SpamAssassin teaching guide needed.

B

BiteMyElbow

Member
Jul 5, 2021
31
0
11
39
Hello to everyone.
I'm new to Postfix and SpamAssassin. I deployed PMG and it is really cool, but I have some SPAM mails in users Inboxes. In my case PMG works as foreground to Microsoft Exchange Server 2013.
Can anyone tell me step-by-step guide for teaching Spamassassin in corporate environment please?
 
Last edited:
Pls post complete mail headers of such spam emails.
 
  • Like
Reactions: Stoiko Ivanov
tom said:
Pls post complete mail headers of such spam emails.
Click to expand...
1. This one has not been identified as spam even by corporate antivirus with antispam setup:
Received: from MAIL04.domain.local (256.256.21.112) by MAIL04.domain.local
(256.256.21.112) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Mailbox
Transport; Wed, 5 Jul 2023 15:41:17 +0300
Received: from MAIL04.domain.local (256.256.21.112) by MAIL04.domain.local
(256.256.21.112) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Wed, 5 Jul
2023 15:41:16 +0300
Received: from EDGE02.domain.local (256.256.21.120) by MAIL04.domain.local
(256.256.21.112) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend
Transport; Wed, 5 Jul 2023 15:41:16 +0300
Received: from EDGE02.domain.local (localhost.localdomain [127.0.0.1])
by EDGE02.domain.local (Proxmox) with ESMTP id C9BFE1613BF
for <itdept@abc.ru>; Wed, 5 Jul 2023 15:41:16 +0300 (MSK)
Received-SPF: Fail (MAIL04.domain.local: domain of sales4@cn-airshipping.com does
not designate 256.256.21.120 as permitted sender) receiver=MAIL04.domain.local;
client-ip=256.256.21.120; helo=EDGE02.domain.local;
Received-SPF: pass (cn-airshipping.com: Sender is authorized to use 'sales4@cn-airshipping.com' in 'mfrom' identity (mechanism 'include:yunyou.top' matched)) receiver=EDGE02.domain.local; identity=mailfrom; envelope-from="sales4@cn-airshipping.com"; helo=smtp-my3-03p29.yunyou.top; client-ip=60.247.169.29
Received: from smtp-my3-03p29.yunyou.top (smtp-my3-03p29.yunyou.top [60.247.169.29])
by EDGE02.domain.local (Proxmox) with ESMTPS id 72FDE1613CB
for <itdept@abc.ru>; Wed, 5 Jul 2023 15:41:11 +0300 (MSK)
Received: from CHINAMI-6T5SRGC (unknown [121.34.49.217])
by smtp-my-03.yunyou.top (WestCloudMail) with ESMTPA id CD20485806
for <itdept@abc.ru>; Wed, 5 Jul 2023 20:41:00 +0800 (CST)
DKIM-Filter: WestDKIM Filter v2.10.3 smtp-my-03.yunyou.top CD20485806
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cn-airshipping.com;
s=mailsig; t=1688560861;
bh=IkQ2+9MPihBVIaW2HGmehKymZC/HfvFg3DXZ858bTxI=;
h=Date:From:To:Subject:Message-ID;
b=BEzu8xkQ3SmliYnZHfT3q9Yo4XeMwY35Yw/x+5zyn7YeR7eMeKVKCMHyAam8hejJ0
TUvbWx9HCCZF4OV0HochGAakZh8LwGbNUjFBBpP3zkz7lPwVvDVj7g59O3lwQ+pNqi
bfvPwSqEjnfczsMjEW/VdJEEuAp71hoCRGS4TxMg=
Date: Wed, 5 Jul 2023 20:40:00 +0800
From: "sales4@cn-airshipping.com" <sales4@cn-airshipping.com>
To: itdept <itdept@abc.ru>
Subject: =?UTF-8?B?0JjQtyDQmtC40YLQsNGPINCyINCc0L7RgdC60LLRgyDQrdC70LXQutGC0YDQvtCz0LvQuCDQvdCwINC/0L7QtdC30LTQtQ==?=
X-Priority: 3
X-GUID: A1F665AC-C4A9-4C62-87D9-A6CEE6A01CAC
X-Has-Attach: no
X-Mailer: Foxmail 7.2.25.148[cn]
MIME-Version: 1.0
Message-ID: <20230705193737193756188@cn-airshipping.com>
Content-Type: multipart/alternative;
boundary="----=_001_NextPart574675632866_=----"
X-SPAM-LEVEL: Spam detection results: 0
DKIM_SIGNED 0.1 Message has a DKIM or DK signature, not necessarily valid
DKIM_VALID -0.1 Message has at least one valid DKIM or DK signature
DKIM_VALID_AU -0.1 Message has a valid DKIM or DK signature from author's domain
DKIM_VALID_EF -0.1 Message has a valid DKIM or DK signature from envelope-from domain
HTML_MESSAGE 0.001 HTML included in message
NOT_SPAM 1 I'm not spam! Really! I'm not, I'm not, I'm not!
SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record
SPF_PASS -0.001 SPF: sender matches SPF record
T_SCC_BODY_TEXT_LINE -0.01 -
URIBL_DBL_BLOCKED_OPENDNS 0.001 ADMINISTRATOR NOTICE: The query to dbl.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/ [www.tandychina.com]
Return-Path: sales4@cn-airshipping.com
X-MS-Exchange-Organization-PRD: cn-airshipping.com
X-MS-Exchange-Organization-SenderIdResult: Fail
X-MS-Exchange-Organization-Network-Message-Id: 9d0d75aa-e344-46bc-34e9-08db7d55203f
X-Auto-Response-Suppress: DR, OOF, AutoReply
X-MS-Exchange-Organization-AuthSource: MAIL04.domain.local
X-MS-Exchange-Organization-AuthAs: Anonymous

