Hello. I started receiving a lot of spam from different domains in Japanese. How can I block it? I have already added many domains to the blacklist, but they change every time. What are some methods?
Headers for example:
HTML:
Received: from Azrael.ad.3l.ru (10.2.3.2) by Azrael.ad.3l.ru (10.2.3.2) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.40 via Mailbox
Transport; Mon, 15 Jan 2024 16:05:02 +0300
Received: from Azrael.ad.3l.ru (10.2.3.2) by Azrael.ad.3l.ru (10.2.3.2) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.40; Mon, 15 Jan
2024 16:05:02 +0300
Received: from smtp01.3l.ru (10.2.3.5) by Azrael.ad.3l.ru (10.2.3.2) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.40 via Frontend
Transport; Mon, 15 Jan 2024 16:05:02 +0300
Received: from Valdor.ad.3l.ru (localhost.localdomain [127.0.0.1])
by smtp01.3l.ru (Proxmox) with ESMTP id BAD15183454
for <a.kalashnikova@3l.ru>; Mon, 15 Jan 2024 16:05:02 +0300 (MSK)
Received-SPF: none (www522.sakura.ne.jp: No applicable sender policy available) receiver=Valdor.ad.3l.ru; identity=mailfrom; envelope-from="takuma@www522.sakura.ne.jp"; helo=www522.sakura.ne.jp; client-ip=59.106.13.172
Received: from www522.sakura.ne.jp (www522.sakura.ne.jp [59.106.13.172])
by smtp01.3l.ru (Proxmox) with ESMTPS id 8BAF8183472
for <a.kalashnikova@3l.ru>; Mon, 15 Jan 2024 16:05:01 +0300 (MSK)
Received: from www522.sakura.ne.jp (localhost [127.0.0.1])
by www522.sakura.ne.jp (8.15.2/8.15.2) with ESMTP id 40FCMi6A026688
for <a.kalashnikova@3l.ru>; Mon, 15 Jan 2024 21:22:44 +0900 (JST)
(envelope-from takuma@www522.sakura.ne.jp)
Received: (from takuma@localhost)
by www522.sakura.ne.jp (8.15.2/8.15.2/Submit) id 40FCMiAd026687;
Mon, 15 Jan 2024 21:22:44 +0900 (JST)
(envelope-from takuma)
To: <a.kalashnikova@3l.ru>
Subject: =?UTF-8?B?44GK5ZWP44GE5ZCI44KP44Gb44GE44Gf44Gg44GN44GC44KK44GM44Go44GG?= =?UTF-8?B?44GU44GW44GE44G+44GZ44CC?=
Date: Mon, 15 Jan 2024 12:22:44 +0000
From: =?UTF-8?B?6bq65YemIOOCpuOCqOODoOODqeOCgeOCk+WtkA==?=
<shop@uemuramenko.com>
Reply-To: <info@uemuramenko.com>
Message-ID: <tXfIAlXoSr32tPnBxN76tYlPkjq4XxrSDeOIl4AvnU@uemuramenko.com>
X-Mailer: PHPMailer 6.8.1 (https://github.com/PHPMailer/PHPMailer)
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
X-SPAM-LEVEL: Spam detection results: 3
AWL 1.250 Adjusted score from AWL reputation of From: address
DMARC_MISSING 0.1 Missing DMARC policy
GB_SUBJ25 0.5 Subject with no Spaces
HEADER_FROM_DIFFERENT_DOMAINS 0.249 From and EnvelopeFrom 2nd level mail domains are different
KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery methods
SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record
SPF_NONE 0.001 SPF: sender does not publish an SPF Record
T_SCC_BODY_TEXT_LINE -0.01 -
Return-Path: takuma@www522.sakura.ne.jp
X-MS-Exchange-Organization-Network-Message-Id: 4755f91f-ee4f-4168-121a-08dc15ca9643
X-MS-Exchange-Organization-AuthSource: Azrael.ad.3l.ru
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.0880870
X-MS-Exchange-Processed-By-BccFoldering: 15.02.1118.040
HTTP:
Received: from Azrael.ad.3l.ru (10.2.3.2) by Azrael.ad.3l.ru (10.2.3.2) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.40 via Mailbox
Transport; Sat, 13 Jan 2024 21:18:58 +0300
Received: from Azrael.ad.3l.ru (10.2.3.2) by Azrael.ad.3l.ru (10.2.3.2) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.40; Sat, 13 Jan
2024 21:18:58 +0300
Received: from smtp01.3l.ru (10.2.3.5) by Azrael.ad.3l.ru (10.2.3.2) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.40 via Frontend
Transport; Sat, 13 Jan 2024 21:18:58 +0300
Received: from Valdor.ad.3l.ru (localhost.localdomain [127.0.0.1])
by smtp01.3l.ru (Proxmox) with ESMTP id 81C0F1832B0
for <a.kalashnikova@3l.ru>; Sat, 13 Jan 2024 21:18:58 +0300 (MSK)
Received-SPF: none (server.ecomksaharley.com: No applicable sender policy available) receiver=Valdor.ad.3l.ru; identity=mailfrom; envelope-from="ecomharley@server.ecomksaharley.com"; helo=server.ecomksaharley.com; client-ip=15.185.53.59
Received: from server.ecomksaharley.com (server.ecomksaharley.com [15.185.53.59])
by smtp01.3l.ru (Proxmox) with ESMTPS id B0D07183222
for <a.kalashnikova@3l.ru>; Sat, 13 Jan 2024 21:18:57 +0300 (MSK)
Received: from ecomharley by server.ecomksaharley.com with local (Exim 4.96)
(envelope-from <ecomharley@server.ecomksaharley.com>)
id 1rOhcd-0002n5-1h
for a.kalashnikova@3l.ru;
Sat, 13 Jan 2024 17:16:39 +0000
To: <a.kalashnikova@3l.ru>
Subject: Confirmation
X-PHP-Script: ecomksaharley.com/index.php for 45.134.225.36
X-PHP-Originating-Script: 1001:Register.php
MIME-Version: 1.0
Content-Type: text/html; charset="UTF-8"
From: <a.kalashnikova@3l.ru>
Message-ID: <E1rOhcd-0002n5-1h@server.ecomksaharley.com>
Date: Sat, 13 Jan 2024 17:16:39 +0000
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server.ecomksaharley.com
X-AntiAbuse: Original Domain - 3l.ru
X-AntiAbuse: Originator/Caller UID/GID - [1001 993] / [47 12]
X-AntiAbuse: Sender Address Domain - server.ecomksaharley.com
X-Get-Message-Sender-Via: server.ecomksaharley.com: authenticated_id: ecomharley/only user confirmed/virtual account not confirmed
X-Authenticated-Sender: server.ecomksaharley.com: ecomharley
X-Source:
X-Source-Args:
X-Source-Dir:
X-SPAM-LEVEL: Spam detection results: 2
DMARC_MISSING 0.1 Missing DMARC policy
HEADER_FROM_DIFFERENT_DOMAINS 0.248 From and EnvelopeFrom 2nd level mail domains are different
HTML_MESSAGE 0.001 HTML included in message
KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery methods
KAM_LINEPADDING 1.2 Spam that tries to get past blank line filters
MIME_HTML_ONLY 0.1 Message only has text/html MIME parts
SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record
SPF_NONE 0.001 SPF: sender does not publish an SPF Record
T_SCC_BODY_TEXT_LINE -0.01 -
Return-Path: ecomharley@server.ecomksaharley.com
X-MS-Exchange-Organization-Network-Message-Id: 1555b9be-3c90-4fef-889b-08dc14641c6d
X-MS-Exchange-Organization-AuthSource: Azrael.ad.3l.ru
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.1470409
X-MS-Exchange-Processed-By-BccFoldering: 15.02.1118.040
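Added example, not part of the original post: a Python check for header signals that both quoted messages share even though their sending domains differ (a From domain that does not match the envelope sender, an SPF result of none, and in the second message a From address in the recipient's own domain arriving from an external envelope sender). The names `LOCAL_DOMAINS`, `analyze` and the finding labels are hypothetical, and the sample inputs are constructed excerpts of the headers quoted above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAINS = {"3l.ru"}  # assumption: domains this mail system is authoritative for

# Constructed excerpts: only the relevant headers of the two quoted messages.
MSG_1 = """\
Received-SPF: none (www522.sakura.ne.jp: No applicable sender policy available) receiver=Valdor.ad.3l.ru; identity=mailfrom; envelope-from="takuma@www522.sakura.ne.jp"; helo=www522.sakura.ne.jp; client-ip=59.106.13.172
From: <shop@uemuramenko.com>
Return-Path: takuma@www522.sakura.ne.jp
"""
MSG_2 = """\
Received-SPF: none (server.ecomksaharley.com: No applicable sender policy available) receiver=Valdor.ad.3l.ru; identity=mailfrom; envelope-from="ecomharley@server.ecomksaharley.com"; helo=server.ecomksaharley.com; client-ip=15.185.53.59
From: <a.kalashnikova@3l.ru>
Return-Path: ecomharley@server.ecomksaharley.com
"""

def domain_of(value):
    """Lower-cased domain part of an address header value ('' if absent)."""
    return parseaddr(value)[1].rpartition("@")[2].lower()

def aligned(a, b):
    """Relaxed alignment: same domain, or one is a subdomain of the other."""
    return bool(a) and bool(b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def analyze(raw):
    """Return findings that do not depend on the sender's domain name."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From", ""))
    spf = msg.get("Received-SPF", "")
    spf_result = spf.split(None, 1)[0].lower() if spf.strip() else "missing"
    # Prefer the envelope sender recorded by the SPF check, else Return-Path.
    m = re.search(r'envelope-from="?([^";\s]+)', spf)
    env_dom = domain_of(m.group(1) if m else msg.get("Return-Path", ""))
    findings = []
    if from_dom in LOCAL_DOMAINS and env_dom not in LOCAL_DOMAINS:
        findings.append("local-from-external-sender")
    if not aligned(from_dom, env_dom):
        findings.append("from-envelope-mismatch")
    if spf_result != "pass":
        findings.append("spf-" + spf_result)
    return findings

if __name__ == "__main__":
    for name, raw in (("message 1", MSG_1), ("message 2", MSG_2)):
        print(name, analyze(raw))
```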