SPAM from Microsoft and Google Servers

Dec 27, 2020
89
14
8
42
I cannot seem to find any articles in my quick 5 minute search - please link if there were anything and appreciate your time.

We are getting a lot of emails originating from Microsoft and Google servers which are clearly SPAM, however they obviously pass most test especially when they are mostly text. They are either free Gmail/Outlook accounts or compromised accounts/domains on their platforms which is quite annoying.

Yes I have done some additional filtering:
  • Based on words and word count (eg. SEO, Sexually Explicit etc)
  • Based on email address (return/reply etc)
  • Based on attachments
  • Based on Crypto and AV renewals etc (AV currently is the most annoyoing)
What do others do to filter out emails originating from legitimate sources (this extends to Yahoo to a lesser degree) or is there a way to create a rule if the email doesnt exist in contacts in the last 30-60 days, automatically quarantine it?
 
Last edited:
  • Like
Reactions: team2021

Robstarusa

Active Member
Feb 19, 2009
79
3
28
I've had this happen recently...I made a rule to dump all @gmail.com in the quarantine bin by default. Users can go whitelist who they want and the rest you'll never see. I made the following objects/rules:

Whitelist should be 85 (so it gets hit first)

Mail Filter -> Who Objects -> Add -> Domain
gmail.com

Mail Filter -> Add
Name: Gmail
Priority: 84
Direction: In

Used Objects -> Name -> Action Objects
Quarantine
Used Objects -> Name -> From
Gmail

I don't know if this is a solution for you, but hopefully it can help someone. Get users used to check their quarantine email when somethjing is missing or once a day. They only need to whitelist quarantined inbound once and never again for that person.
 
Last edited:

Stoiko Ivanov

Proxmox Staff Member
Staff member
May 2, 2018
6,968
1,080
164
We are getting a lot of emails originating from Microsoft and Google servers which are clearly SPAM, however they obviously pass most test especially when they are mostly text. They are either free Gmail/Outlook accounts or compromised accounts/domains on their platforms which is quite annoying.
please share the complete logs (anonymize only your sensitive data - and not the spam-hits!) - maybe we can see some option for improvment
 
Dec 27, 2020
89
14
8
42
I've had this happen recently...I made a rule to dump all @gmail.com in the quarantine bin by default. Users can go whitelist who they want and the rest you'll never see. I made the following objects/rules:

Whitelist should be 85 (so it gets hit first)

Mail Filter -> Who Objects -> Add -> Domain
gmail.com

Mail Filter -> Add
Name: Gmail
Priority: 84
Direction: In

Used Objects -> Name -> Action Objects
Quarantine
Used Objects -> Name -> From
Gmail

I don't know if this is a solution for you, but hopefully it can help someone. Get users used to check their quarantine email when somethjing is missing or once a day. They only need to whitelist quarantined inbound once and never again for that person.

Yes, I was looking at this strategy and even considered going further to block entire SMTP domains *.google.com or *.outlook.com to stop them and any associated domains coming in as over the last month more were getting through than usual.

However that would have created more problems for me and telling users to check their quarantine, let alone bookmark it, its easier for them to just complain to me. :mad:
 

hata_ph

Well-Known Member
Nov 13, 2019
830
168
48
43
I would suggest setup subject regex rules to filter spam mail.
 
Dec 27, 2020
89
14
8
42
please share the complete logs (anonymize only your sensitive data - and not the spam-hits!) - maybe we can see some option for improvment

