please advice how to block low score spam

team2021

Member
Jun 29, 2021
9
1
8
Hello, please advice how to block this kind of email.
What custom score is generally safe to increase ?
Thanks


Code:
Subject: 
Odstraňte papilomy a předejděte rakovině kůže!
From: 
Removio zachraňuje život! <irpipbz@infistonsell.lol>
Date: 
09/08/2023 16:19
Message-ID: <1173578885733665474713033314761407080281@infistonsell.lol>
From: =?utf-8?B?UmVtb3ZpbyB6YWNocmHFiHVqZSDFvml2b3Qh?=
    <irpipbz@infistonsell.lol>
To: 
Subject: =?utf-8?B?T2RzdHJhxYh0ZSBwYXBpbG9teSBhIHDFmWVkZWpkxJt0ZSByYWtvdmluxJsga8Wvxb5lIQ==?=
Date: Wed, 9 Aug 2023 17:19:09 +0300
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative";
    boundary="_adb60e08-dd98-40bb-a63b-017736dfecd3_"
X-SPAM-LEVEL: Spam detection results:  1
    DMARC_MISSING             0.1 Missing DMARC policy
    HTML_FONT_LOW_CONTRAST  0.001 HTML font color similar or identical to background
    HTML_IMAGE_ONLY_20        0.7 HTML: images with 1600-2000 bytes of words
    HTML_IMAGE_RATIO_02     0.001 HTML has a low ratio of text to image area
    HTML_MESSAGE            0.001 HTML included in message
    HTML_SHORT_LINK_IMG_3   0.328 HTML is very short with a linked image
    KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
    SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
    SPF_PASS               -0.001 SPF: sender matches SPF record
    T_TVD_MIME_EPI           0.01 -
Return-Path: irpipbz@infistonsell.lol
 
please share the complete logs of this mail from your PMG - as well as the mail as .eml - else it's not really possible to tell if there is anything that can be improved
 
Hello, thanks for reply

This is log from PMG and whole email in EML format. Can you plese take a look?

