Need Help with Configuration / Blatant SPAM Getting Through with High X-SPAM Scores

S

SamcSage

New Member
Proxmox Subscriber
Nov 26, 2019
6
0
1
38
I was hoping someone could provide some general suggestions what could be the issue.

We are running PMG in front of our Exchange server and enough unwanted email is getting through to generate complaints.

A user forwarded me an email that had an X-SPAM score of 30 but was still delivered to his inbox. The only thing I can think of is that I have "Verify Receivers" turned on and because it was able to verify the valid email recipient it whitelisted the email???

Here is the output from the tracking center:

Nov 25 23:18:15 mail postfix/smtpd[36613]: connect from vysua1.vysualya.com[54.38.59.45]
Nov 25 23:18:16 mail postfix/smtpd[36613]: Anonymous TLS connection established from vysua1.vysualya.com[54.38.59.45]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov 25 23:18:16 mail postfix/smtpd[36613]: CC1E41C13F3: client=vysua1.vysualya.com[54.38.59.45]
Nov 25 23:18:17 mail postfix/cleanup[36619]: CC1E41C13F3: message-id=<20191126051808.08948E9BA36AC195@gmail.com>
Nov 25 23:18:17 mail postfix/qmgr[38634]: CC1E41C13F3: from=<our.recipient@ourdomain.email>, size=5824, nrcpt=1 (queue active)
Nov 25 23:18:17 mail pmg-smtp-filter[32138]: 1C14145DDCA7891A47A: new mail message-id=<20191126051808.08948E9BA36AC195@gmail.com>#012
Nov 25 23:18:17 mail postfix/smtpd[36613]: disconnect from vysua1.vysualya.com[54.38.59.45] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Nov 25 23:18:17 mail pmg-smtp-filter[32138]: 1C14145DDCA7891A47A: SA score=30/5 time=0.625 bayes=0.50 autolearn=spam autolearn_force=no hits=BAYES_50(0.8),DKIM_ADSP_CUSTOM_MED(0.001),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),FORGED_GMAIL_RCVD(1),FREEMAIL_FROM(0.001),FROM_MISSP_FREEMAIL(1.405),HTML_MESSAGE(0.001),KAM_SEX_EXPLICIT(16),KAM_SOMETLD_ARE_BAD_TLD(5),MIME_HTML_ONLY(0.1),NML_ADSP_CUSTOM_MED(0.9),RCVD_IN_RP_RNBL(1.31),SPF_HELO_NONE(0.001),SPF_SOFTFAIL(0.665),URIBL_ABUSE_SURBL(1.25),URIBL_BLOCKED(0.001),URIBL_DBL_SPAM(2.5)
Nov 25 23:18:17 mail postfix/smtpd[36624]: connect from localhost.localdomain[127.0.0.1]
Nov 25 23:18:17 mail postfix/smtpd[36624]: BBE7C1C142C: client=localhost.localdomain[127.0.0.1], orig_client=vysua1.vysualya.com[54.38.59.45]
Nov 25 23:18:17 mail postfix/cleanup[36619]: BBE7C1C142C: message-id=<20191126051808.08948E9BA36AC195@gmail.com>
Nov 25 23:18:17 mail postfix/qmgr[38634]: BBE7C1C142C: from=<stevem@gmail.com>, size=7716, nrcpt=1 (queue active)
Nov 25 23:18:17 mail postfix/smtpd[36624]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Nov 25 23:18:17 mail pmg-smtp-filter[32138]: 1C14145DDCA7891A47A: accept mail to <our.recipient@ourdomain.email> (BBE7C1C142C) (rule: default-accept)
Nov 25 23:18:17 mail pmg-smtp-filter[32138]: 1C14145DDCA7891A47A: processing time: 0.706 seconds (0.625, 0.017, 0)
Nov 25 23:18:17 mail postfix/lmtp[36620]: CC1E41C13F3: to=<our.recipient@ourdomain.email>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.2, delays=0.44/0.01/0.04/0.71, dsn=2.5.0, status=sent (250 2.5.0 OK (1C14145DDCA7891A47A))
Nov 25 23:18:17 mail postfix/qmgr[38634]: CC1E41C13F3: removed
Nov 25 23:18:18 mail postfix/smtp[36625]: BBE7C1C142C: to=<our.recipient@ourdomain.email>, relay=10.0.0.3[10.0.0.3]:25, delay=0.26, delays=0.04/0.02/0.02/0.18, dsn=2.6.0, status=sent (250 2.6.0 <20191126051808.08948E9BA36AC195@gmail.com> [InternalId=5270] Queued mail for delivery)
Nov 25 23:18:18 mail postfix/qmgr[38634]: BBE7C1C142C: removed

