• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Question spam not checked by spamassassin

U

UweO

New Pleskian
Hello,
some "special" spam mail are not filtered by spamassassin. Postfix sends it direct to me:

Return-Path: <MAILER-DAEMON>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: by my.server.de (Postfix, from userid 110)
id 44D3E41AEC; Thu, 22 Oct 2020 00:46:01 +0200 (CEST)
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from saceakee.club (mail.saceakee.club [206.189.21.254])
by my.server.de (Postfix) with ESMTP id D343E3FBF0
for <[email protected]>; Thu, 22 Oct 2020 00:46:00 +0200 (CEST)
To: "[to]"@my.server.de
MIME-Version: 1.0
Date: Wed, 21 Oct 2020 23:48:00 +0200
Message-ID: <1qbao1ncjPX2n91rFsbzutj78pLJynbNyJAYMqHdvqpaz2av3@s01.news.newsletter2go.com>
From: DailySavingsFinder <[email protected]>
Subject: Nehmen Sie an dieser 30-Sekunden-Umfrage über Rossman teil und wir bieten Ihnen exklusive Prämien über 50 US-Dollar!
"... some text ... no pdf no attachment, smal spam"

[email protected] und my22address.de exists.
To: "[to]"@my.server.de ? does not exist

Log
# more maillog2 | grep 206.189.21.254
Oct 22 00:46:00 lvps5-35-245-95 postfix/smtpd[17361]: connect from mail.saceakee.club[206.189.21.254]
Oct 22 00:46:00 lvps5-35-245-95 postfix/smtpd[17361]: D343E3FBF0: client=mail.saceakee.club[206.189.21.254]
Oct 22 00:46:01 lvps5-35-245-95 postfix/smtpd[17361]: disconnect from mail.saceakee.club[206.189.21.254]

# more maillog2 | grep D343E3FBF0
Oct 22 00:46:00 lvps5-35-245-95 postfix/smtpd[17361]: D343E3FBF0: client=mail.saceakee.club[206.189.21.254]
Oct 22 00:46:00 lvps5-35-245-95 postfix/cleanup[17342]: D343E3FBF0: message-id=<1qbao1ncjPX2n91rFsbzutj78pLJynbNyJAYMqHdvqpaz2av3@s01.news.newsletter2go.com>
Oct 22 00:46:01 lvps5-35-245-95 postfix/qmgr[23459]: D343E3FBF0: from=<>, size=6177, nrcpt=1 (queue active)
Oct 22 00:46:01 lvps5-35-245-95 postfix/pipe[17346]: D343E3FBF0: to=<[email protected]>, relay=plesk_virtual, delay=0.42, delays=0.19/0/0/0.24, dsn=2.0.0, status=sent (delivered via plesk_virtual service)
Oct 22 00:46:01 lvps5-35-245-95 postfix/qmgr[23459]: D343E3FBF0: removed

All other mails beeing spamfiltered, no mail or spam problem - only this case is wrong.

Kind regard
Uwe
 
A common issue here is that spammers place an image file into their mails to keep SpamAssassin default "max" mail size value from checking these mails. See
docs.plesk.com

SpamAssassin Spam Filter

The SpamAssassin spam filter identifies spam messages among emails sent to mailboxes hosted on your Plesk server. Lea...
docs.plesk.com docs.plesk.com
"Defining the Maximum Mail Size for Spam Assassin" section.
 
Peter Debik said:
A common issue here is that spammers place an image file into their mails to keep SpamAssassin default "max" mail size value from checking these mails. See
docs.plesk.com

SpamAssassin Spam Filter

The SpamAssassin spam filter identifies spam messages among emails sent to mailboxes hosted on your Plesk server. Lea...
docs.plesk.com docs.plesk.com
"Defining the Maximum Mail Size for Spam Assassin" section.
Click to expand...
Hello Peter,
SA_MAX_MAIL_SIZE 3000000
the spam mail has 6,2 KB
I think the problem is
Return-Path: <MAILER-DAEMON>
To: "[to]"@my.server.de =>?
To: myname <[email protected]> => is ok but "[to]"@
 
UweO said:
To: "[to]"@my.server.de =>?
To: myname <[email protected]> => is ok but "[to]"@
Click to expand...
SMTP works like this (only the sending site, your server responds with 200 OK if it accepts the mail):
(connect)
HELO saceakee.club
MAIL FROM: <>
RCPT TO: <[email protected]>
DATA
To: "[to]"@my.server.de
MIME-Version: 1.0
Date: Wed, 21 Oct 2020 23:48:00 +0200
[rest of header, newline, body]
.
[a dot in a line of its own as the end-of-message mark]
i.e. the address in the header is not actually used, only that in the envelope (RCPT TO).
Each server in the chain SHOULD append the envelope data to the headers, though. It is in the Received: lines and in the X-Original-To:.
Your server prepends another Received: because my22@ is internally forwarded to my@ it seems.

The To: line is not used anywhere in the actual delivery of the mail.
 
i have the same problem and still investigation what's going on here. the headers of my mail look little different:
Code: 
Return-Path: <MAILER-DAEMON>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from ex4u.dushi.ca (unknown [52.136.215.223])
        by xxxxx (Postfix) with ESMTP id 3F6344271818
        for <[email protected]>; Fri, 11 Dec 2020 10:58:08 +0100 (CET)
Date: Thu, 17 Dec 2020 15:50:50 +0100
From: ~KETO~ <[email protected]>
To: [email protected]
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii
User-Agent: Mutt/1.12.1 (2019-06-15)
Subject: ~Verlieren Sie bis zu 14 kg in einem [email protected]~
X-BeenThere: [email protected]
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
 
You must log in or register to reply here.

Similar threads

B
Resolved Mail get lost with wrong Dmarc
Replies
1
Views
2K
Martin Dias
Martin Dias
M
Resolved Postfix Not Delivering to Local Mailbox
Replies
2
Views
4K
Matt Sonnentag
M
C
Issue Plesk doesn't let out my mails to my email client!?
Replies
3
Views
2K
centredeformationfrance
C
T
Issue SpamAssassin is not scanning server-wide
Replies
2
Views
1K
japjay
J
S
Question Email Security showing SRS spam
Replies
0
Views
1K
shogunswb
S
Back
Top