Thanks for the reply, so it's not possible to have a regex filter to block any email that hides behind the alias?
Thanks for the reply, sorry for not being clear.
What I meant is: does this filter also block emails that try to mask the sender?
e.g. from:client@domain.com <fakeemail@domain.com>
A filter to block any email that tries to mask the email with another email.
Thank you
^.*<.*>.*<.*>.*$
^.*UTF-8.*<.*>.*$
Hi,
there is a thread (German) which discussed your request.
Create a What Object:
* Type: Match Field
* Field: From
* Value: ^.*<.*>.*<.*>.*$
If the From address is encoded, you can create a second object with:
* Value: ^.*UTF-8.*<.*>.*$
I'm also using this, and it works great.
Greetz
Would checking SPF work here? It should catch that the mail is not really from @abc.com.
Delivered-To: jessica@xxx.com
Return-Path: Salman.agha@icecreamlab.ae
Received-SPF: pass (icecreamlab.ae: Sender is authorized to use 'salman.agha@icecreamlab.ae' in 'mfrom' identity (mechanism 'include:spf.protection.outlook.com' matched)) receiver=pmg.xxx.com; identity=mailfrom; envelope-from="salman.agha@icecreamlab.ae"; helo=eur03-am5-obe.outbound.protection.outlook.com; client-ip=40.107.3.42
Received: from EUR03-AM5-obe.outbound.protection.outlook.com (mail-eopbgr30042.outbound.protection.outlook.com [40.107.3.42])
by pmg.xxx.com (Proxmox) with ESMTP id 115FC411A1
for <jessicatang@xxx.com>; Wed, 20 Nov 2019 16:47:21 +0800 (+08)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=VpsogTtTlalHALBBjfVOCeCAwMY7LaU0KES1p7PNSCUS9o5+r8AFjoim8QuD3LktNtkG6NwMeKaJK0WArETj68ygeNwdQVmD21zMpsLKNwOeO8pTbmmlZUMe+m099O/SteLh03Vj+ghYkKYwhFS7tAm5BSd0x8MkuuEk5MmJO432JAxdGzIrUbRSmVXpf+OXd96quAcgHRFKj0c5H3fOjXj7LOJ1jQf+XRUjdi8YSS3LMFDbLR1UQDoxrlviMS69jYsnF8ly3F+m1mvW7BPWLsN75ZILMwvckOfJ2urA9T9V7Z2mg508vJVCvn7FYimT3PDAxy67dkMvcbkRU0r4JQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=eg+yZnbdmwooFnm/9MMI/mpvNrDtAVPAMrFtlF5EeX4=;
b=AiFFWBOQKskzs51j1PwYdYKS+j3HdNeuRRe2jw98Vs26na6lf88wVw1nFswRey6cHzG0gwBlv3Q01xOPMcFRLV8P33ZFB9yiUihvxAU04D08Db03rm7OicP7UPM//I6C6I0qARTvX0Z5jWdivTYZYrtoPuK5YhmcQVDXl9+I9JkrU5BBMUyRon+F0a37sq1WiqvSqr0mwHsSYGWXOJr23Ajax7qZQWibIs6kEFJbT419YoBgvZRMRg+WBnSITAitdZ9kovO2q76M6g6IDqmZPaSjOrVgraZng2NoKSOjP3myttEjJakBrJNIkh3np6/0jzOsEIdoEQw6VO/gg8MPfg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
smtp.mailfrom=icecreamlab.ae; dmarc=pass action=none
header.from=icecreamlab.ae; dkim=pass header.d=icecreamlab.ae; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=Eminencegroupme.onmicrosoft.com;
s=selector2-Eminencegroupme-onmicrosoft-com;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=eg+yZnbdmwooFnm/9MMI/mpvNrDtAVPAMrFtlF5EeX4=;
b=iFXD+bUqc8DXTczoyy4KGpwdv9nksrabI/V6ozJ37SIvHhUSxt7fAfBNWbpwk6nmlgAoV4CAN5NyS6fZHHY78BXCXCTG5SMrsRDHS/8Fta45s5GkiQHIUQBJMxkdDMU0zF3YIxZGwIPmKTHiDDjSnXfIrHjV+2ps4fywIHCbpX8=
Received: from AM0PR08MB3780.eurprd08.prod.outlook.com (20.178.82.216) by
AM0PR08MB3283.eurprd08.prod.outlook.com (52.134.94.28) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.2474.16; Wed, 20 Nov 2019 08:47:12 +0000
Received: from AM0PR08MB3780.eurprd08.prod.outlook.com
([fe80::9c13:1a60:7a69:c1a4]) by AM0PR08MB3780.eurprd08.prod.outlook.com
([fe80::9c13:1a60:7a69:c1a4%5]) with mapi id 15.20.2474.015; Wed, 20 Nov 2019
08:47:12 +0000
From: Salman Agha <Salman.agha@icecreamlab.ae>
Delivered-To: jvelez@mydomain.com
Return-Path: doaa.shaban@ten.tv
Received: from email.ten.tv (email.ten.tv [41.33.58.242])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by ares.audeinfo.local (Proxmox) with ESMTPS id 6691D5011EC
for <jvelez@mydomain.com>; Wed, 11 Dec 2019 08:10:29 -0500 (-05)
Received: from localhost (localhost [127.0.0.1])
by email.ten.tv (Postfix) with ESMTP id 4799266A38AA
for <jvelez@mydomain.com>; Wed, 11 Dec 2019 00:46:40 +0200 (EET)
X-Virus-Scanned: by amavisd-new-2.10.1 (20141025) (Debian) at ten.tv
Received: from email.ten.tv ([127.0.0.1])
by localhost (email.ten.tv [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id UiKjvyunT200 for <jvelez@mydomain.com>;
Wed, 11 Dec 2019 00:46:39 +0200 (EET)
Received: from [185.4.41.153] (h153.onetel185.4.41.onetelecom.od.ua [185.4.41.153])
by email.ten.tv (Postfix) with ESMTPSA id 361BF6673297
for <jvelez@mydomain.com>; Tue, 10 Dec 2019 19:57:19 +0200 (EET)
Date: Tue, 10 Dec 2019 19:52:26 +0200
From: "secretaria@clientdomain.com" <doaa.shaban@ten.tv>
To: "jvelez@mydomain.com" <jvelez@mydomain.com>
Subject: =?UTF-8?B?UkU6IEpPWUFOR0VMIC0gUmVjZXBjaW9uIGRlIGRvY3VtZW50YWNpw7NuIGNvbnRhYmxl?=
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--57747118643092912315370841403274648"
X-Proxmox-VInfo: Heuristics.OLE2.ContainsMacros (clamav)
----57747118643092912315370841403274648
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Just wanted to post back, I think the rule is not working. These are the headers; lucky for me I have macros blocked.
As you see, my clientdomain seems to have been compromised, but it's sending from ten.tv, which is the bad domain.
Thanks for the reply, here are the rules. The blocking by regex using the above rules to block a double email address in the same line is, I think, not working. That rule is called block fake email.
The rules can only catch From: emails that follow the patterns below.
From: Test2 Test <t2.test@test.de> <libreria@fce.com.co>
From: =?UTF-8?B?QkJCIFJlY2h0c2Fud8OkbHRlIDxrYW56bGVpQGJiYi1yYS5kZT4=?= <test@test.de>
To block From: "secretaria@clientdomain.com" <doaa.shaban@ten.tv>, use the regex below.
^.*".*".*<.*>.*$
Or, like I say, block/quarantine the domain @ten.tv or all domains ending with .tv.
Thanks for the reply, but if I understood correctly, that pattern would block it if someone tries to put an email with 2 addresses in the "From"?
Or did I misunderstand?
So, from the above email example that came 2 days ago,
does it mean that secretaria@clientdomain.com (the client) was hacked by doaa.shaban@ten.tv and was sending through another domain? So it wasn't masking 2 email addresses?
Thank you
Regex pattern ^.*".*".*<.*>.*$ will catch any From: with the xxx "xxx" <xxx@xxx> format.
mr smith "robot" <bad@email.com>
"secretaria@clientdomain.com" <doaa.shaban@ten.tv>
Thank you for the reply, correct me if I understood correctly,
so this filter rule I have on PMG will block it if someone emails something like this:
mr smith "robot" <bad@email.com>
So I guess my question is: what pattern would it be to block something like this? So in theory secretaria@clientdomain.com is the display name of the email and the real email is doaa.shaban@ten.tv?
"secretaria@clientdomain.com" <doaa.shaban@ten.tv>
Of course the account was hacked.
From: "yourfriendname@yourfrienddomain" <usermailhacked@domainuserhacked>
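Added example (my own Python, not PMG code and not from anyone in this thread): it runs the three regexes posted above against the From values quoted in the thread, and beside them a header-aware check that decodes RFC 2047 encoded words and compares any address in the display name with the real angle-bracket address, which is the case the last posts describe. The function names and the extra "Smith, John" sample are my assumptions.

```python
import re
from email.header import decode_header

# The three From-field regexes posted in this thread, exactly as typed into a
# PMG "Match Field" What object (the key names are mine, not PMG terms).
PMG_PATTERNS = {
    "double-angle": r"^.*<.*>.*<.*>.*$",
    "utf8-encoded": r"^.*UTF-8.*<.*>.*$",
    "quoted-name": r'^.*".*".*<.*>.*$',
}
ANGLE_RE = re.compile(r"<([^<>\s]+@[^<>\s]+)>")  # the real sender: <addr>
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")       # any address-looking token

def decode_rfc2047(value):
    """Decode =?charset?B?...?= words so an <addr> hidden inside becomes visible."""
    parts = []
    for payload, charset in decode_header(value):
        if isinstance(payload, bytes):
            payload = payload.decode(charset or "ascii", "replace")
        parts.append(payload)
    return "".join(parts)

def pmg_matches(value):
    """Names of the thread's regexes that fire on the raw From value."""
    return [name for name, pat in PMG_PATTERNS.items() if re.search(pat, value)]

def spoof_findings(value):
    """Header-aware check: several <addr>s, or a display name carrying an
    address whose domain differs from the real <addr> (the case in the thread)."""
    decoded = decode_rfc2047(value)
    angles = ANGLE_RE.findall(decoded)
    findings = ["multiple angle addresses"] if len(angles) > 1 else []
    if angles:
        real = angles[-1]
        real_domain = real.rsplit("@", 1)[1].lower()
        for claimed in ADDR_RE.findall(decoded.split("<", 1)[0]):  # display name only
            if claimed.rsplit("@", 1)[1].lower() != real_domain:
                findings.append(f"display name claims {claimed}, real sender is {real}")
    return findings

# From values quoted in the thread, plus one constructed legitimate quoted
# display name to show the quoted-name regex also fires on harmless mail.
SAMPLES = [
    'Test2 Test <t2.test@test.de> <libreria@fce.com.co>',
    '=?UTF-8?B?QkJCIFJlY2h0c2Fud8OkbHRlIDxrYW56bGVpQGJiYi1yYS5kZT4=?= <test@test.de>',
    '"secretaria@clientdomain.com" <doaa.shaban@ten.tv>',
    'mr smith "robot" <bad@email.com>',
    'Salman Agha <Salman.agha@icecreamlab.ae>',
    '"Smith, John" <john.smith@example.com>',
]
```

The quoted-name regex also fires on ordinary mail with a quoted display name, so a Match Field object built on it should be checked against legitimate traffic before it is set to block rather than quarantine.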