On 1/30/19 2:03 AM, Brent Clark wrote:
> Good day Guys
> 
> We are seeing quite a few of the following spam, been delivered to our 
> users.
> 
> https://pastebin.com/raw/43VqDPTy
> 
> Notice the:
> 
> You have 5 Incoming messages that could not be delivered to eunice@REMOVED
> Retrieve Messages and reconfigure SMTP server to avoid losing important 
> files and messages.
> 
> Then at the bottom, see the URL try and catch the recipient.
> 
> This email is to serve as an FYI to the community, and maybe a global rule 
> can be pushed out, and secondly to ask if someone can please peer review my 
> ruleset below. It works, I am just wondering if it can be done better.
> 
> header    HTEST Subject =~ 
> /[0-9]?\s?(Underliverable|Incoming)?\sMessages\s(for|failed)?\s?(for)?/i
> score     HTEST 0.01
> describe  HTEST Testing new rule
> 
> Many thanks
> Brent Clark

I think you redacted/changed too much for us to be able to help without 
guessing.

1. Did the original email subject have "Spam: " at the front or did your 
system add that?

2. Please leave the original Received: header IPs since that doesn't 
give away any sensitive information.  We need those to check for RBLs.

3.  Please leave any sender information like the envelope-from address 
and the From: header address.

4.  Only redact your recipient's address and name.  Replace the 
recipient's domain with something like example.com or redacted.com so it 
looks like a real domain format.  Otherwise, it may hit SA rules that 
wouldn't trigger on the original email like TO_MALFORMED.

Here's what my SA platform scored it as but it's not going to be 
accurate enough with that first redacted spample.  Please send us 
another one minimally redacted.

X-Spam-Status: Yes, score=5.6 required=5.0 tests=BAYES_50,HTML_MESSAGE,
        TO_IN_SUBJ,TO_MALFORMED,TVD_RCVD_SINGLE,UNPARSEABLE_RELAY 
shortcircuit=no
        autolearn=no autolearn_force=no version=3.4.1
X-Spam-Report:
        *  2.2 TVD_RCVD_SINGLE Message was received from localhost
        *  0.0 HTML_MESSAGE BODY: HTML included in message
        *  1.2 BAYES_50 BODY: Bayes spam probability is 40 to 60%
        *      [score: 0.4993]
        *  2.1 TO_MALFORMED To: has a malformed address
        *  0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay 
lines
        *  0.1 TO_IN_SUBJ To address is in Subject

-- 
David Jones
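
Since the thread is about peer review of the HTEST Subject rule, here is a small harness for exercising that regex offline. It is an added example, not code from Brent or David: it transcribes the pattern from the quoted rule verbatim (the constructs it uses behave the same in Perl and Python), runs it over Subject lines constructed here (not taken from the pastebin sample), and places a tighter alternative of my own beside it. The alternative requires the message count and one of the keywords rather than making every group optional, which is the weakness a reviewer would flag: with all groups optional, the original pattern reduces to `\sMessages\s`, so it fires on any Subject containing " Messages " and, because the leading `\s` is mandatory, misses a Subject that starts with "Messages".

```python
import re

# The Subject regex from the rule under review, copied as posted. Every group
# is optional, so the only mandatory part is "\sMessages\s".
HTEST_RE = re.compile(
    r"[0-9]?\s?(Underliverable|Incoming)?\sMessages\s(for|failed)?\s?(for)?",
    re.IGNORECASE,
)

# Tighter alternative (my suggestion, not from the thread): a digit count,
# then one of the two keywords, then "Message"/"Messages" as whole words.
# [0-9]+ rather than \d+ keeps Python and PCRE behaviour identical.
HTEST_TIGHT_RE = re.compile(
    r"\b[0-9]+\s+(?:Undeliverable|Incoming)\s+Messages?\b",
    re.IGNORECASE,
)

# Constructed Subject lines for the check (not the reported spam).
SAMPLES = [
    "You have 5 Incoming Messages for eunice@example.com",   # the lure
    "5 Undeliverable Messages failed for eunice@example.com",  # spelling fixed
    "Re: Messages from Monday's meeting",                     # legitimate mail
    "Messages for you",                                       # no leading space
    "Weekly report",                                          # unrelated
]


def hits(regex, subjects):
    """Return the subjects that the rule would fire on, in input order."""
    return [s for s in subjects if regex.search(s)]


def sa_rule_text(name, pattern, score, description):
    """Render a pattern as the three-line SpamAssassin rule form used above."""
    return "\n".join([
        f"header    {name} Subject =~ /{pattern}/i",
        f"score     {name} {score}",
        f"describe  {name} {description}",
    ])


if __name__ == "__main__":
    for label, regex in (("posted", HTEST_RE), ("tightened", HTEST_TIGHT_RE)):
        print(f"{label}:")
        for subject in SAMPLES:
            print(f"  {'HIT ' if regex.search(subject) else 'miss'}  {subject}")
    print(sa_rule_text("HTEST_TIGHT", HTEST_TIGHT_RE.pattern, "0.01",
                       "Count plus Incoming/Undeliverable Messages in Subject"))
```

Running it shows the posted pattern hitting the meeting-notes Subject (a false positive) while missing "Messages for you", and the tightened pattern hitting only the two lure-style Subjects. The misspelled "Underliverable" in the original group makes no practical difference, because the group is optional and the correctly spelled Subject still matches on " Messages ". Keep the score low until the pattern has been run against a ham corpus, as the posted rule already does with 0.01.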
