Global Rule to delete spam

Post by tarucan » 2019-09-18 10:42

Hi there, I receive 18~25 spam mails a day, all with different headers, but they all have something in common in the source:
Return-Path: MarioWrightuoh@logosfts.it
Received: from logosfts.it (Unknown [154.66.245.47])
by mail.lianna.it with ESMTP
; Wed, 18 Sep 2019 09:15:52 +0200
Received: from unknown (125.55.86.48)
by relay-x.misswldrs.com with SMTP; Wed, 18 Sep 2019 08:07:43 -0500
Received: from [64.226.30.68] by nntp.pinxodet.net with ASMTP; Wed, 18 Sep 2019 07:49:54 -0500
Message-ID: <25A6B8E9.FC3F1641@logosfts.it>
Date: Wed, 18 Sep 2019 07:46:02 -0500
From: "Joselyn" <MarioWrightuoh@logosfts.it>
User-Agent: Mozilla 4.79 [en] (Win98; U)
MIME-Version: 1.0
To: "Joselyn" <thp@lianna.it>
Subject: Verrai da me il fine settimana?
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: base64

PCFkb2N0eXBlIGh0bWw+DQo8aHRtbD4NCjxoZWFkPg0KPG1ldGEgY2hhcnNldD0idXRmLTgiPg0K
PC9oZWFkPg0KPGJvZHk+DQo8dGFibGUgd2lkdGg9IjYwMCIgIGJvcmRlcj0iMCIgYWxpZ249ImNl
bnRlciIgIHN0eWxlPSJmb250LWZhbWlseTogQXJpYWw7IGZvbnQtc2l6ZTogMThweCI+DQo8dGJv

The first 6 chars, PCFkb2, are common to all the emails. The problem is that this is not part of the body, since I made a rule to delete all mail whose body contains "PCFkb2" but I still receive them.
Any suggestions, please?

Post by jimimaseye » 2019-09-18 10:49

Yes.
https://www.hmailserver.com/forum/viewt ... 21&t=28133

[Entered by mobile. Excuse my spelling.]
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

Post by tarucan » 2019-09-18 12:35

Well, can you show me how to add custom rules for my specific spam mail, please?
I still receive that email, because the string does not seem to belong to any common header;
it looks like an inline image.

Post by palinka » 2019-09-18 13:30

I have noticed a pattern of spam using .it domains starting with the letter L. You can see an example from my connection log project:

http://hmsfirewallbandemo.ddns.net/accr ... mit=Search

If you're absolutely positive you will never receive any legitimate email from Italy, you can create a rule based on this pattern.

criteria > from > regular expression =

Code:

^.+(\@l[a-z]+\.it).+$

action > delete message

Post by palinka » 2019-09-18 13:46

You could also try regular expression for the body:

Code:

^.*(PCFkb2).*$

Post by tarucan » 2019-09-18 14:07

You forgot to say where I have to put ^.*(PCFkb2).*$

And no, I don't block all of Italy, just mail containing those weird 6 chars.
Thanks

Post by palinka » 2019-09-18 14:29

tarucan wrote:
2019-09-18 14:07
you forgot to say where do i have to put ^.*(PCFkb2).*$

Same as the other one: criteria > body > regular expression

Post by tarucan » 2019-09-18 16:03

OK, but in the global rules of hMailServer?

Post by palinka » 2019-09-18 16:08

tarucan wrote:
2019-09-18 16:03
ok but in global rules of hmailserver?

Yes.

Post by palinka » 2019-09-18 17:04

tarucan wrote:
2019-09-18 10:42
Return-Path: MarioWrightuoh@logosfts.it
From: "Joselyn" <MarioWrightuoh@logosfts.it>
To: "Joselyn" <thp@lianna.it>

I looked in my connection log database again.

a) For HELO entries .it domains that start with L and end with S (and no "-" or "."): ^l([a-z]+[s])\.it$ - 1,932 Hits

b) For HELO entries .it domains that start with L and DO NOT end with S (and no "-" or "."): ^l([a-z]+[^s])\.it$ - 186 Hits

While both a & b are spam, it's clear which one spammers prefer. There were no listings for lianna.it in my logs (as should be expected). This could be a bit tougher for you actually being in Italy (which I did not notice earlier). :mrgreen: Someone else might find it useful, though.

Post by tarucan » 2019-09-18 17:20

The problem is that the Return-Path and From are variable, always different; no two emails have the same, and not only .it.
The spammer generates them randomly, so there is no way to use those as a spam hook.

Post by jimimaseye » 2019-09-18 17:53

So:
jimimaseye wrote:
2019-09-18 10:49
Yes.
https://www.hmailserver.com/forum/viewt ... 21&t=28133

[Entered by mobile. Excuse my spelling.]

SpamAssassin will likely catch it and you will not need tailored rules.

Post by tarucan » 2019-09-19 08:00

I'm sorry to say none of your solutions work for me; I am still receiving that spam.
SpamAssassin is installed but doesn't do much because it is obsolete and it is impossible to find a working DNS to update it.

Post by jimimaseye » 2019-09-19 08:48

There are hundreds of people using SpamAssassin from those installation instructions and it is very effective. If you are unable to 'update' it then you have not configured your system correctly. (You need to allow it through the firewall, adding exceptions etc.) As for DNS, it will use the DNS of the machine it is installed on. Review the installation instructions carefully.

Post by tarucan » 2019-09-19 17:24

jimimaseye, I followed the instructions and the firewall is not the problem. If you read what I said, there are no DNS to download from. Take a look at this code to update:
net stop spamassassin
sa-update.exe -v --nogpg --channelfile UpdateChannels.txt
net start spamassassin

This is straight from the instructions you mention; well, you are wrong.
This command has no effect because UpdateChannels.txt is missing.
Then, as I said already but you didn't read, I spent hours looking for a valid DNS but none is working anymore.

As you can see, SpamAssassin doesn't get updated even if someone follows the instructions.

Post by palinka » 2019-09-19 21:49

C:\Program Files\JAM Software\SpamAssassin for Windows\UpdateChannels.txt

Contents:

Code:

updates.spamassassin.org
xsaupdate.jam-software.com
sa.zmi.at
sought.rules.yerp.org
spamassassin.heinlein-support.de

Post by jimimaseye » 2019-09-19 21:56

No no, palinka, that can't be true. Because updates.txt is missing (apparently) and therefore those instructions do not work. You can't possibly have such a file.

:roll:

Post by palinka » 2019-09-19 22:43

jimimaseye wrote:
2019-09-19 21:56
No no, palinka, that can't be true. Because updates.txt is missing (apparently) and therefore those instructions do not work. You can't possibly have such a file.

:roll:

[Entered by mobile. Excuse my spelling.]

I figured he deleted it, so here's a way to recreate it. Although, if one system file is deleted accidentally, then who knows what else has been deleted?

Post by ras07 » 2019-09-20 20:45

Wait, wait, wait. Reset.
tarucan wrote:
2019-09-18 10:42
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: base64

PCFkb2N0eXBlIGh0bWw+DQo8aHRtbD4NCjxoZWFkPg0KPG1ldGEgY2hhcnNldD0idXRmLTgiPg0K
PC9oZWFkPg0KPGJvZHk+DQo8dGFibGUgd2lkdGg9IjYwMCIgIGJvcmRlcj0iMCIgYWxpZ249ImNl
bnRlciIgIHN0eWxlPSJmb250LWZhbWlseTogQXJpYWw7IGZvbnQtc2l6ZTogMThweCI+DQo8dGJv

the first 6 char PCFkb2 are common to all email, the problem is this is not part of body, since i made a rule delete all mail
which body contain :"PCFkb2" but i still receive
Any suggestions plz?

First off, since it's base64 encoded, the literal string "PCFkb2" isn't going to show up in any regex on the body. AFAIK you can't even get to the un-decoded base64 string in hMS; matching happens after decoding. (And I think SA works the same way although I wouldn't swear to it.)

Secondly, if you decode the base64, it simply says:

Code:

<!doctype html>
<html>
<head>
<meta charset="utf-8">
...etc...

So it's just generic HTML tags. Therefore even if you were able to filter on the un-decoded string, you'd end up filtering out virtually every HTML email.

Neither rules nor Spam Assassin are going to help you here.

Most HTML-encoded email includes two Content-Type sections; a plain-text section and an HTML section. I noticed that I get a fair bit of spam that has only HTML. By the looks of it this is what you are seeing.

You could add a simple check in the OnAcceptMessage handler to look for email with an empty .Body and a non-empty .HTMLBody . Unfortunately it may filter legit(ish) email as well, since I have seen this from some legit bulk mailers.

By chance are the spam emails in all-image form? Because I do see a lot of spam that is both HTML-only and nothing but a JPG image (an image of text, but no actual text). These are easy to filter out in OnAcceptMessage (and probably in SA as well).
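
The two points in ras07's post above, as an added Python example (not code from the thread and not hMailServer script): the token "PCFkb2" exists only in the raw source, never in the decoded body a rule sees, and it also appears in legitimate HTML mail; the HTML-only check is the alternative he describes. The function names, the placeholder sender and the second (legitimate) message are assumptions constructed for the example.

```python
import base64
from email import message_from_string

# Constructed sample: subject and MIME headers from the spam quoted in the
# thread, placeholder sender, body = first base64 line of that message.
SPAM = (
    "From: sender@example.invalid\r\n"
    "Subject: Verrai da me il fine settimana?\r\n"
    'Content-Type: text/html; charset="iso-8859-1"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\n"
    "PCFkb2N0eXBlIGh0bWw+DQo8aHRtbD4NCjxoZWFkPg0KPG1ldGEgY2hhcnNldD0idXRmLTgiPg0K\r\n"
)
# Constructed legitimate mail: multipart/alternative with plain text and HTML.
HAM = (
    "From: news@example.invalid\r\n"
    'Content-Type: multipart/alternative; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain; charset=utf-8\r\n\r\n"
    "Monthly update\r\n"
    "--b1\r\nContent-Type: text/html; charset=utf-8\r\n"
    "Content-Transfer-Encoding: base64\r\n\r\n"
    + base64.b64encode(b"<!doctype html>\r\n<p>Monthly update</p>").decode()
    + "\r\n--b1--\r\n"
)

def decoded_parts(raw):
    """Return {content_type: decoded text} for every leaf MIME part."""
    out = {}
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""  # undoes base64 / QP
        charset = part.get_content_charset() or "utf-8"
        out[part.get_content_type()] = data.decode(charset, "replace")
    return out

def is_html_only(raw):
    """Empty plain-text body and non-empty HTML body."""
    parts = decoded_parts(raw)
    return bool(parts.get("text/html", "").strip()) and not parts.get("text/plain", "").strip()

def token_visibility(raw, token="PCFkb2"):
    """(token in raw source, token in any decoded body)."""
    return token in raw, any(token in text for text in decoded_parts(raw).values())

if __name__ == "__main__":
    for name, raw in (("spam", SPAM), ("ham", HAM)):
        print(name, token_visibility(raw), "html-only:", is_html_only(raw))
```

Both messages carry the token in their raw source and neither carries it after decoding; only the structural check separates them, and it will also flag legitimate senders that ship HTML without a plain-text part.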

Post by jimimaseye » 2019-09-20 20:51

ras07 wrote:
2019-09-20 20:45
Neither rules nor Spam Assassin are going to help you here.

The suggestion of SpamAssassin is because it may pick it up based on IP and source reputation. Also, SA is very wary of 'image only' emails.

Post by ras07 » 2019-09-20 21:07

jimimaseye wrote:
2019-09-20 20:51
ras07 wrote:
2019-09-20 20:45
Neither rules nor Spam Assassin are going to help you here.
The suggestion of spamassassin is because it may pick or up based on ip and source reputation. Also, sa is very weary of 'image only' emails.

[Entered by mobile. Excuse my spelling.]

Understood; didn't mean that SA wouldn't catch it, just that using anything to try to filter on "PCFkb2" isn't going to be effective.

Post by tarucan » 2019-09-21 05:18

palinka wrote:
2019-09-19 21:49
C:\Program Files\JAM Software\SpamAssassin for Windows\UpdateChannels.txt

Contents:

Code:

updates.spamassassin.org
xsaupdate.jam-software.com
sa.zmi.at
sought.rules.yerp.org
spamassassin.heinlein-support.de

Thanks palinka, this worked for me and now SA updates, but as ras07 said, base64 can't see normal strings, so neither SA nor hMail rules can do much against this spam. I can't use IP reputation because I noticed this spam uses random IPs, DNS and names for each spam message.
They are experts; indeed, I have been looking for a way to stop them for 4 months, without success.
I really hope this guy will die soon and someone will shut down his PC; this is the only solution at the moment.
People of this kind are leeches on society; they don't deserve to be alive and consume my oxygen :lol: :evil: :twisted:

Post by mattg » 2019-09-21 06:14

Can you please show some hMailServer SMTPD logs showing one (or some) of these messages being delivered?
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Post by palinka » 2019-09-21 12:26

tarucan wrote:
2019-09-21 05:18

Thanks palinka, this worked to me and now SA update, but as raz07 said, base64 cant see normal string so SA nor hmail rules can do much on this spam. I can't use ip reputation cause i noticed this spam use random ip and dns and names for each spam msg.
They are expert, indeed it's been 4 months i'm looking for a way to stop them but unsuccessful.
I really hope this guy will die soon and someone will shutdown his pc, this is the only solution atm.
This kind of people are leech of society they dont deserve to be alive and consume my oxygen :lol: :evil: :twisted:

Search for a thread called "SA Bootcamp". It's an excellent workup of using SA-learn to build a bayes database. If you teach SA that those messages are spam, it will learn and score them higher. The most important thing is to keep and sort your spam so it can learn. Believe me, it works great and it's not difficult to set up.
