Hi,
I'm getting several emails from accounts like:
random@somedomain.com
That bypass any SpamAsassin and MagicSpam.
I want to treat those emails as SPAM; mails like:
1.- Email: AtttJnW0/THC83JL6ADvm3A==_1102288667035_o09sgHXmEeqRGtSuUqLLUg==@in.constantcontact.com
2.- Email: 010f017cb80b9efb-24140d54-ba00-4648-a1b6-67126fa95e31-000000@us-east-2.amazonses.com
Among others.
Here are the important part of the headers:
1.-
Return-Path: <AtttJnW0/THC83JL6ADvm3A==_1102288667035_o09sgHXmEeqRGtSuUqLLUg==@in.constantcontact.com>
Received: from ccm36.constantcontact.com ([208.75.123.196]:60381)
Received: from [10.252.0.1] ([10.252.0.1:44016] helo=p2-jbemailsyndicator34.ctct.net)
From: Entorno Cit Tour Operador & Receptivo <cit.promos@gmail.com>
Reply-To: gerencia.entornocit@gmail.com
Sender: Entorno Cit Tour Operador & Receptivo <destinos@mexico.ccsend.com>
2.-
Return-Path: <010f017cb80b9efb-24140d54-ba00-4648-a1b6-67126fa95e31-000000@us-east-2.amazonses.com>
Received: from a94-117.smtp-out.us-east-2.amazonses.com ([54.240.94.117]:35137)
Received: (no HELO on this)
From: Vanessa Lara <proyectos@inteligenciaempresarial.mx>
Reply-To: Vanessa Lara <vlara@inteligenciaempresarial.mx>
Sender: (No SENDER declared on this)
For the second example I have a plus... the domain and subdomains for "inteligenciaempresarial" are blocked by wildcard (*@inteligenciaempresarial.mx and *@*.inteligenciaempresarial.mx) and nevertheless it bypasses the filter!
Could you help me?
Random characters on email account bypasses all filters
Re: Random characters on email account bypasses all filters
Hello NubeNinja,
The MagicSpam Sender From Blacklist operates on the data in the MAIL FROM command which is equivalent to the Return-Path email header rather than the From email header, so you will have to add a wildcard blacklist entry to target the domain in the Return-Path header, e.g.
Example 1: Return-Path: <AtttJnW0/THC83JL6ADvm3A==_1102288667035_o09sgHXmEeqRGtSuUqLLUg==@in.constantcontact.com>
Add Sender Blacklist Entry: *@*.constantcontact.com
Example 2: Return-Path: <010f017cb80b9efb-24140d54-ba00-4648-a1b6-67126fa95e31-000000@us-east-2.amazonses.com>
Add Sender Blacklist Entry: *@*.amazonses.com
It might not be the best idea to blacklist these domains even though they have been leaking spam as they belong to legitimate email services (ConstantContact, Amazon SES) and may have legitimate customers sending legitimate emails. However, feel free to blacklist these domains if you don't expect to receive any legitimate emails from them.
As an alternative in the first case with ConstantContact, their IP addresses are already listed on MIPSpace-Poor which we recommend to set to FLAG. Note that MIPSpace is designed specifically deal with unwanted marketing emails.
As for the second case with Amazon SES, it's trickier to deal with as they are not listed on any IP reputation lists. If you could send us these uncaught spam samples as attachments via email (support@magicspam.com), then we can pass them along to our threat research team to create new content filtering rules which will be automatically downloaded by your MagicSpam installation.
Let us know if you have anymore questions.
Thank you!
The MagicSpam Sender From Blacklist operates on the data in the MAIL FROM command which is equivalent to the Return-Path email header rather than the From email header, so you will have to add a wildcard blacklist entry to target the domain in the Return-Path header, e.g.
Example 1: Return-Path: <AtttJnW0/THC83JL6ADvm3A==_1102288667035_o09sgHXmEeqRGtSuUqLLUg==@in.constantcontact.com>
Add Sender Blacklist Entry: *@*.constantcontact.com
Example 2: Return-Path: <010f017cb80b9efb-24140d54-ba00-4648-a1b6-67126fa95e31-000000@us-east-2.amazonses.com>
Add Sender Blacklist Entry: *@*.amazonses.com
It might not be the best idea to blacklist these domains even though they have been leaking spam as they belong to legitimate email services (ConstantContact, Amazon SES) and may have legitimate customers sending legitimate emails. However, feel free to blacklist these domains if you don't expect to receive any legitimate emails from them.
