Who Objects -> Blacklist -> Domain (Not Working)

OK, I deleted the what object, but FYI I added it when the who didn't work.
Rules attached, I believe I left those at the default values.

** After applying the rules as requested, I continued to receive messages from that sender.
Header attached.

** Received another this morning from FC7LX.R3OFC7LX@1JSV.brimmats.com. When I test that in the regex it matches, but since I haven't been using PMG long I'm not sure yet why it's not being rejected.


Today's header (AM):
Delivered-To: andrew@test.net
Return-Path:
Received: from email.seattle.gov (senke.deparench.eu [89.251.16.110])
by mgw.localdomain (Proxmox) with ESMTP id 37AEB809F1
for <andrew@test.net>; Mon, 12 Oct 2020 09:38:42 -0400 (EDT)
subject: SPAM: Say Bye To Moles And SkinTags
From: "DermaCorrect Skin Tags" <R3OFC7LX.R3OFC7LX@1JSV.brimmats.com>
To: alicia@web56.net
Content-Type: text/html; charset=utf-8;
Content-Disposition: inline
Date: Mon, 12 Oct 2020 09:00:48 -0400
X-SPAM-LEVEL: Spam detection results: 16
BODY_URI_ONLY 0.822 Message body is only a URI in one line of text or for an image
FSL_BULK_SIG 0.001 Bulk signature with no Unsubscribe
HTML_IMAGE_ONLY_12 1.629 HTML: images with 800-1200 bytes of words
HTML_MESSAGE 0.001 HTML included in message
HTML_SHORT_LINK_IMG_1 0.139 HTML is very short with a linked image
KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
KAM_EU 0.5 Prevalent use of .eu in spam/malware
KAM_GRABBAG2 5 Grabbag of Spams hitting EU domains and other indicators
KHOP_HELO_FCRDNS 0.4 Relay HELO differs from its IP's reverse DNS
MIME_HTML_ONLY 0.1 Message only has text/html MIME parts
MISSING_MID 0.14 Missing Message-Id: header
RAZOR2_CF_RANGE_51_100 2.43 Razor2 gives confidence level above 50%
RAZOR2_CHECK 1.729 Listed in Razor2 (http://razor.sf.net/)
SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record
T_KAM_HTML_FONT_INVALID 0.01 Test for Invalidly Named or Formatted Colors in HTML
T_REMOTE_IMAGE 0.01 Message contains an external image
URIBL_ABUSE_SURBL 1.948 Contains an URL listed in the ABUSE SURBL blocklist [telects.eu]
URIBL_BLACK 1.7 Contains an URL listed in the URIBL blacklist [telects.eu]
 
Create a new what object with a From match field as shown below, then change your Blacklist rule to use the what object instead of the who object.
 
I'm not as familiar with the rule aspect and the process of trying to change the blacklist rule to use the what object.
I can erase the blacklist part, but I'm not sure how to add in the who object.
Do you have some reference?

Thanks
 
Click the minus icon to remove the what object and click the plus icon to add a new object.
 
OK, just to be safe, this is what I have done.

Also, how does this affect those blacklists which were created by users or at the main level?
 
PMG's rules run based on priority. You can enable/disable a rule for testing.
To test your rule, make it the highest priority so that it will execute first.
It is advised to set quarantine instead of block when testing rules.
 
Thank you.

OK, to further research this and wrap my head around it:

How can I find out if we have in fact blocked that domain's or sender's messages? (I can't find that domain name in mail.log.)

Second, in the Rules, Block, I can add the blacklist after that what object in order to get both criteria to filter/reject, right?
And the top-down order applies?

Thank you!
 
Check your mail.log or Tracking Center for rule hits as shown below.

Code:
Oct 15 08:21:22 pmg pmg-smtp-filter[18701]: 4092D5F87960066E04: block mail to <xxx@xxx.com> (rule: Block Spam Domain)

I seldom use multiple filter criteria in rules, so I cannot give you a correct answer. I mainly use a single filter criterion to simplify my PMG filtering. Maybe the PMG devs can help clarify your second question.
 
@hata_ph

I'm not really seeing the rules working; some other criteria did block a couple.

I took the regular expression you provided and tested it on a couple of regex testing sites, but it actually doesn't match.

Did I do something wrong with what you provided?

Code:
(\W|^)[\w.+\-]{0,50}@[\w.+\-]{0,50}phxwebserver\.com(\W|$)

Tried it on https://www.regextester.com/ and https://regex101.com/

I'm going to try this one:
(^|^[^:]+:\/\/|[^\.]+\.)phxwebserver\.com
 
Show the mail log related to your incoming mail.
Show the raw format of the email if possible.
Are you using the regex on a who or a what object?
 
Sorry, it looks like we deleted those messages after reporting them to SpamCop.
They are the same as the messages above.

The first part is that the regex wasn't matching; it should have matched properly not only within PMG (which it wasn't) but also on any regex site, right?

Even when I put in the new regex it's not blocking anything.

I guess I want to understand this better; once I get one working, the rest are cookie cutter for the block.
As an example, below is the same as one of the messages we had issues blocking.

To clarify the docs: if I put a domain in the who blacklist (Domain), it will block matching senders @domain.com but not @.sub.domain, right?
For that I would have to do a regex with the domain, correct?


In this header line, if I put the who regex on Received, is this the best way to block the domain name within this string?
If I use match, it would be match->received->regex, correct?
--- Received: from email.seattle.gov (sikhar.sightning.eu [89.251.17.12])

--- by mgw.localdomain (Proxmox) with ESMTP id 3DDA38133C
--- for <user1@domainname.net>; Tue, 6 Oct 2020 17:48:43 -0400 (EDT)
--- subject: SPAM: 1 Day Bathroom Remodels

And on this line, if I use the domain name, will it match anything with the domain, or is that back to the regex?
Here I would put match->from->regex?
From: "Bathroom Renovation Shop" <S96GU17A.S96GU17A@F9YJ.brimmats.com>

And for both of these, should this be using who or what?
Currently using what.
 
Following the example mail raw format below, there are a few ways to block/quarantine the mail using mail rules.

1. Create a who object with regex (\W|^)[\w.+\-]{0,50}@[\w.+\-]{0,50}zcsend\.net(\W|$).

2. Create a what object with a From match field.
3. Set up a what object with a Subject match field.

Code:
Delivered-To: abc@mydomain.com
Return-Path: bounce_21769671+a.11fde2ae78c17d5_11699e4bf3a8fd1_v55@mail12.bnws.zcsend.net
Received-SPF: pass (mail12.bnws.zcsend.net: Sender is authorized to use 'bounce_21769671@mail12.bnws.zcsend.net' in 'mfrom' identity (mechanism 'include:zcsend.net' matched)) receiver=pmg.mydomain.com; identity=mailfrom; envelope-from="bounce_21769671@mail12.bnws.zcsend.net"; helo=sender-128.psu3.zcsend.net; client-ip=135.84.81.128
Received: from sender-128.psu3.zcsend.net (sender-128.psu3.zcsend.net [135.84.81.128])
    by pmg.mydomain.com (Proxmox) with ESMTP
    for <abc@mydomain.com>; Mon, 19 Oct 2020 14:01:10 +0800 (+08)
Received: from senderb63.zcsend.net (10.40.13.125) by sender-128.psu3.zcsend.net id hhklqc28epgq for <abc@mydomain.com>; Sun, 18 Oct 2020 23:01:09 -0700 (envelope-from <bounce_21769671+a.11fde2ae78c17d5_11699e4bf3a8fd1_v55@mail12.bnws.zcsend.net>)
Received: from 172.30.235.68 (172.30.235.68) by senderb63.zcsend.net id hhklqa28epgs for <abc@mydomain.com>; Sun, 18 Oct 2020 23:01:09 -0700 (envelope-from <bounce_21769671+a.11fde2ae78c17d5_11699e4bf3a8fd1_v55@mail12.bnws.zcsend.net>)
DKIM-Signature: a=rsa-sha1; b=pNTDTCmLx2UGYzgdffgL+UqnnamkaAld/lyfruaPVJS9EOHacZFWSOkapoXzDDec7tklMJfuj2tywIzQbRKNTmIlukfM01pB/Ysxdv3Wb4/TJbK4RD8o+lb10naBOYuU/sp9iGr/TaU17lbr8WFnWq66cQFwSEXTEpmLI33mcdQ=; c=simple/simple; s=18223; d=disruptivetechasean.com; v=1; bh=5mpNdDzSfnRbLS7SjO5fCm9MWlc=; h=date:from:reply-to:to:message-id:subject:mime-version:content-type;
Date: Sun, 18 Oct 2020 23:01:09 -0700 (PDT)
From: "Monica" <news@disruptivetechasean.com>
Reply-To: news@disruptivetechasean.com
Subject: Save up to 7% with your promo code and this week's Insider Deals!
 
I do have the WHAT->Match-From and the WHO->REGEX; I also have my Blacklist set to use WHAT objects and block.
Attached is a small part of what is in the spam queue (note.txt) and a sample header (headers.txt).

In this example, phxwebserver.com is one that simply isn't being blocked.
 
Based on your Blacklist rules using a Match Field - From what object, do you have a match field for the field below?

Code:
From: Goldalliedtrust.com <goldalliedtrust.com@lifesfinancials.com>

Btw, since the email has a spam score of 15, you can block/quarantine the email using the default Quarantine/Mark Spam (Level 3) rules.

Code:
X-SPAM-LEVEL: Spam detection results:  15
 
It is being quarantined by spam score, but I would prefer to block them from the beginning.
I ignored the fake From email addresses since they used too many, and was trying to match the server which is generating all of these.
So I had a rule for this line, which was Received and the domain name.

Received: from mail.lifesfinancials.com (web.phxwebserver.com [23.231.84.24])

Should this have worked?
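To make the two regex questions in this thread concrete (the pattern that "doesn't match" on the regex testers earlier, and whether that pattern can hit the Received line above), here is an added example that is not from the thread or from PMG. It runs the two patterns quoted in the thread, plus a third pattern constructed here for comparison, against the header lines quoted above and a few constructed ones; it shows only what each pattern can match as text and makes no claim about which header PMG feeds to a who or what object.

```python
import re

# Patterns quoted in the thread. The first was given for a PMG "who" object
# and is anchored on an email address (note the mandatory "@"); the second is
# the hostname-style pattern the poster said they would try next.
ADDR_RE = re.compile(r"(\W|^)[\w.+\-]{0,50}@[\w.+\-]{0,50}phxwebserver\.com(\W|$)")
HOST_RE = re.compile(r"(^|^[^:]+:\/\/|[^\.]+\.)phxwebserver\.com")

# Constructed here for comparison (not from the thread or from PMG): accepts the
# domain or any subdomain, whether it appears in an address or as a relay
# hostname, and rejects lookalikes such as notphxwebserver.com or
# phxwebserver.com.evil.example (the domain used as a label of a longer name).
EITHER_RE = re.compile(r"(^|[^\w-])([\w-]+\.)*phxwebserver\.com([^\w.-]|$)")

# The first two header lines are copied from the thread; the rest are
# constructed test inputs so that each pattern's behaviour is visible.
SAMPLES = {
    "received": "Received: from mail.lifesfinancials.com (web.phxwebserver.com [23.231.84.24])",
    "from_other_domain": "From: Goldalliedtrust.com <goldalliedtrust.com@lifesfinancials.com>",
    "from_subdomain": 'From: "Example" <noreply@mail.phxwebserver.com>',  # constructed
    "return_path_bare": "Return-Path: <owner@phxwebserver.com>",  # constructed
    "lookalike": "Received: from notphxwebserver.com "
                 "(x.phxwebserver.com.evil.example [198.51.100.7])",  # constructed
}


def hits(line: str) -> dict:
    """Return which of the three patterns match a single header line."""
    return {
        "addr": ADDR_RE.search(line) is not None,
        "host": HOST_RE.search(line) is not None,
        "either": EITHER_RE.search(line) is not None,
    }


def report() -> dict:
    """Evaluate every sample line; handy for deciding which pattern a rule needs."""
    return {name: hits(line) for name, line in SAMPLES.items()}


if __name__ == "__main__":
    for name, r in report().items():
        print(f"{name:18} addr={r['addr']!s:5} host={r['host']!s:5} either={r['either']}")
```

The address-anchored pattern never matches the Received line because that line contains no "@", while the hostname pattern misses a bare owner@phxwebserver.com and accepts phxwebserver.com.evil.example; the third pattern handles all of these cases.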
 
A block/quarantine rule with a who object for the domain should work.
 
Hey,
one piece of information from my side.

We (a couple of companies using PMG) also add most of the sending servers as a RegEx pattern to the WHO list.
Here it works perfectly.

We're also using the
Code:
(\W|^)[\w.+\-]{0,50}@[\w.+\-]{0,50}domain\.com(\W|$)
RegEx for the sending server and the mail domain.

Here is a before and after:

We've also blocked the sending server, in this case 818q.com, because there are several other spam mails coming from there.

So this should work for you too :) ('Hopefully')
 
Thank you. For an individual email that is functioning, but the spammers are sending 100-different-names@spammerdom.com, so rather than try to match that, we are blocking that domain at the top, and that's where the issue is happening for us.
 
Individual rules to filter the spammer domain and subject with regex work for me.
 