3
Getting lots of Mails with Virus names WhatsApp
Problem reported by Devang Shah - 1/7/2016 at 5:17 AM
Submitted
Hi,
 
For the last 15 days, many users on our servers have been getting virus mails whose name says WhatsApp, and they are from different unknown mail IDs.
 
WhatsApp [festival@alahlidubai.ae]
[virus a variant of Win32/Bayrob.AT.gen trojan] An audio message has been delivered xvvcqd
 
I am using SM 11 Enterprise edition with the latest build. The rest of the server is fine except for these WhatsApp mails, which have viruses attached.
 
Please advise.
 
Regards,
Devan

11 Replies

0
Bruce Barnes Replied
Try adding these to CUSTOM RULES in your antispam settings:
 
TLS BLOCK - RETURN PATH
TLD BLOCK - REPLY TO
 
TLB BLOCK 2 - FROM
 
Here's what the list will look like after they have all been added to CUSTOM RULES:
 
List of CUSTOM RULES
 
Remember to ENABLE them:
 
CUSTOM RULES - shown as ENABLED
 
and then SAVE your changes to your antispam settings by clicking SAVE at the top left-hand corner of the antispam settings page:
 
Don't forget to SAVE your antispam settings!
 
 
 
Here's a list of the TLDs we are blocking.  Note the format:
  • link
  • rocks
  • science
  • work
  • pw
  • ninja
  • cricket
  • hu
 
DOT  ASTERISK  BACKSLASH   DOT DOMAIN  DOLLARSIGN
 
.*\.link$
.*\.rocks$
.*\.science$
.*\.work$
.*\.pw$
.*\.ninja$
.*\.cricket$
.*\.hu$
 
I am in the process of reviewing many of the changes which have been made to RBLs by RBL database providers and will be releasing a new version of my antispam document within the next few weeks.
 
The most recent version of that document can always be found at:
 
 
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phone: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
Martin Schaible Replied
If you block Hungary (TLD .hu), you could also block Romania (TLD .ro). They have been spamming like hell for a while.
0
Matthew Leyda Replied
Bruce,
For some reason I can't get the rule to work. I set up a test rule to see how it worked. Any idea?
 
Kendra Support
http://www.kendra.com
support@kendra.com
425-397-7911
Junk Email filtered ISP
0
Martin Schaible Replied
If you wanna block all .com domains, the regex looks like this: .*\.com$

.* Anything
\. Escaping the period
com$ com needs to be at the end of the line.

I think I see a double quote in your regex.

If you apply this rule, you will have silence on your server :-)
0
Matthew Leyda Replied
I see the extra period and it still doesn't work.

I put a weight of -1 so people don't get upset. I just want to see if I understand how to get it to work. There is very little info on "regular Expression" usage in the custom rules.
Kendra Support
http://www.kendra.com
support@kendra.com
425-397-7911
Junk Email filtered ISP
0
Martin Schaible Replied
Regular expressions are a bit tricky to learn and go beyond the duty of SmarterMail's documentation.

What you'd like to do is block the WhatsApp spam. You could add a custom rule for the header with this regular expression:

whats.?app.?(messenger|notifier|reminder|service)

In the header, we also have the FROM, which will be triggered by this regex. I have used this for a while and it works as expected.

WhatsApp never sends e-mails as far as I know, so maybe the string whats.?app might be good enough.

Hope this helps
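
Added example (not from any poster in this thread): a small Python harness that runs the TLD patterns and the header pattern quoted above against constructed header values, to show what each one does and does not match. Python's `re` stands in for the mail server's regex engine; the case-insensitive header search and the helper `bare_address` are assumptions, since the thread does not say what string a custom rule is matched against.

```python
import re
from email.utils import parseaddr

# Patterns as posted in the thread.
TLD_RULES = [r".*\.link$", r".*\.rocks$", r".*\.science$", r".*\.work$",
             r".*\.pw$", r".*\.ninja$", r".*\.cricket$", r".*\.hu$"]
HEADER_RULE = r"whats.?app.?(messenger|notifier|reminder|service)"
SHORT_RULE = r"whats.?app"

def bare_address(header_value):
    """Hypothetical helper: drop display name and angle brackets, lower-case."""
    return parseaddr(header_value)[1].lower()

def tld_hits(value, rules=TLD_RULES):
    """Return the TLD patterns that match the given string."""
    return [p for p in rules if re.search(p, value)]

def header_hit(pattern, headers):
    """Case-insensitive search of a header block (assumed matching mode)."""
    return re.search(pattern, headers, re.IGNORECASE) is not None

# Constructed sample values, not taken from real mail.
SAMPLES = [
    "WhatsApp <festival@example.hu>",   # trailing '>' sits after the TLD
    "Festival@EXAMPLE.HU",              # upper-case TLD
    "<bounce@mail.example.pw>",
    "user@hu.example.com",              # 'hu' is a label, not the TLD
    "user@example.network",             # ends in 'work', TLD is 'network'
]
SAMPLE_HEADERS = [
    "From: WhatsApp <festival@example.hu>\nSubject: An audio message has been delivered",
    "From: WhatsApp Notifier <a@example.link>\nSubject: Missed voicemail",
    "From: Alice <alice@example.com>\nSubject: call me on whatsapp later",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:36} raw={tld_hits(s)} normalized={tld_hits(bare_address(s))}")
    # Unescaped dot: '.' matches any character, so 'network' is caught too.
    print(tld_hits("user@example.network", [r".*.work$"]))
    for h in SAMPLE_HEADERS:
        print(header_hit(HEADER_RULE, h), header_hit(SHORT_RULE, h), h.splitlines()[0])
```

On these samples the `$`-anchored TLD patterns match only once the display name and angle brackets are stripped and the address is lower-cased, and the short `whats.?app` pattern also matches an ordinary message that merely mentions the word.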
0
Ionel Aurelian Rau Replied
Ahem - I find this at least just a little bit offensive :) - I'm running a SmarterMail server from Romania and also managing 3 other email systems and we're not SPAMming. But if you think it will help :)
0
Martin Schaible Replied
Don't take it personally. :-) It is a fact that we receive tons of spam from Eastern Europe. Today around 700 from Hungary, around 500 from Romania and finally nearly 1000 from Russia.
0
Ionel Aurelian Rau Replied
It's OK, I understand. SPAMmers are the scourge of the Earth, no matter where they spam from.

Anyway, to be on-topic, I'm glad I found this topic as it was very useful to see the right regular expression needed to block certain TLDs.
0
Harber Candelario Replied
Do they do any serious damage to your system?
0
Sophronia Winifred Replied
An engaging audio clue and many questions here.