Code:
Aug 9 19:33:00 pmg postfix/smtpd[314413]: connect from mail.infistonsell.lol[178.162.131.38]
Aug 9 19:33:01 pmg postfix/smtpd[314413]: 355AA6C2255: client=mail.infistonsell.lol[178.162.131.38]
Aug 9 19:33:01 pmg postfix/cleanup[314399]: 355AA6C2255: message-id=<1173578885733665474713033314761407080281@infistonsell.lol>
Aug 9 19:33:01 pmg postfix/qmgr[942]: 355AA6C2255: from=<irpipbz@infistonsell.lol>, size=156139, nrcpt=1 (queue active)
Aug 9 19:33:01 pmg postfix/smtpd[314413]: disconnect from mail.infistonsell.lol[178.162.131.38] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Aug 9 19:33:01 pmg pmg-smtp-filter[314103]: 6C225C64D3CDCD56AC6: new mail message-id=<1173578885733665474713033314761407080281@infistonsell.lol>#012
Aug 9 19:33:02 pmg pmg-smtp-filter[314103]: 6C225C64D3CDCD56AC6: SA score=1/5 time=0.981 bayes=undefined autolearn=disabled hits=DMARC_MISSING(0.1),HTML_FONT_LOW_CONTRAST(0.001),HTML_IMAGE_ONLY_20(0.7),HTML_IMAGE_RATIO_02(0.001),HTML_MESSAGE(0.001),HTML_SHORT_LINK_IMG_3(0.328),KAM_DMARC_STATUS(0.01),SPF_HELO_NONE(0.001),SPF_PASS(-0.001),T_TVD_MIME_EPI(0.01)
Aug 9 19:33:02 pmg postfix/smtpd[314405]: connect from localhost.localdomain[127.0.0.1]
Aug 9 19:33:02 pmg postfix/smtpd[314405]: 62F726C225D: client=localhost.localdomain[127.0.0.1], orig_client=mail.infistonsell.lol[178.162.131.38]
Aug 9 19:33:02 pmg postfix/cleanup[314399]: 62F726C225D: message-id=<1173578885733665474713033314761407080281@infistonsell.lol>
Aug 9 19:33:02 pmg postfix/qmgr[942]: 62F726C225D: from=<irpipbz@infistonsell.lol>, size=157072, nrcpt=1 (queue active)
Aug 9 19:33:02 pmg postfix/smtpd[314405]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Aug 9 19:33:02 pmg pmg-smtp-filter[314103]: 6C225C64D3CDCD56AC6: accept mail to <user@mydomain.com> (62F726C225D) (rule: default-accept)
Aug 9 19:33:02 pmg postfix/smtp[314406]: 62F726C225D: to=<user@mydomain.com>, relay=none, delay=0.05, delays=0.05/0/0/0, dsn=4.4.1, status=deferred (connect to 192.168.1.91[192.168.1.91]:25: Connection refused)
Aug 9 19:33:02 pmg pmg-smtp-filter[314103]: 6C225C64D3CDCD56AC6: processing time: 1.096 seconds (0.981, 0.035, 0)
Aug 9 19:33:02 pmg postfix/lmtp[314400]: 355AA6C2255: to=<user@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.5, delays=0.31/0/0.04/1.1, dsn=2.5.0, status=sent (250 2.5.0 OK (6C225C64D3CDCD56AC6))
Aug 9 19:33:02 pmg postfix/qmgr[942]: 355AA6C2255: removed
Aug 9 19:40:22 pmg postfix/qmgr[942]: 62F726C225D: from=<irpipbz@infistonsell.lol>, size=157072, nrcpt=1 (queue active)
Aug 9 19:40:22 pmg postfix/smtp[314495]: 62F726C225D: to=<user@mydomain.com>, relay=192.168.1.91[192.168.1.91]:25, delay=440, delays=440/0.06/0.02/0, dsn=4.3.2, status=deferred (host 192.168.1.91[192.168.1.91] said: 421 4.3.2 Service not active (in reply to MAIL FROM command))
Aug 9 19:50:22 pmg postfix/qmgr[942]: 62F726C225D: from=<irpipbz@infistonsell.lol>, size=157072, nrcpt=1 (queue active)
Aug 9 19:50:22 pmg postfix/smtp[314606]: 62F726C225D: to=<user@mydomain.com>, relay=192.168.1.91[192.168.1.91]:25, delay=1040, delays=1040/0.06/0.02/0, dsn=4.3.2, status=deferred (host 192.168.1.91[192.168.1.91] said: 421 4.3.2 Service not active (in reply to MAIL FROM command))
Aug 9 20:03:50 pmg postfix/qmgr[942]: 62F726C225D: from=<irpipbz@infistonsell.lol>, size=157072, nrcpt=1 (queue active)
Aug 9 20:03:52 pmg postfix/smtp[314854]: 62F726C225D: to=<user@mydomain.com>, relay=192.168.1.91[192.168.1.91]:25, delay=1850, delays=1848/0.2/0.02/1.9, dsn=2.6.0, status=sent (250 2.6.0 <1173578885733665474713033314761407080281@infistonsell.lol> [InternalId=60430189854755, Hostname=mailserver.mydomain.com] 158246 bytes in 1.915, 80,658 KB/sec Queued mail for delivery)
Aug 9 20:03:52 pmg postfix/qmgr[942]: 62F726C225D: removed
 

Attachments

  • spam.zip
    115.4 KB · Views: 2
Hmm - the postscreen lines for the mail are missing (although the IP is currently not listed at any widely used dnsbl they might help in finding potential misconfigurations)

else - from the look of the mail - it seems there is really nothing standing out too much which would catch this (and would not cause many false positives).
Some sites quarantine mails from certain top-level domains - but I don't know if you receive many legitimate mails from '.lol'
 
  • Like
Reactions: team2021
Thanks, blocking '.lol' seems like good idea : )
Sadly we had similar email for example from "koloskys.de" ( early this week, now it's not existing domain)

According to a random check, it seems to me that increasing the HTML_IMAGE_ONLY_24 score (from 1,282) to maybe 2 could be a solution. We don't have many legitimate emails that contain HTML_IMAGE_ONLY_24 and if they do, they are whitelisted
 
According to a random check, it seems to me that increasing the HTML_IMAGE_ONLY_24 score (from 1,282) to maybe 2 could be a solution. We don't have many legitimate emails that contain HTML_IMAGE_ONLY_24 and if they do, they are whitelisted
sounds also like a good option - as long as you do some checks on your existing mail-flow (and verify that no legitimate mail gets pushed over your set threshold) - this should work fine!
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!