[SOLVED] SPAM from Google, MS, Yahoo etc

[zolthar]

We are getting more SPAM and Phishing from these servers which obviously passes.

These are mainly:

1. Phising one liners with a bit.ly or some shortened link
2. Password Renewal/Reset Phishing emails
3. Software Development, Website and SEO cold contact (just annoying than anything)

How do you manage these types of SPAM coming in?

What Heuristics or addon would/do you use possibly without over-burdening the server load and processing time?

 

[hata_ph]

Try filter by subject, sender email/name by regex and custom spamassassin score.

You need to study the spam mails content and headers to customize your filtering.

 

[zolthar]

I tried that without much success as it keeps changing both the body, subject and links. Here are some examples - please dont click on any of these links:

Sample 1:

Subject: Yo!.Popular solution

I was amazed! http://ANNTP86U.guilty wide.link/usmy Isn’t it wonderful?

Adele Labrooy

Sample 2:

Subject: Yo! Dear.Right decision

Unbelievable! http://5xl.guilty wide.link/usmy

Have you ever heard of such a thing?

Sample 3:

Subject: Your account has been restricted


 Your account has been restricted


We need your help in securing your account to prevent unauthorized access. For your security, your account may have some restrictions until you take measurements.


We will shut down your account after 1 day (24 hours) and you will be permanently banned from our website.


Everything We need your help in securing your account to prevent unauthorized access. For your security, click Secure My Account to confirm your information.


Secure my account > <http://bit. do/fQwGz>


Support-team


Help | Contact | Privacy policy
Copyrights 2021 All Rights reserved.

Yes with sample 1/2 it was guiltywide link which I can block - however this will always change.

Yes I was able to somewhat detect them as SPAM, however their scores were 3 and 4 for sample 1/2 respectively which is annoying as it is (for us) a borderline with some False Positives and we allow them to go through.

I was hoping maybe DCC or SA has a figure https://www.futurequest.net/docs/SA/ combination that will make a hit and increase the score.

 

[hata_ph]

try this what object to filter mails.

 

[zolthar]

Thanks mate - I have just implemented and will test it out.

I know this will cause issues as "your account" is used for many things such as MYOB, Bank, Crypto etc regarding alerts. But I will definitely use this to fine-tune what gets blocked out nonetheless.

 

[zolthar]

@hata_ph

BTW - is there a possibility of using "AND" in a regex?

Combining => build && seo or seo && website

So if a subject string contains build and seo anywhere it can be blocked?

 

[hata_ph]

If not mistaken the mail filter do not support or condition.

 

[zolthar]

I beleive Its the other way as the pipe is an "OR" Operand and "AND" is not available? Happy to be proven wrong

According to this link https://www.rexegg.com/regex-quickstart.html#logic

So with your statement it matches if it contains any of those values defined.

BTW, still waiting on matches, some False Positives were hit with "popular", so I may remove that in my environment.

 

[hata_ph]

Another option is spamassassin custom rules. Let the score build up and get filtered.
Create your custom rules under /etc/mail/spamassasin/custom.cf. Restart pmg-smtp-filter for the new rules to take effect.

Below is some subject/body rules for references.

https://github.com/kawaiipantsu/spamassassin-rules/blob/master/rules/local-profanity.cf

 

[zolthar]

@hata_ph Thanks heaps - I will definitely have to look into this path with custom rules. This way I can simply control it via a scoring method.

Ill work on this this weekend.

Thanks mate.

 

[zolthar]

@hata_ph Thanks heaps, I have implemented over this weekend but I have not had a hit yet for the custom rule - although did get a couple for your original which is working great

Do you know the regex/custom rule so that I can score email body that has a TLD either contained as a HREF or displayed?

eg.
http://R(RemoveThisPartInBracket)7bgFv.create easy.link/usmy
or
http://someurl.com/something
or
www.somelink.link/somethinghere

As you can see, both have the domain .link and most of the phishing emails have that domain currently.

