Spam filtering on false sender domains

General discussions and other topics.
10 posts Page 1 of 1
by ronks » Sun Dec 08, 2024 12:56 pm
My sonic.net address receives several bogus mails a day, mostly with artificial From fields of the form
<infomjhj@XJxhErj.RaO>
<infohtyu@JWPpaGo.znw>
<infoUuqU@RippyZI.Dqt>
<infoljqY@RQRTWzh.wEI>

None of those high-level fields (RaO, znw, Dqt, wEI) appear valid.
I'm wondering how to create a filter (on my Sonic account, or in Thunderbird) to accept only from legitimate domains.
Is there a Spamassassin score for this condition?
by jerrielm » Mon Dec 09, 2024 8:11 am
Hello!

Is there any difference between your Thunderbird and Sonic webmail? Do you get certain emails on one account and not another?

To my understanding, Thunderbird should have a built-in spam filter. Adding emails to their spam category might help with catching spam with the help of Thunderbird. We could add more catchalls, but with how different the emails are, it might not help. Do the subjects in these emails stay the same? Adding a block subject line might also help if they are the same.

Best Wishes!
by ronks » Mon Dec 09, 2024 8:27 am
Not sure I understand your question. I receive my sonic.net email via Thunderbird on my PC.
Both have filtering tools; my question is whether either can be crafted to flag messages sent from fake high-level domains. That is, other than .com OR .edu OR .org and so forth.
I suspect I could do it in TBird with a complex Boolean, but I'd be interested to hear of other approaches.
by legenda » Wed Dec 11, 2024 4:59 pm
This is easy with procmail, but setting up procmail takes some effort.

Here's a procmail recipe that recognizes your pattern and several similar patterns and delivers the message to Graymail if it contains any of the patterns.

:0
* 1^0 ^From: .*allied\..........@
* 1^0 ^From: .*eee
* 1^0 ^From: .*from@
* 1^0 ^From: .*@.*\.gb\.
* 1^0 ^From: .*go@
* 1^0 ^From: .*ii
* 1^0 ^From: .*info....@
* 1^0 ^From: .*noreply.....@
* 1^0 ^From: .*oiu
* 1^0 ^From: .*uio
* 1^0 ^From: .*uu
$DEFAULT.Graymail/

Note that allied is followed by a dot and nine random characters, info is followed by four random characters, and noreply is followed by five random characters.

Spammers are not trying very hard any more, so there are lots of patterns in mail headers that procmail can find and filter on.
by legenda » Sun Dec 15, 2024 2:26 pm
So far today I've received 117 instances of this kind of spam.

They all have 10 to 14 bad header traits that are easy to catch with procmail, so they were easily filtered into my bitbucket.

For folks who don't want to set up procmail, there are two common traits that SpamAssassin can filter on.

The first is the From: address. It's always infoxxxx@something, where xxxx is four random characters. Ideally, you could Blocklist From info????@, and SpamAssassin would put it all in Graymail. However, Member Tools won't accept ? as a legal character, so the best you can do is Blocklist From info*@, and that's likely to cause too many false positives.

The second trait is the SpamAssassin rule INVALID_DATE. Every instance of this kind of spam has an invalid date because the first character after Date: is not a space. The default score for INVALID_DATE is 0.432. If you adjust the score for INVALID_DATE to a value greater than your spam threshold, SpamAssassin will catch every instance of this type of spam.
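
The header traits discussed in this thread (a From: top-level domain that is not on a known list, a local part of info plus four characters, and no space after Date:), checked over raw message headers. This is an added example, not part of any post and not how SpamAssassin or procmail implement their rules; the function names, the short TLD sample and both test messages are constructed for illustration.

```python
import re

# Constructed short sample; a real check would load the full IANA TLD list.
SAMPLE_TLDS = {"com", "net", "org", "edu", "gov", "uk", "de"}
ADDR = re.compile(r"<?([^\s<>@]+)@([^\s<>@]+)>?\s*$")

def raw_headers(message):
    """Map lowercased header name -> raw text after the colon (first occurrence)."""
    fields = []
    for line in message.splitlines():
        if not line:                       # blank line ends the header block
            break
        if line[0] in " \t" and fields:    # folded continuation line
            fields[-1][1] += line
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append([name.lower(), value])
    first = {}
    for name, value in fields:
        first.setdefault(name, value)
    return first

def traits(message, valid_tlds=SAMPLE_TLDS):
    """Return the set of suspicious header traits found in one raw message."""
    h = raw_headers(message)
    found = set()
    m = ADDR.search(h.get("from", "").strip())
    if m:
        local, domain = m.groups()
        if domain.rsplit(".", 1)[-1].lower() not in valid_tlds:
            found.add("unknown_tld")       # e.g. .RaO, .znw
        if re.fullmatch(r"info[A-Za-z0-9]{4}", local):
            found.add("info_plus_4")       # infoxxxx@ but not plain info@
    date = h.get("date")
    # The raw value is kept unstripped so the missing space is still visible.
    if date is not None and not date.startswith(" "):
        found.add("date_no_space")
    return found

# Constructed messages: one shaped like the spam described, one ordinary.
SPAM = ("From: <infomjhj@XJxhErj.RaO>\n"
        "Date:Sun, 15 Dec 2024 14:26:00 -0800\nSubject: test\n\nbody\n")
HAM = ("From: Example Support <info@example.com>\n"
       "Date: Sun, 15 Dec 2024 14:26:00 -0800\nSubject: test\n\nbody\n")

if __name__ == "__main__":
    print(sorted(traits(SPAM)), sorted(traits(HAM)))
```

Counting traits per message rather than acting on a single one keeps a lone match, such as a legitimate sender on a TLD missing from the list, from deciding the outcome on its own.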
by legenda » Sun Dec 15, 2024 11:16 pm
My count for this kind of spam is up to 123 just for today.

It occurs to me that there is a way to use Blocklist From and yet avoid common false positives.

First Blocklist From info*@, then Unblocklist From info@. That should block infoxxxx@something without blocking info@something.
by ronks » Mon Dec 16, 2024 12:21 pm
Thanks! I think I will try the invalid-date test and see if it turns up too many false positives.
I could get lost in procmail coding; will save that for last resort.
by legenda » Wed Dec 18, 2024 2:05 pm
It turns out that even though Member Tools accepts info*@ and info@ as Blocklist entries, SpamAssassin won't act on them. So they have to be

Blocklist From info*@*
UnBlocklist From info@*
by ronks » Wed Dec 18, 2024 8:12 pm
Is UnBlocklist the same as Welcomelist?
I don't seem to find an entry with that name.
by legenda » Wed Dec 18, 2024 8:54 pm
No, it's not the same as Welcomelist From. Look at Blocklist From on the Blocklist Address page. It's actually a menu. Unblocklist From is the other choice in the menu.

Unblocklist From is not working correctly at the moment. SpamAssassin adds 100 points for a Blocklist From match, but doesn't recognize an Unblocklist From match. It should add -100 points for an Unblocklist From match so that they would cancel each other out.

I've submitted a bug report to Support.