How to block SPAM to internal recipients in BCC - ORF Forums

How to block SPAM to internal recipients in BCC RSS Back to forum

1

Hello,

Our users recieve lots of SPAM messages addressed to recipients even not in our local domain. I mean in "To" field of the header listed e-mail address not of our domain. We found out that this e-mails reach our internal recipients becouse of their addresses has been put in by spammer into "BCC" field.

Is it possible to block emails addressed to in BCC?

by anton.tkachenko 6 years ago
2

Yes, it is possible. You should add a "header filter" to the Keyword Blacklist of ORF that could block any email that contains the specified email address in the Bcc field:

1. Start the ORF Administration Tool
2. Navigate to 'Blacklists > Keyword Blacklist' page
3. Click 'New'
4. In the 'Keyword Filter Properties' dialog, set the search scope to 'Email header (raw MIME)'
5. Add a 'Comment text' (e.g. "Bcc spam")
6. On the 'Filter Expression' tab, add the following expression:
.*^Bcc:[^\r\n]*\b[^\r\n]support@example\.com\b[^\r\n]*\s$
7. Set the expression type to 'Regular expression (Perl-compatible)'
8. Click 'OK'
9. Save the ORF configuration to apply the new settings (Ctrl + S)

Note, however, that adding the Bcc field to the message header is not actually required when sending blind carbon copies. It is enough if the sending server specifies the recipient in the 'RCPT TO' command during the SMTP transmission. In that case, the header filter above would not help.

If you are having spam issues, consider sending us (to ) your ORF configuration (orfent.ini) file along with a few ORF logs (e.g. orfee-2018-08-30.log, orfee-2018-08-29.log) for analysis.

by Daniel Novak (Vamsoft) 6 years ago
3

@Daniel Novak (Vamsoft): Dear Daniel,

Thanks a lot for quick response. I've applied this rule. Will let you to know whether it helps.

by anton.tkachenko 6 years ago
(in reply to this post)

4

@Daniel Novak (Vamsoft): Dear Daniel,

We've found out this does not work. The reason for that is field "bcc:" does not exist in the e-mail header. BCC recipients address beig delivered from one SMTP server to another within "envelope" during transmission.

Is there any way to parse e-mails on this stage and block them is they addressed to exact address with BC?

by anton.tkachenko 6 years ago
(in reply to this post)

5

Hello Anton,

I am afraid neither ORF, not your mail server has any way to distinguish whether a recipient is a To, Cc or Bcc type recipient solely by looking at the envelope recipient address. The envelope recipient addresses are submitted by the sending server in a series of "RCPT TO" SMTP commands - without any additional information.

There might be workaround to this issue, though, but it requires some scripting skills: You could connect a short script to ORF (as an External Agent, see: http://vamsoft.com/r?o-hto-adm-agents) that would look for the "" address in the "To" and "Cc" fields of the message header and returns a "hit code" if the address was *not* found. This way ORF could blacklist Bcc emails sent to the address in question and apply the appropriate filter action. I believe this could work.

That being said, if you were to send us your ORF configuration file for a review we might be able to provide you with some tips on how to improve the filtering performance and spam-catch rate of your ORF installation or identify some configuration issues - which in turn might just stop the influx of this "bcc spam".

by Daniel Novak (Vamsoft) 6 years ago

New comment

Fill in the form below to add a new comment. All fields are required. If you are a registered user on our site, please sign in first.

It will not be published.
hnp1 | hnp2