frustration with PMG feels like it doesn't work.

The Tracking Center uses the syslog (/var/log/syslog) as source. If you want to look something up, look in there (it goes as far back as /var/log/syslog.31.gz if available).

Regarding domains added, they will only match that exact domain and no subdomains. If you want to match all possible subdomains, you can add an additional simple regex like .*@.*\.<domain>, e.g. for your abideedict.com domain: .*@.*\.abideedict\.com.
This matches an arbitrary character (.) zero or more times (*) in the local part (before the @) as well as an arbitrary character zero or more times before matching .abideedict.com. The dot has to be escaped (\.) so that it matches a literal dot, otherwise it would match any character.
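
An added example, not part of the original post: a Python sketch that pulls envelope senders out of postfix/qmgr syslog lines and checks which of them an exact-domain entry and the subdomain regex would cover. The log lines are constructed, the function names are hypothetical, and the matching (regex anchored at both ends, case-insensitive) is an assumption about how the entries are applied, not PMG's own code.

```python
import re

# Constructed sample lines in the postfix/qmgr syslog format.
SAMPLE_SYSLOG = """\
Oct  5 21:14:16 mgw postfix/qmgr[1163]: 1A2B3C4D5E: from=<news@abideedict.com>, size=865, nrcpt=1 (queue active)
Oct  5 21:15:02 mgw postfix/qmgr[1163]: 2B3C4D5E6F: from=<NoReply@xyz.abideedict.com>, size=901, nrcpt=1 (queue active)
Oct  5 21:16:40 mgw postfix/qmgr[1163]: 3C4D5E6F70: from=<info@a.b.abideedict.com>, size=777, nrcpt=1 (queue active)
Oct  5 21:17:11 mgw postfix/qmgr[1163]: 4D5E6F7081: from=<bob@notabideedict.com>, size=640, nrcpt=1 (queue active)
Oct  5 21:18:29 mgw postfix/qmgr[1163]: 5E6F708192: from=<eve@abideedict.com.example.net>, size=512, nrcpt=1 (queue active)
"""

SUBDOMAIN_RX = r".*@.*\.abideedict\.com"   # regex from the post above
UNESCAPED_RX = r".*@.*.abideedict.com"     # same regex with the dots left unescaped

QMGR_FROM = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-F]+): from=<([^>]*)>")


def envelope_senders(syslog_text):
    """Return (queue_id, envelope_sender) pairs found in qmgr lines."""
    return QMGR_FROM.findall(syslog_text)


def matches_rule(sender, exact_domains=(), regexes=()):
    """Emulate the two entry kinds: exact domain, or whole-address regex.

    Assumption: a regex must match the full address, case-insensitively.
    """
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in (d.lower() for d in exact_domains):
        return True
    return any(re.fullmatch(rx, sender, re.IGNORECASE) for rx in regexes)


def coverage(syslog_text, exact_domains=(), regexes=()):
    """Map every envelope sender in the log to True/False for the rule set."""
    return {sender: matches_rule(sender, exact_domains, regexes)
            for _, sender in envelope_senders(syslog_text)}


if __name__ == "__main__":
    rules = dict(exact_domains=["abideedict.com"], regexes=[SUBDOMAIN_RX])
    for sender, hit in coverage(SAMPLE_SYSLOG, **rules).items():
        print(f"{'MATCH' if hit else 'miss ':5}  {sender}")
```

The exact-domain entry alone misses the subdomain senders, the regex alone misses the bare domain, and the unescaped variant also matches bob@notabideedict.com, which is why the post asks for both entries and for escaped dots.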
 
Hello,

After looking in the email for the sender's email address domain in /var/log/mail.log, @mira said to check in /var/log/syslog and I do find the sender's address domain. (See log entries below.)

Now we have had at least 12 go through, and I'm trying to understand what I can do to stop that.
From what I can tell on these entries 3 were delivered, and 1 was RBL rejected.

I tried to associate the IDs from the queue information at the bottom without success.

I can't find the information in the tracking log.
I have attached 2 of these sender message headers.
I have also attached my rules and Objects.

What is the best method for me to block these?

Thank you!

Code:
Oct  5 20:55:02 mgw pmg-smtp-filter[6474]: WARNING: ^* matches null string many times in regex; marked by <-- HERE in m/^* <-- HERE \.mediaware-news\.com$/ at /usr/share/perl5/PMG/RuleDB/WhoRegex.pm line 90.
Oct  5 20:56:25 mgw pmg-smtp-filter[6578]: WARNING: ^* matches null string many times in regex; marked by <-- HERE in m/^* <-- HERE \.mediaware-news\.com$/ at /usr/share/perl5/PMG/RuleDB/WhoRegex.pm line 90.
Oct  5 20:57:15 mgw pmg-smtp-filter[6474]: WARNING: ^* matches null string many times in regex; marked by <-- HERE in m/^* <-- HERE \.mediaware-news\.com$/ at /usr/share/perl5/PMG/RuleDB/WhoRegex.pm line 90.
Oct  5 20:58:06 mgw pmg-smtp-filter[6578]: WARNING: ^* matches null string many times in regex; marked by <-- HERE in m/^* <-- HERE \.mediaware-news\.com$/ at /usr/share/perl5/PMG/RuleDB/WhoRegex.pm line 90.
Oct  5 20:59:50 mgw pmg-smtp-filter[6474]: WARNING: ^* matches null string many times in regex; marked by <-- HERE in m/^* <-- HERE \.mediaware-news\.com$/ at /usr/share/perl5/PMG/RuleDB/WhoRegex.pm line 90.
Oct  5 21:01:13 mgw pmg-smtp-filter[6578]: WARNING: ^* matches null string many times in regex; marked by <-- HERE in m/^* <-- HERE \.mediaware-news\.com$/ at /usr/share/perl5/PMG/RuleDB/WhoRegex.pm line 90.
Oct  5 21:02:44 mgw pmg-smtp-filter[6474]: WARNING: ^* matches null string many times in regex; marked by <-- HERE in m/^* <-- HERE \.mediaware-news\.com$/ at /usr/share/perl5/PMG/RuleDB/WhoRegex.pm line 90.
Oct  5 21:03:15 mgw pmg-smtp-filter[6578]: WARNING: ^* matches null string many times in regex; marked by <-- HERE in m/^* <-- HERE \.mediaware-news\.com$/ at /usr/share/perl5/PMG/RuleDB/WhoRegex.pm line 90.
Oct  5 21:03:43 mgw pmg-smtp-filter[6474]: WARNING: ^* matches null string many times in regex; marked by <-- HERE in m/^* <-- HERE \.mediaware-news\.com$/ at /usr/share/perl5/PMG/RuleDB/WhoRegex.pm line 90.
Oct  5 21:03:51 mgw pmg-smtp-filter[6578]: WARNING: ^* matches null string many times in regex; marked by <-- HERE in m/^* <-- HERE \.mediaware-news\.com$/ at /usr/share/perl5/PMG/RuleDB/WhoRegex.pm line 90.
Oct  5 21:03:59 mgw pmg-smtp-filter[6474]: WARNING: ^* matches null string many times in regex; marked by <-- HERE in m/^* <-- HERE \.mediaware-news\.com$/ at /usr/share/perl5/PMG/RuleDB/WhoRegex.pm line 90.
Oct  5 21:05:34 mgw pmg-smtp-filter[6578]: WARNING: ^* matches null string many times in regex; marked by <-- HERE in m/^* <-- HERE \.mediaware-news\.com$/ at /usr/share/perl5/PMG/RuleDB/WhoRegex.pm line 90.
Oct  5 21:06:44 mgw pmg-smtp-filter[6474]: WARNING: ^* matches null string many times in regex; marked by <-- HERE in m/^* <-- HERE \.mediaware-news\.com$/ at /usr/share/perl5/PMG/RuleDB/WhoRegex.pm line 90.
Oct  5 21:08:18 mgw pmg-smtp-filter[6578]: WARNING: ^* matches null string many times in regex; marked by <-- HERE in m/^* <-- HERE \.mediaware-news\.com$/ at /usr/share/perl5/PMG/RuleDB/WhoRegex.pm line 90.
Oct  5 21:08:25 mgw pmg-smtp-filter[6474]: WARNING: ^* matches null string many times in regex; marked by <-- HERE in m/^* <-- HERE \.mediaware-news\.com$/ at /usr/share/perl5/PMG/RuleDB/WhoRegex.pm line 90.
Oct  5 21:08:37 mgw pmg-smtp-filter[6578]: WARNING: ^* matches null string many times in regex; marked by <-- HERE in m/^* <-- HERE \.mediaware-news\.com$/ at /usr/share/perl5/PMG/RuleDB/WhoRegex.pm line 90.
Oct  5 21:08:52 mgw pmg-smtp-filter[6474]: WARNING: ^* matches null string many times in regex; marked by <-- HERE in m/^* <-- HERE \.mediaware-news\.com$/ at /usr/share/perl5/PMG/RuleDB/WhoRegex.pm line 90.
Oct  5 21:09:50 mgw pmg-smtp-filter[6578]: WARNING: ^* matches null string many times in regex; marked by <-- HERE in m/^* <-- HERE \.mediaware-news\.com$/ at /usr/share/perl5/PMG/RuleDB/WhoRegex.pm line 90.
Oct  5 21:09:50 mgw pmg-smtp-filter[6474]: WARNING: ^* matches null string many times in regex; marked by <-- HERE in m/^* <-- HERE \.mediaware-news\.com$/ at /usr/share/perl5/PMG/RuleDB/WhoRegex.pm line 90.
Oct  5 21:10:39 mgw pmg-smtp-filter[6880]: WARNING: ^* matches null string many times in regex; marked by <-- HERE in m/^* <-- HERE \.mediaware-news\.com$/ at /usr/share/perl5/PMG/RuleDB/WhoRegex.pm line 90.
Oct  5 21:11:01 mgw pmg-smtp-filter[6578]: WARNING: ^* matches null string many times in regex; marked by <-- HERE in m/^* <-- HERE \.mediaware-news\.com$/ at /usr/share/perl5/PMG/RuleDB/WhoRegex.pm line 90.
Oct  5 21:11:18 mgw pmg-smtp-filter[6880]: WARNING: ^* matches null string many times in regex; marked by <-- HERE in m/^* <-- HERE \.mediaware-news\.com$/ at /usr/share/perl5/PMG/RuleDB/WhoRegex.pm line 90.
Oct  5 21:11:22 mgw pmg-smtp-filter[6578]: WARNING: ^* matches null string many times in regex; marked by <-- HERE in m/^* <-- HERE \.mediaware-news\.com$/ at /usr/share/perl5/PMG/RuleDB/WhoRegex.pm line 90.
Oct  5 21:11:38 mgw pmg-smtp-filter[6880]: WARNING: ^* matches null string many times in regex; marked by <-- HERE in m/^* <-- HERE \.mediaware-news\.com$/ at /usr/share/perl5/PMG/RuleDB/WhoRegex.pm line 90.
Oct  5 21:12:09 mgw pmg-smtp-filter[6578]: WARNING: ^* matches null string many times in regex; marked by <-- HERE in m/^* <-- HERE \.mediaware-news\.com$/ at /usr/share/perl5/PMG/RuleDB/WhoRegex.pm line 90.
Oct  5 21:14:16 mgw postfix/qmgr[1163]: 1877880792: from=<NoReply@xyz.mediaware-news.com>, size=865, nrcpt=1 (queue active)
Oct  6 11:54:08 mgw postfix/qmgr[1163]: 0555B8002D: from=<NoReply@xyz.mediaware-news.com>, size=865, nrcpt=1 (queue active)
Oct 12 16:08:35 mgw postfix/qmgr[18663]: 263848168A: from=<NoReply@xyz.mediaware-news.com>, size=916, nrcpt=1 (queue active)
Oct 29 15:54:45 mgw named[564]: REFUSED unexpected RCODE resolving 'mediaware-news.com.multi.surbl.org/A/IN': 157.131.0.15#53
 

Attachments

  • mediaware-1.txt (8.4 KB)
  • mediaware-2.txt (8.4 KB)
  • Current Rules.png (105.7 KB)
  • Current Object.png (118 KB)

From my understanding and experience using PMG,
1. Who object regex/domain/email refers to the Return-Path: in the email.
2. To filter From:/To:/Subject:, use the What object match field.

Btw, based on your log, it seems your regex is not compatible with PMG.

Code:
Delivered-To: susan@mydomain.com
Return-Path: bounce-mc.us3_120957722.4170397-4358a67894@mail86.suw15.mcsv.net
Received-SPF: pass (mail86.suw15.mcsv.net: 198.2.182.86 is authorized to use 'bounce-mc.us3_120957722.#-4358a67894@mail86.suw15.mcsv.net' in 'mfrom' identity (mechanism 'ip4:198.2.182.86' matched)) receiver=pmg.mydomain.com; identity=mailfrom; envelope-from="bounce-mc.us3_120957722.#-4358a67894@mail86.suw15.mcsv.net"; helo=mail86.suw15.mcsv.net; client-ip=198.2.182.86
Received: from mail86.suw15.mcsv.net (mail86.suw15.mcsv.net [198.2.182.86])
    by pmg.mydomain.com (Proxmox) with ESMTP
    for <susan@mydomain.com>; Sat, 14 Nov 2020 07:01:13 +0800 (+08)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchimpapp.net;
    s=k2; t=1605308456; i=myankiastore=3Dhotmail.com@mailchimpapp.net;
    bh=SmqeTARwW1RpJ4xmDJBQeH2e1UfcwWnd1AGiwpxUPMs=;
    h=Subject:From:Reply-To:To:Date:Message-ID:List-ID:List-Unsubscribe:
     Content-Type:MIME-Version;
    b=vPsPHQcYhdw/u5J8Vh/r9ZrcqWrI1ip/s+B7Y6t/+VlsmhczIhW5msdrOGYa105vS
     NRBSqQ8YfhGQhyg1OmAAReBJ+nnMy9CMcTAhUWcBnY++r+8ftSDfhZnffs7ByCwqOj
     egg6yYa5JnoQ7BFBPbodrI6WCViPlC0GDKq7ZLK/AkM/E0ypUFDZ8c5j05hm9vw5id
     mU9jgI4fTuJrX8inzsRthTUst7Riq/Mzey0DTjhpDFI/QvKQu4rhjUdRkwU+uxQzUZ
     jzugODj8uugHgx2+WPb6tz62YL7DMnQV1xeQ85R74g7DlZvvViOLq82gByqdAhv9VE
     0sTOLw7McPESw==
Received: from localhost (localhost [127.0.0.1])
    by mail86.suw15.mcsv.net (Mailchimp) with ESMTP id 4CXv8S6fPZzPm1Wq6
    for <susan@mydomain.com>; Fri, 13 Nov 2020 23:00:56 +0000 (GMT)
Subject: =?utf-8?Q?Lemongor=20|=20New=20Arrivals?=
From: =?utf-8?Q?Yankia?= <myankiastore@hotmail.com>
Reply-To: =?utf-8?Q?Yankia?= <myankiastore@hotmail.com>
To: <susan@mydomain.com>
Date: Fri, 13 Nov 2020 23:00:45 +0000
Message-ID: <9bba2679ff2cb23ef31f43d72.4358a67894.20201113230033.7b2fea9f8a.9673d42a@mail86.suw15.mcsv.net>
X-Mailer: MailChimp Mailer - **CID7b2fea9f8a4358a67894**
X-Campaign: mailchimp9bba2679ff2cb23ef31f43d72.7b2fea9f8a
X-campaignid: mailchimp9bba2679ff2cb23ef31f43d72.7b2fea9f8a
X-Report-Abuse: Please report abuse for this campaign here: https://mailchimp.com/contact/abuse/?u=9bba2679ff2cb23ef31f43d72&id=7b2fea9f8a&e=4358a67894
X-MC-User: 9bba2679ff2cb23ef31f43d72
Feedback-ID: 120957722:120957722.4170397:us3:mc
List-ID: 9bba2679ff2cb23ef31f43d72mc list <9bba2679ff2cb23ef31f43d72.642909.list-id.mcsv.net>
X-Accounttype: pd
List-Unsubscribe: <https://yankia.us3.list-manage.com/unsubscribe?u=9bba2679ff2cb23ef31f43d72&id=972ed00da4&e=4358a67894&c=7b2fea9f8a>, <mailto:unsubscribe-mc.us3_9bba2679ff2cb23ef31f43d72.7b2fea9f8a-4358a67894@mailin.mcsv.net?subject=unsubscribe>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Content-Type: multipart/alternative; boundary="_----------=_MCPart_1003853843"
MIME-Version: 1.0
X-SPAM-LEVEL: Spam detection results:  2
    AWL                    -0.867 Adjusted score from AWL reputation of From: address
    BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
    DKIM_SIGNED               0.1 Message has a DKIM or DK signature, not necessarily valid
    DKIM_VALID               -0.1 Message has at least one valid DKIM or DK signature
    FORGED_HOTMAIL_RCVD2    0.874 hotmail.com 'From' address, but no 'Received:'
    FREEMAIL_FORGED_FROMDOMAIN  0.249 2nd level domains in From and EnvelopeFrom freemail headers are different
    FREEMAIL_FROM           0.001 Sender email is commonly abused enduser mail provider
    HEADER_FROM_DIFFERENT_DOMAINS   0.25 From and EnvelopeFrom 2nd level mail domains are different
    HTML_IMAGE_RATIO_04     0.001 HTML has a low ratio of text to image area
    HTML_MESSAGE            0.001 HTML included in message
    JMQ_SPF_NEUTRAL           0.5 SPF set to ?all
    LIST_UNSUB                  1 Mailinglist/Newsletter emails
    MIME_QP_LONG_LINE       0.001 Quoted-printable line longer than 76 chars
    RCVD_IN_DNSWL_NONE     -0.0001 Sender listed at https://www.dnswl.org/, no trust
    RCVD_IN_MSPIKE_H2      -0.001 Average reputation (+2)
    SPAM_LINK_1                 1 Spam link 1
    SPF_HELO_PASS          -0.001 SPF: HELO matches SPF record
    SPF_PASS               -0.001 SPF: sender matches SPF record
    SUBJ_UTF8                   1 Subject with UTF-8 encoding
    URIBL_GREY              0.424 Contains an URL listed in the URIBL greylist [list-manage.com]
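
An added example, not part of the original post, applying the distinction described above to the sample message: it extracts the envelope sender (Return-Path) and the header senders and reports where a given domain actually appears. The mapping of headers to object types follows the post's description and is an assumption, not taken from PMG's source; the function names are hypothetical.

```python
from email import message_from_string
from email.utils import parseaddr

# Trimmed copy of the sample headers in the post above (sender fields only).
SAMPLE_HEADERS = """\
Return-Path: bounce-mc.us3_120957722.4170397-4358a67894@mail86.suw15.mcsv.net
From: =?utf-8?Q?Yankia?= <myankiastore@hotmail.com>
Reply-To: =?utf-8?Q?Yankia?= <myankiastore@hotmail.com>
To: <susan@mydomain.com>

"""

# Which rule object sees which identity, per the post's description
# (assumption, not taken from PMG's source).
OBJECT_FOR = {
    "Return-Path": "Who object",
    "From": "What object (match field)",
    "Reply-To": "What object (match field)",
}


def sender_identities(raw_headers):
    """Map each sender-related header to its bare, lower-cased address."""
    msg = message_from_string(raw_headers)
    found = {}
    for name in OBJECT_FOR:
        addr = parseaddr(msg.get(name, ""))[1]
        if addr:
            found[name] = addr.lower()
    return found


def in_domain(addr, domain):
    """True if addr belongs to domain or to any of its subdomains."""
    host = addr.rsplit("@", 1)[-1]
    return host == domain or host.endswith("." + domain)


def objects_that_see(raw_headers, domain):
    """List (header, object type) pairs in which the domain appears."""
    return [(name, OBJECT_FOR[name])
            for name, addr in sender_identities(raw_headers).items()
            if in_domain(addr, domain.lower())]


if __name__ == "__main__":
    for dom in ("hotmail.com", "mcsv.net"):
        print(dom, "->", objects_that_see(SAMPLE_HEADERS, dom))
```

For this message, hotmail.com shows up only in From: and Reply-To:, while the envelope sender is under mcsv.net, so a sender-domain entry for hotmail.com would not see it under the behaviour the post describes.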
 
Thanks for the response.
I have some of them as What objects as well; I will need to review.
I'm going to post a different post to confirm the regex I'm using.
That may be a regex we cleaned up to our new simpler formula because the previous ones recommended weren't working.