Back to Community Threads
2
Spam Check rules weight being ignored
Problem reported by Daniel McFalls - 2/8/2021 at 3:18 PM
Resolved
Please help me.  The quantity of spam has quadrupled over the past several weeks.  Many of it coming from Outlook, Yahoo, and Gmail servers.

I set a rule for certain phrases to add 50 points to the spam score.  When the same or similar messages received again and the headers indicate the rule was triggered, I add a few hundred points to the score.  All useless.  As you can see from the header below the weight was not counted.  I assumed that maybe the IP address was whitelisted but no.  I assumed the server was greylisted.  No.  IP Bypassed.  NO.  Why are the rules being ignored?

Return-Path: <>
Received: from eurekalert.org (uknes.millinnas.eu [45.143.81.159]) by chicago.macusa.net with SMTP;
   Mon, 8 Feb 2021 06:23:56 -0600
Subject: SPAM: Trust the Experts at TruGreen and take your lawn to the next level
From: "TruGreen - America's #1 Lawn Care Company" <hello.wxa@wdues.starsupial.eu>
Reply-to: <Optoutaddress@yahoo.com>
To: dmcfalls@mcfallsco.com
Content-Type: text/html; charset="utf-8"
Date: Mon, 08 Feb 2021 07:22:17 -0500
X-RBL-Warning: WEIGHT10: Weight of 11 reaches or exceeds the limit of 10.
X-Declude-Sender: <> [45.143.81.159]
X-Declude-Spoolname: 62409498.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.12.11
X-Declude-Scan: Incoming Score [11] at 06:24:02 on 08 Feb 2021
X-Declude-Tests: SUBSPACE-12 [1], SUBCHARS-55 [1], SUBCHARS-60 [1], SUBCHARS-65 [1], FROMNOMATCH [2], FILTER-SPAM [5], WEIGHT10 [10]
X-Country-Chain:
X-Declude-Code: e
X-HELO: eurekalert.org
X-Identity: 45.143.81.159 | uknes.millinnas.eu | Unknown
Message-ID: <ae76093f703345308eaf6b81e71424c2@com>
X-SmarterMail-Spam: ISpamAssassin [raw:9]: 15, SPF [None]: 5, DKIM [None]: 7, Custom Rules [RAW-Corporate General Auditor, Bank of America hueh1368@gmail.com I urge you to trust my skill inheritance fund Part Payment: 300], Declude: 11
X-SmarterMail-TotalSpamWeight: 38

<CeNteR><a hRef="https://storage.googleapis.com/trugreen30/789654nu57r.html"><b><FoNT color=DF3A01 size=6>Request Your Free Lawn Care Quote Today</FoNT><BR><FoNT color=green size=6>America's #1 Lawn Care Company</FoNT></b></a><br>
<imG SRc="https://storage.googleapis.com/trugreen30/Tr7Gre7n.png"; USEmAP="#OPTDOWN">
<mAP naME="OPTDOWN">
<aRea hReF="https://storage.googleapis.com/trugreen30/789654nu57r.html"; coords="2,3,619,1352" shAPe="reCT">
<aRea hReF="https://storage.googleapis.com/trugreen30/327284n65s.html"; coords="0,1362,74,1377" shAPe="reCT">
<aRea hReF="https://storage.googleapis.com/trugreen30/148545o55p.html";  coords="333,1436,405,1451" shAPe="reCT">

9 Replies

Reply to Thread
0
Kyle Kerst Replied
2/8/2021 at 4:53 PM
Employee Post
If no one is able to offer a quick solution on this one, I think this might be best handled via a support ticket so that we can review your logs and spam check rules. Please ping me here if you do so and I'll locate the ticket and take a look. Have a good one!
Kyle Kerst System/Network Administrator SmarterTools Inc. (877) 357-6278 www.smartertools.com
1
Sébastien Riccio Replied
2/8/2021 at 9:35 PM
Hello,

It looks like you're using declude which i'm not familiar with, but one question, did you add your pattern matching rule as a SmarterMail custom rule or as a Declude rule (if that's possible, I have no idea). ?

In which header do you see that it has been triggered ?

Kind regards
Sébastien Riccio System & Network Admin https://swisscenter.com
1
Steve Norton Replied
2/9/2021 at 2:36 AM
Marked As Resolution
Hi Daniel,
It appears SM has an issue with the comma in your rule name (one for support to look at).
Also, it would help if you enabled the 'Null Sender' check and change this rule to a 'Header' check and to look for 'starsupial.eu' in the 'From' header.. The recent Spam campaign is also using 'thential.eu' and 'strels.eu'.
I would also expect some other spam checks to have failed so yo might need a fresh review of your Spam settings.
Steve
0
Daniel McFalls Replied
2/9/2021 at 11:58 AM
Thank you both for your interest in assisting me.

Sebastien,

Declude is a fantastic tool in thwarting off spam.  The rules mentioned here are set up in SM.

Wow!  I didn't notice until you asked what within the message triggered off the rule. Nothing!  I reviewed the rule against the raw message content and there should have been nothing to trigger it.  However, the rule appears in the Custom Rules header content.  Why is that?

Steven,

I have removed comma's from all rules and their names.  I enabled Null Sender and gave it a weight of 20.  

I will start to expand my rule use to include headers.  RAW is so much easier and time-saving.

My Spam settings were setup by MBF.  They have worked very well for so long.

We'll see if that helps.  Any other suggestions will be much appreciated.

Thanks again,

Dan
0
Steve Norton Replied
2/9/2021 at 12:10 PM
Dan,
What is it you're looking for in this rule, is it "I urge you to trust my skill inheritance fund Part Payment", I can send you an email with that in the body and I'll fake the from to include starsupial.eu if I can.

Update:
Fake email sent to you at 20:30 GMT.
0
Daniel McFalls Replied
2/9/2021 at 1:36 PM
Steve,

The problem isn't that rules were not getting triggered.  It was that a custom rule triggered did not add to the score.  I'm wondering if that comma issue was the reason.  Probably not since I have over 500 hundred custom rules.  But time will tell.

I have added "I urge you to trust my skill inheritance fund Part Payment" and  "starsupial.eu" to the custom rules.  if you wish to give it a try send the message to dmcfalls@mcfallsco.com.

Thanks again!
0
Steve Norton Replied
2/9/2021 at 2:00 PM
Dan,
It is the lack of scoring that I've been testing. It's only the rule name that has a problem with commas, you need them in the rule text or it'll not match.
Another fake mail sent at ~20:58 GMT.
Update:
The last one failed, try 21;06 GMT, I watched it go through this time.
0
Daniel McFalls Replied
2/10/2021 at 10:57 AM
Steve,

Still have not received your message.  I received quite a few from starsupial.eu that the rules sent to my Junk Mail.  I didn't realize that starsupial.eu was such a huge source of SPAM.

Thanks for your assistance.

Dan
0
Steve Norton Replied
2/10/2021 at 11:54 AM
Those messages were me, I just made them look like they were from starsupial.eu.
Back to Community Threads

Reply to Thread

Related Knowledge Base Articles

Set up Autodiscover for SmarterMailSmarterMail > Installation and Configuration
Recommended SPAM SettingsSmarterMail > Antispam and Antivirus
Spam and Security Checks for IPv6 SystemsSmarterMail > Antispam and Antivirus
554 Error - MTA Poor Reputation FixesSmarterMail > Troubleshooting
Deploying Rspamd For Use With SmarterMailSmarterMail > Server Configuration and Management