1 (edited by jackb 2024-11-06 23:46:53)

Topic: SPAM not being flagged due to using gmail.com sent from

Good evening,

So we are being bombarded by SPAM, as the SPAM is using a From address which is gmail.com, yet the logs show that it's being received by their own dodgy MTA. Is there any solution? I have implemented Auto learn, which stops this after marking it as SPAM, but I find it very interesting that using a gmail address doesn't trigger the SPAM filters. Here is the output of the SMTP header.

It's not only my mail server that has this problem either; the data center I work at also has the same problem, but it seems that masking it with a gmail.com address doesn't trigger it as SPAM.

Received: from server.bestdigitalser.tech (server.bestdigitalser.tech [2.58.200.24])
by mx1.co.uk (Postifx) with ESMTP id 4Xj77Q4gm4zYcn3
for mx1.co.uk; Mon, 4 Nov 2024 23:33:06 +0000 (GMT)
Received: from [209.209.40.232] (unknown [209.209.40.232])
by server.bestdigitalser.tech (Postfix) with ESMTPA id 87152448CD
for domain.co.uk; Tue, 5 Nov 2024 07:18:26 +0800 (AWST)
Content-Type: multipart/alternative; boundary="===============1649301661=="

Regards


2

Re: SPAM not being flagged due to using gmail.com sent from

I'd investigate, starting from the sender/receiver mail:

grep 'Passed SPAM' maillog | grep sender
and see what scores they have.

There are two
Passed SPAM
Passed SPAMMY
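An added example (not from the thread or from iRedMail) of doing what this reply suggests in a script instead of by eye: it parses Amavis "Passed ..." lines from the mail log, groups them by the connecting IP, and lists the IPs that sent freemail-From mail which was either logged as SPAM/SPAMMY or reached the tag level. The sample log lines, addresses, queue IDs and scores are constructed; only the log shape is Amavis's. Note that Amavis logs "Passed SPAMMY" for mail at or above the tag2 level (the `required` value in X-Spam-Status) but below the kill level, and "Passed SPAM" for mail at or above the kill level that was still delivered; a message scoring 3.681 against required=6.2, like the one in this thread, is logged as "Passed CLEAN" even though it carries X-Spam headers, which is why the example keeps CLEAN rows and reports the per-IP maximum score.

```python
import re
from collections import defaultdict

# Constructed sample of Amavis "Passed ..." lines as they appear in a Postfix mail
# log. Addresses, queue IDs, message IDs and hits are made up for this example.
# 203.0.113.0/24 is a documentation range; the first two IPs are the ones shown in
# the thread's Received headers.
SAMPLE_MAILLOG = """\
Nov  4 23:33:07 mx1 amavis[2211]: (02211-03) Passed SPAMMY {RelayedTaggedInbound,Quarantined}, [2.58.200.24]:51822 [209.209.40.232] <promo8821@gmail.com> -> <user@domain.co.uk>, Queue-ID: 4Xj77Q4gm4zYcn3, Message-ID: <c0ffee@mail.gmail.com>, mail_id: Q1aBcD2eF3gH, Hits: 6.431, size: 18231, queued_as: 4Xj77R0Z6TzYcn5, 1342 ms
Nov  4 23:35:12 mx1 amavis[2211]: (02211-04) Passed SPAM {RelayedTaggedInbound,Quarantined}, [2.58.200.24]:51830 [209.209.40.232] <promo8821@gmail.com> -> <sales@domain.co.uk>, Queue-ID: 4Xj7B14mRrzYcn7, Message-ID: <deadb33f@mail.gmail.com>, mail_id: R2bCdE3fG4hI, Hits: 7.104, size: 18410, queued_as: 4Xj7B25x7czYcn9, 1280 ms
Nov  4 23:40:01 mx1 amavis[2211]: (02211-05) Passed CLEAN {RelayedInbound}, [209.85.220.41]:38712 [209.85.220.41] <friend@gmail.com> -> <user@domain.co.uk>, Queue-ID: 4Xj7GZ5tK1zYcnB, Message-ID: <abc123@mail.gmail.com>, mail_id: S3cDeF4gH5iJ, Hits: -0.502, size: 2210, queued_as: 4Xj7GZ6jV7zYcnD, 611 ms
Nov  4 23:44:30 mx1 amavis[2211]: (02211-06) Passed CLEAN {RelayedTaggedInbound}, [203.0.113.7]:40210 [203.0.113.7] <offer4471@gmail.com> -> <user@domain.co.uk>, Queue-ID: 4Xj7N16bV2zYcnF, Message-ID: <ff00aa@mail.gmail.com>, mail_id: T4dEfG5hI6jK, Hits: 3.681, size: 17990, queued_as: 4Xj7N27cW3zYcnH, 1190 ms
"""

# verdict, first bracketed IP (the SMTP client), envelope sender -> recipient, Hits
LINE_RE = re.compile(
    r"Passed (?P<verdict>SPAMMY|SPAM|CLEAN)\b.*?"
    r"\[(?P<client_ip>[0-9a-fA-F.:]+)\](?::\d+)?"
    r".*?<(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>"
    r".*?Hits: (?P<hits>-?[0-9.]+)"
)


def parse_amavis_lines(text):
    """Return one dict per recognised 'Passed ...' line; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        row = m.groupdict()
        row["hits"] = float(row["hits"])
        row["sender_domain"] = row["sender"].rsplit("@", 1)[-1].lower()
        rows.append(row)
    return rows


def summarize_by_ip(rows, freemail_domains=("gmail.com",)):
    """Per connecting IP: message count, highest score, verdicts seen, and whether
    any envelope sender claimed a freemail domain (the pattern in this thread)."""
    summary = defaultdict(lambda: {"count": 0, "max_hits": float("-inf"),
                                   "verdicts": set(), "freemail_from": False})
    for r in rows:
        s = summary[r["client_ip"]]
        s["count"] += 1
        s["max_hits"] = max(s["max_hits"], r["hits"])
        s["verdicts"].add(r["verdict"])
        if r["sender_domain"] in freemail_domains:
            s["freemail_from"] = True
    return dict(summary)


def candidates_for_review(summary, tagged_above=2.0):
    """IPs that sent freemail-From mail which was logged as SPAM/SPAMMY or at
    least reached the tag level, i.e. mail that was scored but still delivered."""
    return sorted(
        ip for ip, s in summary.items()
        if s["freemail_from"]
        and (s["verdicts"] & {"SPAM", "SPAMMY"} or s["max_hits"] >= tagged_above)
    )


if __name__ == "__main__":
    summary = summarize_by_ip(parse_amavis_lines(SAMPLE_MAILLOG))
    for ip in candidates_for_review(summary):
        print(ip, summary[ip]["count"], summary[ip]["max_hits"], sorted(summary[ip]["verdicts"]))
```

On a live server the input would be `grep amavis /var/log/maillog` (or the journal) piped into the script; the grep in the reply above only finds the SPAM/SPAMMY band, so the per-IP maximum is what surfaces repeated sub-threshold senders from one source.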

3

Re: SPAM not being flagged due to using gmail.com sent from

chris.23lo wrote:

I'd investigate, starting from the sender/receiver mail:

grep 'Passed SPAM' maillog | grep sender
and see what scores they have.

There are two
Passed SPAM
Passed SPAMMY

This is what Roundcube says. It would be nice if it were flagged automatically with these sorts of emails.

X-Spam-Flag: NO
X-Spam-Score: 3.681
X-Spam-Level: ***
X-Spam-Status: No, score=3.681 tagged_above=2 required=6.2
    tests=[DKIM_ADSP_CUSTOM_MED=0.001, FORGED_GMAIL_RCVD=1,
    FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001,
    FREEMAIL_REPLYTO_END_DIGIT=0.25, HTML_MESSAGE=0.001,
    NML_ADSP_CUSTOM_MED=1.2, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001,
    RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001,
    RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001,
    SPF_SOFTFAIL=0.972, SPOOFED_FREEMAIL=0.001, SPOOF_GMAIL_MID=0.001]
    autolearn=no autolearn_force=no
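The header above explains the behaviour: the message scored 3.681, above `tagged_above=2` (hence the `***` level and the X-Spam headers) but below `required=6.2`, so the flag stays NO, and `autolearn=no` because it sits between SpamAssassin's default auto-learn thresholds (0.1 for ham, 12.0 for spam). The added example below (not from the thread or from iRedMail) parses that header, checks that the listed tests add up to the score, reports which DNSBL rules fired as `_BLOCKED` (SpamAssassin raises those when the list refused the lookup, typically because the resolver is a public one or over its free-use limit, so those zone checks contributed nothing), and recomputes the total under local score overrides in `local.cf` syntax. The override values are illustrative assumptions, not a recommendation from the thread; several of these rules carry scores of 0.001 because they also hit legitimate mail, so any increase should be checked against ham first.

```python
import re

# The X-Spam-Status value shown in the thread, re-typed as a constant so the
# example runs offline (this is the page's own header, not constructed data).
X_SPAM_STATUS = (
    "No, score=3.681 tagged_above=2 required=6.2 "
    "tests=[DKIM_ADSP_CUSTOM_MED=0.001, FORGED_GMAIL_RCVD=1, "
    "FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, "
    "FREEMAIL_REPLYTO_END_DIGIT=0.25, HTML_MESSAGE=0.001, "
    "NML_ADSP_CUSTOM_MED=1.2, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, "
    "RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, "
    "RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, "
    "SPF_SOFTFAIL=0.972, SPOOFED_FREEMAIL=0.001, SPOOF_GMAIL_MID=0.001] "
    "autolearn=no autolearn_force=no"
)

HEAD_RE = re.compile(
    r"^(?P<flag>Yes|No), score=(?P<score>-?[\d.]+) "
    r"tagged_above=(?P<tag>-?[\d.]+) required=(?P<req>-?[\d.]+)"
)
TESTS_RE = re.compile(r"tests=\[(?P<tests>[^\]]*)\]")
AUTO_RE = re.compile(r"autolearn=(?P<autolearn>\w+)")


def parse_x_spam_status(value):
    """Parse the Amavis/SpamAssassin X-Spam-Status header into its parts."""
    flat = " ".join(value.split())          # fold header continuation lines
    head = HEAD_RE.match(flat)
    tests_m = TESTS_RE.search(flat)
    auto_m = AUTO_RE.search(flat)
    if not (head and tests_m and auto_m):
        raise ValueError("unrecognised X-Spam-Status format")
    tests = {}
    for item in tests_m.group("tests").split(","):
        name, _, score = item.strip().partition("=")
        if name:
            tests[name] = float(score)
    return {
        "flagged": head.group("flag") == "Yes",
        "score": float(head.group("score")),
        "tagged_above": float(head.group("tag")),
        "required": float(head.group("req")),
        "tests": tests,
        "autolearn": auto_m.group("autolearn"),
    }


def blocked_dnsbl_rules(tests):
    """Rules named *_BLOCKED (or *_BLOCKED_<resolver>) mean the DNSBL refused the
    query; the real listing status of the sender was never learned."""
    return sorted(n for n in tests if n.endswith("_BLOCKED") or "_BLOCKED_" in n)


def rescore(parsed, overrides):
    """Total the same hits with local score overrides applied, which is what a
    'score RULE value' line in local.cf would change for this message."""
    total = sum(overrides.get(name, value) for name, value in parsed["tests"].items())
    return round(total, 3)


def local_cf_lines(overrides):
    """Render the overrides in SpamAssassin local.cf syntax."""
    return [f"score {name} {value}" for name, value in sorted(overrides.items())]


def would_be_flagged(parsed, overrides):
    return rescore(parsed, overrides) >= parsed["required"]


if __name__ == "__main__":
    parsed = parse_x_spam_status(X_SPAM_STATUS)
    # Hypothetical overrides for illustration only (assumed values).
    overrides = {"FORGED_GMAIL_RCVD": 3.0, "SPOOFED_FREEMAIL": 1.5}
    print("blocked DNSBL lookups:", blocked_dnsbl_rules(parsed["tests"]))
    print("\n".join(local_cf_lines(overrides)))
    print("rescored:", rescore(parsed, overrides), "flagged:", would_be_flagged(parsed, overrides))
```

The `_BLOCKED` rules are the first thing to fix here: until the server resolves DNSBL queries through a resolver the lists accept, the `RCVD_IN_*` checks score nothing, and the remaining weight comes only from the FORGED/SPOOF/SPF heuristics.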

4

Re: SPAM not being flagged due to using gmail.com sent from

jackb wrote:
chris.23lo wrote:

I'd investigate, starting from the sender/receiver mail:

grep 'Passed SPAM' maillog | grep sender
and see what scores they have.

There are two
Passed SPAM
Passed SPAMMY

This is what Roundcube says. It would be nice if it were flagged automatically with these sorts of emails.

X-Spam-Flag: NO
X-Spam-Score: 3.681
X-Spam-Level: ***
X-Spam-Status: No, score=3.681 tagged_above=2 required=6.2
    tests=[DKIM_ADSP_CUSTOM_MED=0.001, FORGED_GMAIL_RCVD=1,
    FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001,
    FREEMAIL_REPLYTO_END_DIGIT=0.25, HTML_MESSAGE=0.001,
    NML_ADSP_CUSTOM_MED=1.2, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001,
    RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001,
    RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001,
    SPF_SOFTFAIL=0.972, SPOOFED_FREEMAIL=0.001, SPOOF_GMAIL_MID=0.001]
    autolearn=no autolearn_force=no

Not everyone has an identical configuration.

I have mine with additional dnsbl.

postscreen_dnsbl_sites =
    zen.spamhaus.org=127.0.0.[2..11]*3
    b.barracudacentral.org=127.0.0.2*2
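To make the weighting in that setting concrete, here is an added example (not from the thread, iRedMail or Postfix) that models how postscreen scores a client against `postscreen_dnsbl_sites`: each entry is `zone=reply-filter*weight`, a filter such as `127.0.0.[2..11]` accepts a range in one octet, a missing filter accepts any reply, the weight defaults to 1, and the client is rejected once the sum reaches `postscreen_dnsbl_threshold` (Postfix default 1). The two entries are the ones shown above; the third, unfiltered `bl.mailspike.net` entry and all the DNSBL replies are constructed for the example. The filter is what keeps a "query blocked" answer such as Spamhaus's codes in 127.255.255.0/24 from counting as a listing.

```python
import re

# Copy of the thread's postscreen_dnsbl_sites plus one unfiltered entry (the third
# line is an assumption added to show the default weight).
POSTSCREEN_DNSBL_SITES = """
    zen.spamhaus.org=127.0.0.[2..11]*3
    b.barracudacentral.org=127.0.0.2*2
    bl.mailspike.net
"""
DNSBL_THRESHOLD = 1   # Postfix default for postscreen_dnsbl_threshold

# zone[=filter][*weight]; the filter is four dotted fields, each a number or [a..b]
ENTRY_RE = re.compile(
    r"^(?P<domain>[^=*\s]+)(?:=(?P<filter>[0-9.\[\]]+))?(?:\*(?P<weight>-?\d+))?$"
)
OCTET_RE = re.compile(r"\[\d+\.\.\d+\]|\d+")


def parse_dnsbl_sites(text):
    entries = []
    for token in text.split():
        m = ENTRY_RE.match(token)
        if not m:
            raise ValueError(f"cannot parse postscreen_dnsbl_sites entry: {token}")
        entries.append({
            "domain": m.group("domain"),
            "filter": m.group("filter"),        # None: any reply counts
            "weight": int(m.group("weight") or 1),
        })
    return entries


def _octet_ok(pattern, value):
    rng = re.fullmatch(r"\[(\d+)\.\.(\d+)\]", pattern)
    if rng:
        return int(rng.group(1)) <= value <= int(rng.group(2))
    return int(pattern) == value


def reply_matches(filter_, reply):
    """Does a DNSBL A record (e.g. 127.0.0.4) satisfy an entry's reply filter?"""
    if filter_ is None:
        return True
    patterns = OCTET_RE.findall(filter_)
    values = [int(x) for x in reply.split(".")]
    return (len(patterns) == 4 and len(values) == 4
            and all(_octet_ok(p, v) for p, v in zip(patterns, values)))


def dnsbl_score(entries, replies):
    """replies maps a zone to the A records it returned for one client (constructed
    here; postscreen performs the lookups itself). An entry adds its weight once
    if any reply from its zone fits the filter."""
    total, hits = 0, []
    for e in entries:
        for reply in replies.get(e["domain"], []):
            if reply_matches(e["filter"], reply):
                total += e["weight"]
                hits.append((e["domain"], reply, e["weight"]))
                break
    return total, hits


def postscreen_verdict(entries, replies, threshold=DNSBL_THRESHOLD):
    total, hits = dnsbl_score(entries, replies)
    return ("reject" if total >= threshold else "pass"), total, hits


if __name__ == "__main__":
    entries = parse_dnsbl_sites(POSTSCREEN_DNSBL_SITES)
    listed = {"zen.spamhaus.org": ["127.0.0.4"], "b.barracudacentral.org": ["127.0.0.2"]}
    blocked = {"zen.spamhaus.org": ["127.255.255.254"]}   # constructed "query refused" reply
    print(postscreen_verdict(entries, listed))
    print(postscreen_verdict(entries, blocked))
```

Because the threshold is 1 by default, any single weighted hit rejects; raising `postscreen_dnsbl_threshold` to 3 with the weights above would require a Spamhaus listing, or Barracuda plus another list, before postscreen refuses the connection, which is the usual way to trade a few more false negatives for fewer false positives.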

5

Re: SPAM not being flagged due to using gmail.com sent from

chris.23lo wrote:
jackb wrote:
chris.23lo wrote:

I'd investigate, starting from the sender/receiver mail:

grep 'Passed SPAM' maillog | grep sender
and see what scores they have.

There are two
Passed SPAM
Passed SPAMMY

This is what Roundcube says. It would be nice if it were flagged automatically with these sorts of emails.

X-Spam-Flag: NO
X-Spam-Score: 3.681
X-Spam-Level: ***
X-Spam-Status: No, score=3.681 tagged_above=2 required=6.2
    tests=[DKIM_ADSP_CUSTOM_MED=0.001, FORGED_GMAIL_RCVD=1,
    FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001,
    FREEMAIL_REPLYTO_END_DIGIT=0.25, HTML_MESSAGE=0.001,
    NML_ADSP_CUSTOM_MED=1.2, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001,
    RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001,
    RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001,
    SPF_SOFTFAIL=0.972, SPOOFED_FREEMAIL=0.001, SPOOF_GMAIL_MID=0.001]
    autolearn=no autolearn_force=no

Not everyone has an identical configuration.

I have mine with additional dnsbl.

postscreen_dnsbl_sites =
    zen.spamhaus.org=127.0.0.[2..11]*3
    b.barracudacentral.org=127.0.0.2*2

I am using those SPAM filters too. They work fine, but the problem is that these spammers are using Gmail to mask their server, i.e. using Google's relay service.

6 (edited by chris.23lo 2024-11-09 14:44:33)

Re: SPAM not being flagged due to using gmail.com sent from

Without having more details, I'd share my experience in general.
Yeah, false +ve and false -ve happen; for false -ve, I'd gather the sending IP and
1) report to SpamCop
2) block them manually; some spam sites can be as big as /18, and it's very common for them to be /24
3) the fight against spam is never-ending and there is no one easy formula; sometimes I'd gather their HELO and block them in helo_access.pcre if a common pattern is found
4) similarly, sometimes block domains like .xyz, .vip, .online, but use with care whenever it cannot be overlapped with legitimate sites
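Point 3 and the "use with care" warning in point 4 go together: a HELO pattern is cheap to add and easy to get wrong. The added example below (not the poster's table, not from iRedMail or Postfix) models a `helo_access.pcre` table in Postfix pcre_table(5) format, looks HELO names up with first-match-wins semantics, and runs the table against a list of HELO names that must keep working, so an over-broad pattern is caught before it goes live. The table, the patterns and the legitimate-HELO list are constructed; the `.tech` pattern is modelled on the HELO in the thread's Received headers.

```python
import re

# Constructed helo_access.pcre in Postfix pcre_table(5) format (illustration only).
HELO_ACCESS_PCRE = r"""
# bare IP literals are not valid HELO names for a real MTA
/^\[?\d+\.\d+\.\d+\.\d+\]?$/                              REJECT HELO is a bare IP address
# generic "mail/server/smtp + number" names on TLDs seen in the abuse logs
/^(mail|server|smtp)\d*\.[^.]+\.(tech|xyz|vip|online)$/   REJECT HELO pattern not accepted
# anything without a dot is not fully qualified
/^[^.]+$/                                                  REJECT HELO must be a fully qualified hostname
"""

# Constructed list of HELO names this server must keep accepting.
LEGITIMATE_HELOS = ["mail-wr1-f41.google.com", "mail.example.co.uk", "smtp-out.example.com"]

# /pattern/  ACTION  [optional message]
RULE_RE = re.compile(r"^/((?:\\.|[^/])*)/\s+(\S+)(?:\s+(.*))?$")


def parse_pcre_table(text):
    """Parse the table into (compiled regex, action, message) triples in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"bad pcre table line: {line}")
        pattern, action, message = m.groups()
        # Postfix pcre tables match case-insensitively by default; per-rule
        # flag toggles are not modelled here.
        rules.append((re.compile(pattern, re.IGNORECASE), action, message or ""))
    return rules


def lookup_helo(rules, helo):
    """First matching rule wins, as in Postfix; no match means DUNNO."""
    for regex, action, message in rules:
        if regex.search(helo):
            return action, message
    return "DUNNO", ""


def false_positives(rules, legitimate_helos):
    """Regression check for the 'use with care' caveat: which of the HELO names
    we rely on would this table reject?"""
    return [h for h in legitimate_helos if lookup_helo(rules, h)[0] == "REJECT"]


if __name__ == "__main__":
    rules = parse_pcre_table(HELO_ACCESS_PCRE)
    for helo in ["server.bestdigitalser.tech", "[209.209.40.232]", "mail-wr1-f41.google.com"]:
        print(helo, "->", lookup_helo(rules, helo))
    print("false positives:", false_positives(rules, LEGITIMATE_HELOS))
    # An over-broad rule of the kind the warning is about:
    print("over-broad:", false_positives(parse_pcre_table("/^mail/ REJECT too broad"), LEGITIMATE_HELOS))
```

Postfix consults such a table through `check_helo_access pcre:/etc/postfix/helo_access.pcre` in `smtpd_helo_restrictions`; keep the legitimate-HELO list under version control next to the table and run the check whenever a pattern is added.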

7

Re: SPAM not being flagged due to using gmail.com sent from

chris.23lo wrote:

Without having more details, I'd share my experience in general.
Yeah, false +ve and false -ve happen; for false -ve, I'd gather the sending IP and
1) report to SpamCop
2) block them manually; some spam sites can be as big as /18, and it's very common for them to be /24
3) the fight against spam is never-ending and there is no one easy formula; sometimes I'd gather their HELO and block them in helo_access.pcre if a common pattern is found
4) similarly, sometimes block domains like .xyz, .vip, .online, but use with care whenever it cannot be overlapped with legitimate sites

The solution is to use ASN blocking: block the ASN for the provider of the IP addresses.

Regards
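As an added example of the ASN blocking described in the last reply (not the poster's setup, not from iRedMail or Postfix): it resolves the sending IPs seen in the logs to their origin ASN by longest-prefix match, collects the ASNs, and writes a Postfix cidr access table covering every prefix announced by those ASNs, skipping an allowlist of ASNs that must never be blocked (the networks of relays you depend on). The prefix-to-ASN table is constructed and the ASNs are placeholders from the documentation range 64496-64511; in practice that table comes from routing data (an IP-to-ASN lookup service or a BGP/RIR dump). Only the two IPs from the thread's Received headers are taken from the page.

```python
import ipaddress

# Constructed prefix -> origin ASN table. Prefixes and ASNs are placeholders; a
# real table is built from routing data, not typed by hand.
PREFIX_TO_ASN = {
    "2.58.200.0/22": 64496,
    "209.209.40.0/24": 64497,
    "209.209.0.0/16": 64499,     # less specific parent, to exercise longest-prefix match
    "209.85.128.0/17": 64498,
}
# Constructed allowlist: ASNs we must keep receiving from whatever the logs say.
NEVER_BLOCK = {64498}


def build_lookup(table):
    """Networks sorted most-specific first so the first hit is the longest prefix."""
    nets = [(ipaddress.ip_network(p), asn) for p, asn in table.items()]
    return sorted(nets, key=lambda t: t[0].prefixlen, reverse=True)


def asn_for_ip(ip, nets):
    addr = ipaddress.ip_address(ip)
    for net, asn in nets:
        if addr in net:
            return asn
    return None


def asns_from_sources(ips, nets):
    """Distinct origin ASNs of a list of sending IPs (unknown IPs are ignored)."""
    return sorted({a for a in (asn_for_ip(ip, nets) for ip in ips) if a is not None})


def cidr_table_for_asns(asns, table, never_block=NEVER_BLOCK):
    """Lines for a Postfix cidr table rejecting every prefix of the given ASNs,
    except those on the allowlist. Postfix evaluates a cidr table first match
    wins, in file order, so the file is written in address order."""
    lines = []
    for prefix, asn in sorted(table.items(), key=lambda kv: ipaddress.ip_network(kv[0])):
        if asn in asns and asn not in never_block:
            lines.append(f"{prefix}\tREJECT Mail from AS{asn} is not accepted")
    return lines


def client_access_decision(ip, cidr_lines):
    """Model check_client_access on the generated table: first match wins."""
    addr = ipaddress.ip_address(ip)
    for line in cidr_lines:
        prefix, action = line.split("\t", 1)
        if addr in ipaddress.ip_network(prefix):
            return action
    return "DUNNO"


if __name__ == "__main__":
    nets = build_lookup(PREFIX_TO_ASN)
    # Constructed list of sending IPs gathered from the logs (the first two are
    # the ones in the thread; the third stands in for a relay we must not block).
    sources = ["2.58.200.24", "209.209.40.232", "209.85.220.41"]
    asns = asns_from_sources(sources, nets)
    table = cidr_table_for_asns(asns, PREFIX_TO_ASN)
    print("\n".join(table))
    for ip in sources:
        print(ip, "AS", asn_for_ip(ip, nets), "->", client_access_decision(ip, table))
```

Postfix reads the generated file with `check_client_access cidr:/etc/postfix/client_access.cidr` in `smtpd_client_restrictions`. ASN blocks are coarse by design, which is what makes them effective against a spammer who hops between addresses inside one hosting provider, and also why the allowlist matters: the same mechanism would silently cut off a large relay or cloud provider if its ASN ever appeared in the source list.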