[TUTORIAL] Mail filter example

hata_ph

Well-Known Member
Nov 13, 2019
870
189
48
43
I notice there are not many Who and What object examples available in the forum. Just want to share some that I am currently using.
The objects may cause some false positives, so I would set quarantine instead of block.
Others can share their objects too.

Who Object:

Regex:

(\W|^)[\w.+\-]{0,50}@[\w.+\-]{0,50}\.ae(\W|$)
- Matches any domain ending with .ae.

(^)james_otc.*@yahoo\.com($)
- Regex match for mail from Yahoo.

What Object:

Match Filename:

.*\.(ace|adp|app|asp|ba[st]|cer|chm|cmd|cnt|com|cpl|crt|csh|der|dll|exe|fxp|gadget|hlp|hpj|hta|in[fs]|img|isp|its|jse?|ksh|lnk|ma[dfgmqrstuvw]|md[detwz]|msc|msh|mshxml|msh[12]|msh[12]xml|ms[ipt]|ops|osd|pcd|pif|plg|prf|prg|pst|reg|sc[frt]|sh[bs]|ps[12]|ps[12]xml|psc[12]|tmp|url|vb[eps]?|vsmacros|vsw|ws[cfh]?|xnk|ade|cla|class|grp|jar|mcf|ocx|pl|xbap)
- Matches the attachment extensions above.

.*\.(htm[l]?)
- Matches all .html attachments.

Match field:
subject=(?i)(\W|^)([\w.\-]{0,25}?testing\.com)(\W|$)
- Matches a subject containing the domain name.
Example: Account Blocked xxx@testing.com 6/24/2020 3:38:07 a.m.

subject=(?i)(\W|^)(ages?|activated?|annoy|asap|attack.*|attentions?)(\W|$)
- Matches a subject containing the above words.

subject=(?i)(\W|^)(free shipping)(\W|$)
- Matches a subject containing the above phrase.

subject=(?i)(\W|^)(rm|rm.\d+|\$|\$.\d+)(\W|$)
- Matches a subject with a $ or RM sign.
Example: BOOK NOW, PAY LATER To Enjoy Great Savings! From RM138. Limited Time Offer. CLICK To BOOK NOW

subject=(\!|\?|\.)$
- Matches a subject ending with ! or ? or .
Example: A New Order Has Just Arrived!

subject=(?i)^(do|in|hi|hey|how|our|my|are|is|last|please|to|free|we|what|want)(\W|$)
- Matches a subject starting with the above words.
Example: Do you see what we see? Money Mule

subject=(\W|^)(\d+.\%)(\W|$)
- Matches a subject that contains a % sign.
Example: Cut 45% Cost from Sanitizer Expenses

subject=(\W|^)(.*\!|.*\?)(\W|$)
- Matches a subject that contains a ! or ? sign.
Example: Do you see what we see? Money Mule

subject=(?i)^(\d+)(\W|$)
- Matches a subject starting with a number.
Example: 10 questions L&D detectives must ask
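
Added example (not part of the original post): a subset of the subject rules above, run over constructed subjects to count true and false positives per rule, which is why quarantine is the safer action than block. Python's `re` stands in for the PMG regex engine here (an assumption); the rule names and the non-spam subjects are made up for the test.

```python
import re

# Subject rules copied from the post (the part after "subject="); names are hypothetical.
RULES = {
    "domain": r"(?i)(\W|^)([\w.\-]{0,25}?testing\.com)(\W|$)",
    "currency": r"(?i)(\W|^)(rm|rm.\d+|\$|\$.\d+)(\W|$)",
    "ends_punct": r"(\!|\?|\.)$",
    "starts_word": r"(?i)^(do|in|hi|hey|how|our|my|are|is|last|please|to|free|we|what|want)(\W|$)",
    "percent": r"(\W|^)(\d+.\%)(\W|$)",
    "starts_number": r"(?i)^(\d+)(\W|$)",
}

# (subject, is_spam). Spam subjects are the post's own examples;
# the non-spam subjects are constructed for this test.
SAMPLES = [
    ("Account Blocked xxx@testing.com 6/24/2020 3:38:07 a.m.", True),
    ("BOOK NOW, PAY LATER To Enjoy Great Savings! From RM138. "
     "Limited Time Offer. CLICK To BOOK NOW", True),
    ("A New Order Has Just Arrived!", True),
    ("Do you see what we see? Money Mule", True),
    ("Cut 45% Cost from Sanitizer Expenses", True),
    ("10 questions L&D detectives must ask", True),
    ("Re: Invoice 4471 attached", False),
    ("Please review the Q3 budget", False),
    ("Meeting moved to 3pm?", False),
    ("2 servers need patching tonight", False),
    ("Hi team, lunch at 12?", False),
]

def matching_rules(subject):
    """Names of all rules whose regex matches the subject."""
    return [name for name, pat in RULES.items() if re.search(pat, subject)]

def evaluate(samples=SAMPLES):
    """Per rule: (hits on spam, hits on legitimate mail)."""
    stats = {name: [0, 0] for name in RULES}
    for subject, is_spam in samples:
        for name in matching_rules(subject):
            stats[name][0 if is_spam else 1] += 1
    return {name: tuple(counts) for name, counts in stats.items()}

if __name__ == "__main__":
    for name, (tp, fp) in evaluate().items():
        print(f"{name:14} spam hits={tp} legitimate hits={fp}")
```

The narrow rules (domain, currency, percent) hit only the spam samples, while the "starts with", "ends with" and "starts with number" rules also hit ordinary business subjects.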
 

Drax

Active Member
Jul 21, 2012
126
2
38
How would I make a Who action to block specific senders, or senders with a specific name?
 

hata_ph

Drax said:
> How would I make a Who action to block specific senders, or senders with a specific name?

Try something like this. Remember that the Who object refers to the Return-Path: header in the mail. Make sure the filter matches it.

[Attached screenshot: 1651189242498.png]
 

Drax

Thanks. I'm looking for the phoney name that shows up in the sender; the reason is that the same phoney name appears but it is always from a different email address: phoney name <email address>
 

hata_ph

Drax said:
> Thanks. I'm looking for the phoney name that shows up in the sender; the reason is that the same phoney name appears but it is always from a different email address: phoney name <email address>

Please provide the spam mail in raw format for checking.
 

Drax

You mean the header?

-------- Forwarded Message --------
From: 18 2022 <>
X-Account-Key: account11
X-UIDL: sm_0002A901_db94e458b9234f7aa010ac4a7d94ae60
X-Mozilla-Status: 0000
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path: <info@adoptionpatent.co>
Received: from with SMTP; Fri, 29 Apr 2022 16:18:43 -0700
Received: from (Proxmox) with ESMTP id 4841E61533 for <>; Fri, 29 Apr 2022 16:18:42 -0700 (PDT)
Received-SPF: none (adoptionpatent.co: No applicable sender policy available) receiver= ; identity=mailfrom; envelope-from="info@adoptionpatent.co"; helo=adoptionpatent.co; client-ip=107.161.87.86
Received: from adoptionpatent.co (unknown [107.161.87.86]) by (Proxmox) with ESMTP id 93DF561918 for < >; Fri, 29 Apr 2022 16:18:41 -0700 (PDT)
Date: Fri, 29 Apr 2022 18:01:54 -0500
From: Mindinsole <info@adoptionpatent.co>
MIME-Version: 1.0
Precedence: bulk
To:
Subject: I Gave Up Hope Of Ever Relieving My Foot Pain... Until I Discovered These Two Hidden Secrets
Message-ID: <ganpKi0gv8O3zUcNW03OhFuWFMJW-5XOnrR0U36WGcU.m-9so7_nYHhhqD-fQ1s6sg@adoptionpatent.co>
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-SPAM-LEVEL: Spam detection results: 0 AWL 1.000 Adjusted score from AWL reputation of From: address HTML_MESSAGE 0.001 HTML included in message HTML_MIME_NO_HTML_TAG 0.635 HTML-only message, but there is no HTML tag KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery methods MIME_HTML_ONLY 0.1 Message only has text/html MIME parts RCVD_IN_DNSWL_HI -5 Sender listed at https://www.dnswl.org/, high trust RDNS_NONE 1.274 Delivered to internal network by a host with no rDNS SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_NONE 0.001 SPF: sender does not publish an SPF Record URIBL_ABUSE_SURBL 1.948 Contains an URL listed in the ABUSE SURBL blocklist [favorsingle.family] URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [favorsingle.family]
X-SmarterMail-TotalSpamWeight: 0 (IP Whitelisted)
 

hata_ph

@Drax, you can opt for the few mail filter options below, based on the spam mail header.

Who object (refers to Return-Path:)
- Email: info@adoptionpatent.co
- Domain: adoptionpatent.co

What object (subject)
- subject=(?i)(\W|^)(hope|pain|hidden secrets)(\W|$)
 

Drax

The issue is the email address and domain are always changing but the name Mindinsole does not. That is the filter I want to create. Otherwise I’m just trapped making an endless list of addresses and nothing is blocked until they recycle that address.
 

hata_ph

Drax said:
> The issue is the email address and domain are always changing but the name Mindinsole does not. That is the filter I want to create. Otherwise I’m just trapped making an endless list of addresses and nothing is blocked until they recycle that address.

Try this.

What object regex from=^mindinsole.*<.*>.*$
 
  • Like
Reactions: Stoiko Ivanov
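
Added example (not from the thread's participants): the difference between matching the Return-Path address (the Who object) and matching the From display name (the What object rule above), checked against constructed messages. Python's `re` and `email` modules stand in for PMG's matching, case-insensitive matching of the field is assumed, and every address other than the one posted in the thread is made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Rule from the last reply (part after "from="); case-insensitivity is assumed.
FROM_RULE = re.compile(r"^mindinsole.*<.*>.*$", re.IGNORECASE)
# Who object value suggested earlier in the thread (compared with Return-Path).
WHO_EMAIL = "info@adoptionpatent.co"

def build(return_path, from_header):
    """Build a minimal constructed message with the two headers of interest."""
    raw = f"Return-Path: <{return_path}>\nFrom: {from_header}\nSubject: test\n\nbody\n"
    return message_from_string(raw)

# "posted" mirrors the header in the thread; the others are constructed variants.
SAMPLES = {
    "posted": build("info@adoptionpatent.co", "Mindinsole <info@adoptionpatent.co>"),
    "rotated": build("news@example.net", "Mindinsole <news@example.net>"),
    "quoted": build("news@example.org", '"Mindinsole" <news@example.org>'),
    "other": build("alice@example.com", "Alice <alice@example.com>"),
}

def who_match(msg):
    """Who-object style check: exact envelope sender address."""
    return parseaddr(msg["Return-Path"])[1].lower() == WHO_EMAIL

def from_rule_match(msg):
    """What-object style check: the thread's regex on the raw From header."""
    return bool(FROM_RULE.search(msg["From"]))

def display_name_match(msg, name="mindinsole"):
    """Hypothetical stricter check: parse the header, compare only the display name."""
    display, _addr = parseaddr(msg["From"])
    return display.strip().lower().startswith(name)

def verdicts():
    """Map sample name -> (who_match, from_rule_match, display_name_match)."""
    return {k: (who_match(m), from_rule_match(m), display_name_match(m))
            for k, m in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in verdicts().items():
        print(name, result)
```

The address match only covers the posted sender, the From regex also covers a rotated address, and a display name written in quotes is only caught once the header is parsed, so a rule anchored with `^` is worth testing against both forms.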
