBL 1.948 Contains an URL listed in the ABUSE SURBL blocklist [figurativegems.com]
URIBL_BLACK 1.7 Contains an URL listed in the URIBL blacklist [figurativegems.com]
URIBL_DBL_SPAM 2.5 Contains a spam URL listed in the Spamhaus DBL blocklist [figurativegems.com]
 
MiamiJack said:
Hello,

I have tried blocking as both who and what senders, but I want to better understand the correct value to match/block.
As you can see below messages are coming from sdwebserver, while it says "received from:" where do I match it from?


Delivered-To: amah@test.com
Return-Path: guardians-insurance-find-savings-amah=test.com@figurativegems.com
Received-SPF: pass (figurativegems.com: 107.158.176.147 is authorized to use 'guardians-insurance-find-savings-amah=test.com@figurativegems.com' in 'mfrom' identity (mechanism 'mx' matched)) receiver=mgw.mgw.net; identity=mailfrom; envelope-from="guardians-insurance-find-savings-amah=test.com@figurativegems.com"; helo=mail.figurativegems.com; client-ip=107.158.176.147

Received: from mail.figurativegems.com (web.sdwebserver.com [107.158.176.147])
by mgw.localdomain (Proxmox) with ESMTP id 7F633816A7
for <amah@test.com>; Mon, 12 Oct 2020 19:22:43 -0400 (EDT)

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=dkim; d=figurativegems.com;
h=Date:From:To:Subject:MIME-Version:Content-Type:List-Unsubscribe:Message-ID; i=guardians-insurance-find-savings@figurativegems.com;
bh=vadAWTTHkcKykiPw6zoWrccqYKc=;
b=oHE3VeBVDgMPQXXb6JedwalcXgWhvOZiOQeGREU1vsF+xUZaHDdVp5Y+SG7GUhqJPgWFFkSxq6R4
5LE7HquHNPh/UtlRx20A/0cTwK3xtFZbCiuU/Tzcy0wN6MpADfPkEYkukVvivN+PHAYzDUY18R2W
kJG4Kc1EoPIHSR9yFgQ=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=dkim; d=figurativegems.com;
b=EdLXnbQ+y3ckegZPIRG4lf4lYVZgc+8Xa/wqhGd4OvuO0hEfdfPIY3IQUYNkTtGmfn5t2m9XVFiG
G4Wpct4VQx+gRDVZ1V+zEsnNjc9OJT+ImFHu3qfTJRcdiTly5d4oGZGdDIFTw4B3k3hH++ALWbBN
YTZB8j0PLslu+CJ9G7A=;
Received: by mail.figurativegems.com id hgjik60001g3 for <amah@test.com>; Mon, 12 Oct 2020 16:09:47 -0700 (envelope-from <guardians-insurance-find-savings-amah=test.com@figurativegems.com>)
Date: Mon, 12 Oct 2020 16:09:47 -0700
From: "Guardians Insurance Find Savings" <guardians-insurance-find-savings@figurativegems.com>
To: <amah@test.com>
subject: SPAM: Labor Day Discount: Auto coverage from $19/mo
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_Part_856_1720006412.1602544172539"
List-Unsubscribe: <http://www.figurativegems.com/wrang...rrs5Dxb5IbrxIvrIxEGsi8CRkodKKK7s1DYsQ06ApiyXh>
Message-ID: <0.0.0.5E.1D6A0ECC7D77F9E.762C0F@mail.figurativegems.com>
X-SPAM-LEVEL: Spam detection results: 15
DKIM_SIGNED 0.1 Message has a DKIM or DK signature, not necessarily valid
DKIM_VALID -0.1 Message has at least one valid DKIM or DK signature
DKIM_VALID_AU -0.1 Message has a valid DKIM or DK signature from author's domain
DKIM_VALID_EF -0.1 Message has a valid DKIM or DK signature from envelope-from domain
HTML_IMAGE_RATIO_02 0.001 HTML has a low ratio of text to image area
HTML_MESSAGE 0.001 HTML included in message
JMQ_SPF_NEUTRAL 0.5 SPF set to ?all
KAM_VERY_BLACK_DBL 5 Email that hits both URIBL Black and Spamhaus DBL
RAZOR2_CF_RANGE_51_100 2.43 Razor2 gives confidence level above 50%
RAZOR2_CHECK 1.729 Listed in Razor2 (http://razor.sf.net/)
SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record
SPF_PASS -0.001 SPF: sender matches SPF record
URIBL_ABUSE_SURBL 1.948 Contains an URL listed in the ABUSE SURBL blocklist [figurativegems.com]
URIBL_BLACK 1.7 Contains an URL listed in the URIBL blacklist [figurativegems.com]
URIBL_DBL_SPAM 2.5 Contains a spam URL listed in the Spamhaus DBL blocklist [figurativegems.com]
Click to expand...
Why separate actions needed? As you have an huge SA score of 15, you can easily block such Spam mails with existing rulesets...
 
  • Like
Reactions: Stoiko Ivanov
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back