Back to Community Threads
How would you deal witht this kind of spam??
Problem reported by Brian Bjerring-Jensen - VonBjerring GmbH - 3/28/2026 at 1:12 AM
Submitted
In the woods here....

Return-Path: <no-reply@cloudpros.dk>
Received: ; Sat, 28 Mar 2026 00:44:11 +0100
X-SmarterMail-SpamAction: None | NoAction
X-SmarterMail-TotalSpamWeight: 0 (Authenticated)
X-SmarterMail-Spam: DMARC [skipped - Authenticated]: 0
Date: Fri, 27 Mar 2026 23:44:11 +0000
To: me@cloudpros.dk
From: Cloudpros <no-reply@cloudpros.dk>
Reply-To: Alyssa Stone <alyssa@turbojot.com>
Subject: [Cloudpros ApS]
Message-ID: <1j2ULlPF5tmOiiZiYhqxFnpW48dzJQjY8SP5XcM7YM@www.cloudpros.dk>
X-Mailer: PHPMailer 7.0.0 (https://github.com/PHPMailer/PHPMailer)
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit
Roger Replied
3/28/2026 at 6:11 AM
Depending on how your current anti-spam assessment for this email turns out, you could create a custom rule in SmarterMail to evaluate the header. For instance, if the X-Mailer field contains the value PHPMailer, you could assign +5 spam points.
D
Douglas Foster Replied
3/28/2026 at 8:43 AM
I assume that your problem is:
  • cloudspro.dk is an infrastructure service used by many legitimate clients
  • alyssa@turbojot.com is an attacker who is exploiting the service.
So you need the ability to filter on the Reply-to header.

I spoke about the need for reply-to filtering here:

More generally, identifiers in the email message can have one of these roles:
  • An infrastructure resource used by many clients.   We should expect them to be a mix of acceptable and unacceptable actors.
  • An entity who is using the infrastructure resource, who is responsible for the message
  • An identifier that has been impersonated by the responsible identity.
As you have noticed, an infrastructure service can appear at many levels, including the entire From address.

Assuming that you have good filtering rules in place for known identifiers, all of your risk involves unknown identifiers which have no risk categorization.

For responsible identifiers that have no known reputation, our options are:
  • Allow unknown identifiers by default, defend using a mixture of after-the-fact reviews, user complaints, and content filtering results.   Some malicious traffic will penetrate.  This is the mode that we have been taught should be our "normal."
  • Quarantine unknown identifiers by default, allow or block after quarantine review.  No malicious actor can penetrate.   This is safer.
In either case, we cannot evaluate the reputation unless we notice the identifier.  The reply-to address needs to be evaluated any time that it is different from the Return-Path address and the From address.

Infrastructure resources are a little trickier, because they probably have (or will have) clients that are acceptable.   Inversely, they may not warrant full trust, even if we all of their observed clients are legitimate.  So these should almost never be whitelisted and never blacklisted.   So, quarantine by default is safest even if the experience has been good.   Then the final disposition is based on the client, as long as the client identity has a known reputation.

All of this falls apart if you don't identify and block impersonation, and the only way to eliminate all impersonation is to authenticate everyone.
We have authentication turned on on our primary domain. The mail does not come from our server and therefore should be eliminated at SMTP level and not reach my email...
D
Douglas Foster Replied
3/28/2026 at 10:39 AM
Please clarify.    

Cloudpros.dk has an SPF policy ending in -ALL and no DMARC policy, so the most that SmarterMail will require is that the message pass SPF.   You did not provide full headers, but the X-SmarterMail-* entries imply that the message did pass SPF.   

If cloudpros.dk is your own domain, then it implies that the attacker has used MailChannels.net to attack you, and you should open a ticket with them.

Reply-To not authenticated by any standard algorithm, and consequently Reply-To is not even examined my most spam filters.   You will have to build custom rules to handle that header.

The To address is not authenticated, and it is not unusual for the To domain to be different from the recipient domain.   I do not recommend doing anything about the fact that the To address was cloudpros.dk
HI Douglas

Noted. Dmarc added for the main domain. Thanks.
D
Douglas Foster Replied
3/28/2026 at 1:25 PM
But you still need to open a ticket with Mail channels, because the message would have passed DMARC based on SPF pass with alignment   DMARC does not require a verified DKIM  signature.
Back to Community Threads

Reply to Thread

Enter the verification text
Related Knowledge Base Articles
Google Safe Browsing Warning and SmarterMailSmarterMail > Troubleshooting
Recommended SPAM SettingsSmarterMail > Antispam and Antivirus
Send User Spam Feedback Options in SmarterMailSmarterMail > Antispam and Antivirus
Deploying Rspamd For Use With SmarterMailSmarterMail > Server Configuration and Management
Message Archiving in SmarterMailSmarterMail > Installation and Configuration