Lately I keep noticing that a certain kind of spam “slips through”. The spam is “wrapped” with a “Google Forms” header and unfortunately usually has a fairly good (low) spam score, probably because it really does come via the official Google mail servers.

Unfortunately, Rspamd doesn't really “learn” any of this, despite my diligently moving the mails to the spam folder …

Since really nobody needs this Google Forms stuff (except perhaps a few spammers who have apparently hacked some account), I wonder whether I can block such mails in general. In the footer of these mails I always find promotional links from Google that begin like this:

https://docs.google.com/forms/....

So I wonder whether I can configure a rule somewhere that gives mails containing such a link prefix a hefty spam score …?

  • diekuh

    • Community Hero
    • volunteer
    Moolevel 110

Hi,

it's best to post the headers so that readers and helpers can get an impression.

Yes, you can build such rules. It should work with just a bit of regex, score changes and multimaps (everything on that is in the Rspamd docs).

Here is the header (my mail anonymized):

Return-Path: <33APqXwwJApE5y3y3zC7LLMN17v36.x97744vx9Ezx.yz@trix.bounces.google.com>
Delivered-To: email@meinedomain.de
Received: from mail.meinedomain.de ([172.22.1.11])
	by 539db5247626 with LMTP
	id GCsvJOQD6l86Fg0Akqpssg
	(envelope-from <33APqXwwJApE5y3y3zC7LLMN17v36.x97744vx9Ezx.yz@trix.bounces.google.com>)
	for <email@meinedomain.de>; Mon, 28 Dec 2020 17:12:20 +0100
Received: from mail-ot1-f72.google.com (mail-ot1-f72.google.com [209.85.210.72])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by mail.meinedomain.de (Postcow) with ESMTPS id 4B0722F60001
	for <email@meinedomain.de>; Mon, 28 Dec 2020 17:12:15 +0100 (CET)
Received: by mail-ot1-f72.google.com with SMTP id x25so7595232otq.0
        for <email@meinedomain.de>; Mon, 28 Dec 2020 08:12:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:reply-to:message-id:date:subject:from:to;
        bh=7Rbi52bTOhni54aS0/0vMClAZJqbJmANbfVa6MevgJY=;
        b=UArioVIs72IQPGjT+X1Ux88ViVaarQtMvSS74Z7hr6bsf+AlIkJbCr+sm7pBPguhsB
         WKQ2KdI4sms01jeAvy+D/kqP4/gJ6vdIRhQfOE1v6qd2Hbz1v4kuCU5dX1fga9Aaf5E1
         h6zjj1jFhALy/v8QmWsvA7OTyJLDtuMqr3TWr7SXXjTuGj6upWoG0PYldZdFcMYHO0UM
         Xe8ruYKks9iBxAYQh3YasEY3cHkaHemgMR/bkzp3irRFlXB1p3nfTHf1DgUXouYIuHg6
         l5fQhreecQIQ7hnacWmeo0Xhke82js8a1cp9iZfxsjpPgyiV15XEz3wy/RLzcylrYGP0
         yJaA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:reply-to:message-id:date:subject
         :from:to;
        bh=7Rbi52bTOhni54aS0/0vMClAZJqbJmANbfVa6MevgJY=;
        b=i1JlAzn0E134X2sJnwpzGTLTAVCbNXCvvJT+px46BF/7dwCseDHZ+cv9dR55URQ+wJ
         MCEoEV4lJFFF2BQs6CyOJ/vGPB4e62YG3i9/kbA0vNM/IGq9K1jbp6YVxUPm3aGak67V
         bdeESx7DbN3j96r2viOSX6i9LZRqFDU6SITwtM3+W+rWKzijaDsG6D+xpwJXWbZ/k5U1
         w4R+r6ejny52wlKE9t2kDtX66LsDG+lcHMVfrmUkUlmUwOS75bPStxFLjx3scQgTk1bC
         dh8A8IbL6RhgddBcYCbwEh1J57/KgTrQfc4kk38sN2cTIGnQ+GROkrnP+afTGHDQ4Aq0
         V0AQ==
X-Gm-Message-State: AOAM5318Lo17TEmzo8A++eyhl2by7fH9QRB0e7eunvKDbwtTAhvBowjZ
	07d8yE/nfNP9glbshElbQn7NqDVubhHsvqFW3D2X
MIME-Version: 1.0
X-Received: by 2002:a9d:2248:: with SMTP id o66mt18107392ota.236.1609171932732;
 Mon, 28 Dec 2020 08:12:12 -0800 (PST)
Reply-To: kdidierm0012@gmail.com
X-No-Auto-Attachment: 1
Message-ID: <0000000000006f005605b78889c2@google.com>
Date: Mon, 28 Dec 2020 16:12:13 +0000
Subject: Hi,Good morning,
From: kdidierm0012@gmail.com
To: email@meinedomain.de
Content-Type: multipart/alternative; boundary="000000000000778b6f05b78889b4"
ARC-Authentication-Results: i=1;
	mail.meinedomain.de;
	dkim=pass header.d=gmail.com header.s=20161025 header.b=UArioVIs;
	spf=pass (mail.meinedomain.de: domain of 33APqXwwJApE5y3y3zC7LLMN17v36.x97744vx9Ezx.yz@trix.bounces.google.com designates 209.85.210.72 as permitted sender) smtp.mailfrom=33APqXwwJApE5y3y3zC7LLMN17v36.x97744vx9Ezx.yz@trix.bounces.google.com
ARC-Seal: i=1; s=dkim; d=meinedomain.de; t=1609171935; a=rsa-sha256; cv=none;
	b=BQPu+HQQr8HQonvfnpug0+pDKIFphBqPh/BxlHKAb1HMz0luGOrFWT4z5J3whT0ZCCdVMj
	SNV2DU1BCrxSVeBXyg588SGufD+ucCCyeh2+OlCfWG2R2X0FmN8TBe6m/a4xo0tU/V+oTF
	Uiq8fGw57lHz8PQ1xPoYZNZ6paMnd9lEAJuCqY9EO29Yo+MYnxot5pTgWJiTmn3y+efaVC
	9JIG6rbpOWyPoDb4BxKprrzk8B7muskk01WB9s2V9ILPwx2t+OeIRHyM4BqC/nHWqf/e40
	IMjtDDGMOQAhSM+thZEAlG7MYh8LDPSLZMuoWnihlUwDMdMBh1RbEROiu40P7g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=meinedomain.de;
	s=dkim; t=1609171935; h=from:from:reply-to:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:mime-version:mime-version:
	 content-type:content-type:dkim-signature;
	bh=7Rbi52bTOhni54aS0/0vMClAZJqbJmANbfVa6MevgJY=;
	b=Rt8rrYgGy6vAcvLXok0dljyV2SjaaSFRVqDw8Dpd66D0WMfTC2VQXmrl3EUz7jBibYE+7w
	ctgcLRtt+Zolc/bPkfO3Qhe7zJ45frJqEtRtL+Fu0utapUG9jBAKZDBGSJVV8io2O4cliy
	jOhLoJpYc6mXcQBXLFMQl0JIcjSwpIvkxcbh1I0GSy0LBVuUi/1Ju2hUZtIhvKUoGlrwv6
	hbd6X4ZsQfh8o83S+eMxqIsNsdf2Qx4zktt3lgfgTf4S6sayDub8RpyfgAWXaSKi+IvsGS
	tDmx7acY4vErECIwJkHauQx1q6FaTqwpHL5cILk9o1f+2NK3Ic3ZHrdn9PMmWw==
X-Last-TLS-Session-Version: TLSv1.3
X-Spamd-Result: default: False [2.58 / 15.00];
	 HAS_REPLYTO(0.00)[kdidierm0012@gmail.com];
	 RWL_MAILSPIKE_GOOD(0.00)[209.85.210.72:from];
	 FREEMAIL_FROM(0.00)[gmail.com];
	 R_SPF_ALLOW(0.00)[+ip4:209.85.128.0/17];
	 TO_DN_NONE(0.00)[];
	 ARC_SIGNED(0.00)[meinedomain.de:s=dkim:i=1];
	 DKIM_TRACE(0.00)[gmail.com:+];
	 MIME_BASE64_TEXT(0.10)[];
	 DMARC_POLICY_ALLOW(0.00)[gmail.com,none];
	 MX_GOOD(-0.01)[];
	 RBL_SORBS_RECENT(2.00)[209.85.210.72:from];
	 FORGED_SENDER(0.30)[kdidierm0012@gmail.com,33APqXwwJApE5y3y3zC7LLMN17v36.x97744vx9Ezx.yz@trix.bounces.google.com];
	 RCPT_MAILCOW_DOMAIN(0.00)[meinedomain.de];
	 MIME_TRACE(0.00)[0:+,1:+,2:~];
	 ASN(0.00)[asn:15169, ipnet:209.85.128.0/17, country:US];
	 FROM_NEQ_ENVFROM(0.00)[kdidierm0012@gmail.com,33APqXwwJApE5y3y3zC7LLMN17v36.x97744vx9Ezx.yz@trix.bounces.google.com];
	 BAYES_HAM(-3.30)[93.82%];
	 DWL_DNSWL_NONE(0.00)[gmail.com:dkim];
	 ARC_NA(0.00)[];
	 R_DKIM_ALLOW(0.00)[gmail.com:s=20161025];
	 REPLYTO_EQ_FROM(0.00)[];
	 TO_MATCH_ENVRCPT_ALL(0.00)[];
	 MIME_GOOD(-0.10)[multipart/alternative,text/plain];
	 FREEMAIL_REPLYTO(0.00)[gmail.com];
	 PREVIOUSLY_DELIVERED(0.00)[email@meiedomain.de];
	 RCPT_COUNT_ONE(0.00)[1];
	 BAD_REP_POLICIES(2.00)[];
	 FROM_NO_DN(0.00)[];
	 RCVD_IN_DNSWL_NONE(0.00)[209.85.210.72:from];
	 IP_REPUTATION_SPAM(1.59)[asn: 15169(0.40), country: US(-0.00), ip: 209.85.210.72(0.00)];
	 RCVD_COUNT_TWO(0.00)[2];
	 RCVD_TLS_ALL(0.00)[]
Authentication-Results: mail.meinedomain.de;
	dkim=pass header.d=gmail.com header.s=20161025 header.b=UArioVIs;
	spf=pass (mail.meinedomain.de: domain of 33APqXwwJApE5y3y3zC7LLMN17v36.x97744vx9Ezx.yz@trix.bounces.google.com designates 209.85.210.72 as permitted sender) smtp.mailfrom=33APqXwwJApE5y3y3zC7LLMN17v36.x97744vx9Ezx.yz@trix.bounces.google.com;
	dmarc=pass (policy=none) header.from=gmail.com
X-Rspamd-Queue-Id: 4B0722F60001
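
One way to build the multimap rule suggested in the reply, sized against the score breakdown in the posted header. This is an added example, not configuration posted by anyone in the thread; the symbol name `GOOGLE_FORMS_URL`, the map file name and its location under `custom/` are assumptions.

```ucl
# Added example. Assumed file: local.d/multimap.conf of the Rspamd instance
# (on a mailcow host that is assumed to be data/conf/rspamd/local.d/multimap.conf).
GOOGLE_FORMS_URL {
  type = "url";       # test every URL Rspamd extracts from the message
  filter = "full";    # compare the whole URL, not only the host name
  map = "${LOCAL_CONFDIR}/custom/google_forms_url.map";  # assumed path
  regexp = true;      # each map line is a regular expression
  symbol = "GOOGLE_FORMS_URL";
  description = "Message links to docs.google.com/forms";
  # The posted sample totalled 2.58 of 15.00, with BAYES_HAM at -3.30
  # cancelling most of the RBL and reputation hits. A weight of 10.0
  # would lift that sample to 12.58; pick the value to fit your thresholds.
  score = 10.0;
}

# Contents of google_forms_url.map, one expression per line:
#   /docs\.google\.com\/forms\//i
```

The rule scores every message that links to a Google Form, including legitimate invitations. After Rspamd is restarted, `GOOGLE_FORMS_URL` shows up in `X-Spamd-Result` whenever it fires, which makes it easy to confirm on the next sample.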