Richard G
Content of /etc/virtual/blacklist_domains
Code:
[root@server18: /etc/virtual]# less blacklist_domains
.date
.loan
.website
Received mail whose IP IS present in the Spamhaus blacklist.
Code:
Return-Path: <maely@symine.loan>
Delivered-To: [email protected]
Received: from server18.hostingserver.com
by server18.hostingserver.com with LMTP id eNTLMtCVwVkSUgAADNWw8g
for <[email protected]>; Wed, 20 Sep 2017 00:10:24 +0200
Return-path: <maely@symine.loan>
Envelope-to: [email protected]
Delivery-date: Wed, 20 Sep 2017 00:10:24 +0200
Received: from [192.162.24.180] (helo=symine.loan)
by server18.hostingserver.com with esmtp (Exim 4.89)
(envelope-from <maely@symine.loan>)
id 1duQif-0001JC-9W
for [email protected]; Wed, 20 Sep 2017 00:10:24 +0200
From: " Julia Peterson" <[email protected]>
Date: Tue, 19 Sep 2017 16:52:24 -0500
MIME-Version: 1.0
Subject: Download The Best Flight Sim Game Over 120 Aircrafts & Real Airports
To: <[email protected]>
Message-ID: <vnZNZXl0W-E2cWDup4QZFktrUZ8p_C5zd6FJsemnQ0M.9CZzFINKblc10LQyB-k-2viBmyjw3GyYBBlzn7-yRLE@symine.loan>
Content-Type: multipart/alternative;
boundary="------------19141990633071142810361"
SPFCheck: Soft Fail, 30 Spam score
X-Spam-Score: 3.2 (+++) (????)
X-Spam-Report: Spam detection software, running on the system "server18.hostingserver.com",
has NOT identified this incoming email as spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
the administrator of that system for details.
Content preview: Nationality, and ethnicity are a large beaming part of identity
for most people. Factors chiropractic like this matter more for some people
strong than others and for some groups stampede more than others but a sense
rochester of group awareness or membership exists in rockwell varying degrees
across all segments of American dawson . Often its easy to see the kurdish
signifiers of such group identity, in distinctive holmes , food or clothing,
for example. But commons sometimes when symbols or language are co-, dilemma
it is harder to spot. In 2015, more Donald J. Trumps make America great again
alternate and build a wall started out as gangster simple but powerful slogans.
As time went diluted on, they became more infused with a impeccable specific
meaning that symbolized the concerns and varicose preferences of a substantial
set of white stockton Americans. Mr. Trumps appeals were a form greenwich
of group politics or identity politics, and supremo he continues to focus
on threats to file white identity as president. Some Trump critics melt find
his focus on whites as a speed group outrageous or counterproductive. But
survey data intrusion suggest that many white Americans do feel sever threatened,
and that they think there are part policies that discriminate against them
and should mission be changed. Two examples of the presidents mouthpiece
efforts and the underlying support for his bethlehem positions illustrate
these trends. On Wednesday, he discontinued offered his support for a bill
that salt would cut legal immigration to the United swept States in half,
saying this legislation demonstrates lambert our compassion for struggling
American families who budapest deserve an immigration [...]
Content analysis details: (3.2 points, 7.5 required)
pts rule name description
---- ---------------------- --------------------------------------------------
1.0 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
0.9 SPF_HELO_SOFTFAIL SPF: HELO does not match SPF record (softfail)
0.0 HTML_MESSAGE BODY: HTML included in message
1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
0.0 T_REMOTE_IMAGE Message contains an external image
SpamTally: Final spam score: 62
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
This is a multi-part message in MIME format.
--------------19141990633071142810361
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Can anybody explain this to me, given these default ESF settings:
1.0 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail) (+30)
0.9 SPF_HELO_SOFTFAIL SPF: HELO does not match SPF record (softfail) (+30)
1.3 RDNS_NONE Delivered to internal network by a host with no rDNS (+100)
SpamTally: Final spam score: 62???
By my calculations this should be at least 130. (At least 1 time +30 and 1 time +100)
Next to that, it seems that during processing, this IP got onto the blacklist:
Code:
2017-09-20 00:10:24 1duQif-0001JC-9W <= [email protected] H=(symine.loan) [192.162.24.180] P=esmtp S=14052 d=vnZNZXl0W-E2xxxxxxxxxtrUZ8p_C5zd6FJsemnQ0M.9CZzFINKblc10LQyB-k-2viBmyjw3GyYBBlzn7-yRLE@symine.loan T="Download The Best Flight Sim Game Over 120 Aircrafts & Real Airports" from <[email protected]> for [email protected]
2017-09-20 00:10:24 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1duQif-0001JC-9W
2017-09-20 00:10:25 1duQif-0001JC-9W => info <[email protected]> F=<[email protected]> R=virtual_user T=dovecot_lmtp_udp S=14407 C="250 2.0.0 <[email protected]> eNTLMtCVwVkSUgAADNWw8g Saved"
2017-09-20 00:10:25 1duQif-0001JC-9W Completed
2017-09-20 00:12:57 H=(symine.loan) [192.162.24.180] F=<[email protected]> rejected RCPT <[email protected]>: Email blocked by zen.spamhaus.org
As you can see, it was delivered to me, but 2 minutes later, all mail coming from that .loan domain was blocked by Spamhaus and Exim rejected, so that's good.
Questions:
1.) Why wasn't this email blocked by Exim, due to the blacklist_domains setting?
According to this thread, I did not use *.loan but just .loan, as stated there.
2.) Why wasn't this email blocked by ESF, since the result was well over the +100 score, which even ESF detected?
And the default setting is EASY_HIGH_SCORE_DROP = 100.
3.) Why wasn't this email blocked by Exim because of the invalid helo/ehlo?
Can anybody help me figure out why this mail was not blocked???
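An added triage helper, not part of the original post or of ESF/DirectAdmin: it parses the SpamAssassin rule table and the SpamTally header from the quoted message and recomputes the tally from the per-rule ESF weights the post lists, so the reported value can be compared with what the configured weights predict. The weights, the "drop at or above the threshold" comparison and the header excerpt are assumptions taken from the post, not read from a live ESF configuration.

```python
import re

# Constructed sample: the scoring-relevant header lines from the message quoted above.
HEADERS = """\
SPFCheck: Soft Fail, 30 Spam score
X-Spam-Score: 3.2 (+++)
Content analysis details: (3.2 points, 7.5 required)
pts rule name description
---- ---------------------- --------------------------------------------------
1.0 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
0.9 SPF_HELO_SOFTFAIL SPF: HELO does not match SPF record (softfail)
0.0 HTML_MESSAGE BODY: HTML included in message
1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
0.0 T_REMOTE_IMAGE Message contains an external image
SpamTally: Final spam score: 62
"""

# Per-rule ESF weights as the poster reads them (assumed; verify against your own ESF config).
ESF_WEIGHTS = {"SPF_SOFTFAIL": 30, "SPF_HELO_SOFTFAIL": 30, "RDNS_NONE": 100}
EASY_HIGH_SCORE_DROP = 100  # default named in the post; ">=" comparison is an assumption

# A rule row: SpamAssassin points, then the rule name, then its description.
RULE_RE = re.compile(r"^\s*(-?\d+\.\d)\s+([A-Z][A-Z0-9_]*)\s", re.M)
TALLY_RE = re.compile(r"^SpamTally: Final spam score: (\d+)", re.M)


def parse_sa_rules(headers):
    """Return {rule_name: SpamAssassin points} from the X-Spam-Report table."""
    return {name: float(pts) for pts, name in RULE_RE.findall(headers)}


def reported_tally(headers):
    """The SpamTally value ESF wrote into the message, or None if absent."""
    m = TALLY_RE.search(headers)
    return int(m.group(1)) if m else None


def expected_tally(rules, weights=ESF_WEIGHTS):
    """Sum the ESF weights for the rules that fired (unmapped rules count 0)."""
    return sum(weights.get(r, 0) for r in rules)


def triage(headers):
    """Compare the reported tally with the one the configured weights predict."""
    rules = parse_sa_rules(headers)
    expected = expected_tally(rules)
    reported = reported_tally(headers)
    return {
        "hits": sorted(rules),
        "expected": expected,
        "reported": reported,
        "would_drop": expected >= EASY_HIGH_SCORE_DROP,
        "mismatch": reported is not None and reported != expected,
    }
```

A `mismatch` result with `would_drop` set means the weights you believe are active do not explain the tally ESF wrote, which is the first thing to confirm before looking at the blacklist or HELO checks.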