[SOLVED] Why is PMG forwarding blocked messages as attachment?

Jul 31, 2019
Hi

Why does pmg forward this mail to me?
The default rule "Block Spam (Level 10)" is set to block mail above Spam level 10.

Br. Peter

-----Forwarded Spam mail-----
Spam detection software, running on the system "pmg.server.local",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
the administrator of that system for details.

Content preview: Hi! I have very bad news for you. 17/11/2018
- On this day I hacked your operating system and got full access to
your account xxxxx@xxxxx.xxx. You can check it - I sent this [...]

Content analysis details: (26.0 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
1.4 RCVD_IN_NIX_SPAM RBL: Listed in NiX Spam DNSBL (heise.de)
[37.231.250.113 listed in ix.dnsbl.manitu.net]
-0.0 BAYES_20 BODY: Bayes spam probability is 5 to 20%
[score: 0.1389]
3.3 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
[37.231.250.113 listed in zen.spamhaus.org]
0.0 SPF_NONE SPF: sender does not publish an SPF Record
0.0 HTML_MESSAGE BODY: HTML included in message
1.4 DCC_REPUT_99_100 DCC reputation between 99 % or higher (spam)
1.1 DCC_CHECK Detected as bulk mail by DCC (dcc-servers.net)
1.0 KAM_HTMLNOISE Spam containing useless HTML padding
1.0 ZMIde_OutlookExpress Outlook Express should not be used anymore
0.8 RDNS_NONE Delivered to internal network by a host with no rDNS
3.5 HDR_ORDER_FTSDMCXX_NORDNS Header order similar to spam
(FTSDMCXX/boundary variant) + no rDNS
1.0 KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any
anti-forgery methods
0.0 FSL_BULK_SIG Bulk signature with no Unsubscribe
2.0 HDR_ORDER_FTSDMCXX_DIRECT Header order similar to spam
(FTSDMCXX/boundary variant) + direct-to-MX
1.2 TO_EQ_FM_DIRECT_MX To == From and direct-to-MX
2.0 MIMEOLE_DIRECT_TO_MX MIMEOLE + direct-to-MX
3.5 BITCOIN_SPAM_07 BitCoin spam pattern 07
2.5 DOS_OE_TO_MX Delivered direct to MX with OE headers
0.2 HELO_MISC_IP Looking for more Dynamic IP Relays

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam. If you wish to view
it, it may be safer to save it to a file and open it with an editor.
 
Why does pmg forward this mail to me?
The default rule "Block Spam (Level 10)" is set to block mail above Spam level 10.
The reason should be somewhere in your configured rules.
This should be explained in the mail.log for the corresponding e-mail - please post it (anonymized).

The mail does not seem to have been created by PMG - maybe your downstream server sent out the notification?

Thanks!
 
Here is a new example:


-----Forwarded Spam mail-----
Spam detection software, running on the system "pmg.snoxxxx.xx",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
the administrator of that system for details.

Content preview: Hi! I have very bad news for you. 17/11/2018
- On this day I hacked your operating system and got full access to
your account peter@snoxxxx.xx. You can check it - I sent this [...]


Content analysis details: (30.8 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
1.4 RCVD_IN_BRBL RBL: Received via a relay in Barracuda RBL
[188.253.229.11 listed in b.barracudacentral.org]
3.3 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
[188.253.229.11 listed in zen.spamhaus.org]
0.4 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
-0.0 BAYES_20 BODY: Bayes spam probability is 5 to 20%
[score: 0.0916]
-0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
[188.253.229.11 listed in wl.mailspike.net]
3.0 DATE_IN_FUTURE_03_06 Date: is 3 to 6 hours after Received: date
0.0 SPF_NONE SPF: sender does not publish an SPF Record
1.4 RCVD_IN_GBUDB RBL: Listed in GBUdb Truncate
[188.253.229.11 listed in truncate.gbudb.net]
0.0 HTML_MESSAGE BODY: HTML included in message
1.4 DCC_REPUT_99_100 DCC reputation between 99 % or higher (spam)
1.1 DCC_CHECK Detected as bulk mail by DCC (dcc-servers.net)
1.0 KAM_HTMLNOISE Spam containing useless HTML padding
1.0 ZMIde_OutlookExpress Outlook Express should not be used anymore
0.8 RDNS_NONE Delivered to internal network by a host with no rDNS
3.5 HDR_ORDER_FTSDMCXX_NORDNS Header order similar to spam
(FTSDMCXX/boundary variant) + no rDNS
1.0 KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any
anti-forgery methods
0.0 FSL_BULK_SIG Bulk signature with no Unsubscribe
2.0 HDR_ORDER_FTSDMCXX_DIRECT Header order similar to spam
(FTSDMCXX/boundary variant) + direct-to-MX
1.2 TO_EQ_FM_DIRECT_MX To == From and direct-to-MX
2.0 MIMEOLE_DIRECT_TO_MX MIMEOLE + direct-to-MX
3.5 BITCOIN_SPAM_07 BitCoin spam pattern 07
2.5 DOS_OE_TO_MX Delivered direct to MX with OE headers
0.2 HELO_MISC_IP Looking for more Dynamic IP Relays
0.0 NO_FM_NAME_IP_HOSTN No From name + hostname using IP address

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam. If you wish to view
it, it may be safer to save it to a file and open it with an editor.



----- Mail.log -----
Oct 2 09:07:43 pmg postfix/postscreen[19099]: CONNECT from [188.253.229.11]:11158 to [192.168.0.14]:25
Oct 2 09:07:49 pmg postfix/postscreen[19099]: PASS NEW [188.253.229.11]:11158
Oct 2 09:07:49 pmg postfix/smtpd[19116]: connect from unknown[188.253.229.11]
Oct 2 09:07:49 pmg postfix/smtpd[19116]: B6522403B6: client=unknown[188.253.229.11]
Oct 2 09:07:49 pmg postfix/cleanup[19162]: B6522403B6: message-id=<69D7614E02DFF82D93250A469BBC69D7@7BRVYFH>
Oct 2 09:07:50 pmg spamd[16744]: spamd: connection from ::1 [::1]:50922 to port 783, fd 5
Oct 2 09:07:50 pmg spamd[16744]: spamd: processing message <69D7614E02DFF82D93250A469BBC69D7@7BRVYFH> for peter:113
Oct 2 09:07:53 pmg spamd[19165]: util: setuid: ruid=113 euid=113 rgid=117 117 117 egid=117 117 117
Oct 2 09:07:53 pmg spamd[16744]: spamd: identified spam (30.8/5.0) for peter:113 in 3.4 seconds, 8425 bytes.
Oct 2 09:07:53 pmg spamd[16744]: spamd: result: Y 30 - BAYES_20,BITCOIN_SPAM_07,DATE_IN_FUTURE_03_06,DCC_CHECK,DCC_REPUT_99_100,DOS_OE_TO_MX,FSL_BULK_SIG,HDR_ORDER_FTSDMCXX_DIRECT,HDR_ORDER_FTSDMCXX_NORDNS,HELO_MISC_IP,HTML_MESSAGE,KAM_HTMLNOISE,KAM_LAZY_DOMAIN_SECURITY,MIMEOLE_DIRECT_TO_MX,NO_FM_NAME_IP_HOSTN,RCVD_IN_BRBL,RCVD_IN_GBUDB,RCVD_IN_MSPIKE_H2,RCVD_IN_PBL,RCVD_IN_XBL,RDNS_NONE,SPF_NONE,TO_EQ_FM_DIRECT_MX,ZMIde_OutlookExpress scantime=3.4,size=8425,user=peter,uid=113,required_score=5.0,rhost=::1,raddr=::1,rport=50922,mid=<69D7614E02DFF82D93250A469BBC69D7@7BRVYFH>,bayes=0.091579,autolearn=no autolearn_force=no
Oct 2 09:07:53 pmg postfix/qmgr[968]: B6522403B6: from=<peter@snoxxxx.xx>, size=12680, nrcpt=1 (queue active)
Oct 2 09:07:53 pmg pmg-smtp-filter[17889]: 2019/10/02-09:07:53 CONNECT TCP Peer: "[127.0.0.1]:52598" Local: "[127.0.0.1]:10024"
Oct 2 09:07:53 pmg pmg-smtp-filter[17889]: 404925D944CC9D7CAB: new mail message-id=<69D7614E02DFF82D93250A469BBC69D7@7BRVYFH>#012
Oct 2 09:07:54 pmg postfix/smtpd[19116]: disconnect from unknown[188.253.229.11] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Oct 2 09:07:55 pmg pmg-smtp-filter[17889]: 404925D944CC9D7CAB: SA score=32/5 time=1.592 bayes=1.00 autolearn=no autolearn_force=no hits=BAYES_99(3.5),BAYES_999(0.2),BITCOIN_SPAM_07(3.5),DATE_IN_FUTURE_03_06(3.027),DCC_CHECK(1.1),DCC_REPUT_95_98(1),DOS_OE_TO_MX(2.523),FSL_BULK_SIG(0.001),HDR_ORDER_FTSDMCXX_DIRECT(1.999),HDR_ORDER_FTSDMCXX_NORDNS(3.499),HELO_MISC_IP(0.001),HTML_MESSAGE(0.001),KAM_HTMLNOISE(1),KAM_LAZY_DOMAIN_SECURITY(1),MIMEOLE_DIRECT_TO_MX(1.999),RCVD_IN_BRBL(1.4),RCVD_IN_GBUDB(1.4),RCVD_IN_MSPIKE_H2(-0.001),RCVD_IN_PBL(3.335),RCVD_IN_XBL(0.375),RDNS_NONE(0.793),SPF_NONE(0.001),ZMIde_OutlookExpress(1)
Oct 2 09:07:55 pmg postfix/smtpd[19172]: connect from localhost.localdomain[127.0.0.1]
Oct 2 09:07:55 pmg postfix/smtpd[19172]: 954EE40570: client=localhost.localdomain[127.0.0.1], orig_client=unknown[188.253.229.11]
Oct 2 09:07:55 pmg postfix/cleanup[19162]: 954EE40570: message-id=<69D7614E02DFF82D93250A469BBC69D7@7BRVYFH>
Oct 2 09:07:55 pmg postfix/qmgr[968]: 954EE40570: from=<peter@snoxxxx.xx>, size=15183, nrcpt=1 (queue active)
Oct 2 09:07:55 pmg pmg-smtp-filter[17889]: 404925D944CC9D7CAB: accept mail to <peter@snoxxxx.xx> (954EE40570) (rule: Whitelist)
Oct 2 09:07:55 pmg postfix/smtpd[19172]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Oct 2 09:07:55 pmg pmg-smtp-filter[17889]: 404925D944CC9D7CAB: processing time: 1.781 seconds (1.592, 0.087, 0)
Oct 2 09:07:55 pmg postfix/lmtp[19166]: B6522403B6: to=<peter@snoxxxx.xx>, relay=127.0.0.1[127.0.0.1]:10024, delay=5.9, delays=4.1/0.02/0.05/1.8, dsn=2.5.0, status=sent (250 2.5.0 OK (404925D944CC9D7CAB))
Oct 2 09:07:55 pmg postfix/qmgr[968]: B6522403B6: removed
Oct 2 09:07:55 pmg postfix/smtp[19173]: 954EE40570: to=<peter@snoxxxx.xx>, relay=mail.snoxxxx.xx[192.168.0.11]:25, delay=0.21, delays=0.05/0.01/0.02/0.12, dsn=2.6.0, status=sent (250 2.6.0 <69D7614E02DFF82D93250A469BBC69D7@7BRVYFH> [InternalId=27882927685637, Hostname=mail01.snoxxxx.xx] 17168 bytes in 0.109, 152.487 KB/sec Queued mail for delivery)
Oct 2 09:07:55 pmg postfix/qmgr[968]: 954EE40570: removed
Oct 2 09:07:56 pmg spamd[16737]: prefork: child states: II
 
Oct 2 09:07:55 pmg pmg-smtp-filter[17889]: 404925D944CC9D7CAB: accept mail to <peter@snoxxxx.xx> (954EE40570) (rule: Whitelist)
The mail got forwarded because the email address peter@snoxxxx.xx is in the Global Whitelist (assuming a rather default rule setup) - the rule which caused this is called Whitelist (GUI->Mail-Filter)

Oct 2 09:07:55 pmg postfix/smtp[19173]: 954EE40570: to=<peter@snoxxxx.xx>, relay=mail.snoxxxx.xx[192.168.0.11]:25, delay=0.21, delays=0.05/0.01/0.02/0.12, dsn=2.6.0, status=sent (250 2.6.0 <69D7614E02DFF82D93250A469BBC69D7@7BRVYFH> [InternalId=27882927685637, Hostname=mail01.snoxxxx.xx] 17168 bytes in 0.109, 152.487 KB/sec Queued mail for delivery)
It got forwarded to mail.snoxxxx.xx - which I assume is the system that generated the forwarded mail.

I hope this helps!
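
The reply above finds the cause by reading the `(rule: Whitelist)` line next to the `SA score=32/5` line for the same pmg-smtp-filter ID. The following script is an added example for this thread, not code from the original posts or from Proxmox: it correlates pmg-smtp-filter lines by that ID, pairs each message's SpamAssassin score with the rule that finally acted on it, and lists messages a rule named Whitelist delivered although their score was at or above the Block Spam level. The sample log is constructed from the lines posted above plus one invented message that the Block rule catches; the helper name `whitelist_overrides` and the exact wording of the "block mail to" line are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log. The first four lines are adapted from the
# pmg-smtp-filter lines posted in this thread (whitelisted message,
# SA score 32/5); the last three are invented to show a message that the
# "Block Spam (Level 10)" rule catches. Hosts and addresses are placeholders.
SAMPLE_LOG = """\
Oct 2 09:07:53 pmg pmg-smtp-filter[17889]: 404925D944CC9D7CAB: new mail message-id=<69D7614E02DFF82D93250A469BBC69D7@7BRVYFH>#012
Oct 2 09:07:55 pmg pmg-smtp-filter[17889]: 404925D944CC9D7CAB: SA score=32/5 time=1.592 bayes=1.00 autolearn=no autolearn_force=no hits=BAYES_99(3.5),BITCOIN_SPAM_07(3.5)
Oct 2 09:07:55 pmg pmg-smtp-filter[17889]: 404925D944CC9D7CAB: accept mail to <peter@snoxxxx.xx> (954EE40570) (rule: Whitelist)
Oct 2 09:07:55 pmg pmg-smtp-filter[17889]: 404925D944CC9D7CAB: processing time: 1.781 seconds (1.592, 0.087, 0)
Oct 2 09:12:01 pmg pmg-smtp-filter[17889]: 4049261A2B3C4D5E6F: new mail message-id=<constructed-1@example.invalid>#012
Oct 2 09:12:03 pmg pmg-smtp-filter[17889]: 4049261A2B3C4D5E6F: SA score=14/5 time=1.104 bayes=0.99 autolearn=no autolearn_force=no hits=BAYES_99(3.5),RCVD_IN_PBL(3.335)
Oct 2 09:12:03 pmg pmg-smtp-filter[17889]: 4049261A2B3C4D5E6F: block mail to <someone@snoxxxx.xx> (rule: Block Spam (Level 10))
"""

# Every pmg-smtp-filter line for one message carries the same hex ID right
# after the process name; that ID is the correlation key.
FILTER_RE = re.compile(r"pmg-smtp-filter\[\d+\]: (?P<id>[0-9A-F]+): (?P<rest>.*)$")
SCORE_RE = re.compile(r"^SA score=(?P<score>-?\d+(?:\.\d+)?)/(?P<req>\d+(?:\.\d+)?)")
# "accept" lines carry the Postfix queue ID of the re-injected message in
# parentheses. The "block" line shape is assumed here for illustration.
ACTION_RE = re.compile(
    r"^(?P<action>accept|block|quarantine) mail to <(?P<rcpt>[^>]+)>"
    r"(?: \([0-9A-F]+\))? \(rule: (?P<rule>.+)\)$"
)


def parse_filter_log(text):
    """Group pmg-smtp-filter lines by filter ID: SA score plus rule actions."""
    messages = defaultdict(lambda: {"actions": []})
    for line in text.splitlines():
        m = FILTER_RE.search(line)
        if not m:
            continue  # postfix, spamd and CONNECT lines are not needed here
        rec = messages[m["id"]]
        rest = m["rest"]
        s = SCORE_RE.match(rest)
        if s:
            rec["score"] = float(s["score"])
            rec["required"] = float(s["req"])
            continue
        a = ACTION_RE.match(rest)
        if a:
            rec["actions"].append((a["action"], a["rcpt"], a["rule"]))
    return dict(messages)


def whitelist_overrides(messages, block_level=10.0):
    """Messages accepted by a rule named 'Whitelist' although their SA score
    is at or above the Block Spam level (hypothetical helper name)."""
    hits = []
    for fid, rec in messages.items():
        score = rec.get("score")
        if score is None or score < block_level:
            continue
        for action, rcpt, rule in rec["actions"]:
            if action == "accept" and rule == "Whitelist":
                hits.append((fid, rcpt, score))
    return hits


if __name__ == "__main__":
    parsed = parse_filter_log(SAMPLE_LOG)
    for fid, rcpt, score in whitelist_overrides(parsed):
        print(f"{fid}: delivered to {rcpt} by rule Whitelist despite SA score {score}")
```

Run it against the node's mail.log with `parse_filter_log(open("/var/log/mail.log").read())`. Two things the output makes visible: the "5.0 required" in the SpamAssassin report is SpamAssassin's own threshold and has nothing to do with the Block Spam (Level 10) rule, and a message matched by the Whitelist rule is accepted regardless of score. The TO_EQ_FM_DIRECT_MX hit in the posted reports shows the sender address was forged to equal the recipient's, which is how a whitelist entry for your own address ends up letting this kind of extortion spam through.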
 
Glad I was able to help!
Please mark the thread as 'SOLVED' - it could help others.
Thanks!
 