On 2/19/2019 3:38 PM, KeN Etter wrote:
> On Tue, 19 Feb 2019 19:23:15 GMT, KeN Etter
> <ketter@no-mx.forums.microfocus.com> wrote:
>
>> On Tue, 19 Feb 2019 18:50:09 GMT, Steve B <cns965+nospam@gmail.com>
>> wrote:
>>
>>> On 2/19/2019 11:39 AM, KeN Etter wrote:
>>>> On Tue, 19 Feb 2019 17:02:14 GMT, Steve B <cns965+nospam@gmail.com>
>>>> wrote:
>>>>
>>>>> On 2/19/2019 10:43 AM, KeN Etter wrote:
>>>>>> On Tue, 19 Feb 2019 15:27:23 GMT, Steve B <cns965+nospam@gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> We use the “Heath and James mod”, to tag spam messages with
>>>>>>> "X-Spam-Flag: Yes" and send them to the "Junk Mail" folder. The problem
>>>>>>> we run into with this method is that any incoming spam message that has
>>>>>>> the recipient in the to and from fields, bypasses the junk mail rules
>>>>>>> and goes to the inbox. This has not been a problem until lately; we have
>>>>>>> been dealing with a very persistent phishing campaign.
>>>>>>>
>>>>>>> Is there a way to stop the behavior of letting email with the
>>>>>>> "X-Spam-Flag: Yes" tag bypass the Junk Mail folder if the from address
>>>>>>> is the recipient's address?
>>>>>>>
>>>>>>> example header:
>>>>>>>
>>>>>>> Return-path: <honda@kagawaseiko.co.jp>
>>>>>>> Received: from kagawaseiko.co.jp (063.ourdomain.com [10.10.55.30])
>>>>>>> by mail.ourdomain.com with ESMTP (TLS encrypted); Tue, 19 Feb 2019
>>>>>>> 06:17:53 -0600
>>>>>>> Received: FROM kagawaseiko.co.jp (60.43.172.174) BY ourdomain.com WITH ESMTP
>>>>>>> FOR userg@ourdomain.com;
>>>>>>> Tue, 19 Feb 2019 06:17:53 -0500
>>>>>>> Received: from [84-241-63-206.shatel.ir] (unknown [84.241.63.206])
>>>>>>> (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
>>>>>>> (Client did not present a certificate)
>>>>>>> by kagawaseiko.co.jp (Postfix) with ESMTPSA id 15C8518A0E68
>>>>>>> for <userg@ourdomain.com>; Tue, 19 Feb 2019 21:17:48 +0900 (JST)
>>>>>>> User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101
>>>>>>> From: <userg@ourdomain.com>
>>>>>>> X-Sender: <honda@kagawaseiko.co.jp>
>>>>>>> List-Unsubscribe:
>>>>>>>  <mailto:u-ifsimrh_xzckmcsjhl_ozkhqyhqus_gkgktrgjk_v@bounce.kagawaseiko.co.jp?subject=Unsubscribe>
>>>>>>> To: userg@ourdomain.com
>>>>>>> Subject: userg
>>>>>>> Date: Tue, 19 Feb 2019 13:17:49 +0100
>>>>>>> Message-ID: <056f0ojkjo4kgub2dyyqe7yumi9id@6kin5xxxk9rydch2fbs0qdpsde>
>>>>>>> Content-Transfer-Encoding: base64
>>>>>>> Content-Type: text/plain; charset=UTF-8
>>>>>>> X-Priority: 2
>>>>>>> X-Sender-Info: <honda@kagawaseiko.co.jp>
>>>>>>> List-Help: <http://aavcdhx.com/lq/rvanus/gjyavuqhs>
>>>>>>> List-ID: <03791515.rvbulonlio.local>
>>>>>>> X-Spam-Flag: Yes
>>>>>>
>>>>>> Steve,
>>>>>> Not a direct answer because I don't bother with the junk mail folder
>>>>>> in GroupWise - I just use the SMG quarantine. I take this tactic. My
>>>>>> mail server is the only one authorized to send email for my domain. So
>>>>>> incoming email should never have a from with my domain in it. I have
>>>>>> added a header filter that checks for "FROM:*@mydomain". If the email
>>>>>> hits that filter, I block and quarantine it. Stops quite a bit of
>>>>>> garbage from getting in.
>>>>>>
>>>>>
>>>>> We did try that, but we ran into a different problem. In the old version
>>>>> of GWAVA we had a list of phrases we search for in the message body and
>>>>> a separate list of items we look for in the header. With the latest
>>>>> version of SCM, you can only have one text filter on the incoming scan
>>>>> policy. So we had to choose between the phrases list or the headers.
>>>>
>>>> Really? I am on the latest version of SMG (rev 598) and I currently
>>>> have two header filters in my inbound mail filter policy. And I was
>>>> able to drop a message text filter into it also just now. What
>>>> happens for you when you try to put more than one text filter in your
>>>> policy?
>>>>
>>> Yes, we are on rev.598 too
>>> Anytime I add a new 'Message Text' to the policy, the previous 'Message
>>> Text' gets changed to the same as the new.
>>>
>>> Example:
>>> Existing 'Message Text', 'Look in message body' checked, words we check
>>> for in the list, connected to 'Admin Quarantine' - works fine
>>>
>>> I come back, add another 'Message Text' box, check 'Look in message
>>> header' add "FROM:*@mydomain", connect to 'Message Block', and save
>>>
>>> Come back again, open the original 'Message Text' that used to have our
>>> keywords in it, and it now has the contents of the second 'Message Text'
>>> I added.

>>
>> Hmm...I just checked this and the SMG interface gets screwy with
>> Message Text filters. I set mine up a long time ago and haven't
>> modified them since. Let me check on this.

>
> Steve,
> I did some checking. When you create the second filter, you need to
> drag it from the left section (Filter Templates), not the right
> section (Components). If you drag from the Components section, you
> are making a duplicate and that is why changes overwrite. If you drag
> from the Filter Templates, it will ask you if you want to create a
> separate copy. Tell it Ok and then you can edit it independently.
>
> The interface issue I was seeing was just an artifact that gets
> cleaned up after saving.
>
> Give that a shot and let us know how it goes.
>

That worked
Thanks
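
The header check discussed in this thread (a "FROM:*@mydomain" filter on inbound mail, plus the case where From and To are the same address), as an added Python example that is not part of the original posts and not SMG or GroupWise code. It assumes, as stated in the thread, that only your own mail server legitimately sends for your domain; `classify_inbound`, `domain_of` and the reason labels are hypothetical names, and both sample messages are constructed (the first is trimmed from the header quoted above).

```python
from email import message_from_string
from email.utils import parseaddr, getaddresses

OWN_DOMAIN = "ourdomain.com"  # placeholder domain, as in the thread's sample header

# Constructed sample: trimmed from the header quoted in the thread.
SPOOFED = """\
Return-path: <honda@kagawaseiko.co.jp>
From: <userg@ourdomain.com>
To: userg@ourdomain.com
Subject: userg
X-Spam-Flag: Yes

body
"""

# Constructed sample: ordinary inbound mail from an outside sender.
LEGIT = """\
Return-path: <alice@example.org>
From: Alice <alice@example.org>
To: userg@ourdomain.com
Subject: hello

body
"""

def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def classify_inbound(raw, own_domain=OWN_DOMAIN):
    """Return the reasons an inbound message should be quarantined."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    envelope = parseaddr(msg.get("Return-path", ""))[1].lower()
    rcpts = {a.lower() for _, a in getaddresses(msg.get_all("To", []))}
    reasons = []
    if domain_of(from_addr) == own_domain.lower():
        reasons.append("from-own-domain")        # the FROM:*@mydomain rule
        if domain_of(envelope) != own_domain.lower():
            reasons.append("envelope-mismatch")  # Return-path is external
    if from_addr and from_addr in rcpts:
        reasons.append("from-equals-to")         # self-addressed spoof
    if msg.get("X-Spam-Flag", "").strip().lower() == "yes":
        reasons.append("spam-flag")
    return reasons

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, classify_inbound(raw))
```

Run it only on mail arriving from outside: internally submitted messages legitimately carry the local domain in From and would trip the first rule.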