Same spam mails, different spam results

prahn

While analyzing incoming spam, I just realized that there are mails coming from one domain that have different spam results in PMG, although they have almost the same content. Any idea how to tune this in the PMG settings? What can I do so that mail 1 and mail 3 also get 3 points in SpamAssassin?

Mail 1, Result accepted/delivered
Code:
May 21 18:14:33 pmg postfix/cleanup[19324]: CD584220DA7: message-id=<dgeczstymjv-72482925718701740661985751394362@isikradyo.com>
May 21 18:14:33 pmg postfix/qmgr[17956]: CD584220DA7: from=<carstenbpehknt@isikradyo.com>, size=4002, nrcpt=1 (queue active)
May 21 18:14:33 pmg postfix/smtpd[19318]: disconnect from marked.isikradyo.com[63.81.90.114] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
May 21 18:14:37 pmg pmg-smtp-filter[18005]: 2212AA60A7F8890BD57: SA score=1/5 time=4.486 bayes=undefined autolearn=no autolearn_force=no hits=DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),HTML_IMAGE_ONLY_24(1.282),HTML_MESSAGE(0.001),MIME_HTML_ONLY(0.1),SPF_HELO_NONE(0.001),SPF_PASS(-0.001),T_REMOTE_IMAGE(0.01)
May 21 18:14:37 pmg postfix/qmgr[17956]: 8BFDF22137A: from=<carstenbpehknt@isikradyo.com>, size=5008, nrcpt=1 (queue active)
May 21 18:14:37 pmg pmg-smtp-filter[18005]: 2212AA60A7F8890BD57: accept mail to <nnn@xxx.de> (8BFDF22137A) (rule: default-accept)

Mail 2, Result quarantined
Code:
May 21 18:26:50 pmg postfix/smtpd[19381]: B9BAD220DA7: client=marked.isikradyo.com[63.81.90.114]
May 21 18:26:50 pmg postfix/cleanup[19386]: B9BAD220DA7: message-id=<abbdeinxzie.7072433456188935700297149415789@isikradyo.com>
May 21 18:26:50 pmg postfix/qmgr[17956]: B9BAD220DA7: from=<karintfxnayfkries@isikradyo.com>, size=4117, nrcpt=1 (queue active)
May 21 18:26:51 pmg postfix/smtpd[19381]: disconnect from marked.isikradyo.com[63.81.90.114] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
May 21 18:26:54 pmg pmg-smtp-filter[18296]: 2212AA60A7FB6AF3CA4: SA score=3/5 time=3.156 bayes=undefined autolearn=no autolearn_force=no hits=DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),HK_RANDOM_ENVFROM(0.999),HK_RANDOM_FROM(0.999),HTML_IMAGE_ONLY_24(1.282),HTML_MESSAGE(0.001),MIME_HTML_ONLY(0.1),SPF_HELO_NONE(0.001),SPF_PASS(-0.001)
May 21 18:26:54 pmg pmg-smtp-filter[18296]: 2212AA60A7FB6AF3CA4: moved mail for <ddd@xxx.de> to spam quarantine - 22137A60A7FB6E2DB28 (rule: Quarantine/Mark Spam (Level 3))

Mail 3, Result accepted/delivered
Code:
May 21 21:21:04 pmg postfix/smtpd[21711]: 5743F22041D: client=receptive.isikradyo.com[63.81.90.115]
May 21 21:21:04 pmg postfix/cleanup[21705]: 5743F22041D: message-id=<itvvmv-68409543118391933539541@isikradyo.com>
May 21 21:21:04 pmg postfix/qmgr[20536]: 5743F22041D: from=<laurazsrhnst@isikradyo.com>, size=7242, nrcpt=1 (queue active)
May 21 21:21:04 pmg postfix/smtpd[21711]: disconnect from receptive.isikradyo.com[63.81.90.115] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
May 21 21:21:09 pmg pmg-smtp-filter[20976]: 220D4560A824408DBAA: SA score=0/5 time=4.573 bayes=undefined autolearn=disabled hits=DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),HTML_MESSAGE(0.001),MIME_HTML_ONLY(0.1),SPF_HELO_NONE(0.001),SPF_PASS(-0.001)
May 21 21:21:09 pmg postfix/qmgr[20536]: 308EC221383: from=<laurazsrhnst@isikradyo.com>, size=8106, nrcpt=1 (queue active)
May 21 21:21:09 pmg pmg-smtp-filter[20976]: 220D4560A824408DBAA: accept mail to <zzz@xxx.de> (308EC221383) (rule: default-accept)
 
Here is the raw content of the quarantined mail.


Code:
Delivered-To: ddd@xxx.de
Return-Path: karintfxnayfkries@isikradyo.com
Received-SPF: pass (isikradyo.com: 63.81.90.114 is authorized to use 'karintfxnayfkries@isikradyo.com' in 'mfrom' identity (mechanism 'ip4:63.81.90.0/24' matched)) receiver=pmg.xxx.de; identity=mailfrom; envelope-from="karintfxnayfkries@isikradyo.com"; helo=marked.isikradyo.com; client-ip=63.81.90.114
Received: from marked.isikradyo.com (marked.isikradyo.com [63.81.90.114])
    by pmg.xxx.de (Proxmox) with ESMTP id B9BAD220DA7
    for <ddd@xxx.de>; Fri, 21 May 2021 18:26:49 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=dkim; d=isikradyo.com;
 h=Date:Subject:Message-ID:From:List-Unsubscribe:MIME-Version:To:Content-Type:
 Content-Transfer-Encoding; i=karintfxnayfkries@isikradyo.com;
 bh=25YKLATOcK6LUYhkf4Ia1Kg0fiFx8a72AHYo0C2+h9k=;
 b=eArfDvwOOWqgnE/4SEfEwO+OEZAYQUeWocmhHRy7pNb5GoHhXWznYfPWel5J3B1+N8ZJbtPmifCl
   TrnbAzoZ5NF/HqwPwOStFaI3OCP8msdTk0byvKT86fZ2xcv+aW5iaL43F4Urr74gWdcszYmROEKB
   Wtw0Y8fFkVhH5zRqfjc=
Date: Fri, 21 May 2021 20:16:52 +0200
subject: SPAM: =?UTF-8?Q?Ist_der_Gartenschlauch_kurz=3F_Hier_ist_der_60_m_lange_Typ,_reicht_=C3=BCberallhin?=
Message-ID: <abbdeinxzie.7072433456188935700297149415789@isikradyo.com>
From: =?UTF-8?Q?Karin_Kries?= <karintfxnayfkries@isikradyo.com>
List-Unsubscribe: http://isikradyo.com/u/?b=3pi82481308bg7d9wnej32mzazt3jhs4b0e4
MIME-Version: 1.0
To:  <ddd@xxx.de>
X-Report-Abuse: http://isikradyo.com/a/?a=3pi82481308bg7d9wnej32mzazt3jhs4b0e4
Precedence: bulk
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-SPAM-LEVEL: Spam detection results:  3
    DKIM_SIGNED               0.1 Message has a DKIM or DK signature, not necessarily valid
    DKIM_VALID               -0.1 Message has at least one valid DKIM or DK signature
    DKIM_VALID_AU            -0.1 Message has a valid DKIM or DK signature from author's domain
    DKIM_VALID_EF            -0.1 Message has a valid DKIM or DK signature from envelope-from domain
    HK_RANDOM_ENVFROM       0.999 Envelope sender username looks random
    HK_RANDOM_FROM          0.999 From username looks random
    HTML_IMAGE_ONLY_24      1.282 HTML: images with 2000-2400 bytes of words
    HTML_MESSAGE            0.001 HTML included in message
    MIME_HTML_ONLY            0.1 Message only has text/html MIME parts
    SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
    SPF_PASS               -0.001 SPF: sender matches SPF record


<!DOCTYPE html><html><head><meta name=3D"charset" content=3D"utf-8"><meta c=
harset=3D"utf-8"><title></title></head><body>=0D
<table align=3D"center" border=3D"0" cellpadding=3D"0" cellspacing=3D"0" st=
yle=3D"width:650px;margin:0 auto;"><tbody><tr><td><font size=3D2 face=3DAri=
al b=C3=BCrokratisieren bluesform sohnem=C3=A4nner tr=C3=B6pfchenmethode Pr=
ojektilflugbahn einzuschreiben eisenbahner Siederei patrizierkleidung brenn=
 Entv=C3=B6lkerung bewachsen abenteurer lindwurm Imam Redaktionssitz sinnsp=
r=C3=BCche Affinit=C3=A4t treten>.</font><br></td></tr><tr><td>=0D
<p style=3D"line-height:22px;font-size:14px;"><a style=3D"border-bottom-sty=
le:solid; " href=3D"http://rq92z.isikradyo.com/jgp:3pi82481308bg7d9wnej32mz=
azt3jhs4b0e4"><img src=3D"http://tbh96.isikradyo.com/00.jpg" style=3D"paddi=
ng-bottom:3px; " alt=3D"" /></a>=0D
<br><a href=3D"http://rq92z.isikradyo.com/hzm:3pi82481308bg7d9wnej32mzazt3j=
hs4b0e4" style=3D"font-variant:normal; padding-top:0px; border-width:thick;=
 font:13px Arial, Helvetica, sans-serif italic boldinherit; border-top-widt=
h:0px; ">Preisvorteil: der b=C3=A4renstarke Gartenschla</a>=0D
<br></p></td></tr></tbody></table><br><br><div style=3D"text-align:center;"=
><a style=3D"background-color:#ffffff; border-top-style:double; margin-righ=
t:1px; top:0px; margin-left:1px;  font-size:12px;" href=3D"http://isikradyo=
.com/u/?qm=3D3pi82481308bg7d9wnej32mzazt3jhs4b0e4">Hier a bmelden</a></div>=
=0D
<img alt=3D"" src=3D"http://isikradyo.com/o/?qhf=3D3pi82481308bg7d9wnej32mz=
azt3jhs4b0e4"><br>
<font size=3D2 face=3DArial russlandreise oberschlei=C3=9Fheimer Kalpetran =
huldigungsfeier unsumme ungef=C3=A4hr kleefarn Silbe Gustav Nordpf=C3=A4lze=
r handeltreibend geschl=C3=BCrft Rechtsabbiegerspur matrik Schweinswurst vi=
err=C3=A4derig geh=C3=B6lzformation Schulzengut chlorartig einf=C3=A4ltig M=
osaikpflaster festgestampft Vinylplatte Verschalungsh=C3=B6lzer ammonheilig=
tum reviergr=C3=B6=C3=9Fe>.</font>
<br>Karin Kries<br><font size=3D2 face=3DArial unfallgesch=C3=A4digt Sektio=
nsgliederung kotelette besch=C3=A4ftigtenabbau Wandelung tausch schrittzuha=
lten kapuzinerstra=C3=9Fe nachgef=C3=BCgt Schuftigkeit zweitschw=C3=A4chste=
 zuwanderer b=C3=A4derheilkunde =C3=A4skulapschlange Tr=C3=A4ufeln unbeheiz=
t nichtrauchend retins=C3=A4ure Momentum Kobaltverbindung marken moll Ziste=
rzienserabt belladonna zusammenzust=C3=BCrzen Aufzug Surabaya jede Palmenar=
t konfirmandenblase syrienfreundlich>.</font>
</body></html>=

But how do I get the raw content of the delivered mails out of PMG?
The header in the source code of the delivered mails in the mail client looks different, I don't see the PMG scan results here?!

Code:
Received: from pmg.xxx.de (localhost [127.0.0.1])
    by pmg.xxx.de (Proxmox) with ESMTP id 8BFDF22137A
    for <nnn@xxx.de>; Fri, 21 May 2021 18:14:37 +0000 (UTC)
Received-SPF: pass (isikradyo.com: 63.81.90.114 is authorized to use 'carstenbpehknt@isikradyo.com' in 'mfrom' identity (mechanism 'ip4:63.81.90.0/24' matched)) receiver=pmg.xxx.de; identity=mailfrom; envelope-from="carstenbpehknt@isikradyo.com"; helo=marked.isikradyo.com; client-ip=63.81.90.114
Received: from marked.isikradyo.com (marked.isikradyo.com [63.81.90.114])
    by pmg.xxx.de (Proxmox) with ESMTP id CD584220DA7
    for <nnn@xxx.de>; Fri, 21 May 2021 18:14:32 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=dkim; d=isikradyo.com;
 h=Date:Subject:Message-ID:From:List-Unsubscribe:MIME-Version:To:Content-Type:
 Content-Transfer-Encoding; i=carstenbpehknt@isikradyo.com;
 bh=E2j27+M+Ze9IVw0P6SisJ0mep7zEyPT/l6orf3t3aYE=;
 b=LgSuA+7mBmIr6Yifv9QDQnuZmGfcbShRyV36MQlq+uwPfQsCE++d0Y2mW0G3oKeiiFd8mcfWQbSm
   hUEnoYiBH0sHxIw49aSg6YVy+0issq364OCx8za4VT9f7JYrp1mTAtU8H67ZeVIqGxje5XwfMoiD
   CcEQbL/hDXTJNDchhoA=
Date: Fri, 21 May 2021 20:10:49 +0200
Subject: =?UTF-8?Q?60_m_Gartenschlauch,_ultra_stark,_+_gratis_Spr=C3=BChpistole?=
Message-ID: <dgeczstymjv-72482925718701740661985751394362@isikradyo.com>
From: =?UTF-8?Q?Carsten?= <carstenbpehknt@isikradyo.com>
List-Unsubscribe: http://isikradyo.com/u/?b=dleip82481308817znw5yrfjbppyzfe608mn3r9j
MIME-Version: 1.0
To:  <nnn@xxx.de>
X-Report-Abuse: http://isikradyo.com/a/?a=dleip82481308817znw5yrfjbppyzfe608mn3r9j
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE html><html><head><meta name=3D"charset" content=3D"utf-8"><meta c=
harset=3D"utf-8"><title></title></head><body>=0D
<table align=3D"center" border=3D"0" cellpadding=3D"0" cellspacing=3D"0" st=
yle=3D"width:650px;margin:0 auto;"><tbody><tr><td><font size=3D2 face=3DAri=
al gefachsimpelt continuation Kultinventar Spinnkopfm=C3=BChle freischw=C3=
=B6mme Whiskyglas Fallenstellen oboenblatt Kaskosch=C3=A4den Niedrigzinspha=
se Kalium angeekelt oberzell hereinwerfen Kreditwesengesetz reliquienkreuz =
Inventar Abkling steinig drehbuchgem=C3=A4=C3=9F trickschilaufen Mol Gro=C3=
=9Fhadern Labyrinth naht grenoble marketenderwagen Demutshaltung zehnmeterb=
rett Detektivromanautor Panoptikum>.</font><br></td></tr><tr><td>=0D
<p style=3D"line-height:22px;font-size:14px;"><a style=3D"border-bottom-sty=
le:solid; " href=3D"http://rq92z.isikradyo.com/jgp:dleip82481308817znw5yrfj=
bppyzfe608mn3r9j"><img src=3D"http://tbh96.isikradyo.com/00.jpg" style=3D"p=
adding-bottom:3px; " alt=3D"" /></a>=0D
<br><a href=3D"http://rq92z.isikradyo.com/hzm:dleip82481308817znw5yrfjbppyz=
fe608mn3r9j" style=3D"font-variant:normal; padding-top:0px; border-width:th=
ick; font:13px Arial, Helvetica, sans-serif italic boldinherit; border-top-=
width:0px; ">Kann s.ich selbst in die L=C3=A4nge 60m z</a>=0D
<br></p></td></tr></tbody></table><br><br><div style=3D"text-align:center;"=
><a style=3D"background-color:#ffffff; border-top-style:double; margin-righ=
t:1px; top:0px; margin-left:1px;  font-size:12px;" href=3D"http://isikradyo=
.com/u/?qm=3Ddleip82481308817znw5yrfjbppyzfe608mn3r9j">Hier a bmelden</a></=
div>=0D
<img alt=3D"" src=3D"http://isikradyo.com/o/?qhf=3Ddleip82481308817znw5yrfj=
bppyzfe608mn3r9j"><br>
<font size=3D2 face=3DArial nichtindianisch canyon mitzulachen Exbotschafte=
r vorbeizubringen suffraganbischof Kr=C3=A4uselkrankheit grabungsst=C3=A4tt=
e R=C3=BCckw=C3=A4rtssalto Rangierfahrt eloxiert Kontextualismus superklug =
bachstelze Teichrohr Steckergeh=C3=A4use rentierherde>.</font>
<br>Carsten<br><font size=3D2 face=3DArial bovist fortschwimmen zubeh=C3=B6=
rmarkt Mononeuritis hinaufgelaufen austernmesser eifersucht Dompropstgemein=
de markusforschung Hermaphrodit altarabisch bodenorientiert abzuklatschen b=
ettelei trickschilaufen metropl=C3=A4ne hochgeschlossen Veteranenverband Fl=
=C3=BCggewerden Quittenbaum Galeerenkapit=C3=A4n paprizieren lostreten Eier=
n ortsgebunden>.</font>
</body></html>=
 
If the mail was already delivered, you have to check with the recipient for the email.
Btw, I did not see X-SPAM-LEVEL for your second email. Did you enable the default modify spam level header rules for all incoming email to your PMG?
 
This was copied from the source of the mail recipient.
As there is also a SpamAssassin running on the mail server (Zimbra) itself... could it be that the second SpamAssassin deletes the entries of the first one?
Here is the rest of the header:

Code:
Return-Path: <carstenbpehknt@isikradyo.com>
Received: from zimbra.xxx.de (LHLO zimbra.xxx.de)
 (192.168.2.2) by zimbra.xxx.de with LMTP; Fri, 21 May 2021
 18:14:38 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
    by zimbra.xxx.de (Postfix) with ESMTP id 0AA19C038F
    for <nnn@xxx.de>; Fri, 21 May 2021 18:14:38 +0000 (UTC)
X-Spam-Flag: NO
X-Spam-Score: 0.729
X-Spam-Level:
X-Spam-Status: No, score=0.729 required=6.6 tests=[ALL_TRUSTED=-1,
    BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
    DKIM_VALID_EF=-0.1, DMARC_PASS_NONE=-0.6, HTML_IMAGE_ONLY_24=1.618,
    HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, SPF_HELO_NONE=0.001,
    SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01] autolearn=no autolearn_force=no
Authentication-Results: zimbra.xxx.de (amavisd-new);
    dkim=pass (1024-bit key) header.d=isikradyo.com
Received: from zimbra.xxx.de ([127.0.0.1])
    by localhost (zimbra.xxx.de [127.0.0.1]) (amavisd-new, port 10032)
    with ESMTP id pkHR2h41yq55 for <nnn@xxx.de>;
    Fri, 21 May 2021 18:14:37 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
    by zimbra.xxx.de (Postfix) with ESMTP id C18ADC0AFB
    for <nnn@xxx.de>; Fri, 21 May 2021 18:14:37 +0000 (UTC)
X-Virus-Scanned: amavisd-new at xxx.de
Received: from zimbra.xxx.de ([127.0.0.1])
    by localhost (zimbra.xxx.de [127.0.0.1]) (amavisd-new, port 10026)
    with ESMTP id Igk5d5XP99Xa for <nnn@xxx.de>;
    Fri, 21 May 2021 18:14:37 +0000 (UTC)
Received: from pmg.xxx.de (unknown [192.168.2.5])
    by zimbra.xxx.de (Postfix) with ESMTP id 9EF5EC038F
    for <nnn@xxx.de>; Fri, 21 May 2021 18:14:37 +0000 (UTC)
 
I assume all incoming email will go through PMG first.
Did you enable modify X-SPAM-LEVEL header rules at top priority for all your incoming email?
 
Until now, my rules were all on factory defaults. However, I just set up a new rule with prio 99 "Modify Spam Level".
See attached screenshot. Ok like this?

[Attached screenshot: Bildschirmfoto 2021-05-23 um 09.04.42.png]
 
This original rule should be the same as your X-SPAM-LEVEL rule.
Usually I put it at the highest priority so that all incoming mail through PMG will get tagged with the X-SPAM-LEVEL header field.

[Image: 1621758338217.png]
 
Ok, the new rule works and the spammer is still active.
Once again, here are 2 examples. First one delivered:
Code:
Return-Path: <judithzpewawjwiesinger@isikradyo.com>
Received-SPF: pass (isikradyo.com: 63.81.90.130 is authorized to use 'judithzpewawjwiesinger@isikradyo.com' in 'mfrom' identity (mechanism 'ip4:63.81.90.0/24' matched)) receiver=pmg.xxx.de; identity=mailfrom; envelope-from="judithzpewawjwiesinger@isikradyo.com"; helo=graceful.isikradyo.com; client-ip=63.81.90.130
Received: from graceful.isikradyo.com (graceful.isikradyo.com [63.81.90.130])
    by pmg.xxx.de (Proxmox) with ESMTP id 22A9A220034
    for <nnn@xxx.de>; Sun, 23 May 2021 18:23:25 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=dkim; d=isikradyo.com;
 h=Date:Message-ID:Subject:List-Unsubscribe:MIME-Version:To:From:Content-Type:
 Content-Transfer-Encoding; i=judithzpewawjwiesinger@isikradyo.com;
 bh=EOsi1gEWlOyYpj/UcXjgLLW9V5LS/sYUQMEX56AEIRU=;
 b=G02eIplV3DS2W8sXwMY+SD42TXbQkzf6sPzQwgcfeyfW9t01C2J8VYbHjipev5z9TkTwp74+cnGI
   +iZtJI1FZggsUlniVtzfRV7apCa4zOZL6ArDx3aFvv787+gUSDcBrHMLPodacxadW4w6bBPITSGJ
   CU6Wnjk20n1esB9k4YE=
Date: Sun, 23 May 2021 20:17:45 +0200
Message-ID: <byiwmjbulbrxmhgzdyuarqmspy@isikradyo.com>
Subject: =?UTF-8?Q?Krankheiten_vorbeugen=3F_Neuer_Blutsauerstoff-_und_Pulsmesser_f=C3=BCr_Zuhause?=
List-Unsubscribe: http://isikradyo.com/u/?b=rco8q82672808817znw5yrfjbppyzfe608mz0ivm
X-Report-Abuse: http://isikradyo.com/a/?a=rco8q82672808817znw5yrfjbppyzfe608mz0ivm
MIME-Version: 1.0
To:  <nnn@xxx.de>
From: =?UTF-8?Q?Judith_Wiesinger?= <judithzpewawjwiesinger@isikradyo.com>
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
PMG-SPAM-LEVEL: Spam detection results:  1
    DKIM_SIGNED               0.1 Message has a DKIM or DK signature, not necessarily valid
    DKIM_VALID               -0.1 Message has at least one valid DKIM or DK signature
    DKIM_VALID_AU            -0.1 Message has a valid DKIM or DK signature from author's domain
    DKIM_VALID_EF            -0.1 Message has a valid DKIM or DK signature from envelope-from domain
    HTML_IMAGE_ONLY_24      1.282 HTML: images with 2000-2400 bytes of words
    HTML_MESSAGE            0.001 HTML included in message
    MIME_HTML_ONLY            0.1 Message only has text/html MIME parts
    SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
    SPF_PASS               -0.001 SPF: sender matches SPF record
    T_REMOTE_IMAGE           0.01 Message contains an external image

<!DOCTYPE html><html><head><meta name=3D"charset" content=3D"utf-8"><meta c=
harset=3D"utf-8"><title></title></head><body>=0D
<table align=3D"center" border=3D"0" cellpadding=3D"0" cellspacing=3D"0" st=
yle=3D"width:650px;margin:0 auto;"><tbody><tr><td><font size=3D2 face=3DAri=
al Umlagezahlung brustkrebsbedingt k=C3=B6derwurm Schwelen Wohlstandspyrami=
de Vorortbereich ried=C3=BCbersicht stauaufladung Lehmbruck Schw=C3=BClstig=
keit Seenplatte Beispielhaftigkeit tresorschl=C3=BCssel kindstaufe Nachempf=
inden Wilhelmstein lautschrift>.</font><br></td></tr><tr><td>=0D
<p style=3D"line-height:22px;font-size:14px;"><a href=3D"http://atd50.isikr=
adyo.com/egy:rco8q82672808817znw5yrfjbppyzfe608mz0ivm" style=3D"margin-righ=
t:auto; top:3px; width:auto; "><img alt=3D"" style=3D"margin-left:auto; " s=
rc=3D"http://r7302.isikradyo.com/00.jpg" /></a>=0D
<br><a href=3D"http://atd50.isikradyo.com/cjj:rco8q82672808817znw5yrfjbppyz=
fe608mz0ivm" style=3D"margin-bottom:2px; font:13px Courier New, Courier, mo=
nospace normal boldinherit; ">M=C3=B6chten Sie Ihren K=C3=B6rper im B-lick =
haben? Puls-oximeter f=C3=BCr Zuha</a>=0D
<br></p></td></tr></tbody></table><br><br><div style=3D"text-align:center;"=
><a style=3D"font-size:12px; background-color:#ffffff; border-bottom-width:=
0px; padding-right:0px; border-left:dashed 3px #cc0000; height:auto; paddin=
g-bottom:1px; " href=3D"http://isikradyo.com/u/?k6e=3Drco8q82672808817znw5y=
rfjbppyzfe608mz0ivm">Bitte um L=C3=B6schen der eingetragenen E-Mail-Adresse=
 aus dem Verteiler</a></div>=0D
<img alt=3D"" src=3D"http://isikradyo.com/o/?t08=3Drco8q82672808817znw5yrfj=
bppyzfe608mz0ivm"><br>
<font size=3D2 face=3DArial h=C3=B6herstufig S=C3=BChnecharakter kunstliedz=
yklus fremdvergab Silvaner baryt parabelbelehrung Klettenzelle heraufhalf k=
arbonatgehalt Gasentladungsr=C3=B6hre bewehrung straps p=C3=A4dagogisch Sch=
afsm=C3=A4gen Gestenspiel Erw=C3=A4rmungsprozess vereinigungsrecht italienz=
ug nachzul=C3=B6sen Fehdewesen normenlogisch gesummt>.</font>
<br>Judith Wiesinger<br><font size=3D2 face=3DArial obm=C3=A4nnin endspurtp=
hase Landnahmebuch Laufzeittyppr=C3=BCfung Struktogramm aderig hexadezimalz=
ahl Tumoreinbruch phosphorylchlorid linearit=C3=A4t anzumuten ried=C3=BCber=
sicht gek=C3=B6dert Szenario neckarsuebisch dinosaurierfossil kabellos Kelt=
e Dornbirner>.</font>
</body></html>=

Here is the second example, this one was quarantined:
Code:
Return-Path: jenssxpzzwwfelmeden@isikradyo.com
Received-SPF: pass (isikradyo.com: 63.81.90.130 is authorized to use 'jenssxpzzwwfelmeden@isikradyo.com' in 'mfrom' identity (mechanism 'ip4:63.81.90.0/24' matched)) receiver=pmg.xxx.de; identity=mailfrom; envelope-from="jenssxpzzwwfelmeden@isikradyo.com"; helo=graceful.isikradyo.com; client-ip=63.81.90.130
Received: from graceful.isikradyo.com (graceful.isikradyo.com [63.81.90.130])
    by pmg.xxx.de (Proxmox) with ESMTP id DC0AD220034
    for <www@xxx.de>; Sun, 23 May 2021 18:32:03 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=dkim; d=isikradyo.com;
 h=Date:Message-ID:Subject:List-Unsubscribe:MIME-Version:To:From:Content-Type:
 Content-Transfer-Encoding; i=jenssxpzzwwfelmeden@isikradyo.com;
 bh=dLp89t2C3JE9G7+JR58ulgk2q/A0wgiqoNk/8EQot1o=;
 b=Lh++k8RbnlDg68ZgkfAuZtIist3UngsvFQ1mPprZExJyeN47QXPJ6DYChF+mCh21EJDABgFmqm0U
   mmpNN5+VJx0OQlxY2mHoSr/eUgh4tYjUrrrrtD1wfwz//kRN7Dq5z/xdGw7UAUkVi105RZm4bqjU
   V4Fz7ILye+aXmFEgcmU=
Date: Sun, 23 May 2021 20:18:34 +0200
Message-ID: <ndkmjqbgbmkilyjbwzhtrohlqrmcntsfo@isikradyo.com>
subject: SPAM: =?UTF-8?Q?M=C3=B6chten_Sie_Ihren_K=C3=B6rper_im_Blick_haben=3F_Pulsoximeter_f=C3=BCr_Zuhause?=
List-Unsubscribe: http://isikradyo.com/u/?b=nest82672808bh6bqtbrghy6h0xp56ac7zvui1
X-Report-Abuse: http://isikradyo.com/a/?a=nest82672808bh6bqtbrghy6h0xp56ac7zvui1
MIME-Version: 1.0
To:  <www@xxx.de>
From: =?UTF-8?Q?Jens_Felmeden?= <jenssxpzzwwfelmeden@isikradyo.com>
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
PMG-SPAM-LEVEL: Spam detection results:  3
    DKIM_SIGNED               0.1 Message has a DKIM or DK signature, not necessarily valid
    DKIM_VALID               -0.1 Message has at least one valid DKIM or DK signature
    DKIM_VALID_AU            -0.1 Message has a valid DKIM or DK signature from author's domain
    DKIM_VALID_EF            -0.1 Message has a valid DKIM or DK signature from envelope-from domain
    FROM_LOCAL_NOVOWEL        0.5 From: localpart has series of non-vowel letters
    HK_RANDOM_ENVFROM       0.999 Envelope sender username looks random
    HK_RANDOM_FROM          0.999 From username looks random
    HTML_IMAGE_ONLY_24      1.282 HTML: images with 2000-2400 bytes of words
    HTML_MESSAGE            0.001 HTML included in message
    MIME_HTML_ONLY            0.1 Message only has text/html MIME parts
    SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
    SPF_PASS               -0.001 SPF: sender matches SPF record
    T_REMOTE_IMAGE           0.01 Message contains an external image


<!DOCTYPE html><html><head><meta name=3D"charset" content=3D"utf-8"><meta c=
harset=3D"utf-8"><title></title></head><body>=0D
<table align=3D"center" border=3D"0" cellpadding=3D"0" cellspacing=3D"0" st=
yle=3D"width:650px;margin:0 auto;"><tbody><tr><td><font size=3D2 face=3DAri=
al mikrofotografisch Mehrj=C3=A4hrigkeit intimpflege Sabbatdiskussion verab=
scheuend papistisch sausewind Abblenden inhaltsschwer F=C3=BC=C3=9Fling ost=
europ=C3=A4er warrant Havelland f=C3=BCllungsd=C3=BCse Abqu=C3=A4len dreite=
ilen Don kloake zub=C3=A4nde kn=C3=A4uelstruktur unvermerkt Pyramidenforsch=
er kapitellartig ausrichtungsnadel wegebau parabelflug Vorlesungss=C3=A4le>=
.</font><br></td></tr><tr><td>=0D
<p style=3D"line-height:22px;font-size:14px;"><a href=3D"http://atd50.isikr=
adyo.com/egy:nest82672808bh6bqtbrghy6h0xp56ac7zvui1" style=3D"margin-right:=
auto; top:3px; width:auto; "><img alt=3D"" style=3D"margin-left:auto; " src=
=3D"http://r7302.isikradyo.com/00.jpg" /></a>=0D
<br><a href=3D"http://atd50.isikradyo.com/cjj:nest82672808bh6bqtbrghy6h0xp5=
6ac7zvui1" style=3D"margin-bottom:2px; font:13px Courier New, Courier, mono=
space normal boldinherit; ">Haben Sie noch keinen .</a>=0D
<br></p></td></tr></tbody></table><br><br><div style=3D"text-align:center;"=
><a style=3D"font-size:12px; background-color:#ffffff; border-bottom-width:=
0px; padding-right:0px; border-left:dashed 3px #cc0000; height:auto; paddin=
g-bottom:1px; " href=3D"http://isikradyo.com/u/?k6e=3Dnest82672808bh6bqtbrg=
hy6h0xp56ac7zvui1">Bitte um L=C3=B6schen der eingetragenen E-Mail-Adresse a=
us dem Verteiler</a></div>=0D
<img alt=3D"" src=3D"http://isikradyo.com/o/?t08=3Dnest82672808bh6bqtbrghy6=
h0xp56ac7zvui1"><br>
<font size=3D2 face=3DArial kasachisch dichte hessenwahl talentvoll Werftar=
beit murks Setzdruck Schokorosine Bugsieren Immigration instanzgericht Ando=
ckvorrichtung Schwarzw=C3=A4lder dahingewelkt Nymphensittich erbost Aar wet=
tl=C3=A4uft>.</font>
<br>Jens Felmeden<br><font size=3D2 face=3DArial pinie Monegasse bohairisch=
 Dinklage hemdblusenkleid alterfahren k=C3=BCrbiskern=C3=B6l gewebsentstehu=
ng umpolen vollzuladen springtide mediterran westerl=C3=A4nder mittelmeerst=
r=C3=A4nde ausgeschaltet Demokratisieren helgoland Sylt zusammenschweissen =
niedervoltspannung arcuscosinus Pomp>.</font>
</body></html>=

Why does PMG treat these mails differently?
Is there any way to modify its settings so that all of these mails are marked as spam?
 
I always treat the default SpamAssassin rules as basic/general rules. They may or may not work for everyone.
You should always configure/customize PMG spam detection based on your use cases or environment using PMG's mail filters or custom SpamAssassin rules/scores.

Below are 3 different SpamAssassin rules/scores between the 2 spam mails. You have to investigate which rules match the header fields.
I do believe both spam mails are not 100% identical.

[Image: 1621821022589.png]

Code:
header FROM_LOCAL_NOVOWEL       From =~ /[bcdfgjklmnpqrstvwxz]{7}\S*\@/i

header          HK_RANDOM_ENVFROM        EnvelopeFrom =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi

header          HK_RANDOM_FROM              From:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
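
Added example (not part of the original posts, and not PMG or SpamAssassin code): the three rules quoted above, ported to Python regexes and run against the sender addresses that appear in this thread, to show that the score difference comes from whether the local part happens to contain a long enough consonant run. It assumes the envelope sender and the From: address are identical, as they are in the posted samples; the function names are hypothetical.

```python
import re

# Patterns copied from the rules quoted in the post above (Perl /mi -> re.M | re.I).
_HK_RANDOM = (
    r"^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr)"
    r"|[^@]{26}|.*?@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus)\.[a-z]{2,3}$)"
    r"[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})"
)

# rule name -> (compiled pattern, score as printed in the thread's PMG reports)
RULES = {
    "FROM_LOCAL_NOVOWEL": (re.compile(r"[bcdfgjklmnpqrstvwxz]{7}\S*\@", re.I), 0.5),
    "HK_RANDOM_ENVFROM": (re.compile(_HK_RANDOM, re.M | re.I), 0.999),
    "HK_RANDOM_FROM": (re.compile(_HK_RANDOM, re.M | re.I), 0.999),
}

# Sender addresses taken from the logs and headers posted in this thread.
SENDERS = [
    "carstenbpehknt@isikradyo.com",          # mail 1, delivered
    "karintfxnayfkries@isikradyo.com",       # mail 2, quarantined
    "laurazsrhnst@isikradyo.com",            # mail 3, delivered
    "judithzpewawjwiesinger@isikradyo.com",  # second pair, delivered
    "jenssxpzzwwfelmeden@isikradyo.com",     # second pair, quarantined
]


def rule_hits(address):
    """Names of the three rules that fire when `address` is used both as the
    envelope sender and as the From: address (assumption, see lead-in)."""
    return sorted(name for name, (rx, _) in RULES.items() if rx.search(address))


def added_score(address):
    """Points these three rules add to the SpamAssassin total for `address`."""
    return round(sum(RULES[name][1] for name in rule_hits(address)), 3)


def longest_run(address, letters="bcdfgjklmnpqrtvwxz"):
    """Longest run of `letters` in the local part. The default class is the one
    HK_RANDOM_* uses (no h, s or y), which needs a run of at least 5."""
    local = address.split("@", 1)[0].lower()
    return max(re.findall(f"[{letters}]+", local), key=len, default="")


if __name__ == "__main__":
    for sender in SENDERS:
        print(f"{sender:40} run={longest_run(sender)!r:12} "
              f"+{added_score(sender):<6} {rule_hits(sender)}")
```

The delivered senders never reach five consecutive letters from the HK_RANDOM class, so they stay below the Level 3 quarantine rule; a custom rule or score that does not depend on the local part is needed to treat all of these mails the same.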