[SOLVED] Cant catch this spam mail

ukro

Member
May 16, 2021
Greetings,
I am getting this email.
----
Received: from vps33729 ([127.0.0.1]) by localhost via TCP with ESMTPA; Wed, 29 Sep 2021 21:08:05 +0800
MIME-Version: 1.0
From: Kevin <huixin1266@126.com>
Sender: Kevin <adpfiip@ujub.com>
To: xxxxx
Reply-To: Kevin <huixin1266@126.com>
Date: 29 Sep 2021 21:08:05 +0800
subject: **SPAM** =?utf-8?B?UmU6IGZsb29yIGRyYWlucyBtYW51ZmFjdHVlcg==?=
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: base64
X-SPAM-LEVEL: Spam detection results:  5
    DEAR_FRIEND             2.604 Dear Friend? That's not very dear!
    FREEMAIL_FORGED_FROMDOMAIN  0.249 2nd level domains in From and EnvelopeFrom freemail headers are different
    FREEMAIL_FROM           0.001 Sender email is commonly abused enduser mail provider
    FREEMAIL_REPLYTO_END_DIGIT   0.25 Reply-To freemail username ends in digit
    HEADER_FROM_DIFFERENT_DOMAINS   0.25 From and EnvelopeFrom 2nd level mail domains are different
    HTML_MESSAGE            0.001 HTML included in message
    KAM_DMARC_NONE           0.25 DKIM has Failed or SPF has failed on the message and the domain has no DMARC policy
    KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
    KAM_LAZY_DOMAIN_SECURITY      1 Sending domain does not have any anti-forgery methods
    MIME_HTML_ONLY            0.1 Message only has text/html MIME parts
    MISSING_MID              0.14 Missing Message-Id: header
    RCVD_IN_DNSWL_HI           -5 Sender listed at https://www.dnswl.org/, high trust
    RCVD_IN_HOSTKARMA_BL      1.5 Sender listed in HOSTKARMA-BLACK
    RCVD_IN_MSPIKE_H2      -0.001 Average reputation (+2)
    RCVD_IN_VALIDITY_RPBL   1.284 Relay in Validity RPBL, https://senderscore.org/blocklistlookup/
    RDNS_NONE               1.274 Delivered to internal network by a host with no rDNS
    SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
    SPF_NONE                0.001 SPF: sender does not publish an SPF Record
    SPOOFED_FREEMAIL_NO_RDNS  1.499 From SPOOFED_FREEMAIL and no rDNS
-----
I put the domain 126.com on the blacklist, but as far as I can see PMG is looking at the Sender, which is different every time.
I would like to put it on the blacklist so it will not end up in the spam quarantine.
Thank you.
P.S. Can I force it to look at a different header, Reply-To or From?
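To see concretely which header carries which domain in messages like the ones quoted above, here is an added example in Python (not Proxmox Mail Gateway code, and not a statement of how PMG's blacklist matches internally). It embeds a trimmed, constructed copy of the two header sets from this thread, reports the 2nd-level domain found in From, Sender, Reply-To and Return-Path, checks which of those headers a given blocklist entry would hit, and flags the From-versus-envelope mismatch that the FREEMAIL_FORGED_FROMDOMAIN / HEADER_FROM_DIFFERENT_DOMAINS rules in the spam report describe. The function names and the blocklist set are assumptions made for the example.

```python
"""Which address header does a domain blocklist entry actually match?

Added example for this thread (not PMG code). Sample headers below are
trimmed, constructed copies of the two messages quoted in the thread.
"""
import email
from email.utils import parseaddr

# Constructed sample 1: From/Reply-To on 126.com, Sender on a different domain.
MSG1 = """\
Received: from vps33729 ([127.0.0.1]) by localhost via TCP with ESMTPA; Wed, 29 Sep 2021 21:08:05 +0800
MIME-Version: 1.0
From: Kevin <huixin1266@126.com>
Sender: Kevin <adpfiip@ujub.com>
To: xxxxx
Reply-To: Kevin <huixin1266@126.com>
Date: 29 Sep 2021 21:08:05 +0800
Content-Type: text/html; charset=utf-8

"""

# Constructed sample 2: From on 126.com, Sender and envelope sender on unicam.it.
MSG2 = """\
Return-Path: caeneioocp@unicam.it
Received: from places-nl.mail.protection.outlook.com (unknown [119.122.90.243])
    by pmg.xxxxx.local (Proxmox) with ESMTP id 2E311420DA
    for <xxxxxx>; Thu, 30 Sep 2021 08:43:35 +0300 (EEST)
Date: Thu, 30 Sep 2021 13:43:27 +0800 (CST)
From: smile668899 <smile668899@126.com>
Sender: caeneioocp <caeneioocp@unicam.it>
To: xxxxx <xxxxxxxx>
Content-Type: text/html; charset=UTF-8

"""

# Headers that identify who a message claims to come from (assumed list for the example).
SENDER_HEADERS = ("From", "Sender", "Reply-To", "Return-Path")


def second_level(domain: str) -> str:
    """Reduce 'mail.example.co' style hostnames to their last two labels."""
    return ".".join(domain.lower().split(".")[-2:])


def address_domains(raw: str) -> dict:
    """Map each sender-identifying header to its 2nd-level domain, or None if the header is absent."""
    msg = email.message_from_string(raw)
    domains = {}
    for name in SENDER_HEADERS:
        value = msg.get(name)
        if value is None:
            domains[name] = None
            continue
        _display, addr = parseaddr(value)
        domain = addr.rpartition("@")[2]
        domains[name] = second_level(domain) if domain else None
    return domains


def blocklist_hits(raw: str, blocked: set) -> set:
    """Return the set of header names whose domain appears in the blocklist.

    A blocklist keyed on the Sender/envelope domain only hits when that
    header's domain is listed; a From-keyed rule is needed to hit 126.com here.
    """
    blocked = {second_level(d) for d in blocked}
    return {name for name, dom in address_domains(raw).items() if dom in blocked}


def from_domain_mismatch(raw: str) -> bool:
    """True when the From domain differs from the Sender or Return-Path domain.

    This is the condition the HEADER_FROM_DIFFERENT_DOMAINS style rules look
    for; a mismatch on its own is only a scoring signal, not proof of spam.
    """
    dom = address_domains(raw)
    envelope_like = [dom[h] for h in ("Sender", "Return-Path") if dom[h]]
    return bool(dom["From"]) and any(dom["From"] != d for d in envelope_like)


if __name__ == "__main__":
    for label, raw in (("message 1", MSG1), ("message 2", MSG2)):
        print(label, address_domains(raw))
        print("  hits for blocklist {126.com}:", blocklist_hits(raw, {"126.com"}))
        print("  From/envelope mismatch:", from_domain_mismatch(raw))
```

Running it shows that for both messages only the From (and, in the first, Reply-To) header carries 126.com, while Sender and Return-Path change per message, which is why a rule keyed on the Sender domain never matches.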
Today another one came:
Delivered-To: xxxxxxx
Return-Path: caeneioocp@unicam.it
Received-SPF: softfail (unicam.it: Sender is not authorized by default to use 'caeneioocp@unicam.it' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanism '~all' matched)) receiver=pmg.xxxx.local; identity=mailfrom; envelope-from="caeneioocp@unicam.it"; helo=places-nl.mail.protection.outlook.com; client-ip=119.122.90.243
Received: from places-nl.mail.protection.outlook.com (unknown [119.122.90.243])
    by pmg.xxxxx.local (Proxmox) with ESMTP id 2E311420DA
    for <xxxxxx>; Thu, 30 Sep 2021 08:43:35 +0300 (EEST)
Date: Thu, 30 Sep 2021 13:43:27 +0800 (CST)
From: smile668899 <smile668899@126.com>
Sender: caeneioocp <caeneioocp@unicam.it>
To: xxxxx <xxxxxxxx>
Message-ID: <888034936.2031130.1632980607421@places-nl.mail.protection.outlook.com>
subject: **SPAM** **SPAM** Re: Introduce DPF Cleaning to your business with excellent
         profits!!
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-SPAM-LEVEL: Spam detection results:  9
    DEAR_FRIEND             2.604 Dear Friend? That's not very dear!
    FREEMAIL_FORGED_FROMDOMAIN  0.249 2nd level domains in From and EnvelopeFrom freemail headers are different
    FREEMAIL_FROM           0.001 Sender email is commonly abused enduser mail provider
    HEADER_FROM_DIFFERENT_DOMAINS  0.249 From and EnvelopeFrom 2nd level mail domains are different
    HTML_MESSAGE            0.001 HTML included in message
    HTML_MIME_NO_HTML_TAG   0.635 HTML-only message, but there is no HTML tag
    KAM_DMARC_NONE           0.25 DKIM has Failed or SPF has failed on the message and the domain has no DMARC policy
    KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
    MIME_HTML_ONLY            0.1 Message only has text/html MIME parts
    RCVD_IN_HOSTKARMA_BL      1.5 Sender listed in HOSTKARMA-BLACK
    RDNS_NONE               1.274 Delivered to internal network by a host with no rDNS
    SPF_SOFTFAIL            0.972 SPF: sender does not match SPF record (softfail)
    SPOOFED_FREEMAIL_NO_RDNS  1.499 From SPOOFED_FREEMAIL and no rDNS
    T_SPF_HELO_TEMPERROR     0.01 SPF: test of HELO record failed (temperror)
I am seeing an increase in this kind of spam, and some differ from 126.com. But the main logic is that Sender/From are different, and PMG is seeing only Sender and not From. On blacklist WHO