duplicate emails from different senders

theitmanager
Normal user
Posts: 48
Joined: 2005-11-04 15:36

Post by theitmanager » 2006-12-21 19:29

For months now, including the previous version of hMailServer and the current one (we recently upgraded to the latest version 4.3, Build 248), most of the accounts receive duplicate emails (same exact email body) from different senders all sent (or received by the server anyway) within a 5-minute (very short) period. They are definitely spam and usually relate to some financial tip (Stock Market sort of thing). The subjects are usually only slightly different for each email, too. For example, one might say 'From Bob' and the next 'From Steve', so on...

Sometimes people, including myself, receive as many as 10 or 15 of these and it's very annoying. Anyway, the question, of course, is how to stop it.

Here are 3 email headers from a recent example of this:

EMAIL 1 *****************

Received: from p50919821.dip0.t-ipconnect.de ([80.145.152.33])
by mail.hostbrothers.com
with hMailServer ; Thu, 21 Dec 2006 10:05:13 -0500
Return-Path: <preenauctioneer's@aberdeenlivestock.com>
Received: from 64.18.4.14 (HELO aberdeenlivestock.com.mail4.psmtp.com)
by hlwelmira.com with esmtp (4/92:)?9' 2IT6=J)
id C4B33@-IML0M--:)
for aaron@hlwelmira.com; Thu, 21 Dec 2006 15:05:06 -0060
From: "Bernardo Warren" <preenauctioneer's@aberdeenlivestock.com>
To: <aaron@hlwelmira.com>
Subject: It's Bernardo
Date: Thu, 21 Dec 2006 15:05:06 -0060
Message-ID: <01c72511$668432c0$6c822ecf@preenauctioneer's>
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
Thread-Index: Aca6QV;+9+@W(+8I,67RK5(1EJL5-7==

EMAIL 2 *****************

Received: from dtmd-4db5d98b.pool.einsundeins.de ([77.181.217.139])
by mail.hostbrothers.com
with hMailServer ; Thu, 21 Dec 2006 10:04:44 -0500
Return-Path: <redeemershellfishes@acacia.eng.sun.com>
Received: from 150.143.103.74 (HELO btmx1.sun.com)
by hlwelmira.com with esmtp (YJ,G?20* U:U31A)
id 0I?R=2-F;-M-S-UI
for aaron@hlwelmira.com; Thu, 21 Dec 2006 15:05:01 -0060
From: "Cedric Barton" <redeemershellfishes@acacia.eng.sun.com>
To: <aaron@hlwelmira.com>
Subject: It's Cedric
Date: Thu, 21 Dec 2006 15:05:01 -0060
Message-ID: <01c72511$633a8600$6c822ecf@redeemershellfishes>
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869
Thread-Index: Aca6Q36I.@-L)0I)0*W+DV8IRBJ4MS==

EMAIL 3 *****************


Received: from p549DE8B5.dip.t-dialin.net ([84.157.232.181])
by mail.hostbrothers.com
with hMailServer ; Thu, 21 Dec 2006 09:57:12 -0500
Return-Path: <reprovedsaltpeter's@aalandbrug.dk>
Received: from 194.192.15.176 (HELO dkcphmx16.softcom.dk)
by hlwelmira.com with esmtp (F)0N7VW.M-+ 1?@?7)
id 7/3+P(-Q-0A7)-Q>
for aaron@hlwelmira.com; Thu, 21 Dec 2006 12:55:47 -0060
From: "Ignacio Dalton" <reprovedsaltpeter's@aalandbrug.dk>
To: <aaron@hlwelmira.com>
Subject: It's Ignacio
Date: Thu, 21 Dec 2006 12:55:47 -0060
Message-ID: <01c724ff$5585a1f0$6c822ecf@reprovedsaltpeter's>
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
Thread-Index: Aca6Q9*1N0*3'GT*>+.;/5W2O2)33B==

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Post by ^DooM^ » 2006-12-21 21:23

I get these as well and so do most of my colleagues and friends. I would suggest you turn on greylisting but even that doesn't seem to stop them unfortunately. All the IPs are open relays and the from addresses, as is the case with most spam, are fake and alternate frequently. Unless you are willing to set up something like spam assassin or ASSP I am afraid you will just have to put up with it for now.

theitmanager
Normal user
Posts: 48
Joined: 2005-11-04 15:36

Post by theitmanager » 2006-12-21 21:29

Right on.

What I'm thinking is some sort of script that, I don't know, might queue message bodies of the last, let's say, 5 emails sent to a person and only if there are no matches, allow a new message to be "placed" in their mailbox for pickup.

It's a script thing...but I don't know much about scripting in hMailServer really and that sounds like a difficult script to write...but a sweet one if someone else wrote it ("hint, hint" to hMailServer scripters).

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Post by ^DooM^ » 2006-12-21 22:15

What you are asking is pretty much what greylisting does now except it doesn't download the emails first. If the sender resends the email again after it has been delayed with the same credentials as before (to, from, ipaddress) then the email will pass.
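
The triplet check described in the post above, as an added Python sketch that is not part of the thread and not hMailServer's own code. The class name, the delay values and every address in it are assumptions, constructed for illustration.

```python
import time

class Greylist:
    """Toy greylist keyed on the (sender IP, envelope from, envelope to) triplet."""

    def __init__(self, min_delay=300, max_age=4 * 3600):
        self.min_delay = min_delay  # seconds a new triplet must wait before a retry passes
        self.max_age = max_age      # a pending triplet older than this starts over
        self.pending = {}           # triplet -> time of first attempt
        self.passed = set()         # triplets that have already retried correctly

    def check(self, ip, mail_from, rcpt_to, now=None):
        """Return an SMTP-style verdict for one delivery attempt."""
        now = time.time() if now is None else now
        triplet = (ip, mail_from.lower(), rcpt_to.lower())
        if triplet in self.passed:
            return "250 accept"
        first = self.pending.get(triplet)
        if first is None or now - first > self.max_age:
            self.pending[triplet] = now       # first sighting: temp-fail and remember
            return "451 try again later"
        if now - first < self.min_delay:
            return "451 try again later"      # retried too quickly
        del self.pending[triplet]
        self.passed.add(triplet)
        return "250 accept"

# Constructed attempts: (label, ip, from, to, seconds since start)
ATTEMPTS = [
    ("bot-1", "192.0.2.10", "bob@spam.example", "user@example.org", 0),
    ("bot-2", "192.0.2.11", "steve@spam.example", "user@example.org", 5),
    ("mta-first", "198.51.100.7", "alice@example.net", "user@example.org", 10),
    ("mta-early", "198.51.100.7", "alice@example.net", "user@example.org", 60),
    ("mta-retry", "198.51.100.7", "alice@example.net", "user@example.org", 900),
    ("mta-next", "198.51.100.7", "alice@example.net", "user@example.org", 950),
]

def simulate():
    gl = Greylist()
    return {label: gl.check(ip, f, to, now=1_000_000 + dt)
            for label, ip, f, to, dt in ATTEMPTS}

if __name__ == "__main__":
    for label, verdict in simulate().items():
        print(f"{label:10s} {verdict}")
```

The two one-shot senders never come back, so their mail is never accepted. Any sender that queues and retries from the same IP with the same envelope passes, whatever the content.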

Hotlanta
Normal user
Posts: 46
Joined: 2006-12-04 20:46

Post by Hotlanta » 2006-12-21 22:39

I'm seeing a lot of them, too. The headache in identifying these investor emails is that they don't usually have any links (they're not trying to get you to go somewhere), and often the message is nothing more than a textual image. If there is text with the image, it's usually random words. Truth is, that's hard to screen against since it could just as easily be personal mail from any friend sending a picture of their kid. Just to make things fun, the images are usually randomly named and may even be generated on the fly.

I'm also seeing email where they send a gif file that instructs you not to click on it, but to enter their url in your browser.

Here's the good news. There do seem to be ways to id these emails.

1) If it has a single GIF image and no link, it's probably not "normal" business mail (newsletters usually have links), and people rarely send gif images to one another in personal mail.

2) If the message is pure text (about half of them seem to be), you can screen the text based on the word "Symbol:" which seems to be in most of them.

Each email being sent seems to be just a little bit different than the last similar offer, so screening based on them being identical probably won't do much good.

Regards,

John
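
An added Python sketch, not part of the thread, that combines the "last 5 bodies per recipient" idea with the observation that each copy differs slightly: it compares word 3-grams with a Jaccard score instead of testing for identical text. The class name, the 0.6 threshold and the sample bodies are assumptions, constructed for illustration.

```python
import re
from collections import defaultdict, deque

def shingles(body, k=3):
    """Set of overlapping k-word sequences; empty for bodies with fewer than k words."""
    words = re.findall(r"[a-z0-9]+", body.lower())
    return frozenset(" ".join(words[i:i + k]) for i in range(len(words) - k + 1))

def jaccard(a, b):
    """Overlap of two shingle sets; empty sets (e.g. image-only mail) never match."""
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)

class RecentBodies:
    """Remembers the last `keep` body signatures per recipient."""

    def __init__(self, keep=5, threshold=0.6):
        self.threshold = threshold
        self.recent = defaultdict(lambda: deque(maxlen=keep))

    def is_near_duplicate(self, rcpt, body):
        sig = shingles(body)
        window = self.recent[rcpt.lower()]
        hit = any(jaccard(sig, old) >= self.threshold for old in window)
        window.append(sig)   # remember this body whether or not it matched
        return hit

# Constructed sample bodies: two copies of one pitch with a changed price and a
# random trailing word, and one unrelated message.
PITCH_A = ("Hot pick of the week! Symbol: ABCD Price: $0.42 Target: $1.50 "
           "Buy before Friday, this one is going to move fast")
PITCH_B = ("Hot pick of the week! Symbol: ABCD Price: $0.43 Target: $1.50 "
           "Buy before Friday, this one is going to move fast giraffe")
NORMAL = "Hi Aaron, the quarterly report is attached. Let me know if Friday works for a call."

def demo():
    seen = RecentBodies()
    rcpt = "user@example.org"
    return [seen.is_near_duplicate(rcpt, b) for b in (PITCH_A, NORMAL, PITCH_B, PITCH_A)]

if __name__ == "__main__":
    print("identical text:", PITCH_A == PITCH_B)
    print("similarity:", jaccard(shingles(PITCH_A), shingles(PITCH_B)))
    print("verdicts:", demo())
```

The two pitches are not identical, yet they share 18 of 25 distinct 3-grams, so the second one is flagged while the unrelated message is not.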

tonda
Normal user
Posts: 93
Joined: 2006-10-20 14:13
Location: CZ

Post by tonda » 2006-12-22 00:24

I think that the time and effort invested in deploying spamassassin in this case could be much shorter than the time and effort invested in implementing the above-mentioned script.

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Post by ^DooM^ » 2006-12-22 00:33

I agree totally with tonda here if greylisting is not helping.

Hotlanta
Normal user
Posts: 46
Joined: 2006-12-04 20:46

Post by Hotlanta » 2006-12-22 06:45

Now I've seen what you folks can do, and this really wasn't all that difficult. I'm pretty sure I couldn't set spam assassin up in 15 minutes. Besides, I like being in control and my Perl is a bit rusty these days. LOL!

I liked this concept enough to implement it for myself. Here's the vbscript for what I came up with. Would love to hear any comments on ways to improve it.

Regards,

John

Code:

Sub OnAcceptMessage(oClient, oMessage)
   ' Tag suspected stock spam in the subject instead of rejecting it
   If HasSpam(oMessage) Then
      oMessage.Subject = "[SPAM] " & oMessage.Subject
      oMessage.Save()
   End If
   Result.Value = 0 ' 0 = accept the message
End Sub

Function HasSpam(oMessage)
   Dim strBody, objRegExp, objMatchesFound
   HasSpam = False
   strBody = oMessage.Body & " " & oMessage.HTMLBody
   ' first test for "symbol: " in the text (compare mode 1 = case-insensitive)
   If InStr(1, strBody, "symbol: ", 1) <> 0 Then
      HasSpam = True
   Else
      ' count the gif files in the message body
      Set objRegExp = New RegExp
      objRegExp.IgnoreCase = True
      objRegExp.Global = True
      objRegExp.Pattern = "(\.gif)" ' escaped dot so only a literal ".gif" matches
      Set objMatchesFound = objRegExp.Execute(strBody)
      If objMatchesFound.Count = 1 Then ' found one gif file in the body of the email
         ' count the links in body
         Set objMatchesFound = Nothing
         objRegExp.Pattern = "<a\s+href=""http://(.*?)"">\s*((\n|.)+?)\s*</a>" ' finds links
         Set objMatchesFound = objRegExp.Execute(strBody)
         If objMatchesFound.Count = 0 Then ' a single gif file with no links is probably spam
            HasSpam = True
         End If
      End If
      Set objMatchesFound = Nothing
      Set objRegExp = Nothing
   End If
End Function


tonda
Normal user
Posts: 93
Joined: 2006-10-20 14:13
Location: CZ

Post by tonda » 2006-12-22 09:36

Everything has its pros and cons. I am pretty sure it is possible to set up spam assassin in 15 minutes (I talk about sawin32) and then I am able to handle ALL spam messages. This script can handle only a small subset of spam messages.

IMHO to focus on cleaning only a small subset of spam messages is a little bit unconceptual and from my point of view it is only a small victory in a much larger blazing battle with spam messages. I personally prefer solutions covering the given problem as a whole (I work in IT for about 10 years).

On the other side I do not want to blame the author of this script, because he did a good job.

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Post by ^DooM^ » 2006-12-22 11:57

Very nice HotLanta,

You should post this in the user contributed scripts section with a small explanation.

meanscr
New user
Posts: 2
Joined: 2006-10-27 23:43

Exactly what I was looking for!

Post by meanscr » 2007-01-04 17:20

Thanks for the script HotLanta...I field 8-10 calls a day about these particular emails...I'll give this a shot. Have you implemented it and seen an improvement?

I have been able to kill about 75% of my spam using country based RBLs (which some may think is "unconceptual" as well :), sbl-xbl.spamhaus.org and heuristic scanning on my Symantec firewall. As a primarily US based business, I could monitor the spam and use DNSStuff.com to find country of origin of the sending server, then use the countries.nerd.dk RBLs to block email from the worst offending countries (for instance, France is fr.countries.nerd.dk - see http://countries.nerd.dk for more info). Ex: Dec. 28th, I blocked 141,972 messages at the firewall (before implementing the heuristics) using spamhaus and countries. On the mail server, I blocked another ~20,000 with more country lists.