Kerio Connect forum: Custom spam rules help (spam rule doesn't seem to work)

BLIT TECH
Here's a weird one that I'm wondering if anyone has run across. (BTW, I'm currently on Connect 7.4.3.7813)

We've been getting a lot of bad mail from "fraud@aexp.com". I set up a custom rule (Condition: Mail Header, Header: From, Type: Contains address, Content: fraud@aexp.com). This doesn't catch it. I'm not surprised, since that isn't really the identified sender: even though the Kerio logs all show that as the sender, the message usually shows as someone else.

So, I added another filter above that one that is (Condition: Mail Header, Header: Return-Path, Type: Contains substring, Content: fraud@aexp.com). I've also tried the type as Contains address.

None of these catch it. Here is the header of the most recent message that came in.

Return-Path: <fraud@aexp.com>
X-Spam-Status: Yes, hits=5.0 required=3.5
    tests=DNSBL_ZEN.SPAMHAUS.ORG: 3.50,BAYES_50: 1.567,TOTAL_SCORE: 5.067,autolearn=no
X-Spam-Flag: YES
X-Spam-Level: *****
Received: from aexp.com ([181.67.81.31])
    Wed, 11 Dec 2013 08:25:34 -0800
    Wed, 11 Dec 2013 11:25:33 -0500
Date: Wed, 11 Dec 2013 11:25:33 -0500
From: "Administrator" <Administrator@domain.com>
X-MS-Has-Attach: yes
X-MS-Exchange-Organization-SCL: -1
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 03
X-MS-Exchange-Organization-AVStamp-Mailbox: MSFTFF;5;0;0 0 0
X-Priority: 3 (Normal)
Message-ID: <3Z1OOR6PY7GIU7MAOCAHT9G55QD5WCE8894FDQ@domain.com>
X-Original-Subject: Scanned Image from a Xerox WorkCentre
Subject: [*SPAM*] Scanned Image from a Xerox WorkCentre

I would assume that at least the return-path rule would catch it, but it does not. Lastly, I turned on extra debug logging for the spam settings to see what it was doing. For that particular message, it processed the following:

[11/Dec/2013 08:25:37][25184] {spam} Spam Filter: calculating spam rating for message 52a891fe-00024542 from <fraud@aexp.com> to <user@domain.com>...
[11/Dec/2013 08:25:37][25184] {spam} Spam Filter: Sender IP is on blacklists, adding score 3.50 (DNSBL_ZEN.SPAMHAUS.ORG: 3.50)
[11/Dec/2013 08:25:37][25184] {spam} SpamAssassin result string for message file /opt/kerio/mailserver/store/queue/21/52a891fe-00024542.eml, intrinsic time 0.16s, total time 0.17s: No, 1.567,5,BAYES_50: 1.567,autolearn=no
[11/Dec/2013 08:25:37][25184] {spam} Spam Filter: SpamAssassin check finished, adding score 1.57
[11/Dec/2013 08:25:37][25184] {spam} Spam Filter: Custom spam rules check finished, adding score 0.00
[11/Dec/2013 08:25:37][25184] {spam} Spam Filter: Message 52a891fe-00024542 from <fraud@aexp.com> to <user@domain.com> got 5.07 hits, total spam score is 5.067

Does anyone have any idea why this is so hard to catch?

Pavel Dobry (Kerio)
Is the rule with From "contains address" at the top of the list?

MarkK
How is the rule set up? Does it just add a score to the rating? If so, what is your spam threshold set at? Or does it treat it as spam and discard the message?

In the headers you posted, using the From: header will not work for the email addy fraud@aexp.com. I would take a look at a sample of the spam emails and look at the Received header to see if they are coming from the same place or from multiple sources, and maybe create a custom rule on that and see if it catches anything.

There were no rule hits from Spam Assassin?

BLIT TECH
Quote:
Is the rule with From "contains address" at the top of the list?

It was, but since it didn't work I added the filter for Return-Path above it. The From rule is now the 2nd item.

Quote:
How is the rule setup? Does it just add a score to the rating? If so, what is your spam threshold set at? Or does it treat it as spam and discard the message?

It is set to add a score, but the filter never even detects the message to score it. This particular message was one that should have met the filter criteria and pushed it into the rejection score range.

Quote:
In the headers you posted, using the From: header will not work for the email addy fraud@aexp.com

That was my conclusion as well, hence my attempt at adding the Return-Path header as a check.
Unfortunately, the messages come from a variety of IP addresses and different identified senders.

Quote:
There were no rule hits from Spam Assassin?

SpamAssassin added 1.57 to the score.
"SpamAssassin result string for message file /opt/kerio/mailserver/store/queue/21/52a891fe-00024542.eml, intrinsic time 0.16s, total time 0.17s: No, 1.567,5,BAYES_50: 1.567,autolearn=no"

The frustrating part is that the server is identifying the exact address I am trying to filter against.
Mail.log
[11/Dec/2013 08:25:36] Recv: Queue-ID: 52a891fe-00024542, Service: SMTP, From: <fraud@aexp.com>, To: <user@domain.com>, Size: 13959, Sender-Host: 181.67.81.31, Subject: Scanned Image from a Xerox WorkCentre, Msg-Id: <3Z1OOR6PY7GIU7MAOCAHT9G55QD5WCE8894FDQ@domain.com>

Spam.log
[11/Dec/2013 08:25:37] Message detected as spam with score: 5.07, threshold 3.50, From: fraud@aexp.com, To: user@domain.com, Sender IP: 181.67.81.31, Subject: Scanned Image from a Xerox WorkCentre, Message size: 13959

Debug.log (spam filter logging)
[11/Dec/2013 08:25:37][25184] {spam} Spam Filter: calculating spam rating for message 52a891fe-00024542 from <fraud@aexp.com> to <user@domain.com>...
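An added example (my own, not code from the thread or from Kerio) that applies the two rule types tried in the first post to the posted headers, with the obfuscated addresses restored, and compares the envelope sender reported in the mail.log Recv line with the header From. The "Contains address" and "Contains substring" semantics are my assumptions about how Kerio's rule types behave.

```python
import email
import re
from email.utils import getaddresses

# Constructed sample: the posted headers with <_at_> restored to @, the
# Received line folded onto one line and the body omitted.
RAW_MESSAGE = """\
Return-Path: <fraud@aexp.com>
Received: from aexp.com ([181.67.81.31]); Wed, 11 Dec 2013 08:25:34 -0800
From: "Administrator" <Administrator@domain.com>
Subject: [*SPAM*] Scanned Image from a Xerox WorkCentre

(body omitted)
"""
# Constructed from the mail.log Recv line in the post (Msg-Id dropped).
LOG_LINE = ("[11/Dec/2013 08:25:36] Recv: Queue-ID: 52a891fe-00024542, Service: SMTP, "
            "From: <fraud@aexp.com>, To: <user@domain.com>, Size: 13959, "
            "Sender-Host: 181.67.81.31, Subject: Scanned Image from a Xerox WorkCentre")

def mailboxes(msg, header):
    # Every address parsed out of the named header, lower-cased.
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, []))]

def contains_address(msg, header, address):
    # Assumed 'Contains address' semantics: a parsed mailbox equals the address.
    return address.lower() in mailboxes(msg, header)

def contains_substring(msg, header, text):
    # Assumed 'Contains substring' semantics: raw, case-insensitive substring match.
    return any(text.lower() in v.lower() for v in msg.get_all(header, []))

def evaluate_rules(raw, target="fraud@aexp.com"):
    # The three rules the poster tried, applied to the sample headers.
    msg = email.message_from_string(raw)
    return {
        "From contains address": contains_address(msg, "From", target),
        "Return-Path contains substring": contains_substring(msg, "Return-Path", target),
        "Return-Path contains address": contains_address(msg, "Return-Path", target),
    }

def envelope_sender(log_line):
    # Kerio's Recv 'From:' is the SMTP envelope sender (MAIL FROM), which is what
    # ends up in Return-Path; the header From the user sees is a separate field.
    m = re.search(r"From: <([^>]*)>", log_line)
    return m.group(1) if m else None

def sender_mismatch(raw, log_line):
    # True when the envelope sender is not among the header From mailboxes.
    env = envelope_sender(log_line)
    return env is not None and env.lower() not in mailboxes(email.message_from_string(raw), "From")
```

The script only shows what the posted header text supports (the From rule cannot match, the Return-Path rules can); it says nothing about when Kerio adds Return-Path relative to running custom rules, which the thread does not establish.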

MarkK
Quote:
There were no rule hits from Spam Assassin?

SpamAssassin added 1.57 to the score.
"SpamAssassin result string for message file /opt/kerio/mailserver/store/queue/21/52a891fe-00024542.eml, intrinsic time 0.16s, total time 0.17s: No, 1.567,5,BAYES_50: 1.567,autolearn=no"

The reason I was asking about no Spam Assassin hits was that I didn't see the specific rules listed in the headers you posted. Here is a sample from one of our emails:

Return-Path: <manes@crageyre.com>
X-Spam-Status: Yes, hits=7.5 required=5.0
tests=BAYES_95: 5,HTML_MESSAGE: 0.5,MIME_HTML_ONLY: 1.5,
RDNS_NONE: 0.5,TOTAL_SCORE: 7.500,autolearn=no
X-Spam-Flag: YES
X-Spam-Level: *******

I was expecting to see exactly what Spam Assassin did and rated. Some of the above scores are my custom scores.
