How did that one manage to get past the SPAM filters?!

RollMops

Active Member
Jul 17, 2014
We got 2 identical SPAM mails (same bs, 2 diff. recipients).

How did these [insult goes here] manage to get past the Mail Gateway (which usually filters SPAM very reliably)?
See if you can find the trick they used and eliminate their "backdoor", thanks :)

Possibly this:
"URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [acevoic.today]"
or pretending to be sender and recipient at the same time?

(personal/sensitive data redacted)

Code:
Return-Path: <21665-27645-2215-5131-ion=i***.***@mail.acevoic.today>
X-Original-To: ion@i***.***
Delivered-To: [our.mailserver.host]@localhost.localdomain
Received: from mailgateway.eunoc.net ([proxmox mail gateway hostname].net [185.*.*.*])
    by [our.mailserver.host].net (Postfix) with ESMTPS id 8F3AF1407C6
    for <ion@i***.***>; Mon, 25 Apr 2022 04:36:03 -0400 (EDT)
Authentication-Results: [our.mailserver.host].net;
    dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=acevoic.today header.i=healthydigestion@acevoic.today header.b="qPWryh0y";
    dkim-atps=neutral
Received: from [proxmox mail gateway hostname].net (localhost [127.0.0.1])
    by mailgateway.eunoc.net (Proxmox) with ESMTP id 2BF6460E74
    for <ion@i***.***>; Mon, 25 Apr 2022 10:36:02 +0200 (CEST)
Received-SPF: pass (mail.acevoic.today: 185.28.37.184 is authorized to use '#-#-#-#-ion=i***.***@mail.acevoic.today' in 'mfrom' identity (mechanism 'a' matched)) receiver=mailgateway.eunoc.net; identity=mailfrom; envelope-from="#-#-#-#-ion=i***.***@mail.acevoic.today"; helo=able.acevoic.today; client-ip=185.28.37.184
Received: from able.acevoic.today (unknown [185.28.37.184])
    by mailgateway.eunoc.net (Proxmox) with ESMTP id 31D4B60D3E
    for <ion@i***.***>; Mon, 25 Apr 2022 10:35:56 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1; d=acevoic.today;
 h=Mime-Version:Content-Type:Date:From:Reply-To:Subject:To:Message-ID; i=healthydigestion@acevoic.today;
 bh=6XiX5EI7sRWfa9M/+tOuQWBLdQ4=;
 b=qPWryh0yO8xhKGQ7ZN0xi2t1lx17oCTwdJfXlLJVhWK6C5zZM/eW+ZzWR99pwaMyA3MClW6iUncp
   GW14t+7bFsPMB92L1iQigqlolsTnC7dnZpt+6Mzh/Iba2ZwJAn1uFWKnH8fJ0vl+bLjwrTryK79/
   yLtVVhj/GTpu7yWKqy4=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=k1; d=acevoic.today;
 b=FekLrXdj2kfYDntEsIbHB7lI1PeS5udAJpYLwAx8fFIfcQPlYOMI1v7uYRd3idFzbmLOkqtIjyAc
   XlaDFWbjP0G1vdrB/yg7gW/Qr/OvP8V/PgqRHl5uiTfBFp91u5BX5Wpk8IGTTEKoFXJ7Go+GU5JD
   uGbfgBm6XvtzEIgrW48=;
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="51a44db5a09970d935590cdf0215d48e"
Date: Mon, 25 Apr 2022 10:35:11 +0200
From: "Gastrointestinal Problems" <healthydigestion@acevoic.today>
Reply-To: "Gastrointestinal Problems" <healthydigestion@acevoic.today>
Subject: I Went 20 Days Without Pooping
To: <ion@i***.***>
Message-ID: <1be2w8wjb0hc0230-savag0hiud5uo1ua-8a7@acevoic.today>
X-SPAM-LEVEL: Spam detection results:  2
    AWL                    -0.875 Adjusted score from AWL reputation of From: address
    DKIM_INVALID              0.1 DKIM or DK signature exists, but is not valid
    DKIM_SIGNED               0.1 Message has a DKIM or DK signature, not necessarily valid
    HTML_MESSAGE            0.001 HTML included in message
    KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
    KAM_GENERICHEALTH        1.75 Matches generic health-related advert/blurbs
    MIME_HTML_MOSTLY          0.1 Multipart message mostly text/html MIME
    RDNS_NONE               1.274 Delivered to internal network by a host with no rDNS
    SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
    SPF_PASS               -0.001 SPF: sender matches SPF record
    T_REMOTE_IMAGE           0.01 Message contains an external image
    URIBL_BLOCKED           0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked.  See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [acevoic.today]

--51a44db5a03370d935330cdf0215d48e
Content-Type: text/plain;
Content-Transfer-Encoding: 8bit

This email must be viewed in HTML mode.

--51a44db5c49970d944590cdf0215d48e
Content-Type: text/html;
Content-Transfer-Encoding: 8bit

<html>
<head>
    <title></title>
</head>
<body><a href="http://acevoic.today/MXHMnHdM-O77_RPfGNSO4OSBu6INWSNsEsuy7Ek3nhA1wv"><img border="0" src="http://acevoic.today/-BIM5kV5_RTof6YKeJTBy_ZKypBhEWN-1Uuu2Epnh3YUo7" /> </a><br />
&nbsp;
<table align="center" border="0" cellpadding="4" cellspacing="4" style="font-family: Gotham, 'Helvetica Neue', Helvetica, Arial, sans-serif; border:solid 1px #F2AC5E; box-shadow:0px 0px 10px 10px #F2AC5E;" width="611">
    <tbody>
        <tr>
            <td style="padding:0px; margin:0px; line-height:6px; font-size:5px; background-color:#F2AC5E">&nbsp;</td>
        </tr>
        <tr>
            <td align="left">
            <p>Scientists have just discovered constipation is NOT the result of a bad diet or dehydration...</p>

            <p>In fact, after using an incredibly powerful microscope to look deep inside the colon&rsquo;s lining they&#39;ve realised...</p>

            <p>Digestive issues are caused by something terrifying that&#39;s eating away at your colon...</p>

            <p>Do you want to know if you too are in danger?</p>

            <p>This is the #1 SIGN you should pay close attention to!</p>

            <p>Find out more here:</p>

            <p><strong>==&gt; <a href="http://acevoic.today/JHCHw67CxKcP0AagFSFlfGmZC7fQxloYSmtKT-9jzQTzb1"> One Sure Sign That Constipation Is Caused By Terrifying Parasite</a></strong>...</p>
            </td>
        </tr>
        <tr>
            <td align="left">
            <p align="left"><a href="http://acevoic.today/JHCHw67CxKcP0AcYagFddFlfGmZC7fQxloYSmtKT-9jzQTzb1"><img alt="" src="http://acevoic.today/2293f28982d198bc.jpg" /></a></p>
            </td>
        </tr>
        <tr>
            <td style="padding:0px; margin:0px; line-height:6px; font-size:5px; background-color:#F2AC5E"><br />
            &nbsp;</td>
        </tr>
    </tbody>
</table>

<table border="0" cellpadding="10" cellspacing="10" width="100%">
    <tbody>
        <tr>
            <td>&nbsp;</td>
        </tr>
        <tr>
            <td>&nbsp;</td>
        </tr>
        <tr>
            <td>&nbsp;</td>
        </tr>
        <tr>
            <td>&nbsp;</td>
        </tr>
    </tbody>
</table>

<p align="center" style="font-size:12px; "><a href="http://acevoic.today/HR5sJ5DCqzy_HJZZ7gZn5PbeunzjJWtG6DBU8bJomVxp51"><img alt="Please UnSub_scribe Here!!" src="http://acevoic.today/7e0888f2e949547b.jpg" /> </a></p>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
&nbsp;
<table align="center" class="dm">
    <tbody>
        <tr>
            <td colspan="2" style="background-color:#ffffff"><span style="color:#fff; font-family:constantia,lucida bright,dejavu serif,georgia,serif;">
            <style type="text/css">Several languages of Wikipedia also maintain a reference desk, w volunteers answer questions from the general public. According to a study by Pnina Shachaf in the Journal of Documentation, the quality of the Wikipedia reference desk is comparable to a standard library reference desk, with an accuracy of 55 percent.Wikipedia's original  was for users to re and edit content using any standard web browser through a fixed Internet connection. Although Wikipedia content has been ible through the mobile web since July 2013, The New York Times on February 9, 2014, d Erik Möller, deputy director of the Wikimedia Foundation, stating that the transition of internet traffic from desktops to mobile devices was significant and a cause for concern and worry. The article in The New York Times reported the comparison statistics for mobile edits stating that, " 20 percent of the reership of the English-language Wikipedia comes via mobile devices, a figure substantially lowe
 r than the percentage of mobile traffic for other media sites, many of which approach 50 percent. And the shift to mobile editing has lagged even more." The New York Times reports that Möller has assigned "a team of 10 software developers focused on mobile", out of a total of approximately 200 employees working at the Wikimedia Foundation. One principal concern cited by The New York Times for the "worry" is for Wikipedia to effectively dress attrition issues with the number of editors which the online encyclopedia attracts to edit and maintain its content in a mobile  environment.

Bloomberg Businessweek reported in July 2014 that Google's Android mobile apps have dominated the largest share of global smart shipments for 2013 with 78.6% of market share over their next cst competitor in iOS with 15.2% of the market. At the time of the Tretikov appointment and her posted web interview with Sue Gardner in May 2014, Wikimedia representatives me a technical announcement concerning the number of mobile  systems in the market seeking  to Wikipedia. Directly after the posted web interview, the representatives stated that Wikimedia would be applying an all-inclusive approach to accommodate as many mobile  systems as possible in its efforts for expanding general mobile , including BlackBerry and the dows  system, making market share a secondary issue. The latest version of the Android app for Wikipedia was released on July 23, 2014, to generally positive reviews, scoring over four of a possible five in a poll of approximately 200,000 users downloing from Google. The late
 st version for iOS was released on April 3, 2013, to similar reviews.

 to Wikipedia from mobile s was possible as early as 2004, through the Wireless Application Protocol (WAP), via the Wapedia service. In June 2007 Wikipedia launched en.mobile.wikipedia, an official website for wireless devices. In 2009 a newer mobile service was officially released, located at en.m.wikipedia, which caters to more vanced mobile devices such as the i, Android-based devices or WebOS-based devices. Several other methods of mobile  to Wikipedia have emerged. Many devices and applications optimize or enhance the display of Wikipedia content for mobile devices, while some also incorporate ditional features such as use of Wikipedia metata, such as geoination.

Wikipedia Zero was an initiative of the Wikimedia Foundation to expand the reach of the encyclopedia to the developing countries. It was discontinued in February 2018.
            </style>
            </span></td>
        </tr>
    </tbody>
</table>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
&nbsp;
<p align="center"><a href="http://acevoic.today/LT_iRIrEUsk3keqLHWquc8uIDokvxEcWsH0XdbDffUD76P"><img src="http://acevoic.today/eb921ef05ff9b638.jpg" /></a></p>
</body>
</html>

--51a44db5a09970d9355cdf0215d48e--


Code:
Return-Path: <21665-27645-2236-5131-ion=i***.***@mail.acevoic.today>
X-Original-To: ion@i***.***
Delivered-To: [our.mailserver.host]@localhost.localdomain
Received: from [mailgateway.proxmox].net ([proxmox mail gateway hostname].net [185.*.*.*])
    by [our.mailserver.host].net (Postfix) with ESMTPS id 8F3AF1407C6
    for <ion@i***.***>; Mon, 25 Apr 2022 04:36:03 -0400 (EDT)
Authentication-Results: [our.mailserver.host].net;
    dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=acevoic.today header.i=healthydigestion@acevoic.today header.b="qPWryh0y";
    dkim-atps=neutral
Received: from [mailgateway.proxmox].net (localhost [127.0.0.1])
    by [mailgateway.proxmox].net (Proxmox) with ESMTP id 2BF6460E74
    for <ion@i***.***>; Mon, 25 Apr 2022 10:36:02 +0200 (CEST)
Received-SPF: pass (mail.acevoic.today: 185.28.37.184 is authorized to use '#-#-#-#-ion=i***.***@mail.acevoic.today' in 'mfrom' identity (mechanism 'a' matched)) receiver=[mailgateway.proxmox].net; identity=mailfrom; envelope-from="#-#-#-#-ion=i***.***@mail.acevoic.today"; helo=able.acevoic.today; client-ip=185.28.37.184
Received: from able.acevoic.today (unknown [185.28.37.184])
    by [mailgateway.proxmox].net (Proxmox) with ESMTP id 31D4B60D3E
    for <ion@i***.***>; Mon, 25 Apr 2022 10:35:56 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1; d=acevoic.today;
 h=Mime-Version:Content-Type:Date:From:Reply-To:Subject:To:Message-ID; i=healthydigestion@acevoic.today;
 bh=6XiX5EI7sRWfa9M/+tOuQWBLdQ4=;
 b=qPWryh0yO8xhKGQ7ZN0xi2t1lx17oCTwdJfXlLJVhWK6C5zZM/eW+ZzWR99pwaMyA3MClW6iUncp
   GW14t+7bFsPMB92L1iQigqlolsTnC7dnZpt+6Mzh/Iba2ZwJAn1uFWKnH8fJ0vl+bLjwrTryK79/
   yLtVVhj/GTpu7yWKqy4=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=k1; d=acevoic.today;
 b=FekLrXdj2kfYDntEsIbHB7lI1PeS5udAJpYLwAx8fFIfcQPlYOMI1v7uYRd3idFzbmLOkqtIjyAc
   XlaDFWbjP0G1vdrB/yg7gW/Qr/OvP8V/PgqRHl5uiTfBFp91u5BX5Wpk8IGTTEKoFXJ7Go+GU5JD
   uGbfgBm6XvtzEIgrW48=;
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="51a44db5a09970d935590cdf0215d48e"
Date: Mon, 25 Apr 2022 10:35:11 +0200
From: "Gastrointestinal Problems" <healthydigestion@acevoic.today>
Reply-To: "Gastrointestinal Problems" <healthydigestion@acevoic.today>
Subject: I Went 20 Days Without Pooping
To: <ion@i***.***>
Message-ID: <1be2w8wjb0hc0230-savag0hiud5uo1ua-8a7@acevoic.today>
X-SPAM-LEVEL: Spam detection results:  2
    AWL                    -0.875 Adjusted score from AWL reputation of From: address
    DKIM_INVALID              0.1 DKIM or DK signature exists, but is not valid
    DKIM_SIGNED               0.1 Message has a DKIM or DK signature, not necessarily valid
    HTML_MESSAGE            0.001 HTML included in message
    KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
    KAM_GENERICHEALTH        1.75 Matches generic health-related advert/blurbs
    MIME_HTML_MOSTLY          0.1 Multipart message mostly text/html MIME
    RDNS_NONE               1.274 Delivered to internal network by a host with no rDNS
    SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
    SPF_PASS               -0.001 SPF: sender matches SPF record
    T_REMOTE_IMAGE           0.01 Message contains an external image
    URIBL_BLOCKED           0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked.  See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [acevoic.today]

--51a44db5a09970d93590cdf0215d48e
Content-Type: text/plain;
Content-Transfer-Encoding: 8bit

This email must be viewed in HTML mode.

--51a44db5a09970935590cdf0215d48e
Content-Type: text/html;
Content-Transfer-Encoding: 8bit

<html>
<head>
    <title></title>
</head>
<body><a href="http://acevoic.today/MXHnHdM-O77_RPfGNSO4OSYvBu6ISNsEsuy7Ek3nhA1wv"><img border="0" src="http://acevoic.today/-BIMkV5_RTof6YKeJo7TBy_ZypBhEWN-1Uuu2Epnh3YUo7" /> </a><br />
&nbsp;


[had to cut some crap due to post-size-limit here...]


            <p><strong>==&gt; <a href="http://acevoic.today/JHCHw67CxKcP0AYagFSFlfGmZC7fQxloYSmtKT-9jzQTzb1"> One Sure Sign That Constipation Is Caused By Terrifying Parasite</a></strong>...</p>
            </td>
        </tr>
        <tr>
            <td align="left">
            <p align="left"><a href="http://acevoic.today/JHCHw67CxKcP0AcYagFSFlfGmZC7fQxloYSmtKT-9jzQTzb1"><img alt="" src="http://acevoic.today/229d13f28982d198bc.jpg" /></a></p>
            </td>
        </tr>
        <tr>
            <td style="padding:0px; margin:0px; line-height:6px; font-size:5px; background-color:#F2AC5E"><br />
            &nbsp;</td>
        </tr>
    </tbody>
</table>

&nbsp;
<p align="center"><a href="http://acevoic.today/LT_iRIrEUsk3keqLHWquc800DokvxEcWsH0XAydbDffUD76P"><img src="http://acevoic.today/eb921ef0155ffll638.jpg" /></a></p>
</body>
</html>

--51a44db5a0997095590cdf0215d48e--
 

Stoiko Ivanov

Proxmox Staff Member
May 2, 2018
Possibly this:
"URIBL_BLOCKED
Yes - this is very well possible - uribl is one of the most effective ways to detect spam (due to the links inside the mail being listed at uribl)

check out the getting started page in the pmg wiki
https://pmg.proxmox.com/wiki/index.php/Getting_started_with_Proxmox_Mail_Gateway

and especially the part about setting up a dedicated DNS server for PMG:
https://pmg.proxmox.com/wiki/index.php/DNS_server_on_Proxmox_Mail_Gateway


additionally consider disabling the autowhitelist feature:
AWL -0.875 Adjusted score from AWL reputation of From: address

I hope this helps!

RollMops

Active Member
Jul 17, 2014
Yes - this is very well possible - uribl is one of the most effective ways to detect spam (due to the links inside the mail being listed at uribl)
...setting up a dedicated DNS server for PMG
I hope this helps!
Thank you Stoiko!
After another one slipped through (SPAMMER: fiscal50582@fiscal95.idnotificacion2840232.com )
with URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. ... [us.es,idnotificacion2840232.com]
I installed unbound (apt install unbound), changed /etc/resolv.conf to query 127.0.0.1, and the URIBL_BLOCKED messages are gone! :)


EDIT:
p.s. PMG now caught that one with the (now) working URIBL! :D

Code:
From: Ministerio de Hacienda - Urgencia 10823 <notificacionid10823@notificacionid2.facturacionid4820021.com>
Message-Id: <20220427050320.321D640CF2@notificacionid2.facturacionid4820021.com>
Date: Wed, 27 Apr 2022 05:03:18 +0000 (UTC)
X-SPAM-LEVEL: Spam detection results:  10
    DKIM_SIGNED               0.1 Message has a DKIM or DK signature, not necessarily valid
    DKIM_VALID               -0.1 Message has at least one valid DKIM or DK signature
    DKIM_VALID_AU            -0.1 Message has a valid DKIM or DK signature from author's domain
    HTML_MESSAGE            0.001 HTML included in message
    KAM_HTMLNOISE               1 Spam containing useless HTML padding
    KAM_VERY_BLACK_DBL          5 Email that hits both URIBL Black and Spamhaus DBL
    MIME_HEADER_CTYPE_ONLY    0.1 'Content-Type' found without required MIME headers
    MIME_HTML_ONLY            0.1 Message only has text/html MIME parts
    SPF_HELO_PASS          -0.001 SPF: HELO matches SPF record
    SPF_PASS               -0.001 SPF: sender matches SPF record
    URIBL_BLACK               1.7 Contains an URL listed in the URIBL blacklist [facturacionid4820021.com]
    URIBL_DBL_SPAM            2.5 Contains a spam URL listed in the Spamhaus DBL blocklist [facturacionid4820021.com]
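As an added illustration of the two points raised in this thread (Stoiko's diagnosis that URIBL_BLOCKED means the URI lookups contributed nothing and that the AWL was pulling the score down, and RollMops' before/after reports once unbound was in place), here is a small Python script that parses PMG's "X-SPAM-LEVEL: Spam detection results" block and flags both conditions. This is not code from the thread or from Proxmox; the two report blocks inside it are copied from the posts above as test input, the 5.0 threshold is an assumption rather than a PMG default, and the parser assumes the column layout shown in those headers.

```python
# Parse a PMG/SpamAssassin "X-SPAM-LEVEL: Spam detection results" block and
# flag two operational problems: URIBL lookups silently blocked (URIBL_BLOCKED)
# and the auto-whitelist (AWL) lowering the score.
import re
from dataclasses import dataclass

# Constructed test input: the report block of the first message in the thread.
REPORT_BEFORE_FIX = """\
X-SPAM-LEVEL: Spam detection results:  2
    AWL                    -0.875 Adjusted score from AWL reputation of From: address
    DKIM_INVALID              0.1 DKIM or DK signature exists, but is not valid
    DKIM_SIGNED               0.1 Message has a DKIM or DK signature, not necessarily valid
    HTML_MESSAGE            0.001 HTML included in message
    KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
    KAM_GENERICHEALTH        1.75 Matches generic health-related advert/blurbs
    MIME_HTML_MOSTLY          0.1 Multipart message mostly text/html MIME
    RDNS_NONE               1.274 Delivered to internal network by a host with no rDNS
    SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
    SPF_PASS               -0.001 SPF: sender matches SPF record
    T_REMOTE_IMAGE           0.01 Message contains an external image
    URIBL_BLOCKED           0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked.  See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [acevoic.today]
"""

# Constructed test input: the report RollMops posted after switching to unbound.
REPORT_AFTER_FIX = """\
X-SPAM-LEVEL: Spam detection results:  10
    DKIM_SIGNED               0.1 Message has a DKIM or DK signature, not necessarily valid
    DKIM_VALID               -0.1 Message has at least one valid DKIM or DK signature
    DKIM_VALID_AU            -0.1 Message has a valid DKIM or DK signature from author's domain
    HTML_MESSAGE            0.001 HTML included in message
    KAM_HTMLNOISE               1 Spam containing useless HTML padding
    KAM_VERY_BLACK_DBL          5 Email that hits both URIBL Black and Spamhaus DBL
    MIME_HEADER_CTYPE_ONLY    0.1 'Content-Type' found without required MIME headers
    MIME_HTML_ONLY            0.1 Message only has text/html MIME parts
    SPF_HELO_PASS          -0.001 SPF: HELO matches SPF record
    SPF_PASS               -0.001 SPF: sender matches SPF record
    URIBL_BLACK               1.7 Contains an URL listed in the URIBL blacklist [facturacionid4820021.com]
    URIBL_DBL_SPAM            2.5 Contains a spam URL listed in the Spamhaus DBL blocklist [facturacionid4820021.com]
"""


@dataclass
class Hit:
    rule: str
    score: float
    description: str


# One indented line per rule: "    RULE_NAME   <score> <description>"
HIT_RE = re.compile(r"^\s+(?P<rule>[A-Za-z0-9_]+)\s+(?P<score>-?\d+(?:\.\d+)?)\s+(?P<desc>.*)$")


def parse_report(report: str) -> list:
    """Return the rule hits listed in an X-SPAM-LEVEL report block."""
    hits = []
    for line in report.splitlines():
        m = HIT_RE.match(line)
        if m:
            hits.append(Hit(m["rule"], float(m["score"]), m["desc"].strip()))
    return hits


def analyse(report: str, threshold: float = 5.0) -> dict:
    """Summarise a report. `threshold` is an assumed cut-off, not a PMG default."""
    hits = parse_report(report)
    by_rule = {h.rule: h for h in hits}
    total = round(sum(h.score for h in hits), 3)
    findings = []
    if "URIBL_BLOCKED" in by_rule:
        findings.append("URIBL_BLOCKED: URIBL refused the resolver's queries, so URI reputation "
                        "added nothing to the score; use a local recursive resolver, not a public forwarder")
    awl = by_rule.get("AWL")
    if awl is not None and awl.score < 0:
        findings.append(f"AWL lowered the score by {-awl.score:g}; consider disabling the auto-whitelist")
    # URIBL_* rules that actually fired (URIBL_BLOCKED is a health notice, not a hit)
    uribl_hits = [h.rule for h in hits if h.rule.startswith("URIBL_") and h.rule != "URIBL_BLOCKED"]
    return {
        "total": total,
        "total_without_awl": round(total - (awl.score if awl else 0.0), 3),
        "over_threshold": total >= threshold,
        "uribl_hits": uribl_hits,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, report in (("before DNS fix", REPORT_BEFORE_FIX), ("after DNS fix", REPORT_AFTER_FIX)):
        result = analyse(report)
        print(f"{label}: total={result['total']} (without AWL: {result['total_without_awl']}), "
              f"URIBL hits={result['uribl_hits'] or 'none'}")
        for finding in result["findings"]:
            print("  -", finding)
```

On the first report the script sums to 2.471 (3.346 without the AWL adjustment) with no URIBL hits and two findings; the report from after the unbound change sums to 10.299 with URIBL_BLACK and URIBL_DBL_SPAM firing. The operational point: URIBL_BLOCKED itself carries a negligible score and never pushes a mail toward quarantine, so it is only useful as a warning that the resolver is being refused, which is worth alerting on from the headers or mail log.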
