Spam with text attachment

Dec 20, 2019
Hello!

I have an issue with several spam emails. There are two types of them (see below), and I want to figure out what settings I should change to reduce the number of such emails that pass through.

1) Text-only spam message, with no attachment and no URLs in the text.
Email example:
From: Serena <xode@arrb.com> On Behalf Of Serena
Sent: Thursday, February 27, 2020 10:05 PM
To: ***MY EMAIL*** <*****MY EMAIL @ MY COMPANY ****>
Subject: Re: customize usb stick and memory card service
Dear friends,
We are top10 memory card and usb flash drive manufacturer in china,our main customer including Detech,Disney,Shell.
We offer 1/3 of your price and 5years quality guarantee,are you interested to get our catalog with pricelist?
Please contact with me get it.
Regards,
Serena
Tracking center log:
SA score=4/5
Code:
Feb 27 22:08:53 post02 postfix/qmgr[996]: 86C57140593: from=<xode@arrb.com>, size=1336, nrcpt=1 (queue active)
Feb 27 22:08:53 post02 pmg-smtp-filter[27686]: 14102E5E5813C5656CA: new mail message-id=
Feb 27 22:08:53 post02 postfix/smtpd[27762]: disconnect from unknown[222.187.139.209] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Feb 27 22:08:54 post02 pmg-smtp-filter[27686]: 14102E5E5813C5656CA: SA score=4/5 time=0.658 bayes=undefined autolearn=no autolearn_force=no hits=FREEMAIL_FORGED_FROMDOMAIN(0.001),FREEMAIL_FROM(0.001),HEADER_FROM_DIFFERENT_DOMAINS(0.248),HTML_MESSAGE(0.001),KAM_DMARC_QUARANTINE(1.5),KAM_DMARC_STATUS(0.01),KAM_LAZY_DOMAIN_SECURITY(1),MIME_HTML_ONLY(0.1),MISSING_MID(0.14),RCVD_IN_SORBS_DUL(0.001),RDNS_NONE(1.274),SPF_HELO_NONE(0.001),SPF_NONE(0.001),SPOOFED_FREEMAIL_NO_RDNS(0.001)

2) Colored-text email, with an email link in it and a .txt file as attachment. The sender email looks like random letters, e.g. asdjkad@azafdsfsjf.com
Email example:
Tracking center log:
SA score=3/5
Code:
Feb 27 08:03:24 post02 postfix/qmgr[996]: 6838C14057D: from=<info@gsjghruwcsaw.ru>, size=41149, nrcpt=1 (queue active)
Feb 27 08:03:24 post02 postfix/smtpd[16749]: disconnect from mail.gsjghruwcsaw.ru[91.239.215.142] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Feb 27 08:03:24 post02 pmg-smtp-filter[16941]: 14102D5E574D9C74AD6: new mail message-id=<619BD2F9D5012D6EB2B7FE4ADE2A81F9@gsjghruwcsaw.ru>#012
Feb 27 08:03:26 post02 pmg-smtp-filter[16941]: 14102D5E574D9C74AD6: SA score=3/5 time=2.185 bayes=undefined autolearn=no autolearn_force=no hits=AWL(0.500),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),HTML_MESSAGE(0.001),KAM_NUMSUBJECT(0.5),RCVD_IN_PSBL(2.7),SPF_HELO_NONE(0.001),SPF_PASS(-0.001),URIBL_BLOCKED(0.001)
,URIBL_BLOCKED(0.001)

seems you've reached the limit for URIBL queries - see the Questions and Answers section at https://cwiki.apache.org/confluence/display/SPAMASSASSIN/DnsBlocklists

Tracking center log:
SA score=4/5
a score of 4 would qualify in my eyes for putting the mail into quarantine (depending on your setup and how many of those you get maybe even block)

a score of 3 could also be put into quarantine

for this you would need to create/enable an appropriate rule in the rule system - see https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#chapter_mailfilter

I hope this helps!
 
seems you've reached the limit for URIBL queries - see the Questions and Answers section at https://cwiki.apache.org/confluence/display/SPAMASSASSIN/DnsBlocklists
Thanks, fixed it by installing unbound on my Proxmox.

a score of 4 would qualify in my eyes for putting the mail into quarantine (depending on your setup and how many of those you get maybe even block)

a score of 3 could also be put into quarantine
Viewed statistics for the past 3 months: legit emails were about 98% with a score of 0-1, and spam was the other 2% with a score of 3-4 and higher.
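To check a quarantine threshold against your own mail flow, as the posts above suggest (score 4, or 3), the `pmg-smtp-filter` lines in the tracking log can be parsed directly. The following is an added example, not code from Proxmox Mail Gateway; it assumes the log format shown in this thread, and the two low-score lines (queue ids ending in AD7 and AD8) are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: the two score lines quoted in the thread (hits shortened),
# plus two made-up low-score lines so the threshold comparison has both classes.
SAMPLE_LOG = """\
Feb 27 22:08:54 post02 pmg-smtp-filter[27686]: 14102E5E5813C5656CA: SA score=4/5 time=0.658 bayes=undefined autolearn=no autolearn_force=no hits=FREEMAIL_FORGED_FROMDOMAIN(0.001),KAM_DMARC_QUARANTINE(1.5),KAM_LAZY_DOMAIN_SECURITY(1),RDNS_NONE(1.274)
Feb 27 08:03:26 post02 pmg-smtp-filter[16941]: 14102D5E574D9C74AD6: SA score=3/5 time=2.185 bayes=undefined autolearn=no autolearn_force=no hits=AWL(0.500),DKIM_VALID(-0.1),RCVD_IN_PSBL(2.7),URIBL_BLOCKED(0.001)
Feb 27 09:10:00 post02 pmg-smtp-filter[16941]: 14102D5E574D9C74AD7: SA score=0/5 time=1.000 bayes=undefined autolearn=no autolearn_force=no hits=DKIM_VALID(-0.1),SPF_PASS(-0.001)
Feb 27 09:11:00 post02 pmg-smtp-filter[16941]: 14102D5E574D9C74AD8: SA score=1/5 time=1.000 bayes=undefined autolearn=no autolearn_force=no hits=HTML_MESSAGE(0.001),KAM_NUMSUBJECT(0.5)
"""

# Matches the "SA score=N/M ... hits=RULE(pts),..." part of a pmg-smtp-filter line.
SCORE_RE = re.compile(
    r"pmg-smtp-filter\[\d+\]: (?P<qid>\w+): SA score=(?P<score>-?\d+)/(?P<thr>\d+) .*?hits=(?P<hits>\S*)"
)
HIT_RE = re.compile(r"([A-Z0-9_]+)\(([-\d.]+)\)")


def parse_scores(log_text):
    """Return [(queue_id, integer SA score, {rule: points})] for every score line."""
    records = []
    for line in log_text.splitlines():
        m = SCORE_RE.search(line)
        if not m:
            continue  # qmgr/smtpd lines and "new mail" lines carry no score
        hits = {name: float(pts) for name, pts in HIT_RE.findall(m.group("hits"))}
        records.append((m.group("qid"), int(m.group("score")), hits))
    return records


def score_histogram(records):
    """How many messages landed at each rounded score (the '98% at 0-1' view)."""
    return Counter(score for _, score, _ in records)


def would_quarantine(records, threshold):
    """Queue ids a rule 'spam score >= threshold -> quarantine' would have caught."""
    return [qid for qid, score, _ in records if score >= threshold]


def uribl_blocked(records):
    """Queue ids where URIBL_BLOCKED fired: URI blocklist lookups were not answered."""
    return [qid for qid, _, hits in records if "URIBL_BLOCKED" in hits]


def rule_frequency(records):
    """Which SpamAssassin rules fire most often across the sample."""
    freq = Counter()
    for _, _, hits in records:
        freq.update(hits.keys())
    return freq
```

Feed it `/var/log/mail.log` (or the tracking center export) instead of `SAMPLE_LOG` to see how many real messages each threshold would have quarantined, and whether `URIBL_BLOCKED` keeps appearing after the resolver change.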