We have SPAM emails which appear to be sent via sendgrid.net but have the FROM: domain of one of our domains we host. The ASSP filter does not appear to be catching these in something that should be detected as a relay. Any suggestions?
Thanks,
Brian S - Running: 2.6.4 build 20224

Below is from the Mail Analyzer:

analyze is restricted to a maximum length of 8069 bytes
attachments will be fully scanned for viruses
text processing uses unicode normalization
regular expression matches and results are truncated to 32 (RegExLength) characters
ASSP-ID: assp.epiinc.inet m1-56277-01738
ASSP-Session: 7F3401180A68 (mail 1)
removed all local X-ASSP- header lines for analysis

Connecting IP: '149.72.31.47'
ASN-info: ASN: 11377 , RIP/Mask: 149.72.24.0/21
Connecting HELO: wrqvkfnf.outbound-mail.sendgrid.net

sender and reply addresses:
MAIL FROM: bounces+14132192-d80c-info=delanoservice....@sendgrid.net
Return-Path: bounces+14132192-d80c-info=delanoservice....@sendgrid.net
From: do_not_re...@delanoservice.com

recipient addresses:
RCPT TO: i...@delanoservice.com
To: i...@delanoservice.com

Subject: Ownership Email Setup

Feature Matching:
. DoNoFrom: OK - mode is scoring
. 149.72.31.47 is in SPFCache: status=pass with helo=wrqvkfnf.outbound-mail.sendgrid.net
. DKIM-check returned OK verified-OK for identity '@sendgrid.net'
. SPF-check returned OK for 149.72.31.47 -> bounces+14132192-d80c-info=delanoservice....@sendgrid.net , wrqvkfnf.outbound-mail.sendgrid.net
. SPF: pass (cache) ip=149.72.31.47 mailfrom=bounces+14132192-d80c-info=delanoservice....@sendgrid.net helo=wrqvkfnf.outbound-mail.sendgrid.net
. URIBL check: 'OK'
. URIBL result: 'URIBL: neutral, u14132192.ct.sendgrid.net listed in multi.surbl.org' URIBL listed by: multi.surbl.org<-127.0.0.8;
. Valid Format of HELO: 'wrqvkfnf.outbound-mail.sendgrid.net'
. IP in Helo check: 'OK'
. AUTH would be disabled
. RBLCacheCheck returned OK for 149.72.31.47 : inserted as ok at 2020-08-18 08:32:16
. domain sendgrid.net (in Mail From: , Return-Path) has a valid MX record: mx.sendgrid.net
. domainMX mx.sendgrid.net has a valid A record: 167.89.123.50
. 149.72.31.47 is in PTRCache: status=PTR OK - wrqvkfnf.outbound-mail.sendgrid.net
. 149.72.31.47 is in RWLCache: status=not listed
. 149.72.31.47 SenderBase: status=not classified, data=[CN=US, ORG=STEADFAST, DOM=sendgrid.net, BLS=, HNM=Y, CIDR=20, HN=wrqvkfnf.outbound-mail]

Feature Matching Log:
Aug-19-20 10:37:28 [Main_Thread] Info: analyze detected: IP: '149.72.31.47' , HELO: 'wrqvkfnf.outbound-mail.sendgrid.net' , assp-Host: 'assp.epiinc.inet'
Aug-19-20 10:37:29 [Main_Thread] [scoring] DKIM signature verified-OK - pass - identity is: @sendgrid.net - sender policy is: accept - author policy is: accept
Aug-19-20 10:37:29 [Main_Thread] Info: analyzing MIME header in incoming email for virus
Aug-19-20 10:37:29 [Main_Thread] Info: analyzing attachments in incoming email
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
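The analyzer report above shows why envelope-level checks pass on this message: SPF is evaluated against the MAIL FROM domain (sendgrid.net) and the DKIM signature verifies for the identity @sendgrid.net, while the From: header carries delanoservice.com. None of the listed checks compares those authenticated identities with the From: domain; that comparison is DMARC identifier alignment (RFC 7489 section 3.1). The following is an added example, not ASSP code and not part of the original post, that evaluates relaxed and strict alignment over the identities an analyzer report exposes. The sample records are constructed from the domains in the report (local parts are elided there, so placeholders are used), and the organizational-domain computation is a deliberate simplification (last two labels) where a real implementation would consult the Public Suffix List.

```python
"""Added example (not ASSP code): DMARC identifier alignment over the
identities that a mail analyzer report exposes (RFC 7489 section 3.1)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuthResult:
    header_from: str             # RFC5322.From address
    mail_from: str               # RFC5321.MailFrom (envelope sender / Return-Path)
    spf_result: str              # "pass", "fail", "softfail", "none", ...
    dkim_domain: Optional[str]   # DKIM signing identity domain, None if unsigned
    dkim_result: str             # "pass", "fail", "none"


def domain_of(address: str) -> str:
    """Domain part of an address, lower-cased, without a trailing dot."""
    return address.rsplit("@", 1)[-1].lower().rstrip(".")


def organizational_domain(domain: str) -> str:
    """Simplification: assume the organizational domain is the last two labels.
    A real implementation consults the Public Suffix List (co.uk, etc.)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(authenticated_domain: str, from_domain: str, mode: str = "relaxed") -> bool:
    """Strict alignment needs an exact match; relaxed needs the same organizational domain."""
    if mode == "strict":
        return authenticated_domain.lower() == from_domain.lower()
    return organizational_domain(authenticated_domain) == organizational_domain(from_domain)


def dmarc_evaluate(r: AuthResult, mode: str = "relaxed") -> dict:
    """DMARC passes if SPF or DKIM passed AND that identity aligns with the From: domain."""
    from_domain = domain_of(r.header_from)
    spf_aligned = r.spf_result == "pass" and aligned(domain_of(r.mail_from), from_domain, mode)
    dkim_aligned = (
        r.dkim_result == "pass"
        and r.dkim_domain is not None
        and aligned(r.dkim_domain, from_domain, mode)
    )
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": spf_aligned or dkim_aligned,
    }


# Constructed from the domains in the analyzer report; local parts are placeholders.
REPORTED = AuthResult(
    header_from="sender@delanoservice.com",          # placeholder local part
    mail_from="bounces+PLACEHOLDER@sendgrid.net",    # placeholder local part
    spf_result="pass",
    dkim_domain="sendgrid.net",
    dkim_result="pass",
)

# Constructed contrast: the same provider sending with a customer-owned return-path
# subdomain and a DKIM key under the customer's domain (hypothetical names).
ALIGNED = AuthResult(
    header_from="sender@delanoservice.com",
    mail_from="bounces@em123.delanoservice.com",     # hypothetical subdomain
    spf_result="pass",
    dkim_domain="delanoservice.com",
    dkim_result="pass",
)


def reported_verdict(mode: str = "relaxed") -> dict:
    return dmarc_evaluate(REPORTED, mode)


def aligned_verdict(mode: str = "relaxed") -> dict:
    return dmarc_evaluate(ALIGNED, mode)


if __name__ == "__main__":
    for label, verdict in (("as reported", reported_verdict()), ("aligned setup", aligned_verdict())):
        print(label, verdict)
```

Run as-is, the "as reported" case shows SPF pass and DKIM pass but neither identity aligned with delanoservice.com, so the DMARC verdict is a fail; the contrast case passes under relaxed alignment through both identities and under strict alignment through DKIM alone (the subdomain return-path no longer matches exactly). The practical takeaway for the report above is that a message with a local From: domain, a pass on sendgrid.net identities, and no aligned identity is exactly what a DMARC policy on the hosted domain would reject or quarantine.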