Mail Filter not working

NethServer Version: 7.9.2009
Module: nethserver-mail

I have put in some domains as “block” I no longer want to receive spam from, but I still receive spam. The configuration is pretty simple in the UI, so I’m not sure what else I need to do to get it blocked. At first I did the whole domain, which didn’t work. Then I added the specific e-mail address.


Open the rspamd user interface, go to History and search for childrens; then you can select those emails, see where they’re really coming from, and try blocks based on those addresses or domains.

This is what it shows:

ASN (0) [asn:22606, ipnet:13.111.0.0/16, country:US]
BAYES_SPAM (5.064175) [99.91%]
DKIM_REPUTATION (-0.407967) [-0.40796675305569]
DKIM_TRACE (0) [childrenslearningadventure.com:+]
DMARC_NA (0) [childrenslearningadventure.com]
FORGED_SENDER (0.3) [info@childrenslearningadventure.com,bounce-26080_HTML-1234716950-60522-100039513-32786@bounce.s10.mc.pd25.com]
FROM_HAS_DN (0)
FROM_NEQ_ENVFROM (0) [info@childrenslearningadventure.com,bounce-26080_HTML-1234716950-60522-100039513-32786@bounce.s10.mc.pd25.com]
GENERIC_REPUTATION (-0.407967) [-0.40796675305569]
HAS_LIST_UNSUB (-0.01)
IP_REPUTATION_HAM (-0.669566) [asn: 22606(-0.28), country: US(-0.01), ip: 13.111.127.178(-0.39)]
MIME_GOOD (-0.1) [multipart/alternative,text/plain]
MIME_TRACE (0) [0:+,1:+,2:~]
MX_GOOD (-0.01) []
NEURAL_HAM (0) [-1.000]
PREVIOUSLY_DELIVERED (0) [<my_email>]
R_DKIM_ALLOW (0.154698) [childrenslearningadventure.com:s=200608]
R_SPF_ALLOW (-0.2) [+ip4:13.111.0.0/16:c]
R_SUSPICIOUS_IMAGES (1.69756)
RCPT_COUNT_ONE (0) [1]
RCVD_COUNT_TWO (0) [2]
RCVD_IN_DNSWL_NONE (0) [13.111.127.178:from]
RCVD_TLS_LAST (0)
SPF_REPUTATION_HAM (-0.622326) [-0.62232576017374]
SUBJECT_HAS_EXCLAIM (0)
TO_DN_NONE (0)
TO_MATCH_ENVRCPT_ALL (0)

Is it this “bounce.s10.mc.pd25.com” domain that I need to block? Looks like it’s a mail sending service, so blocking it may impact other e-mails I receive? Is there another way to block e-mails based on the forged From address?

Yes. It’s also possible to block pd25.com, so any subdomains like *.pd25.com will be blocked too, see Email — NethServer 7 Final

No, I don’t think so as there’s no DNS entry for that domain.
You could always check rspamd interface for possibly wrong blocks.

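An added example, not part of the original thread and not NethServer's or rspamd's own code: it parses rspamd history symbol lines like the ones quoted above, reads the header From and the envelope sender out of FROM_NEQ_ENVFROM, and tests block entries against the envelope sender. The matching rule (compare against the envelope sender, with a domain entry also covering its subdomains) is an assumption drawn from the replies in this thread, and all function names are hypothetical.

```python
import re

# Symbol lines copied from the rspamd history output quoted in this thread.
SAMPLE = """\
BAYES_SPAM (5.064175) [99.91%]
FORGED_SENDER (0.3) [info@childrenslearningadventure.com,bounce-26080_HTML-1234716950-60522-100039513-32786@bounce.s10.mc.pd25.com]
FROM_NEQ_ENVFROM (0) [info@childrenslearningadventure.com,bounce-26080_HTML-1234716950-60522-100039513-32786@bounce.s10.mc.pd25.com]
MX_GOOD (-0.01) []
R_SPF_ALLOW (-0.2) [+ip4:13.111.0.0/16:c]
"""

# NAME (score) [opt1,opt2,...]  -- the bracketed options are optional.
SYMBOL_RE = re.compile(
    r"^(?P<name>[A-Z0-9_]+) \((?P<score>-?[\d.]+)\)(?: \[(?P<opts>.*)\])?$")

def parse_symbols(text):
    """Return {symbol_name: (score, [options])} for every symbol line."""
    symbols = {}
    for line in text.splitlines():
        m = SYMBOL_RE.match(line.strip())
        if not m:
            continue  # skip blank or unrelated lines
        opts = m.group("opts")
        options = [o.strip() for o in opts.split(",")] if opts else []
        symbols[m.group("name")] = (float(m.group("score")), options)
    return symbols

def senders(symbols):
    """Header From and envelope sender as listed by FROM_NEQ_ENVFROM.
    Returns None when the symbol is absent or malformed."""
    options = symbols.get("FROM_NEQ_ENVFROM", (0.0, []))[1]
    if len(options) != 2:
        return None
    return {"header_from": options[0].lower(),
            "envelope_from": options[1].lower()}

def entry_matches(entry, address):
    """Assumed rule: an address entry must equal the address; a domain
    entry matches that domain and any subdomain of it."""
    entry = entry.lower()
    if "@" in entry:
        return entry == address
    domain = address.rsplit("@", 1)[-1]
    return domain == entry or domain.endswith("." + entry)

def blocked(entries, envelope_from):
    """True if any block entry matches the envelope sender."""
    return any(entry_matches(e, envelope_from) for e in entries)
```

Under that assumed rule, the two entries tried in the first post match only the header From, while `bounce.s10.mc.pd25.com` or `pd25.com` match the envelope sender that rspamd recorded.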