Here is the X-SPAM header from one of the same email that came through:

X-SPAM-LEVEL: Spam detection results: 30
BAYES_50 0.8 Bayes spam probability is 40 to 60%
DKIM_ADSP_CUSTOM_MED 0.001 No valid author signature, adsp_override is CUSTOM_MED
DKIM_SIGNED 0.1 Message has a DKIM or DK signature, not necessarily valid
DKIM_VALID -0.1 Message has at least one valid DKIM or DK signature
FORGED_GMAIL_RCVD 1 'From' gmail.com does not match 'Received' headers
FREEMAIL_FROM 0.001 Sender email is commonly abused enduser mail provider
FROM_MISSP_FREEMAIL 1.405 From misspaced + freemail provider
HTML_MESSAGE 0.001 HTML included in message
KAM_SEX_EXPLICIT 16 Subject or body indicates Sexually Explicit material
KAM_SOMETLD_ARE_BAD_TLD 5 .stream, .trade, .pw, .top, .press, .bid & .date TLD Abuse
MIME_HTML_ONLY 0.1 Message only has text/html MIME parts
NML_ADSP_CUSTOM_MED 0.9 ADSP custom_med hit, and not from a mailing list
RCVD_IN_RP_RNBL 1.31 Relay in RNBL, https://senderscore.org/blacklistlookup/
SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record
SPF_SOFTFAIL 0.665 SPF: sender does not match SPF record (softfail)
URIBL_ABUSE_SURBL 1.25 Contains an URL listed in the ABUSE SURBL blocklist [bestyspecial.trade]
URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [vysualya.com,bestyspecial.trade,lettermelater.com]
URIBL_DBL_SPAM 2.5 Contains a spam URL listed in the Spamhaus DBL blocklist [vysualya.com,bestyspecial.trade]
 
* add the Quarantine Action to the rule called: Quarantine/Mark Spam (Level 3)
 
Sorry, I meant to also mention that I opted to not use the quarantine and just tag the SPAM with SPAM: instead. Then Outlook filters that to the user's Junk E-Mail folder using a server-level rule.
 
SamcSage said:
Sorry, I meant to also mention that I opted to not use the quarantine and just tag the SPAM with SPAM: instead. Then Outlook filters that to the user's Junk E-Mail folder using a server-level rule.
Click to expand...

If you dun set quarantine action on PMG spam filter, definately it will deliver to your mailbox. When you receive the spam mail in your outlook, is the spam score on outlook same as marked by PMG?
 
The built-in Level 3 Quarantine rule is being used, but instead of quarantining the subject is rewritten with "SPAM: at the beginning of the subject line. There is a server-level rule in the Outlook clients that automatically moves these emails to the "Junk E-Mail" folder.

This is working, and the SPAM i'm concerned about that is making it to Inboxes doesn't have the rewritten subject line.
 
SamcSage said:
The built-in Level 3 Quarantine rule is being used, but instead of quarantining the subject is rewritten with "SPAM: at the beginning of the subject line. There is a server-level rule in the Outlook clients that automatically moves these emails to the "Junk E-Mail" folder.

This is working, and the SPAM i'm concerned about that is making it to Inboxes doesn't have the rewritten subject line.
Click to expand...

Pls show the spam mail's X-SPAM-LEVEL in outlook.
 
SamcSage said:
It's at the bottom of the first post.
Click to expand...

If PMG correctly mark the X-SPAM-LEVEL, mean it is works as normal. Could it be outlook cannot recognize the correct spam score?
What version outlook you are using?
Btw, do outlook use x-spam-level or x-spam-score?
 
Last edited:
I guess I'm not understanding why an email with an X-SPAM-LEVEL of 50 would come in below PMG's SPAM level 3 rule. What is the PMG SPAM score weighting of the heuristic analysis?
 
SamcSage said:
I guess I'm not understanding why an email with an X-SPAM-LEVEL of 50 would come in below PMG's SPAM level 3 rule. What is the PMG SPAM score weighting of the heuristic analysis?
Click to expand...

According to my knowleage of PMG spam filtering, the Modify Header rule will mark X-SPAM-LEVEL using spamassassin (due to higher rules priority), then my spam score 10/5 rules will block/quarantine it.
If you do not set quarantine action on your incoming spam rules, it will go through PMG no matter how high the score.
Is either you set block/quarantine on your PMG spam rules or make sure your outlook is blocking/filtering the email by X-SPAM-LEVEL.
Btw, from your config.txt you do not need to mark spam level again on your quarantine/mark spam rules as it already taken care by Modify Header rules.

Capture11111.JPG
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom