Random characters on email account bypasses all filters

NubeNinja
Posts: 4
Joined: Tue Oct 26, 2021 10:25 am

Post by NubeNinja » Tue Oct 26, 2021 12:20 pm

Hi,

I'm getting several emails from accounts like:

random@somedomain.com

That bypass any SpamAssassin and MagicSpam filters.

I want to treat those emails as SPAM; mails like:

1.- Email: AtttJnW0/THC83JL6ADvm3A==_1102288667035_o09sgHXmEeqRGtSuUqLLUg==@in.constantcontact.com
2.- Email: 010f017cb80b9efb-24140d54-ba00-4648-a1b6-67126fa95e31-000000@us-east-2.amazonses.com

Among others.

Here are the important parts of the headers:

1.-

Return-Path: <AtttJnW0/THC83JL6ADvm3A==_1102288667035_o09sgHXmEeqRGtSuUqLLUg==@in.constantcontact.com>
Received: from ccm36.constantcontact.com ([208.75.123.196]:60381)
Received: from [10.252.0.1] ([10.252.0.1:44016] helo=p2-jbemailsyndicator34.ctct.net)
From: Entorno Cit Tour Operador & Receptivo <cit.promos@gmail.com>
Reply-To: gerencia.entornocit@gmail.com
Sender: Entorno Cit Tour Operador & Receptivo <destinos@mexico.ccsend.com>

2.-

Return-Path: <010f017cb80b9efb-24140d54-ba00-4648-a1b6-67126fa95e31-000000@us-east-2.amazonses.com>
Received: from a94-117.smtp-out.us-east-2.amazonses.com ([54.240.94.117]:35137)
Received: (no HELO on this)
From: Vanessa Lara <proyectos@inteligenciaempresarial.mx>
Reply-To: Vanessa Lara <vlara@inteligenciaempresarial.mx>
Sender: (No SENDER declared on this)

For the second example I have a plus... the domain and subdomains for "inteligenciaempresarial" are blocked by wildcard (*@inteligenciaempresarial.mx and *@*.inteligenciaempresarial.mx) and nevertheless it bypasses the filter!

Could you help me?

magicspam
Posts: 1553
Joined: Tue Oct 28, 2008 2:27 pm

Re: Random characters on email account bypasses all filters

Post by magicspam » Mon Nov 01, 2021 12:44 pm

Hello NubeNinja,

The MagicSpam Sender From Blacklist operates on the data in the MAIL FROM command which is equivalent to the Return-Path email header rather than the From email header, so you will have to add a wildcard blacklist entry to target the domain in the Return-Path header, e.g.

Example 1: Return-Path: <AtttJnW0/THC83JL6ADvm3A==_1102288667035_o09sgHXmEeqRGtSuUqLLUg==@in.constantcontact.com>

Add Sender Blacklist Entry: *@*.constantcontact.com

Example 2: Return-Path: <010f017cb80b9efb-24140d54-ba00-4648-a1b6-67126fa95e31-000000@us-east-2.amazonses.com>

Add Sender Blacklist Entry: *@*.amazonses.com

It might not be the best idea to blacklist these domains even though they have been leaking spam as they belong to legitimate email services (ConstantContact, Amazon SES) and may have legitimate customers sending legitimate emails. However, feel free to blacklist these domains if you don't expect to receive any legitimate emails from them.

As an alternative in the first case with ConstantContact, their IP addresses are already listed on MIPSpace-Poor which we recommend to set to FLAG. Note that MIPSpace is designed specifically to deal with unwanted marketing emails.

As for the second case with Amazon SES, it's trickier to deal with as they are not listed on any IP reputation lists. If you could send us these uncaught spam samples as attachments via email (support@magicspam.com), then we can pass them along to our threat research team to create new content filtering rules which will be automatically downloaded by your MagicSpam installation.

Let us know if you have any more questions.

Thank you!
-- MagicSpam Support Team --
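The distinction the reply makes (the Sender From Blacklist matches the envelope sender from MAIL FROM / Return-Path, not the From header) is what explains why the poster's existing `*@inteligenciaempresarial.mx` entries never fired. The script below is an added illustration, not MagicSpam's code: it parses the two header excerpts from the thread (embedded here as constructed samples), applies wildcard entries to the envelope sender and to the From header separately, and reports which one each entry actually hits. The wildcard semantics (`*` matches any run of characters) are an assumption chosen for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples: the header excerpts quoted in the thread, trimmed to the
# fields a sender blacklist decision depends on.
RAW_HEADERS = {
    "constantcontact": """Return-Path: <AtttJnW0/THC83JL6ADvm3A==_1102288667035_o09sgHXmEeqRGtSuUqLLUg==@in.constantcontact.com>
Received: from ccm36.constantcontact.com ([208.75.123.196]:60381)
From: Entorno Cit Tour Operador & Receptivo <cit.promos@gmail.com>
Reply-To: gerencia.entornocit@gmail.com

""",
    "amazonses": """Return-Path: <010f017cb80b9efb-24140d54-ba00-4648-a1b6-67126fa95e31-000000@us-east-2.amazonses.com>
Received: from a94-117.smtp-out.us-east-2.amazonses.com ([54.240.94.117]:35137)
From: Vanessa Lara <proyectos@inteligenciaempresarial.mx>
Reply-To: Vanessa Lara <vlara@inteligenciaempresarial.mx>

""",
}


def extract_senders(raw):
    """Return (envelope_sender, from_header_address) from a raw header block.

    Return-Path carries the MAIL FROM address; From is the header the user sees.
    """
    msg = message_from_string(raw)
    envelope = parseaddr(msg.get("Return-Path", ""))[1]
    from_header = parseaddr(msg.get("From", ""))[1]
    return envelope, from_header


def wildcard_to_regex(pattern):
    # Assumed semantics: '*' matches any run of characters (dots included),
    # every other character is literal, matching is case-insensitive.
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def first_match(address, entries):
    """Return the first blacklist entry matching the address, or None."""
    for entry in entries:
        if wildcard_to_regex(entry).match(address):
            return entry
    return None


def evaluate(sample_name, entries):
    """Show which entry (if any) matches the envelope sender vs the From header."""
    envelope, from_header = extract_senders(RAW_HEADERS[sample_name])
    return {
        "envelope": first_match(envelope, entries),
        "from_header": first_match(from_header, entries),
    }


if __name__ == "__main__":
    # The poster's existing entries only ever match the From header.
    print(evaluate("amazonses", ["*@inteligenciaempresarial.mx",
                                 "*@*.inteligenciaempresarial.mx"]))
    # The entries suggested in the reply match the envelope sender instead.
    print(evaluate("amazonses", ["*@*.amazonses.com"]))
    print(evaluate("constantcontact", ["*@*.constantcontact.com"]))
```

Running it shows the poster's wildcard entries matching only the `From` address, which the blacklist never looks at, while `*@*.amazonses.com` and `*@*.constantcontact.com` match the `Return-Path` address regardless of the random local part.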

NubeNinja
Posts: 4
Joined: Tue Oct 26, 2021 10:25 am

Re: Random characters on email account bypasses all filters

Post by NubeNinja » Wed Nov 03, 2021 11:27 am

Thank you for the reply,

So, if I understand well, an email account formatted as: AtttJnW0/THC83JL6ADvm3A==_1102288667035_o09sgHXmEeqRGtSuUqLLUg==@whatever.com is fine? How can that be possible?

As a workaround, can I "Add Sender Blacklist Entry" as follows?:

Block "=": *=*@*
Block "/": */*@*

... and so on; is that possible?

Or maybe:

Block "=" only on subdomain of constantcontact: *=*@*.constantcontact.com
Block "/" only on subdomain of constantcontact: */*@*.constantcontact.com

But, all in all, I'd prefer a rule like https://spamauditor.org/best-practices/rfc-mail-from/ or https://spamauditor.org/best-practices/ ... dentifier/ especially in: "HELO @(&$ (characters not normally allowed in domain names)" as "=" or "/" characters are not normally allowed (or even used) on email users.

Thanks in advance

magicspam
Posts: 1553
Joined: Tue Oct 28, 2008 2:27 pm

Re: Random characters on email account bypasses all filters

Post by magicspam » Wed Nov 10, 2021 6:54 pm

Hey NubeNinja,

Yes, it isn't against the RFC specifications for the local part of the email address issued in the SMTP MAIL FROM command to be formatted like that as all the characters used are valid and do not exceed the maximum length. Email services like Amazon SES automatically generate the local part when sending email on behalf of their customers for a variety of reasons (e.g. logging, tracking, statistics) and will instead set the From header in the email body to the actual sender domain.

You shouldn't blacklist email addresses using patterns which target non-typical characters (e.g. equal, slash characters) in the local part as legitimate senders using these email services that you do want to communicate with will not be able to have their messages delivered to your server. If you do want to block ALL email from these email services, then you would be better off following the previously provided instructions of blocking their subdomains.

Your suggestion about creating a spam policy to reject messages where the SMTP MAIL FROM address contains non-typical characters is quite interesting. We have created a development ticket and brought it to the attention of our threat research team to further investigate the utility and possibility of false positives for such a spam policy.

Thank you and do let us know if you have any questions or require further assistance.
-- MagicSpam Support Team --
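To make the two claims in this reply concrete (the local parts are RFC-valid, yet a "non-typical characters" policy would catch them and anything else those services send), here is an added checker that is not part of the thread or of MagicSpam. It validates a MAIL FROM address against the RFC 5321 dot-atom rules (atext character set, 64-octet local-part limit, LDH-style domain labels) and separately reports which characters fall outside a "typical mailbox name" alphabet. That alphabet, and the idea of flagging on it, are assumptions made for the example, not a rule the page defines.

```python
import string

# RFC 5321 section 4.1.2: characters allowed in an unquoted dot-atom local part.
ATEXT = set(string.ascii_letters + string.digits + "!#$%&'*+-/=?^_`{|}~")
MAX_LOCAL_PART = 64  # RFC 5321 section 4.5.3.1.1

# Assumed "typical" alphabet for human-chosen mailbox names (letters, digits,
# dot, underscore, hyphen, plus for tagged addresses). Anything outside it is
# what the proposed policy would treat as non-typical.
TYPICAL_LOCAL = set(string.ascii_letters + string.digits + "._-+")


def valid_domain(domain):
    """Domain labels must be letter/digit/hyphen and not start or end with '-'."""
    labels = domain.split(".")
    if len(labels) < 2:
        return False
    for label in labels:
        if not label or label[0] == "-" or label[-1] == "-":
            return False
        if any(c not in string.ascii_letters + string.digits + "-" for c in label):
            return False
    return True


def valid_local_part(local):
    """Unquoted dot-atom form: atext runs separated by single dots, <= 64 octets."""
    if not local or len(local) > MAX_LOCAL_PART:
        return False
    if local.startswith(".") or local.endswith(".") or ".." in local:
        return False
    return all(c in ATEXT or c == "." for c in local)


def nontypical_chars(local):
    return sorted({c for c in local if c not in TYPICAL_LOCAL})


def classify(address):
    """Describe one MAIL FROM address: RFC validity and what a strict policy would flag."""
    local, sep, domain = address.rpartition("@")
    if not sep:
        return {"rfc_valid": False, "nontypical": [], "would_flag": True}
    nontypical = nontypical_chars(local)
    return {
        "rfc_valid": valid_local_part(local) and valid_domain(domain),
        "nontypical": nontypical,
        "would_flag": bool(nontypical),
    }


# Constructed inputs: the two addresses from the thread plus an ordinary mailbox.
SAMPLES = [
    "AtttJnW0/THC83JL6ADvm3A==_1102288667035_o09sgHXmEeqRGtSuUqLLUg==@in.constantcontact.com",
    "010f017cb80b9efb-24140d54-ba00-4648-a1b6-67126fa95e31-000000@us-east-2.amazonses.com",
    "first.last+tag@example.com",
]

if __name__ == "__main__":
    for addr in SAMPLES:
        print(addr)
        print("   ", classify(addr))
```

The first address is RFC-valid (its 64-character local part sits exactly at the limit) but carries `/` and `=`, so a non-typical-character policy would reject it; the Amazon SES address is RFC-valid and contains nothing unusual, so such a policy would not have helped with the second case at all. That asymmetry is the false-positive question the reply says the research team is evaluating.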
