I'm having success with an MS Outlook filter to detect spam based on the message header contents.

I move the new message to Junk if the email header contains any of :

dkim=fail
dmark=fail
spf=fail
spf=softfail
( unknown[
BAYES_SPAM(5.
HFILTER_HOSTNAME_UNKNOWN
RDNS_NONE
.shop
.click

Hi all,

I see also a lot of SPAM lately on my Plusnet email mailboxes.  When I check the IPs sendong it they are all listed in spamhaus as bad senders.  Why is Plusnet not blocking bad senders which I thought was the default setting ?

The default setting description says:   

With spam filtering turned on, emails sent from mailservers with a bad SenderBase reputation will be rejected and bounced back to the sender. Emails that pass this first check are scanned and given a spam rating. What happens then depends on the settings which follow.

Also I would be curious what "block obvious spam" means I would hope any email from known spam mailservers.

Anyone from Plusnet on these forums to explain this ? 

Also Plusnet's mail servers are on the blacklists 😞  

# nslookup 212.159.14.26
26.14.159.212.in-addr.arpa name = avasin-peh-006.plus.net.

Authoritative answers can be found from:

#./dnsblcheck 212.159.14.26
Checking: 212.159.14.26
-------------------------
[LISTED] 212.159.14.26 on zen.spamhaus.org
[OK] 212.159.14.26 not listed on bl.spamcop.net
[OK] 212.159.14.26 not listed on b.barracudacentral.org
[OK] 212.159.14.26 not listed on dnsbl.sorbs.net
[LISTED] 212.159.14.26 on cbl.abuseat.org
[OK] 212.159.14.26 not listed on psbl.surriel.com
[OK] 212.159.14.26 not listed on dnsbl-1.uceprotect.net

Markus

Small correction the SPAM listing for  212.159.14.26 is wrong i.e. I used cloudflare's 1.1.1.1 DNS server which gets worng responses. Using unbound I get  a clean response.

/dnsblcheck 212.159.14.26
Checking: 212.159.14.26
-------------------------
[OK] 212.159.14.26 not listed on zen.spamhaus.org
[OK] 212.159.14.26 not listed on bl.spamcop.net
[OK] 212.159.14.26 not listed on b.barracudacentral.org
[OK] 212.159.14.26 not listed on dnsbl.sorbs.net
[OK] 212.159.14.26 not listed on cbl.abuseat.org
[OK] 212.159.14.26 not listed on psbl.surriel.com
[OK] 212.159.14.26 not listed on dnsbl-1.uceprotect.net

Markus

@M-M we found the Plusnet spam filter controls stopped working during the tail end of 2025, you may recall spam emails used to be marked as [-SPAM-] in the Subject: field.

Once email migrates to www.greenby.com there are Spam settings in the Greenby Portal ( i.e. not webmail ), if enabled this will divert spam to a Junk / Spam folder on the email server. That folder needs to be checked for false positives, or disabled if you prefer to deal with spam in a mail client like MS Outlook or Thunderbird etc.

I am suspecting your email is not be migrated to Greenby as host : avasin-peh-006.plus.net 212.159.14.26  is a Plusnet hosted in-bound email server.

Why would an inbound server be on a blacklist?

Trying to complain to abuse@plus.net I get blocked. I complaint to OFCOM as they must accept these emails.

It seems also my postings get blocked.  I had posted this:

Which did not appear anywhere.

An inbound server would be on a blacklist if they allow SPAM to be send i.e. they do not control their customers sending spam despite complains.  

Markus 

I need to post as image as it gets removed. ( this was message 10 under this subject as you can see on the bottom of the image )

---

@M-M wrote:

I see also a lot of SPAM lately on my Plusnet email mailboxes.

I see no spam.

---

@M-M wrote:

Also Plusnet's mail servers are on the blacklists 😞  

# nslookup 212.159.14.26
26.14.159.212.in-addr.arpa name = avasin-peh-006.plus.net.

Authoritative answers can be found from:

#./dnsblcheck 212.159.14.26
Checking: 212.159.14.26
-------------------------
[LISTED] 212.159.14.26 on zen.spamhaus.org
[OK] 212.159.14.26 not listed on bl.spamcop.net
[OK] 212.159.14.26 not listed on b.barracudacentral.org
[OK] 212.159.14.26 not listed on dnsbl.sorbs.net
[LISTED] 212.159.14.26 on cbl.abuseat.org
[OK] 212.159.14.26 not listed on psbl.surriel.com
[OK] 212.159.14.26 not listed on dnsbl-1.uceprotect.net

---

Not what I'm seeing.

https://www.whois.com/whois/212.159.14.26

inetnum: 212.159.14.0 - 212.159.14.127
netname: PLUSNET-PORTAL-SERVERS
descr: Plusnet Portal Servers
descr: PlusNet Technologies Ltd
remarks: INFRA-AW
country: GB

https://check.spamhaus.org/212.159.14.26

"212.159.14.26 has no issues"

https://check.spamhaus.org/results?query=avasin-peh-006.plus.net
"avasin-peh-006.plus.net has no issues"

Again - where is this spam?

