X-Mailer: The Bat! (help!)
  •  
nhoague

I have a user who is getting blasted with hundreds of returned emails every morning. The message looks like this:


Return-path: <cate<_at_>example.com>
Received: from avgw (helo=avgw)
by mx54.isp.us-com.jp with local-smtp (Mail 4.69)
id 1PLv1I-00021S-45
for mm<_at_>yr6.highway.ne.jp; Fri, 26 Nov 2010 18:55:08 +0900
Received-SPF: none (example.com: No applicable sender policy available) client-ip=117.99.27.217; envelope-from=cate<_at_>example.com; helo=GMDESIGN;
Received: from [117.99.27.217] (helo=GMDESIGN)
by mx54.isp.us-com.jp with esmtp (Mail 4.69)
id 1PLv1D-0001px-Pb
for mm<_at_>yr6.highway.ne.jp; Fri, 26 Nov 2010 18:55:08 +0900
Received: from [117.99.27.217] by mail101.onepointsync.com; Fri, 26 Nov 2010 15:18:44 +0530
Date: Fri, 26 Nov 2010 15:18:44 +0530
From: "Vance Gilbert" <cate<_at_>example.com>
X-Mailer: The Bat! (v2.01) Business
Reply-To: cate<_at_>example.com
X-Priority: 3 (Normal)
Message-ID: <541658483.36914954323934<_at_>example.com>
To: mm<_at_>yr6.highway.ne.jp
Subject: Fri, 26 Nov 2010 15:18:44 +0530
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----------D3C09FB01B01467"

------------D3C09FB01B01467
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit

The problem is these SPAMmers are using her email address as the reply to. I have masked her name as cate<_at_>example.com. The X-Mailer is The Bat! and I have seen numerous posts on the net about SPAMmers using this for SPAM purposes.

Is there any way to block in the SPAM server based on X-Mailer?

Thanks!
  •  
marcobat

At the DNS level of that domain, set an SPF record allowing only your server (and any other SMTP server she and other people in the domain might use) as the only authorized mail servers for the domain.
It will not completely resolve the problem but surely it will help.
  •  
TorW

Setting up an SPF record will at least make the hundreds of falsified emails each morning disappear. If you're checking SPF records yourself, that is.
  •  
nhoague

Weird, this message states no policy framework, but I know my SPF is in place. I'll check on that now.
  •  
TorW

Put this in a file called custom_rules.cf (or something similar) in the same folder as local.cf and restart the mail server process. The code below is a custom SpamAssassin rule which checks for the presence of an X-Mailer header with the string "The Bat! (v2.01) Business".

header          CUSTOM_XMAILER     X-Mailer =~ /The Bat\! \(v2\.01\) Business/i
describe        CUSTOM_XMAILER     X-Mailer header is The Bat!
score           CUSTOM_XMAILER     0.1


I have set the rule to increase the score by 0.1 points, but adjust as you see fit. Maybe it will help somewhat when you combine it with other rules you already have.

[Updated on: Sat, 27 November 2010 12:29]
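
A triage helper for the returned messages discussed in this thread, as an added example that is not part of any post and not Kerio or SpamAssassin code: it reads the `Received-SPF` header the receiving server stamped and applies the same X-Mailer pattern as the custom rule above. The sample message is constructed from the masked headers in the first post; the function and key names are assumptions.

```python
import re
from email import message_from_string

# Constructed sample: headers of one returned message, modelled on the masked
# example in the first post (addresses are the thread's placeholders).
SAMPLE = """\
Return-path: <cate@example.com>
Received-SPF: none (example.com: No applicable sender policy available)
 client-ip=117.99.27.217; envelope-from=cate@example.com; helo=GMDESIGN;
Received: from [117.99.27.217] (helo=GMDESIGN)
 by mx54.isp.us-com.jp with esmtp (Mail 4.69)
 for mm@yr6.highway.ne.jp; Fri, 26 Nov 2010 18:55:08 +0900
From: "Vance Gilbert" <cate@example.com>
X-Mailer: The Bat! (v2.01) Business
To: mm@yr6.highway.ne.jp

body
"""

# Same pattern as the CUSTOM_XMAILER rule, case-insensitive.
XMAILER_RE = re.compile(r"The Bat! \(v2\.01\) Business", re.I)
SPF_RE = re.compile(r"^(\w+)\s*(?:\(([^)]*)\))?\s*(.*)$")

def parse_received_spf(value):
    """Split a Received-SPF value into (result, comment, key=value pairs)."""
    m = SPF_RE.match(" ".join(value.split()))  # unfold continuation lines
    if not m:
        return "missing", "", {}
    pairs = dict(kv.strip().split("=", 1) for kv in m.group(3).split(";") if "=" in kv)
    return m.group(1).lower(), m.group(2) or "", pairs

def triage(raw):
    """Summarise what the receiving server saw for one returned message."""
    msg = message_from_string(raw)
    result, _, pairs = parse_received_spf(msg.get("Received-SPF") or "")
    return {
        "spf_result": result,
        "client_ip": pairs.get("client-ip"),
        "envelope_from": pairs.get("envelope-from"),
        "helo": pairs.get("helo"),
        "xmailer_match": bool(XMAILER_RE.search(msg.get("X-Mailer", ""))),
        # False for "none"/"missing": the receiver had no policy to act on.
        "policy_evaluated": result in {"pass", "fail", "softfail", "neutral"},
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```
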

  •  
nhoague

Killer! I'll set it up right now and let you know. I didn't know I "could" create custom rules in Kerio. Any thoughts on how to make custom rules per domain?
  •  
nhoague

In addition, TorW, while following another post you had written, I found that I could just type X-Mailer in the Header field in the custom rules! I think that accomplishes the same thing?
  •  
nhoague

Never mind ... it doesn't save :(
  •  
TorW

Yes, making a custom rule in the admin GUI does the same thing and is probably slightly easier to maintain ;) Custom SA rules are much more flexible though.

But what do you mean it doesn't save? The admin GUI rule or the SpamAssassin custom rule?
  •  
nhoague

It seems when I try to enter a custom rule in the GUI, after I hit apply and leave the window, when I return the rule is not there!


Perhaps an upgrade to 7.1.2 will help? We are planning that tomorrow night.

Any idea how to have custom rules per domain?

Also, I agree using custom rules in SA is more flexible with regex, but something basic like this would be nice!

[Updated on: Sat, 27 November 2010 18:31]

  •  
TorW

Maybe it chokes on the exclamation mark or the parenthesis? Try trimming the match string...
Custom rules per domain isn't possible as far as I know.
  •  
nhoague

Well, no, it does work! Just the rule doesn't show up immediately. Upon a logout/login the rule is there. Seems others are having similar behaviors.

http://forums.kerio.com/index.php?t=msg&goto=76022&S=604e7c528b2493fa54b1e98b9e390f45#msg_76022

Oh well, yes it is working, says last used 8 minutes ago! Thanks for that tip!