Crap Spam
Question asked by John Marx - 4/23/2019 at 6:44 AM
Our clients are getting a TON of these emails and is right now our biggest complaint on spam.They are from user@domain.com so SmarterMail is marking them as "Trusted". These are not trusted. as the header show they are not from our system. I know our clients cannot be the only ones getting these crap spam emails. How can we prevent these "false positives"?

Return-Path: <contato@hplus.com.br>
Received: from srv.hplus.com.br (192-163-237-152.unifiedlayer.com []) by xxx-mail-00.xxx.com with SMTP
cipher=Aes256 bits=256);
Tue, 23 Apr 2019 13:39:30 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=hplus.com.br; s=default; h=Subject:From:To:Date:Message-ID:MIME-Version:
bh=woHzbXfA3G7iDB3awS7RKBedYSBd9gDVmnZ0qrtG/4M=; b=nY3+7megOlos7SQJNjg+qFwF7n
Received: from interno.tpa.com.br ([]:46414 helo=[dynamic-179-127-181-236.tpa.net.br])
by srv.hplus.com.br with esmtpsa (TLSv1:ECDHE-RSA-AES256-SHA:256)
(Exim 4.89_1)
(envelope-from <contato@hplus.com.br>)
id 1hIvT5-0006R2-4y
for xxx@xxx.com; Tue, 23 Apr 2019 08:28:29 -0500
Content-Type: multipart/related;
MIME-Version: 1.0
Message-ID: <kyopkzz16202083.79400405@mail.hplus.com.br>
X-Sender: contato@hplus.com.br
User-Agent: Workspace Webmail 6.9.07
Date: Tue, 23 Apr 2019 15:28:15 +0200
To: xxx@xxx.com
From: <xxx@xxx.com>
Organization: Jmrfqeami
Subject: john
X-Abuse-Reports-To: <abuse@mailer.hplus.com.br>
Feedback-ID: 8dmyuipa7jl0wztb5glr1twbz9y6rxncxcl55lr2zbzjvqt:none:lacrtlg
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - srv.hplus.com.br
X-AntiAbuse: Original Domain - xxx.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - hplus.com.br
X-Get-Message-Sender-Via: srv.hplus.com.br: authenticated_id: contato@hplus.com.br
X-Authenticated-Sender: srv.hplus.com.br: contato@hplus.com.br
X-RBL-Warning: WEIGHT10: Weight of 11 reaches or exceeds the limit of 10.
X-Declude-Sender: contato@hplus.com.br []
X-Declude-Spoolname: 392445779.eml
X-Declude-Note: Scanned by Declude 4.12.11
X-Declude-Scan: Incoming Score [11] at 13:39:37 on 23 Apr 2019
X-Declude-Tests: SORBS-RECENT [3], BASE64 [4], HELOBOGUS [5], FROMNOMATCH [2], WEIGHT10 [10]
X-Country-Chain: UNITED STATES->destination
X-Declude-Code: e
X-HELO: srv.hplus.com.br
X-Identity: | 192-163-237-152.unifiedlayer.com | hplus.com.br
X-SmarterMail-Spam: SPF [Fail]: 10, SORBS - Recent: 5, ISpamAssassin [raw:5]: 9, DK [None]: 0, DKIM [None]: 5, Declude: 11
X-SmarterMail-TotalSpamWeight: 0 (Trusted Sender - Domain)

7 Replies

Reply to Thread
Matt Petty Replied
Employee Post Marked As Answer
We have a fix for SPF [FAIL] Not triggering the invalid trusted sender behavior. I've DM'd you a custom build with a fix.
Matt Petty Software Developer SmarterTools Inc. (877) 357-6278 www.smartertools.com
John Marx Replied
Thanks Matt!
Sébastien Riccio Replied
 we also have this issue with the latest SM 16, will a fix be available for it too as we are not yet ready to migrate our current user base to V17?

Thanks a lot for your answer.
Sébastien Riccio System & Network Admin https://swisscenter.com
Matt Petty Replied
Employee Post
As far as I'm aware SmarterMail 16 does not have this problem as this cropped up due to changes made a couple weeks back to SmarterMail 17.

If you can link the Headers for an email that exhibits this behavior I could tell you if your seeing the same thing.
This specifically fixes cases where SPF fails but we still accept a trusted sender. If SPF or DKIM fail we will print
X-SmarterMail-TotalSpamWeight: X (Trusted Sender - Domain, failed SPF)
X-SmarterMail-TotalSpamWeight: X (Trusted Sender - Domain, failed DKIM)

With X being a non-zero weight.

Notice in the example above by John, this was not the case.
Matt Petty Software Developer SmarterTools Inc. (877) 357-6278 www.smartertools.com
Tim DeMeza Replied
I think I need this build as well.  It would really help.  I am very concerned about malware / phishing scams getting through because of this.  We can educate all we want, but somebody is going to click the link.  Currently we are on 7040.

Thank you.
Matt Petty Replied
Employee Post
I sent that link to you. We do have a minor tentatively scheduled for release today. This link I'm handing out is a build from Friday so if you use this custom build you still might want to consider using the minor from later today.
Matt Petty Software Developer SmarterTools Inc. (877) 357-6278 www.smartertools.com
CTL Replied
I have same problem for build 7040 , I think new build 7053 fix the issue


Reply to Thread