Filter on a link in the E-Mail

aquilaxx

Hello community,

to get rid of a very annoying spam I would like to filter on a link (target url) in the email. How is this possible?
 
Thank you for your information. If I make these custom filter rules, do I see the emails in the tracking center?
 
If the spam mail matches your custom rules, it will show up in your mail's spam info.

Code:
X-SPAM-LEVEL: Spam detection results:  9
    AWL                    -3.026 Adjusted score from AWL reputation of From: address
    BAYES_50                  0.8 Bayes spam probability is 40 to 60%
    CLOUD_SHARE                 1 Suspicious cloud storage links
    DKIM_SIGNED               0.1 Message has a DKIM or DK signature, not necessarily valid
    DKIM_VALID               -0.1 Message has at least one valid DKIM or DK signature
    DKIM_VALID_AU            -0.1 Message has a valid DKIM or DK signature from author's domain
    DKIM_VALID_EF            -0.1 Message has a valid DKIM or DK signature from envelope-from domain
    HTML_MESSAGE            0.001 HTML included in message
    KAM_VERY_BLACK_DBL          5 Email that hits both URIBL Black and Spamhaus DBL
    MIME_HTML_ONLY            0.1 Message only has text/html MIME parts
    SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
    SPF_PASS               -0.001 SPF: sender matches SPF record
    T_SCC_BODY_TEXT_LINE    -0.01 -
    URIBL_ABUSE_SURBL        1.25 Contains an URL listed in the ABUSE SURBL blocklist [corelearners360.com]
    URIBL_BLACK               1.7 Contains an URL listed in the URIBL blacklist [appleacademy.com.my]
    URIBL_DBL_SPAM            2.5 Contains a spam URL listed in the Spamhaus DBL blocklist [appleacademy.com.my]
 
OK, thank you. I checked out the uri rule from @hata_ph, but I believe that the GitHub cf files wouldn't catch the email.
Just an example. This is a hard mail to catch because it's O365 spam:



X-MS-Exchange-CrossTenant-Network-Message-Id: 1ca565ce-2b89-4cb7-4c5c-08da4d3b247a
X-MS-Exchange-CrossTenant-AuthSource: AS1PR01MB9983.eurprd01.prod.exchangelabs.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 13 Jun 2022 12:49:23.8781
(UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: eba1a024-f06a-4b44-a020-9dc1364f979a
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: kPOSQ/JSQ5ZZ5sYq74HFY0ueYfvASF+i6SdXIhTxG2L0Q88ibGgSlux9S4PDznSaEeqZ0mC5FuAs6Iypaddnz3t8AwWSz7oyCqSY4QIT0wA=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR01MB5294
X-SPAM-LEVEL: Spam detection results: 2
BAYES_00 -1.9 Bayes spam probability is 0 to 1%
DKIM_SIGNED 0.1 Message has a DKIM or DK signature, not necessarily valid
DKIM_VALID -0.1 Message has at least one valid DKIM or DK signature
FORGED_SPF_HELO 1 -
HTML_MESSAGE 0.001 HTML included in message
KAM_GOOGLE_REDIR 0.5 Message contains a google URL redirector link
RCVD_IN_DNSWL_NONE -0.0001 Sender listed at https://www.dnswl.org/, no trust
RCVD_IN_MSPIKE_H2 -0.001 Average reputation (+2)
SPF_HELO_PASS -0.001 SPF: HELO matches SPF record
T_SCC_BODY_TEXT_LINE -0.01 -
T_SPF_PERMERROR 0.01 SPF: test of record failed (permerror)
URIBL_DBL_SPAM 2.5 Contains a spam URL listed in the Spamhaus DBL blocklist [ferul.website]
Return-Path: yomna.30929594@art.tanta.edu.eg



The "Unsubscrible" link always has the same URL: mailto:accounts@27corpuunsubscribe.site?subject=Abmelden



How would you block the mail?
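
One way to express the filter asked about above as SpamAssassin rules for custom.cf (an added example, not from any poster in this thread). The rule names and scores are made up for illustration, and the List-Unsubscribe header rule assumes the same address also appears in that header:

```conf
# Added example: local SpamAssassin rules keyed on the recurring
# unsubscribe address quoted in the post above.
# Rule names (LOCAL_*) and scores are illustrative assumptions.

# 1) Match the mailto: target wherever SpamAssassin extracts it as a URI
#    (HTML anchors and plain-text links). Any local part at this domain
#    matches, so a changed mailbox name still hits.
uri       LOCAL_UNSUB_MAILTO_SITE  /^mailto:[^\@\s]+\@27corpuunsubscribe\.site\b/i
describe  LOCAL_UNSUB_MAILTO_SITE  Unsubscribe mailto at a domain seen in recurring spam
score     LOCAL_UNSUB_MAILTO_SITE  4.0

# 2) Assumption: the same domain is also advertised in the
#    List-Unsubscribe header. This catches mails where the body link
#    is hidden behind a redirector but the header is left as is.
header    LOCAL_UNSUB_HEADER_SITE  List-Unsubscribe =~ /27corpuunsubscribe\.site\b/i
describe  LOCAL_UNSUB_HEADER_SITE  List-Unsubscribe points at a domain seen in recurring spam
score     LOCAL_UNSUB_HEADER_SITE  2.0

# 3) Combine with a hit that already shows up in the reports above:
#    a Google redirector link plus this unsubscribe address.
#    The sub-rule score is added on top of rule 1.
meta      LOCAL_REDIR_PLUS_UNSUB   (KAM_GOOGLE_REDIR && LOCAL_UNSUB_MAILTO_SITE)
describe  LOCAL_REDIR_PLUS_UNSUB   Google redirector link together with known spam unsubscribe address
score     LOCAL_REDIR_PLUS_UNSUB   1.5
```

Check the file with `spamassassin --lint` before reloading the filter; a hit then appears by rule name in the X-SPAM-LEVEL report, as in the listings in this thread.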
 
BAYES_00 -1.9 Bayes spam probability is 0 to 1%
I would suggest disabling Bayes - this should give you 1.9 points more on that mail

T_SPF_PERMERROR 0.01 SPF: test of record failed (permerror)
Not 100% sure if that's the case - but check the SPF of the sending domain - and maybe your DNS setup

I hope this helps!
 
After the changes - unfortunately, next spam from now:


X-MS-Exchange-CrossTenant-Network-Message-Id: beaed4ca-5327-4843-448c-08da4e08dfe0
X-MS-Exchange-CrossTenant-AuthSource: BN6PR19MB3393.namprd19.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 14 Jun 2022 13:22:05.2192
(UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 8d36836e-6b75-4de6-bab9-5f4b1775427f
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: HLxnY/D6JPgHjGf+OZlcYHo2Ba8oS9whoYmZ63OrjT1ZGcDsHxCag7N+zipnk38YICEOOwo4i5qDTC+HdtkvfTDHTklyI7cAHLTimjE2jmXU2Tn3FMtHSYn/FIWkypfV
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SJ0PR19MB4447
X-SPAM-LEVEL: Spam detection results: 1
DKIM_SIGNED 0.1 Message has a DKIM or DK signature, not necessarily valid
DKIM_VALID -0.1 Message has at least one valid DKIM or DK signature
DKIM_VALID_AU -0.1 Message has a valid DKIM or DK signature from author's domain
DKIM_VALID_EF -0.1 Message has a valid DKIM or DK signature from envelope-from domain
HTML_MESSAGE 0.001 HTML included in message
KAM_GOOGLE_REDIR 0.5 Message contains a google URL redirector link
LIST_UNSUB 1 Mailinglist/Newsletter emails
RCVD_IN_DNSWL_NONE -0.0001 Sender listed at https://www.dnswl.org/, no trust
RCVD_IN_MSPIKE_H2 -0.001 Average reputation (+2)
SPF_HELO_PASS -0.001 SPF: HELO matches SPF record
SPF_PASS -0.001 SPF: sender matches SPF record
T_SCC_BODY_TEXT_LINE -0.01 -
Return-Path: pedro.sogamosoc@campusucc.edu.co
 
Is the IP being blacklisted?
 
@hata_ph

These are my configured DNSBL Sites:

zen.spamhaus.org,psbl.surriel.com*2,noptr.spamrats.com*2,escalations.dnsbl.sorbs.net*2,bl.score.senderscore.com,bl.spameatingmonkey.net*2,rbl.realtimeblacklist.com*2,dnsbl.dronebl.org*2,ix.dnsbl.manitu.net,b.barracudacentral.org,truncate.gbudb.net,bl.blocklist.de


I already set your suggested spamassassin rules in the custom.cf.
 
PMG utilizes a few options to block spam.
1. DNSBL - block blacklisted IP based on your DNSBL list.
2. Mail filter - block/quarantine based on your custom what/who object rule.
3. Spamassassin rules - increase/decrease SA score based on spamassassin default and your custom rules.

You have to study your own environment and customize your spam mail fighting strategy.
 

Thank you very much for your explanation.
We made a lot of Regular Expression / E-Mail in the "Who" object rule.
For now the fight against O365 Spam looks like the hardest.
"What" Object rule is nearly default configuration of PMG.

Has any of you mastered the O365 spam?
Do you maybe have a highly sophisticated rule set that works very well?
 
