cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5056
Views
0
Helpful
6
Replies

How to block emails with specific keywords in the From field

jmcelvoy77
Level 1
Level 1

I have a user that keeps getting messages from "Viagra (c) Official Vendor" <users email address> or "Viagra (c) Direct Distributor" <users email address>.  I have a filter on the Incoming Content Filters that says:

condition: Envelope Sender

rule: mail-from == "(?i)(viagra|pfizer|cialis|etc)"

This was recommended by someone on another site, but it's not working.  The emails are still getting forwarded to the end user in a Spam Notificaiton Message.  The actual body of the messages is:

-----Original Message-----

From: VIAGRA (c) Official Vendor [mailto:users@email.com]

Sent: Wednesday, February 10, 2010 8:33 AM

To: User Name

Subject: [SPAM]User Name Brand 73% off Sale

Having trouble reading this email? View it in your browser <http://009b073d.loftyonce.ruc/> .

If nothing shown, click to try again <http://ef5eefa.loftyonce.ruc/>   

© 2007 Uywylisoyxi. All rights reserved.

Unsubscribe <http://dd591a5116.loftyonce.ruc/> 

&

-----Original Message-----

From: VIAGRA (c) Direct Distributor [mailto:liedootyr6587@womensbeanproject.com] <<<<this is not one of our email addresses or users>>

Sent: Wednesday, February 10, 2010 8:38 AM

To: End User

Subject: [SPAM]User Name Buy on 76% cheaper price

Having trouble reading this email? View it in your browser <http://02c3480ad.shapeglad.ru/> .

 

Error in getting images? Click here! <http://4444bebaa60.shapeglad.ru/>      

© 2007 Emerajuu. All rights reserved.

Unsubscribe <http://6f2ddb.shapeglad.ru/> 

6 Replies 6

jamesnoad
Level 1
Level 1

The mail-from test does not consider the From: header.  You need to find the message in you mail_logs to see what exactly made up the message.  You can do this through message tracking in the webUI or the findevent command in the cli.  Searching by subject may be best in this particular case.

To make tracing things easier in future I suggest you set up a message filter at position 1 which comprises something like:

insert_trace_header:

if(true)

  insert-header("X-Trace", "$hostname/$MID/$RemoteIP/$Reputation");

}

Then, if your users can provide you with that header in a problematic message they receive you will be able to quicky find the entire log set.

My user is getting notified of a "suspected spam" message via IronPort.  I have

released 2 of these messages to her so that I can see what the message body says.  It is exactly what I posted in my original post.  The from field says"

From: VIAGRA (c) Official Vendor [mailto:user@domain.com] or

From: VIAGRA (c) Direct Distibutor [mailto:user@domain.com]

I've done a search and can't find any emails to anyone in my company with Viagra in the from field.  The message body says:

Having trouble reading this email? View it in your browser

I guess I could create a Content Filter for Message Body, but would I just put "Having trouble reading this email? View it in your browser"? 

Do I need to seperate each word somehow?  When putting multiple words into a content filter, how do I seperate them, or do I need to seperate them?

Viagra is in the "friendly" part of the From header in this case which might be a problem.

In the command line try running:

grep -i VIAGRA mail_logs

Matching lines are likely to contain something like "MID 1234" somewhere within.  Run another grep using interesting MIDs e.g.

grep -e "MID 1234" -e "MID 5678" -e "MID 9012" mail_logs

Note that the greps will take some time to run.

You can see how far back your mail_logs go by running

grep Begin mail_logs

Interrupt greps with control-C if you want to stop early.

I ran the grep -i VIAGRA mail_logs command and got No results were found.  Use another regular expression

to search

I ran the grep Begin mail_logs and it says Fri Feb 12 09:19:45 2010 Info: Begin Logfile - this was 2 minutes before running this command.

Could I not create a content filter with the Body message of Having trouble reading this?  If so, do I need to seperate the words anyway?  Thanks for your assistance with my issue. 

In the original message the subject has [SPAM] at the beginning. You later say you released the message from the quarantine to the user.

I dont understand the problem, as it looks like to me the IronPort is seeing the message as SPAM and quarantining the message.

Point to note is the SPAM engine passes messages before the content filtering engine does in the email pipeline and therefore your content filter will NOT fire when the message has already been quarantined.

If you wanted to act on this message before the SPAM engine then you would need to write a Message Filter, which is done from the CLI.

Cheers

Shane

shannon.hagan
Level 1
Level 1

Try adding the condition

Other Header with header of From

and then put the criteria you are looking for.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: