keep getting spams and track delivery shows no spam score
I keep getting spam emails that bypass SpamAssassin... is this possible? I found these entries if someone can help...
[root@s1 ~]# grep 1r16tN-0005aQ-1A /var/log/exim_mainlog
2023-11-09 17:24:25 1r16tN-0005aQ-1A <= ujjijhp@wooderstell.pics H=mail.wooderstell.pics [89.163.231.241]:44178 P=esmtp S=146337 id=2226134835377171184736170420602421644516@wooderstell.pics T="\316\230\316\265\317\201\316\261\317\200\316\265\317\215\316\265\316\271 \317\204\316\267\316\275 \317\200\317\201\316\277\317\203\317\204\316\261\317\204\316\257\317\204\316\271\316\264\316\261 \317\203\316\265 28 \316\267\316\274\316\255\317\201\316\265\317\202" for sales@example.gr
2023-11-09 17:24:25 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1r16tN-0005aQ-1A
2023-11-09 17:24:25 1r16tN-0005aQ-1A => sales R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 OEd0DKn5TGU/TwAA24liyQ Saved"
2023-11-09 17:24:26 1r16tN-0005aQ-1A => |/home/example/public_html/crons/pipe.php (sales@example.gr) R=virtual_aliases_nostar T=cagefs_virtual_address_pipe
2023-11-09 17:24:26 1r16tN-0005aQ-1A Completed
I am having the same issue...some, but not all, emails are getting a spam score.
I hope that's all it needs, but let me know!
No, the messages I saw today were very small...no attachment. Here is an example of one from today. The only thing I changed was my domain to mydomain.com, and the phishing link in it--I added DONTFOLLOW into the domain of that link. I seem to be unable to use the CODE to insert this in code, but here is the html for this email:
Return-Path: <hello@rumalisupreme.com>
Delivered-To: scott@mydomain.com
Received: from scott.mydomain.com
by scott.mydomain.com with LMTP
id v+THFhPkTGV8RwAARpFy3A
(envelope-from <hello@rumalisupreme.com>)
for <scott@mydomain.com>; Thu, 09 Nov 2023 05:52:19 -0800
Return-path: <hello@rumalisupreme.com>
Envelope-to: scott@mydomain.com
Delivery-date: Thu, 09 Nov 2023 05:52:19 -0800
Received: from p050057.ppp.asahi-net.or.jp ([221.113.50.57]:50494 helo=fslnx011.inhouse.frontside.jp)
by scott.mydomain.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
(Exim 4.96.2)
(envelope-from <hello@rumalisupreme.com>)
id 1r15SE-0004kp-0D
for scott@mydomain.com;
Thu, 09 Nov 2023 05:52:19 -0800
Received: from localhost (localhost [127.0.0.1])
by fslnx011.inhouse.frontside.jp (Postfix) with ESMTP id 93CEEC5A91AE
for <scott@mydomain.com>; Thu, 9 Nov 2023 22:49:38 +0900 (JST)
Received: from fslnx011.inhouse.frontside.jp ([127.0.0.1])
by localhost (fslnx011.inhouse.frontside.jp [127.0.0.1]) (amavisd-new, port 10032)
with ESMTP id wga1O3MnEpHm for <scott@mydomain.com>;
Thu, 9 Nov 2023 22:49:38 +0900 (JST)
Received: from localhost (localhost [127.0.0.1])
by fslnx011.inhouse.frontside.jp (Postfix) with ESMTP id 3D4CAC5A83D0
for <scott@mydomain.com>; Thu, 9 Nov 2023 22:49:38 +0900 (JST)
X-Virus-Scanned: amavisd-new at fslnx011.inhouse.frontside.jp
Received: from fslnx011.inhouse.frontside.jp ([127.0.0.1])
by localhost (fslnx011.inhouse.frontside.jp [127.0.0.1]) (amavisd-new, port 10026)
with ESMTP id M5LX0zGYi83U for <scott@mydomain.com>;
Thu, 9 Nov 2023 22:49:37 +0900 (JST)
Received: from rumalisupreme.com (unknown [5.135.67.230])
by fslnx011.inhouse.frontside.jp (Postfix) with ESMTPSA id 48233C5A91D0
for <scott@mydomain.com>; Thu, 9 Nov 2023 22:49:29 +0900 (JST)
From: DHL-Express<hello@rumalisupreme.com>
To: scott@mydomain.com
Subject: Delivery Notification. scott
Date: 09 Nov 2023 05:52:05 -0800
Message-ID: <20231109055205.CE4751D98FD9AAB5@rumalisupreme.com>
MIME-Version: 1.0
Content-Type: multipart/related;
boundary="----=_NextPart_000_0012_53791E70.D5B4CD7D"
Dear scott
You have a delivery waiting for your confirmation
Mail Authentication
https://www.google.com/url?CLICK TO CONFIRM
2023 © DHL Global
Okay, how about this option - is SpamAssassin not forced on globally for all accounts in WHM >> Exim Configuration Manager? If not, is it possible it's not enabled for this particular domain? I really don't have a good explanation why SpamAssassin would just skip that one message in particular, as that is obviously not supposed to happen.
It is forced on all accounts. Most of my emails are being assigned spam scores, but each day I find several, like the example posted from today, which come through without a score at all.
PS - It's likely a bug. Perhaps that full header and full HTML have some clues? I mean these spammers have programmers too, who sit around and figure out how to beat filters all day long. Does it make sense to pass this on to whoever is doing the programming in this area? Would they work at cPanel... SpamAssassin, there must be a system to report issues to them?
Do you get a decent number when running this command?
grep spamd /var/log/exim_paniclog -c
I got 0.
Not a very large number, huh? :D It's probably time for a ticket on this one then, since something seems broken and I don't see any recent cases with this type of behavior.
I don't believe a low number for that particular command is unusual, and since others are also reporting the same issue here, I doubt it is specific to my system. In any case, I've noticed that the majority of spam email without spam scores comes directly from MS Outlook senders. I am not sure if a spam score is being applied to any MS Outlook emails. Here is an example from today, but several I've checked from MS Outlook no longer contain spam scores:
Return-Path:
Delivered-To: scott@mydomain.com
Received: from scott.mydomain.com by scott.mydomain.com with LMTP id XvrCLnk4TmX5LwAARpFy3A (envelope-from ) for ; Fri, 10 Nov 2023 06:04:41 -0800
Return-path:
Envelope-to: scott@mydomain.com
Delivery-date: Fri, 10 Nov 2023 06:04:41 -0800
Received: from mail-ve1eur01olkn2038.outbound.protection.outlook.com ([40.92.66.38]:50751 helo=EUR01-VE1-obe.outbound.protection.outlook.com) by scott.mydomain.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96.2) (envelope-from ) id 1r1S7l-0003Bk-1N for scott@mydomain.com; Fri, 10 Nov 2023 06:04:41 -0800
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none
Received: from AM7PR09MB4200.eurprd09.prod.outlook.com (2603:10a6:20b:118::9) by AM7PR09MB3607.eurprd09.prod.outlook.com (2603:10a6:20b:dd::9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6954.29; Fri, 10 Nov 2023 14:00:09 +0000
Received: from AM7PR09MB4200.eurprd09.prod.outlook.com ([fe80::9f92:e4e4:b0d3:a6d3]) by AM7PR09MB4200.eurprd09.prod.outlook.com ([fe80::9f92:e4e4:b0d3:a6d3%5]) with mapi id 15.20.6954.029; Fri, 10 Nov 2023 14:00:09 +0000
From: Sanlam Finance
Subject: Sanlam Finance Special Loan Notification
Thread-Topic: Sanlam Finance Special Loan Notification
Thread-Index: AQHaE94tSH4S4qPQQ0GnGrk4jcD6wg==
Importance: high
X-Priority: 1
Date: Fri, 10 Nov 2023 14:00:09 +0000
Message-ID:
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
msip_labels:
x-tmn: [oMqmH+ttyKqgyZuhyFEIr83RRoaLCA5C]
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: AM7PR09MB4200:EE_|AM7PR09MB3607:EE_
x-ms-office365-filtering-correlation-id: 7af9eea5-c9cc-4b99-b794-08dbe1f559ba
x-microsoft-antispam: BCL:0;
x-ms-exchange-antispam-messagedata-chunkcount: 1
Content-Type: multipart/mixed; boundary="_002_AM7PR09MB4200E07D009090A4CE4B97C9B7AEAAM7PR09MB4200eurp_"
MIME-Version: 1.0
X-OriginatorOrg: outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM7PR09MB4200.eurprd09.prod.outlook.com
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-CrossTenant-Network-Message-Id: 7af9eea5-c9cc-4b99-b794-08dbe1f559ba
X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Nov 2023 14:00:09.1332 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM7PR09MB3607
Attn: Our 4% and 5% Special offer is promotional and fixed for duration(YEARS) of the loan amount you wish to take up with us. Kindly view the attached flyer for more information on our 4% Personal and 5% for Business Loan! The special offer also opens to blacklisted individuals and debt review. Kind regards, Management. Sanlam Finance (pty) Ltd directsanlammarketing@outlook.com Fax: +27 86 608 5176
No, a low number there is good. That command is checking to see if the spamd service is failing due to too many concurrent connections that it can't handle, so 0 is the ideal output.
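Added example, not part of the thread and not cPanel's or SpamAssassin's own tooling: a small Python check that takes a raw message source, reports whether any X-Spam-* header is present in the header section, and pulls the Exim queue ID from the Received line so the message can be looked up in /var/log/exim_mainlog as in the first post. The ID pattern is assumed from the form shown on this page, the first sample is abridged from the DHL-themed message above, and the second sample is constructed.

```python
import re
from email import message_from_string

# Exim queue ID in the form seen on this page (e.g. 1r15SE-0004kp-0D, Exim 4.96.2).
EXIM_ID = re.compile(r"\bid ([0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2})\b")

# Abridged from the DHL-themed message posted above (it has no X-Spam-* headers).
UNSCANNED = """\
Received: from scott.mydomain.com
 by scott.mydomain.com with LMTP
 id v+THFhPkTGV8RwAARpFy3A
 for <scott@mydomain.com>; Thu, 09 Nov 2023 05:52:19 -0800
Received: from p050057.ppp.asahi-net.or.jp ([221.113.50.57]:50494)
 by scott.mydomain.com with esmtps (TLS1.2) (Exim 4.96.2)
 id 1r15SE-0004kp-0D
 for scott@mydomain.com; Thu, 09 Nov 2023 05:52:19 -0800
Subject: Delivery Notification. scott

X-Spam-Status: text in the body is not a header
"""

# Constructed sample of a scanned message (host, ID and scores are made up).
SCANNED = """\
Received: from mx.example.net ([192.0.2.10]:2525)
 by scott.mydomain.com with esmtps (Exim 4.96.2)
 id 1r0000-000abc-1Z
 for scott@mydomain.com; Thu, 09 Nov 2023 06:00:00 -0800
X-Spam-Status: No, score=1.2
X-Spam-Score: 12
Subject: hello

body
"""

def triage(raw):
    # Returns (exim_id, x_spam_headers) for one raw message.
    msg = message_from_string(raw)
    # Only parsed headers count; body text that looks like a header is ignored.
    spam = {k: v for k, v in msg.items() if k.lower().startswith("x-spam-")}
    for rcvd in msg.get_all("Received", []):
        m = EXIM_ID.search(rcvd) if "Exim" in rcvd else None
        if m:  # topmost Exim hop = the receiving server's own queue ID
            return m.group(1), spam
    return None, spam

def report(raw):
    exim_id, spam = triage(raw)
    if spam:
        return f"{exim_id}: scanned ({', '.join(sorted(spam))})"
    return f"{exim_id}: no X-Spam-* headers; grep {exim_id} /var/log/exim_mainlog"
```

Feeding it the saved source of each unscored message gives a list of queue IDs to compare against the log entries for messages that did receive a score.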