The Spam is in many people's Plusnet mailboxes.

You seem to be lucky.

It is hundreds a day like the attached.

Markus

Return-path: <user@lastname.plus.com>
Envelope-to: user@lastname.plus.com
Delivery-date: Sun, 03 May 2026 08:51:56 +0100
Received: from [84.93.230.243] (helo=avasin-ptp-007.plus.net)
by inmx-peh-010.plus.net with esmtp (PlusNet MXCore v2.00) id 1wJRcK-00083o-Gt
for user@lastname.plus.com; Sun, 03 May 2026 08:51:56 +0100
Received: from mail.enmail.co ([91.204.208.8])
by Plusnet Cloudmark Gateway with ESMTP
id JRbkw4jgEl3NFJRbkw7kHa; Sun, 03 May 2026 08:51:20 +0100
X-CM-Score: 100.00
X-CNFS-Analysis: v=2.4 cv=O4iavw9W c=1 sm=1 tr=0 ts=69f6fe78
p=cldSXMTIpfOU4Y6ndKLFjA==:17 p=xuSakxmQ/AEa0MmB+nwSGURWKu8=:19
p=PTyU9qhKzLH6fPggfxA3TfOAniY=:19 p=jCbGUyW4jJGoy8l3dHf0DG8VQv0=:19
p=NX+gl+Xpg2tz9MSno0cNtH3+2FI=:19 p=bU8HyK+u2KSFcGbJwLAM7afV7Pw=:19
p=1VCpbxcMXNoKQD3_8Deh:22 a=/50HAxhVri9f9h8qkinWjQ==:117 a=NGcC8JguVDcA:10
a=tQgp67HcAAAA:8 a=lxoXj2O9AAAA:8 a=5TAOmqheAAAA:8 a=es68Ls6DAAAA:8
a=7LJQYQ5cGpOTLzKPqbUA:9 a=7zbRnxVGAaKOODsWIkmG:22
Received: from [198.163.193.190] (unknown [198.163.193.190])
by mail.enmail.co (Postfix) with ESMTP id DC570C0049
for <user@lastname.plus.com>; Sun, 3 May 2026 07:51:17 +0000 (UTC)
Authentication-Results: mail.enmail.co;
dkim=none;
spf=softfail (mail.enmail.co: 198.163.193.190 is neither permitted nor denied by domain of user@lastname.plus.com) smtp.mailfrom=user@lastname.plus.com;
dmarc=fail reason="No valid SPF, No valid DKIM" header.from=plus.com (policy=none)
Received: from wurggqe ([60.220.73.164]) by 15751.com with MailEnable ESMTP; Sun, 3 May 2026 12:51:27 +0500
Received: (qmail 54451 invoked by uid 544); 3 May 2026 12:51:25 +0500
From: user@lastname.plus.com
To: user@lastname.plus.com
Date: Sun, 3 May 2026 12:51:27 +0500
Message-ID: <544510.544510@15751.com>
Mime-Version: 1.0
Content-type: text/plain;
X-Spamd-Result: default: False [9.70 / 4.00];
BAYES_SPAM(5.10)[100.00%];
SUBJ_ALL_CAPS(2.10)[28];
RDNS_NONE(2.00)[];
MV_CASE(0.50)[];
MIME_GOOD(-0.10)[text/plain];
DMARC_POLICY_SOFTFAIL(0.10)[plus.com : No valid SPF, No valid DKIM,none];
ASN(0.00)[asn:8193, ipnet:198.163.193.0/24, country:UZ];
FROM_NO_DN(0.00)[];
RCVD_COUNT_ONE(0.00)[1];
MIME_TRACE(0.00)[0:+];
RCPT_COUNT_ONE(0.00)[1];
ARC_NA(0.00)[];
R_DKIM_NA(0.00)[];
TO_EQ_FROM(0.00)[];
FROM_EQ_ENVFROM(0.00)[];
FUZZY_RATELIMITED(0.00)[rspamd.com];
R_SPF_SOFTFAIL(0.00)[~all:c];
TO_MATCH_ENVRCPT_ALL(0.00)[];
TO_DN_NONE(0.00)[];
NEURAL_SPAM(0.00)[1.000]
X-Spam: Yes
X-Original-Recipient: user@lastname.plus.com
X-CMAE-Envelope: MS4xfG04MJaV1IMERR9BtDs79CH3KUWx2YjRO3GWJJXcblnEymzeGktrgkEEzIsEt9inxVKyuFcSt53rkoCqE3zSI3gGhWWMPr5ZphdlWKvorrm65gJRwO2Z
7E0RADvYrixQTibfmY9QUYTg8EKoLifhDCJCsgGXwlHXUopSHVV1usdOCWiQA807Q9Hg/ezGkm6RRiEzESqb/gXHaDNItCpPAAM=
X-pn-pstn-db:" Spam 99
X-PN-Spam-Filtered: by PlusNet MXCore (v5.00)
Subject: YOU PERVERT, I RECORDED YOU!

