Frustration in not being able to simply whitelist a property!

Hello All,

First, I apologize for being negative, but every time I work on these types of issues and ask for assistance, I end up in the same place which is without a resolution that works.

I'm trying to whitelist a domain, so I add it simply to one of the whitelists under domain...
That didn't work.
I add the same domain, but use the entire email address instead of the domain option in the whitelist...
That didn't work.
Then I'm told add it under Mail Proxy -> whitelist, I add the email address...
That didn't work.
Then I create another whitelist object, add the domain.... ( so there are 2 whitelists with the domain )
That didn't work.

As you can see from the images, I have put this in several areas to try and allow these messages to flow, and as you can see from the spam quarantine page, they continue to get quarantined.

I have included a screenshot of my action objects, showing that all the whitelists come before the blocks.

I don't want to sit there every time and try 50 things, create regex formulas and do all this crazy stuff ( which I have done ) to get the same result.

I need to have a surefire method that if I want to block or whitelist a domain, you simply type in the domain and walk away with confidence that it will simply work.
YES, I get that it's not always the sender, or the from etc, but I'm matching too many criteria here that these messages should go through.

I appreciate any solid information that will help me to accomplish this without having to do a huge song and dance each time, and still not getting the result I'm looking for.

Thanks!
 

Attachments: 1.jpg.png, 2.png, 3.png, 4.png, 5.png
Attach the spam email in raw format. I want to see the header tag info.
You can change the important data before attaching the info.
 
I have changed the recipient's email address, my pmg name, and the sender email address, everything else is intact.
One other note, this is NOT spam, but a good email we were trying to whitelist.
The real sender domain is the m------.ai with the middle hyphenated.

Thanks!

Code:
Delivered-To: maria.user-name@customer-domain
Return-Path: bounces+16163398-5334-maria.user-name=customer-domain@sendgrid.net
Received: from o2.3nn.shared.sendgrid.net (o2.3nn.shared.sendgrid.net [167.89.100.130])
    by mgw.proxmoxserver.net (Proxmox) with ESMTPS id 92F58826E2
    for <maria.user-name@customer-domain>; Thu,  8 Jul 2021 18:47:41 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sendgrid.net;
    h=content-transfer-encoding:content-type:from:mime-version:subject:to;
    s=smtpapi; bh=AkpsDJLkJ4CADUSrd4B6TjeWf0YIYjNMNiQMrQtK8IY=;
    b=molUwCZPuf893U59fi/rc8/lVBnQjjojclZm3LmiEcMYMIykQkcky3VODIDkWxY7A3FV
    9xg/xVXflRQZv41LaqBt7ONC43HwQdc6fFMJuDDXUf91kVOo1TNs5c/CBCSOT7kPYJVFBd
    fgEQJNQe7qKH99u7ijaEx/UqvZM3zJiHc=
Received: by filterdrecv-559b45695-vb8vs with SMTP id filterdrecv-559b45695-vb8vs-1-60E7808D-3
        2021-07-08 22:47:41.051811162 +0000 UTC m=+100682.025062408
Received: from MTYxNjMzOTg (unknown)
    by ismtpd0180p1mdw1.sendgrid.net (SG)
    with HTTP id rzDAQK_2S_SamlvF5u4QFw
    for <maria.user-name@customer-domain>;
    Thu, 08 Jul 2021 22:47:41.006 +0000 (UTC)
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset=us-ascii
Date: Thu, 08 Jul 2021 22:47:41 +0000 (UTC)
From: noreply@m------.ai
Mime-Version: 1.0
subject: SPAM: Unread conversation!
Message-ID: <rzDAQK_2S_SamlvF5u4QFw@ismtpd0180p1mdw1.sendgrid.net>
X-SG-EID:
 =?us-ascii?Q?lT58ugLK=2FeEakYOTzexAmem6n2Y5YCyO4+TkshKNpwQEqlfeFOkAXYQaESIPkg?=
 =?us-ascii?Q?kmRytWtasngjmSIYZaVMNxzOF2KWykGeCSmsd2J?=
 =?us-ascii?Q?qSiAIpWMssEt2tCbKNBc5QXDCYSzlVqHcE3zNT+?=
 =?us-ascii?Q?BWUH=2FXXF741snLSkUHl=2FarNxAoKevcyrr0js4Qw?=
 =?us-ascii?Q?qFCRxLnnPzKrx6P22IcbOjRkNNtiS=2F+jrYI1ye6?=
 =?us-ascii?Q?3zf8EHxRKFQlfvydc=3D?=
To: maria.user-name@customer-domain
X-Entity-ID: xMZA5JHltpITVBfmeP0eeA==
X-SPAM-LEVEL: Spam detection results:  3
    AWL                     1.074 Adjusted score from AWL reputation of From: address
    BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
    DKIMWL_WL_MED            -0.5 DKIMwl.org - Medium trust sender
    DKIM_SIGNED               0.1 Message has a DKIM or DK signature, not necessarily valid
    DKIM_VALID               -0.1 Message has at least one valid DKIM or DK signature
    DKIM_VALID_EF            -0.1 Message has a valid DKIM or DK signature from envelope-from domain
    HEADER_FROM_DIFFERENT_DOMAINS  0.001 From and EnvelopeFrom 2nd level mail domains are different
    HTML_IMAGE_ONLY_12      2.059 HTML: images with 800-1200 bytes of words
    HTML_MESSAGE            0.001 HTML included in message
    HTML_MIME_NO_HTML_TAG   0.377 HTML-only message, but there is no HTML tag
    KAM_REALLYHUGEIMGSRC      0.5 Spam with image tags with ridiculously huge http urls
    KAM_SENDGRID              1.5 Sendgrid being exploited by scammers
    MIME_HTML_ONLY            0.1 Message only has text/html MIME parts
    RCVD_IN_MSPIKE_H2      -0.001 Average reputation (+2)
    SENDGRID_REDIR          0.001 Redirect URI via Sendgrid
    SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
    SPF_PASS               -0.001 SPF: sender matches SPF record
    URIBL_BLOCKED           0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked.  See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [sendgrid.net,u16163398.ct.sendgrid.net]


<p>Unread conversation pending from PETER lastname in CompanyName. Pl=
ease click <a href=3D"https://u16163398.ct.sendgrid.net/ls/click?upn=3DBlnB=
18c5e0BMK6UQ0qYDeOJUV1hSGKyj0yWlf8RLFLBFUmvGHksidD2xcjFPcM11iygi_V3i-2BNiTc=
UjkfLmlIvQ1AYFUQCB5lYMnLnV3kGXK5bBbjpzrC-2F90J-2FKezA6XEqrZaXCGargMCYQ8RIuu=
hrbrgyANWwCPKTEOi3unO-2BcpMIXFZy80WklTCQUsWlWY9XFSIOUQT2V84oAkmfkKqnijer2ds=
MJuDXryHNM3zKl8z7yywA0Xp5awnVZ93VOD65pCNZ9MOKMGpQfQ-2FUtm8IoqSISiEDjZ5Igca7=
EFpUG7fLfM-3D">here</a> to open the conversation.</p><img src=3D"https://u1=
6163398.ct.sendgrid.net/wf/open?upn=3DcnBBvye119SQwWyIMEaVVG7cjiQOKWFXN6bZb=
-2BGI5vEYUihPULzLHJyw2JGEpUirrq7qHu-2FOUhLMDaQXXwQHY4dez0mh3OBx6eceR7J9oYcx=
OfiC8javh7DTs7D64CeQL1JReSNKej9v39eC9qiuPLFao6siU8VZmM-2FGxOnX4Xl0IeZ-2Fa4E=
ACMiUv6rCwWyOHIe2vG02Wv6EU-2BA42GVJzCxXrHa42uhA7fK5CW7OXDEeoPUs-2FfXgJ2UFHj=
qTMtmn" alt=3D"" width=3D"1" height=3D"1" border=3D"0" style=3D"height:1px =
!important;width:1px !important;border-width:0 !important;margin-top:0 !imp=
ortant;margin-bottom:0 !important;margin-right:0 !important;margin-left:0 !=
important;padding-top:0 !important;padding-bottom:0 !important;padding-righ=
t:0 !important;padding-left:0 !important;"/>
 
According to the mail details you provided, below are a few things I would normally set up to filter it.

1. Who object, domain sendgrid.net. Match the domain name from Return-Path.
2. What object, match field from=noreply@m------.ai.
3. What object, match field subject=(\!|\?|\`)$. It will match all email subjects that end with ! or ?.
4. Create/increase a custom score for KAM_SENDGRID or any other SpamAssassin score you want, to meet your level of spam score.

Again, every spam mail could be unique and you need to study the trend that fits your own situation or environment.
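The mismatch behind items 1 to 3, as an added example that is not part of the original posts: the posted message has a Return-Path in sendgrid.net and a From header in m------.ai, so a sender-domain entry for m------.ai has no envelope address to match. The sketch assumes, as the answer does, that a Who domain object is compared with the Return-Path address; the subdomain matching rule and all function names are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers copied from the message posted in this thread (already redacted there).
RAW = """\
Return-Path: bounces+16163398-5334-maria.user-name=customer-domain@sendgrid.net
From: noreply@m------.ai
subject: SPAM: Unread conversation!
To: maria.user-name@customer-domain

body
"""

# Subject pattern exactly as given in item 3 of the answer.
SUBJECT_RE = re.compile(r"(\!|\?|\`)$")


def domain_of(header_value):
    """Return the lowercased domain part of an address header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def domain_matches(domain, entry):
    """Exact or subdomain match (these matching semantics are an assumption)."""
    entry = entry.lower()
    return domain == entry or domain.endswith("." + entry)


def explain(raw, listed_domain):
    """Show which address a listed domain hits: envelope sender or From header."""
    msg = message_from_string(raw)
    envelope = domain_of(msg["Return-Path"])
    header = domain_of(msg["From"])
    return {
        "envelope_domain": envelope,
        "header_from_domain": header,
        "who_domain_hit": domain_matches(envelope, listed_domain),
        "header_from_hit": domain_matches(header, listed_domain),
        "subject_hit": bool(SUBJECT_RE.search(msg["Subject"] or "")),
    }


if __name__ == "__main__":
    for listed in ("m------.ai", "sendgrid.net"):
        print(listed, explain(RAW, listed))
```

A sendgrid.net entry matches the envelope sender of every SendGrid customer, which is why the answer pairs it with a match on the From header field.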
 