Any ideas how to filter based on the SMTP incoming value of <{%FROMNAME%}433@me.com>
Question asked by Patrick Mattson - 3/10/2020 at 9:51 AM
Unanswered
I have been getting a lot of incoming SMTP logs and am not sure what rule I could set up to delete these or something similar. Has anyone else seen these?

Here is the entire line:
[2020.03.09] 02:29:40.849 [185.97.133.233][36813792] senderEmail(1): {%FROMNAME%}433@me.com parsed using: <{%FROMNAME%}433@me.com>

It is one of the "I know your password" scams.

Trying to think of a way to block something like this.

5 Replies

0
Robert Emmett Replied
Employee Post
Patrick, you could create a Custom spam rule and look in the From header field for *433@me.com (use the wildcard * preceding the 433) then give it sufficient spam weight to send to Junk E-mail or delete it outright depending on your spam settings.
Robert Emmett
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Patrick Mattson Replied
I probably should have added that the number changes; here are the last few that came in:
[2020.03.10] 20:13:56.840 [14.227.130.243][40680564] cmd: MAIL FROM: <{%FROMNAME%}061@me.com>
[2020.03.10] 20:13:56.855 [14.227.130.243][40680564] senderEmail(1): {%FROMNAME%}061@me.com parsed using: <{%FROMNAME%}061@me.com>
[2020.03.10] 20:15:12.407 [176.59.64.107][16166550] cmd: MAIL FROM: <{%FROMNAME%}087@icloud.com>
[2020.03.10] 20:15:12.423 [176.59.64.107][16166550] senderEmail(1): {%FROMNAME%}087@icloud.com parsed using: <{%FROMNAME%}087@icloud.com>
[2020.03.10] 20:16:18.465 [185.15.62.11][50386608] cmd: MAIL FROM: <{%FROMNAME%}216@icloud.com>

What I noticed is that if I look at the header of an email that was successful, it shows up as something like serge061.

It's only in the SMTP logs after that it turns into a real looking email address.

I will try something in my header for the first part, can I do a * for the number?
0
Douglas Foster Replied
You need a regular expression, and this is easy to do with Declude (from mailsbestfriend.com). Create a filter clause of the form:
MAILFROM n PCRE (expression)

Anyone with SmarterMail should get started with Declude while it's free, and buy a service contract (currently very inexpensive) to help ensure that it will come back as an actively developed product.

I suggest implementing it as an incoming gateway, rather than embedded. 
1
Scarab Replied
Patrick,

You can make a Custom Rule in SETTINGS > ANTISPAM > SPAM CHECKS with the following settings:

Rule Name: FROMNAME
Rule Source: Header
Header: Return-Path
Rule Source: Regular Expression
Rule Text: (^<(?i:{%FROMNAME%}\d{3})@me\.com>$)
Weight: 30
Enable Spool Filtering: On

As shown in the image below:

This PCRE RegEx does as follows:
Beginning of the line starts with <
Case insensitive {%FROMNAME%} followed by ANY three digits
and ends with @me.com>

I have tested this AntiSpam rule in the latest release version of SmarterMail and it is working as intended.

RegEx is your friend. RegEx is life. RegEx will stop Spam but it will also give you headaches composing them.
0
Patrick Mattson Replied
Thank you. Have you been seeing a lot of these, Scarab?

I just noticed they changed to a different format:
[2020.03.14] 08:06:44.162 [119.160.71.61][5826017] senderEmail(1): {%FROMNAME%}@8758.com parsed using: <{%FROMNAME%}@8758.com>

Going to play with what you gave me and see if I can come up with a solution.
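
Added example, not part of the original thread or any poster's code: a Python log check that keys on the unexpanded `{%FROMNAME%}` token itself, so it covers the changing digits, the `me.com`/`icloud.com` variants and the later `@8758.com` format in one pass. The function and variable names are hypothetical, and accepting any `{%NAME%}` token (not just `FROMNAME`) is an assumption that goes beyond what the thread shows.

```python
import re

# Invariant across every variant quoted in the thread: the literal, unexpanded
# template token in the envelope sender. Accepting any {%NAME%} token, not only
# {%FROMNAME%}, is an assumption that generalizes beyond the thread.
PLACEHOLDER = re.compile(r"\{%[A-Z_]+%\}", re.IGNORECASE)

# Line layout as quoted in the thread: [date] time [client ip][session id] text
LOG_LINE = re.compile(
    r"^\[(?P<date>\d{4}\.\d{2}\.\d{2})\] (?P<time>[\d:.]+) "
    r"\[(?P<ip>[^\]]+)\]\[(?P<session>\d+)\] (?P<text>.*)$"
)
# Envelope sender as logged by either the MAIL FROM or the senderEmail line.
SENDER = re.compile(
    r"cmd: MAIL FROM:\s*<(?P<a>[^>]*)>"
    r"|senderEmail\(\d+\): (?P<b>\S+) parsed using:",
    re.IGNORECASE,
)

# First four lines are quoted from the thread; the last one is constructed.
SAMPLE_LOG = [
    "[2020.03.10] 20:13:56.840 [14.227.130.243][40680564] cmd: MAIL FROM: <{%FROMNAME%}061@me.com>",
    "[2020.03.10] 20:13:56.855 [14.227.130.243][40680564] senderEmail(1): {%FROMNAME%}061@me.com parsed using: <{%FROMNAME%}061@me.com>",
    "[2020.03.10] 20:15:12.407 [176.59.64.107][16166550] cmd: MAIL FROM: <{%FROMNAME%}087@icloud.com>",
    "[2020.03.14] 08:06:44.162 [119.160.71.61][5826017] senderEmail(1): {%FROMNAME%}@8758.com parsed using: <{%FROMNAME%}@8758.com>",
    "[2020.03.14] 08:07:01.000 [192.0.2.10][1234567] cmd: MAIL FROM: <alice@example.com>",
]

def flag_sessions(lines):
    """Return {session id: (client ip, sender)} for placeholder senders."""
    flagged = {}
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # not a log line in the expected layout
        s = SENDER.search(m["text"])
        if not s:
            continue  # line does not carry an envelope sender
        sender = s["a"] if s["a"] is not None else s["b"]
        if PLACEHOLDER.search(sender):
            flagged.setdefault(m["session"], (m["ip"], sender))  # one per session
    return flagged

if __name__ == "__main__":
    for session, (ip, sender) in flag_sessions(SAMPLE_LOG).items():
        print(session, ip, sender)
```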
