Blacklisting specific string during SMTP Communications - ORF Forums


1

What I would like to be able to do is blacklist the specific body string below bolded in red. From my logging, only the spam email I am receiving has the specific environmental id string “ENVID=26682291”. I believe the spam I am receiving is being sent by the same people/group as it follows the same patterns every day. I receive it around the same time every day, receive roughly the same quantity, it stops in the evening, and I do not receive any on the weekends, nor did I receive any on the recent July 4th holiday. I believe the spam is originating from someone in the United States, despite the fact they are using servers set up all over the world. The environmental id string is the only common piece I have been able to put together, which is why I’d like to be able to blacklist future spam by it.

If there’s a way I can accomplish this in ORF, please let me know, and if not and you have any other suggestions on how to accomplish it, I would greatly appreciate it.


This is an SMTP protocol log for virtual server ID 1, connection #1643.

The client at "69.197.129.154" sent a "ehlo" command, and the SMTP server responded with:

250-blackcomb.xxxxxx.com Hello [69.197.129.154]
250-TURN
250-SIZE
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-X-EXPS GSSAPI NTLM LOGIN
250-X-EXPS=LOGIN
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250-X-LINK2STATE
250-XEXCH50
250 OK

The full command sent was "ehlo mxmail2.idsmeasuring.net".

The client at "69.197.129.154" sent a "mail" command, and the SMTP server responded with:

250 2.1.0 ....Sender OK

The full command sent was "mail FROM: BODY=8BITMIME ENVID=26682291".

The client at "69.197.129.154" sent a "quit" command, and the SMTP server responded with:

221 2.0.0 blackcomb.xxxxxxx.com Service closing transmission channel

The full command sent was "quit".

Thanks
Josh

by Josh 5 years ago
2

Well, the color didn't come through. This is the string I want to blacklist:

BODY=8BITMIME ENVID=26682291

by Josh 5 years ago
3

@Josh: It is not possible to blacklist SMTP command strings using ORF, but if this envelope ID is present in the MIME header of the email, you can use the Keyword Blacklist to blacklist it. Could you post a MIME header sample of such spam please? The MIME header can be retrieved by opening the email in Outlook and selecting View | Options... (or Message options) from the menu. If you use another email client and do not know how to retrieve the email headers, please visit http://www.spamcop.net/fom-serve/cache/19.html for instructions.

by Krisztián Fekete (Vamsoft) 5 years ago
(in reply to this post)

4

@Krisztián Fekete (Vamsoft): Thanks for the reply, Krisztian. Unfortunately, that envelope ID is not present in the MIME header. I've pasted both the server logs and MIME header for one of the emails that came through. If you have any other suggestions, I'd be grateful.

Thanks!

Below is a snapshot directly from my server logs:

This is an SMTP protocol log for virtual server ID 1, connection #1606. The client at "46.4.197.168" sent a "mail" command, and the SMTP server responded with "250 2.1.0 ....Sender OK ". The full command sent was "mail FROM: BODY=8BITMIME ENVID=26682291". This is an informational event and does not indicate an error.


Below is the email MIME header:

Microsoft Mail Internet Headers Version 2.0
Received: from pop.nundew.com ([46.4.197.168]) by blackcomb.xxxxxxx.com with Microsoft SMTPSVC(6.0.3790.4675);
Fri, 26 Jul 2013 17:33:04 -0500
From: "Service Department"
Mime-Version: 1.0
Subject: Your approved for a major cell phone upgrade
Date: Fri, 26 Jul 2013 18:30:55 -0400
To:
Message-ID:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
Content-Disposition: inline
Return-Path:
X-OriginalArrivalTime: 26 Jul 2013 22:33:04.0518 (UTC) FILETIME=[1802DA60:01CE8A50]

by Josh 5 years ago
(in reply to this post)
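Since ORF only matches on MIME headers and not on SMTP command parameters, one log-side alternative is to scan the SMTPSVC protocol log itself for the ENVID parameter. The following is an added example (not from the thread, from ORF or from Vamsoft): it pulls the ESMTP parameters out of "The full command sent was ..." lines in the format quoted above and reports every MAIL FROM whose ENVID is on a blocklist; the sample log lines and addresses are constructed, and the address-less form in Josh's paste is handled too.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample lines in the Microsoft SMTPSVC protocol-log format quoted
# in the thread. Addresses are hypothetical; the ENVID is the one Josh posted.
SAMPLE_LOG = [
    'The full command sent was "mail FROM:<offers@example.invalid> BODY=8BITMIME ENVID=26682291".',
    'The full command sent was "mail FROM:<alice@example.invalid> SIZE=1024".',
    'The full command sent was "ehlo mxmail2.idsmeasuring.net".',
    'The full command sent was "mail FROM:<> ENVID=26682291 BODY=8BITMIME".',
]
BLOCKED_ENVIDS: Set[str] = {"26682291"}

# Quoted MAIL FROM command: optional <reverse-path>, then zero or more
# esmtp-keyword[=esmtp-value] parameters (RFC 5321 section 4.1.1.2).
MAIL_RE = re.compile(r'"mail\s+from:\s*(<[^>]*>)?([^"]*)"', re.IGNORECASE)
PARAM_RE = re.compile(r'([A-Za-z0-9][A-Za-z0-9-]*)(?:=(\S+))?')

def decode_xtext(value: str) -> str:
    """Decode RFC 3461 xtext used for ENVID: '+HH' is a hex-encoded character."""
    return re.sub(r"\+([0-9A-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_mail_from(line: str) -> Optional[Tuple[str, Dict[str, Optional[str]]]]:
    """Return (reverse_path, {KEYWORD: value}) for a logged MAIL FROM, else None."""
    m = MAIL_RE.search(line)
    if not m:
        return None
    params: Dict[str, Optional[str]] = {}
    for key, value in PARAM_RE.findall(m.group(2)):
        params[key.upper()] = value if value else None
    envid = params.get("ENVID")
    if envid:
        params["ENVID"] = decode_xtext(envid)
    return (m.group(1) or ""), params

def find_blocked(lines: List[str], blocked: Set[str]) -> List[Tuple[int, str]]:
    """Return (line_index, envid) for every MAIL FROM whose ENVID is blocklisted."""
    hits: List[Tuple[int, str]] = []
    for i, line in enumerate(lines):
        parsed = parse_mail_from(line)
        if parsed is not None and parsed[1].get("ENVID") in blocked:
            hits.append((i, parsed[1]["ENVID"]))
    return hits
```

Run it over an exported protocol log to correlate the ENVID hits with the sending IPs and timestamps; the hits are evidence for a filtering rule at a layer that does see the SMTP envelope, not a filter in themselves.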