2. This one was identified as spam by corporate antivirus and was marked as "SPAM" in user Inbox:
Received: from MAIL04.domail.local (256.256.21.112) by MAIL04.domail.local
(256.256.21.112) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Mailbox
Transport; Wed, 5 Jul 2023 14:26:03 +0300
Received: from MAIL04.domail.local (256.256.21.112) by MAIL04.domail.local
(256.256.21.112) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Wed, 5 Jul
2023 14:26:02 +0300
Received: from EDGE02.domail.local (256.256.21.120) by MAIL04.domail.local
(256.256.21.112) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend
Transport; Wed, 5 Jul 2023 14:26:02 +0300
Received: from EDGE02.domail.local (localhost.localdomain [127.0.0.1])
by EDGE02.domail.local (Proxmox) with ESMTP id 987D41613BB
for <itdept@abc.ru>; Wed, 5 Jul 2023 14:26:02 +0300 (MSK)
Received-SPF: Neutral (MAIL04.domail.local: 256.256.21.120 is neither permitted nor
denied by domain of sender@rodnos.ru)
Received-SPF: pass (rodnos.ru: 193.3.23.124 is authorized to use 'sender@rodnos.ru' in 'mfrom' identity (mechanism 'a' matched)) receiver=EDGE02.domail.local; identity=mailfrom; envelope-from="sender@rodnos.ru"; helo=rodnos.ru; client-ip=193.3.23.124
Received: from rodnos.ru (rodnos.ru [193.3.23.124])
by EDGE02.domail.local (Proxmox) with ESMTP id F0C99160860
for <itdept@abc.ru>; Wed, 5 Jul 2023 14:25:58 +0300 (MSK)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=dkim5; d=rodnos.ru;
h=From:Subject:To:Content-Type:MIME-Version:Date; i=sender@rodnos.ru;
bh=Ifu//ryB56ZbrgJsFsNWM4YkdxThdpU23Kru1qggFio=;
b=SsMHWvuwUHwaKYNAma2S3ZZCnO0Yc6YOv3/QCS1sLb5EBp71txRdnEk9qg7PllugOeKFXrJT8q42
VHgcGm2FjdCEY6caNLGvE0zTs6n7+hwe4mtmyMsi8Jj5AUAAWa+6etaT6gFG5wEx+qeEh0NUiobm
elVeYaPkl78X4NOP1JVu5X6zBBRvpVg+kI99bxznnucGdQ5SzwZdLHxeU47XK77i6hfYOGK1AzJa
XLy4IGoxRridYQKt0EOwgTpdG9Qj4dz/zOgJxELU3aojKh/73G/OJ72kP+ZFi/8jdicMImUUcMaU
YGmCJKH05GerYpH+OZoZZXStJolVkZy5LHw1gg==
From: "=?windows-1251?B?wM4gIszl5Oj26O3gkw==?=" <sender@rodnos.ru>
Subject: =?windows-1251?B?z+7h5eTo8uUg4e7r/CDoIOLl8O3o8uUg8ODk7vHy/CDm6Oft6CDiINbl7fLw5SDo5/P35e3o/yDh7uvoIQ==?=
To: "itdept" <itdept@abc.ru>
Content-Type: multipart/alternative; boundary="0VLfl6O6cvgPDWwMQAe5FC=_Z7q4TbU3DG"
MIME-Version: 1.0
Date: Wed, 5 Jul 2023 14:16:03 +0300
