Spam with .link
Question asked by Mike Roe - 6/23/2015 at 11:15 AM
I have SmarterMail 13.3.5535 set up with Bruce's spam filter and I am getting a lot of spam from the .link domain.
[2015.06.23] 13:17:55 [][40026571] cmd: MAIL FROM:<SimpleFunds@thawsmallbusiness.link> BODY=7BIT
[2015.06.23] 13:17:57 [][40026571] rsp: 250 OK <simplefunds@thawsmallbusiness.link> Sender ok
[2015.06.23] 13:17:57 [][40026571] cmd: RCPT TO:<ll#####@#########.com> 
[2015.06.23] 13:17:57 [][40026571] rsp: 250 OK <ll#####@#########.com> Recipient ok
[2015.06.23] 13:17:57 [][40026571] cmd: DATA
[2015.06.23] 13:17:57 [][40026571] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
[2015.06.23] 13:17:57 [][40026571] rsp: 250 OK
[2015.06.23] 13:17:57 [][40026571] Data transfer succeeded, writing mail to 743799632171.eml
[2015.06.23] 13:17:57 [][40026571] cmd: QUIT
[2015.06.23] 13:17:57 [][40026571] rsp: 221 Service closing transmission channel
[2015.06.23] 13:17:57 [][40026571] disconnected at 6/23/2015 1:17:57 PM
Some of them are being blocked but a lot of them are getting through.
Can anyone tell me the best way to get the domain blocked?

6 Replies

Scarab Replied
You can create a Custom Rule in SECURITY > ANTI-SPAM ADMINISTRATION > SPAM CHECKS as follows:
Rule Source: Header
Header: Return-Path
Rule Type: Regular-Expression
Weight: (variable based upon your Low/Med/High weights)
Rule Text: .*\.link$
(et cetera for each top-level domain you want to catch)
Mike Roe Replied
I will give this a try.
Thanks for the quick response

Mike Roe Replied
I am still getting these. Do I need to restart the service or do anything else after I make the rule?
What weight should I use?
I delete for all weights (low/med/high).
Scarab Replied
If you have Custom Rules marked for "Enable for Filtering" on your Anti-Spam Administration page it should be active (optionally you can also "Enable for Blocking" if you want and this is your only Custom Rule).

If you delete for all probabilities of Spam then the score should be set to the threshold you have set for at least Low probability.

In my example I chose to use the header "Return-Path" as it can catch spam that is sent from compromised accounts and spoofed addresses. If the "Return-Path" is a different domain than .link then you may want to use the "Reply-To" or "From" as your header value instead. Looking at the headers of the spam you are getting will show which value you would want to configure your filter for. (Optionally you can create identical Custom Rules, one for each header value, to be thorough).
Scarab Replied
I'm beginning to understand why SmarterTools staff is always silent on the subject of Custom Rules in SmarterMail. It is very finicky. After some experimentation I got my rules to work 100% of the time with the following alterations:
Rule Source: Header
Header: Return-Path
Rule Type: Regular-Expression
Weight: (variable based upon your Low/Med/High weights)
Rule Text: .+\.link>$
(et cetera for each top-level domain you want to catch)
Using .+ instead of .* shouldn't make too much of a difference (though it can in some unusual circumstances), but the important missing piece was the ending > before the end-of-string $. Not sure why it would work sometimes without the ending > and not other times, but I was able to confirm that was the problem.
The other thing to note is: do not put a : at the end of your Header field, as Custom Rules assumes a : and putting one in that field will result in it never matching (as it will be looking for Return-Path::).
The same RegEx above should work with the From or Return-Path fields if you would prefer using those.
Getting the Rules to go active doesn't require a restart of the service. Generally unselecting "Enable for Filtering" and clicking on [SAVE] and then reselecting "Enable for Filtering" and clicking on [SAVE] is enough to get SmarterMail to immediately accept your changes.
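An added example (not from the thread or from SmarterMail itself) that replays the two rule texts posted above against constructed Return-Path headers, showing that whether the header value is written with angle brackets decides which pattern matches, and that a header name with a trailing colon never matches. The sample messages, and the RULE_EITHER variant that accepts both spellings, are the editor's own.

```python
import re
from email import message_from_string

# Constructed sample messages (not real mail from the thread). Both
# Return-Path spellings are legal; the bracketed form is what a receiving
# MTA normally writes, the bare form is what made the first rule "work
# sometimes".
SAMPLE_MESSAGES = {
    "bracketed_link": "Return-Path: <simplefunds@example-offer.link>\r\n"
                      "From: Simple Funds <simplefunds@example-offer.link>\r\n"
                      "Subject: constructed sample\r\n\r\nbody\r\n",
    "bare_link": "Return-Path: simplefunds@example-offer.link\r\n"
                 "From: <simplefunds@example-offer.link>\r\n"
                 "Subject: constructed sample\r\n\r\nbody\r\n",
    "legit_com": "Return-Path: <alice@example.com>\r\n"
                 "From: Alice <alice@example.com>\r\n"
                 "Subject: constructed sample\r\n\r\nbody\r\n",
}

# Rule texts exactly as posted in the thread.
RULE_ORIGINAL = r".*\.link$"    # first version: fails on "<...>" values
RULE_FIXED = r".+\.link>$"      # corrected version: requires the closing '>'
# Editor's variant (not from the thread): tolerate either spelling.
RULE_EITHER = r"\.link>?$"


def header_rule_matches(raw_message: str, header: str, rule_text: str) -> bool:
    """Apply a 'Header / Regular-Expression' style rule to one message.

    The pattern is searched in the header's value only. A header name that
    carries its own ':' (e.g. "Return-Path:") is looked up literally and is
    therefore never found, which is the mistake the thread warns about.
    """
    msg = message_from_string(raw_message)
    value = msg.get(header)
    if value is None:
        return False
    return re.search(rule_text, value.strip()) is not None


def evaluate_rule(rule_text: str, header: str = "Return-Path") -> dict:
    """Run one rule text over every sample; returns {sample_name: matched}."""
    return {name: header_rule_matches(raw, header, rule_text)
            for name, raw in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for label, rule in (("original", RULE_ORIGINAL), ("fixed", RULE_FIXED),
                        ("either", RULE_EITHER)):
        print(label, evaluate_rule(rule))
```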
Bruce Barnes Replied
has been updated to get rid of the spam you are experiencing - so long as you follow it to the letter, enable greylisting, and do not allow users to modify their own spam or greylisting settings.
Bruce Barnes
ChicagoNetTech Inc

Phone: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
