Getting lots of Mails with Virus names WhatsApp
Problem reported by Devang Shah - 1/7/2016 at 5:17 AM
Hi,
 
For the last 15 days, many users on our servers have been getting virus mails whose name says WhatsApp, and they are from different unknown mail IDs:
 
WhatsApp [festival@alahlidubai.ae]
[virus a variant of Win32/Bayrob.AT.gen trojan] An audio message has been delivered xvvcqd
 
I am using SM 11 Enterprise edition with the latest build; the rest of the server is fine except for these WhatsApp mails, which come with viruses attached.
 
Please advise.
 
Regards,
Devan

9 Replies

Bruce Barnes Replied
Try adding these to CUSTOM RULES in your antispam settings:
 
TLS BLOCK - RETURN PATH
TLD BLOCK - REPLY TO
 
TLB BLOCK 2 - FROM
 
Here's what the list will look like after they have all been added to CUSTOM RULES:
 
List of CUSTOM RULES
 
Remember to ENABLE them:
 
CUSTOM RULES - shown as ENABLED
 
and then SAVE your changes to your antispam settings by clicking SAVE at the top left-hand corner of the antispam settings page:
 
Don't forget to SAVE your antispam settings!
 
Here's a list of the TLDs we are blocking.  Note the format:
  • link
  • rocks
  • science
  • work
  • pw
  • ninja
  • cricket
  • hu
 
DOT  ASTERISK  BACKSLASH   DOT DOMAIN  DOLLARSIGN
 
.*\.link$
.*\.rocks$
.*\.science$
.*\.work$
.*\.pw$
.*\.ninja$
.*\.cricket$
.*\.hu$
 
I am in the process of reviewing many of the changes which have been made to RBLs by RBL database providers and will be releasing a new version of my antispam document within the next few weeks.
 
The most recent version of that document can always be found at:
 
 
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phone: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
Martin Schaible Replied
If you block Hungary (TLD .hu), you could also block Romania (TLD .ro). They have been spamming like hell for a while.
Matthew Leyda Replied
Bruce,
For some reason I can't get the rule to work. I set up a test rule to see how it worked. Any idea?
 
Kendra Support
http://www.kendra.com
support@kendra.com
425-397-7911
Junk Email filtered ISP
Martin Schaible Replied
If you wanna block all .com domains, the regex looks like this: .*\.com$

.* Anything
\. Escaping the period
com$ com needs to be at the end of the line.

I think I see a double quote in your regex.

If you apply this rule, you will have silence on your server :-)
Matthew Leyda Replied
I see the extra period and it still doesn't work.

I put a weight of -1 so people don't get upset. I just want to see if I understand how to get it to work. There is very little info on "regular expression" usage in the custom rules.
Kendra Support
http://www.kendra.com
support@kendra.com
425-397-7911
Junk Email filtered ISP
Martin Schaible Replied
Regular expressions are a bit tricky to learn and go beyond the duty of SmarterMail's documentation.

What you want to do is block the WhatsApp spams. You could add a custom rule for the header with this regular expression:

whats.?app.?(messenger|notifier|reminder|service)

In the header we also have the FROM, which will be triggered by this regex. I have used this for a while and it works as expected.

WhatsApp never sends e-mails, so far as I know; maybe the string whats.?app might be good enough.

Hope this helps
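Added example, not code from the thread or from SmarterMail: the TLD patterns from Bruce's list (`.*\.link$` etc.) and Martin's `whats.?app.?(messenger|notifier|reminder|service)` pattern, run as a small scoring pass over constructed message headers, plus a check of the two regex mistakes discussed above (a stray double quote and an unescaped period). Python's `re` is used as a stand-in for SmarterMail's regex engine; the rule weights, the assumption that TLD rules are tested against the bare address rather than the whole header, and case-insensitive matching are all assumptions, not SmarterMail behaviour. The message data is constructed.

```python
import re

# Constructed sample headers, modelled on the report in this thread; none is real mail.
SAMPLE_MESSAGES = [
    {"from": "WhatsApp <festival@alahlidubai.ae>",
     "reply_to": "notify@promo-festival.link",
     "subject": "An audio message has been delivered xvvcqd"},
    {"from": "WhatsApp Messenger <audio@example.science>",
     "reply_to": "",
     "subject": "You have a new voice message"},
    {"from": "Alice <alice@example.com>",
     "reply_to": "",
     "subject": "Lunch on Friday?"},
]

# Rule table: (header, pattern, weight). TLD patterns follow Bruce's list, the
# WhatsApp patterns follow Martin's post; the weights are assumed, not SmarterMail's.
CUSTOM_RULES = [
    ("reply_to", r".*\.link$", 10),
    ("reply_to", r".*\.science$", 10),
    ("from", r".*\.link$", 10),
    ("from", r".*\.science$", 10),
    ("from", r"whats.?app.?(messenger|notifier|reminder|service)", 15),
    ("from", r"whats.?app", 5),   # Martin's broader fallback string
]

ADDRESS_RE = re.compile(r"<([^>]+)>")


def mail_address(header_value):
    """Return the bare address from 'Display Name <user@host>' (assumed scope for TLD rules)."""
    m = ADDRESS_RE.search(header_value)
    return (m.group(1) if m else header_value).strip()


def rule_hits(msg, rules=CUSTOM_RULES):
    """Return the (header, pattern, weight) rules that fire on one message."""
    hits = []
    for header, pattern, weight in rules:
        value = msg.get(header, "")
        if not value:
            continue
        # Rules anchored with $ are TLD rules and see only the bare address;
        # other rules see the whole header value. Domains are case-insensitive.
        target = mail_address(value) if pattern.endswith("$") else value
        if re.search(pattern, target, re.IGNORECASE):
            hits.append((header, pattern, weight))
    return hits


def spam_weight(msg, rules=CUSTOM_RULES):
    """Total weight added by the custom rules for one message."""
    return sum(w for _, _, w in rule_hits(msg, rules))


def pitfall_checks():
    """Reproduce the two mistakes discussed in the thread on constructed addresses."""
    return {
        # A stray double quote becomes part of the pattern, so it never matches.
        "quoted_pattern_matches": bool(re.search(r'".*\.com$"', "bob@example.com")),
        # Correctly escaped dot: only a real .com domain matches.
        "escaped_dot_matches_com": bool(re.search(r".*\.com$", "bob@example.com")),
        "escaped_dot_matches_telecom": bool(re.search(r".*\.com$", "alice@telecom")),
        # Unescaped dot matches any character, so 'telecom' is wrongly caught.
        "unescaped_dot_matches_telecom": bool(re.search(r".*.com$", "alice@telecom")),
    }


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(spam_weight(msg), msg["from"], rule_hits(msg))
    print(pitfall_checks())
```

Note that the first sample, whose From header is just `WhatsApp <festival@...>`, is caught only by the TLD rule on its Reply-To and by the broader `whats.?app` string, not by the narrower `whats.?app.?(messenger|...)` pattern; the second sample trips both. The legitimate third message scores zero, which is the check to run before giving any of these rules a weight that rejects mail.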
Ionel Aurelian Rau Replied
Ahem - I find this at least just a little bit offensive :) - I'm running a SmarterMail server from Romania and also managing 3 other email systems, and we're not SPAMming. But if you think it will help :)
Martin Schaible Replied
Don't take it personally. :-) It is a fact that we receive tons of spam from eastern Europe. Today around 700 from Hungary, around 500 from Romania and finally nearly 1000 from Russia.
Ionel Aurelian Rau Replied
It's OK, I understand. SPAMmers are the scourge of the Earth, no matter where they spam from.

Anyway, to be on-topic, I'm glad I found this topic as it was very useful to see the right regular expression needed to block certain TLDs.