Code:
May 31 02:02:41 spam postfix/smtpd[50460]: connect from mail-il1-f195.google.com[209.85.166.195]
May 31 02:02:42 spam postfix/smtpd[50460]: Anonymous TLS connection established from mail-il1-f195.google.com[209.85.166.195]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
May 31 02:02:46 spam postfix/smtpd[50460]: 22968180B78: client=mail-il1-f195.google.com[209.85.166.195]
May 31 02:02:46 spam postfix/cleanup[50525]: 22968180B78: info: header From: ayusi1181@gmail.com from mail-il1-f195.google.com[209.85.166.195]; from=<ayusi1181@gmail.com> to=<john@DOMAIN.com> proto=ESMTP helo=<mail-il1-f195.google.com>
May 31 02:02:46 spam postfix/cleanup[50525]: 22968180B78: info: header To: <john@DOMAIN.com> from mail-il1-f195.google.com[209.85.166.195]; from=<ayusi1181@gmail.com> to=<john@DOMAIN.com> proto=ESMTP helo=<mail-il1-f195.google.com>
May 31 02:02:46 spam postfix/cleanup[50525]: 22968180B78: info: header Subject: Your order invoice #63873 from mail-il1-f195.google.com[209.85.166.195]; from=<ayusi1181@gmail.com> to=<john@DOMAIN.com> proto=ESMTP helo=<mail-il1-f195.google.com>
May 31 02:02:46 spam postfix/cleanup[50525]: 22968180B78: message-id=<162201d8742e$a7983f40$f6c8bdc0$@gmail.com>
May 31 02:02:46 spam postfix/qmgr[1168]: 22968180B78: from=<ayusi1181@gmail.com>, size=46533, nrcpt=1 (queue active)
May 31 02:02:46 spam pmg-smtp-filter[50592]: 1A04CB6294EAA623C15: new mail message-id=<162201d8742e$a7983f40$f6c8bdc0$@gmail.com>#012
May 31 02:02:50 spam pmg-smtp-filter[50592]: 1A04CB6294EAA623C15: SA score=0/5 time=3.767 bayes=0.00 autolearn=ham autolearn_force=no hits=BAYES_00(-1.9),DKIMWL_WL_MEDHIGH(-3.19),DKIM_SIGNED(0.1),DKIM_VALID(-1.5),DKIM_VALID_AU(-1),DKIM_VALID_EF(-1),FREEMAIL_ENVFROM_END_DIGIT(0.25),FREEMAIL_FROM(0.001),HTML_FONT_LOW_CONTRAST(0.001),HTML_MESSAGE(0.001),KAM_NUMSUBJECT(0.5),LOTS_OF_MONEY(0.001),RCVD_IN_DNSWL_NONE(-0.0001),RCVD_IN_MSPIKE_H2(-0.3),SPF_HELO_NONE(0.001),SPF_PASS(-0.001),T_SCC_BODY_TEXT_LINE(-0.01)
May 31 02:02:50 spam pmg-smtp-filter[50592]: 1A04CB6294EAA623C15: accept mail to <john@DOMAIN.com> (0A398180BBB) (rule: default-accept)
May 31 02:02:50 spam pmg-smtp-filter[50592]: 1A04CB6294EAA623C15: processing time: 3.902 seconds (3.767, 0.052, 0.026)
May 31 02:02:50 spam postfix/lmtp[50534]: 22968180B78: to=<john@DOMAIN.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=7.5, delays=3.6/0/0/3.9, dsn=2.5.0, status=sent (250 2.5.0 OK (1A04CB6294EAA623C15))
May 31 02:02:50 spam postfix/qmgr[1168]: 22968180B78: removed
May 31 02:03:17 spam postfix/smtpd[50460]: disconnect from mail-il1-f195.google.com[209.85.166.195] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=1 quit=1 commands=7

May 31 02:02:50 spam pmg-smtp-filter[50592]: 1A04CB6294EAA623C15:
SA score=0/5 time=3.767 bayes=0.00 autolearn=ham autolearn_force=no hits=
BAYES_00(-1.9),
DKIMWL_WL_MEDHIGH(-3.19),
DKIM_SIGNED(0.1),
DKIM_VALID(-1.5),
DKIM_VALID_AU(-1),
DKIM_VALID_EF(-1),
FREEMAIL_ENVFROM_END_DIGIT(0.25),
FREEMAIL_FROM(0.001),
HTML_FONT_LOW_CONTRAST(0.001),
HTML_MESSAGE(0.001),
KAM_NUMSUBJECT(0.5),
LOTS_OF_MONEY(0.001),
RCVD_IN_DNSWL_NONE(-0.0001),
RCVD_IN_MSPIKE_H2(-0.3),
SPF_HELO_NONE(0.001),
SPF_PASS(-0.001),
T_SCC_BODY_TEXT_LINE(-0.01)

Ignore the DKIM_VALID as I was experimenting with fixed scores.

Yes I could adjust the Whitelist (DKIMWL, MSPIKE), however it would still pass as there are no other SPAM hits that would identify these spam uniquely without impacting legitimate emails.

What I noticed is that all the emails appear unique and only hit once, and its those that gets through. Thats why I was hoping someone had a way to implement a method to check if the sender had sent historically and if not, just can it. Or if an address book can be maintained that would be even better to cross-reference if email is replied historically.
 
Dec 27, 2020
89
14
8
42
I would suggest setup subject regex rules to filter spam mail.

Yes I have tried and that stopped some - although the subject has a tendency of changing. I was working on META scores last time, but didnt finish and isnt working, but the idea was:

Code:
body     __PSW_1         /IT HelpDesk/i
body     __PSW_2         /password Has Expired/i
body     __PSW_3         /keep same password/i
header   __PSW_4         Subject =~ /Action Required Immediately/i
meta     PSWRESET        __PSW_1 && __PSW_2
score    PSWRESET        2.19
 
Dec 27, 2020
89
14
8
42
OOOHHH, I just realised a new hit just in case anyone else is following which seems to hit mainly @gmail.com addresses:

UNDISC_FREEM(3.4),
UNDISC_MONEY(1.301)

However only MorganStanley's daily newsletter seems to fall under the above category - easy fix.
 
  • Like
Reactions: Robstarusa
Dec 27, 2020
89
14
8
42
I do not use the GUI much for the rules, how can I create one based off a single SA Score name?

For example, in the WHAT section under MATCHFIELD, what value do I use as to target any emails containing "UNDISC_" as a SA Score?
 

Stoiko Ivanov

Proxmox Staff Member
Staff member
May 2, 2018
6,968
1,080
164
Dec 27, 2020
89
14
8
42
Thanks @Stoiko Ivanov, yes that is normally what I do via custom.cf.

However I wanted to try something different and capture emails for review so that I can see the content for manual spam targeting. Or in most cases, I have implemented a rule too strong which causes an unrelated email to be quarantined with my gun-ho application of scores.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get your own in 60 seconds.

Buy now!