Stopping generic spam

dthompson (Well-Known Member, joined Nov 23, 2011, Canada, www.digitaltransitions.ca)
I'm looking at a way to stop some generic spam from getting through. I have some spam that's getting through that shouldn't be, and I would like to know how I can better block this sort of spam.

In the logs, it looks as follows:

The email shows as being from: noreply@server.com, but the email is coming in from slot0.greemertrips.com. I've changed the actual end result mail addresses and domains to user@domain.ca in the post below.

Currently the only DNSBL I am using is zen.spamhaus.org; however, when I look up the hostname on mxtoolbox.com it is listed on the Spamhaus, Barracuda and ibmsip24 DNSBLs, yet for some reason that email was able to get past the spam filter.

Any ideas as to how I can better block this type of spam from getting past?

Jan 21 04:19:12  noreply@server.com  user@domain.ca  accepted/delivered
Jan 21 04:19:07 swarmx1 postfix/smtpd[371024]: connect from slot0.greemertrips.com[104.168.236.4]
Jan 21 04:19:07 swarmx1 postfix/smtpd[371024]: Anonymous TLS connection established from slot0.greemertrips.com[104.168.236.4]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 21 04:19:07 swarmx1 postfix/smtpd[371024]: D40DC402DF: client=slot0.greemertrips.com[104.168.236.4]
Jan 21 04:19:07 swarmx1 postfix/cleanup[371008]: D40DC402DF: message-id=<20200121024846.10F138D3D812F817@server.com>
Jan 21 04:19:07 swarmx1 postfix/qmgr[20531]: D40DC402DF: from=<noreply@server.com>, size=4174, nrcpt=1 (queue active)
Jan 21 04:19:08 swarmx1 pmg-smtp-filter[369661]: 2138E5E26C20C02A2F: new mail message-id=<20200121024846.10F138D3D812F817@server.com>#012
Jan 21 04:19:08 swarmx1 postfix/smtpd[371024]: disconnect from slot0.greemertrips.com[104.168.236.4] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Jan 21 04:19:12 swarmx1 pmg-smtp-filter[369661]: 2138E5E26C20C02A2F: SA score=1/5 time=4.763 bayes=0.00 autolearn=no autolearn_force=no hits=BAYES_00(-1.9),HTML_FONT_LOW_CONTRAST(0.001),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),KAM_LAZY_DOMAIN_SECURITY(1),MIME_HTML_ONLY(0.1),PDS_FRNOM_TODOM_NAKED_TO(1),PDS_FROM_NAME_TO_DOMAIN(0.999),SPF_HELO_NONE(0.001),SPF_NONE(0.001)
Jan 21 04:19:12 swarmx1 postfix/smtpd[371014]: connect from localhost[127.0.0.1]
Jan 21 04:19:12 swarmx1 postfix/smtpd[371014]: C40B240212: client=localhost[127.0.0.1], orig_client=slot0.greemertrips.com[104.168.236.4]
Jan 21 04:19:12 swarmx1 postfix/cleanup[371008]: C40B240212: message-id=<20200121024846.10F138D3D812F817@server.com>
Jan 21 04:19:12 swarmx1 postfix/qmgr[20531]: C40B240212: from=<noreply@server.com>, size=5145, nrcpt=1 (queue active)
Jan 21 04:19:12 swarmx1 postfix/smtpd[371014]: disconnect from localhost[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Jan 21 04:19:12 swarmx1 pmg-smtp-filter[369661]: 2138E5E26C20C02A2F: accept mail to <user@domain.ca> (C40B240212) (rule: default-accept)
Jan 21 04:19:12 swarmx1 pmg-smtp-filter[369661]: 2138E5E26C20C02A2F: processing time: 4.795 seconds (4.763, 0.015, 0)
Jan 21 04:19:12 swarmx1 postfix/lmtp[371027]: D40DC402DF: to=<user@domain.ca>, relay=127.0.0.1[127.0.0.1]:10024, delay=5, delays=0.2/0.01/0/4.8, dsn=2.5.0, status=sent (250 2.5.0 OK (2138E5E26C20C02A2F))
Jan 21 04:19:12 swarmx1 postfix/qmgr[20531]: D40DC402DF: removed
Jan 21 04:19:12 swarmx1 postfix/smtp[371015]: C40B240212: to=<user@domain.ca>, relay=192.168.11.221[192.168.11.221]:25, delay=0.06, delays=0/0/0.05/0.01, dsn=2.0.0, status=sent (250 Mail queued for delivery)
Jan 21 04:19:12 swarmx1 postfix/qmgr[20531]: C40B240212: removed
 
Are RBL checks enabled in the Spam Detector (not the Mail Proxy)?
GUI -> Configuration -> Spam Detector -> Options
 
BAYES_00(-1.9)
hmm - one thing you could consider is disabling Bayes (and thus clearing the Bayes database) - this rule gave the mail -1.9 points; without it, it would have gotten close to 3 points (a margin where you can consider quarantining the mails)

also consider disabling the auto-whitelist

I hope this helps
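To make the two points in this thread concrete (the connecting host that the original poster found listed on several DNSBLs, and the -1.9 points that BAYES_00 subtracted from an otherwise near-3-point score), here is an added Python example that parses the two log lines quoted above, builds the reversed-address DNSBL query name for zen.spamhaus.org, maps Spamhaus ZEN answer codes to their meaning, and recomputes the SpamAssassin rule total with the Bayes rules excluded. It is not Proxmox Mail Gateway code and does not reproduce PMG's own scoring; the sample lines are copied from the thread, the function names are mine, and the live lookup_dnsbl() helper is the only part that needs network access (it is not called by the offline checks).

```python
import re
import socket
from ipaddress import ip_address

# Constructed sample lines, modelled on the log excerpt posted in this thread.
CONNECT_LINE = ("Jan 21 04:19:07 swarmx1 postfix/smtpd[371024]: "
                "connect from slot0.greemertrips.com[104.168.236.4]")
SA_LINE = ("Jan 21 04:19:12 swarmx1 pmg-smtp-filter[369661]: 2138E5E26C20C02A2F: "
           "SA score=1/5 time=4.763 bayes=0.00 autolearn=no autolearn_force=no "
           "hits=BAYES_00(-1.9),HTML_FONT_LOW_CONTRAST(0.001),HTML_MESSAGE(0.001),"
           "KAM_DMARC_STATUS(0.01),KAM_LAZY_DOMAIN_SECURITY(1),MIME_HTML_ONLY(0.1),"
           "PDS_FRNOM_TODOM_NAKED_TO(1),PDS_FROM_NAME_TO_DOMAIN(0.999),"
           "SPF_HELO_NONE(0.001),SPF_NONE(0.001)")

CLIENT_RE = re.compile(r"connect from (?P<host>\S+)\[(?P<ip>[0-9A-Fa-f.:]+)\]")
SA_RE = re.compile(r"SA score=(?P<score>-?\d+)/(?P<req>-?\d+).*\bhits=(?P<hits>\S+)")
HIT_RE = re.compile(r"(?P<rule>[A-Za-z0-9_]+)\((?P<score>-?\d+(?:\.\d+)?)\)")

# Spamhaus ZEN answer codes, as published in Spamhaus's return-code table.
ZEN_CODES = {
    "127.0.0.2": "SBL: Spamhaus Block List",
    "127.0.0.3": "SBL CSS: snowshoe / compromised-host listing",
    "127.0.0.10": "PBL: ISP-maintained dynamic or end-user range",
    "127.0.0.11": "PBL: Spamhaus-maintained range",
    "127.255.255.252": "error: typing error in DNSBL name",
    "127.255.255.254": "error: query sent via a public/open resolver",
    "127.255.255.255": "error: query volume limit exceeded",
}


def parse_client(line):
    """Return (hostname, ip) from a postfix/smtpd 'connect from' line, or None."""
    m = CLIENT_RE.search(line)
    return (m.group("host"), m.group("ip")) if m else None


def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: reversed IPv4 octets (or reversed IPv6 nibbles) + zone."""
    addr = ip_address(ip)
    if addr.version == 4:
        rev = ".".join(reversed(ip.split(".")))
    else:
        rev = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{rev}.{zone}"


def describe_zen_response(code):
    """Map a ZEN answer (an A record inside 127/8) to the list it came from."""
    if code in ZEN_CODES:
        return ZEN_CODES[code]
    last = int(code.rsplit(".", 1)[1])
    if code.startswith("127.0.0.") and 4 <= last <= 7:
        return "XBL: exploited or infected host (CBL data)"
    return "unknown return code " + code


def lookup_dnsbl(ip, zone="zen.spamhaus.org"):
    """Live check (needs DNS): A records if the address is listed, [] if not."""
    try:
        _, _, addrs = socket.gethostbyname_ex(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return []
    return addrs


def parse_sa_hits(line):
    """Return (reported score, required score, {rule: points}) from a pmg-smtp-filter SA line."""
    m = SA_RE.search(line)
    if not m:
        return None
    hits = {rule: float(pts) for rule, pts in HIT_RE.findall(m.group("hits"))}
    return int(m.group("score")), int(m.group("req")), hits


def score_without(hits, prefixes=("BAYES_",)):
    """Sum of rule points with every rule whose name starts with one of `prefixes` left out."""
    return round(sum(p for r, p in hits.items() if not r.startswith(prefixes)), 3)


def would_exceed(hits, level, prefixes=("BAYES_",)):
    """Would the Bayes-free total reach the given PMG rule level (e.g. a quarantine level)?"""
    return score_without(hits, prefixes) >= level


if __name__ == "__main__":
    host, ip = parse_client(CONNECT_LINE)
    print(f"client {host} [{ip}] -> query {dnsbl_query_name(ip, 'zen.spamhaus.org')}")
    for a in lookup_dnsbl(ip):
        print("  listed:", a, describe_zen_response(a))
    score, req, hits = parse_sa_hits(SA_LINE)
    print(f"SA reported {score}/{req}; rule total {round(sum(hits.values()), 3)}; "
          f"without Bayes {score_without(hits)}")
```

Run against the thread's lines, the Bayes-free total comes out at 3.113 against a reported 1/5, which is the gap the reply above describes; feed your own pmg-smtp-filter lines through parse_sa_hits() and would_exceed() with the level your quarantine rule uses to see how many recent messages would have changed category. Whether the connecting address is actually listed on ZEN is only known once lookup_dnsbl() runs with a resolver that Spamhaus accepts (a 127.255.255.254 answer means the query went through a public resolver and says nothing about the address).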
 
Thanks Stoiko, I'll try that!

What are the caveats between disabling either of these? Looking at the online documentation, it doesn't seem to discuss either of these in much detail outside of turning them off and on.
 
What are the caveats between disabling either of these?
There is not much to it - if you disable the features, SpamAssassin won't run the messages through the plugins.
Unless you have a well-trained Bayes filter (training in that case means a manual process where you select good samples of spam and ham and feed them to SpamAssassin), running it can lead to false positives (or, as in this case, false negatives).
See the documentation on Bayes filtering in SpamAssassin [0].

For the Auto Whitelist, check [1].

Put in more practical terms - try disabling it and keep an eye on your logs, of how the detection rates behave.

I hope this helps!

[0] https://cwiki.apache.org/confluence/display/spamassassin/BayesInSpamAssassin
[1] https://cwiki.apache.org/confluence/display/spamassassin/AutoWhitelist
 
