[SOLVED] SPAM from Google, MS, Yahoo etc

Dec 27, 2020
We are getting more SPAM and Phishing from these servers which obviously passes.

These are mainly:
  1. Phishing one liners with a bit.ly or some shortened link
  2. Password Renewal/Reset Phishing emails
  3. Software Development, Website and SEO cold contact (just annoying than anything)
How do you manage these types of SPAM coming in?

What Heuristics or addon would/do you use possibly without over-burdening the server load and processing time?
 
Try filtering by subject and sender email/name with a regex and a custom SpamAssassin score.

You need to study the spam mails content and headers to customize your filtering.
 
I tried that without much success as it keeps changing both the body, subject and links. Here are some examples - please don't click on any of these links:

Sample 1:
Code:
Subject: Yo!.Popular solution

I was amazed! http://ANNTP86U.guilty wide.link/usmy Isn’t it wonderful?

Adele Labrooy

Sample 2:
Code:
Subject: Yo! Dear.Right decision

Unbelievable! http://5xl.guilty wide.link/usmy

Have you ever heard of such a thing?

Sample 3:
Code:
Subject: Your account has been restricted


 Your account has been restricted


We need your help in securing your account to prevent unauthorized access. For your security, your account may have some restrictions until you take measurements.


We will shut down your account after 1 day (24 hours) and you will be permanently banned from our website.


Everything We need your help in securing your account to prevent unauthorized access. For your security, click Secure My Account to confirm your information.


Secure my account > <http://bit. do/fQwGz>


Support-team


Help | Contact | Privacy policy
Copyrights 2021 All Rights reserved.


Yes with sample 1/2 it was guiltywide link which I can block - however this will always change.

Yes I was able to somewhat detect them as SPAM, however their scores were 3 and 4 for sample 1/2 respectively which is annoying as it is (for us) a borderline with some False Positives and we allow them to go through.

I was hoping maybe DCC or SA has a figure https://www.futurequest.net/docs/SA/ combination that will make a hit and increase the score.
 
Thanks mate - I have just implemented and will test it out. ;);)

I know this will cause issues as "your account" is used for many things such as MYOB, Bank, Crypto etc regarding alerts. But I will definitely use this to fine-tune what gets blocked out nonetheless.
 
@hata_ph Thanks heaps, I have implemented over this weekend but I have not had a hit yet for the custom rule - although did get a couple for your original which is working great :cool:

Do you know the regex/custom rule so that I can score email body that has a TLD either contained as a HREF or displayed?

eg.
http://R(RemoveThisPartInBracket)7bgFv.create easy.link/usmy
or
http://someurl.com/something
or
www.somelink.link/somethinghere

As you can see, both have the domain .link and most of the phishing emails have that domain currently.
 
Ok, having issues applying this rule:
Code:
header   LOCAL_BODY_TLD_1  /\.link(?:[.:\/]|$)
describe LOCAL_BODY_TLD_1  Penalise emails containing these TLD
score    LOCAL_BODY_TLD_1  1.5

Restarted:
Code:
systemctl restart pmg-smtp-filter

I sent this email body
Code:
Testing link again
www.test.link/url

But it doesnt detect in the Score:
Code:
SA score=0/5 time=1.560 bayes=0.00 autolearn=ham autolearn_force=no
hits=AWL(1.472),BAYES_00(-1.9),DCC_REPUT_13_19(-0.1),
DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-1),DKIM_VALID_EF(-1),
FREEMAIL_FROM(0.001),HTML_MESSAGE(0.001),RCVD_IN_DNSWL_NONE(-0.0001),
RCVD_IN_MSPIKE_H3(-0.01),RCVD_IN_MSPIKE_WL(-0.01),SPF_HELO_NONE(0.001),
SPF_PASS(-0.001),TVD_SPACE_RATIO(0.001)

Any help would be appreciated.
 
Ok, having issues applying this rule:
Code:
header   LOCAL_BODY_TLD_1  /\.link(?:[.:\/]|$)
describe LOCAL_BODY_TLD_1  Penalise emails containing these TLD
score    LOCAL_BODY_TLD_1  1.5

Any help would be appreciated.
Try this

Code:
header   LOCAL_BODY_TLD_1  /\.link(?:[.:\/]|$)/i
describe LOCAL_BODY_TLD_1  Penalise emails containing these TLD
score    LOCAL_BODY_TLD_1  1.5
 
You are a wealth of sources :) thank you very much - will have to integrate that link you provided.

I use the below Who object regex to filter incoming mail from the .link domain.

(\W|^)[\w.+\-]{0,50}@[\w.+\-]{0,50}\.link(\W|$)

For spamassassin rules, check out https://gist.github.com/jult/9bfdc4d07b44be01a02cc2aaf25b7c39

Thank you, however I wanted to target the URI within the body as that is causing the issue more so than the domain, as the emails are coming from outlook.com and gmail.com.

I tried that, however it was not recognised in the SPAM score:
Try this

Code:
header   LOCAL_BODY_TLD_1  /\.link(?:[.:\/]|$)/i
describe LOCAL_BODY_TLD_1  Penalise emails containing these TLD
score    LOCAL_BODY_TLD_1  1.5

I'll keep trying later today and hopefully will get it working somehow.
 
Try below rule and test with an actual URL link with http://www.test.link/url. If without http:// or https:// you need to use body instead of uri.

Code:
uri SPAM_LINK_4 /\.(link|see|me)/i # or /\.(link|see|me)\/*/i
score SPAM_LINK_4 0.4
describe SPAM_LINK_4 Spam link
 
Thank heaps @hata_ph

I just got back on my PC and learned a valuable lesson when copying and pasting, as what you posted made me feel like a box of air ;) .. absolute doh moment!
Try below rule and test with an actual URL link with http://www.test.link/url. If without http:// or https:// you need to use body instead of uri.

Code:
uri SPAM_LINK_4 /\.(link|see|me)/i # or /\.(link|see|me)\/*/i
score SPAM_LINK_4 0.4
describe SPAM_LINK_4 Spam link

All I had to do was change the Rule Type correctly from "header" to "uri/body" and it worked:
Code:
FREEMAIL_FROM(0.001),HTML_MESSAGE(0.001),LOCAL_BODY_TLD_1(1.5),RCVD_IN_DNSWL_NONE(-0.0001)

Now I can adjust the scoring and hopefully root out these types of emails.

Thank you heaps @hata_ph , you saved me lots of debugging time. :)
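The lesson of the thread, that a rule only matches where its type looks, is easy to reproduce offline. The block below is an added illustration, not code from the thread or from SpamAssassin itself: it models the header, uri and body rule types against a constructed message that carries a .link URL only in the body, so the header rule scores nothing while the uri and body rules both hit. (In real SpamAssassin a header rule also names the header to test, e.g. `Subject =~ /.../`; the model assumes Subject.)

```python
import email
import re
from email import policy

# Constructed sample message modelled on the thread's samples (not a real capture).
SAMPLE = b"""From: sender@gmail.com
Subject: Yo! Dear.Right decision
Content-Type: text/plain

Unbelievable! http://www.test.link/url
Have you ever heard of such a thing?
"""

# Minimal model of three SpamAssassin rule types: (name, type, pattern, score).
# This is an illustration of where each type looks, not the SA rule engine.
RULES = [
    ("LOCAL_BODY_TLD_1", "header", r"\.link(?:[.:/]|$)", 1.5),  # the thread's first attempt
    ("SPAM_LINK_4",      "uri",    r"\.(link|see|me)",   0.4),  # hata_ph's uri rule
    ("LOCAL_BODY_TLD_B", "body",   r"\.link(?:[.:/]|$)", 1.5),  # same pattern as a body rule
]

# Crude URI extractor standing in for SA's URI detection (http(s):// and bare www. links).
URI_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)


def score_message(raw, rules, header_name="Subject"):
    """Return (hits, total) for a raw RFC 5322 message under the model above."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    targets = {
        "header": [msg.get(header_name, "")],  # header rules test one named header
        "uri": URI_RE.findall(body),           # uri rules test URIs pulled from the body
        "body": [body],                        # body rules test the rendered body text
    }
    hits = {}
    for name, rtype, pattern, score in rules:
        rx = re.compile(pattern, re.I)
        if any(rx.search(t) for t in targets[rtype]):
            hits[name] = score
    return hits, round(sum(hits.values()), 3)


if __name__ == "__main__":
    print(score_message(SAMPLE, RULES))
```

Only the uri and body rules fire on the sample; the header rule never sees the link, which is exactly why changing the rule type from "header" to "uri/body" fixed it.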
 