Why Spamassassin doesn't catch this email? [Solved]

Operating System & Version
CENTOS 7.9
cPanel & WHM Version
v94.0.13

gix0970

cPanel Access Level
Root Administrator
A user has been receiving this spam email for a period of 2 weeks. I'm quite puzzled why SA never catches this. The sender domain does have an SPF record, but there is no record of it in the spam score. I also created a global filter to catch it, but it didn't work.
My filter is something like this: From contains [email protected]; and; To contains [email protected]; and; Body contains 抱歉; and; Body contains 您的邮件被退回来了

Return-Path: <>
Delivered-To: [email protected]
Received: from server.mydomain.com
by server.mydomain.com with LMTP
id 3lpyCSZ9nGKmcwAAK+L+Iw
(envelope-from <>)
for <[email protected]>; Sun, 05 Jun 2022 17:53:42 +0800
Return-path: <>
Envelope-to: [email protected]
Delivery-date: Sun, 05 Jun 2022 17:53:42 +0800
Received: from mail-m9744.mail.163.com ([123.126.97.44]:57759)
by server.mydomain.com with esmtp (Exim 4.94.2)
id 1nxmx1-0007gw-8A
for [email protected]; Sun, 05 Jun 2022 17:53:41 +0800
From: [email protected]
To: [email protected]
X-Bounced-Version: 2022050511
Subject: =?gb2312?B?z7XNs83L0MU=?=
MIME-Version: 1.0
Content-Type: multipart/related;
boundary="----=_Part_25899_830792168.1650522289123"
Date: Sun, 5 Jun 2022 17:52:58 +0800 (CST)
Content-Transfer-Encoding: base64
Delivered-To: [email protected]@163.com
X-CM-Original-Message-ID: <[email protected]>
X-Mailer: Coremail MTA server
X-CM-TRANSID:xN1pCgDX56f3fJxif1k7Aw--.37818S3.B83653
Message-Id:<[email protected]>
X-Spam-Status: No, score=2.3
X-Spam-Score: 23
X-Spam-Bar: ++
X-Ham-Report: Spam detection software, running on the system "server.mydomain.com",
has NOT identified this incoming email as spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
root\@localhost for details.
Content preview: 抱歉,您的邮件被退回来了…… 原邮件信息: 时 间 2022-06-05
17:52:57 主 题 收件人 [email protected] 退信原因: 邮件被反垃圾系统判定为垃圾邮件
英文说明:rejected by system 建议解决方案: 邮件内容中可能含有广告、欺诈、钓鱼、政治、色情类等内容。建议您绿色地使用邮箱,尝试调整邮件的主题、内容和附件内容并再次发送;或联系收件人所属邮件服务商的客服中心了解并解决。

Content analysis details: (2.3 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
[score: 0.5173]
1.4 HTML_COMMENT_SAVED_URL BODY: HTML message is a saved web page
0.0 HTML_MESSAGE BODY: HTML included in message
0.1 MIME_HTML_MOSTLY BODY: Multipart message mostly text/html MIME
-0.0 T_SCC_BODY_TEXT_LINE No description available.
0.0 KAM_SHORT Use of a URL Shortener for very short URL
X-Spam-Flag: NO


cPRex

cPanel Access Level
Root Administrator
Various options can affect the case sensitivity of the filtering. There are some more details on that in this older thread:


gix0970

cPanel Access Level
Root Administrator
Actually, what puzzles me more is the fact that there is no spam score for SPF and DKIM on this email. 163.com has SPF and DKIM records. It seemed as if the network scan didn't happen.
Here is an example of a legitimate email from 163.com:
Return-Path: <[email protected]>
Received: from server.mydomain.com
by server.mydomain.com with LMTP
id Z0UvJLM2k2KPDwAAK+L+Iw
(envelope-from <[email protected]>); Sun, 29 May 2022 17:02:43 +0800
Return-path: <[email protected]>
Envelope-to: [email protected],
[email protected],
[email protected]
Delivery-date: Sun, 29 May 2022 17:02:43 +0800
Received: from m12-19.163.com ([220.181.12.19]:34494 helo=m1219.mail.163.com)
by server.mydomain.com with esmtp (Exim 4.94.2)
(envelope-from <[email protected]>)
id 1nvEod-00010q-UQ; Sun, 29 May 2022 17:02:43 +0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=163.com;
s=s110527; h=Date:From:Subject:MIME-Version:Message-ID; bh=91idf
Uv45AjuSeVwcaDXLCg0gwzo3RXzDlNjV4QPU1U=; b=YNlVXv735a8B3DEfsuEid
FA+J8nkcnTSdmm65eWb3Zv0Zn2of+4jj3+1tWsHBQ8qw7vSKGtM82hVDtUYkEq0L
uWKh1P9Nss4GWZmPntxkE8Vvk+le9bLkdI4/Bf4lbgdUBYmTtiNp2xSPT2kLCi7W
EMstZ9qeGInOfEE/bBkO70=
Received: from sender$163.com ( [x.x.x.x] ) by
ajax-webmail-wmsvr211 (Coremail) ; Sun, 29 May 2022 17:01:04 +0800
(GMT+08:00)
X-Originating-IP: [36.7.186.29]
Date: Sun, 29 May 2022 17:01:04 +0800 (GMT+08:00)
From: =?UTF-8?B?user= <[email protected]>
To: =?UTF-8?B?xxx= <[email protected]>,
=?UTF-8?B?xxx= <[email protected]>,
=?UTF-8?B?xxx= <[email protected]>,
=?UTF-8?B?xx= <[email protected]>
Subject: = Sanitized Subject
X-Priority: 3
X-Mailer: Coremail Webmail Server Version XT5.0.13 build 20210622(1d4788a8)
MailMasterPC/4.17.2.1004_(Win10_19H2) Copyright (c) 2002-2022
www.mailtech.cn 163com
Content-Type: multipart/mixed;
boundary="----=_Part_45765_69990202.1653814864454"
MIME-Version: 1.0
Message-ID: <[email protected]>
X-Coremail-Locale: zh_CN
X-CM-TRANSID:kseowAC31z9RNpNiD4cSAA--.22497W
X-CM-SenderInfo: 5khivx5vkl5tpqvkxqqrwthudrp/xtbBZwEPslet7R7ifwABsO
X-Coremail-Antispam: 1U5529EdanIXcx71UUUUU7vcSsGvfC2KfnxnUU==
X-Spam-Status: No, score=-0.2
X-Spam-Score: -1
X-Spam-Bar: /
X-Ham-Report: Spam detection software, running on the system "server.mydomain.com",
has NOT identified this incoming email as spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
root\@localhost for details.
Content preview: | | sanitized text | | [email protected] |
sanitized text [email protected]
Content analysis details: (-0.2 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0061]
0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail
provider
[sender[at]163.com]
-0.0 SPF_PASS SPF: sender matches SPF record
1.4 HTML_IMAGE_ONLY_28 BODY: HTML: images with 2400-2800 bytes of
words
0.0 HTML_MESSAGE BODY: HTML included in message
-0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from
envelope-from domain
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
valid
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
author's domain
-0.0 T_SCC_BODY_TEXT_LINE No description available.
0.5 KAM_NUMSUBJECT Subject ends in numbers excluding current years
0.0 T_REMOTE_IMAGE Message contains an external image
X-Spam-Flag: NO
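As an added example (not code from this thread, from cPanel or from SpamAssassin), here is a small Python triage script over the two header sets quoted in the posts above: it decodes the gb2312 subject of the first message, flags its null envelope sender and X-Bounced-Version header, checks that the rule points in each X-Ham-Report add up to the X-Spam-Status score, and lists which SPF/DKIM rules the legitimate 163.com message hit that the suspect one never did. The header excerpts are constructed from the posts, with `sender@163.com` standing in for the redacted address.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header

# Header excerpts constructed from the two messages quoted in the thread; the
# X-Ham-Report lines are re-folded with a leading space as in a real mbox file.
SPAM_HDRS = """\
Return-Path: <>
Subject: =?gb2312?B?z7XNs83L0MU=?=
X-Bounced-Version: 2022050511
X-Spam-Status: No, score=2.3
X-Ham-Report: Content analysis details: (2.3 points, 5.0 required)
 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
 1.4 HTML_COMMENT_SAVED_URL BODY: HTML message is a saved web page
 0.1 MIME_HTML_MOSTLY BODY: Multipart message mostly text/html MIME
 0.0 KAM_SHORT Use of a URL Shortener for very short URL
"""
HAM_HDRS = """\
Return-Path: <sender@163.com>
Subject: Sanitized Subject
X-Spam-Status: No, score=-0.2
X-Ham-Report: Content analysis details: (-0.2 points, 5.0 required)
 -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
 -0.0 SPF_PASS SPF: sender matches SPF record
 1.4 HTML_IMAGE_ONLY_28 BODY: HTML: images with 2400-2800 bytes of words
 -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain
 -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
 -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain
 0.5 KAM_NUMSUBJECT Subject ends in numbers excluding current years
"""
RULE_RE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\b", re.M)

def analyze(raw):
    """Summarise SpamAssassin's verdict on one message from its headers."""
    msg = message_from_string(raw)
    rules = {name: float(pts) for pts, name in RULE_RE.findall(msg.get("X-Ham-Report", ""))}
    return {
        "subject": str(make_header(decode_header(msg.get("Subject", "")))),
        # A null reverse-path (<>) is what bounces/DSNs are sent with
        "null_sender": msg.get("Return-Path", "").strip() == "<>",
        "bounce_header": "X-Bounced-Version" in msg,
        "score": float(re.search(r"score=(-?[\d.]+)", msg["X-Spam-Status"]).group(1)),
        "rule_total": round(sum(rules.values()), 1),  # should equal "score"
        "auth_rules": sorted(n for n in rules if n.startswith(("SPF_", "DKIM_"))),
    }

def missing_auth_rules(suspect, reference):
    """SPF/DKIM rules the reference message hit that the suspect never did."""
    return sorted(set(reference["auth_rules"]) - set(suspect["auth_rules"]))
```

Running `analyze` on both excerpts shows the first message carries a null envelope sender, a bounce header and a subject that decodes to 系统退信, and that it hit no SPF or DKIM rule at all while the genuine 163.com mail hit five.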