Back to Community Threads
3
Getting lots of Mails with Virus names WhatsApp
Problem reported by Devang Shah - 1/7/2016 at 5:17 AM
Submitted
Hi,
 
Since last 15 days, many users on our servers have started getting Virus mails whose name says WhatsApp & they are from diff unknown mail IDs]
 
WhatsApp [festival@alahlidubai.ae]
[virus a variant of Win32/Bayrob.AT.gen trojan] An audio message has been delivered xvvcqd
 
I am using SM 11 Entp edition with latest build, rest of the server is fine except this WhatsApp mails which are attached with Virus mails 
 
Plz advice 
 
Regards,
Devan

9 Replies

Reply to Thread
0
Bruce Barnes Replied
1/8/2016 at 6:11 PM
Try adding these to CUSTOM RULES in your antispam settings:
 
TLS BLOCK - RETURN PATH
TLS BLOCK - RETURN PATH
TLD BLOCK - REPLY TO
TLD BLOCK - REPLY TO
 
TLB BLOCK 2 - FROM
TLB BLOCK 2 - FROM
 
Here's what the list will look like after they have all been added to CUSTOM RULES:
 
List of CUSTOM RULES
List of CUSTOM RULES
 
Remember to ENABLE them:
 
CUSTOM RULES - shown as ENABLED
CUSTOM RULES - shown as ENABLED
 
and then SAVE your changes to your antispam settings by clicking SAVE at the top left-hand corner of the antispam settings page:
 
Don't forget to SAVE your antispam settings!
Don't forget to SAVE your antispam settings!
 
 
 
Here's a list of the TLDs we are blocking.  Note the format:
  • link
  • rocks
  • science
  • work
  • pw
  • ninja
  • cricket
  • hu
 
DOT  ASTERISK  BACKSLASH   DOT DOMAIN  DOLLARSIGN
 
.*\.link$
.*\.rocks$
.*\.science$
.*\.work$
.*\.pw$
.*\.ninja$
.*\.cricket$
.*\.hu$
 
I am in the process of reviewing many of the changes which have been made to RBLs by RBL database providers and will be releasing a new version of my antispam document within the next few weeks.
 
The most recent version of that document can always be found at:
 
 
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phonr: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
0
Martin Schaible Replied
1/10/2016 at 7:30 AM
If you block hungary (TLD .hu), you could also block Romania (TLD .ro). They are spamming like hell since a while.
0
Matthew Leyda Replied
1/10/2016 at 12:44 PM
Bruce,
For some reason I cant get the rule to work. I setup a test rule to see how it worked. Any idea?
 
Kendra Support http://www.kendra.com support@kendra.com 425-397-7911 Junk Email filtered ISP
0
Martin Schaible Replied
1/10/2016 at 1:08 PM
If you wanna block all .com domains, the regex looks like this: .*\.com$

.* Anything
\. Escaping the period
com$ com needs to be at the end of the line.

I think i see a double quote in your regex.

If you apply this rule, you will have silence on you server :-)
0
Matthew Leyda Replied
1/10/2016 at 1:15 PM
I see the extra period and it still doesn't work.

I put a weight of -1 so people don't get upset. I just want to see if I understand how to get it to work. There is very little info on "regular Expression" usage in the custom rules.
Kendra Support http://www.kendra.com support@kendra.com 425-397-7911 Junk Email filtered ISP
0
Martin Schaible Replied
1/11/2016 at 10:02 AM
Regular expressions are a bit tricky to learn and goes beyond the duty of SmarterMail's documentation.

What you like to do is blocking the WhatsApp-spams. You could add a custom rule for the header with this regular expression:

whats.?app.?(messenger|notifier|reminder|service)

in the header, we have also the FROM, which will be triggered by this regex. I use this since a while and it works as expected.

WhatsApp sends never E-Mails so far i know, maybe the string whats.?app might be good enough.

Hope this helps
0
Ionel Aurelian Rau Replied
1/19/2016 at 2:38 AM
Ahem - I find this at least just a little bit offensive :) - I`m running a SmarterMail server from Romania and also managing 3 other email systems and we`re not SPAMming. But if you think it will help :)
0
Martin Schaible Replied
1/19/2016 at 10:07 AM
Don't take it personal. :-) It is a fact, that we receive tons of spam from eastern europe. Today around 700 from hungary, around 500 from romania and finally nearly 1000 from russia.
0
Ionel Aurelian Rau Replied
1/20/2016 at 12:56 AM
It`s OK, I understand. SPAMmers are the scourge of the Earth, no matter where they spam from.

Anyway, to be on-topic, I`m glad I found this topic as it was very useful to see the right regular expression needed to block certain TLDs.
Back to Community Threads

Reply to Thread

Related Knowledge Base Articles

Microsoft Defender Antivirus and Virus Scanner ExceptionsSmarterMail > Troubleshooting
Reducing ClamAV False PositivesSmarterMail > Troubleshooting
Move a Domain from one SmarterMail Server to AnotherSmarterMail > Installation and Configuration
Configure Outlook 2011 for MacOS with MAPI & EWSSmarterMail > Desktop and Mobile Synchronization
Spam and Security Checks for IPv6 SystemsSmarterMail > Antispam and Antivirus