Need to refine how I try to block senders/from

Sep 17, 2020
Hello All,

I know that blocking email addresses has a lot of caveats, so I'm looking for a way to streamline my process and make things more efficient.

As an example, I know we have the envelope sender and the from address; trying to catch a domain name within either would be the goal.
I have caught myself putting a rule in multiple places:
Block Who Domains, and add the domain name: Doesn't work too frequently
Block Who Regex with .+@DarnSpammer.com as well as .+@.+DarnSpammer.com and even
Block WHO - E-mail; PainInDaButt@DarnSpammer.Com.

Magically they clear all of that.

In the inbound email I have this information:
Envelope From: PainInDaButt@DarnSpammer.Com
In the Header From: PainInDaButt@DarnSpammer.Com
Return-Path: contains Recipient@notifications.DarnSpammer.Com.

Now before we go off on a tangent: we are using multiple RBLs, we do block many IP networks that have been spam sources in our own experience, and SA with rules to try and block spam.

So to focus in on just blocking this DarnSpammer.Com domain: is there 1 rule that I can say will block in 90% of the cases shown above to finally block these spammers?
By reducing my rules, I'm also expecting to reduce server overhead by simply processing more efficiently.

Thank you!
 
can you post the log of such a mail and the exact entries from the rule system?
 
Hi @dcsapak

I have an entry in BL-WHO-Domains (my Object) -> Domain->DarnSpammer.com
I have an entry in BL-WHO-DomainsR (my object) -> RegEx->.+@DarnSpammer.com.com
The particular message got held up because of the bl.octopusdns.com RBL, but they normally aren't on that RBL, so it goes through; but because this one got into quarantine I was able to get good header details.
I attached my Rules in images in here as well.



This is the log and the header of such an email:
Code:
2024-01-02T19:03:06.287255-05:00 mgw pmg-smtp-filter[507030]: A1D9B6594A43A3E90C: new mail message-id=<EOK3Lk_DQYq2id-FTPx5lw@geopod-ismtpd-17>#012
2024-01-02T19:03:10.088082-05:00 mgw pmg-smtp-filter[507030]: A1D9B6594A43A3E90C: SA score=4/5 time=3.566 bayes=0.00 autolearn=no autolearn_force=no hits=AWL(-0.361),BAYES_00(-1.9),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DMARC_PASS(-0.1),HTML_FONT_LOW_CONTRAST(0.001),HTML_MESSAGE(0.001),KAM_REALLYHUGEIMGSRC(0.5),RBL_OCTOPUSDNS(6),RCVD_IN_MSPIKE_H2(-0.001),SPF_HELO_NONE(0.001),SPF_PASS(-0.001),T_SCC_BODY_TEXT_LINE(-0.01)
2024-01-02T19:03:10.125778-05:00 mgw pmg-smtp-filter[507030]: A1D9B6594A43A3E90C: moved mail for <Client.Name@ClientDomain.com> to spam quarantine - A1DD16594A43E16F86 (rule: Quarantine/Mark Spam (Level 3))
2024-01-02T19:03:10.130539-05:00 mgw pmg-smtp-filter[507030]: A1D9B6594A43A3E90C: processing time: 3.863 seconds (3.566, 0.18, 0)
2024-01-02T19:03:10.131322-05:00 mgw postfix/smtpd[506568]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (A1D9B6594A43A3E90C); from=<bounces+32626646-23d2-Client.Name=ClientDomain.com@notifications.DarnSpammer.com> to=<Client.Name@ClientDomain.com> proto=ESMTP helo=<o1329.shared.klaviyomail.com>

Delivered-To: Client.User@ClientDomain.com
Return-Path: bounces+32626646-ffcb-Client.User=ClientDomain.com@notifications.DarnSpammer.com
Received-SPF: pass (notifications.DarnSpammer.com: Sender is authorized to use 'bounces@notifications.DarnSpammer.com' in 'mfrom' identity (mechanism 'include:sendgrid.net' matched)) receiver=mgw.innovativeinternet.net; identity=mailfrom; envelope-from="bounces@notifications.DarnSpammer.com"; helo=o1411.shared.klaviyomail.com; client-ip=149.72.148.61
Received: from o1411.shared.klaviyomail.com (o1411.shared.klaviyomail.com [149.72.148.61]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mgw.mgw.innovativeinternet.net (Proxmox) with ESMTPS for <Client.User@ClientDomain.com>; Thu, 11 Jan 2024 19:02:34 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=DarnSpammer.com; h=content-type:from:mime-version:subject:list-unsubscribe:to:cc: content-type:from:subject:to; s=kl; bh=nzIqoylZds5WnAuZjl/o2B2rbLhqczWnyrrJ9NCqs7Q=; b=bRRCXsxNKeKfkFWvf0D3g1KV57c1i781M4y/s2dY0cWKiQZKdvVKQOZx648tpVK4SHO7 CRXOKwLn/1wYgVpWqytsViMmviTrgXQdmXRSChPpp2XDfnrDLFz/DPJtt/LQfmDjqfcdq+ gcTGyQtcXD5fXZlSzPVz0gKNEA2ks8eiDpvKX4gnrtXZv5CokQ9PcKMhZ8pmk6i3eHFG/v 5XfFsXjDbfwSohwPOOo4xo7YK6d0/Gq+TttPH2PZ43MtJhnPj4Tvmmu6lN9HYPNisdiepS iorp3AXVGqwqb9zUIBJHCiJNU7W6/u199s4B90J5PDdz2DPbVQ2Cz3Y01/Di1Z/g==
Received: by filterdrecv-59494cb4-g6dwd with SMTP id filterdrecv-59494cb4-g6dwd-1-65A08192-5B 2024-01-12 00:02:26.374108098 +0000 UTC m=+7449668.194000513
Received: from MzI2MjY2NDY (unknown) by geopod-ismtpd-10 (SG) with HTTP id DWs4QLk3Q3KWHaeio3fIDQ Fri, 12 Jan 2024 00:02:26.204 +0000 (UTC)
Content-Type: multipart/alternative; boundary=f17c069c345ca34a88f55fc27d3535769fc0b1d6f3c0a397a7cb55d31a6e
Date: Fri, 12 Jan 2024 00:02:26 +0000 (UTC)
From: SSPAM Sender <admin@DarnSpammer.com>
Mime-Version: 1.0
Message-ID: <DWs4QLk3Q3KWHaeio3fIDQ@geopod-ismtpd-10>
subject: SPAM: Featured Auctions: 2012 Lamborghini Gallardo LP 570-4 Superleggera
X-Kmail-Ops: 01H7K5XYF1Z4EZWE6JDHZV9039
X-Kmail-Account: TWdDe5
X-Kmail-Message: 01HKXAGF2TC2PKZNH949P4YR3N
List-Unsubscribe: =?us-ascii?Q?=3Chttps=3A=2F=2Fmanage=2Ekmail-lists=2Ecom=2Fsubscriptions=2Funsubscribe=3Fa=3DTW?= =?us-ascii?Q?dDe5&c=3D01H7K5XYF1Z4EZWE6JDHZV9039&k=3Deaf?= =?us-ascii?Q?fbcc2a49f9264d87fd0b8127d114e&m=3D01HKXAG?= =?us-ascii?Q?F2TC2PKZNH949P4YR3N&r=3D34tw5RsB=3E?=
X-SG-EID: =?us-ascii?Q?m+Axak9=2FY9=2FHIQ57MSCwZ9J7Uv6zhE6pZ5eznvInfbp1TVMDn2Ygw5r0C8h+B8?= =?us-ascii?Q?eyhrxn6DUN+hCih4QFw5w76PPypyfBKTqVWpUe5?= =?us-ascii?Q?c4TVjbDiHbOKDQsLi6Mzxl+1gJbAY2GZYBo2150?= =?us-ascii?Q?QyTK=2FBrLLtkCryz=2FD8FBPTRMmpt0KqHuQnf3q5P?= =?us-ascii?Q?wVZp56Om8r4jgviWVeN2jJde2OFqwpFoSx752X6?= =?us-ascii?Q?Q5k8mu37Gni8twh=2F1+ByoL5xzqAKhIuBYD8rFha?= =?us-ascii?Q?o8qoPaZG7zqVhbEQiUrDZUMmcQvQwReOD3npc7u?= =?us-ascii?Q?rgk=3D?=
X-SG-ID: =?us-ascii?Q?N2C25iY2uzGMFz6rgvQsb3WdckyvbC2eFaxvdDHn8D1nndBBW0fUClUlZF2fTQ?= =?us-ascii?Q?6K74k1Px5w5UsLILnUzg7DkLSrD=2FC2FlUZC2+YA?= =?us-ascii?Q?61M5LDhz0RoHY9kJEp7vfufKKFRqtYZHVB2DGae?= =?us-ascii?Q?sB=2FniLqAfU0rMkIBGG2NBPRPqdJYqI2+73bylsF?= =?us-ascii?Q?Cnkp9IuQSxReRH3xDAWp1Y1SvtvmCOKwBLhoHz5?= =?us-ascii?Q?SmcTiNYJIkamQLZBMMOCbWYicttnT=2Fw52sqElS1?= =?us-ascii?Q?D57RUv7Z44dSA+Lw9CaEQ=3D=3D?=
To: Client.User <Client.User@ClientDomain.com>
X-Entity-ID: wIHhWEklOGz1IrYAwMUPJA==
X-SPAM-LEVEL: Spam detection results: 5
  AWL -0.549 Adjusted score from AWL reputation of From: address
  BAYES_00 -1.9 Bayes spam probability is 0 to 1%
  DKIM_SIGNED 0.1 Message has a DKIM or DK signature, not necessarily valid
  DKIM_VALID -0.1 Message has at least one valid DKIM or DK signature
  DKIM_VALID_AU -0.1 Message has a valid DKIM or DK signature from author's domain
  DMARC_PASS -0.1 DMARC pass policy
  HTML_FONT_LOW_CONTRAST 0.001 HTML font color similar or identical to background
  HTML_MESSAGE 0.001 HTML included in message
  KAM_REALLYHUGEIMGSRC 0.5 Spam with image tags with ridiculously huge http urls
  RBL_OCTOPUSDNS 6 Entries listed in bl.octopusdns.com RBL
  RCVD_IN_HOSTKARMA_BL 1.5 Sender listed in HOSTKARMA-BLACK
  RCVD_IN_MSPIKE_H2 -0.001 Average reputation (+2)
  SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record
  SPF_PASS -0.001 SPF: sender matches SPF record
  T_SCC_BODY_TEXT_LINE -0.01 -
 
I have an entry in BL-WHO-Domains (my Object) -> Domain->DarnSpammer.com
I have an entry in BL-WHO-DomainsR (my object) -> RegEx->.+@DarnSpammer.com.com
i assume the .com.com is a typo?

Return-Path: bounces+32626646-ffcb-Client.User=ClientDomain.com@notifications.DarnSpammer.com
the mail comes from notifications.DarnSpammer.com, which matches neither the domain DarnSpammer.com nor .*@DarnSpammer.com

you'd want something like:

Code:
.*\.DarnSpammer.com
 
@dcsapak
Yes, that was a typo.

When I try the regex provided it doesn't pass the regex test.
I tweaked it to this .*@(\w+\.)?DarnSpammer\.com
now I can get a@DarnSpammer.com or a@sub.DarnSpammer.com


Given this regex would match the domain within anything a from email, a sub domain etc, having just this regex should be more efficient than having one entry for a domain, 1 entry for a from, 1 entry with regex of domain or sub domain, would you agree this may be the best catchall for a domain?

Is there some other rule or regex you would think would be better?
This will reduce the amount of objects I'm currently running.

I do check how my rules are working, and they are clearly not as effective as RBLs, but since they execute after the RBLs we'll take whatever blocks we can get.

Blocks Jan 2024 to date:
1987 BL-What-MatchFrom)
68 BL-Who-DomainsR)
2 BL-Who-IP)
182 BL-Who-IP-NW)

12119 all.spamrats.com;
3232 b.barracudacentral.org;
2978 bl.score.senderscore.com;
5042 bl.spamcop.net;
1792 bl.spameatingmonkey.net;
1081 psbl.surriel.com;


Blocks Dec 2023
1 BL-What-Dangerous)
1751 BL-What-MatchFrom)
5 BL-Who-Domains)
141 BL-Who-DomainsR)
5 BL-Who-IP)
947 BL-Who-IP-NW)
3 virus

31392 all.spamrats.com;
12463 b.barracudacentral.org;
5325 bl.score.senderscore.com;
23174 bl.spamcop.net;
3110 bl.spameatingmonkey.net;
4727 psbl.surriel.com;
 
I tweaked it to this .*@(\w+\.)?DarnSpammer\.com
ah yes of course you also wanted to match without subdomain

i'd probably tweak it even further:

Code:
.*@(\w+\.)*DarnSpammer\.com
so that it matches also multiple subdomains (e.g. foo.bar.DarnSpammer.com)
 
@dcsapak
The rule I posted as well as yours passes the regex test when adding a rule for both name@dom and name@sub.dom, but to my surprise, even after this rule was in place, the spam got delivered.
What method do you think is the best to try and block the from or the envelope sender in 1 place, reducing the amount of rules I need to make?
Or possibly anything in the header...
Adding 2 or 3 rules feels like we are just slowing down each message as it attempts to be delivered.
 
The rule I posted as well as yours passes the regex test when adding a rule for both name@dom and name@sub.dom, but to my surprise, even after this rule was in place, the spam got delivered.
can you post the log of that mail?

Adding 2 or 3 rules feels like we are just slowing down each message as it attempts to be delivered.
that shouldn't matter much IMO, since the spamassassin/disk/networking parts very likely take much longer than the rule system processing...
 
I use below regex to match main domain and subdomain:

.*(@|\.)darnspammer\.com

All main domain email has @darnspammer.com and all subdomain email has .darnspammer.com
 
If you want to block the Envelope From, you use WHO:
Who Objects > Create > Name: SpamSenders; Description: Anything you like
Then click SpamSenders, Add, Regular Expression >>> Regex: .*(@|\.)darnspammer\.com

If you want to block the header From, you use WHAT:
What Objects > Create > Name: SpamHeaderFrom; Description: Anything you like
Then click SpamHeaderFrom, Add, Match Field >>>
Field: From
Value: .*(@|\.)darnspammer\.com

Finally, at Mail Filter, you need to add SpamSenders and SpamHeaderFrom to your Block Rules so that they can work.
 
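A small checker added to this thread (it is not code from Proxmox or from any poster here) that runs the regex variants discussed above against the sender identities of a constructed message modelled on the headers posted earlier. It assumes a pattern has to cover the whole address and that the comparison is case-insensitive; the thread does not say whether PMG does either, so treat both as assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Regex variants proposed in the thread, keyed by a short label.
VARIANTS = {
    "domain-only":   r".+@DarnSpammer.com",            # original rule, bare domain only
    "subdomain-opt": r".*@(\w+\.)?DarnSpammer\.com",   # at most one subdomain label
    "subdomain-any": r".*@(\w+\.)*DarnSpammer\.com",   # any depth of subdomain labels
    "at-or-dot":     r".*(@|\.)darnspammer\.com",      # smileluo's variant
}

# Constructed sample modelled on the identities in the thread; not the real message.
SAMPLE_ENVELOPE_FROM = "bounces+123-user=example.org@notifications.DarnSpammer.com"
SAMPLE_HEADERS = """\
Return-Path: <bounces+123-user=example.org@notifications.DarnSpammer.com>
From: SSPAM Sender <admin@DarnSpammer.com>
Reply-To: itwarelatam@mediaware-news.com
To: Client User <user@example.org>
Subject: Featured Auctions
"""


def extract_identities(envelope_from, raw_headers):
    """Return the sender identities a block rule could be tested against.

    The envelope sender lives in the SMTP dialog (a PMG WHO object); the
    others are message headers (a PMG WHAT / Match Field object).
    Return-Path is added by the receiving MTA from the envelope sender."""
    msg = message_from_string(raw_headers)
    identities = {"envelope-from (WHO)": envelope_from}
    for hdr in ("Return-Path", "From", "Reply-To"):
        if msg.get(hdr):
            identities[f"{hdr} (WHAT)"] = parseaddr(msg[hdr])[1]
    return identities


def address_matches(regex, address):
    """Assumption: the pattern must cover the whole address, compared
    case-insensitively. This is why the leading .* in the thread matters."""
    return re.fullmatch(regex, address, re.IGNORECASE) is not None


def evaluate(regex, envelope_from, raw_headers):
    """Map each identity name to whether `regex` would match it."""
    return {name: address_matches(regex, addr)
            for name, addr in extract_identities(envelope_from, raw_headers).items()}


if __name__ == "__main__":
    for label, regex in VARIANTS.items():
        print(f"{label:14} {regex}")
        for name, hit in evaluate(regex, SAMPLE_ENVELOPE_FROM, SAMPLE_HEADERS).items():
            print(f"    {'MATCH' if hit else 'miss '} {name}")
```

The output shows the point dcsapak made: the original `.+@DarnSpammer.com` misses the envelope sender at notifications.DarnSpammer.com but hits the header From, while the subdomain-aware variants hit both, so one WHO entry and one WHAT entry are still needed because each object type only sees its own identity.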
@dcsapak
Since I have huge logs it's a bit difficult to properly find, document and obfuscate the info.
I can tell you I received the message knowing when I applied the rule.

I think it's about what I am comparing to. In the only brief description I have seen below (image), it says WHO is the sender or receiver, and WHAT is what's in the message; however, I have seen several posts that made the person use WHAT Match Field from instead of WHO.

My goal would be, let's say, to match ANYTHING in the header to a domain name with the regular expression above, vs. having to pick from/reply-to etc.
So the most efficient place for me to put 1 rule that would be 1 entry and stop the spam. (Magic, which we know may not exist.)

I have also attached some tracking I do with my rules, so I know where maybe I have 1000 rules but only reject 4 items a month, then trash those rules, or whether my new method is better than the previous method. I do this for both white & black listing.
In all cases my newer rules execute first (WL-Who-DOMR, WL-WT-MFrom, BL-Who-DomR, BL-WT-MTo, BL-WT-MFrom).

 
@smileluo Thanks for the replies.

My situation was that in some cases one wouldn't work, and thus I had to put in 2 entries for each domain hoping to block the spam senders. My goal would be to add 1 entry and block anything with that domain in it.
Now that may not really be possible, and I will have to add a What & a Who for each domain.
 
WHAT is to match the info in the email header, so my Proxmox has the spam rules below:

HeaderFrom
HeaderTo
HeaderSubject
HeaderMessageID
HeaderReceived
HeaderReplyTo
HeaderXMailer
HeaderDisposition
HeaderOtherInfo

You can add many to each sort.
 
OK, had a perfect example today of what I'm referring to as a BETTER WAY!

I have 3 rules (the last two being phased out) to try and block senders.
I think having to make 3 rules is a bit much and not efficient, but let's move forward.

Code:
Who Object: BL-WO-RDomains -
.*@(\w+\.)?mediaware-news\.com

What Object: BL-WT-MFrom - Match Field from
.*@(\w+\.)*mediaware-news\.com

WHAT Object OLDER, but still active
BL-WHAT-MatchFrom - Match field from
.+@mediaware-news.com

Who Object - BL-WO-RDomains - Regular expression ( 2 entries )
.*@(\w+\.)?embluejet\.com
.*@(\w+\.)?embluemail\.com

Let's not look at the syntax above and how everyone does it; the syntax matches correctly, so let's just look at the concept behind how we attempt to block.

Here are the key lines from the header organized by matching either the domain I'm trying to block, or the sending server which is also on my radar as spammers.

Line 16: header.d=mediaware-news.com;dmarc=pass action=none
Line 17: header.from=mediaware-news.com;compauth=pass reason=100
Line 34: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=epexo; d=mediaware-news.com;
Line 36: Message-ID:Date; i=itwarelatam@mediaware-news.com;
Line 52: =?utf-8?q?a?= <itwarelatam@mediaware-news.com>
Line 56: reply-to: itwarelatam@mediaware-news.com

Line 15: smtp.mailfrom=emark9.embluejet.com; dkim=pass (signature was verified)
Line 19: emark9.embluejet.com discourages use of 138.9.12.150 as permitted sender)
Line 27: Received-SPF: pass (emark9.embluejet.com: Sender is authorized to use 'emblue3prd_user2@emark9.embluejet.com' in 'mfrom' identity (mechanism 'include:_spf.embluemail.com' matched)) receiver=mgw.myproxmox.net; identity=mailfrom; envelope-from="emblue3prd_user2@emark9.embluejet.com"; helo=tnt30.embluetnt.com; client-ip=5.83.1.33
Line 28: Received: from tnt30.embluetnt.com (tnt30.embluetnt.com [5.83.1.33])
Line 41: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=epexo; d=embluetnt.com;
Line 59: List-Unsubscribe: <https://app.embluemail.com/Services/Interaccion.svc/DesuscribirContactoEnvio?datos=6g5d-R-ixfxyrxBKuwhhgbr,
Line 61: Message-ID: <1RP-ac98e03bbd-p@embluemail.com>
Line 63: Return-Path: emblue3prd_user2@emark9.embluejet.com

Of course in Outlook you see:
ITware Latam - Noticias de Tecnología en Latinoamérica <itwarelatam@mediaware-news.com>

I didn't add the blue domains above into my newer rules, so I will do that, but this proves my point 100%.
I want to simply match mediaware-news in 1 rule, and if it's anywhere in the header, then it's a match.

If not, I have to do a WHO/WHAT from or Regex, then the same for Reply-to, and in the end I could easily have hundreds of entries, which just seems inefficient.
It also makes me have to build the rules for each. (On a side note, I did build a quick script I feed domains into and it spits out the command line to add the rules/objects.)

So having said this, do we have a more efficient way that will do what I'm saying?
 
Any ideas??
I'm not completely sure what the issue here is, but I'll try to answer:

I want to simply match mediaware-news in 1 rule, and if it's anywhere in the header, then its a match.
that's currently not possible: the envelope sender (what is written in the SMTP dialog) is not part of the mail itself, and that is what is matched by the WHO objects,
but the From header is just that, a header, which must be matched with the Match Field

since the different types of categories in a rule are 'logical-and' combined, you cannot say "that WHO object or that WHAT object"; you just have to have two rules

but for performance it won't make a difference, since you have to test both matches anyway. also, applying the rules is in most cases not the bottleneck, as the longest things are DNS lookups, unpacking/packing the email, the virus scan, communicating with the upstream/downstream email server etc. even if you have a few hundred regexes, they won't take up much time in comparison to the disk and network access (unless you have an *extremely* limited cpu/memory setup, but those should be cheap enough these days)
 