Active8
Verified User
- Joined
- Jul 13, 2013
- Messages
- 1,872
Solved How can I block this spam coming via Google?
- Thread starter Richard G
- Start date
Hostking
Verified User
I checked logs across all our servers and we’re no longer seeing new spam from these Google Groups reaching customer inboxes — most of it is now being caught by the spam filter rule mentioned earlier.
The KAM.cf rules also made a noticeable difference.
If these messages are still getting through on your side, it’s worth checking your scoring setup. For example, if your required score is around 8, make sure your custom rule like HK_GOOGLE_GROUPS is set significantly higher (e.g. 10+) so it guarantees a hit.
Here’s an example of how these messages are being scored on our side:
spamd: result: Y 19 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,GB_URI_ASTERISK,HK_GOOGLE_GROUPS,HTML_FONT_SIZE_HUGE,HTML_IMAGE_ONLY_08,HTML_MESSAGE,HTML_SHORT_LINK_IMG_1,MAILING_LIST_MULTI,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS,URIBL_ABUSE_SURBL,URIBL_DBL_BLOCKED
So even though the messages pass SPF/DKIM, the combined rule weight (especially HK_GOOGLE_GROUPS) pushes them well over the threshold.
The KAM.cf rules also made a noticeable difference.
If these messages are still getting through on your side, it’s worth checking your scoring setup. For example, if your required score is around 8, make sure your custom rule like HK_GOOGLE_GROUPS is set significantly higher (e.g. 10+) so it guarantees a hit.
Here’s an example of how these messages are being scored on our side:
spamd: result: Y 19 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,GB_URI_ASTERISK,HK_GOOGLE_GROUPS,HTML_FONT_SIZE_HUGE,HTML_IMAGE_ONLY_08,HTML_MESSAGE,HTML_SHORT_LINK_IMG_1,MAILING_LIST_MULTI,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS,URIBL_ABUSE_SURBL,URIBL_DBL_BLOCKED
So even though the messages pass SPF/DKIM, the combined rule weight (especially HK_GOOGLE_GROUPS) pushes them well over the threshold.
Hostking
Verified User
Here’s another example showing the same pattern — note how everything passes SPF/DKIM/DMARC, yet the message is still clearly spam and gets caught mainly due to the Google Groups rule:
Return-path: <[email protected]>
Envelope-to: hello@<domainremoved>;
Delivery-date: Tue, 28 Apr 2026 18:04:28 +0200
Received: from mail-yw1-f200.google.com ([209.85.128.200])
by <server removed> with esmtps (TLS1.3)
(Exim 4.99.1)
for hello@<domainremoved>;
Authentication-Results:
dkim=pass;
spf=pass;
dmarc=pass;
Precedence: list
Mailing-list: list [email protected]
List-ID: <hs.chinacvcn.com>
X-Google-Group-Id: 806615142161
X-Spam-Score: 11.7 (required 8.0)
And the key part from the SpamAssassin breakdown:
pts rule name description
---- ---------------------- ---------------------------------------
10.0 HK_GOOGLE_GROUPS Message sent via Google Groups
1.9 URIBL_ABUSE_SURBL URL listed in blocklist
0.5 LOCAL_HTML_ONLY_HIGH HTML-only message
0.2 HEADER_FROM_DIFFERENT_DOMAINS
-1.0 MAILING_LIST_MULTI
Even though authentication is clean (SPF_PASS, DKIM_VALID, DMARC_PASS), the message still scores 11.7, mainly due to:
HK_GOOGLE_GROUPS (custom rule doing the heavy lifting)
URIBL hit
Typical HTML-only / list characteristics
Without a strong rule like HK_GOOGLE_GROUPS, this would likely slip through on many default configurations.
Return-path: <[email protected]>
Envelope-to: hello@<domainremoved>;
Delivery-date: Tue, 28 Apr 2026 18:04:28 +0200
Received: from mail-yw1-f200.google.com ([209.85.128.200])
by <server removed> with esmtps (TLS1.3)
(Exim 4.99.1)
for hello@<domainremoved>;
Authentication-Results:
dkim=pass;
spf=pass;
dmarc=pass;
Precedence: list
Mailing-list: list [email protected]
List-ID: <hs.chinacvcn.com>
X-Google-Group-Id: 806615142161
X-Spam-Score: 11.7 (required 8.0)
And the key part from the SpamAssassin breakdown:
pts rule name description
---- ---------------------- ---------------------------------------
10.0 HK_GOOGLE_GROUPS Message sent via Google Groups
1.9 URIBL_ABUSE_SURBL URL listed in blocklist
0.5 LOCAL_HTML_ONLY_HIGH HTML-only message
0.2 HEADER_FROM_DIFFERENT_DOMAINS
-1.0 MAILING_LIST_MULTI
Even though authentication is clean (SPF_PASS, DKIM_VALID, DMARC_PASS), the message still scores 11.7, mainly due to:
HK_GOOGLE_GROUPS (custom rule doing the heavy lifting)
URIBL hit
Typical HTML-only / list characteristics
Without a strong rule like HK_GOOGLE_GROUPS, this would likely slip through on many default configurations.
Richard G
Verified User
As stated before, the reason is that the mails are too big and therefor not scanned by Spamassassin, my score was already set to 10.
That's also the reason that only a few big mails came through amongst with the chinacvcn.com mail too which was 6M in my case.
A stronger rule will most certainly not help if SA doesn't even scan the mail. So the solution to this is either wait for DA 1.700 or for the time being raise the limit for which Spamassassin will scan a mail in the /etc/exim.easy_spam_fighter/variables.conf.custom file like this:
EASY_SPAMASSASSIN_MAX_SIZE == 10Mor a bigger value, and rebuild the exim configuration.
Before I had this set to 2M and most mails were blocked, except the ones bigger, because SA did not even scan them due to this setting.
However, with DA 1.700 this issue will be passed, we just don't need to forget to remove the setting in the variables.conf.custom file after updating to Directadmin 1.700.