[SOLVED] Can't catch this spam mail

ukro

Greetings,
I am getting this email.
----
Received: from vps33729 ([127.0.0.1]) by localhost via TCP with ESMTPA; Wed, 29 Sep 2021 21:08:05 +0800
MIME-Version: 1.0
From: Kevin <huixin1266@126.com>
Sender: Kevin <adpfiip@ujub.com>
To: xxxxx
Reply-To: Kevin <huixin1266@126.com>
Date: 29 Sep 2021 21:08:05 +0800
subject: **SPAM** =?utf-8?B?UmU6IGZsb29yIGRyYWlucyBtYW51ZmFjdHVlcg==?=
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: base64
X-SPAM-LEVEL: Spam detection results:  5
    DEAR_FRIEND             2.604 Dear Friend? That's not very dear!
    FREEMAIL_FORGED_FROMDOMAIN  0.249 2nd level domains in From and EnvelopeFrom freemail headers are different
    FREEMAIL_FROM           0.001 Sender email is commonly abused enduser mail provider
    FREEMAIL_REPLYTO_END_DIGIT   0.25 Reply-To freemail username ends in digit
    HEADER_FROM_DIFFERENT_DOMAINS   0.25 From and EnvelopeFrom 2nd level mail domains are different
    HTML_MESSAGE            0.001 HTML included in message
    KAM_DMARC_NONE           0.25 DKIM has Failed or SPF has failed on the message and the domain has no DMARC policy
    KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
    KAM_LAZY_DOMAIN_SECURITY      1 Sending domain does not have any anti-forgery methods
    MIME_HTML_ONLY            0.1 Message only has text/html MIME parts
    MISSING_MID              0.14 Missing Message-Id: header
    RCVD_IN_DNSWL_HI           -5 Sender listed at https://www.dnswl.org/, high trust
    RCVD_IN_HOSTKARMA_BL      1.5 Sender listed in HOSTKARMA-BLACK
    RCVD_IN_MSPIKE_H2      -0.001 Average reputation (+2)
    RCVD_IN_VALIDITY_RPBL   1.284 Relay in Validity RPBL, https://senderscore.org/blocklistlookup/
    RDNS_NONE               1.274 Delivered to internal network by a host with no rDNS
    SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
    SPF_NONE                0.001 SPF: sender does not publish an SPF Record
    SPOOFED_FREEMAIL_NO_RDNS  1.499 From SPOOFED_FREEMAIL and no rDNS
-----
I put the domain 126.com on the blacklist, but as I can see, PMG is looking at the sender, which is different every time.
I would like to put it on the blacklist so it will not end up in the spam quarantine.
Thank you
P.S. Can I force it to look at a different header name, Reply-To or From?
Today another one came:
----
Delivered-To: xxxxxxx
Return-Path: caeneioocp@unicam.it
Received-SPF: softfail (unicam.it: Sender is not authorized by default to use 'caeneioocp@unicam.it' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanism '~all' matched)) receiver=pmg.xxxx.local; identity=mailfrom; envelope-from="caeneioocp@unicam.it"; helo=places-nl.mail.protection.outlook.com; client-ip=119.122.90.243
Received: from places-nl.mail.protection.outlook.com (unknown [119.122.90.243])
    by pmg.xxxxx.local (Proxmox) with ESMTP id 2E311420DA
    for <xxxxxx>; Thu, 30 Sep 2021 08:43:35 +0300 (EEST)
Date: Thu, 30 Sep 2021 13:43:27 +0800 (CST)
From: smile668899 <smile668899@126.com>
Sender: caeneioocp <caeneioocp@unicam.it>
To: xxxxx <xxxxxxxx>
Message-ID: <888034936.2031130.1632980607421@places-nl.mail.protection.outlook.com>
subject: **SPAM** **SPAM** Re: Introduce DPF Cleaning to your business with excellent
         profits!!
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-SPAM-LEVEL: Spam detection results:  9
    DEAR_FRIEND             2.604 Dear Friend? That's not very dear!
    FREEMAIL_FORGED_FROMDOMAIN  0.249 2nd level domains in From and EnvelopeFrom freemail headers are different
    FREEMAIL_FROM           0.001 Sender email is commonly abused enduser mail provider
    HEADER_FROM_DIFFERENT_DOMAINS  0.249 From and EnvelopeFrom 2nd level mail domains are different
    HTML_MESSAGE            0.001 HTML included in message
    HTML_MIME_NO_HTML_TAG   0.635 HTML-only message, but there is no HTML tag
    KAM_DMARC_NONE           0.25 DKIM has Failed or SPF has failed on the message and the domain has no DMARC policy
    KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
    MIME_HTML_ONLY            0.1 Message only has text/html MIME parts
    RCVD_IN_HOSTKARMA_BL      1.5 Sender listed in HOSTKARMA-BLACK
    RDNS_NONE               1.274 Delivered to internal network by a host with no rDNS
    SPF_SOFTFAIL            0.972 SPF: sender does not match SPF record (softfail)
    SPOOFED_FREEMAIL_NO_RDNS  1.499 From SPOOFED_FREEMAIL and no rDNS
    T_SPF_HELO_TEMPERROR     0.01 SPF: test of HELO record failed (temperror)
-----
I am seeing an increase in this kind of spam, and some differ from 126.com. But the main logic is that Sender/From are different, and PMG is seeing only Sender and not From. On blacklist WHO
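Added example, not code from Proxmox Mail Gateway and not part of the post above: a small Python script that takes the headers quoted in the two messages (embedded inline, recipient masked as in the post, the second message reduced to its sender headers), pulls out the envelope sender (Return-Path where the MTA recorded one, otherwise the Sender: header), the header From and the Reply-To, compares their second-level domains the way the HEADER_FROM_DIFFERENT_DOMAINS hit describes, checks each field against a 126.com blocklist so you can see which field a domain block would have to look at, and re-sums the X-SPAM-LEVEL rule lines of the first message to show that the -5 from RCVD_IN_DNSWL_HI is what pulled it down to 5. The "last two labels" domain rule and the blocklist are simplifications chosen for the example (the real SpamAssassin rule uses a registrar-boundary list); what PMG's own Who-objects match on is not reproduced here.

```python
"""Compare header From / Reply-To with the envelope sender and re-sum SpamAssassin
scores for the messages quoted in the post.  Illustrative example, not PMG code."""
import email
import email.utils
import re

# Headers copied from the first message in the post (recipient masked as posted).
# The folded X-SPAM-LEVEL block is kept verbatim so the rule scores can be re-summed.
MSG1 = """\
Received: from vps33729 ([127.0.0.1]) by localhost via TCP with ESMTPA; Wed, 29 Sep 2021 21:08:05 +0800
From: Kevin <huixin1266@126.com>
Sender: Kevin <adpfiip@ujub.com>
To: xxxxx
Reply-To: Kevin <huixin1266@126.com>
X-SPAM-LEVEL: Spam detection results:  5
    DEAR_FRIEND             2.604 Dear Friend? That's not very dear!
    FREEMAIL_FORGED_FROMDOMAIN  0.249 2nd level domains in From and EnvelopeFrom freemail headers are different
    FREEMAIL_FROM           0.001 Sender email is commonly abused enduser mail provider
    FREEMAIL_REPLYTO_END_DIGIT   0.25 Reply-To freemail username ends in digit
    HEADER_FROM_DIFFERENT_DOMAINS   0.25 From and EnvelopeFrom 2nd level mail domains are different
    HTML_MESSAGE            0.001 HTML included in message
    KAM_DMARC_NONE           0.25 DKIM has Failed or SPF has failed on the message and the domain has no DMARC policy
    KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
    KAM_LAZY_DOMAIN_SECURITY      1 Sending domain does not have any anti-forgery methods
    MIME_HTML_ONLY            0.1 Message only has text/html MIME parts
    MISSING_MID              0.14 Missing Message-Id: header
    RCVD_IN_DNSWL_HI           -5 Sender listed at https://www.dnswl.org/, high trust
    RCVD_IN_HOSTKARMA_BL      1.5 Sender listed in HOSTKARMA-BLACK
    RCVD_IN_MSPIKE_H2      -0.001 Average reputation (+2)
    RCVD_IN_VALIDITY_RPBL   1.284 Relay in Validity RPBL, https://senderscore.org/blocklistlookup/
    RDNS_NONE               1.274 Delivered to internal network by a host with no rDNS
    SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
    SPF_NONE                0.001 SPF: sender does not publish an SPF Record
    SPOOFED_FREEMAIL_NO_RDNS  1.499 From SPOOFED_FREEMAIL and no rDNS
"""

# Second message from the post, reduced to its sender-related headers.
MSG2 = """\
Return-Path: caeneioocp@unicam.it
From: smile668899 <smile668899@126.com>
Sender: caeneioocp <caeneioocp@unicam.it>
To: xxxxx <xxxxxxxx>
"""

BLOCKLIST = {"126.com"}  # the domain the post put on the blacklist (example value)

def addr_of(value):
    """Bare lower-cased address from 'Kevin <huixin1266@126.com>' ('' if absent)."""
    return email.utils.parseaddr(value or "")[1].lower()

def registrable_domain(addr):
    """Naive '2nd level domain': the last two DNS labels.  SpamAssassin uses a
    registrar-boundary list; e.g. example.co.uk needs the public suffix list."""
    host = addr.rpartition("@")[2]
    return ".".join(host.split(".")[-2:]) if host else ""

def sender_fields(raw):
    """The identities a filter could match on; the envelope sender is Return-Path
    when the MTA recorded one, else the Sender: header (as in the first message)."""
    msg = email.message_from_string(raw)
    return {"EnvelopeFrom": addr_of(msg.get("Return-Path") or msg.get("Sender")),
            "From": addr_of(msg.get("From")),
            "Reply-To": addr_of(msg.get("Reply-To"))}

def from_envelope_mismatch(raw):
    """True when header From and envelope sender sit in different 2nd level domains."""
    f = sender_fields(raw)
    return registrable_domain(f["From"]) != registrable_domain(f["EnvelopeFrom"])

def blocklisted_fields(raw, blocklist=BLOCKLIST):
    """Names of the sender fields whose domain is on the blocklist."""
    return {name for name, addr in sender_fields(raw).items()
            if addr and registrable_domain(addr) in blocklist}

# One SpamAssassin rule line: name, score, description.
RULE_LINE = re.compile(r"^\s*([A-Z][A-Z0-9_]*)\s+(-?\d+(?:\.\d+)?)\s")

def rule_scores(raw):
    """Rule name -> score from the folded X-SPAM-LEVEL header (the default compat32
    policy keeps the continuation lines, so each rule line is matched on its own)."""
    header = email.message_from_string(raw).get("X-SPAM-LEVEL") or ""
    return {m.group(1): float(m.group(2))
            for m in map(RULE_LINE.match, header.splitlines()) if m}

def spam_score(raw, ignore=()):
    """Total score, optionally leaving out rules such as the DNSWL allowlist hit."""
    return round(sum(s for r, s in rule_scores(raw).items() if r not in ignore), 3)

if __name__ == "__main__":
    for name, raw in (("message 1", MSG1), ("message 2", MSG2)):
        print(name, sender_fields(raw), "mismatch:", from_envelope_mismatch(raw),
              "blocklisted in:", sorted(blocklisted_fields(raw)))
    print("message 1 score", spam_score(MSG1), "without DNSWL", spam_score(MSG1, {"RCVD_IN_DNSWL_HI"}))
```

For both messages the envelope sender (ujub.com, unicam.it) is never on the blocklist while From and, in the first message, Reply-To are, which is exactly why a block keyed on the envelope sender misses them; re-summing the first message's rules gives 5.413, and 10.413 once the -5 RCVD_IN_DNSWL_HI allowlist hit is left out.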
 
