antispam
Problem reported by Sabatino - 2/4/2026 at 3:27 AM
Submitted
Hi everyone. I hope the energy is over.
I wanted to discuss antispam with you.
I agree that there are powerful solutions, but it is also true that they are expensive. 
For customers who need it and have the budget, I change the MX so that mail passes through an inbound gateway. But I also give a basic service to everyone, and there I rely on the built-in services of SM (Cyren, Message Sniffer, RBL, URIBL, greylisting, etc.).
Putting an excellent antispam gateway in front of everything that arrives is not feasible because of the cost.
I have evaluated it several times, but it would also increase costs for basic customers.
But I keep trying.
I received a message that got through with these headers:

X-SmarterMail-SpamAction: None | NoAction
X-SmarterMail-TotalSpamWeight: 0
X-SmarterMail-Spam: Reverse DNS Lookup [Passed]: 0, SPF [Pass]: 0, Null Sender: 0, Backscatter: 0, SEM - Black: 0, Surriel: 0, Spamhaus: 0, UCEProtect Level 2: 0, Truncate: 0, Barracuda: 0, UCEProtect Level 1: 0, HostKarma: 0, SpamCop: 0, DMARC [passed]: 0, ISpamAssassin [raw: 0]: 0, DKIM [Pass]: 0, _ARC: none, URIBL Black: 0, SEM-URI: 0
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=zzcgtyyhostioob.org; s=mail;
  h=Message-Id:Date:MIME-Version:Content-Type:To:Subject:From:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
  bh=NOgDePPdYFgR/tUXddw7VGZVq4eWVT8PMMg20oM1bJE=;
  b=PIDQ0UsCKhyyOkvULdJ81xXg3gb224P0OVTFUZYENsY0w9lBJ+re/p84mBMLnB3KIBXFKT0V2LXocBMFXNlMZ1LaoL+w9Nys0JzsNvz
   u2RTWO+zSj8r8IaD1zphUvsG4qHjc2F6MgSEIpiC668pyXtnhx4vFr/hofxnpkcG2aPYQw7fl/V+LqqgBfHwtUSUR5nVFLkYP/cnwXGPANhWIMfJnEt2DxmZj4oRXrn32aBxO9IP/7ScUaQLcUZltFxUpz
   vaLdm/SMb8HmIL5zjyMh7NxiwhZnCgC0CYP87vwh8l5vfM4y44dnzvj0JqpzTrXDXU0//P4IuZVW+K+bV9f9A==;
From: "Assistenza.aruba.it" <mail@zzcgtyyhostioob.org>

I took the .eml and did a stupid test, asking ChatGPT to analyze it.
Here is the result:

🚨 Phishing Email Analysis Report

The analyzed email is almost certainly a phishing attempt, even though basic technical checks appear to pass.


❗ Strong Fraud Indicators

  • Fake sender domain: zzcgtyyhostioob.org (not related to Aruba in any way)

  • Spoofed display name: “Assistenza.aruba.it”

  • Generic greeting: “Dear Customer”

  • Urgency & threat: service suspension warning

  • Payment link prompt: typical credential/credit card harvesting tactic


⚠️ Why it bypassed spam filters

Technical authentication passed:

  • SPF ✅

  • DKIM ✅

  • DMARC ✅

  • Spam score: 0

This happens because modern phishing campaigns use fresh, clean domains to avoid blacklists.


✅ Final Verdict

👉 PHISHING EMAIL — DO NOT CLICK — DO NOT REPLY

It is a fake unpaid invoice scam impersonating Aruba.

I'm wondering:
Even if I developed an agent that ran this type of test and returned a score, how would I connect it?
I could still use a local LLM (I tried it and the results are still excellent).

Some sort of external management would be needed.
An agent could also handle the training if done well.
But I need a way to connect it to the anti-spam system.
A bit like what happened with Rspamd, but with a custom agent.

It's just an idea, yet to be tested, but what do you think?

Sabatino Traini
      Chief Information Officer
Genial s.r.l. 
Martinsicuro - Italy

J. LaDow Replied
The bigger issue you have is privacy.

Everything you send to an AI agent is kept by said agents in their training sets. Everything.

There is no such thing as privacy when AI is used...

As for the AI results - SpamAssassin used to be able to score messages like that - but it takes a LOT of tweaking. SM's internal SpamAssassin configuration is pretty locked down and doesn't allow for much changes. 
MailEnable survivor / convert --
Sabatino Replied
In fact, I intended to install a local LLM, so there would be no privacy issues.
Sébastien Riccio Replied
Rspamd, which can be integrated with SmarterMail, has a GPT module that can be used with openai API or ollama for local LLM.

That's maybe a path you can study.

Of course, it is really not advised to use it with openai as they will probably use the submitted data to train their stuff.

Sébastien Riccio System & Network Admin https://swisscenter.com
Sabatino Replied
Yes, Sébastien, I was just checking out RSS feeds with ollama.

I'll try it as soon as I can find some time.


Of course, you also need a hardened server, but I'd cancel my Cyren and Message Sniffer subscriptions.
I don't know, it's worth a try.
Douglas Foster Replied
If the existing RspamD integration does not meet your needs, this is your alternative.

The Spool\Proc folder, used by Declude, allows you to do any arbitrary integration.  The only limitation is that the call happens after the SMTP session has closed.  For reasons unknown, this interface has never been fully documented and polished, so here is my version:

I will use "Declude" to represent Declude Classic, Declude Reboot, or any custom process that you choose to write.  Here is the processing flow.

SmarterMail hands the message to Declude by putting two files into the \spool\proc folder:
  • <digitstring>.eml has the message body, the same content you see when you use the webmail interface to perform "Download EML"
  • <digitstring>.hdr has message metadata (SMTP Mail From, SMTP Recipient To, Server HELO, Server ReverseDNS, and Server IP)
Declude moves the files into \spool\proc\work to begin processing. After processing, allowed messages are delivered to the \Spool folder and the file names are given an "x-" prefix. (No idea if the prefix is significant or not.)

Declude reports results in three ways:
  • Not returning the message to SmarterMail (silent discard or quarantine)
  • Custom Headers added to the EML file
  • A score added to the bottom of the HDR file, using the form: decludeWt: 3.  This weight is included in the "Spool Filtering" total spam score.
My implementation:
  • I use Declude to perform recipient verification and silently discard messages with no valid recipients.
  • I use Declude Custom Headers to store results for downstream processing.   Messages flow from Declude to a commercial spam filter which is still part of my configuration.   Content filtering rules in that product use Declude header text to trigger block, quarantine, or whitelist.   The appliance provides a 90-day archive of all received messages, a web interface for message review, and some content filtering.
  • I don't use spam weights or SmarterMail spool filtering.
Declude can call any program or script as a custom filter, so my suggestion for getting started is to use Declude Reboot to move the message around and a custom filter to launch your AI tool.   If that does not work,  you could create software to replicate Declude's file handling, preferably implemented as a service.

I am impressed by the ability of AI to check for consistency between Friendly Name and From address.  That is one threat vector that is not easily detected.    I also wonder how AI learned so much about private email.
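The hand-off Douglas describes above is straightforward to replicate. What follows is an added example written for this thread; it is not code from the post, from Declude or from SmarterMail. It processes one <digitstring>.eml/.hdr pair the way the post lays it out (claim the pair into \spool\proc\work, add a custom header to the EML, append a decludeWt line to the HDR, hand both back under an x- prefix, or silently discard), and in place of the AI tool it runs the one check Douglas singles out, Friendly Name versus From domain, on the Assistenza.aruba.it message from the opening post. Everything not on the page is an assumption of the example: the .hdr file is treated as opaque text and only the weight line is appended, because its exact format is not documented here; the header name X-Custom-Phish, the weight of 15, the discard threshold of 100, the sample body and the registrable-domain approximation are the example's own. The classify() function is where a local-LLM call (Ollama, LocalAI) would go.

```python
# Added example for this thread; not code from the post, from Declude or from
# SmarterMail. Replicates the \spool\proc hand-off described above with a
# Friendly-Name / From-domain consistency check standing in for the AI tool.
# Assumptions (not documented on the page): the .hdr file is treated as opaque
# text and only the "decludeWt: N" line is appended; the X-Custom-Phish header
# name, the weight values and the discard threshold are this example's own.
import email
import email.policy
import re
import shutil
import tempfile
from email.utils import parseaddr
from pathlib import Path

WEIGHT_BRAND_MISMATCH = 15   # assumed weight; tune against your spool-filtering thresholds
DISCARD_AT = 100             # assumed; a weight at or above this is never handed back

# something that looks like a hostname inside a display name, e.g. "Assistenza.aruba.it"
HOSTNAME_RE = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")


def brand_mismatch(from_header: str) -> tuple[int, str]:
    """Weight a From header whose display name names a domain the address is not in."""
    name, addr = parseaddr(from_header)
    addr_domain = addr.rpartition("@")[2].lower()
    for token in HOSTNAME_RE.findall(name):
        claimed = token.lower()
        # registrable-domain approximation: compare the last two labels only
        # (an assumption of the example; use a public-suffix list in production)
        if claimed.split(".")[-2:] != addr_domain.split(".")[-2:]:
            return WEIGHT_BRAND_MISMATCH, f"display name claims {claimed}, From is {addr_domain}"
    return 0, "display name consistent with From domain"


def classify(raw_eml: bytes) -> tuple[int, str]:
    """The 'AI tool' hook: a local-LLM call (Ollama, LocalAI) would replace this body."""
    msg = email.message_from_bytes(raw_eml, policy=email.policy.default)
    return brand_mismatch(msg.get("From", ""))


def process_pair(proc: Path, spool: Path, stem: str) -> int:
    """Handle one <stem>.eml / <stem>.hdr pair the way the post describes Declude doing it."""
    work = proc / "work"
    work.mkdir(exist_ok=True)
    eml, hdr = work / f"{stem}.eml", work / f"{stem}.hdr"
    shutil.move(str(proc / f"{stem}.eml"), str(eml))      # 1. claim the pair into \proc\work
    shutil.move(str(proc / f"{stem}.hdr"), str(hdr))
    raw = eml.read_bytes()
    weight, reason = classify(raw)
    if weight >= DISCARD_AT:                                # 2a. silent discard: not returned
        eml.unlink()
        hdr.unlink()
        return weight
    # 2b. custom header for downstream rules, prepended to the raw bytes instead of
    #     re-serialising the message so the body stays byte-for-byte intact
    nl = b"\r\n" if b"\r\n" in raw[:1024] else b"\n"
    eml.write_bytes(b"X-Custom-Phish: %d; %s" % (weight, reason.encode()) + nl + raw)
    with hdr.open("ab") as fh:                              # 3. weight line at the bottom of the HDR
        fh.write(b"decludeWt: %d" % weight + nl)
    for path in (eml, hdr):                                 # 4. hand back to \Spool under x-
        shutil.move(str(path), str(spool / f"x-{path.name}"))
    return weight


# Constructed sample pair: the From line is the one quoted in the opening post,
# the rest of the message and the .hdr contents are made up for the example.
SAMPLE_EML = (
    b'From: "Assistenza.aruba.it" <mail@zzcgtyyhostioob.org>\r\n'
    b"To: customer@example.invalid\r\n"
    b"Subject: Fattura non pagata\r\n"
    b"\r\n"
    b"Gentile Cliente, il servizio verra sospeso.\r\n"
)
SAMPLE_HDR = b"(opaque SmarterMail metadata: Mail From, Rcpt To, HELO, reverse DNS, IP)\r\n"


def run_demo() -> dict:
    """Drop the sample pair into a temporary \\spool\\proc, process it, report what came back."""
    root = Path(tempfile.mkdtemp())
    proc = root / "proc"
    proc.mkdir()
    (proc / "123456.eml").write_bytes(SAMPLE_EML)
    (proc / "123456.hdr").write_bytes(SAMPLE_HDR)
    weight = process_pair(proc, root, "123456")
    out_eml = (root / "x-123456.eml").read_bytes()
    out_hdr = (root / "x-123456.hdr").read_bytes()
    return {
        "weight": weight,
        "header_added": out_eml.startswith(b"X-Custom-Phish: 15;"),
        "body_intact": out_eml.endswith(SAMPLE_EML),
        "hdr_last_line": out_hdr.rstrip().splitlines()[-1],
    }


if __name__ == "__main__":
    print(run_demo())
```

Run it with python3 and it reports the weight assigned to the sample message (15, from the Assistenza.aruba.it display name against a zzcgtyyhostioob.org address) and confirms the custom header, the untouched body and the decludeWt line. Two points to carry into a real implementation: because SmarterMail invokes this interface only after the SMTP session has closed, a discard here is a silent drop with no SMTP-level rejection, so log whatever you throw away; and the header is prepended to the raw bytes rather than the message being parsed and re-serialised, so the body, and anything a downstream filter wants to re-verify such as the DKIM body hash, is left exactly as received.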
Sabatino Replied
I did a few more small tests.
Claude gives essentially the same result.
But even a locally installed LLM like ministral-3-14b-reasoning
John Quest Replied
As a long time user/supporter/admin of email servers and Declude, I agree with Douglas.

Sure, it takes hands on tweaking, even months after implementation, but after all, if the war on spam was simple it would be over by now.
Sabatino Replied
The problem is that declude seems like a practically stopped project, instead Rspamd is very active
Douglas Foster Replied
RspamD is a viable option.   You asked "How can I integrate?".    This interface is your other option, whether you use Declude/DR or not.    
John Quest Replied
The problem is that declude seems like a practically stopped project,

Well, not really. The original Declude is indeed no longer updated/upgraded/etc for a number of years due to a "technical" issue as well as other limitations in the original code. 

HOWEVER, it has been completely and thoroughly redesigned and rebuilt. Mails Best Friend is the company that owns "Declude" and is very engaged and working on the new product called DR. 

I have been working with them doing ALPHA and then BETA testing since mid 2021 and have been using DR in production for about 2 1/2 years now.
echoDreamz Replied
I have been testing my personal domain with rSpamd and a local AI that has actually done surprisingly well; it is not 100%, but it really does do a damn good job. It took quite a bit of tweaking, especially for the image-based spam I was getting, but it does really well on those too.

If we were to scale this out for our entire SM infrastructure, it would be pretty $$$$$$.
Sabatino Replied
I don't know. In theory, a server like this should be sufficient.
The cost is €360 + VAT/month.
Considering that I'd be canceling my Cyren Message Sniffer subscription, it's worth considering.

Sabatino Replied
@echoDreamz
Which local LLM did you use?
rick Replied
The best kept secret if you're an ISP or MSP:  https://www.spamexperts.com/
Not sure what current pricing is but we've been using them for over 10 years and it's just a few $$ per domain. We sell it as a premium filtering service at a flat rate to customers but it's easily worth $3.00 - $5.00 per user and sits nicely in front of Smartermail and O365. Great for outgoing too.
echoDreamz Replied
@Sabatino - Using LocalAI https://localai.io/ with LLaMA 13B on a 24GB RTX4090
Sabatino Replied
Thanks, Rick.
I knew about N-able, but not this product.
I'll try it; I've already signed up for a trial.
Let's also look at the costs.
Oliver Replied
MDaemon's SecurityGateway is an excellent SPAM filter gateway with a wide range of configuration options and now also the option of integrating your own LocalAI. It is also suitable for ISPs and MSPs.
