Blacklisting envelope or header from address

rapidscampi

Member
Apr 11, 2021
I just received an email from a perpetual spammer whose domain I have added to the global blacklist using the domain rule.

The sender is using Hubspot to send marketing emails, like many organisations - some of whom are legit and I would be happy to continue to receive email from.

Am I right in thinking that the envelope from address is checked against the blacklist rather than the message header from address?

Here's the raw email in question. The domain that's blacklisted is creoate.com, yet it passed with a score of 0.36/16!

William Stanford is not a real person (not at our organisation anyway), hence me leaving the name there, I've just got a catch-all set up at the moment.

Where am I going wrong here?

Code:
Return-Path: <1axby5qqwz8f9tk9ada3o2ilgdt70bqgsrsw7a@bf01.eu1.hubspotemail.net>
Delivered-To: info@mydomain.co.uk
Received: from mail.mydomain.co.uk ([172.22.1.253])
    by 5956d1a4b3e6 with LMTP
    id aOGCGrJLeWJ3WAoAHTCRpQ
    (envelope-from <1axby5qqwz8f9tk9ada3o2ilgdt70bqgsrsw7a@bf01.eu1.hubspotemail.net>)
    for <info@mydomain.co.uk>; Mon, 09 May 2022 18:13:22 +0100
Received: from pmg.mydomain.co.uk (unknown [192.168.1.1])
    by mail.mydomain.co.uk (Postcow) with ESMTP id 1E0B1703BB1
    for <william.stanford@mydomain.co.uk>; Mon,  9 May 2022 18:13:19 +0100 (BST)
Received: from pmg.mydomain.co.uk (localhost.localdomain [127.0.0.1])
    by pmg.mydomain.co.uk (Proxmox) with ESMTP id E719A8105A
    for <william.stanford@mydomain.co.uk>; Mon,  9 May 2022 18:13:18 +0100 (BST)
Received-SPF: pass (bf01.eu1.hubspotemail.net: 143.244.84.1 is authorized to use '1axby5qqwz8f9tk9ada3o2ilgdt70bqgsrsw7a@bf01.eu1.hubspotemail.net' in 'mfrom' identity (mechanism 'ip4:143.244.84.0/28' matched)) receiver=pmg.mydomain.co.uk; identity=mailfrom; envelope-from="1axby5qqwz8f9tk9ada3o2ilgdt70bqgsrsw7a@bf01.eu1.hubspotemail.net"; helo=bd77e6b.bf01.eu1.hubspotemail.net; client-ip=143.244.84.1
Received: from bd77e6b.bf01.eu1.hubspotemail.net (bd77e6b.bf01.eu1.hubspotemail.net [143.244.84.1])
    by pmg.mydomain.co.uk (Proxmox) with ESMTP id BA30F8004A
    for <william.stanford@mydomain.co.uk>; Mon,  9 May 2022 18:13:12 +0100 (BST)
Received: by 172.16.185.10 with SMTP id axhgpp6gfjb4az279xv1nsn8dbpoxzqmv812te;
        Mon, 9 May 2022 17:13:06 GMT
DKIM-Signature: v=1; s=hs2; d=bf01.eu1.hubspotemail.net; 
        i=@bf01.eu1.hubspotemail.net; 
        h=sender:from:from:reply-to:to:to:cc:cc:subject:subject:list-unsubscribe:form-sub:feedback-id; 
        a=rsa-sha256; c=relaxed/relaxed; 
        bh=0K9ZI7/lj9cKggcG5J28SEp1hycjcpmqA1gZtDMEEnM=; 
        b=g1kdGVn07DxbUvuoQ/37ScyIMPEqHH4VVIBXXm3BNAXMz0JAR3vEDW1bxXKohj
         sXEiQ53zQOTSQlAC5v2USvPnhMeJvUeH00DQ7lHK54/lXdGxMYQq86wwYuFsXSz
         Rv4b6Sbiq1Cpj7ZoXMid10DA7OsnrwQcpZLoD6YSw9oa4PhPnAOn7WnidbTkXwD
         qqtJFqhhsiS4XSiFXf3byAfHmwh245kEtpP99MG7okYNBvz2eS+DuX2b+ASwXMe
         6QNBZXvErfLISP7NoQ3bI4bZ7IVY7BaYqlsYIetlyAhOCnnbM0J529g6wbfam0f
         MoSIrwLwsqGdZgSSMKMkgD5orZaw==; q=dns/txt; t=1652116386; 
        x=1652289186;
DKIM-Signature: v=1; s=hs1-25265714; d=creoate.com; 
        i=@creoate.com; 
        h=sender:from:from:reply-to:to:to:cc:cc:subject:subject:list-unsubscribe:form-sub:feedback-id; 
        a=rsa-sha256; c=relaxed/relaxed; 
        bh=0K9ZI7/lj9cKggcG5J28SEp1hycjcpmqA1gZtDMEEnM=; 
        b=G9hCtw1bw0KiZ/WynTX6Rebv/RqANhXP++TIFEP2cNN8+xYKyRJUx62+N72ZAg
         8CQK88gVUtFgxRFO0+hg1OGqGqVgdqLjSrb6YIIICLGAJb75DXeax8ak/rOGiH5
         HJFsc+chOvXRm9WnUAold4a5B6bm81dfmktNlrI4ikFFtT86L6Bbhewq8DN9TEu
         mj5hub+1sFYSFfdl+GTvmHbkcEOqPzdpSprsPMJ2TCIQEGhuvTZDXpSG7pAdB8d
         SzS3iwoYEQ7vVnXHoUzMv0h6EMsPCzLYa2TIE4hrMlUIjz2JIwm16w3R+3YyJu/
         W2kC7tUdCcSrh40h9hJ1xprJbOzA==; q=dns/txt; t=1652116386; 
        x=1652289186;
X-HS-Cid: 1axe7fwpm8mvvd7n4tlp1gsxyxcb5b73s70aom
List-Unsubscribe: <mailto:1axcy4ppr7lbvajtmdirq9ixf2xs62ov82xouu@bf01.eu1.hubspotemail.net?subject=unsubscribe>
Date: Mon, 9 May 2022 18:13:06 +0100
From: Elizabeth at CREOATE <noreply@creoate.com>
Reply-To: noreply@creoate.com
To: william.stanford@mydomain.co.uk
Message-ID: <1652116385815.4135190e-bbb5-4ffe-aa8b-07f8640ebfc9@bf01.eu1.hubspotemail.net>
Subject: Your welcome offer extended for 72 hours only...
MIME-Version: 1.0
Content-Type: multipart/alternative; 
    boundary="----=_Part_434579_797159592.1652116385934"
X-Report-Abuse-To: abuse@hubspot.com (see
 https://policy.hubspot.com/abuse-complaints)
X-SPAM-LEVEL: Spam detection results:  0
    AWL                     0.190 Adjusted score from AWL reputation of From: address
    DKIM_SIGNED               0.1 Message has a DKIM or DK signature, not necessarily valid
    DKIM_VALID               -0.1 Message has at least one valid DKIM or DK signature
    DKIM_VALID_AU            -0.1 Message has a valid DKIM or DK signature from author's domain
    HEADER_FROM_DIFFERENT_DOMAINS  0.249 From and EnvelopeFrom 2nd level mail domains are different
    HTML_FONT_LOW_CONTRAST  0.001 HTML font color similar or identical to background
    HTML_MESSAGE            0.001 HTML included in message
    SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
    SPF_PASS               -0.001 SPF: sender matches SPF record
    T_SCC_BODY_TEXT_LINE    -0.01 -
X-Last-TLS-Session-Version: None
Authentication-Results: mail.mydomain.co.uk;
    none
X-Spamd-Result: default: False [0.36 / 15.00];
    FORGED_SENDER(0.30)[noreply@creoate.com,1axby5qqwz8f9tk9ada3o2ilgdt70bqgsrsw7a@bf01.eu1.hubspotemail.net];
    RCVD_NO_TLS_LAST(0.10)[];
    MIME_GOOD(-0.10)[multipart/alternative,text/plain];
    MANY_INVISIBLE_PARTS(0.05)[1];
    BAYES_SPAM(0.02)[51.54%];
    HAS_LIST_UNSUB(-0.01)[];
    RCVD_COUNT_THREE(0.00)[4];
    TO_DN_NONE(0.00)[];
    ARC_NA(0.00)[];
    MIME_TRACE(0.00)[0:+,1:+,2:~];
    RCPT_MAILCOW_DOMAIN(0.00)[mydomain.co.uk];
    WHITELISTED_FWD_HOST(0.00)[192.168.1.1];
    RCPT_COUNT_ONE(0.00)[1];
    PREVIOUSLY_DELIVERED(0.00)[william.stanford@mydomain.co.uk];
    BCC(0.00)[];
    HAS_REPLYTO(0.00)[noreply@creoate.com];
    FROM_NEQ_ENVFROM(0.00)[noreply@creoate.com,1axby5qqwz8f9tk9ada3o2ilgdt70bqgsrsw7a@bf01.eu1.hubspotemail.net];
    FROM_HAS_DN(0.00)[];
    REPLYTO_ADDR_EQ_FROM(0.00)[];
    TO_MATCH_ENVRCPT_ALL(0.00)[];
    WL_FWD_HOST(0.00)[]
X-Rspamd-Queue-Id: 1E0B1703BB1
 

Am I right in thinking that the envelope from address is checked against the blacklist rather than the message header from address?
Put shortly: yes, but it's a bit more involved:
* Who objects in the rule system match the envelope addresses of mails (in this case this would be `1axby5qqwz8f9tk9ada3o2ilgdt70bqgsrsw7a@bf01.eu1.hubspotemail.net`)
* the default Blacklist rule has a Who object (also called Blacklist)

If you want to match the header address from the 'From' header, add a What object (Match Field) with 'from' as the field name.

I hope this helps!
 
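The distinction the answer draws (envelope sender versus header From) is the whole reason the domain blacklist missed this mail. The following is an added example, not part of the original thread and not Proxmox Mail Gateway's own rule engine: it parses a trimmed copy of the headers posted above, pulls out both addresses, and applies two simplified matchers, one modelled on a Who object of type Domain (exact match on the envelope sender's domain) and one modelled on a What object of type Match Field (regex against a named header). The `SAMPLE_HEADERS` string is constructed from the post; the matching semantics are assumptions for illustration, so check the PMG documentation for the exact behaviour of each object type.

```python
"""Why a Who (Domain) object misses a HubSpot-relayed mail while a What
(Match Field) object on the From header catches it.

Added example; the matchers below are simplifications written for this
illustration, not Proxmox Mail Gateway's implementation.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: a trimmed copy of the headers from the post above.
# Return-Path carries the SMTP envelope sender (MAIL FROM); From is the
# header address the recipient actually sees.
SAMPLE_HEADERS = (
    "Return-Path: <1axby5qqwz8f9tk9ada3o2ilgdt70bqgsrsw7a@bf01.eu1.hubspotemail.net>\n"
    "From: Elizabeth at CREOATE <noreply@creoate.com>\n"
    "Reply-To: noreply@creoate.com\n"
    "To: william.stanford@mydomain.co.uk\n"
    "Subject: Your welcome offer extended for 72 hours only...\n"
    "\n"
    "(body omitted)\n"
)


def parse(raw: str):
    """Parse a raw RFC 5322 message (headers plus body)."""
    return message_from_string(raw, policy=policy.default)


def envelope_sender(msg) -> str:
    """Envelope sender as the receiving MTA recorded it in Return-Path."""
    return parseaddr(str(msg.get("Return-Path", "")))[1].lower()


def header_from(msg) -> str:
    """Bare address taken from the From header (display name stripped)."""
    return parseaddr(str(msg.get("From", "")))[1].lower()


def domain_of(addr: str) -> str:
    """Domain part of an address; empty string when there is no '@'."""
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""


def who_domain_blocked(msg, blocked_domains: set[str]) -> bool:
    """Simplified Who object of type Domain: exact match (assumption) on the
    *envelope* sender's domain, which is what PMG's Who objects look at."""
    return domain_of(envelope_sender(msg)) in {d.lower() for d in blocked_domains}


def what_field_blocked(msg, field: str, pattern: str) -> bool:
    """Simplified What object of type Match Field: regular expression
    (case-insensitive, an assumption) applied to the named header's value."""
    value = str(msg.get(field, ""))
    return re.search(pattern, value, re.IGNORECASE) is not None


def evaluate(raw: str, blocked_domains: set[str], from_pattern: str) -> dict:
    """Run both matchers over one message and report what each one saw."""
    msg = parse(raw)
    return {
        "envelope_sender": envelope_sender(msg),
        "header_from": header_from(msg),
        "who_domain_hit": who_domain_blocked(msg, blocked_domains),
        "what_from_hit": what_field_blocked(msg, "from", from_pattern),
    }


if __name__ == "__main__":
    # The poster's situation: creoate.com is on the domain blacklist, but the
    # envelope sender lives under hubspotemail.net, so the Who object never fires.
    result = evaluate(SAMPLE_HEADERS, {"creoate.com"}, r"@creoate\.com")
    for key, val in result.items():
        print(f"{key:16} {val}")
```

Blacklisting `bf01.eu1.hubspotemail.net` instead would make the Who object fire, but it would also block every other HubSpot customer relayed through that bounce domain, which is exactly the collateral damage the question wants to avoid; the Match Field regex on `from` keys on the marketing domain only.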
