Receiving a lot of these emails related to real working email subjects

kenrai123 (Verified User, joined Oct 3, 2014, 6 messages)
Hi all,

We are using exim 4.93 with SpamAssassin and the settings below

[screenshot: Capture.PNG, SpamAssassin settings]

But we receive a lot of these spam emails related to real working email subjects; the log in the exim mainlog is as below

Code:
2020-08-28 12:33:16 1kBW4h-0007kE-MX <= [email protected] H=a2nlsmtp01-03.prod.iad2.secureserver.net [198.71.225.37] P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=314286 T="RE: East Portal Fencing for P00A Submission" from <[email protected]> for [email protected]
2020-08-28 12:33:16 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1kBW4h-0007kE-MX
2020-08-28 12:33:16 cwd=/tmp 4 args: /usr/sbin/exim -oMr spam-scanned -bS
2020-08-28 12:33:19 1kBW4i-0007kk-82 <= [email protected] U=mail P=spam-scanned S=314840 [email protected] T="RE: East Portal Fencing for P00A Submission" from <[email protected]> for [email protected]
2020-08-28 12:33:19 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1kBW4i-0007kk-82
2020-08-28 12:33:19 1kBW4i-0007kk-82 => xxxx <[email protected]> F=<[email protected]> R=virtual_user T=dovecot_lmtp_udp S=319204 C="250 2.0.0 <[email protected]> CCQBDw+JSF96cwAAATz2Tg Saved"
2020-08-28 12:33:19 1kBW4i-0007kk-82 Completed
2020-08-28 12:33:19 1kBW4h-0007kE-MX => xxxx <[email protected]> F=<[email protected]> R=spamcheck_director T=spamcheck S=314711
2020-08-28 12:33:19 1kBW4h-0007kE-MX Completed

So what happened here? Why does the spam mail use our working email subject? And what does id=[email protected] mean? How do we stop it?

Thanks.
 
Spam filtering isn't an exact science, especially when using open source solutions. You have one person submitting public code about how to filter spam, and another person perfectly capable of viewing that code trying to send you spam. This is a recipe for an endless race, no one ever wins it. If you want to stop that exact message, you can try adding the sender to your blacklist. Your spam filter is just a written algorithm, it has no idea of the human context you've applied to it like "uses our working email subject."

As far as "GENERATED-WASMISSING" goes, that means the inbound mail did not have a Message-ID in its headers, and one was filled in to make the email compliant with standards.
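The reply above explains the id= field: the copy logged after the spam scan carries a Message-ID that the server filled in because the inbound message had none. As an added editorial example, not code from this thread, from Exim or from DirectAdmin, the following Python parses the "<=" arrival lines of an Exim mainlog, pairs each SMTP arrival with its re-injection after the spam scanner (P=spam-scanned) by envelope sender and subject, and flags messages whose Message-ID had to be generated on a reply-style subject or whose sender domain is on a blacklist. The sample log lines are constructed after the ones in the post; the addresses and hostnames in them, and the assumption that the obfuscated id= value has the form id=GENERATED-WASMISSING@<hostname>, are mine, not data from the page.

```python
"""Parse Exim mainlog '<=' (arrival) lines and flag messages whose Message-ID
was generated locally because the inbound mail carried none.
Added example; not part of the original thread, Exim or DirectAdmin."""
import re

# Constructed sample, modelled on the log in the post.  Addresses, hostnames and
# the exact form of the generated id= value are assumptions, not page data.
SAMPLE_LOG = """\
2020-08-28 12:33:16 1kBW4h-0007kE-MX <= sales@craeseguridad.example H=a2nlsmtp01-03.prod.iad2.secureserver.net [198.71.225.37] P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=314286 T="RE: East Portal Fencing for P00A Submission" from <sales@craeseguridad.example> for user@ourdomain.example
2020-08-28 12:33:16 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1kBW4h-0007kE-MX
2020-08-28 12:33:19 1kBW4i-0007kk-82 <= sales@craeseguridad.example U=mail P=spam-scanned S=314840 id=GENERATED-WASMISSING@mail.ourdomain.example T="RE: East Portal Fencing for P00A Submission" from <sales@craeseguridad.example> for user@ourdomain.example
2020-08-28 12:33:19 1kBW4i-0007kk-82 => xxxx <user@ourdomain.example> F=<sales@craeseguridad.example> R=virtual_user T=dovecot_lmtp_udp S=319204 C="250 2.0.0 <user@ourdomain.example> Saved"
2020-08-28 12:33:19 1kBW4i-0007kk-82 Completed
2020-08-28 12:34:02 1kBW5N-0007m1-Qa <= partner@vendor.example H=mx.vendor.example [203.0.113.7] P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=8123 id=7d1c0f@vendor.example T="RE: East Portal Fencing for P00A Submission" from <partner@vendor.example> for user@ourdomain.example
2020-08-28 12:34:05 1kBW5Q-0007m4-Lb <= partner@vendor.example U=mail P=spam-scanned S=8500 id=7d1c0f@vendor.example T="RE: East Portal Fencing for P00A Submission" from <partner@vendor.example> for user@ourdomain.example
"""

# "<timestamp> <queue id> <= <envelope sender> <key=value fields> from <hdr> for <rcpts>"
ARRIVAL = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<qid>\S+) <= (?P<env_from>\S+) (?P<rest>.*) '
    r'from <(?P<hdr_from>[^>]*)> for (?P<rcpts>.+)$')
# key=value tokens; T="..." (subject) is the only quoted one we care about
FIELD = re.compile(r'\b(?P<key>[A-Za-z]+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')
HOST = re.compile(r'\bH=(?P<host>\S+) \[(?P<ip>[^\]]+)\]')

# Assumed literal prefix of the placeholder id logged when Exim had to create one.
GENERATED_PREFIX = 'GENERATED-WASMISSING'


def parse_arrivals(log_text):
    """Return one dict per '<=' line; every other mainlog line is ignored."""
    arrivals = []
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if not m:
            continue
        rest = m.group('rest')
        fields = {f.group('key'): (f.group('quoted') if f.group('quoted') is not None
                                   else f.group('bare'))
                  for f in FIELD.finditer(rest)}
        host = HOST.search(rest)
        arrivals.append({
            'ts': m.group('ts'), 'qid': m.group('qid'),
            'env_from': m.group('env_from'), 'hdr_from': m.group('hdr_from'),
            'rcpts': m.group('rcpts').split(),
            'host': host.group('host') if host else None,   # None for local re-injections
            'ip': host.group('ip') if host else None,
            'proto': fields.get('P'), 'msgid': fields.get('id'), 'subject': fields.get('T'),
        })
    return arrivals


def correlate(arrivals):
    """Pair each SMTP arrival (has H=) with its later P=spam-scanned re-injection
    by envelope sender + subject, and record whether the Message-ID seen after
    the scan is the locally generated placeholder."""
    reinjected = [a for a in arrivals if a['proto'] == 'spam-scanned']
    records = []
    for a in arrivals:
        if a['host'] is None:
            continue
        twin = next((r for r in reinjected
                     if r['env_from'] == a['env_from'] and r['subject'] == a['subject']
                     and r['ts'] >= a['ts']), None)   # fixed-width timestamps compare as strings
        final_id = twin['msgid'] if twin else a['msgid']
        records.append({
            'qid': a['qid'], 'sender': a['env_from'], 'host': a['host'], 'ip': a['ip'],
            'subject': a['subject'], 'msgid': final_id,
            'original_had_msgid': a['msgid'] is not None,
            'generated_msgid': (final_id or '').startswith(GENERATED_PREFIX),
        })
    return records


def flag(records, blacklist_domains):
    """Return [(qid, [reasons])] for records matching a simple policy: sender
    domain blacklisted, or a reply-style subject whose Message-ID was generated."""
    flagged = []
    for r in records:
        reasons = []
        domain = r['sender'].rpartition('@')[2].lower()
        if domain in blacklist_domains:
            reasons.append('sender domain blacklisted: ' + domain)
        if r['generated_msgid'] and (r['subject'] or '').upper().startswith('RE:'):
            reasons.append('reply-style subject but no Message-ID on arrival')
        if reasons:
            flagged.append((r['qid'], reasons))
    return flagged


if __name__ == '__main__':
    recs = correlate(parse_arrivals(SAMPLE_LOG))
    for qid, reasons in flag(recs, {'craeseguridad.example'}):
        print(qid, '; '.join(reasons))
```

Run against a real mainlog only if the id= field is present on your arrival lines (it depends on Exim's log_selector); the "no Message-ID" signal alone is weak, which is why the policy also requires a reply-style subject and a blacklist match is reported separately.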
 
Thanks for your response, but is there another way to stop "GENERATED-WASMISSING", or how can it be fixed? Because the spammer uses our working email subject and the customer can be confused by this.
 
You're focusing on the wrong detail. If you convince the spammer to use a proper Message-ID header, or make sure that one isn't added in its absence, this will have no impact on the end result for your users. They won't see the difference at all. Why not just add craeseguridad[.]com to your blacklist in the SpamAssassin settings in DA?
 
I've added this domain to the blacklist, but I just want to understand the "GENERATED-WASMISSING" case. Thanks for your help.
 