Thanks for the reply. I will check tomorrow what you have mentioned to check.
I have obfuscated my domains like this:

mail.mydomain.pl -> example.com.pl
mydomain.com -> example.com
hostname.mail.mydomain.pl -> srv01.example.com.pl

That would be all about the obfuscation.

Do you suggest that:

blacklist_from *@example.com - would be enough?
blacklist_from *@example.com* - doesn't this cover more examples of matching?

Best Regards!
AtAt

On 2019-03-13 15:00:39, Bill Cole <sausers-20150...@billmail.scconsult.com> wrote:

> On 13 Mar 2019, at 8:50, atat wrote:
>
> > Hi,
> >
> > Spamassassin 3.4.0-4.el7_5 on CentOS 7, updated from Base Repo.
> >
> > My regex rules are not always matching spammers from outside. Please
> > help me understand why it's happening sometimes.
> >
> > All unmatched emails have multipart info in the header:
> >
> > Content-Type: multipart/mixed;
> >     boundary="----=_NextPart_000_0012_6D4A727D.1A2015BF"
> > This is a multi-part message in MIME format.
> > ------=_NextPart_000_0012_6D4A727D.1A2015BF
> > Content-Type: multipart/alternative;
> >     boundary="----=_NextPart_001_0013_6D4A727D.1A2015BF"
>
> That cannot be relevant.
>
> > Spamassassin Rules:
> > blacklist_from *@example.com*
> > blacklist_from *@example.com
> > blacklist_from *@example.com*
> > blacklist_from *@example.com
> > blacklist_from *@example.com.pl*
> > blacklist_from *@example.com.pl
> > blacklist_from *@example.com.pl*
> > blacklist_from *@example.com.pl
> > header BLOKOWANIE_EXAMPLE_COM From =~ /example.com\.pl/i
> > score BLOKOWANIE_EXAMPLE_COM 100.0
> > header BLOKOWANIE_EXAMPLE_COM1 From =~ /.*example.com.pl\.*/i
> > score BLOKOWANIE_EXAMPLE_COM1 100.0
> > header BLOKOWANIE_EXAMPLE_COM2 From =~ /example\.com/i
> > score BLOKOWANIE_EXAMPLE_COM2 100.0
> > header BLOKOWANIE_EXAMPLE_COM3 From =~ /.*example\.com\.pl.*/i
> > score BLOKOWANIE_EXAMPLE_COM3 100.0
>
> The fact that you've chosen to obfuscate these rules and the sample
> messages makes it nearly impossible to figure out with any certainty
> what's going wrong.
> But I have a wild guess...
>
> > 01 Not matching rules
> > -----------------------------------------------------------------------
> > Return-Path: <>
> > X-Original-To: mail...@srv01.example.com.pl
> > Delivered-To: mail...@srv01.example.com.pl
> > Received: from localhost (localhost [127.0.0.1])
> >     by srv01.example.com.pl (Postfix) with ESMTP id 01E8A400748ED
> >     for <mail...@srv01.example.com.pl>; Tue, 12 Mar 2019 09:34:57 +0100 (CET)
> > X-Envelope-From: <glo...@koreaunicom.co.kr>
> > X-Envelope-To: <marketin...@example.com>
> > X-Envelope-To-Blocked: <marketin...@example.com>
> > X-Quarantine-ID: <OM22wOiFBUgK>
> > X-Spam-Flag: YES
> > X-Spam-Score: 23.329
> > X-Spam-Level: ***********************
> > X-Spam-Status: Yes, score=23.329 tag=-888 tag2=6 kill=6
> >     tests=[AM.WBL=1.6, BAYES_999=0.2, BAYES_99=7, DATE_IN_FUTURE_06_12=4.897,
> >     FREEMAIL_FORGED_REPLYTO=2.095, HTML_MESSAGE=0.001,
> >     RCVD_IN_SORBS_DUL=0.001, RDNS_NONE=0.793, SPF_HELO_SOFTFAIL=0.732,
> >     SPF_SOFTFAIL=6, T_ISO_ATTACH=0.01] autolearn=no autolearn_force=no
> > Received: from srv01.example.com.pl ([127.0.0.1])
> >     by localhost (srv01.example.com.pl [127.0.0.1]) (amavisd-new, port 10024)
> >     with ESMTP id OM22wOiFBUgK for <marketin...@example.com>;
> >     Tue, 12 Mar 2019 09:34:53 +0100 (CET)
> > Received: from koreaunicom.co.kr (unknown [178.128.125.68])
> >     by srv01.example.com.pl (Postfix) with ESMTP id 7BDC44011BBB0
> >     for <marketin...@example.com>; Tue, 12 Mar 2019 09:34:50 +0100 (CET)
> > Reply-To: misain.nc...@gmail.com
> > From: ko...@example.com.pl, u...@example.com.pl, c...@example.com.pl,
> >     "Co."@example.com.pl, Ltd. <glo...@koreaunicom.co.kr>
>
> [SNIP]
>
> This looks like you have a broken header masquerade configured in your
> MTA (apparently Postfix) or some other associated tool which is
> mis-parsing the From header and appending '@example.com.pl' to each
> token in a display name part of the From header.
> Since this is happening AFTER SA scans the message (i.e. in the Postfix
> smtpd instance behind the amavisd-new SMTP proxy or ensuing cleanup
> process) SA does not see the mangled header.
>
> The original From header was probably:
>
> From: Korea Uni Com Co., Ltd. <glo...@koreaunicom.co.kr>
>
> > 02 Not matching rules
> > -----------------------------------------------------------------------
> > Return-Path: <>
> > X-Original-To: mail...@srv01.example.com.pl
> > Delivered-To: mail...@srv01.example.com.pl
> > Received: from localhost (localhost [127.0.0.1])
> >     by srv01.example.com.pl (Postfix) with ESMTP id 0A4ED40118229
> >     for <mail...@srv01.example.com.pl>; Mon, 11 Mar 2019 19:47:59 +0100 (CET)
> > X-Envelope-From: <i...@puresmileborehamwood.co.uk>
> > X-Envelope-To: <aaa....@example.com>
> > X-Envelope-To-Blocked: <aaa....@example.com>
> > X-Quarantine-ID: <3gOmOfFwP2Re>
> > X-Spam-Flag: YES
> > X-Spam-Score: 8.8
> > X-Spam-Level: ********
> > X-Spam-Status: Yes, score=8.8 tag=-888 tag2=6 kill=6
> >     tests=[AM.WBL=1.6, BAYES_999=0.2, BAYES_99=7] autolearn=no autolearn_force=no
> > Received: from srv01.example.com.pl ([127.0.0.1])
> >     by localhost (srv01.example.com.pl [127.0.0.1]) (amavisd-new, port 10024)
> >     with ESMTP id 3gOmOfFwP2Re for <aaa....@example.com>;
> >     Mon, 11 Mar 2019 19:47:57 +0100 (CET)
> > Received: from 495011.vps-10.com (495011.vps-10.com [212.67.214.132])
> >     (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
> >     (No client certificate requested)
> >     by srv01.example.com.pl (Postfix) with ESMTPS id E5672400748E8
> >     for <aaa....@example.com>; Mon, 11 Mar 2019 19:47:56 +0100 (CET)
> > Received: from [192.10.19.6] (unknown [146.83.109.33])
> >     by 495011.vps-10.com (Postfix) with ESMTPSA id 002DD283695
> >     for <aaa....@example.com>; Mon, 11 Mar 2019 17:45:37 +0000 (GMT)
> > Date: Mon, 11 Mar 2019 15:42:39 -0400
> > From: b...@example.com.pl, Martin <i...@puresmileborehamwood.co.uk>
>
> Same explanation. Original From:
>
> From: Bell, Martin <i...@puresmileborehamwood.co.uk>
>
> > 03 Not matching rules
> > -----------------------------------------------------------------------
> > Return-Path: <>
> > X-Original-To: mail...@srv01.example.com.pl
> > Delivered-To: mail...@srv01.example.com.pl
> > Received: from localhost (localhost [127.0.0.1])
> >     by srv01.example.com.pl (Postfix) with ESMTP id 6B27740008232
> >     for <mail...@srv01.example.com.pl>; Wed, 13 Mar 2019 10:21:58 +0100 (CET)
> > X-Envelope-From: <kha...@premiersintl.com>
> > X-Envelope-To: <john2.d...@example.com>
> > X-Envelope-To-Blocked: <john2.d...@example.com>
> > X-Quarantine-ID: <QE9zm4o-7hou>
> > X-Spam-Flag: YES
> > X-Spam-Score: 22.919
> > X-Spam-Level: **********************
> > X-Spam-Status: Yes, score=22.919 tag=-888 tag2=6 kill=6
> >     tests=[ADVANCE_FEE_3_NEW=2.967, BAYES_999=0.2, BAYES_99=7,
> >     DATE_IN_FUTURE_06_12=4.897, DEAR_SOMETHING=1.973, FROM_ADDR_WS=2.999,
> >     HTML_MESSAGE=0.001, RDNS_NONE=0.793, SUBJ_ALL_CAPS=1.506,
> >     T_ISO_ATTACH=0.01, URG_BIZ=0.573] autolearn=no autolearn_force=no
> > Received: from srv01.example.com.pl ([127.0.0.1])
> >     by localhost (srv01.example.com.pl [127.0.0.1]) (amavisd-new, port 10024)
> >     with ESMTP id QE9zm4o-7hou for <john2.d...@example.com>;
> >     Wed, 13 Mar 2019 10:21:56 +0100 (CET)
> > Received: from premiersintl.com (unknown [128.199.215.46])
> >     by srv01.example.com.pl (Postfix) with ESMTP id 4D5E34000823A
> >     for <john2.d...@example.com>; Wed, 13 Mar 2019 10:21:49 +0100 (CET)
> > From: do...@example.com.pl, Perry|account...@example.com.pl,
> >     mana...@example.com.pl, kha...@premiersintl.com
>
> Originally:
>
> From: Donna Perry|Accounting Manager, kha...@premiersintl.com
>
> The commonality in these 3 is misinterpretation of commas in the From
> headers and over-aggressive masquerading.
> Also I see that each of these (despite the bogus "Return-Path: <>" which
> is probably a delivery artifact) seems to have had an envelope sender
> (preserved in the X-Envelope-From: header) NOT using whatever you've
> replaced with example.com.pl.
>
> > 04 Not matching rules
> > ------------------------------------------------------------------------
> > But matched simple:
> > blacklist_from *@example.com*
> > blacklist_from *@example.com
> > blacklist_from *@example.com*
> > blacklist_from *@example.com
> > blacklist_from *@example.com.pl*
> > blacklist_from *@example.com.pl
> > blacklist_from *@example.com.pl*
> > blacklist_from *@example.com.pl
>
> Note that these are duplicative, so your mangling has probably lost some
> useful details...
>
> > Return-Path: <>
> > X-Original-To: mail...@srv01.example.com.pl
> > Delivered-To: mail...@srv01.example.com.pl
> > Received: from localhost (localhost [127.0.0.1])
> >     by srv01.example.com.pl (Postfix) with ESMTP id A38D540002948
> >     for <mail...@srv01.example.com.pl>; Mon, 11 Mar 2019 19:33:23 +0100 (CET)
> > X-Envelope-From: <voicemail_sen...@cc-shoretel.example.com.pl>
>
> This envelope sender may match one of your *actual* blacklist_from
> directives.
> > X-Envelope-To: <john....@example.com>
> > X-Envelope-To-Blocked: <john....@example.com>
> > X-Quarantine-ID: <uz_8uQBRiKxN>
> > X-Spam-Flag: YES
> > X-Spam-Score: 104.983
> > X-Spam-Level: ****************************************************************
> > X-Spam-Status: Yes, score=104.983 tag=-888 tag2=6 kill=6
> >     tests=[BAYES_95=4, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RDNS_DYNAMIC=0.982,
> >     USER_IN_BLACKLIST=100] autolearn=no autolearn_force=no
> > Received: from srv01.example.com.pl ([127.0.0.1])
> >     by localhost (srv01.example.com.pl [127.0.0.1]) (amavisd-new, port 10024)
> >     with ESMTP id uz_8uQBRiKxN for <john....@example.com>;
> >     Mon, 11 Mar 2019 19:33:22 +0100 (CET)
> > Received: from CC-ShoreTel.quadra.local
> >     (72-24-204-226.cpe.cableone.net [72.24.204.226])
> >     by srv01.example.com.pl (Postfix) with ESMTP id 29EC4400748EE
> >     for <john....@example.com>; Mon, 11 Mar 2019 19:33:20 +0100 (CET)
> > Received: from mail pickup service by CC-ShoreTel.quadra.local with
> >     Microsoft SMTPSVC; Mon, 11 Mar 2019 11:23:38 -0700
> > thread-index: AdTYN4w7x9VrrKKPQR27vx0vwmcnRA==
> > Thread-Topic: ShoreTel voice message from Jessica Johnson, 204 for
> >     mailbox 145
> > From: "ShoreWare Voice Mail"
> >     <voicemail_sen...@cc-shoretel.example.com.pl>
>
> This may be the header masquerading operating as intended, qualifying
> the bare hostname "CC-ShoreTel" by tacking on ".example.com.pl".
>
> Again, this would be happening AFTER the SA scan, so SA can't see it.
>
> IN SUMMARY:
>
> None of these (except *maybe* the last one) actually should match your
> blacklist_from directives or header rules, because what you're trying to
> match (apparently a local domain) is being added to From headers by
> something local that acts after the SA scan. Generally speaking, that
> sort of tactic is a misguided effort to use an MTA and/or delivery agent
> to "fix" a problem caused by other software generating bogus unqualified
> addresses, and the proper solution is to just stop doing it and instead
> fix the source of the problem.
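As an added illustration of the two points in this thread (it is not code from the thread or from SpamAssassin), the Python script below reimplements the documented glob semantics of `blacklist_from` (`*` matches any run of characters, `?` one character, anchored, case-insensitive) and applies them to two constructed From headers modelled on case 01: the original header that SA actually scanned, and the masqueraded one that reaches the mailbox. It also shows why `*@example.com*` "covers more" than `*@example.com`: the trailing `*` additionally matches any domain that merely begins with `example.com`. All local parts and the remote sender domain are made up.

```python
import re

def glob_to_regex(pattern):
    """Translate a blacklist_from/whitelist_from glob into an anchored,
    case-insensitive regex: '*' = any run of characters, '?' = one
    character, everything else literal (the documented SA semantics,
    reimplemented here; this is not SpamAssassin's own code)."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

# Deliberately simple address extraction (not a full RFC 5322 parser):
# every user@domain token in the header value, which is exactly what makes
# the masquerade-mangled headers in the thread grow extra "addresses".
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")

def from_addresses(header_value):
    """Return every address-looking token of a From: value, lower-cased."""
    return [a.lower() for a in ADDR_RE.findall(header_value)]

def matching_globs(header_value, globs):
    """(glob, address) pairs a blacklist_from line would fire on."""
    return [(g, addr)
            for addr in from_addresses(header_value)
            for g in globs
            if glob_to_regex(g).match(addr)]

GLOBS = ["*@example.com", "*@example.com*"]

# Constructed headers modelled on case 01 in the thread (local parts and the
# remote domain are made up; the thread's own values are elided).
ORIGINAL_FROM = "Korea Uni Com Co., Ltd. <sender@remote-sender.example>"  # what SA scanned
MANGLED_FROM = ("korea@example.com.pl, uni@example.com.pl, com@example.com.pl, "
                "Ltd. <sender@remote-sender.example>")                    # after the masquerade

if __name__ == "__main__":
    # SA sees the original header: nothing matches, so no USER_IN_BLACKLIST.
    print("SA sees:     ", matching_globs(ORIGINAL_FROM, GLOBS))
    # The mailbox sees the mangled header: only the trailing-'*' glob fires,
    # because '*@example.com' is anchored and the tokens end in '.pl'.
    print("mailbox sees:", matching_globs(MANGLED_FROM, GLOBS))
    # The same trailing '*' also catches unrelated domains such as example.community.
    print(glob_to_regex("*@example.com*").match("x@example.community") is not None)
```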