 

[zolthar]

Should have just Googled it:
https://stackoverflow.com/questions/38331678/regex-matching-a-specific-tld

Here is my altered version:
https://regex101.com/r/hUPnSE/1

I also found this as a more complicated method for reference:
https://stackoverflow.com/questions/32730133/javascript-reg-exp-to-match-specific-domain-name

 

[zolthar]

Ok, having issues applying this rule:

header   LOCAL_BODY_TLD_1  /\.link(?:[.:\/]|$)
describe LOCAL_BODY_TLD_1  Penalise emails containing these TLD
score    LOCAL_BODY_TLD_1  1.5

Restarted:

systemctl restart pmg-smtp-filter

I sent this email body

Testing link again
www.test.link/url

But it doesnt detect in the Score:

SA score=0/5 time=1.560 bayes=0.00 autolearn=ham autolearn_force=no
hits=AWL(1.472),BAYES_00(-1.9),DCC_REPUT_13_19(-0.1),
DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-1),DKIM_VALID_EF(-1),
FREEMAIL_FROM(0.001),HTML_MESSAGE(0.001),RCVD_IN_DNSWL_NONE(-0.0001),
RCVD_IN_MSPIKE_H3(-0.01),RCVD_IN_MSPIKE_WL(-0.01),SPF_HELO_NONE(0.001),
SPF_PASS(-0.001),TVD_SPACE_RATIO(0.001)

Any help would be apprecaited.

 

[hata_ph]

I use below who object regex to filter incoming mail from the .link domain.

(\W|^)[\w.+\-]{0,50}@[\w.+\-]{0,50}\.link(\W|$)

For spamassassin rules, check out https://gist.github.com/jult/9bfdc4d07b44be01a02cc2aaf25b7c39

 

[hata_ph]

Ok, having issues applying this rule:

header   LOCAL_BODY_TLD_1  /\.link(?:[.:\/]|$)
describe LOCAL_BODY_TLD_1  Penalise emails containing these TLD
score    LOCAL_BODY_TLD_1  1.5

Any help would be apprecaited.

Try this

header   LOCAL_BODY_TLD_1  /\.link(?:[.:\/]|$)/i
describe LOCAL_BODY_TLD_1  Penalise emails containing these TLD
score    LOCAL_BODY_TLD_1  1.5

 

[zolthar]

You are a welath of sources thank you very much - will have to integrate that link you provided.

I use below who object regex to filter incoming mail from the .link domain.

(\W|^)[\w.+\-]{0,50}@[\w.+\-]{0,50}\.link(\W|$)

For spamassassin rules, check out https://gist.github.com/jult/9bfdc4d07b44be01a02cc2aaf25b7c39

Thank you, however I wanted to target the URI within the body as that is causing the issue moreso than the domain as the emails are coming from outlook.com and gmail.com.

I tried that, however did not recognise in the SPAM Score:

Try this

header   LOCAL_BODY_TLD_1  /\.link(?:[.:\/]|$)/i
describe LOCAL_BODY_TLD_1  Penalise emails containing these TLD
score    LOCAL_BODY_TLD_1  1.5

Ill keep trying later today and hopefully will get it working somehow.

 

[hata_ph]

Try below rule and test with an actual URL link with http://www.test.link/url. If without http:// or https:// you need to use body instead of uri.

uri SPAM_LINK_4 /\.(link|see|me)/i # or /\.(link|see|me)\/*/i
score SPAM_LINK_4 0.4
describe SPAM_LINK_4 Spam link

 

[zolthar]

Thank heaps @hata_ph

I just got back on my PC and learn a valuable lesson when copy and pasting as what you posted made me feel like a box of air .. absolute doh moment!

Try below rule and test with an actual URL link with http://www.test.link/url. If without http:// or https:// you need to use body instead of uri.

uri SPAM_LINK_4 /\.(link|see|me)/i # or /\.(link|see|me)\/*/i
score SPAM_LINK_4 0.4
describe SPAM_LINK_4 Spam link

All I had to do was change the Rule Type correctly from "header" to "uri/body" and it worked:

FREEMAIL_FROM(0.001),HTML_MESSAGE(0.001),LOCAL_BODY_TLD_1(1.5),RCVD_IN_DNSWL_NONE(-0.0001)

Now I can adjust the scoring and hopefully root out these types of emails.

THank you heaps @hata_ph , you saved me lots of debugging time.