As an alternative in the first case with ConstantContact, their IP addresses are already listed on MIPSpace-Poor which we recommend to set to FLAG. Note that MIPSpace is designed specifically deal with unwanted marketing emails.
As for the second case with Amazon SES, it's trickier to deal with as they are not listed on any IP reputation lists. If you could send us these uncaught spam samples as attachments via email (support@magicspam.com), then we can pass them along to our threat research team to create new content filtering rules which will be automatically downloaded by your MagicSpam installation.
Let us know if you have anymore questions.
Thank you!
-- MagicSpam Support Team --
Re: Random characters on email account bypasses all filters
Thank you for the reply,
So, if I understand well, an email account formatted as: AtttJnW0/THC83JL6ADvm3A==_1102288667035_o09sgHXmEeqRGtSuUqLLUg==@whatever.com is fine? How can that be possible?
As a workaround, can I "Add Sender Blacklist Entry" as follows?:
Block "=": *=*@*
Block "/": */*@*
... and so on; is that possible?
Or maybe:
Block "=" only on subdomain of contantcontact: *=*@*.constantcontact.com
Block "/" only on subdomain of contantcontact: */*@*.constantcontact.com
But, all in all, I'd preferer a rule like https://spamauditor.org/best-practices/rfc-mail-from/ or https://spamauditor.org/best-practices/ ... dentifier/ specially in: "HELO @(&$ (characters not normally allowed in domain names)" as "=" or "/" characters are not normally allowed (or even used) on email users.
Thanks in advance
So, if I understand well, an email account formatted as: AtttJnW0/THC83JL6ADvm3A==_1102288667035_o09sgHXmEeqRGtSuUqLLUg==@whatever.com is fine? How can that be possible?
As a workaround, can I "Add Sender Blacklist Entry" as follows?:
Block "=": *=*@*
Block "/": */*@*
... and so on; is that possible?
Or maybe:
Block "=" only on subdomain of contantcontact: *=*@*.constantcontact.com
Block "/" only on subdomain of contantcontact: */*@*.constantcontact.com
But, all in all, I'd preferer a rule like https://spamauditor.org/best-practices/rfc-mail-from/ or https://spamauditor.org/best-practices/ ... dentifier/ specially in: "HELO @(&$ (characters not normally allowed in domain names)" as "=" or "/" characters are not normally allowed (or even used) on email users.
Thanks in advance
Re: Random characters on email account bypasses all filters
Hey NubeNinja,
Yes, it isn't against the RFC specifications for the local part of the email address issued in the SMTP MAIL FROM command to be formatted like that as all the characters used are valid and does not exceed the maximum length. Email services like Amazon SES automatically generates the local part when sending email on the behalf of their customer for a variety of reasons (e.g. logging, tracking, statistics) and will instead set the From header in the email body to the actual sender domain.
You shouldn't blacklist email address using patterns which target non-typical characters (e.g. equal, slash characters) in the local part as legitimate senders using these email services that you do want to communicate with will not be able to have their messages delivered to your server. If you do want to block ALL email from these email services, then you would be better off with following the previously provided instructions of blocking their subdomains.
Your suggestion about creating a spam policy to reject messages where the SMTP MAIL FROM address contains non-typical characters is quite interesting. We have created a development ticket and brought it to the attention of our threat research team to further investigate the utility and possibly of false positives for such a spam policy.
Thank you and do let us know if you have any questions or require further assistance.
Yes, it isn't against the RFC specifications for the local part of the email address issued in the SMTP MAIL FROM command to be formatted like that as all the characters used are valid and does not exceed the maximum length. Email services like Amazon SES automatically generates the local part when sending email on the behalf of their customer for a variety of reasons (e.g. logging, tracking, statistics) and will instead set the From header in the email body to the actual sender domain.
You shouldn't blacklist email address using patterns which target non-typical characters (e.g. equal, slash characters) in the local part as legitimate senders using these email services that you do want to communicate with will not be able to have their messages delivered to your server. If you do want to block ALL email from these email services, then you would be better off with following the previously provided instructions of blocking their subdomains.
Your suggestion about creating a spam policy to reject messages where the SMTP MAIL FROM address contains non-typical characters is quite interesting. We have created a development ticket and brought it to the attention of our threat research team to further investigate the utility and possibly of false positives for such a spam policy.
Thank you and do let us know if you have any questions or require further assistance.
-- MagicSpam Support Team --
Who is online
Users browsing this forum: No registered users and 7 guests