Thanks for the reply, so not possible to have a regex filter to block any email that hides behind the alias?
Not that I know of. You can try search internet again.
But how do you know which/what alias spammers will use in their email? There could be thousand of posibilities...
Hi,
there is a thread (german) which discussed your request.
Create a What Object:
* Type: Match Field
* Field: From
* Value:
if the From address is encoded you can create a second object with:
* Value:
I'm also using this, and it works great.
Greetz
there is a thread (german) which discussed your request.
Create a What Object:
* Type: Match Field
* Field: From
* Value:
^.*<.*>.*<.*>.*$if the From address is encoded you can create a second object with:
* Value:
^.*UTF-8.*<.*>.*$I'm also using this, and it works great.
Greetz
Last edited:
SPF and DKIM may not work any more as some spam mail are going throught legit mail server or domain.
Delivered-To: jessica@xxx.com
Return-Path: Salman.agha@icecreamlab.ae
Received-SPF: pass (icecreamlab.ae: Sender is authorized to use 'salman.agha@icecreamlab.ae' in 'mfrom' identity (mechanism 'include:spf.protection.outlook.com' matched)) receiver=pmg.xxx.com; identity=mailfrom; envelope-from="salman.agha@icecreamlab.ae"; helo=eur03-am5-obe.outbound.protection.outlook.com; client-ip=40.107.3.42
Received: from EUR03-AM5-obe.outbound.protection.outlook.com (mail-eopbgr30042.outbound.protection.outlook.com [40.107.3.42])
by pmg.xxx.com (Proxmox) with ESMTP id 115FC411A1
for <jessicatang@xxx.com>; Wed, 20 Nov 2019 16:47:21 +0800 (+08)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=VpsogTtTlalHALBBjfVOCeCAwMY7LaU0KES1p7PNSCUS9o5+r8AFjoim8QuD3LktNtkG6NwMeKaJK0WArETj68ygeNwdQVmD21zMpsLKNwOeO8pTbmmlZUMe+m099O/SteLh03Vj+ghYkKYwhFS7tAm5BSd0x8MkuuEk5MmJO432JAxdGzIrUbRSmVXpf+OXd96quAcgHRFKj0c5H3fOjXj7LOJ1jQf+XRUjdi8YSS3LMFDbLR1UQDoxrlviMS69jYsnF8ly3F+m1mvW7BPWLsN75ZILMwvckOfJ2urA9T9V7Z2mg508vJVCvn7FYimT3PDAxy67dkMvcbkRU0r4JQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=Fromate:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=eg+yZnbdmwooFnm/9MMI/mpvNrDtAVPAMrFtlF5EeX4=;
b=AiFFWBOQKskzs51j1PwYdYKS+j3HdNeuRRe2jw98Vs26na6lf88wVw1nFswRey6cHzG0gwBlv3Q01xOPMcFRLV8P33ZFB9yiUihvxAU04D08Db03rm7OicP7UPM//I6C6I0qARTvX0Z5jWdivTYZYrtoPuK5YhmcQVDXl9+I9JkrU5BBMUyRon+F0a37sq1WiqvSqr0mwHsSYGWXOJr23Ajax7qZQWibIs6kEFJbT419YoBgvZRMRg+WBnSITAitdZ9kovO2q76M6g6IDqmZPaSjOrVgraZng2NoKSOjP3myttEjJakBrJNIkh3np6/0jzOsEIdoEQw6VO/gg8MPfg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
smtp.mailfrom=icecreamlab.ae; dmarc=pass action=none
header.from=icecreamlab.ae; dkim=pass header.d=icecreamlab.ae; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=Eminencegroupme.onmicrosoft.com;
s=selector2-Eminencegroupme-onmicrosoft-com;
h=From
bh=eg+yZnbdmwooFnm/9MMI/mpvNrDtAVPAMrFtlF5EeX4=;
b=iFXD+bUqc8DXTczoyy4KGpwdv9nksrabI/V6ozJ37SIvHhUSxt7fAfBNWbpwk6nmlgAoV4CAN5NyS6fZHHY78BXCXCTG5SMrsRDHS/8Fta45s5GkiQHIUQBJMxkdDMU0zF3YIxZGwIPmKTHiDDjSnXfIrHjV+2ps4fywIHCbpX8=
Received: from AM0PR08MB3780.eurprd08.prod.outlook.com (20.178.82.216) by
AM0PR08MB3283.eurprd08.prod.outlook.com (52.134.94.28) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.2474.16; Wed, 20 Nov 2019 08:47:12 +0000
Received: from AM0PR08MB3780.eurprd08.prod.outlook.com
([fe80::9c13:1a60:7a69:c1a4]) by AM0PR08MB3780.eurprd08.prod.outlook.com
([fe80::9c13:1a60:7a69:c1a4%5]) with mapi id 15.20.2474.015; Wed, 20 Nov 2019
08:47:12 +0000
From: Salman Agha <Salman.agha@icecreamlab.ae>
Hi,
looks good and don't forget to create a `Rule` with that `What Object`.
Greetz
looks good and don't forget to create a `Rule` with that `What Object`.