Hello!

Unfortunately, there is some bad news for you.

Some time ago, your device was infected with my private Trojan, R.A.T (Remote Administration Tool).

If you want to find out more about it, simply use Google.

My Trojan allowed me to access your files, accounts, and your camera.

Check the sender of this email, I have sent it from your email account.

To ensure you read this email, you will receive it multiple times.

I RECORDED YOU (through your camera) MASTURBATING!

After that, I removed my malware to leave no traces.

If you still doubt my serious intentions, it only takes a couple of mouse clicks to share the video of you masturbating with your family, friends, relatives, all email contacts, on social networks and the darknet.

All you need is $800 USD in Bitcoin (BTC), transferred to my wallet address.

After the transaction is successful, I will proceed to delete everything.

I keep my promises!

You can purchase Bitcoin (BTC) from reputable exchanges here:

http://binance.com - Payment options: Credit/debit cards, bank transfers, P2P trading, third-party payment providers, and gift cards.
http://bitrefill.com - Payment options: Paysafecard, credit/debit cards, crypto, bank transfer, and other gift card options.
http://crypto.com - Payment options: Credit/debit cards, bank transfers, Apple Pay, Google Pay, and more.
http://kucoin.com - Payment options: Credit/debit cards, bank transfer, third-party payment providers, and peer-to-peer.

Alternatively, simply Google for other exchanges.

Once purchased, you can send the Bitcoin directly to my wallet address or use a wallet application such as Atomic Wallet or Exodus Wallet to manage your transactions.

My Bitcoin (BTC) wallet address is: 1LK753UYyYXPcUthYTrxgnaGC8qxXN8ZUK

Yes, that's how the wallet address looks like. Copy and paste my wallet address, it's (case-sensitive).

A piece of advice from me: regularly change all your passwords and update your device with the latest security patches.

@M-M 

This seems significant:

Received: from [198.163.193.190] (unknown [198.163.193.190])
by mail.enmail.co (Postfix) with ESMTP id DC570C0049

https://check.spamhaus.org/results?query=198.163.193.190
"198.163.193.190 has 3 listings"

Robot
Please don’t be alarmed! We understand finding your IP address, domain, URL or ASN on a blocklist can be worrying. This website will give you information about why you are listed and what you can do to ensure you don’t get listed again.

Where it is possible to request removal, we will help you through the process. However, if your IP is listed on the Spamhaus Blocklist (SBL), removal can only be requested by your Internet Service Provider (ISP).

Close
1. eXploits Blocklist (XBL) & CSS Blocklist (CSS) - Why is this IP address listed?
The machine using this IP is infected with malware that is emitting spam, or is sharing a connection with an infected device.

As a result, this IP is listed in the eXploits Blocklist (XBL) and the CSS Blocklist (CSS)

Click on More Info to see if you can request a delisting from this blocklist. This will also display any further information we have relating to this listing.Return-path: <user@lastname.plus.com>

https://www.whois.com/whois/198.163.193.190

% Information related to '198.163.193.0 - 198.163.193.255'
% Abuse contact for '198.163.193.0 - 198.163.193.255' is 'email@bkm.uz'
inetnum: 198.163.193.0 - 198.163.193.255
netname: UZTELECOM
country: UZ

Domain listed as in Uzbekistan.

Yes and enmail.co should have blocked it as a it comes from a blacklisted mailserver instead it forwards to plusnet.  Plusnet should blacklist enmail.co servers, which I did i.e. reported to spamhaus. 

Checking: 198.163.193.190 []
-------------------------
[LISTED] 198.163.193.190 on zen.spamhaus.org → 127.0.0.11 (PBL (Policy Block List))
[LISTED] 198.163.193.190 on zen.spamhaus.org → 127.0.0.4 (XBL (Exploits Block List))
[LISTED] 198.163.193.190 on zen.spamhaus.org → 127.0.0.3 (CSS (Spamhaus CSS))
[OK] 198.163.193.190 not listed on bl.spamcop.net
[OK] 198.163.193.190 not listed on b.barracudacentral.org
[OK] 198.163.193.190 not listed on dnsbl.sorbs.net
[LISTED] 198.163.193.190 on cbl.abuseat.org → 127.0.0.2
[OK] 198.163.193.190 not listed on psbl.surriel.com
[LISTED] 198.163.193.190 on dnsbl-1.uceprotect.net → 127.0.0.2