Let me start by saying I don’t use an online mail service. I find them clunky, confusing, and - most annoyingly - convinced that anything not from your grandmother is spam. So I stick with good old Thunderbird on my PC. No built-in spam filter, no AI guessing games - everything ends up in my inbox, for better or (mostly) worse.
Now, because I run my own web server, I also run my own mail server. And thankfully, that does come with a spam filter. It’s not perfect, but it does catch the absolute no-brainers - the "I am an elite hacker and I watched you through your webcam" types. Impressive skills, considering my webcam is still factory-sealed and gathering dust in the closet. About 75% of the incoming mail gets stopped at that gate.
But that still leaves around 300 to 500 emails hitting my inbox daily. From those, at least half are phishing attempts. Fake warnings that my mailbox is full. Urgent requests to verify my PNC bank card (which I - for all obvious reasons - don’t have). Dire threats from PhotoBucket about losing all my precious memories if I don’t log in right now. You get the idea.
Of the survivors, another 50% are classic scams. Apparently Nigerian princes are out of fashion - now it's mega corporations wanting to place multi-million-dollar orders with my “company,” or lotteries I never entered telling me I've won enough money to actually buy Nigeria.
What’s left? Spam. Sooooo much spam. Mostly focused on... well, personal enhancements. Let’s just say there’s a lot of confidence in what I should be enlarging or how long I should be lasting.
When all’s said and done, I’m left with maybe 10 legitimate emails per day. Out of 2,000 or so. That’s around 0.5%. If email was a party, 99.5% of the guests would be trying to scam me, sell me questionable pills, or convince me I’ve inherited a mysterious fortune.
Cliff, what language are these SPAM emails in? English, Dutch...?
The reason I ask is that the email address I used when I registered here at PFF way back 26 years ago gets a lot of SPAM which looks like it's in Dutch. I don't open them, I'm just going by the subject line. My other email addresses also get SPAM of course, but no foreign language SPAM.
I'm just curious if I'm getting what appears to be Dutch SPAM because that particular email address was used here at this Dutch website. It's not really a problem... I'm just wondering if there's a connection.
Hardly getting any spam in Dutch, really. It's almost exclusively English - or something that is supposed to be English because apparently in those regions they still use the beta version of Google translate.
Are you using SpamAssassin? From subject alone a lot of this looks like it should be getting caught. From a quick glance:
"Investment opportunity" - both words should be tokenized and flagged by the Bayesian filter
"q2=8F=80?= DagAx1 van vandaag! Vonyx STM2500" - contains header garbage, a product name and 'today!'
"Je lunch verdient beter Äll" - "better lunch" + a special character should have been flagged
"Attention admin you [have delayed emails]" - obfuscated text should have been flagged
From your description, the language used in the other subject lines is just as suspect as the one I translated.
Are you actively marking messages as spam/not spam and running sa-learn on a schedule? It's a huge PITA, but that's really the only mechanism SpamAssassin has to 'learn.'
Alternatively, have you looked at Rspamd? It's easier to set up than SpamAssassin, auto-learns based on message scoring, which means you don't have to do anything for it to get better at blocking spam over time. It also has a lot of modern utility SpamAssassin is lacking. I'm guessing you are using Postfix for your SMTP, and if so you could set up Postscreen pretty easily to complement your spam filtering.
You could make a weekend project of setting up Rspamd + Redis and add Postscreen to your Postfix. You'd see an immediate difference and cumulative benefit over time, and wouldn't need to manually maintain any of it.
Side note: I also noticed you are failing DKIM authentication on your info@pennock.nl emails. You can check your logs, but I'd bet it's the selector (s=202006), which doesn't appear to exist on your domain.
[This message has been edited by NewDustin (edited 05-09-2025).]
Side note: I also noticed you are failing DKIM authentication on your info@pennock.nl emails. You can check your logs, but I'd bet it's the selector (s=202006), which doesn't appear to exist on your domain.
Huh. I used the headers off of the last info@ email I received, and (full disclosure) used mxtoolbox's RFC822 parser to check why it was marked as spam:
That being said...I didn't actually dig at this at all so take it with a grain of salt.
Lemme know if you want the headers in plain text to investigate.
[This message has been edited by NewDustin (edited 05-09-2025).]
Huh. I used the headers off of the last info@ email I received, and (full disclosure) used mxtoolbox's RFC822 parser to check why it was marked as spam:
Which is also weird because if I send a test email to a spam checker, it gets a perfect 10 out of 10 score (passes all DKIM, DMARC and SPF checks)
quote
Originally posted by NewDustin:
Correct me if I'm wrong, but doesn't this image actually say the DKIM signature is valid?
Sorry NewDustin, I pressed the wrong button and accidentally deleted your last post.
But you said you were using mxtoolbox.com but that site is very unreliable because most of the time it uses the wrong data for testing. Not to mention that the server which does the testing is down a lot.
Sorry NewDustin, I pressed the wrong button and accidentally deleted your last post.
quote
Originally posted by Cliff Pennock:
But you said you were using mxtoolbox.com but that site is very unreliable because most of the time it uses the wrong data for testing. Not to mention that the server which does the testing is down a lot.
That hasn't been my experience with it (though it is far from perfect), but again I've found it's a good first stop, not an all-inclusive answer. I, admittedly, did not dig into the results.
[This message has been edited by NewDustin (edited 05-10-2025).]
MXToolbox misinterprets some parts of the header. For example, it uses 127.0.0.1 (localhost) as the sending IP address for SPF checks. This IP shows up in the header because, on my and most other mail servers, outgoing mail is first passed through a local virus scanner or content filter (like Amavis, SpamAssassin, or ClamAV) before being handed off to the outbound MTA that actually delivers the mail to the internet. That handoff is logged in the header with 127.0.0.1, since both the scanner and MTA are running on the same machine.
MXToolbox then takes that localhost IP and tries to do an SPF check against it - which of course fails, because no one includes 127.0.0.1 in their SPF records. But that was never the real sending IP in the first place. A proper SPF check should use the public IP address of the server that actually transmitted the message - and that server is also present in the headers. Most other SPF/DKIM checkers (and mail clients) understand this and use the correct IP. MXToolbox doesn’t always do that (if ever), leading to false SPF failures.
DKIM failures can also be incorrectly reported. If the content or headers were slightly modified by a spam filter or virus scanner (even something as minor as extra whitespace) at the receiving end, the DKIM signature can appear broken - even though it was valid when originally sent and received.
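The hop selection described in the post above, as an added example that is not part of the original thread: it walks the `Received` headers from the top and skips loopback and private handoffs to find the address an SPF check should be run against. The headers are constructed, and the Postfix-style `[ip]` format and all host names are assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: 203.0.113.25 (a documentation address) stands in for the
# sender's public IP; the loopback hop is the sender's local content filter.
SAMPLE = """\
Received: from mail.example.net (mail.example.net [203.0.113.25])
    by mx.receiver.example (Postfix) with ESMTPS id 4ABC
    for <user@receiver.example>; Fri, 09 May 2025 10:00:02 +0000
Received: from localhost (localhost [127.0.0.1])
    by mail.example.net (Postfix) with ESMTP id 3DEF;
    Fri, 09 May 2025 10:00:01 +0000
Received: from [192.168.1.10] (unknown [192.168.1.10])
    by mail.example.net (Postfix) with ESMTPSA id 2GHI;
    Fri, 09 May 2025 10:00:00 +0000
From: info@example.net
Subject: test

body
"""

# Hops that can never be the Internet-facing sender: loopback, RFC 1918, link-local.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
BRACKETED = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def hop_ip(received):
    """Client IP recorded in one Received header, or None if none parses."""
    for candidate in BRACKETED.findall(received):
        try:
            return ipaddress.ip_address(candidate)
        except ValueError:
            continue
    return None

def hop_ips(raw):
    """Client IPs of all Received headers, newest (topmost) first."""
    return [hop_ip(v) for v in message_from_string(raw).get_all("Received", [])]

def spf_client_ip(raw):
    """First hop from the top that is not an internal handoff."""
    for ip in hop_ips(raw):
        if ip is not None and not any(ip in net for net in INTERNAL):
            return ip
    return None

if __name__ == "__main__":
    print([str(ip) for ip in hop_ips(SAMPLE)], "->", spf_client_ip(SAMPLE))
```

Only the `Received` header written by the receiving server itself is trustworthy; everything below it is supplied by the sending side, so a real SPF verdict belongs to the receiving MTA at SMTP time rather than to after-the-fact header parsing.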
That seems likely, though I'm still confused why Outlook would mark it as Spam based on their Spam filtering modifying the DKIM when it doesn't appear to be doing that on all messages. I'm guessing it was something unrelated?
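How a receiving-side whitespace change affects the DKIM body hash, as an added example that is not part of the original thread: it implements the two body canonicalizations from RFC 6376 and compares the `bh=` value before and after modification. The message bodies are constructed, and only the body hash is covered, not the signed headers.

```python
import base64
import hashlib
import re

def canon_simple(body: bytes) -> bytes:
    """RFC 6376 'simple' body: only trailing empty lines are ignored."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"

def canon_relaxed(body: bytes) -> bytes:
    """RFC 6376 'relaxed' body: also normalises whitespace inside lines."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
             for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes, canon) -> str:
    """Value a verifier compares against the bh= tag (SHA-256, base64)."""
    return base64.b64encode(hashlib.sha256(canon(body)).digest()).decode()

# Constructed bodies: as sent, with whitespace touched, and with a footer added.
SENT = b"Hello  Cliff,\r\nthe invoice is attached.\r\n"
WHITESPACE_ONLY = b"Hello Cliff, \r\nthe invoice is attached.\r\n\r\n"
FOOTER_ADDED = SENT + b"-- \r\nScanned by example filter\r\n"

def survives(modified: bytes, canon) -> bool:
    """True if the body hash computed at signing time still matches."""
    return body_hash(SENT, canon) == body_hash(modified, canon)

if __name__ == "__main__":
    for name, body in (("whitespace", WHITESPACE_ONLY), ("footer", FOOTER_ADDED)):
        print(name, "simple:", survives(body, canon_simple),
              "relaxed:", survives(body, canon_relaxed))
```

The `c=` tag of the `DKIM-Signature` header shows which canonicalization the signer chose; with a relaxed body, whitespace-only edits leave the hash intact, while any added or rewritten content breaks it under both modes.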