Greetz
just to want to post back i think the rule is not working these are the headers lucky for me i have macros blocked
as you see my clientdomain seemed that got compromised but its sending from ten.tv which is the bad domain
as you see my clientdomain seemed that got compromised but its sending from ten.tv which is the bad domain
Code:
Delivered-To: jvelez@mydomain.com
Return-Path: doaa.shaban@ten.tv
Received: from email.ten.tv (email.ten.tv [41.33.58.242])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by ares.audeinfo.local (Proxmox) with ESMTPS id 6691D5011EC
for <jvelez@mydomain.com>; Wed, 11 Dec 2019 08:10:29 -0500 (-05)
Received: from localhost (localhost [127.0.0.1])
by email.ten.tv (Postfix) with ESMTP id 4799266A38AA
for <jvelez@mydomain.com>; Wed, 11 Dec 2019 00:46:40 +0200 (EET)
X-Virus-Scanned: by amavisd-new-2.10.1 (20141025) (Debian) at ten.tv
Received: from email.ten.tv ([127.0.0.1])
by localhost (email.ten.tv [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id UiKjvyunT200 for <jvelez@mydomain.com>;
Wed, 11 Dec 2019 00:46:39 +0200 (EET)
Received: from [185.4.41.153] (h153.onetel185.4.41.onetelecom.od.ua [185.4.41.153])
by email.ten.tv (Postfix) with ESMTPSA id 361BF6673297
for <jvelez@mydomain.com>; Tue, 10 Dec 2019 19:57:19 +0200 (EET)
Date: Tue, 10 Dec 2019 19:52:26 +0200
From: "secretaria@clientdomain.com" <doaa.shaban@ten.tv>
To: "jvelez@mydomain.com" <jvelez@mydomain.com>
Subject: =?UTF-8?B?UkU6IEpPWUFOR0VMIC0gUmVjZXBjaW9uIGRlIGRvY3VtZW50YWNpw7NuIGNvbnRhYmxl?=
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--57747118643092912315370841403274648"
X-Proxmox-VInfo: Heuristics.OLE2.ContainsMacros (clamav)
----57747118643092912315370841403274648
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printableWhat is your current rules now?
What is the spam email spam score?
PMG use spamassassin to check spam mail.
Depend on your spam filter spam score, spammer can easily bypass it by create low spam score email.
One of the good option is to enable DNSBL to detect blacklisted sender IP but also cannot 100% detect/prevent all spam mail.
My recommendation is to block/quarantine the spam sender domain or part of the sender domain using regex.
Thanks for the reply, here are the rules as the blocking by regex using the above rules to block double email address in the same line i think is not working. that rule is called block fake email
The rules can only catch From: email follow below patern.
From: Test2 Test <t2.test@test.de> <libreria@fce.com.co>
From: =?UTF-8?B?QkJCIFJlY2h0c2Fud8OkbHRlIDxrYW56bGVpQGJiYi1yYS5kZT4=?= <test@test.de>
To block From: "secretaria@clientdomain.com" <doaa.shaban@ten.tv>, use below regex.
^.*".*".*<.*>.*$
or like I say block/quarantine domain @ten.tv or all domain end with .tv.
Thanks for the reply, but if i understood correctly from that pattern is if someone tries to put an email with 2 address on the "from" would block it?
or did i misunderstand
so from the above email example that came 2 days ago
Code:
To block From: "secretaria@clientdomain.com" <doaa.shaban@ten.tv>, use below regex.Thank you
Regex pattern ^.*".*".*<.*>.*$ will catch any From: with xxx "xxx" <xxx@xxx> format. You can read more about how regex work https://regex101.com/.
Spammer can easily forge any email address or domain as they want. They can mix display name and actual email address to trick receiver to open the spam mail.
https://askleo.com/why_are_email_addresses_sometimes_in_anglebrackets/
Thank you for the reply, correct me if i understood correctly,
so i gues my question what pattern would it be to block something like this, so in theory the secretaria@clientdomain.com is the display name of the email and the real email is doaa.shaban@ten.tv?
so this filter rule i have on PMG will block if someone email something like this
Code:
mr smith "robot" <bad@email.com>so i gues my question what pattern would it be to block something like this, so in theory the secretaria@clientdomain.com is the display name of the email and the real email is doaa.shaban@ten.tv?
Code:
"secretaria@clientdomain.com" <doaa.shaban@ten.tv>1. Use the mail filter test string option to test your rules. You might want to becareful using regex as it could detect/block other legit email sender.
2. Yes.
Of course was the account was hacked.
This kind of attack is called email spoofing, the hacker use a hacked email and us a known email from your known list , then they send a email you recognize as your friends, with an attachment but coming from another email.
Generally the users does not check the original message or does not suspect anything because the lack of training about security, so they open the attachement and "BINGO!" they are hacked too with a trojan.
There are steps before the hacker do this attack, first the attacker must look for your known friend email list. He can search for every known destiny mail you have sent and if they success to hack them they send you a email with a valid hacked email with a part of a conversation you have done with your friends but is coming like this:
Code:
From: "yourfriendname@yourfrienddomain" <usermailhacked@domainuserhacked>In other words the hacker try to say is your friend sending you an attached file saying something like: "This is the file you asked" "I have send you the quoted", the message is adjusted according the conversation the hacker has stolen from your friend and you.
Then is easy to make the victim to be taken down with the trojan being open by the end user.
Last edited: