What is the correct way to create a spam rule to block by Reply-To?

DrmCa
Normal user
Posts: 74
Joined: 2011-02-14 21:30

What is the correct way to create a spam rule to block by Reply-To?

Post by DrmCa » 2019-02-02 17:33

Hi all,

I started getting tons of spam which is variable in every respect, but the Reply-To field.
How can I block it?

Thank you!

palinka
Senior user
Posts: 530
Joined: 2017-09-12 17:57

Re: What is the correct way to create a spam rule to block by Reply-To?

Post by palinka » 2019-02-02 19:03

You can use rules. But what is it about the reply-to that is not variable? It's the same for each message?

jimimaseye
Moderator
Posts: 7766
Joined: 2011-09-08 17:48

Re: What is the correct way to create a spam rule to block by Reply-To?

Post by jimimaseye » 2019-02-02 19:05

If you use spamassassin you can write a rule there.

Or

You can use a mini script in the OnAcceptMessage to test the Reply-To header and reject

Or

Have a rule to test 'custom header' reply-to and delete message

[Entered by mobile. Excuse my spelling.]
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829
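
The second option in the post above (a script in OnAcceptMessage that tests the Reply-To header and rejects), as an added example that is not part of the original post or hMailServer's own code. The blocklist entries are constructed placeholders, `IsBlockedReplyTo` is a hypothetical helper name, and the handler body has to be merged into any OnAcceptMessage already present in EventHandlers.vbs.

```vbscript
' Added example for EventHandlers.vbs (scripting must be enabled in hMailServer).
' Blocklist fragments are constructed placeholders, separated by ";".
' A full address matches one sender; a fragment such as "@domain" matches a whole domain.
Const REPLYTO_BLOCKLIST = "spammer@example.invalid;@bulk.example.invalid"

' Hypothetical helper: True when the Reply-To header contains a blocklisted fragment.
' Matching is case-insensitive and works on the raw header, so display names,
' angle brackets and multiple comma-separated addresses are all covered.
Function IsBlockedReplyTo(strReplyTo)
   Dim arrBlocked, strItem, strHeader
   IsBlockedReplyTo = False

   strHeader = Trim(strReplyTo)
   If strHeader = "" Then Exit Function      ' no Reply-To header: nothing to match

   arrBlocked = Split(REPLYTO_BLOCKLIST, ";")
   For Each strItem In arrBlocked
      strItem = Trim(strItem)
      If strItem <> "" Then                  ' skip empty entries so they never match everything
         If InStr(1, strHeader, strItem, vbTextCompare) > 0 Then
            IsBlockedReplyTo = True
            Exit Function
         End If
      End If
   Next
End Function

Sub OnAcceptMessage(oClient, oMessage)
   Dim strReplyTo
   strReplyTo = oMessage.HeaderValue("Reply-To")

   If IsBlockedReplyTo(strReplyTo) Then
      ' Record the decision so false positives can be traced later.
      EventLog.Write("Reply-To block: '" & strReplyTo & "' from " & oClient.IPAddress)
      ' Reject during the SMTP session with the text in Result.Message.
      Result.Value = 2
      Result.Message = "Message rejected."
      Exit Sub
   End If
End Sub
```

Because the match is a substring test, keep fragments specific: a short fragment such as a bare top-level domain would also reject legitimate senders.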

DrmCa
Normal user
Posts: 74
Joined: 2011-02-14 21:30

Re: What is the correct way to create a spam rule to block by Reply-To?

Post by DrmCa » 2019-02-02 19:39

palinka wrote:
2019-02-02 19:03
> You can use rules. But what is it about the reply-to that is not variable? It's the same for each message?

I have tons of rules, but when adding a new one there is no field for matching on Reply-To.
How specifically should I set up a rule?

SorenR
Senior user
Posts: 2835
Joined: 2006-08-21 15:38
Location: Denmark

Re: What is the correct way to create a spam rule to block by Reply-To?

Post by SorenR » 2019-02-02 21:54

DrmCa wrote:
2019-02-02 19:39
> palinka wrote:
> 2019-02-02 19:03
> > You can use rules. But what is it about the reply-to that is not variable? It's the same for each message?
> I have tons of rules, but when adding a new one there is no field for matching on Reply-To.
> How specifically should I set up a rule?

Reply-To is not added to the headers until AFTER rules have been invoked...

Enable WScript and add this to your EventHandlers.vbs

Code:

Sub XEnvelope(oMessage)
   Dim i, strEnvelope1, strEnvelope2
   For i = 0 To oMessage.Recipients.Count-1
      If (i = 0) Then
         strEnvelope1 = oMessage.Recipients(i).Address
         strEnvelope2 = oMessage.Recipients(i).OriginalAddress
      Else
         strEnvelope1 = strEnvelope1 & ", " & oMessage.Recipients(i).Address
         strEnvelope2 = strEnvelope2 & ", " & oMessage.Recipients(i).OriginalAddress
      End If
   Next
   oMessage.HeaderValue("X-Envelope-To") = strEnvelope1
   oMessage.HeaderValue("X-Envelope-OriginalTo") = strEnvelope2
   oMessage.HeaderValue("X-Envelope-From") = oMessage.FromAddress
   oMessage.Save
End Sub


Sub OnAcceptMessage(oClient, oMessage)
   '
   ' Add X-Envelope... headers
   '
   Call XEnvelope(oMessage)
End Sub

With your rule do:

(IF)
Custom header field "X-hMailServer-LoopCount" Less than 1
AND
Custom header field "X-Envelope-From" Contains "bastard@spamland"

(THEN)
Forward mail To: "fire and brimstone@hell"
Delete e-mail
Stop rule processing

If you got the time you could have a look at how I do this and much more (split over two posts) viewtopic.php?p=209545#p209545
SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.

DrmCa
Normal user
Posts: 74
Joined: 2011-02-14 21:30

Re: What is the correct way to create a spam rule to block by Reply-To?

Post by DrmCa » 2019-02-02 22:30

SorenR wrote:
2019-02-02 21:54
> Reply-To is not added to the headers until AFTER rules have been invoked...

Not sure I follow. This header is crafted by the spammers, so it does come in the original email.

SorenR
Senior user
Posts: 2835
Joined: 2006-08-21 15:38
Location: Denmark

Re: What is the correct way to create a spam rule to block by Reply-To?

Post by SorenR » 2019-02-02 23:46

DrmCa wrote:
2019-02-02 22:30
> SorenR wrote:
> 2019-02-02 21:54
> > Reply-To is not added to the headers until AFTER rules have been invoked...
> Not sure I follow. This header is crafted by the spammers, so it does come in the original email.

Oops.. It's Return-Path that is added later, not Reply-To...
Oh well...

You can use:

Custom header field "Reply-To" Contains "bastard@spamland"
SørenR.


jimimaseye
Moderator
Posts: 7766
Joined: 2011-09-08 17:48

Re: What is the correct way to create a spam rule to block by Reply-To?

Post by jimimaseye » 2019-02-02 23:55

It's almost like I didn't know what I was talking about. Still, if they don't want to read or believe me.....

SorenR
Senior user
Posts: 2835
Joined: 2006-08-21 15:38
Location: Denmark

Re: What is the correct way to create a spam rule to block by Reply-To?

Post by SorenR » 2019-02-03 00:49

jimimaseye wrote:
2019-02-02 23:55
> It's almost like I didn't know what I was talking about. Still, if they don't want to read or believe me.....

Yeah, I see what you mean... I've got 3 rules to move SPAM, that's it. Detecting SPAM and handling SPAM is about 1.250 lines of code in EventHandlers ...

And... I get 0 SPAM... Well, I get maybe 4-6 SPAM mails total in 6 INBOX'es per month. My low score SPAM folders and high score SPAM folder NEVER go hungry to bed ... plus the many emails I reject every day :mrgreen:
SørenR.


mattg
Moderator
Posts: 19460
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: What is the correct way to create a spam rule to block by Reply-To?

Post by mattg » 2019-02-03 02:33

After reading this >> http://www.dontbouncespam.org/
I've actually stopped rejecting very high score spam, and just autoban the IP and drop (delete) the message

I now only bounce medium score spam, and accept and quarantine low score spam.

On my system, using scripts
'big mail senders' (eg Gmail, Outlook, twitter, etc) is determined by their EHLO greeting as per SorenR's EHLO test script
A score of 18 or over that is not from one of the 'big mail senders' is autobanned and deleted
A score of 14 or over, AND mail from one of the big senders with a score of 18 or more is rejected
Scores between 7 and 14 are quarantined.

Works well when SpamAssassin does (I'm still having to manually restart SpamAssassin multiple times per week, I have got the SpamAssassin Web service restart call to work as yet)

One thing that I've noticed since implementation a couple of months back is that hMailServer is flagging many more viruses now. This is caused due to me including ClamAV (with SaneSecurity Defs) scoring in SpamAssassin and ALSO doing ClamAV scans in virus checking.

The messages are now accepted, then scanned again and rejected as Virus containing. There is a significant wait between the tests, so I'd guess that I'm also using the resources of the spam bot by holding the connection...

Also, I've done this for one domain >> http://wiki.junkemailfilter.com/index.p ... ct_tarbaby
No issues noted so far, so I think that I'll expand that across all of my domains.
It is a bit hard to quantify the success of this measure though...
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

palinka
Senior user
Posts: 530
Joined: 2017-09-12 17:57

Re: What is the correct way to create a spam rule to block by Reply-To?

Post by palinka » 2019-02-03 03:10

mattg wrote:
2019-02-03 02:33
> One thing that I've noticed since implementation a couple of months back is that hMailServer is flagging many more viruses now. This is caused due to me including ClamAV (with SaneSecurity Defs) scoring in SpamAssassin and ALSO doing ClamAV scans in virus checking.

I am seeing the same thing for apparently the same reason. I was going to post a question as to why but you just answered it for me, so thanks!
