SPAM from dynamically generated domains

mike123

Member
Jun 3, 2019
Hello!

Can anyone tell me how to deal with spam from dynamically generated domains in a zone like .com?

The fact is that SA does not score any points for it at all. Obviously the scores of these rules could be raised (by custom settings), but changing those values can greatly increase false positives on legitimate mail.

SA score=0/5 time=3.885 bayes=undefined autolearn=ham autolearn_force=no hits=AWL(0.083), HTML_MESSAGE(0.001), KAM_DMARC_STATUS(0.01), MISSING_MIME_HB_SEP(0.001), SPF_HELO_PASS(-0.001), SPF_HELO_PASS(-0.001), SPF_HELO_PASS(-0.001), SPF ), T_REMOTE_IMAGE(0.01), URIBL_BLOCKED(0.001)


Here is a domain that spam came from:
Aug 25 04:17:13 mailgw postfix/smtpd[16822]: connect from wakeceremony.com[173.44.175.137]
Aug 25 04:17:14 mailgw postfix/smtpd[16822]: 4E56C10039B: client=wakeceremony.com[173.44.175.137]


But if you do an nslookup of the MX record for this domain, the MX record points to the Google servers ...

wakeceremony.com MX preference = 10, mail exchanger = aspmx.l.google.com

aspmx.l.google.com internet address = 64.233.164.26
aspmx.l.google.com AAAA IPv6 address = 2a00:1450:4010:c03::1b

Although Postfix seems to check the IP of the domain wakeceremony.com, not its MX record.

If you ping the domain
ping wakeceremony.com

then yes, it is this IP:
Pinging wakeceremony.com [173.44.175.137] with 32 bytes of data:
Reply from 173.44.175.137: bytes=32 time=155ms TTL=52
Reply from 173.44.175.137: bytes=32 time=155ms TTL=52



Please, does anyone know how to deal with such spam?
All applicable anti-spam options in PMG are enabled, greylisting too.
 

Attachments: PMg.JPG (118 KB)
The behavior you describe is not unusual for e-mail: the MX is only the address where mail _for_ a domain should be sent to. This does not (necessarily) have anything to do with where mail _from_ a domain gets sent from.

The one thing in your log that indicates SpamAssassin is not working well is:
URIBL_BLOCKED
It seems your configured DNS server is over quota at URIBL; this usually harms spam detection quite severely.

check the getting started page
https://pmg.proxmox.com/wiki/index.php/Getting_started_with_Proxmox_Mail_Gateway
- and especially the article about setting up a recursive DNS Server on your PMG:
https://pmg.proxmox.com/wiki/index.php/DNS_server_on_Proxmox_Mail_Gateway

I hope this helps!
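To make the two points of this answer concrete (the connecting IP is unrelated to the MX, and URIBL_BLOCKED means the URIBL lookups returned nothing usable), here is an added diagnostic script. It is not part of PMG or SpamAssassin; it parses the "SA score=..." line and the postfix connect line from the post above (reproduced as constructed sample input, whitespace normalised and the truncated "SPF )" fragment dropped) and reports why the message scored zero. The rule-name prefixes used to recognise DNS-based rules (RCVD_IN_, URIBL_) are SpamAssassin's stock naming; the finding texts are the script's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input, adapted from the log lines in the post above.
SA_LINE = (
    "SA score=0/5 time=3.885 bayes=undefined autolearn=ham autolearn_force=no "
    "hits=AWL(0.083),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),"
    "MISSING_MIME_HB_SEP(0.001),SPF_HELO_PASS(-0.001),SPF_PASS(-0.001),"
    "T_REMOTE_IMAGE(0.01),URIBL_BLOCKED(0.001)"
)
POSTFIX_LINE = (
    "Aug 25 04:17:13 mailgw postfix/smtpd[16822]: "
    "connect from wakeceremony.com[173.44.175.137]"
)

# SpamAssassin names its DNS-based rules RCVD_IN_* (IP DNSBLs) and URIBL_* (URI lists).
DNSBL_PREFIXES = ("RCVD_IN_", "URIBL_")

_SCORE_RE = re.compile(r"score=(-?\d+(?:\.\d+)?)/(-?\d+(?:\.\d+)?)")
# Tolerates both "RULE(0.1)" and "RULE (0.1)" spellings.
_HIT_RE = re.compile(r"([A-Z][A-Z0-9_]+)\s*\(\s*(-?\d+(?:\.\d+)?)\s*\)")


@dataclass
class SAResult:
    score: float
    threshold: float
    hits: Dict[str, float] = field(default_factory=dict)  # rule name -> contribution


def parse_sa_line(line: str) -> SAResult:
    """Parse a PMG 'SA score=x/y ... hits=...' log line into score, threshold and rule hits."""
    m = _SCORE_RE.search(line)
    if not m:
        raise ValueError("no 'score=x/y' field in line")
    hits_part = line.split("hits=", 1)[1] if "hits=" in line else ""
    hits = {name: float(val) for name, val in _HIT_RE.findall(hits_part)}
    return SAResult(float(m.group(1)), float(m.group(2)), hits)


def diagnose(result: SAResult) -> List[str]:
    """Explain a low score: blocked URIBL lookups, no DNSBL rule fired, below threshold."""
    findings = []
    if "URIBL_BLOCKED" in result.hits:
        # URIBL answers 127.0.0.1 to resolvers it refuses (over quota / shared public
        # resolver); SpamAssassin turns that answer into URIBL_BLOCKED. The real
        # URIBL_* lookups produced nothing, so a local recursive resolver is needed.
        findings.append("URIBL_BLOCKED: the resolver SpamAssassin uses is refused by URIBL; "
                        "URIBL lookups contributed nothing. Use a local recursive resolver.")
    dns_hits = [r for r in result.hits
                if r.startswith(DNSBL_PREFIXES) and r != "URIBL_BLOCKED"]
    if not dns_hits:
        findings.append("no RCVD_IN_*/URIBL_* rule fired: sender unlisted, or DNS lookups not working")
    if result.score < result.threshold:
        findings.append(f"score {result.score} < threshold {result.threshold}: passed as ham")
    return findings


def client_ip_from_connect_line(line: str) -> Optional[str]:
    """Extract the connecting IP from a postfix/smtpd 'connect from host[ip]' line.

    This IP (the actual sending host) is what IP DNSBLs are queried for; the
    domain's MX record plays no part in it.
    """
    m = re.search(r"connect from \S+\[([0-9a-fA-F.:]+)\]", line)
    return m.group(1) if m else None


if __name__ == "__main__":
    res = parse_sa_line(SA_LINE)
    print(f"score {res.score}/{res.threshold}, {len(res.hits)} rules hit")
    for finding in diagnose(res):
        print(" -", finding)
    print("connecting IP:", client_ip_from_connect_line(POSTFIX_LINE))
```

Run it against your own /var/log/mail.log lines: as long as URIBL_BLOCKED shows up in the findings, the URI-based part of SpamAssassin is effectively switched off, whatever the other rules say.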
 


And what if I do not use this provider, URIBL (I have never used it before)?

I only have
bl.spamcop.net, bl.blocklist.de, xbl.spamhaus.org, zen.spamhaus.org, pbl.spamhaus.org, b.barracudacentral.org
but none of them produce a _BLOCKED hit.

Is it configured somewhere in the SA configs or in Postfix?
 
Since you are using bl.spamcop.net, bl.blocklist.de and zen.spamhaus.org as your DNSBL sites, they will only work when the IP (173.44.175.137) is listed on the DNSBL site. As I check now, only spamhaus.org lists the IP in their blacklist. FYI, a suspicious IP/domain may not get listed immediately on a DNSBL site.

Btw, you only need to use zen.spamhaus.org as it contains xbl and pbl (https://www.spamhaus.org/zen/), and spamhaus.org does not work well with Google DNS. Use another DNS server when querying spamhaus.org.

You can always use http://multirbl.valli.org/lookup/173.44.175.137.html to check the blacklists.

Besides using DNSBLs, utilize the Mail Rules filter to quarantine/block suspected spam. Filtering on domain/email/subject works great.
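As an added illustration of what this answer describes (not code from PMG, SpamAssassin or Spamhaus), the following script builds DNSBL query names for the sender IP from the thread, strips the Spamhaus sub-zones that zen already covers, and interprets zen's answers. The return codes and the three error answers (typing error, query via a public/open resolver such as Google DNS, excessive queries) are the ones published at https://www.spamhaus.org/zen/; the "public/open resolver" answer is why Spamhaus "does not work well with Google DNS". The IP and the zone list are taken from the posts above; only the `lookup` function touches the network, the rest runs offline.

```python
import ipaddress
import socket
from typing import Dict, List

# Sender IP from the postfix log in the thread, and the zones the poster configured.
SENDER_IP = "173.44.175.137"
CONFIGURED_ZONES = ["bl.spamcop.net", "bl.blocklist.de", "xbl.spamhaus.org",
                    "zen.spamhaus.org", "pbl.spamhaus.org", "b.barracudacentral.org"]
# Zones whose data is already contained in zen.spamhaus.org.
ZEN_SUBZONES = {"sbl.spamhaus.org", "xbl.spamhaus.org", "pbl.spamhaus.org",
                "sbl-xbl.spamhaus.org"}

# Return codes documented for zen.spamhaus.org: which list produced the hit.
ZEN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL (CSS)",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.9": "SBL (DROP)",
    "127.0.0.10": "PBL (ISP maintained)",
    "127.0.0.11": "PBL (Spamhaus maintained)",
}
# Error answers: the IP is NOT listed; the query itself was rejected.
ZEN_ERRORS: Dict[str, str] = {
    "127.255.255.252": "typing error in DNSBL name",
    "127.255.255.254": "query via a public/open resolver (e.g. Google DNS); answers are refused",
    "127.255.255.255": "excessive number of queries from this resolver",
}


def dnsbl_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: IPv4 octets (or IPv6 nibbles) reversed, then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        rev = ".".join(reversed(str(addr).split(".")))
    else:
        rev = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{rev}.{zone}"


def interpret_zen(answers: List[str]) -> Dict[str, object]:
    """Classify A records returned for a zen.spamhaus.org query (empty list = NXDOMAIN = not listed)."""
    lists, errors = [], []
    for a in answers:
        if a in ZEN_ERRORS:
            errors.append(ZEN_ERRORS[a])
        elif a in ZEN_CODES:
            lists.append(ZEN_CODES[a])
        else:
            errors.append(f"unexpected answer {a}")
    # Treat any error answer as "unknown", never as "listed".
    return {"listed": bool(lists) and not errors, "lists": lists, "errors": errors}


def dedupe_zones(zones: List[str]) -> List[str]:
    """Drop Spamhaus sub-zones when zen is configured; they repeat zen's data and cost extra queries."""
    if "zen.spamhaus.org" in zones:
        return [z for z in zones if z not in ZEN_SUBZONES]
    return list(zones)


def lookup(ip: str, zone: str) -> List[str]:
    """Live query through the system resolver; needs network. NXDOMAIN -> [] (not listed)."""
    try:
        infos = socket.getaddrinfo(dnsbl_name(ip, zone), None, socket.AF_INET)
        return sorted({info[4][0] for info in infos})
    except socket.gaierror:
        return []


if __name__ == "__main__":
    for zone in dedupe_zones(CONFIGURED_ZONES):
        answers = lookup(SENDER_IP, zone)
        print(f"{zone}: {answers or 'not listed / no answer'}")
        if zone == "zen.spamhaus.org":
            print("   ", interpret_zen(answers))
```

If the zen line prints the "public/open resolver" error, the host's resolver (for instance 8.8.8.8 reached through a forwarding DC) is the problem, not the blocklist; the fix is the same local recursive resolver recommended in the earlier answer.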
 
And what if I do not use this provider, URIBL (I have never used it before)?
It is used in the default install of SpamAssassin (which is also the part where the log line with URIBL_BLOCKED comes from); check https://help.directadmin.com/item.php?id=666 (and the wiki pages I linked above).

Unless you actively disable it via a custom SpamAssassin configuration, it gets used in PMG.

I hope this explains it!
 


I only have the internal DNS of the AD DC registered in this file.
The DC, in turn, uses my ISP's DNS ..


In any case, thank you very much for your answers and advice.

I will figure out the rest myself.
 
