Custom rule - empty sender orig_client

Items_GmbH

New Member
Mar 8, 2022
Hi

Here is my mail which is obviously spam:

Jul 21 13:20:54 proxima-1 postfix/smtpd[86499]: connect from vps-75623.fhnet.fr[185.41.154.171]
Jul 21 13:20:54 proxima-1 postfix/smtpd[86499]: C3A9A3C0A4F: client=vps-75623.fhnet.fr[185.41.154.171]
Jul 21 13:20:54 proxima-1 postfix/cleanup[86533]: C3A9A3C0A4F: message-id=<oyIcYe430WJD.9ECdyw4u57e2H@mail.shell.de>
Jul 21 13:20:54 proxima-1 postfix/qmgr[898]: C3A9A3C0A4F: from=<>, size=4525, nrcpt=1 (queue active)
Jul 21 13:20:54 proxima-1 pmg-smtp-filter[86179]: 3C104F62D93696CC0D1: new mail message-id=<oyIcYe430WJD.9ECdyw4u57e2H@mail.shell.de>#012
Jul 21 13:20:54 proxima-1 postfix/smtpd[86499]: disconnect from vps-75623.fhnet.fr[185.41.154.171] ehlo=1 mail=1 rcpt=1 bdat=1 quit=1 commands=5
Jul 21 13:20:55 proxima-1 pmg-smtp-filter[86179]: 3C104F62D93696CC0D1: SA score=0/5 time=0.778 bayes=0.00 autolearn=no autolearn_force=no hits=BAYES_00(-1.9),HTML_MESSAGE(0.001),INVALID_DATE(1.096),KAM_DMARC_STATUS(0.01),KAM_QUITE_BAD_DNSWL(3.25),KAM_SHORT(0.001),MIME_HTML_ONLY(0.1),RCVD_IN_BL_SPAMCOP_NET(1.347),RCVD_IN_DNSWL_HI(-5),SPF_HELO_SOFTFAIL(0.732),TO_EQ_FM_DIRECT_MX(1),T_REMOTE_IMAGE(0.01),URIBL_BLOCKED(0.001)
Jul 21 13:20:55 proxima-1 postfix/smtpd[86539]: connect from localhost.localdomain[127.0.0.1]
Jul 21 13:20:55 proxima-1 postfix/smtpd[86539]: 9DFD03C1052: client=localhost.localdomain[127.0.0.1], orig_client=vps-75623.fhnet.fr[185.41.154.171]
Jul 21 13:20:55 proxima-1 postfix/cleanup[86533]: 9DFD03C1052: message-id=<oyIcYe430WJD.9ECdyw4u57e2H@mail.shell.de>
Jul 21 13:20:55 proxima-1 postfix/qmgr[898]: 9DFD03C1052: from=<>, size=5869, nrcpt=1 (queue active)
Jul 21 13:20:55 proxima-1 postfix/smtpd[86539]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Jul 21 13:20:55 proxima-1 pmg-smtp-filter[86179]: 3C104F62D93696CC0D1: accept mail to <xxxxx> (9DFD03C1052) (rule: default-accept)
Jul 21 13:20:55 proxima-1 pmg-smtp-filter[86179]: 3C104F62D93696CC0D1: processing time: 0.816 seconds (0.778, 0.024, 0)
Jul 21 13:20:55 proxima-1 postfix/lmtp[86534]: C3A9A3C0A4F: to=<xxxxx>, relay=127.0.0.1[127.0.0.1]:10024, delay=1, delays=0.22/0/0/0.82, dsn=2.5.0, status=sent (250 2.5.0 OK (3C104F62D93696CC0D1))
Jul 21 13:20:55 proxima-1 postfix/qmgr[898]: C3A9A3C0A4F: removed
Jul 21 13:20:56 proxima-1 postfix/smtp[86540]: 9DFD03C1052: to=<xxxxx>, relay=xxxx.xxxxx.de[IPv4]:25, delay=0.55, delays=0/0/0.24/0.31, dsn=2.6.0, status=sent (250 2.6.0 <oyIcYe430WJD.9ECdyw4u57e2H@mail.shell.de> [InternalId=26091926323223, Hostname=xxxxx.xxxxxx.de] 7597 bytes in 0.239, 30,925 KB/sec Queued mail for delivery)
Jul 21 13:20:56 proxima-1 postfix/qmgr[898]: 9DFD03C1052: removed


I really wonder why this mail wasn't filtered. Any ideas?
 
Thanks
My Bayes was enabled, DNSBL already working with this config:
[attached screenshot: DNSBL configuration]
I'll monitor the behavior for a while
 
My Bayes was enabled, DNSBL already working with this config:
As written in the getting started page, I would disable Bayes (not enable it; see the SpamAssassin hits of the mail in question).
Also, the dnsbl_sites are not really related to hitting the URIBL rate limit (URIBL_BLOCKED above).

I hope this explains it
 
DNSBL will not work if the sender server (185.41.154.171) is not blacklisted.
Again, it is important to set up a local resolver/DNS service if you are using DNSBL.

I think the main issue is RCVD_IN_DNSWL_HI(-5).
If you notice many false positives from this SA score, try modifying the default -5 score under Spam Detector -> Custom Scores.

https://www.linode.com/community/questions/21413/rcvd_in_dnswl_hi-false-positives
https://www.intra2net.com/en/support/antispam/blacklist.php_dnsbl=rcvd_in_dnswl_hi.html
https://www.intra2net.com/en/support/antispam/index.php
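The two suggestions in this thread (disable Bayes, or change the RCVD_IN_DNSWL_HI score under Custom Scores) can be checked against the numbers in the log before touching the configuration. The script below is an added example, not code from the original post or from Proxmox Mail Gateway: it parses the pmg-smtp-filter "SA score=" line quoted above (embedded here as a constructed copy of that line), sums the per-rule scores, and recomputes the total under each proposed change. It assumes that the SpamAssassin total is the plain sum of the listed hit scores (which it is) and that the `overrides` dict stands in for the Custom Scores setting; the function names are the example's own.

```python
import re

# Constructed sample: the pmg-smtp-filter line from the thread, copied verbatim.
SAMPLE_LOG_LINE = (
    "Jul 21 13:20:55 proxima-1 pmg-smtp-filter[86179]: 3C104F62D93696CC0D1: "
    "SA score=0/5 time=0.778 bayes=0.00 autolearn=no autolearn_force=no "
    "hits=BAYES_00(-1.9),HTML_MESSAGE(0.001),INVALID_DATE(1.096),KAM_DMARC_STATUS(0.01),"
    "KAM_QUITE_BAD_DNSWL(3.25),KAM_SHORT(0.001),MIME_HTML_ONLY(0.1),RCVD_IN_BL_SPAMCOP_NET(1.347),"
    "RCVD_IN_DNSWL_HI(-5),SPF_HELO_SOFTFAIL(0.732),TO_EQ_FM_DIRECT_MX(1),T_REMOTE_IMAGE(0.01),"
    "URIBL_BLOCKED(0.001)"
)

# One hit looks like RULE_NAME(score); the score may be negative or fractional.
HIT_RE = re.compile(r"([A-Z0-9_]+)\(([-+]?\d+(?:\.\d+)?)\)")
# The logged total is printed as an integer next to the spam threshold.
SCORE_RE = re.compile(r"SA score=(-?\d+)/(\d+)")


def parse_sa_line(line):
    """Return (reported_score, threshold, {rule: score}) for a pmg-smtp-filter SA line."""
    m = SCORE_RE.search(line)
    if not m:
        raise ValueError("not a pmg-smtp-filter 'SA score=' line")
    hits_part = line.split("hits=", 1)[1] if "hits=" in line else ""
    hits = {name: float(val) for name, val in HIT_RE.findall(hits_part)}
    return int(m.group(1)), int(m.group(2)), hits


def rescore(hits, overrides=None, drop=()):
    """Sum the hits after applying custom scores (overrides) and removing rules in drop.

    overrides models Spam Detector -> Custom Scores (hypothetical stand-in);
    drop models rules that would not fire at all, e.g. BAYES_* with Bayes disabled.
    """
    overrides = overrides or {}
    total = 0.0
    for rule, score in hits.items():
        if rule in drop:
            continue
        total += overrides.get(rule, score)
    return round(total, 3)


def is_spam(hits, threshold, overrides=None, drop=()):
    """True if the recomputed score reaches the logged spam threshold."""
    return rescore(hits, overrides, drop) >= threshold


def top_contributors(hits, n=3):
    """Rules sorted by absolute weight, to see what dominates the verdict."""
    return sorted(hits.items(), key=lambda kv: abs(kv[1]), reverse=True)[:n]


if __name__ == "__main__":
    reported, threshold, hits = parse_sa_line(SAMPLE_LOG_LINE)
    print(f"logged score {reported}/{threshold}, exact sum {rescore(hits)}")
    print("largest contributors:", top_contributors(hits))
    print("with RCVD_IN_DNSWL_HI set to 0:",
          rescore(hits, overrides={"RCVD_IN_DNSWL_HI": 0.0}))
    print("with Bayes disabled (BAYES_00 gone):",
          rescore(hits, drop=("BAYES_00",)))
    print("both:", rescore(hits, overrides={"RCVD_IN_DNSWL_HI": 0.0}, drop=("BAYES_00",)))
```

For this message the hits add up to 0.648, which the log prints as 0/5. Zeroing RCVD_IN_DNSWL_HI alone lifts it to 5.648, past the threshold; dropping BAYES_00 alone only reaches 2.548. The script only reads a log line, so it is safe to run against any pmg-smtp-filter entry before changing a score in production.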