Unable to block email from 163.com
Question asked by Leo Novelli - 1/18/2020 at 11:04 AM
Answered
We keep getting spam from 163.com and I have been unable to block their emails. Here is a copy of a sample email received today:

Return-Path: <keanvip01@163.com>
Received: from 163.com (UnknownHost [101.88.37.165]) by mail.atlantisnet.com with SMTP;
   Sat, 18 Jan 2020 02:19:02 -0800
Received: from XP-20150122OSUV[192.168.1.118] by 163.com
  with SMTP id 5C14666E; Sat, 18 Jan 2020 18:28:19 +0800
From: "KEAN CO." <keanvip01@163.com>
Subject: Re:Multifunctional USB product Order(2020-042)
To: "someuser" <someuser@atlantisnet.com>
Content-Type: multipart/mixed;
 boundary="=_NextPart_2rfkindysadvnqw3nerasdf";
	charset="gb2312"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Reply-To: keanvip01@163.com
Date: Sat, 18 Jan 2020 18:28:27 +0800
X-Priority: 2
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
Message-ID: <ce21d4d9bda042fb9884a44c9ae4bc38@com>
X-SmarterMail-Spam: Reverse DNS Lookup [ReverseFailed]: 2, ISpamAssassin [raw:5]: 8, SPF [Fail]: 5, DKIM [None]: 0, SpamCop: 4, Spamhaus - PBL2: 2, UCEProtect Level 1: 3, SORBS - Recent: 5, CBL: 5, Surriel: 5
X-SmarterMail-TotalSpamWeight: 39

This is a multi-part message in MIME format

--=_NextPart_2rfkindysadvnqw3nerasdf
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

Dear Valued customer:

Our company produce Multifunctional USB Flash Drive/Power Bank/Iring Holder/4in1 Laser Pen for Gifts and Promotion.

OEM your design & accept MOQ 50pcs & Free Shipping Charge win good business reputation for us!

Also we have 364 styles different models of Automobile shape USB Flash Drive & Power Bank. 

If you are interest pls let me know.

Best regards
Maddock

Kean CO.,LTD.

--=_NextPart_2rfkindysadvnqw3nerasdf
Content-Type: application/octet-stream;
        name="Multifunctional USB promotion.jpg"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
        filename="Multifunctional USB promotion.jpg"

Here are the log entries showing the SMTP transmission as well as the delivery:

[2020.01.18] 02:19:01.154 [101.88.37.165][33882211] rsp: 220 mail.atlantisnet.com  Sat, 18 Jan 2020 02:19:01 -08:00 | SmarterMail Enterprise Version 100.0.7242.24590
[2020.01.18] 02:19:01.154 [101.88.37.165][33882211] connected at 1/18/2020 2:19:01 AM
[2020.01.18] 02:19:01.154 [101.88.37.165][33882211] Country code: CN
[2020.01.18] 02:19:01.326 [101.88.37.165][33882211] cmd: EHLO 163.com
[2020.01.18] 02:19:01.326 [101.88.37.165][33882211] rsp: 250-mail.atlantisnet.com Hello [101.88.37.165]250-SIZE250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250-DSN250 OK
[2020.01.18] 02:19:01.498 [101.88.37.165][33882211] cmd: RSET
[2020.01.18] 02:19:01.498 [101.88.37.165][33882211] rsp: 250 OK
[2020.01.18] 02:19:01.685 [101.88.37.165][33882211] cmd: MAIL FROM:<keanvip01@163.com>
[2020.01.18] 02:19:01.685 [101.88.37.165][33882211] senderEmail(1): keanvip01@163.com parsed using: <keanvip01@163.com>
[2020.01.18] 02:19:01.701 [101.88.37.165][33882211] rsp: 250 OK <keanvip01@163.com> Sender ok
[2020.01.18] 02:19:01.701 [101.88.37.165][33882211] Sender accepted. Weight: 0. 
[2020.01.18] 02:19:01.873 [101.88.37.165][33882211] cmd: RCPT TO:<someuser@atlantisnet.com>
[2020.01.18] 02:19:01.889 [101.88.37.165][33882211] rsp: 250 OK <someuser@atlantisnet.com> Recipient ok
[2020.01.18] 02:19:02.060 [101.88.37.165][33882211] cmd: DATA
[2020.01.18] 02:19:02.060 [101.88.37.165][33882211] Performing PTR host name lookup for 101.88.37.165
[2020.01.18] 02:19:02.357 [101.88.37.165][33882211] PTR host name for 101.88.37.165 resolved as UnknownHost
[2020.01.18] 02:19:02.357 [101.88.37.165][33882211] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
[2020.01.18] 02:19:02.545 [101.88.37.165][33882211] senderEmail(2): keanvip01@163.com parsed using: "KEAN CO." <keanvip01@163.com>
[2020.01.18] 02:19:04.060 [101.88.37.165][32929259] rsp: 220 mail.atlantisnet.com  Sat, 18 Jan 2020 02:19:04 -08:00 | SmarterMail Enterprise Version 100.0.7242.24590
[2020.01.18] 02:19:04.060 [101.88.37.165][32929259] connected at 1/18/2020 2:19:04 AM
[2020.01.18] 02:19:04.060 [101.88.37.165][32929259] Country code: CN
[2020.01.18] 02:19:04.232 [101.88.37.165][32929259] cmd: EHLO 163.com
[2020.01.18] 02:19:04.248 [101.88.37.165][32929259] rsp: 250-mail.atlantisnet.com Hello [101.88.37.165]250-SIZE250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250-DSN250 OK
[2020.01.18] 02:19:04.435 [101.88.37.165][32929259] cmd: RSET
[2020.01.18] 02:19:04.435 [101.88.37.165][32929259] rsp: 250 OK
[2020.01.18] 02:19:04.607 [101.88.37.165][32929259] cmd: MAIL FROM:<keanvip01@163.com>
[2020.01.18] 02:19:04.607 [101.88.37.165][32929259] senderEmail(1): keanvip01@163.com parsed using: <keanvip01@163.com>
[2020.01.18] 02:19:04.607 [101.88.37.165][32929259] rsp: 250 OK <keanvip01@163.com> Sender ok
[2020.01.18] 02:19:04.607 [101.88.37.165][32929259] Sender accepted. Weight: 0. 
[2020.01.18] 02:19:04.779 [101.88.37.165][32929259] cmd: RCPT TO:someuser@atlantisnet.com>
[2020.01.18] 02:19:04.779 [101.88.37.165][32929259] rsp: 550 <someuser@atlantisnet.com> No such user here
[2020.01.18] 02:19:04.967 [101.88.37.165][32929259] cmd: QUIT
[2020.01.18] 02:19:04.967 [101.88.37.165][32929259] rsp: 221 Service closing transmission channel
[2020.01.18] 02:19:04.967 [101.88.37.165][32929259] disconnected at 1/18/2020 2:19:04 AM
[2020.01.18] 02:19:06.748 [101.88.37.165][33882211] rsp: 250 OK
[2020.01.18] 02:19:06.748 [101.88.37.165][33882211] Received message size: 185037 bytes
[2020.01.18] 02:19:06.748 [101.88.37.165][33882211] Successfully wrote to the HDR file. (e:\SmarterMail\Spool\SubSpool5\156520913.hdr)
[2020.01.18] 02:19:06.748 [101.88.37.165][33882211] Data transfer succeeded, writing mail to 156520913.eml
[2020.01.18] 02:19:06.935 [101.88.37.165][33882211] cmd: QUIT
[2020.01.18] 02:19:06.935 [101.88.37.165][33882211] rsp: 221 Service closing transmission channel
[2020.01.18] 02:19:06.935 [101.88.37.165][33882211] disconnected at 1/18/2020 2:19:06 AM

[2020.01.18] 02:19:05.138 [20913] Delivery started for keanvip01@163.com at 2:19:05 AM
[2020.01.18] 02:19:11.607 [20913] Added to SpamCheckQueue (0 queued; 1/30 processing)
[2020.01.18] 02:19:11.607 [20913] [SpamCheckQueue] Begin Processing.
[2020.01.18] 02:19:11.607 [20913] Starting Spam Checks.
[2020.01.18] 02:19:14.982 [20913] Spam check results: [REVERSE DNS LOOKUP: 2,ReverseFailed], [_INTERNALSPAMASSASSIN: 5:8], [_SPF: 5,Fail], [_DKIM: 0,None], [HOSTKARMA - BLACKLIST: 0,passed], [HOSTKARMA - WHITELIST: 0,passed], [HOSTKARMA - BROWNLIST: 0,passed], [SORBS - ABUSE: 0,passed], [SORBS - DYNAMIC IP: 0,passed], [SORBS - PROXY: 0,passed], [SORBS - SOCKS: 0,passed], [SPAMCOP: 4,failed], [SPAMHAUS - PBL: 0,passed], [SPAMHAUS - PBL2: 2,failed], [SPAMHAUS - SBL: 0,passed], [SPAMHAUS - XBL: 0,passed], [SPAMHAUS - XBL2: 0,passed], [UCEPROTECT LEVEL 1: 3,failed], [UCEPROTECT LEVEL 2: 0,passed], [UCEPROTECT LEVEL 3: 0,passed], [SPAMRATS: 0,passed], [SORBS - NO SERVER: 0,passed], [SORBS - NOMAIL: 0,passed], [SORBS - RECENT: 5,failed], [CBL: 5,failed], [SURRIEL: 5,failed]
[2020.01.18] 02:19:14.982 [20913] Spam Checks completed.
[2020.01.18] 02:19:14.982 [20913] Removed from SpamCheckQueue (0 queued or processing)
[2020.01.18] 02:19:17.872 [20913] Added to LocalDeliveryQueue (0 queued; 1/50 processing)
[2020.01.18] 02:19:17.872 [20913] [LocalDeliveryQueue] Begin Processing.
[2020.01.18] 02:19:17.872 [20913] Starting local delivery to someuser@atlantisnet.com
[2020.01.18] 02:19:18.044 [20913] Delivery for keanvip01@163.com to someuser@atlantisnet.com has completed (Delivered to Junk Email) Filter: Spam (Weight: 39), Action (Global Level): MoveToFolder
[2020.01.18] 02:19:18.044 [20913] End delivery to someuser@atlantisnet.com (MessageID: <ce21d4d9bda042fb9884a44c9ae4bc38@com>)
[2020.01.18] 02:19:18.044 [20913] Removed from LocalDeliveryQueue (0 queued or processing)
[2020.01.18] 02:19:20.904 [20913] Removing Spool message: Killed: False, Failed: False, Finished: True
[2020.01.18] 02:19:20.904 [20913] Delivery finished for keanvip01@163.com at 2:19:20 AM	[id:156520913]

Here is the content filter setup (in Domain Settings):

Name: Delete Kean and Imparture Emails
Order: 14
Match Type: ANY condition must be met
Enable wildcards in search strings (* and ?): enabled

Condition 1:
Condition: Subject or Body
Condition Type: Contains specific words or phrases
Field: Subject or Body
Comparison: Contains
Subject or Body (one per line):
  Kean Co.,LTD.
  *imparture*

Condition 2:
Condition Type: From Address
Field: From specific domains
Comparison: Matches
From specific domains (one per line):

Condition 3:
Condition Type: Contains specific words or phrases
Field: Email header
Comparison: Contains
Email header (one per line):
  kean co.

Action: Delete Message

We are running SmarterMail Enterprise Version - 100.0.7242.24590

Can anyone see why these messages continue to slip past the filter?
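The header and log excerpts above carry the same information in two layouts: the X-SmarterMail-Spam header lists each check with the weight it added, and the delivery log's "Spam check results" line repeats them with pass/fail status. The following triage helper is an added example, not part of this post or of SmarterMail; it parses both layouts (inferred from the sample, not from any documented format), sums the weights and confirms they agree with the X-SmarterMail-TotalSpamWeight value of 39, and lists which checks pushed the score up. The header block is a constructed excerpt of the sample, and the log line is abridged from the one quoted above.

```python
"""
Added triage helper (not from the thread or from SmarterMail): reads the
X-SmarterMail-Spam header of a message like the sample, splits it into the
individual checks, and confirms the summed weights equal the
X-SmarterMail-TotalSpamWeight value.  It does the same for the delivery log's
"Spam check results" line so the two records can be compared.  Both layouts
("Name [detail]: weight, ..." and "[NAME: weight,status]" / "[NAME: raw:weight]")
are inferred from the sample in the post.
"""
import re
from email import message_from_string

# Constructed excerpt of the headers quoted in the question (body omitted).
SAMPLE_HEADERS = (
    "Return-Path: <keanvip01@163.com>\n"
    'From: "KEAN CO." <keanvip01@163.com>\n'
    "Subject: Re:Multifunctional USB product Order(2020-042)\n"
    "X-SmarterMail-Spam: Reverse DNS Lookup [ReverseFailed]: 2, "
    "ISpamAssassin [raw:5]: 8, SPF [Fail]: 5, DKIM [None]: 0, SpamCop: 4, "
    "Spamhaus - PBL2: 2, UCEProtect Level 1: 3, SORBS - Recent: 5, CBL: 5, "
    "Surriel: 5\n"
    "X-SmarterMail-TotalSpamWeight: 39\n"
    "\n"
)

# Abridged copy of the "Spam check results" delivery-log line from the question
# (several "0,passed" entries dropped; they add no weight).
SAMPLE_LOG_LINE = (
    "[2020.01.18] 02:19:14.982 [20913] Spam check results: "
    "[REVERSE DNS LOOKUP: 2,ReverseFailed], [_INTERNALSPAMASSASSIN: 5:8], "
    "[_SPF: 5,Fail], [_DKIM: 0,None], [HOSTKARMA - BLACKLIST: 0,passed], "
    "[SPAMCOP: 4,failed], [SPAMHAUS - PBL2: 2,failed], "
    "[UCEPROTECT LEVEL 1: 3,failed], [SORBS - RECENT: 5,failed], "
    "[CBL: 5,failed], [SURRIEL: 5,failed]"
)

HEADER_CHECK_RE = re.compile(
    r"(?P<name>[^,\[\]]+?)"            # check name, e.g. "SPF" or "SORBS - Recent"
    r"(?:\s*\[(?P<detail>[^\]]*)\])?"  # optional detail such as [Fail] or [raw:5]
    r":\s*(?P<weight>-?\d+)"           # weight this check added
)
LOG_CHECK_RE = re.compile(r"\[(?P<name>[^:\]]+):\s*(?P<rest>[^\]]*)\]")


def parse_spam_header(value):
    """X-SmarterMail-Spam value -> list of (check, detail, weight)."""
    return [(m.group("name").strip(), m.group("detail") or "", int(m.group("weight")))
            for m in HEADER_CHECK_RE.finditer(value)]


def parse_log_results(line):
    """'Spam check results:' delivery-log line -> list of (check, status, weight)."""
    results = []
    for m in LOG_CHECK_RE.finditer(line.split("Spam check results:", 1)[1]):
        rest = m.group("rest")
        if "," in rest:                   # "5,failed" -> weight, status
            weight, status = rest.split(",", 1)
        elif ":" in rest:                 # "5:8" -> SpamAssassin raw score, weight
            _raw, weight = rest.split(":", 1)
            status = "scored"
        else:
            weight, status = rest, ""
        results.append((m.group("name").strip(), status.strip(), int(weight)))
    return results


def total_weight(checks):
    return sum(c[-1] for c in checks)


def contributing_checks(checks):
    """Only the checks that added weight, heaviest first (ties keep header order)."""
    return sorted((c for c in checks if c[-1] > 0), key=lambda c: -c[-1])


def audit(raw_message, log_line):
    """Cross-check header weights, log weights and the recorded total for one message."""
    msg = message_from_string(raw_message)
    header_checks = parse_spam_header(msg["X-SmarterMail-Spam"])
    log_checks = parse_log_results(log_line)
    recorded = int(msg["X-SmarterMail-TotalSpamWeight"])
    return {
        "sender_domain": msg["Return-Path"].strip("<>").rsplit("@", 1)[-1],
        "header_total": total_weight(header_checks),
        "log_total": total_weight(log_checks),
        "recorded_total": recorded,
        "consistent": total_weight(header_checks) == total_weight(log_checks) == recorded,
        "top_contributors": [c[0] for c in contributing_checks(header_checks)[:3]],
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_HEADERS, SAMPLE_LOG_LINE).items():
        print(f"{key}: {value}")
```

Running it on the sample shows the 39 is fully accounted for by the listed checks (the internal SpamAssassin score, SPF failure and three blocklist hits do most of the work), which is the number the system-level spam filter acts on before any domain content filter is consulted.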

5 Replies

0
Heimir Eidskrem Replied
It shows 39 in spam weight.
What are your spam filter settings for the different weights?
That alone should have deleted or moved the email to junkmail based on your settings.

Are you sure you don't have this whitelisted by accident?


0
Employee Replied
Employee Post Marked As Answer
Hi Leo,

Since you're using a content filter I want to clarify some things about those for you.  

Content filters can only be triggered once and there are three levels of content filters: system level filters (where the message can be marked as spam low, medium, or high), domain level filters (such as the one you are using with the three conditions) and user level filters (similar to domain filters but apply to only a specific user).

Messages will always first go through the system level filters.  So if a message is not marked as low, medium, or high the message would move on to any domain filters.  If the message does not meet conditions for any domain filters it will move on to user filters.  If, as it is in your case, a message meets the conditions of a system level filter it will not go through any other filters.

Your delivery logs show:  "[2020.01.18] 02:19:18.044 [20913] Delivery for keanvip01@163.com to someuser@atlantisnet.com has completed (Delivered to Junk Email) Filter: Spam (Weight: 39), Action (Global Level): MoveToFolder"  

The last part where it says "Action..." shows the message hit the system level filter and was moved to the junk folder.  This is why the domain filter is not working. 

There are some alternate options that may work better for this.  You can blacklist the IP, block the email address or domain (in SMTP blocks), or allow domains to override the spam filtering options and change the actions for low, medium, high spam probabilities on that specific domain.  This last option would allow other domains to override those actions as well.
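The precedence described in this answer is easy to model. The block below is an added example, not SmarterMail's code and not part of the thread: it runs a message through the stages in the order given (SMTP block on the envelope sender, then the system-level spam bands, then domain and user content filters, first match wins) and shows the outcomes for the message from the question under the setups discussed here, including the `*163.com` SMTP block suggested further down. The weight thresholds for low/medium/high, the wildcard semantics of the SMTP block and the way a domain override replaces the global bands are assumptions made for illustration.

```python
"""
Added model (not SmarterMail's code) of the evaluation order the answer
describes: the system-level spam filter runs first, with low/medium/high
weight bands and their global actions; only a message no band claims reaches
the domain content filters, and only after those the user content filters.
The first stage that matches acts, so a domain "Delete" filter never sees a
message the system level has already moved to Junk.  The weight thresholds,
the SMTP-block wildcard matching and the "domain may override" mechanism are
assumptions made for illustration.
"""
from dataclasses import dataclass, replace
from fnmatch import fnmatchcase


@dataclass
class Message:
    envelope_from: str
    header_from: str
    subject: str
    body: str
    spam_weight: int


@dataclass
class ContentFilter:
    name: str
    patterns: list   # search strings; wildcards enabled, compared case-insensitively
    action: str


# Assumed weight bands for the system-level spam filter: level -> (lowest weight, global action).
SYSTEM_SPAM_BANDS = {"high": (30, "MoveToFolder"), "medium": (20, "MoveToFolder"), "low": (10, "AddHeader")}


def smtp_blocked(envelope_from, blocked_patterns):
    """SMTP block on the envelope sender; assumed wildcard semantics, so '*163.com' covers the domain."""
    return any(fnmatchcase(envelope_from.lower(), p.lower()) for p in blocked_patterns)


def spam_band(weight, bands):
    """(level, action) of the highest band the weight reaches, or None if below every band."""
    for level in ("high", "medium", "low"):
        threshold, action = bands[level]
        if weight >= threshold:
            return level, action
    return None


def filter_matches(msg, flt):
    """'Contains' comparison over subject, body and From header, with * and ? wildcards."""
    haystacks = (msg.subject.lower(), msg.body.lower(), msg.header_from.lower())
    for pattern in (p.lower() for p in flt.patterns):
        wildcard = "*" in pattern or "?" in pattern
        if any(fnmatchcase(text, pattern) if wildcard else pattern in text for text in haystacks):
            return True
    return False


def deliver(msg, blocked_senders=(), domain_filters=(), user_filters=(), domain_bands=None):
    """Run the stages in order and return what the first matching stage did."""
    # Stage 0: SMTP blocks act on the envelope, before any content is examined.
    if smtp_blocked(msg.envelope_from, blocked_senders):
        return {"stage": "smtp", "action": "Reject"}
    # Stage 1: system-level spam filter; a domain allowed to override spam settings
    # supplies its own bands/actions in place of the global ones.
    band = spam_band(msg.spam_weight, domain_bands or SYSTEM_SPAM_BANDS)
    if band:
        level, action = band
        return {"stage": "domain-override" if domain_bands else "system", "level": level, "action": action}
    # Stages 2 and 3: domain, then user content filters; the first match wins and nothing else runs.
    for stage, filters in (("domain", domain_filters), ("user", user_filters)):
        for flt in filters:
            if filter_matches(msg, flt):
                return {"stage": stage, "filter": flt.name, "action": flt.action}
    return {"stage": "none", "action": "Deliver"}


# The message and the domain filter from the question (body abridged).
KEAN = Message(
    envelope_from="keanvip01@163.com",
    header_from='"KEAN CO." <keanvip01@163.com>',
    subject="Re:Multifunctional USB product Order(2020-042)",
    body="Dear Valued customer: ... Best regards Maddock Kean CO.,LTD.",
    spam_weight=39,
)
DELETE_KEAN = ContentFilter("Delete Kean and Imparture Emails", ["Kean Co.,LTD.", "*imparture*"], "Delete Message")


def scenarios():
    """Outcomes for the thread's message under each setup discussed in the answer."""
    return {
        # as configured: weight 39 is claimed by the system level, the domain filter never runs
        "as configured": deliver(KEAN, domain_filters=[DELETE_KEAN]),
        # SMTP block: rejected during the SMTP session, no content scan at all
        "smtp block": deliver(KEAN, blocked_senders=["*163.com"], domain_filters=[DELETE_KEAN]),
        # domain override: the domain sets its own high-probability action to Delete
        "domain override": deliver(KEAN, domain_filters=[DELETE_KEAN],
                                   domain_bands={"high": (30, "Delete"), "medium": (20, "MoveToFolder"), "low": (10, "AddHeader")}),
        # same message with a low weight: nothing claims it upstream, so the domain filter does fire
        "low weight": deliver(replace(KEAN, spam_weight=5), domain_filters=[DELETE_KEAN]),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```

The "low weight" case is the one to keep in mind when testing a domain filter: the same filter that appears broken for a weight-39 message fires normally for a message the system level does not claim, so a filter test that uses a clean message can pass while the spammy messages keep landing in Junk.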
0
Leo Novelli Replied
I didn't realize the Antispam options are part of the content filters.

I'll try the SMTP blocking. Question, what should I enter for the "Blocked Address"? 

0
Employee Replied
Employee Post
Leo,

You can use *163.com.  You do not need the @ included.  It should work if you select "Email Address/Domain".  So it would look something like this:

0
Leo Novelli Replied
Thank you.
