antispam
Problem reported by Sabatino - 2/4/2026 at 3:27 AM
Hi everyone. I hope the energy is over.
I wanted to discuss antispam with you.
I agree that there are powerful solutions, but it is also true that they are expensive. 
For customers who need it and have the budget, I change the MX so that it passes through an input gateway. But I also give a basic service to everyone and I rely on the built-in services of SM (Cyren, message sniffer, RBL, URIBL, greylist, etc.).
Putting a gateway on everything that arrives and that is an excellent antispam is not feasible for the costs. 
I have evaluated it several times, but it would also increase costs for basic customers. 
But I keep trying.
I received a message that has passed through with these headers:

X-SmarterMail-SpamAction: None | NoAction
X-SmarterMail-TotalSpamWeight: 0
X-SmarterMail-Spam: Reverse DNS Lookup [Passed]: 0, SPF [Pass]: 0, Null Sender: 0, Backscatter: 0, SEM - Black: 0, Surriel: 0, Spamhaus: 0, UCEProtect Level 2: 0, Truncate: 0, Barracuda: 0, UCEProtect Level 1: 0, HostKarma: 0, SpamCop: 0, DMARC [passed]: 0, ISpamAssassin [raw: 0]: 0, DKIM [Pass]: 0, _ARC: none, URIBL Black: 0, SEM-URI: 0
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d = zzcgtyyhostioob.org; s = mail; h = Message-Id: Date: MIME-Version: Content-Type: To :Subject:From:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID: Content-Description: Resent-Date: Resent-From: Resent-Sender: Resent-To: Resent-Cc : Resent-Message-ID: In-Reply-To: References: List-Id: List-Help: List-Unsubscribe: List-Subscribe: List-Post: List-Owner: List-Archive; bh = NOgDePPdYFgR / tUXddw7VGZVq4eWVT8PMMg20oM1bJE =; b = PIDQ0UsCKhyyOkvULdJ81xXg3g b224P0OVTFUZYENsY0w9lBJ + re / p84mBMLnB3KIBXFKT0V2LXocBMFXNlMZ1LaoL + w9Nys0JzsNvz u2RTWO + zSj8r8IaD1zphUvsG4qHjc2F6MgSEIpiC668pyXtnhx4vFr / hofxnpkcG2aPYQw7fl / V + L qqgBfHwtUSUR5nVFLkYP/cnwXGPANhWIMfJnEt2DxmZj4oRXrn32aBxO9IP/7ScUaQLcUZltFxUpz vaLdm/SMb8HmIL5zjyMh7NxiwhZnCgC0CYP87vwh8l5vfM4y44dnzvj0JqpzTrXDXU0//P4IuZVW+ K+bV9f9A==;
From: "Assistance.aruba.it" <mail@zzcgtyyhostioob.org>

I took the .eml and did a stupid test, asking chatgpt to analyze it. 
Here is the result:

🚨 Phishing Email Analysis Report

The analyzed email is almost certainly a phishing attempt, even though basic technical checks appear to pass.


❗ Strong Fraud Indicators

  • Fake sender domain: zzcgtyyhostioob.org (not related to Aruba in any way)

  • Spoofed display name: “Assistenza.aruba.it”

  • Generic greeting: “Dear Customer”

  • Urgency & threat: service suspension warning

  • Payment link prompt: typical credential/credit card harvesting tactic


⚠️ Why it bypassed spam filters

Technical authentication passed:

  • SPF ✅

  • DKIM ✅

  • DMARC ✅

  • Spam score: 0

This happens because modern phishing campaigns use fresh, clean domains to avoid blacklists.


✅ Final Verdict

👉 PHISHING EMAIL — DO NOT CLICK — DO NOT REPLY

It is a fake unpaid invoice scam impersonating Aruba.

I'm wondering:
Even if I developed an agent that ran this type of test and returned a score, how would I connect it?
I could still use a local LLM (I tried it and the results are still excellent).

Some sort of external management would be needed.
An agent could also handle the training if done well.
But I need a way to connect it to the anti-spam system.
A bit like what happened with rsSpamD, but with a custom agent.

It's just an idea, yet to be tested, but what do you think?

Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy

J. LaDow Replied
The bigger issue you have is privacy.

Everything you send to an AI agent is kept by said agents in their training sets. Everything.

There is no such thing as privacy when AI is used...

As for the AI results - SpamAssassin used to be able to score messages like that - but it takes a LOT of tweaking. SM's internal SpamAssassin configuration is pretty locked down and doesn't allow for much changes. 
MailEnable survivor / convert --
Sabatino Replied
In fact, I intended to install a local LLM, so there would be no privacy issues.
Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
Sébastien Riccio Replied
Rspamd, which can be integrated with SmarterMail, has a GPT module that can be used with openai API or ollama for local LLM.

That's maybe a path you can study.

Of course, it is really not advised to use it with openai as they will probably use the submitted data to train their stuff.

Sébastien Riccio System & Network Admin https://swisscenter.com
Sabatino Replied
Yes, Sébastien, I was just checking out RSS feeds with ollama.

I'll try it as soon as I can find some time.


Of course, you also need a hardened server, but I'd cancel my Cyren and Message Sniffer subscriptions.
I don't know, it's worth a try.
Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
Douglas Foster Replied
If the existing RspamD integration does not meet your needs, this is your alternative.

The Spool\Proc folder, used by Declude, allows you to do any arbitrary integration.  The only limitation is that the call happens after the SMTP session has closed.  For reasons unknown, this interface has never been fully documented and polished, so here is my version:

I will use "Declude" to represent Declude Classic, Declude Reboot, or any custom process that you choose to write.  Here is the processing flow.

SmarterMail hands the message to Declude by putting two files into the \spool\proc folder:
  • <digitstring>.eml has the message body, the same content you see when you use the webmail interface to perform "Download EML"
  • <digitstring>.hdr has message metadata (SMTP Mail From, SMTP Recipient To, Server HELO, Server ReverseDNS, and Server IP.)
Declude moves files into \spool\proc\work to begin processing. After processing, allowed messages are delivered to the \Spool folder and the file names are given an "x-" prefix. (No idea if the prefix is significant or not.)

Declude reports results in three ways:
  • Not returning the message to SmarterMail (silent discard or quarantine)
  • Custom Headers added to the EML file
  • A score added to the bottom of the HDR file, using the form: decludeWt: 3.  This weight is included in the "Spool Filtering" total spam score.
My implementation:
  • I use Declude to perform recipient verification and silently discard messages with no valid recipients.
  • I use Declude Custom Headers to store results for downstream processing.   Messages flow from Declude to a commercial spam filter which is still part of my configuration.   Content filtering rules in that product use Declude header text to trigger block, quarantine, or whitelist.   The appliance provides a 90-day archive of all received messages, a web interface for message review, and some content filtering.
  • I don't use spam weights or SmarterMail spool filtering.
Declude can call any program or script as a custom filter, so my suggestion for getting started is to use Declude Reboot to move the message around and a custom filter to launch your AI tool.   If that does not work,  you could create software to replicate Declude's file handling, preferably implemented as a service.

I am impressed by the ability of AI to check for consistency between Friendly Name and From address.  That is one threat vector that is not easily detected.    I also wonder how AI learned so much about private email.
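One way to replicate the file handling the post describes, using the Friendly-Name vs From-domain consistency check it mentions as the scoring rule. This is an added example, not Douglas's or Declude's code; the custom header name, the weight value and the sample .eml/.hdr files are assumptions made here.

```python
"""Emulate the Declude-style Spool\\Proc handoff from the post above (added
example, not Declude code).  Files come in as <digits>.eml/.hdr, are moved to
work/, scored with the Friendly-Name vs From-domain check discussed in the
thread, get "decludeWt: N" appended to the .hdr plus a custom header on the
.eml, and go back to the spool with an "x-" prefix.  Header name, weight and
sample files are assumptions for this example."""
import email
import email.policy
import re
import shutil
import tempfile
from email.utils import parseaddr
from pathlib import Path

CUSTOM_HEADER = "X-Example-BrandCheck"   # assumed header name
MISMATCH_WEIGHT = 10                      # assumed weight for a mismatch

def display_name_mismatch(from_header: str) -> bool:
    """True when the display name claims a domain the real sender domain does
    not belong to, e.g. "Assistenza.aruba.it" <mail@zzcgtyyhostioob.org>.
    A display name without a dotted host name is not judged here."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    m = re.search(r"((?:[a-z0-9-]+\.)+[a-z]{2,})", name.lower())
    if not m or not domain:
        return False
    claimed = ".".join(m.group(1).split(".")[-2:])  # "aruba.it"
    return not (domain == claimed or domain.endswith("." + claimed))

def process_pair(spool: Path, stem: str) -> int:
    """Move <stem>.eml/.hdr from spool/proc to spool/proc/work, score them and
    hand both back to the spool as x-<stem>.*; returns the weight.  Not
    writing the files back at all would be the silent-discard path."""
    proc, work = spool / "proc", spool / "proc" / "work"
    work.mkdir(parents=True, exist_ok=True)
    for ext in (".eml", ".hdr"):
        shutil.move(str(proc / f"{stem}{ext}"), str(work / f"{stem}{ext}"))
    eml_path, hdr_path = work / f"{stem}.eml", work / f"{stem}.hdr"
    eml_text = eml_path.read_text()
    msg = email.message_from_string(eml_text, policy=email.policy.default)
    weight = MISMATCH_WEIGHT if display_name_mismatch(str(msg.get("From", ""))) else 0
    # Result 2: custom header on the EML for downstream content rules.
    eml_text = f"{CUSTOM_HEADER}: {'mismatch' if weight else 'ok'}\n" + eml_text
    # Result 3: the weight line at the bottom of the HDR file.
    hdr_text = hdr_path.read_text().rstrip("\n") + f"\ndecludeWt: {weight}\n"
    (spool / f"x-{stem}.eml").write_text(eml_text)
    (spool / f"x-{stem}.hdr").write_text(hdr_text)
    eml_path.unlink(); hdr_path.unlink()
    return weight

SAMPLE_EML = (  # constructed, modelled on the headers quoted in the thread
    'From: "Assistenza.aruba.it" <mail@zzcgtyyhostioob.org>\n'
    "To: customer@example.invalid\nSubject: Fattura non pagata\n\n"
    "Dear Customer, your service will be suspended.\n")
SAMPLE_HDR = "# constructed placeholder; real .hdr layout is not on the page\n"

def demo(stem: str = "1234567890") -> tuple:
    """Run the flow on the sample in a temporary spool; returns
    (weight, returned .hdr text, returned .eml text)."""
    with tempfile.TemporaryDirectory() as tmp:
        spool = Path(tmp) / "spool"
        (spool / "proc").mkdir(parents=True)
        (spool / "proc" / f"{stem}.eml").write_text(SAMPLE_EML)
        (spool / "proc" / f"{stem}.hdr").write_text(SAMPLE_HDR)
        weight = process_pair(spool, stem)
        return (weight, (spool / f"x-{stem}.hdr").read_text(),
                (spool / f"x-{stem}.eml").read_text())
```

A real deployment would watch spool/proc as a service and replace the scoring function with the call into the local LLM; the file flow stays the same.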
Sabatino Replied
I did a few more small tests.
Claude gives essentially the same result.
But even a locally installed LLM like ministral-3-14b-reasoing
Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
John Quest Replied
As a long time user/supporter/admin of emails servers and Declude, I agree with Douglas. 

Sure, it takes hands on tweaking, even months after implementation, but after all, if the war on spam was simple it would be over by now.
Sabatino Replied
The problem is that declude seems like a practically stopped project, instead Rspamd is very active
Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
Douglas Foster Replied
RspamD is a viable option.   You asked "How can I integrate?".    This interface is your other option, whether you use Declude/DR or not.    
John Quest Replied
The problem is that declude seems like a practically stopped project,

Well, not really. The original Declude is indeed no longer updated/upgraded/etc for a number of years due to a "technical" issue as well as other limitations in the original code. 

HOWEVER, it has been completely and thoroughly redesigned and rebuilt. Mails Best Friend is the company that owns "Declude" and is very engaged and working on the new product called DR. 

I have been working with them doing ALPHA and then BETA testing since mid 2021 and have been using DR in production for about 2 1/2 years now.
echoDreamz Replied
I have been testing my personal domain with rSpamd and a local AI that has actually done surprisingly well, it is not 100%, but really does do a damn good job, it took quite a bit of tweaking, especially for image-based spam that I was getting, but it does really well on those too.

If we were to scale this out for our entire SM infrastructure, it would be pretty $$$$$$.
Sabatino Replied
I don't know. In theory, a server like this should be sufficient.
The cost is €360 + VAT/month.
Considering that I'd be canceling my Cyren Message Sniffer subscription, it's worth considering.

Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
Sabatino Replied
@echoDreamz
Which local LLM did you use?
Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
rick Replied
The best kept secret if you're an ISP or MSP: https://www.spamexperts.com/
Not sure what current pricing is but we've been using them for over 10 years and it's just a few $$ per domain. We sell it as a premium filtering service at a flat rate to customers but it's easily worth $3.00 - $5.00 per user and sits nicely in front of Smartermail and O365. Great for outgoing too.
echoDreamz Replied
@Sabatino - Using LocalAI https://localai.io/ with LLaMA 13B on a 24GB RTX4090
Sabatino Replied
Thanks, Rick.
I knew about n-able, but not this product.
I'll try it; I've already signed up for a trial.
Let's also look at the costs.
Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
Oliver Replied
MDaemon's SecurityGateway is an excellent SPAM filter gateway with a wide range of configuration options and now also the option of integrating your own LocalAI. It is also suitable for ISPs and MSPs.
Michael Replied
I recall some years ago Tim was saying that ST was working on new anti spam integrations or tools upcoming. I'm not sure any of that was yet released? Maybe still in the works? 

Cyren and Message Sniffer seem to be letting through so much spam. It has been frustrating. 

N-able looks interesting. 
Douglas Foster Replied
Before assuming you need a different product, understand how the attacks have changed.
I was successfully blocking a lot of spam using mandatory authentication.   Since a few months ago, I have been receiving a significant increase in total spam volume, and most of it is perfectly authenticated using unrecognized domain names.   The domain name changes frequently.  So my reputation filter is useless because the name is unrecognized, and my authentication filter is useless because there are no authentication problems.    That leaves content filtering, which is reactive and minimally ineffective:  first I get spammed, then I create a block on that name, then I see a similar attack using a different name, so I realize that I need to create a content filter.  Then they change the attack characteristics to work around my content filters.   I had a block for "Marriott", but that did not work when they misspelled it to "Marriot".   I had a block on "Costco", so they started using "C0stc0".   The fraudulent give away attacks have been largely replaced by fraudulent purchase confirmations.

Given the strengths of these attacks, your spam filter will only be as good as the spam that they have already seen attacking someone else, and their speed in adapting to them.   I have found that the SpamHaus lists are helping catch what my commercial product misses (both Zen for IP reputation and DBL for domain reputation.)

I have also benefitted from a data collection process that we started two years ago:  every allowed message is logged to a database, and that detail is used to build a table of known correspondents.   Unrecognized correspondents are flagged as the database entry is being created.   Every morning, I pull the list of messages received from unknown correspondents since the previous business day, and review it, because this is where the spam risk exists.   It is also a tiny list, usually about 50 messages, and most of those messages turn out to be acceptable.

Unwanted messages get a block rule so that they cannot penetrate again.  The worst messages get purged from recipient mailboxes through system admin impersonation, deleting once from the inbox and again from the deleted items folder.   Some also get an abuse report sent to their infrastructure provider.  It is sad to realize that I am letting spam through every day, but my user base is pretty good at ignoring messages that are not business-related, so we have not been burned yet.

I suggest that everyone figure out how to track unrecognized senders and develop a similar process.  Without it, you will have no idea how much spam is getting missed by your spam filter.

I think this also suggests why A.I. has intriguing potential. That demonstrated ability to say "not from asserted brand" is needed.
Sébastien Riccio Replied
Hello Douglas,

The process of tracking unrecognized senders you're describing is probably do-able if you have a few domains and mailboxes and they are yours, but when you're hosting multiple thousands of customer domains and ten times more mailboxes, it becomes a bit hard to manage.

Unfortunately, the same for content filter you're describing, like Costco. Some users (customers) might want to receive legit mails from them, for example...
Sébastien Riccio System & Network Admin https://swisscenter.com
Douglas Foster Replied
These objections are solvable.

For the multi-tenant problem:

I have embraced this filtering philosophy:
  • Some senders are explicitly trusted because they have been given some form of whitelisting rule to prevent messages from being blocked or delayed.
  • Some senders are implicitly trusted because they have sent us previous email(s), the message did not get flagged by the filtering software, the message did not trigger user complaints, and the message did not destroy our network.
  • While it is true that trusted senders may experience a compromised account, my ability to predict the characteristics of any such "insider" attack is approximately zero.
  • Therefore, all of the detectable threats will come from unrecognized senders.
For a hosting service like yours, the definition of "wanted" and "unwanted" messages will vary between customers, but the threat actors will be equally objectionable to all clients.  I am asserting that all of the threat actors will originally arrive as unrecognized senders, so a single known sender list can be applied globally.  It also means that it is critical to investigate unknown senders when they first arrive.

I have found that the Training folder is very useful for collecting user feedback.

For the "Costco" and "Marriott" problem:

I see these are options:
  • Whitelist the brand's domain (with authentication), then block based on "content contains brand name".   In the past, I have been reluctant to whitelist for fear of compromised accounts at whitelisted domains, but that has changed.  Based on my current philosophy, I am willing to whitelist pretty freely.   The proposed filtering design will create problems for agency messages, such as an Expedia itinerary that includes Marriott hotel stays, so suspicious messages should be sent to quarantine, so that the bad guys can be blocked by name and the good guys can be whitelisted.
  • For some of the current attacks, the brand name is often embedded in the username portion of the address, usually at the beginning, so an address filter of the form "costco*@*" or "*costco*@*" can be effective.   This is difficult to configure in my commercial spam filter, but simple to configure in Declude.   It is unlikely to produce errors.
  • I am intrigued by your A.I. tool that can say, "This is not plausibly from <brand> or an agent for that brand."   But my organization has not pursued A.I. yet.
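The unrecognized-sender tracking described in the earlier post and the "costco*@*" address filter from the list above, as an added example (not Douglas's own tooling). The table layout, column names and sample entries are assumptions constructed here.

```python
"""Known-correspondent tracking and the brand-in-username address filter
from the two posts above (added example, not Douglas's own tooling).  Every
allowed message is logged; a sender seen for the first time is flagged so it
appears in the next morning's review list.  The table is global across hosted
domains, as the post argues it can be.  Table layout and sample entries are
constructed for this example."""
import sqlite3
from email.utils import parseaddr
from fnmatch import fnmatchcase

SCHEMA = """
CREATE TABLE IF NOT EXISTS correspondents (
    sender     TEXT PRIMARY KEY,   -- normalised From address, all tenants
    first_seen TEXT NOT NULL,
    last_seen  TEXT NOT NULL,
    messages   INTEGER NOT NULL
);
CREATE TABLE IF NOT EXISTS allowed_log (
    received_at  TEXT NOT NULL,
    recipient    TEXT NOT NULL,   -- hosted mailbox, whichever customer
    sender       TEXT NOT NULL,
    subject      TEXT NOT NULL,
    unrecognized INTEGER NOT NULL -- 1 = first contact at logging time
);
"""

def open_db(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn

def log_allowed(conn, received_at: str, recipient: str,
                from_header: str, subject: str) -> bool:
    """Record an allowed message; return True when the sender was
    unrecognized (first contact) as the database entry was created."""
    sender = parseaddr(from_header)[1].lower()
    known = conn.execute("SELECT 1 FROM correspondents WHERE sender=?",
                         (sender,)).fetchone()
    if known:
        conn.execute("UPDATE correspondents SET last_seen=?, messages=messages+1 "
                     "WHERE sender=?", (received_at, sender))
    else:
        conn.execute("INSERT INTO correspondents VALUES (?,?,?,1)",
                     (sender, received_at, received_at))
    conn.execute("INSERT INTO allowed_log VALUES (?,?,?,?,?)",
                 (received_at, recipient, sender, subject, int(not known)))
    conn.commit()
    return not known

def review_list(conn, since: str) -> list:
    """The morning review: allowed messages from unrecognized senders
    received since `since` (ISO timestamps sort as text)."""
    return conn.execute(
        "SELECT received_at, recipient, sender, subject FROM allowed_log "
        "WHERE unrecognized=1 AND received_at>=? ORDER BY received_at",
        (since,)).fetchall()

# Address patterns of the "costco*@*" / "*costco*@*" form from the post;
# the brand must sit in the username part, before the "@".
BRAND_PATTERNS = ["costco*@*", "*marriott*@*", "*marriot*@*"]

def brand_in_username(addr: str, patterns=BRAND_PATTERNS) -> bool:
    """Case-insensitive glob match of the whole address against the list."""
    return any(fnmatchcase(addr.lower(), p.lower()) for p in patterns)
```

The brand patterns deliberately leave "user@costco.com" alone, which is the case the post handles by whitelisting the authenticated brand domain.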

MattyT Replied
AI (broad generalization) is probably the most promising, up and coming tool in spam/phishing/attack detection and prevention. When we look at a message in the inbox, we know immediately (for most) whether it's either legitimate, fraudulent, or some flavor of banal UCE. I'm not a software developer, but one would think that LLMs that have digested countless millions to billions of text-based documents, would make reasonably quick work of detecting both the gibberish and the fraudulent through examination of the content/headers/metadata/attachments of email. Barracuda claims to have some kind of "AI" components available now for email scanning, but I wonder how much of this is marketing as opposed to reality as the documentation on "how it works" is vague. Does anyone know about what else is out there or on the horizon?

Rarely is there a message that I need to examine carefully to make a determination on its legitimacy. A quick glance and it's usually obvious. I suppose that spam senders will attempt to develop AI tools to attempt to bypass any of these new and more sophisticated detection engines, but that's the eternal battle I suppose.
Sabatino Replied
The advantage is that since spammers use LLM for their attacks, LLM adapts to new attacks.

It's important to understand how many resources are needed and what costs are incurred.


Allow me to express my opinion on the matter. Today we find ourselves offering email services to users in competition with gmail, google workspace, office 365, etc., where spam filters are very advanced. 
We have two scenarios: 

the advanced/corporate user who, faced with more support services that we provide, chooses our email services and is also willing to spend $5/month per user for an anti-spam gateway. And here we choose a supplier and propose a solution and we also earn, it seems fair to me. 

The basic type user, on the other hand, is not willing to spend an additional $5/month per user to protect themselves from spam, but to whom we must still provide a minimum of anti-spam protection. Now, in this context, the basic services of SM (greylist, rbl, urirbl etc.) adding cyren + message sniffer, accounts at hand cost us $1/user/year and therefore do not significantly impact costs and in any case do an acceptable job. 

Now the question is: can we replicate such a situation at a low (comparable) cost with better performance using an LLM? RSPAMD with a local LLM could be a solution. On a machine suitable for an LLM, at a cost of $300/400 per month, I think you can install RSPAMD + local LLM and have good performance. Then it's all about configuring it correctly. The training of the local LLM should be generalist, but also by domain, as clearly what is spam for one domain may not be for another. A local LLM has the advantage of adapting quickly, if well trained in new attacks and new techniques.

Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
MattyT Replied
@Sabatino

Well said and a good analysis of what we face as MSPs. I have been playing around with the ProxMox Mail Gateway for a while and I'm going to attempt the rspamd and AI combo script add-in. I'll point a few "less-important" domains at it to see how it works.

Matt
J. LaDow Replied
We're building out rspamd as well as a custom configuration for SpamAssassin - once we see some stability and good results, we'll share as much as we can.
MailEnable survivor / convert --
rick Replied
I'll say one thing... whatever signatures Spam Experts is using from Sanesecurity, we block EVERYTHING they flag and it's drop-dead accurate.  These stop the most junk I've ever seen... and I've been doing this since the 90's!    https://sanesecurity.com/  
echoDreamz Replied
We tried the Sanesecurity stuff as well, while it did well, we also received a TON of complaints about false positives. To the point their DBs were flagging emails from Amex, Hilton, Capital One, a lot of our non-US customers were also getting FPs around sales communications with other 3rd party companies they worked with.

We only used the "Low" risk signatures. 
Gabriele Maoret - SERSIS Replied
We had a lot of false positives with Sanesecurity too, so we had to disable a lot of their signatures in ClamAV config...
Gabriele Maoret - Head of SysAdmins and CISO at SERSIS Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
John Quest Replied
I'll say one thing... whatever signatures Spam Experts is using from Sanesecurity, we block EVERYTHING they flag and it's drop-dead accurate.  These stop the most junk I've ever seen... and I've been doing this since the 90's! 

If the war on spam was that easy, it would be over by now.

What you are experiencing, and falling into the trap of, is the one size fits all solutions. 

It all has to do with what the users/company is that is receiving the emails and what type of business they are conducting.

Email filtering for personal email accounts is entirely different from email filtering for a medical office, which is entirely different for a lawyer's office, which is entirely different for a retail business, which is entirely different from a global distributor, which is entirely different for a company dealing with Asian businesses, and so on and so forth, etc etc etc.
Michael Replied
Back in 2023, Tim talked about various updates coming to HAM/SPAM training and discussed a new SmarterTools Anti-spam service. Was that released or is it still a work in progress?
Douglas Foster Replied
Since Cyren came back to life, that project must have been postponed.

The Ham-Spam comment may have been an allusion to the Training folder feature. I don't know when they added it, but it can be used to train 2 products (Cyren & rSpamD?), or with minimal effort to integrate something else. I use it without automation to perform manual reviews and sender classification.
rick Replied
Not sure what set you off on that tangent.... all I'm saying is we block everything that Sanesecurity flags and it is 100% all junk that nobody wants. We have a mix of all types of businesses small and large, and one thing they all have in common is they all don't want anything that, so far, SaneSecurity has flagged. I'm not saying that using that alone has stopped 100% of spam. The guy who figures that out is gonna be a rich man.

terry fairbrother Replied
I'm seeing password phishing spam like this


yet the header says

X-SmarterMail-SpamAction: None | NoAction
X-SmarterMail-TotalSpamWeight: 0 (Authenticated)

I need to ensure that Smartermail sends all the emails to the RspamD 'server'. Any ideas how this is done?

I paid for the Cyren Prem AS and quite frankly it doesn't do anything. If it's Cyren that's making the decision, then it needs to go
