Spam uptick?
Problem reported by MattyT - 4/10/2026 at 8:21 AM
Has anyone else noticed an increase in spam getting through filters lately? For years, message sniffer was doing a pretty good job at filtering but lately the level of junk getting through has increased dramatically. I think it's time for me to revisit our solution. What are people doing these days for filtering that works reasonably well?

Thx,
Matt
Michael Replied
Yes. A lot of it.
We've been trying to write Regex rules to scan the Raw Content as workarounds.

On a related note, we're seeing a lot of our custom Antispam rules are not firing and can't be seen in message headers since last release. We'll likely need to open a ticket.
J. LaDow Replied
There has been an explosion of garbage coming from Google's cloud platform over the last couple weeks...

We've also seen an uptick from half a dozen other datacenters where the spammers are burning entire class-c's to send garbage out...

Search for HELO vs EHLO in your SMTP logs and you'll see the HELOs are 99.9% garbage...


MailEnable survivor / convert --
Emory Kempf Replied
Michael, do you do this in smartermail? How?
Douglas Foster Replied
Email is implemented with an indefensible security model.

Do you allow random strangers to wander into your building, ignore your receptionist, sit down at any open computer, and start typing? I doubt it.

Yet we let unknown strangers from all over the world into our networks simply because we do not have enough data to prove that they are not dangerous.  Then we wonder why bad things happen.

For senders with unknown reputation, we have to adopt a policy of quarantine-by-default, instead of allow-by-default.  It is the only way to block all spam.   As many people have observed on many occasions, the attackers only need to succeed once, while we need to succeed every time.   I am working as fast as I can to figure out how to get to that operating mode.
Rami El-Zein Replied

We use Spam Experts for all domains that experience spam complaints. The cost per account is very low, and it covers up to 1,000 email accounts per domain.

It also helps reduce bandwidth usage, as all email traffic is filtered on their side first. Clients appreciate receiving a daily summary of “unsure” emails, rather than having messages sent directly to the junk folder.

Douglas Foster Replied
I have confirmed that @J.LaDow's advice is very good. I parsed one day of SMTP logs and I can see that the HELO keyword is mostly or exclusively used by suspicious HELO names.

To act on his advice, we will need to parse the SMTP log to detect the unique IP addresses using the HELO keyword, validate that none of the IP addresses are acceptable, then create IP block rules.

@J.LaDow has previously indicated that he has this process automated, and that the IP blocks are inserted into his firewall, not into SmarterMail.
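A worked version of the log pass described in the two posts above (collect the client IPs that greet with HELO rather than EHLO, drop anything on a safelist, emit a block list with the evidence attached), added here as an example; it is not SmarterMail's, IPBan's or either poster's own code. The log lines are a constructed approximation of SmarterMail's `[ip][session] cmd: ...` SMTP log layout, the addresses are documentation ranges, and the safelist network is an assumption; adjust the regex to your actual log format before trusting the output.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample, loosely modelled on the "[ip][session] cmd: VERB arg" shape of
# a SmarterMail SMTP log; the addresses are documentation ranges, not real senders.
SAMPLE_LOG = """\
08:21:03.101 [203.0.113.10][1001] rsp: 220 mx.example.net ESMTP
08:21:03.155 [203.0.113.10][1001] cmd: HELO drugstore.com
08:21:03.160 [203.0.113.10][1001] cmd: MAIL FROM:<promo@drugstore.com>
08:21:04.201 [198.51.100.25][1002] cmd: EHLO mail-yb1-f181.google.com
08:21:04.205 [198.51.100.25][1002] cmd: MAIL FROM:<alice@gmail.com>
08:21:05.310 [203.0.113.77][1003] cmd: helo [203.0.113.77
08:21:05.315 [203.0.113.77][1003] cmd: MAIL FROM:<info@cheap-pills.example>
08:21:06.001 [192.0.2.5][1004] cmd: HELO scanner.corp.example
08:21:06.010 [192.0.2.5][1004] cmd: MAIL FROM:<backup@corp.example>
08:21:07.400 [203.0.113.10][1005] cmd: HELO trivago.com
"""

# Timestamp, [client ip][session id], then the command verb and its argument.
# Case-insensitive because clients send both "HELO" and "helo".
GREETING_RE = re.compile(
    r"^\S+\s+\[([0-9a-fA-F.:]+)\]\[\d+\]\s+cmd:\s+(HELO|EHLO)\s*(\S*)", re.IGNORECASE)


def parse_greetings(log_text):
    """Yield (client_ip, verb, argument) for every HELO/EHLO line in the log."""
    for line in log_text.splitlines():
        m = GREETING_RE.match(line)
        if m:
            yield m.group(1), m.group(2).upper(), m.group(3)


def is_ip_literal(name):
    """True when the greeting argument is a bare or bracketed IP literal
    (the sample's unterminated '[203.0.113.77' still counts)."""
    try:
        ipaddress.ip_address(name.strip("[]"))
        return True
    except ValueError:
        return False


def helo_block_candidates(log_text, safelist):
    """Map each client IP that greeted with plain HELO (not EHLO) to the set of
    names it presented, skipping anything inside the safelisted networks.
    Safelist your own relays and scanners first; they often greet with HELO too."""
    nets = [ipaddress.ip_network(n, strict=False) for n in safelist]
    seen = defaultdict(set)
    for ip, verb, name in parse_greetings(log_text):
        if verb != "HELO":
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in nets):
            continue
        seen[ip].add(name)
    return dict(seen)


def render_block_list(candidates):
    """One line per IP with the evidence as a trailing comment, in a shape that a
    plain-list firewall or IPBan-style loader can consume after manual review."""
    def sort_key(ip):
        addr = ipaddress.ip_address(ip)
        return (addr.version, addr)          # keeps v4 and v6 from being compared
    lines = []
    for ip in sorted(candidates, key=sort_key):
        names = sorted(candidates[ip])
        tag = " (IP-literal HELO)" if any(is_ip_literal(n) for n in names) else ""
        lines.append(f"{ip}  # HELO {', '.join(names)}{tag}")
    return lines


if __name__ == "__main__":
    for line in render_block_list(helo_block_candidates(SAMPLE_LOG, ["192.0.2.0/24"])):
        print(line)
```

Run it over a full day of logs and read the list before loading it anywhere: a plain HELO is evidence, not proof, and the safelist miss that hurts is your own monitoring jobs and internal relays, which routinely greet with HELO.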
J. LaDow Replied
We use Digital Ruby's IPBanPro - I have a little issue with the user interface in the current version but the core functionality is still there. We rely on it for some country blocking when we don't want/need connections at all (mail or clients). The ASN blocking is also very useful. It can scan just about any log file type and runs on windows or linux. Be sure to safe-list internal IPs before configuring your scanning though.

Personally, we're looking at building out our own log scanning appliance that allows us to weight different regex entries and has just a little more versatility for what we need to process in SM's logs.  

When the exploits were running around for the Web interface, we added a couple rules that insta-ban IPs that were attempting to hit us, etc. 
MailEnable survivor / convert --
Michael Replied
We have a suspicion that custom admin created Antispam rules aren't running properly in the last two SM releases. They run OK for a little bit after service start, then they (mostly?) stop being run by the SM server. We have a support ticket open on this. We're wondering if the entire Antispam engine may not be behaving properly in recent releases.

In any event, it does seem that SmarterMail needs stronger built-in antispam options and controls.
Douglas Foster Replied
Before ST attempts to "build better tools", it would be useful to define requirements.  What does good spam filtering look like?   It is never defined.

I have been working on the question for a while. To avoid a lot of detail here: I don't think it can be done without a customizable rules engine.

SM misses that mark, in part, because they do not provide custom call-outs at HELO, at MAIL FROM, at RCPT TO, and at end-of-data (while the session is open). But they do well because they have a custom call-out after session close.
YS Tech Replied
I have noticed a lot more spam recently.

I've also noticed that my custom rules don't seem to be working.
As an example I have this set to Delete the message:


These are still getting through:


Surely they shouldn't be there?
Thanks
Michael Replied
Right. Seeing same. That's a great obvious example. We're also seeing custom rules not running. 
J. LaDow Replied
We have an Email Address/Domain block wildcard *c0sct0*@* that catches those on connect -- 

Then we use our IPBan to insta-ban that IP that tried to send that message.

Forget wasting the bandwidth and processing power needed to process any of that...

Same for the biue*shieid bieucr0ss variations...

Any of those "reputable" companies send their emails through a reputable third party sender that has proper bounce tracking as the sender(1) email. So when you see sender(1) like *mari0tt*@* (or just mariott*@*) in your log files you can almost guarantee they are garbage and so is the sending IP... sender(1) is handled by the Email Address / Domain Blocks in Security -> SMTP Blocks.

example:
(garbage)

(reputable)
MailEnable survivor / convert --
J. LaDow Replied
Here's 24 hours of HELO blocks -- literally nothing in here legitimate...
We block "list verification services" as well because all they're doing is hunting for email addresses to spam (or don't have effective measures in place to prevent abuse of their services)...
 
Age | IP | Provider | HELO | Country
12 min | 136.107.144.120 | Google | HELO buscroatia.com | US
19 min | 34.150.179.86 | Google | HELO photostockeditor.com | US
27 min | 3.219.79.151 | Amazon | HELO prestwich.org | US
39 min | 34.125.131.250 | Google | HELO bridgeguys.com | US
40 min | 8.229.171.61 | Google | HELO ubuy.ae | US
46 min | 35.196.201.25 | Google | HELO cashbb.com | US
1 hour | 34.139.237.14 | Google | HELO gsmsandwich.com.ph | US
1 hour | 34.106.201.130 | Google | HELO donatestuff.com | US
1 hour | 34.87.163.214 | Google | HELO nerdcubed.co.uk | SG
1 hour | 34.169.12.112 | Google | HELO boldist.co | US
1 hour | 34.106.121.79 | Google | HELO zzap.ru | US
1 hour | 35.236.129.119 | Google | HELO barfers.de | TW
1 hour | 35.245.245.58 | Google | HELO gumdropcases.com | US
1 hour | 35.221.196.45 | Google | HELO govsoftware.com | TW
1 hour | 34.69.225.143 | Google | HELO atrapalo.cl | US
1 hour | 35.229.163.102 | Google | HELO atrapalo.cl | TW
1 hour | 34.138.133.115 | Google | HELO 4gameground.com | US
2 hours | 34.80.234.20 | Google | HELO yokohamafc.com | TW
2 hours | 35.245.120.120 | Google | HELO minecraftsix.com | US
2 hours | 34.106.244.239 | Google | HELO mismarcadores.com | US
3 hours | 34.186.24.66 | Google | HELO zorlupsm.com | US
3 hours | 34.80.167.86 | Google | HELO mismarcadores.com | TW
4 hours | 136.107.141.157 | Google | HELO govsoftware.com | US
4 hours | 35.188.249.207 | Google | HELO khamsat.com | US
4 hours | 35.232.173.211 | Google | HELO clydearmory.com | US
4 hours | 35.196.116.25 | Google | HELO gnu.org | US
4 hours | 34.106.107.171 | Google | HELO jeffpearlman.com | US
4 hours | 150.241.203.220 | Interserver | helo [150.241.203.220 | US
4 hours | 34.106.36.153 | Google | HELO 14khorshid.ir | US
4 hours | 35.234.36.236 | Google | HELO assistcard.co.kr | TW
4 hours | 34.125.93.120 | Google | HELO amanatool.com | US
5 hours | 35.240.145.71 | Google | HELO swde.be | SG
5 hours | 34.90.50.84 | Google | HELO willpeavy.com | NL
5 hours | 35.245.210.115 | Google | HELO boxdocce2b.com | US
5 hours | 35.224.109.237 | Google | HELO globalwatchshop.co.uk | US
5 hours | 34.73.179.49 | Google | HELO gsmsandwich.com.ph | US
5 hours | 136.115.186.39 | Google | HELO kataloog.info | US
5 hours | 34.125.138.247 | Google | HELO blackberry.com | US
5 hours | 34.106.24.82 | Google | HELO infocomm.org | US
5 hours | 34.21.24.140 | Google | HELO panoramio.com | US
5 hours | 34.66.152.15 | Google | HELO drugstore.com | US
5 hours | 34.73.105.56 | Google | HELO deadline.com | US
5 hours | 34.72.20.113 | Google | HELO minube.com | US
6 hours | 100.28.219.35 | Amazon | HELO 6088c90d-d560-4b6b-8bce-24f9cdafeb94.prvt.dyno.rt.heroku.com | US
6 hours | 34.147.94.249 | Google | HELO enstage.com | NL
6 hours | 35.236.184.240 | Google | HELO msu.edu | TW
6 hours | 136.107.26.170 | Google | HELO panoramio.com | US
6 hours | 34.75.39.168 | Google | HELO mensfitness.com | US
6 hours | 35.232.104.122 | Google | HELO drugstore.com | US
6 hours | 34.139.49.70 | Google | HELO sportskeeda.com | US
6 hours | 34.122.137.63 | Google | HELO drugstore.com | US
6 hours | 34.74.58.253 | Google | HELO trivago.com | US
7 hours | 34.125.200.107 | Google | HELO patrika.com | US
7 hours | 34.136.229.229 | Google | HELO minecraftsix.com | US
7 hours | 35.227.32.106 | Google | HELO collegeconfidential.com | US
7 hours | 35.221.244.42 | Google | HELO patrika.com | US
7 hours | 8.229.56.114 | Google | HELO mismarcadores.com | US
7 hours | 35.232.115.111 | Google | HELO pge.com | US
7 hours | 209.250.5.63 | Armour Cloud | HELO prd-bd-D487NP.bounceprevention.com | US
8 hours | 34.59.90.183 | Google | HELO hochi.co.jp | US
8 hours | 71.208.248.152 | CenturyLink | HELO localdomain.com | US
8 hours | 34.125.135.93 | Google | HELO gayboystube.com | US
8 hours | 34.172.60.67 | Google | HELO mensfitness.com | US
8 hours | 34.74.133.221 | Google | HELO couchsurfing.com | US
8 hours | 34.106.15.184 | Google | HELO enstage.com | US
9 hours | 34.138.152.18 | Google | HELO hochi.co.jp | US
9 hours | 34.124.193.7 | Google | HELO blackberry.com | SG
9 hours | 34.168.39.233 | Google | HELO gayboystube.com | US
9 hours | 35.196.73.253 | Google | HELO gayboystube.com | US
9 hours | 34.150.212.88 | Google | HELO patrika.com | US
10 hours | 2a14:1ec7:f728:80f3::1 | Interserver | helo 150.241.203.220 | US
11 hours | 184.107.179.141 | Leaseweb | HELO mx.mxsvc.net | CA
12 hours | 74.50.94.11 | Interserver | HELO mx.mxsvc.net | US
12 hours | 13.216.10.131 | Amazon | helo 1559931.cloudwaysapps.com | US
14 hours | 3.212.147.222 | Amazon | HELO prestwich.org | US
15 hours | 209.250.5.46 | Armour Cloud | HELO prd-bd-OGYXKV.cleamyemaillist.com | US
17 hours | 34.80.53.241 | Google | HELO sportskeeda.com | TW
17 hours | 136.118.254.35 | Google | HELO trivago.com | US
17 hours | 136.115.70.140 | Google | HELO trivago.com | US
17 hours | 34.73.1.244 | Google | HELO trivago.com | US
18 hours | 104.196.156.39 | Google | HELO biccamera.com | US
18 hours | 35.239.0.114 | Google | HELO deadline.com | US
18 hours | 136.117.21.117 | Google | HELO enstage.com | US
18 hours | 8.229.202.170 | Google | HELO msu.edu | US
18 hours | 34.106.228.201 | Google | HELO minecraftsix.com | US
19 hours | 34.106.231.194 | Google | HELO patrika.com | US
19 hours | 34.172.26.218 | Google | HELO drugstore.com | US
19 hours | 104.155.232.241 | Google | HELO panoramio.com | TW
19 hours | 34.75.54.151 | Google | HELO ekitan.com | US
20 hours | 35.185.176.210 | Google | HELO biblestudytools.com | SG
20 hours | 35.185.125.14 | Google | HELO buscroatia.com | US
20 hours | 34.122.100.62 | Google | HELO klintmarketing.com | US
20 hours | 34.139.101.23 | Google | HELO dreampairshoes.com | US
20 hours | 34.74.180.9 | Google | HELO futureaudioworkshop.com | US
20 hours | 34.126.175.173 | Google | HELO neopets.com | SG
22 hours | 8.229.128.98 | Google | HELO minecraftsix.com | US
23 hours | 35.247.187.219 | Google | HELO ideas42.org | SG
23 hours | 34.80.163.106 | Google | HELO nedhardy.com | TW
23 hours | 34.145.123.14 | Google | HELO lapizlopez.cl | US
23 hours | 136.112.45.90 | Google | HELO essen-ohne-kohlenhydrate.info | US
23 hours | 34.81.128.49 | Google | HELO chiletrabajos.cl | TW
MailEnable survivor / convert --
YS Tech Replied
@J.LaDow where do you have these setup, as a spam check custom rule?
Or under Content Filtering for any given domain?
Or via a third party system like Declude or similar?
Do you not have to try and add every available version of what they are using?
*c0sct0*@*
*cosct0*@*
*c0scto*@*
*c05ct0*@*
*cOsct0*@*
*COsct0*@*
etc...

Could you block emails with "UnknownHost" in the header?
e.g. Received: from able.visio.sa.com (UnknownHost [194.1.192.242])

Thanks
J. LaDow Replied
It only filters on either the EHLO/HELO string presented, or the senderEmail(1) that is presented during the initial connection before the DATA command is allowed.

The additions become a little cumbersome - but the blocking is way more effective. This is the main reason I want regex support in the SMTP blocking section.

There are ultimately about 20 brands that they're using to send these scam emails. The SMTP blocks won't get them all (based on string variation) but they can definitely cut the traffic down considerably, especially when they start burning through IPs. Enough variants means that when their "scripting" changes sender addresses, the new IPs get caught just like the previously known ones do.

To access: SETTINGS (top menu) -> SECURITY (left menu) -> SMTP Blocks (data view header)

MailEnable survivor / convert --
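The wildcard blocks discussed above have to be spelled out for every variant the spammer tries (0 for o, i for l, a dropped letter, two letters swapped). As an added example, not SmarterMail's SMTP Blocks feature and not J. LaDow's tooling, here is a small Python triage pass that folds look-alike characters on both the brand name and the envelope sender, then looks for the brand inside the local part within one edit, counting an adjacent swap as one edit. The sample senders and the brand list are constructed; SmarterMail's SMTP Blocks screen still takes only glob patterns, so this is for scanning logs after the fact or for deciding which variants are worth adding.

```python
import re

# Look-alike characters the thread's samples use (0 for o, i/1/| for l, 5 for s ...).
# Both the brand and the candidate go through the same mapping, so i and l are
# treated as one letter on both sides rather than "corrected" on one side only.
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "i": "l", "|": "l", "!": "l",
    "3": "e", "4": "a", "@": "a", "5": "s", "$": "s", "7": "t", "8": "b",
})


def normalize(text):
    """Lowercase, fold look-alike characters, drop everything but letters."""
    return re.sub(r"[^a-z]", "", text.lower().translate(HOMOGLYPHS))


def osa_distance(a, b):
    """Optimal string alignment (restricted Damerau-Levenshtein) distance, so a
    single adjacent swap such as 'coscto' vs 'costco' costs 1 rather than 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def brand_lookalike(address, brands, max_distance=1):
    """Return the first brand whose normalized name appears inside the normalized
    local part within max_distance edits (substitute, insert, delete, swap), or
    None. Windows one character shorter or longer than the brand catch a dropped
    or doubled letter ('mari0tt' for 'marriott')."""
    local = address.rsplit("@", 1)[0]
    text = normalize(local)
    for brand in brands:
        target = normalize(brand)
        n = len(target)
        for width in (n - 1, n, n + 1):
            if width < 1:
                continue
            for start in range(max(1, len(text) - width + 1)):
                if osa_distance(text[start:start + width], target) <= max_distance:
                    return brand
    return None


# Constructed envelope senders in the style of the thread's examples; the domains
# are placeholders, not real sending infrastructure.
SAMPLE_SENDERS = [
    "c0sct0.rewards@example.com",
    "mari0tt-bonvoy@example.net",
    "bieucr0ss.benefits@example.org",
    "alice@gmail.com",
    "bounces+12345@mailer.example",
]
WATCHED_BRANDS = ["costco", "marriott", "bluecross"]


def triage(senders, brands):
    """Map each sender to the brand it imitates (None when it imitates none)."""
    return {s: brand_lookalike(s, brands) for s in senders}


if __name__ == "__main__":
    for sender, brand in triage(SAMPLE_SENDERS, WATCHED_BRANDS).items():
        print(f"{sender:35} -> {brand or 'clean'}")
```

This also matches a correctly spelled brand-name local part, which is the point the post above makes: a brand name as the envelope sender on an unexpected IP is the signal, since the real companies bounce through a third-party sender. Treat hits as candidates for an SMTP block and an IP ban after a look at the logs, not as automatic deletes.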
Douglas Foster Replied
How do you judge whether an IP address is dedicated to one bad organization or shared between good and bad organizations?

I pulled a list of IP addresses with 2 or more values for HELO, which produced 45 matches.   Using the PSL to define organizations, I found:
  • 6 IP addresses had two HELO organizations but a single Return-Path organization
  • 13 IP addresses had a single HELO organization, but multiple Return-Path organizations
  • 24 IP addresses had a single HELO organization and a single Return-Path organization, but the organizations were different.
  • 2 IP addresses had a single organization for all HELO and Return-Path addresses.
On the flip side, I have thousands of Return-Path domains that arrive from multiple IP addresses within a single hosting service such as Amazon SES, Barracuda, ExactTarget, Google, Proofpoint, Okta, Outlook.com and others.

Both of these lists suggest to me that IP blocking is tricky unless I can prove that the IP address is not shared, or only shared by multiple bad guys, and I find this difficult to prove.
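One way to run the HELO-versus-Return-Path organization comparison described above, added here as an example and not the poster's own script: reduce each name to its registrable domain with a Public Suffix List lookup, then put each IP into one of the four buckets counted above (plus the multi/multi case, which the post's selection did not include). The suffix set and the log records are constructed; a real run loads the full list from publicsuffix.org and feeds it parsed SMTP log records.

```python
from collections import defaultdict

# Constructed subset of the Public Suffix List (publicsuffix.org); a real run should
# load the full list. "example" is included because the sample uses RFC 2606 names.
PUBLIC_SUFFIXES = {"com", "net", "org", "info", "co.uk", "com.ph", "co.jp", "cl", "example"}

MULTI_HELO_SINGLE_RP = "multiple HELO orgs, single Return-Path org"
SINGLE_HELO_MULTI_RP = "single HELO org, multiple Return-Path orgs"
SINGLE_SINGLE_MISMATCH = "single HELO org and single Return-Path org, but different"
SINGLE_ORG = "single org for HELO and Return-Path"
MULTI_MULTI = "multiple HELO orgs and multiple Return-Path orgs"


def organization(hostname):
    """Reduce a HELO name or Return-Path domain to its registrable domain (one
    label below the longest matching public suffix). IP literals and names under
    unknown TLDs are returned as-is so they form their own 'organization'."""
    clean = hostname.strip("[]").lower().rstrip(".")
    labels = clean.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return clean


def classify_ip_sharing(records):
    """records: iterable of (client_ip, helo_name, return_path_domain) taken from
    the SMTP log. Returns {ip: bucket} using the buckets counted in the post."""
    helos, rps = defaultdict(set), defaultdict(set)
    for ip, helo, rp in records:
        helos[ip].add(organization(helo))
        rps[ip].add(organization(rp))
    result = {}
    for ip in helos:
        h, r = helos[ip], rps[ip]
        if len(h) > 1 and len(r) == 1:
            result[ip] = MULTI_HELO_SINGLE_RP
        elif len(h) == 1 and len(r) > 1:
            result[ip] = SINGLE_HELO_MULTI_RP
        elif len(h) == 1 and len(r) == 1:
            result[ip] = SINGLE_ORG if h == r else SINGLE_SINGLE_MISMATCH
        else:
            result[ip] = MULTI_MULTI
    return result


def bucket_counts(classified):
    """Tally of IPs per bucket, the summary the post reports."""
    counts = defaultdict(int)
    for bucket in classified.values():
        counts[bucket] += 1
    return dict(counts)


# Constructed records: (client ip, HELO argument, Return-Path domain).
SAMPLE_RECORDS = [
    ("203.0.113.10", "drugstore.com", "bounce.drugstore.com"),
    ("203.0.113.10", "trivago.com", "promo.drugstore.com"),
    ("203.0.113.20", "mail.sendhost.example", "alpha.co.uk"),
    ("203.0.113.20", "mail.sendhost.example", "beta.com"),
    ("203.0.113.30", "mx.mailer.example", "shop.example.org"),
    ("203.0.113.40", "mail.corp.example", "corp.example"),
    ("203.0.113.50", "[203.0.113.50]", "cheap-pills.example"),
]

if __name__ == "__main__":
    classified = classify_ip_sharing(SAMPLE_RECORDS)
    for ip, bucket in sorted(classified.items()):
        print(f"{ip:15} {bucket}")
    print(bucket_counts(classified))
```

Only the single-organization bucket describes an IP that can be blocked on the strength of its own traffic; the "single HELO org, multiple Return-Path orgs" bucket is exactly what a hosted sender such as an ESP looks like, and blocking it hits every tenant behind it.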
J. LaDow Replied
First part - we edge-block for 30 days if the IP trips the IPBan log monitoring.  

For the EHLO/HELO or SMTP blocking by email address, it's only manageable because we're not a large provider - there's a lot of log analysis after the fact. We scan daily for patterns that start appearing - the newest one is sending <support@[impersonated-basic-toplevel-domain.ext]> but they come from googleusercontent IPs - in that address space the IPs may be recycled over time but they're not shared. Google's shared IPs are in their SPF so they pass. We take what patterns we see, then scan backwards for a period of time to see if our "potential block" will affect legitimate senders (we have logs going back 90 days).

It will always be cat and mouse - but being able to scan for certain patterns like HELO [impersonated-basic-toplevel-domain.ext] from googleusercontent with <support@[impersonated-basic-toplevel-domain.ext]> and watching our IP scanner block literally a hundred IPs a day that would have sent in several hundred attempted messages is still something.

Most of the big shared senders use a reserved IP space that identifies differently in EHLO, or they have proper SPF/DMARC/DKIM for the domains they're impersonating.

Our main goal when all is said and done is to have a system that not only scans the logs but can evaluate the offenders on a more granular level, with some automation that can retrieve its own data about sending IPs - and then integrate with our IP ban.

Currently, we're integrating rspamd - and when I have a better idea how that will all look I'll be able to provide some better notes --

In the end, I'd rather have someone email our support desk and say they're having problems getting mail from an account because we inadvertently blocked an IP (or that IP was being shared with an abuser) - than have the IP be allowed to send in hundreds of malicious/abusive emails when we had the evidence of bad behavior. In a case like that we would get the issue resolved with the outside provider - but we don't waste our time reporting the hundreds of IPs to google, AWS, or whoever.  Eonix is another problem datacenter that we see abuse come from entire class-c's at once and just need blocked for a while until they cool down or are re-sold.


MailEnable survivor / convert --
Michael Replied
@YS Tech have you heard anything more about custom rules not running?
YS Tech Replied
@Michael, no, no response as yet, may have to raise a ticket for this one.
MattyT Replied
Well, have I got a story for us SM admins.

On a whim, I set up a Proxmox Mail Gateway VM, configured it using a little-used domain of mine, opened up the necessary SMTP ports, configured MX records and had it forward to SM. It's a bear to configure as it has a zillion bewildering options. Yet, I really wasn't impressed with the spam filtering results. Then, I installed rspamd on it, and configured rspamd to scan email, pass it to Proxmox, and then off to SM via SMTP. Still not so great. Then I read up on Ollama, which is an open source platform to run LLMs. I saw a tutorial to install Ollama on the Proxmox server as a plugin for rspamd. Not expecting it to run, frankly, as everything was so convoluted, and not being a Red Hat Certified Engineer or anything... I downloaded and enabled the deepseek-r1 LLM. Okay, so far everything is working but I have no idea if it is actually going to be useful. Rather than change DNS to point MX records to Proxmox, I went into SM and configured the rspamd options, pointing it to the rspamd service running on the Proxmox server. Enabled it at around 6pm yesterday. By 9pm, I noticed a substantial reduction in spam, like nearly none in my inbox. This morning? Nearly none, except for a slew of junk properly deposited in the junk mail folder. I queried a few of my customers and they noticed the same. I got a few today in my inbox but it's an amazing reduction.

I wasn't crazy about using Deepseek, seeing it's a Chinese model, and all that this might entail, but it works and works well. I chatted with Google Gemini about changing the model to a US model for compliance reasons a number of my customers have to meet. Gemini was insistent that the LLM itself is not a threat but said that either the Meta Llama model or Google's Gemma model might be faster and just as good. I'm going to disable SM's connection to it, change the model, re-enable and see what happens. Gemini recommended a minimum of 16gb of memory for the Ollama service using the AI models.

Suffice to say, although I'm only 24 hours in, I am truly shocked at the dramatic reduction in spam I'm seeing, and it doesn't cost a dime other than CPU cycles. I'll provide updates as I tinker and learn.

Matt
YS Tech Replied
@Michael, i've just been through a ticket with SM and have gained a bit more knowledge on the way the spam filters and content filters are working.

The reason the content filters aren't working is more than likely because the spam filters are working better, and if they trigger first, it won't look to the content filters to do anything as it's already been filtered.
I think i've seen this because my spam filters are actually working better now and placing everything in the spam folder instead of it getting to my content filters that removed the emails or placed them in specific folders.

So, 2 options really.
1) Leave the filtering to do its work and if they are all spam going into the spam folder, choose what you do with them with the main spam filters, whether it be delete or just move to spam.
2) Change your weight ranges so certain probabilities of spam don't get moved into spam; then these emails will go on to the domain level spam filters and, if not picked up by them, on to the content filters.

I'm going to have a play around with the weight ranges and see what happens and when it starts triggering the content filters.

Spam/Content filter order:
1) System Spam checks
2) Domain level Spam checks (if different)
3) Domain level Content Filters
4) User level Spam checks (if different)
5) User level Content Filters

Hope this helps.
MattyT Replied
It has been three days since I enabled my first rspamd server with ollama/gpt integration. After day one on the first "Franken-server" I built, I decided to build a new rspamd server to deploy without Proxmox mail gateway. I decided that the ideal one would have just the minimum services required and be firewalled from other servers. In the end I used a stripped down Debian server running ssh, rspamd, ollama, and bind. It is not exposed to the Internet and has no postfix or smtp engine of any kind. The new vm instance has 24gb of memory and 8 vCPUs. It took some tinkering to get running properly which included quite a bit of trial and error with various conf file settings. The various services are configured to only allow my SmarterMail server IP addresses to query them. Google's Gemini recommended that I use models either Llama 3.2 (Meta), Phi (Mister Softee), or Gemma (Google). Within each family are variants which might be "smarter" but have substantially higher system requirements such as dedicated GPUs in order to function timely enough for mail filter processing. I opted for Gemma3 which seems to be a good balance between intelligence and performance on relatively low system resources. The model download was approximately 5GB. It runs completely locally and makes no calls out to the Internet, except for rspamd downloading RBL type data, and apt for system updates. I made my last tweaks late last night before switching from the first server iteration to the new one.

This morning, I had zero spam in inbox, and the usual suspects in the junk folder. The only false positives I noticed were local maintenance job notifications because they bypass authentication and fail tests applied to incoming email. At this point, it seems too good to be true which of course worries me greatly. Until I get a complaint from hosting customers about any missing messages, I am going to let this ride and hope that it truly is the remarkable solution that it seems to be, so far... I suspect that at some point spam attacks will attempt to bypass the AI tests as it is naive to believe anything other than that this is an endless battle!

Matt
Merle Wait Replied
@mattyt Am going to try setting this up.... 
I know nothing of Linux, but I know "a guy" that does...
Thank you for the information and insight.
MattyT Replied
Hi Merle,

Well, let me give you an update. Turns out, my Ollama plugin for rspamd, although running, wasn't actually passing judgment on any email at first, to my disappointment. There was something wrong with the syntax and some other rspamd code that was ignoring the scores, or not even attempting to score mail. I kept at it for days, tinkering and making changes to the config files, practically threw in the towel, and eventually asked Anthropic's Claude for help. It recommended code changes I never possibly would have figured out on my own, and got it working.

Literally, there is a config file with a prompt that tells the LLM to examine the spooled messages and respond with spam or ham. That code runs against every message in the rspamd spool. Rspamd then puts a value in the header, along with the other tests. It's not perfect but it is working and should get better with time with Bayesian tests.

The problem I've encountered is that an LLM requires far more "horsepower" than I have to give to it for it to run well. Even with 8 (modestly older Xeon) vCPUs and 24GB of memory, I really need a GPU for the LLM model to be able to keep up with the mail spool! But, I am not about to drop 3 grand or more on the recommended CPU/GPU hardware for it to be substantially faster. Nevertheless, it, alongside all the other rspamd checks, has made a huge dent in the spam/phishing attacks. I revisited all my DMARC and SPF settings for my customers' domains, tinkered with the SmarterMail weights, checks, and blocks, implemented this rspamd Frankenspam server, and I can confidently say that I'm generally happy with the results and my customers are, too. Good luck, and I'm happy to try and help you out if you need any assistance.

Matt
Merle Wait Replied
Thank you @MattyT for the update...
I'll just go with RSPAM ... and check a couple of configs on server as well.
Really appreciate the update.

