Level 1 Spam

osgit

Member
Jan 12, 2021
Hello, I've been troubleshooting and am getting the following emails that are level 1. Any ideas on tweaking the rules out of the one's listed to block them properly? Thank you in advance! :)

Code:
Apr 6 13:26:30 smtp postfix/smtpd[6796]: connect from mail8.tianxiawuzongshaoLinsi001.top[104.223.248.201]
Apr 6 13:26:30 smtp postfix/smtpd[6796]: 324331438E0: client=mail8.tianxiawuzongshaoLinsi001.top[104.223.248.201]
Apr 6 13:26:30 smtp postfix/cleanup[6626]: 324331438E0: message-id=<XlWMfuwWHvCSYiqzTtSn1cmhonjCEVR7lVEOsMKnd3g.eYwWsRf9MOJbHjvsq6RASyc7NR_XKRz_cGMpB9f9noc@endureshort.cam>
Apr 6 13:26:30 smtp postfix/qmgr[1043]: 324331438E0: from=<info@endureshort.cam>, size=7916, nrcpt=1 (queue active)
Apr 6 13:26:30 smtp pmg-smtp-filter[6551]: 1438E9606CC3F6527AB: new mail message-id=<XlWMfuwWHvCSYiqzTtSn1cmhonjCEVR7lVEOsMKnd3g.eYwWsRf9MOJbHjvsq6RASyc7NR_XKRz_cGMpB9f9noc@endureshort.cam>#012
Apr 6 13:26:30 smtp postfix/smtpd[6796]: 630C814393D: client=mail8.tianxiawuzongshaoLinsi001.top[104.223.248.201]
Apr 6 13:26:30 smtp postfix/smtpd[6796]: 9116E14393F: client=mail8.tianxiawuzongshaoLinsi001.top[104.223.248.201]
Apr 6 13:26:30 smtp postfix/smtpd[6796]: disconnect from mail8.tianxiawuzongshaoLinsi001.top[104.223.248.201] ehlo=1 mail=3 rcpt=3 data=3 quit=1 commands=11
Apr 6 13:26:33 smtp pmg-smtp-filter[6551]: 1438E9606CC3F6527AB: SA score=1/5 time=3.577 bayes=0.50 autolearn=no autolearn_force=no hits=BAYES_50(0.8),HTML_FONT_LOW_CONTRAST(0.001),HTML_MESSAGE(0.001),HTML_MIME_NO_HTML_TAG(0.377),KAM_DMARC_STATUS(0.01),MIME_HTML_ONLY(0.1),MIME_QP_LONG_LINE(0.001),SPF_HELO_PASS(-0.001),SPF_PASS(-0.001)
Apr 6 13:26:34 smtp postfix/smtpd[6813]: connect from localhost.localdomain[127.0.0.1]
Apr 6 13:26:34 smtp postfix/smtpd[6813]: 02C21143941: client=localhost.localdomain[127.0.0.1], orig_client=mail8.tianxiawuzongshaoLinsi001.top[104.223.248.201]
Apr 6 13:26:34 smtp postfix/cleanup[6802]: 02C21143941: message-id=<XlWMfuwWHvCSYiqzTtSn1cmhonjCEVR7lVEOsMKnd3g.eYwWsRf9MOJbHjvsq6RASyc7NR_XKRz_cGMpB9f9noc@endureshort.cam>
Apr 6 13:26:34 smtp postfix/qmgr[1043]: 02C21143941: from=<info@endureshort.cam>, size=8817, nrcpt=1 (queue active)
Apr 6 13:26:34 smtp postfix/smtpd[6813]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Apr 6 13:26:34 smtp pmg-smtp-filter[6551]: 1438E9606CC3F6527AB: accept mail to <user@domain.com> (02C21143941) (rule: default-accept)
Apr 6 13:26:34 smtp pmg-smtp-filter[6551]: 1438E9606CC3F6527AB: processing time: 3.681 seconds (3.577, 0.058, 0)
Apr 6 13:26:34 smtp postfix/lmtp[6798]: 324331438E0: to=<user@domain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=3.8, delays=0.09/0.04/0/3.7, dsn=2.5.0, status=sent (250 2.5.0 OK (1438E9606CC3F6527AB))
Apr 6 13:26:34 smtp postfix/qmgr[1043]: 324331438E0: removed
Apr 6 13:26:34 smtp postfix/smtp[6814]: Trusted TLS connection established to exchange.domain.com[192.168.56.12]:2525: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Apr 6 13:26:34 smtp postfix/smtp[6814]: 02C21143941: to=<user@domain.com>, relay=exchange.domain.com[192.168.56.12]:2525, delay=0.44, delays=0.01/0.04/0.12/0.28, dsn=2.6.0, status=sent (250 2.6.0 <XlWMfuwWHvCSYiqzTtSn1cmhonjCEVR7lVEOsMKnd3g.eYwWsRf9MOJbHjvsq6RASyc7NR_XKRz_cGMpB9f9noc@endureshort.cam> [InternalId=4196007] Queued mail for delivery)
Apr 6 13:26:34 smtp postfix/qmgr[1043]: 02C21143941: removed

The only one that I saw that might be able to be upped is BAYES_50, but the SpamAssassin docs say not to tweak it:
BAYES_50 you don't want to do anything about – Bayes does not (yet) know whether this email is spam or ham, so it gives effectively no score. Feed this email to Bayes as spam, and that will help identify future emails as spam.
Nothing in the SpamAssassin hits stands out as a good indicator for spam.

However, '.top' is a comparatively new TLD; I know some deployments where these are blocked outright.
If you don't expect mails from .top mail addresses, this might work for you.

I hope this helps!
Getting a ton from *.cam as well... I attempted to add the wildcard to the domain, I'm assuming the best way to match those would be just to use the Regex option? Thanks. :)
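As an added illustration of the two things discussed in this thread (which SpamAssassin rules actually contributed to the "SA score=1/5" line, and what a TLD-based sender match such as the suggested .top / .cam block looks like as a regular expression), here is a small Python script that is not part of the thread or of Proxmox Mail Gateway. It reads the log lines quoted above plus one constructed ham line, breaks the SA hits down per rule, and tests envelope senders against a TLD regex. The assumption, labelled in the code, is that a PMG "Who" object of type "Regular Expression" is applied to the full sender address with Perl-compatible syntax; the pattern used here stays within the subset that Python's `re` and PCRE share, so it can be pasted into such an object, but verify it in a test rule before enforcing it.

```python
import re

# Log lines copied from the thread above, plus one constructed ham line (last entry)
# so the audit has a sender that must NOT match the TLD block.
LOG_LINES = [
    "Apr 6 13:26:30 smtp postfix/qmgr[1043]: 324331438E0: from=<info@endureshort.cam>, "
    "size=7916, nrcpt=1 (queue active)",
    "Apr 6 13:26:33 smtp pmg-smtp-filter[6551]: 1438E9606CC3F6527AB: SA score=1/5 time=3.577 "
    "bayes=0.50 autolearn=no autolearn_force=no hits=BAYES_50(0.8),HTML_FONT_LOW_CONTRAST(0.001),"
    "HTML_MESSAGE(0.001),HTML_MIME_NO_HTML_TAG(0.377),KAM_DMARC_STATUS(0.01),MIME_HTML_ONLY(0.1),"
    "MIME_QP_LONG_LINE(0.001),SPF_HELO_PASS(-0.001),SPF_PASS(-0.001)",
    # constructed sample, not from the thread:
    "Apr 6 13:27:01 smtp postfix/qmgr[1043]: 0123456789A: from=<alice@example.org>, "
    "size=2048, nrcpt=1 (queue active)",
]

# Pattern in the spirit of a PMG "Who" object of type "Regular Expression" (ASSUMPTION: PMG
# matches the whole sender address and uses Perl-compatible syntax). It anchors the TLD at the
# very end, so "top@example.com" or "info@topshop.example" do not match by accident.
BLOCKED_TLD_RE = re.compile(r"^[^@\s]+@[^@\s]+\.(top|cam)$", re.IGNORECASE)

FROM_RE = re.compile(r"from=<([^>]*)>")
SA_RE = re.compile(r"SA score=(-?\d+(?:\.\d+)?)/(\d+(?:\.\d+)?).*?hits=(\S+)")
HIT_RE = re.compile(r"([A-Za-z0-9_]+)\((-?[\d.]+)\)")


def sender_matches_blocked_tld(address):
    """True if the envelope sender's domain ends in one of the blocked TLDs."""
    return BLOCKED_TLD_RE.match(address.strip()) is not None


def parse_sa_line(line):
    """Break a pmg-smtp-filter 'SA score=' line into score, threshold and per-rule points.

    Returns None for lines that are not SA result lines.
    """
    m = SA_RE.search(line)
    if not m:
        return None
    hits = {name: float(points) for name, points in HIT_RE.findall(m.group(3))}
    return {"score": float(m.group(1)), "threshold": float(m.group(2)), "hits": hits}


def top_contributors(hits, n=3):
    """Rules ordered by the points they added, highest first; negative hits sink to the end."""
    return sorted(hits.items(), key=lambda kv: kv[1], reverse=True)[:n]


def audit(lines):
    """Walk log lines and report per queue-id what a defender would look at:
    the sender's TLD verdict and the SA rule breakdown."""
    findings = []
    for line in lines:
        fm = FROM_RE.search(line)
        if fm:
            sender = fm.group(1)
            findings.append({"sender": sender,
                             "blocked_tld": sender_matches_blocked_tld(sender)})
            continue
        sa = parse_sa_line(line)
        if sa:
            findings.append({"sa_score": sa["score"], "sa_threshold": sa["threshold"],
                             "sum_of_hits": round(sum(sa["hits"].values()), 3),
                             "top": top_contributors(sa["hits"])})
    return findings


if __name__ == "__main__":
    for f in audit(LOG_LINES):
        print(f)
```

Running the script shows that the nine rules in the quoted line add up to only about 1.3 points, with BAYES_50 (0.8) and HTML_MIME_NO_HTML_TAG (0.377) doing almost all of the work, which is why the message lands at level 1 and why a content-based tweak would not help much; the sender-side match, by contrast, flags `info@endureshort.cam` and leaves the constructed `alice@example.org` alone.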