Thread: incoming spam bypassing junk mail folder

  1. #1
    Steve B NNTP User

    incoming spam bypassing junk mail folder

    We use the “Heath and James mod” to tag spam messages with
    "X-Spam-Flag: Yes" and send them to the "Junk Mail" folder. The problem
    we run into with this method is that any incoming spam message that has
    the recipient in the To and From fields bypasses the junk mail rules
    and goes to the inbox. This has not been a problem until lately; we have
    been dealing with a very persistent phishing campaign.

    Is there a way to stop the behavior of letting email with the
    "X-Spam-Flag: Yes" tag bypass the Junk Mail folder if the From address
    is the recipient's address?

    Example header:

    Return-path: <honda@kagawaseiko.co.jp>
    Received: from kagawaseiko.co.jp (063.ourdomain.com [10.10.55.30])
        by mail.ourdomain.com with ESMTP (TLS encrypted);
        Tue, 19 Feb 2019 06:17:53 -0600
    Received: FROM kagawaseiko.co.jp (60.43.172.174) BY ourdomain.com WITH ESMTP
        FOR userg@ourdomain.com;
        Tue, 19 Feb 2019 06:17:53 -0500
    Received: from [84-241-63-206.shatel.ir] (unknown [84.241.63.206])
        (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
        (Client did not present a certificate)
        by kagawaseiko.co.jp (Postfix) with ESMTPSA id 15C8518A0E68
        for <userg@ourdomain.com>; Tue, 19 Feb 2019 21:17:48 +0900 (JST)
    User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101
    From: <userg@ourdomain.com>
    X-Sender: <honda@kagawaseiko.co.jp>
    List-Unsubscribe:
        <mailto:u-ifsimrh_xzckmcsjhl_ozkhqyhqus_gkgktrgjk_v@bounce.kagawaseiko.co.jp?subject=Unsubscribe>
    To: userg@ourdomain.com
    Subject: userg
    Date: Tue, 19 Feb 2019 13:17:49 +0100
    Message-ID: <056f0ojkjo4kgub2dyyqe7yumi9id@6kin5xxxk9rydch2fbs0qdpsde>
    Content-Transfer-Encoding: base64
    Content-Type: text/plain; charset=UTF-8
    X-Priority: 2
    X-Sender-Info: <honda@kagawaseiko.co.jp>
    List-Help: <http://aavcdhx.com/lq/rvanus/gjyavuqhs>
    List-ID: <03791515.rvbulonlio.local>
    X-Spam-Flag: Yes

  2. #2

    Re: incoming spam bypassing junk mail folder

    Steve,
    Not a direct answer because I don't bother with the junk mail folder
    in GroupWise - I just use the SMG quarantine. I take this tactic. My
    mail server is the only one authorized to send email for my domain. So
    incoming email should never have a from with my domain in it. I have
    added a header filter that checks for "FROM:*@mydomain". If the email
    hits that filter, I block and quarantine it. Stops quite a bit of
    garbage from getting in.

    --
    Ken
    Knowledge Partner

    Create and vote for enhancements!
    https://www.microfocus.com/products/...t-request.html
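
The check described in the reply above (inbound mail from outside should never carry the local domain in From), sketched in Python as an added example; it is not part of the original posts and not SMG's or GroupWise's own filter logic. The function name, the action labels, and the sample messages (trimmed from the header posted in this thread, plus two constructed ones) are assumptions.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample: trimmed from the header posted in this thread.
SPOOFED = """\
Return-path: <honda@kagawaseiko.co.jp>
Received: FROM kagawaseiko.co.jp (60.43.172.174) BY ourdomain.com WITH ESMTP
    FOR userg@ourdomain.com; Tue, 19 Feb 2019 06:17:53 -0500
From: <userg@ourdomain.com>
To: userg@ourdomain.com
Subject: userg
X-Spam-Flag: Yes

body
"""

# Constructed sample: external bulk mail that the scanner tagged as spam.
TAGGED_EXTERNAL = """\
Return-path: <bounce@shop.example>
From: Shop News <news@shop.example>
To: userg@ourdomain.com
Subject: Weekly offers
X-Spam-Flag: Yes

body
"""

# Constructed sample: ordinary external mail, not tagged.
CLEAN_EXTERNAL = """\
Return-path: <partner@supplier.example>
From: Partner <partner@supplier.example>
To: userg@ourdomain.com
Subject: Invoice query

body
"""


def _domain(addr):
    """Lower-cased domain part of an address, or '' if it has none."""
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].strip().lower().rstrip(".")


def _is_local(domain, local_domains):
    """True for a local domain or any subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in local_domains)


def classify_inbound(raw_message, local_domains):
    """Return (action, reasons) for a message received from an external host.

    Assumption: the caller only passes mail that arrived from outside, so a
    local From domain cannot be a genuine internal message.
    """
    msg = message_from_string(raw_message)
    local = {d.lower() for d in local_domains}

    # Parse real addresses rather than matching text in the raw header line.
    from_addrs = [a.lower() for _, a in getaddresses(msg.get_all("From", [])) if a]
    rcpt_headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    rcpt_addrs = {a.lower() for _, a in getaddresses(rcpt_headers) if a}
    _, return_path = parseaddr(msg.get("Return-Path", ""))

    reasons = []
    from_is_local = any(_is_local(_domain(a), local) for a in from_addrs)
    if from_is_local:
        reasons.append("from-local-domain")
    if any(a in rcpt_addrs for a in from_addrs):
        # The self-addressed case from the first post.
        reasons.append("from-equals-recipient")
    if from_is_local and return_path and not _is_local(_domain(return_path), local):
        # Envelope sender belongs to someone else's domain.
        reasons.append("envelope-domain-mismatch")

    spam_flag = (msg.get("X-Spam-Flag") or "").strip().lower() == "yes"
    if from_is_local:
        action = "quarantine"   # stopped at the gateway, never reaches mailbox rules
    elif spam_flag:
        action = "junk"         # left to the mailbox's Junk Mail handling
    else:
        action = "deliver"
    return action, reasons


if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED),
                      ("tagged", TAGGED_EXTERNAL),
                      ("clean", CLEAN_EXTERNAL)]:
        print(name, classify_inbound(raw, ["ourdomain.com"]))
```

The rule depends on the premise stated in the reply: the organisation's own server is the only legitimate sender for the domain. Mailing lists or hosted services that send with a From address in the local domain would also be quarantined.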

  3. #3
    Steve B NNTP User

    Re: incoming spam bypassing junk mail folder

    We did try that, but we ran into a different problem. In the old version
    of GWAVA we had a list of phrases we search for in the message body and
    a separate list of items we look for in the header. With the latest
    version of SCM, you can only have one text filter on the incoming scan
    policy. So we had to choose between the phrases list or the headers.


  4. #4

    Re: incoming spam bypassing junk mail folder

    Really? I am on the latest version of SMG (rev 598) and I currently
    have two header filters in my inbound mail filter policy. And I was
    able to drop a message text filter into it also just now. What
    happens for you when you try to put more than one text filter in your
    policy?

    --
    Ken
    Knowledge Partner


  5. #5
    Steve B NNTP User

    Re: incoming spam bypassing junk mail folder

    Yes, we are on rev.598 too.
    Anytime I add a new 'Message Text' to the policy, the previous 'Message
    Text' gets changed to the same as the new.

    Example:
    Existing 'Message Text', 'Look in message body' checked, words we check
    for in the list, connected to 'Admin Quarantine' - works fine.

    I come back, add another 'Message Text' box, check 'Look in message
    header', add "FROM:*@mydomain", connect to 'Message Block', and save.

    Come back again, open the original 'Message Text' that used to have our
    keywords in it, and it now has the contents of the second 'Message Text'
    I added.

  6. #6

    Re: incoming spam bypassing junk mail folder

    Hmm...I just checked this and the SMG interface gets screwy with
    Message Text filters. I set mine up a long time ago and haven't
    modified them since. Let me check on this.

    --
    Ken
    Knowledge Partner


  7. #7

    Re: incoming spam bypassing junk mail folder

    Steve,
    I did some checking. When you create the second filter, you need to
    drag it from the left section (Filter Templates), not the right
    section (Components). If you drag from the Components section, you
    are making a duplicate and that is why changes overwrite. If you drag
    from the Filter Templates, it will ask you if you want to create a
    separate copy. Tell it Ok and then you can edit it independently.

    The interface issue I was seeing was just an artifact that gets
    cleaned up after saving.

    Give that a shot and let us know how it goes.

    --
    Ken
    Knowledge Partner


  8. #8
    Steve B NNTP User

    Re: incoming spam bypassing junk mail folder

    That worked.
    Thanks.
