SpamAssassin teaching guide needed.

BiteMyElbow

Hello to everyone.
I'm new to Postfix and SpamAssassin. I deployed PMG and it is really cool, but I still have some spam mails in users' inboxes. In my case PMG works as a front end to Microsoft Exchange Server 2013.
Can anyone give me a step-by-step guide for teaching SpamAssassin in a corporate environment, please?
 
Please post complete mail headers of such spam emails.
 
Please post complete mail headers of such spam emails.
1. This one was not identified as spam even by the corporate antivirus with its antispam setup:
Received: from MAIL04.domain.local (256.256.21.112) by MAIL04.domain.local
(256.256.21.112) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Mailbox
Transport; Wed, 5 Jul 2023 15:41:17 +0300
Received: from MAIL04.domain.local (256.256.21.112) by MAIL04.domain.local
(256.256.21.112) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Wed, 5 Jul
2023 15:41:16 +0300
Received: from EDGE02.domain.local (256.256.21.120) by MAIL04.domain.local
(256.256.21.112) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend
Transport; Wed, 5 Jul 2023 15:41:16 +0300
Received: from EDGE02.domain.local (localhost.localdomain [127.0.0.1])
by EDGE02.domain.local (Proxmox) with ESMTP id C9BFE1613BF
for <itdept@abc.ru>; Wed, 5 Jul 2023 15:41:16 +0300 (MSK)
Received-SPF: Fail (MAIL04.domain.local: domain of sales4@cn-airshipping.com does
not designate 256.256.21.120 as permitted sender) receiver=MAIL04.domain.local;
client-ip=256.256.21.120; helo=EDGE02.domain.local;
Received-SPF: pass (cn-airshipping.com: Sender is authorized to use 'sales4@cn-airshipping.com' in 'mfrom' identity (mechanism 'include:yunyou.top' matched)) receiver=EDGE02.domain.local; identity=mailfrom; envelope-from="sales4@cn-airshipping.com"; helo=smtp-my3-03p29.yunyou.top; client-ip=60.247.169.29
Received: from smtp-my3-03p29.yunyou.top (smtp-my3-03p29.yunyou.top [60.247.169.29])
by EDGE02.domain.local (Proxmox) with ESMTPS id 72FDE1613CB
for <itdept@abc.ru>; Wed, 5 Jul 2023 15:41:11 +0300 (MSK)
Received: from CHINAMI-6T5SRGC (unknown [121.34.49.217])
by smtp-my-03.yunyou.top (WestCloudMail) with ESMTPA id CD20485806
for <itdept@abc.ru>; Wed, 5 Jul 2023 20:41:00 +0800 (CST)
DKIM-Filter: WestDKIM Filter v2.10.3 smtp-my-03.yunyou.top CD20485806
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cn-airshipping.com;
s=mailsig; t=1688560861;
bh=IkQ2+9MPihBVIaW2HGmehKymZC/HfvFg3DXZ858bTxI=;
h=Date:From:To:Subject:Message-ID;
b=BEzu8xkQ3SmliYnZHfT3q9Yo4XeMwY35Yw/x+5zyn7YeR7eMeKVKCMHyAam8hejJ0
TUvbWx9HCCZF4OV0HochGAakZh8LwGbNUjFBBpP3zkz7lPwVvDVj7g59O3lwQ+pNqi
bfvPwSqEjnfczsMjEW/VdJEEuAp71hoCRGS4TxMg=
Date: Wed, 5 Jul 2023 20:40:00 +0800
From: "sales4@cn-airshipping.com" <sales4@cn-airshipping.com>
To: itdept <itdept@abc.ru>
Subject: =?UTF-8?B?0JjQtyDQmtC40YLQsNGPINCyINCc0L7RgdC60LLRgyDQrdC70LXQutGC0YDQvtCz0LvQuCDQvdCwINC/0L7QtdC30LTQtQ==?=
X-Priority: 3
X-GUID: A1F665AC-C4A9-4C62-87D9-A6CEE6A01CAC
X-Has-Attach: no
X-Mailer: Foxmail 7.2.25.148[cn]
MIME-Version: 1.0
Message-ID: <20230705193737193756188@cn-airshipping.com>
Content-Type: multipart/alternative;
boundary="----=_001_NextPart574675632866_=----"
X-SPAM-LEVEL: Spam detection results: 0
DKIM_SIGNED 0.1 Message has a DKIM or DK signature, not necessarily valid
DKIM_VALID -0.1 Message has at least one valid DKIM or DK signature
DKIM_VALID_AU -0.1 Message has a valid DKIM or DK signature from author's domain
DKIM_VALID_EF -0.1 Message has a valid DKIM or DK signature from envelope-from domain
HTML_MESSAGE 0.001 HTML included in message
NOT_SPAM 1 I'm not spam! Really! I'm not, I'm not, I'm not!
SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record
SPF_PASS -0.001 SPF: sender matches SPF record
T_SCC_BODY_TEXT_LINE -0.01 -
URIBL_DBL_BLOCKED_OPENDNS 0.001 ADMINISTRATOR NOTICE: The query to dbl.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/ [www.tandychina.com]
Return-Path: sales4@cn-airshipping.com
X-MS-Exchange-Organization-PRD: cn-airshipping.com
X-MS-Exchange-Organization-SenderIdResult: Fail
X-MS-Exchange-Organization-Network-Message-Id: 9d0d75aa-e344-46bc-34e9-08db7d55203f
X-Auto-Response-Suppress: DR, OOF, AutoReply
X-MS-Exchange-Organization-AuthSource: MAIL04.domain.local
X-MS-Exchange-Organization-AuthAs: Anonymous

2. This one was identified as spam by the corporate antivirus and was marked as "SPAM" in the user's inbox:
Received: from MAIL04.domail.local (256.256.21.112) by MAIL04.domail.local
(256.256.21.112) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Mailbox
Transport; Wed, 5 Jul 2023 14:26:03 +0300
Received: from MAIL04.domail.local (256.256.21.112) by MAIL04.domail.local
(256.256.21.112) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Wed, 5 Jul
2023 14:26:02 +0300
Received: from EDGE02.domail.local (256.256.21.120) by MAIL04.domail.local
(256.256.21.112) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend
Transport; Wed, 5 Jul 2023 14:26:02 +0300
Received: from EDGE02.domail.local (localhost.localdomain [127.0.0.1])
by EDGE02.domail.local (Proxmox) with ESMTP id 987D41613BB
for <itdept@abc.ru>; Wed, 5 Jul 2023 14:26:02 +0300 (MSK)
Received-SPF: Neutral (MAIL04.domail.local: 256.256.21.120 is neither permitted nor
denied by domain of sender@rodnos.ru)
Received-SPF: pass (rodnos.ru: 193.3.23.124 is authorized to use 'sender@rodnos.ru' in 'mfrom' identity (mechanism 'a' matched)) receiver=EDGE02.domail.local; identity=mailfrom; envelope-from="sender@rodnos.ru"; helo=rodnos.ru; client-ip=193.3.23.124
Received: from rodnos.ru (rodnos.ru [193.3.23.124])
by EDGE02.domail.local (Proxmox) with ESMTP id F0C99160860
for <itdept@abc.ru>; Wed, 5 Jul 2023 14:25:58 +0300 (MSK)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=dkim5; d=rodnos.ru;
h=From:Subject:To:Content-Type:MIME-Version:Date; i=sender@rodnos.ru;
bh=Ifu//ryB56ZbrgJsFsNWM4YkdxThdpU23Kru1qggFio=;
b=SsMHWvuwUHwaKYNAma2S3ZZCnO0Yc6YOv3/QCS1sLb5EBp71txRdnEk9qg7PllugOeKFXrJT8q42
VHgcGm2FjdCEY6caNLGvE0zTs6n7+hwe4mtmyMsi8Jj5AUAAWa+6etaT6gFG5wEx+qeEh0NUiobm
elVeYaPkl78X4NOP1JVu5X6zBBRvpVg+kI99bxznnucGdQ5SzwZdLHxeU47XK77i6hfYOGK1AzJa
XLy4IGoxRridYQKt0EOwgTpdG9Qj4dz/zOgJxELU3aojKh/73G/OJ72kP+ZFi/8jdicMImUUcMaU
YGmCJKH05GerYpH+OZoZZXStJolVkZy5LHw1gg==
From: "=?windows-1251?B?wM4gIszl5Oj26O3gkw==?=" <sender@rodnos.ru>
Subject: =?windows-1251?B?z+7h5eTo8uUg4e7r/CDoIOLl8O3o8uUg8ODk7vHy/CDm6Oft6CDiINbl7fLw5SDo5/P35e3o/yDh7uvoIQ==?=
To: "itdept" <itdept@abc.ru>
Content-Type: multipart/alternative; boundary="0VLfl6O6cvgPDWwMQAe5FC=_Z7q4TbU3DG"
MIME-Version: 1.0
Date: Wed, 5 Jul 2023 14:16:03 +0300
X-SPAM-LEVEL: Spam detection results: 1
DKIM_SIGNED 0.1 Message has a DKIM or DK signature, not necessarily valid
DKIM_VALID -0.1 Message has at least one valid DKIM or DK signature
DKIM_VALID_AU -0.1 Message has a valid DKIM or DK signature from author's domain
DKIM_VALID_EF -0.1 Message has a valid DKIM or DK signature from envelope-from domain
HTML_MESSAGE 0.001 HTML included in message
MISSING_MID 0.14 Missing Message-Id: header
RCVD_IN_DNSWL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to DNSWL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information.
SPF_HELO_PASS -0.001 SPF: HELO matches SPF record
SPF_PASS -0.001 SPF: sender matches SPF record
T_SCC_BODY_TEXT_LINE -0.01 -
URIBL_ABUSE_SURBL 1.948 Contains an URL listed in the ABUSE SURBL blocklist [rodnos.ru]
URIBL_DBL_BLOCKED_OPENDNS 0.001 ADMINISTRATOR NOTICE: The query to dbl.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/ [www.medicina.ru,tilda.ws,static.tildacdn.com,t.me]
Message-ID: <20230705112602.987D41613BB@EDGE02.domail.local>
Return-Path: sender@rodnos.ru
X-MS-Exchange-Organization-PRD: rodnos.ru
X-MS-Exchange-Organization-SenderIdResult: Neutral
X-MS-Exchange-Organization-Network-Message-Id: d3625b2a-c80c-4237-0cd0-08db7d4a9dad
X-Auto-Response-Suppress: DR, OOF, AutoReply
X-MS-Exchange-Organization-AuthSource: MAIL04.domail.local
X-MS-Exchange-Organization-AuthAs: Anonymous
 
I ran the Spamhaus public test and the results are pitiful:

What can be wrong with my PMG setup and how can I fix it? Is there any way to handle spam besides DNSBL?
 
URIBL_DBL_BLOCKED_OPENDNS 0.001 ADMINISTRATOR NOTICE: The query to dbl.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/ [
RCVD_IN_DNSWL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to DNSWL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information.
Seems your DNS setup is using a public resolver.

see:
https://pmg.proxmox.com/wiki/index.php/Getting_started_with_Proxmox_Mail_Gateway

and all linked pages - in this case in particular:
https://pmg.proxmox.com/wiki/index.php/DNS_server_on_Proxmox_Mail_Gateway
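The reply above points at the cause visible in both header dumps: the URIBL_DBL_BLOCKED_OPENDNS and RCVD_IN_DNSWL_BLOCKED notices mean the blocklist queries were refused, so the first message scored 0 instead of being caught. The script below is an added example, not code from the thread or from the PMG project. It assumes the PMG host keeps its resolver list in a resolv.conf-style file, uses a constructed sample file to show what a misconfigured host looks like, and assumes the list of public resolver addresses is complete enough for your environment (extend PUBLIC_RESOLVERS as needed). The Spamhaus return codes it explains are the documented ones for refused queries; the live check is optional and only runs when dig is installed.

```shell
#!/bin/sh
# Added example (not from the thread or the PMG project): checks whether a
# PMG host's resolver configuration would cause DNSBL/URIBL lookups to be
# refused. Spamhaus answers queries that arrive via large public resolvers
# with 127.255.255.254; SpamAssassin then reports *_BLOCKED rules instead of
# real listings, which is what the X-SPAM-LEVEL reports in the thread show.

# Well-known public resolver addresses (constructed list; extend as needed).
PUBLIC_RESOLVERS="8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 9.9.9.9 149.112.112.112 208.67.222.222 208.67.220.220"

# is_public_resolver IP -> exit 0 if IP is one of the public resolvers above
is_public_resolver() {
    for r in $PUBLIC_RESOLVERS; do
        [ "$1" = "$r" ] && return 0
    done
    return 1
}

# check_resolv_conf FILE -> prints every nameserver that is a public
# resolver, one per line, and returns 1 if any was found (0 if clean)
check_resolv_conf() {
    found=0
    # The redirected while loop runs in the current shell, so $found persists.
    while read -r key value _; do
        [ "$key" = "nameserver" ] || continue
        if is_public_resolver "$value"; then
            echo "$value"
            found=1
        fi
    done < "$1"
    [ "$found" -eq 0 ]
}

# explain_dnsbl_answer A-RECORD -> meaning of a Spamhaus zone reply
explain_dnsbl_answer() {
    case "$1" in
        127.255.255.252) echo "typing error in DNSBL name" ;;
        127.255.255.254) echo "query refused: sent via an open/public resolver" ;;
        127.255.255.255) echo "query refused: excessive query volume" ;;
        127.0.0.*)       echo "listed" ;;
        "")              echo "not listed" ;;
        *)               echo "unknown answer: $1" ;;
    esac
}

# live_check -> queries the documented Spamhaus test entry (always listed)
# and explains the reply; skipped when dig is not installed, so it is safe
# to source this file offline.
live_check() {
    command -v dig >/dev/null 2>&1 || { echo "dig not installed, skipping live check"; return 0; }
    ans=$(dig +short 2.0.0.127.zen.spamhaus.org A | head -n1)
    echo "zen.spamhaus.org test entry -> $(explain_dnsbl_answer "$ans")"
}

# Constructed sample resolv.conf resembling a misconfigured PMG host:
# one public resolver (Google) next to an internal one.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
search domain.local
nameserver 8.8.8.8
nameserver 10.0.0.53
EOF

# Offline demonstration on the constructed sample. On a real host, run
# check_resolv_conf /etc/resolv.conf and then live_check.
if public=$(check_resolv_conf "$SAMPLE"); then
    echo "resolv.conf OK: no public resolvers configured"
else
    echo "resolv.conf points at public resolver(s): $public"
fi
```

On the affected host the expected fix, as the linked PMG wiki page describes, is to query a resolver that is not a shared public one; after changing the resolver, rerunning `live_check` should report "listed" for the test entry rather than a refused-query code.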