X-SPAM-LEVEL: Spam detection results: 1
DKIM_SIGNED 0.1 Message has a DKIM or DK signature, not necessarily valid
DKIM_VALID -0.1 Message has at least one valid DKIM or DK signature
DKIM_VALID_AU -0.1 Message has a valid DKIM or DK signature from author's domain
DKIM_VALID_EF -0.1 Message has a valid DKIM or DK signature from envelope-from domain
HTML_MESSAGE 0.001 HTML included in message
MISSING_MID 0.14 Missing Message-Id: header
RCVD_IN_DNSWL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to DNSWL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information.
SPF_HELO_PASS -0.001 SPF: HELO matches SPF record
SPF_PASS -0.001 SPF: sender matches SPF record
T_SCC_BODY_TEXT_LINE -0.01 -
URIBL_ABUSE_SURBL 1.948 Contains an URL listed in the ABUSE SURBL blocklist [rodnos.ru]
URIBL_DBL_BLOCKED_OPENDNS 0.001 ADMINISTRATOR NOTICE: The query to dbl.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/ [www.medicina.ru,tilda.ws,static.tildacdn.com,t.me]
Message-ID: <20230705112602.987D41613BB@EDGE02.domail.local>
Return-Path: sender@rodnos.ru
X-MS-Exchange-Organization-PRD: rodnos.ru
X-MS-Exchange-Organization-SenderIdResult: Neutral
X-MS-Exchange-Organization-Network-Message-Id: d3625b2a-c80c-4237-0cd0-08db7d4a9dad
X-Auto-Response-Suppress: DR, OOF, AutoReply
X-MS-Exchange-Organization-AuthSource: MAIL04.domail.local
X-MS-Exchange-Organization-AuthAs: Anonymous
 
Last edited:
I ran Spamhaus Public test and the results are pity:
1688712690895.png

What can be wrong with my PMG setup and how can i fix it? It there any way to handle SPAM beside DNSBL?
 
BiteMyElbow said:
URIBL_DBL_BLOCKED_OPENDNS 0.001 ADMINISTRATOR NOTICE: The query to dbl.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/ [
Click to expand...
BiteMyElbow said:
RCVD_IN_DNSWL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to DNSWL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information.
Click to expand...
Seems your DNS setup is using a public resolver.

see:
https://pmg.proxmox.com/wiki/index.php/Getting_started_with_Proxmox_Mail_Gateway

and all linked pages - in this case in particular:
https://pmg.proxmox.com/wiki/index.php/DNS_server_on_Proxmox_Mail_Gateway
 
Last edited:
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom