
Resolved Spam black list doesn't work

JuanCar

Regular Pleskian
Server operating system version
Centos
Plesk version and microupdate number
Obsidian 18.0.48
Hi
I've set a spam black list for a subdomain and for the domain. The filter is *@*.top, because I'm receiving the same spam mails from different emails: [email protected], [email protected] and so on.
I've set the filter but the spam keeps on reaching me!!!
Where is my mistake? Is there any other way to reject this spam?
Thanks
 
If I'm not mistaken, the spam filter blacklist identifies emails from those subdomains as SPAM, but it is up to the individual mailbox filters to either reject SPAM, move it to the SPAM folder or just mark it as such in the subject but still deliver it to the inbox.
 
But in my case, the mail is delivered like any other mail, without any mark and without being moved to the spam folder.
If I set *@gmail.com in the black list, the rule works and the mail is not delivered.
My spam mails come from *@*.top
That's what I see in the maillog:
Mar 3 14:17:05 mydomain qmail-queue[797]: 788302: from=<[email protected]> to=<[email protected]>
Mar 3 14:17:05 mydomain qmail-queue[797]: 788302: py-limit-out: stderr: INFO:__main__:No SMTP AUTH and not running in sendmail context (incoming or unrestricted outgoing mail). SKIP message.
Mar 3 14:17:05 mydomain qmail-queue[797]: 788302: py-limit-out: stderr: SKIP
Mar 3 14:17:05 mydomain qmail-queue[797]: 788302: check-quota: stderr: SKIP
Mar 3 14:17:05 mydomain spf[805]: 788302: Error code: (6) Unknown mechanism found
Mar 3 14:17:05 mydomain spf[805]: 788302: Unable to set local policy: Unknown mechanism found near 'spf1 +a +mx '
Mar 3 14:17:05 mydomain spf[805]: 788302: Unable to set local policy: Failed to compile local policy 'spf1 +a +mx +a:mydomain.com -all'
Mar 3 14:17:05 mydomain qmail-queue[797]: 788302: spf: stderr: SKIP
Mar 3 14:17:06 mydomain qmail-queue[806]: scan: the message(drweb.tmp.MJpofr) sent by [email protected] to [email protected] is passed
Mar 3 14:17:06 mydomain qmail-queue[797]: 788302: drweb: stderr: PASS
Mar 3 14:17:06 mydomain qmail[20219]: new msg 788302
Mar 3 14:17:06 mydomain qmail[20219]: info msg 788302: bytes 270206 from <[email protected]> qp 811 uid 2020
Mar 3 14:17:06 mydomain qmail[20219]: starting delivery 1597: msg 788302 to local [email protected]
Mar 3 14:17:06 mydomain qmail[20219]: status: local 1/10 remote 0/20
Mar 3 14:17:06 mydomain qmail-local[812]: 788302: from=<[email protected]> to=<[email protected]>
Mar 3 14:17:06 mydomain spamc[814]: skipped message, greater than max message size (256000 bytes)
Mar 3 14:17:06 mydomain qmail-local[812]: 788302: spam: stderr: PASS
Mar 3 14:17:06 mydomain dk_check[815]: 788302: DKIM verification (d=(null), 0-bit key) failed: domain tag missing
Mar 3 14:17:06 mydomain qmail-local[812]: 788302: dk_check: stderr: PASS
Mar 3 14:17:06 mydomain dmarc[816]: 788302: SPF record was not found in Authentication-Results
Mar 3 14:17:06 mydomain qmail-local[812]: 788302: dmarc: stderr: PASS
Mar 3 14:17:06 mydomain qmail[20219]: delivery 1597: success: did_0+0+2/
Mar 3 14:17:06 mydomain qmail[20219]: status: local 0/10 remote 0/20
Mar 3 14:17:06 mydomain qmail[20219]: end msg 788302

The remote address here is [email protected], but the same email can come from similar emails (*@*.top), all with the same top domain.
 
Is [email protected] also the address used in the From header of the email? Because if I am not mistaken the SpamAssassin blacklist blocks emails solely based on the address set in the From header. Not the address used in the sender's envelope.
 
Is [email protected] also the address used in the From header of the email? Because if I am not mistaken the SpamAssassin blacklist blocks emails solely based on the address set in the From header. Not the address used in the sender's envelope.
Yes, the header shows the same email in the From header. Here is a mail header with this spam problem:
Authentication-Results: mydomain.com;
dmarc=pass (p=NONE sp=NONE) smtp.from=yaud.top header.from=yaud.top;
dkim=pass header.d=yaud.top;
dkim=temperror header.d=(null)
Received: (qmail 6245 invoked from network); 4 Mar 2023 23:03:17 +0100
Received: from coupons.yaud.top (134.73.142.146)
by mydomain.com with (DHE-RSA-AES256-GCM-SHA384 encrypted) SMTP; 4 Mar 2023 23:03:13 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=default; d=yaud.top;
h=List-Unsubscribe:MIME-Version:From:To:Date:Subject:Content-Type:
Content-Transfer-Encoding; i=[email protected];
bh=2RWaE2NqlvEXsTrIAPxtsl561qlnY/JRkRqbYW93xR0=;
b=GM2fKYuJ5/tQMYgDDD1Tr7B+DBLKwx8/iyraeWVhRQz9ESeTs9aLton56fZGJzQj0bfs/XHTUSt1
8FBePM4KP1lfROdd9OzxAyvFBLHXlv/LwUXaLcBjhcQ/IH+pOVQ5eB4QgvgwSqyJaO1gjGwNyVBj
onAwqWuBnKTvTddmRsg=
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869
X-Spam-Score: 0.5
ReturnReceipt: 1
DKIM-Signature: v=DKIM1; k=rsa;
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC93rT0nxRFY5VjvZ4XWHSSB6wukwCfkm7GchaAqsiVz/gyKiJnnxNfzcsc2ChPKIsMv33QNI4aw5evTh22JGdcI6ffaEWgN//+x0SL9bzyZrxXwAYP7uOyg3jgVHioA+n9Lh0DV88aCcQQuAWljcNzyCBivnszhB/qSY7ajBYLCQIDAQAB
List-Unsubscribe: <https://www.sexydoll4u.com/list.cgi?cmd=unsub&lst=list>,
<mailto:[email protected]?subject=unsubscribe>
MIME-Version: 1.0
From: =?utf-8?Q?Louis=C2=AE_Vuitton?= <[email protected]>
To: "mymail" <[email protected]>
Priority: urgent
Importance: high
Date: 4 Mar 2023 13:54:38 -0800
Subject: mymail, Award winning Christmas group purchase.
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: base64
 
@JuanCar The reason why the messages are passing the filter is that they are too big. Spammers use this technique on purpose, because they know that SpamAssassin only scans messages up to a certain size. This is done so that a mail server cannot be successfully attacked by sending lots of large mails which would cause a lot of CPU load for the scan of the large mail. Spammers put large image files into an HTML body of a mail to achieve this. You can see what happens in this log line of yours:
Code:
Mar 3 14:17:06 mydomain spamc[814]: skipped message, greater than max message size (256000 bytes)
In the Plesk documentation you can find instructions on how to increase the message size threshold of SpamAssassin:
 
Peter is right. I missed this line in the mail log, which indicates the message size is larger than the maximum allowed message size configured in SpamAssassin. Which is why the message is ignored by SpamAssassin.
Mar 3 14:17:06 mydomain spamc[814]: skipped message, greater than max message size (256000 bytes)
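
An added example, not part of any post in this thread: a small maillog check that lists deliveries which spamc skipped for exceeding the size limit, so an admin can see which senders are reaching mailboxes unscanned. The sample log is constructed in the format quoted above (addresses and the second message are made up), and because the spamc line carries no message id, attributing it to the preceding qmail-local delivery is an assumption that can misattribute under concurrent deliveries.

```python
import re

# Constructed sample in the maillog format quoted in this thread
# (addresses and the second message are made up for the example).
SAMPLE_LOG = """\
Mar 3 14:17:06 mydomain qmail[20219]: info msg 788302: bytes 270206 from <promo@sender.invalid> qp 811 uid 2020
Mar 3 14:17:06 mydomain qmail-local[812]: 788302: from=<promo@sender.invalid> to=<user@mydomain.invalid>
Mar 3 14:17:06 mydomain spamc[814]: skipped message, greater than max message size (256000 bytes)
Mar 3 14:17:06 mydomain qmail-local[812]: 788302: spam: stderr: PASS
Mar 3 14:18:10 mydomain qmail[20219]: info msg 788310: bytes 4120 from <friend@other.invalid> qp 830 uid 2020
Mar 3 14:18:10 mydomain qmail-local[831]: 788310: from=<friend@other.invalid> to=<user@mydomain.invalid>
Mar 3 14:18:10 mydomain qmail-local[831]: 788310: spam: stderr: PASS
"""

INFO_RE = re.compile(r"qmail\[\d+\]: info msg (\d+): bytes (\d+) from <([^>]*)>")
LOCAL_RE = re.compile(r"qmail-local\[\d+\]: (\d+): from=<")
SKIP_RE = re.compile(
    r"spamc\[\d+\]: skipped message, greater than max message size \((\d+) bytes\)")


def find_unscanned(log_text):
    """Return one dict per message that spamc skipped because of its size."""
    info = {}       # msg id -> (size in bytes, envelope sender)
    current = None  # msg id of the most recent qmail-local delivery
    skipped = []
    for line in log_text.splitlines():
        if m := INFO_RE.search(line):
            info[m.group(1)] = (int(m.group(2)), m.group(3))
        elif m := LOCAL_RE.search(line):
            current = m.group(1)
        elif (m := SKIP_RE.search(line)) and current is not None:
            # spamc logs no message id, so attribute the skip to the
            # delivery that qmail-local started just before it (heuristic).
            size, sender = info.get(current, (None, None))
            skipped.append({"msg": current, "bytes": size,
                            "sender": sender, "limit": int(m.group(1))})
    return skipped


if __name__ == "__main__":
    for hit in find_unscanned(SAMPLE_LOG):
        print("{msg}: {bytes} bytes from {sender} exceeded limit {limit}".format(**hit))
```
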
 