Self-Spam confusion - ORF Forums

Self-Spam confusion RSS Back to forum

1

I have noticed big increase of Self-Spam messages in my organization. About 1 year ago I have implemented Blacklisting of my domain and it was working fine till now. I have done some investigation and pls. find result:
1. In the ORF logs that the sender is not from my domain
2. Outlook shows that I got the spam email from myself
3. In the outlook properties I found that I was the sender but in the Return-Path is listed the same sender as ORF logged
I hope my explanation is clear :)
Any advice how to block it?

by Marcin 8 years ago
2

@Marcin: "In the ORF logs that the sender is not from my domain"
That means the SMTP sender address was not spoofed (or at least the server did not spoof your domain name).
"Outlook shows that I got the spam email from myself "
This means the sender spoofed your domain in the MIME sender address (see the difference at http://vamsoft.com/faq.asp#whynotsender)

To block these, you should add a Keyword Blacklist expression with "Email header (raw MIME)" scope, see http://www.vamsoft.com/howto-blacklist-self-spam.asp#mime-sender-spoofing for detailed instructions.

by Krisztian Fekete 8 years ago
(in reply to this post)

3

@Krisztian Fekete: Thanx for the very fast answer :)

I have 1 more question. If I have 50 domains should I proceed follow the instruction with all 50?

by Marcin 8 years ago
(in reply to this post)

4

@Marcin: You can learn more about self-spam and the tools ORF offers against it at http://vamsoft.com/r?selfspam - you will also find detailed instructions in the above article.

I guess you have already read that article a year ago when you blacklisted your domain, but this time focus on the "MIME Sender Spoofing" section at the end of the article, because that section applies to your current situation.

Let me know if you have any questions.

by Peter Karsai (ORF Team) 8 years ago
(in reply to this post)

5

@Marcin: Yes, but fortunately this has to be done only once, and you can add all domains in a single expression like

.*^From:[^\r\n]*\b[^\r\n]*@(yourdomain1|yourdomain2|yourdomain3)\.com\b[^\r\n]*\s$

by Krisztian Fekete 8 years ago
(in reply to this post)

6

@Krisztian Fekete: Long time I didn't respond but the problem is growing :(

Just to clarify (before final implementation) - when I'd like to use the expression you suggested for 50 domains can I build it this way:

.*^From:[^\r\n]*\b[^\r\n]*@(DOMAIN1|DOMAIN2|DOMAIN3)\.com|hu|pl|es\b[^\r\n]*\s$


????

by Marcin 7 years ago
(in reply to this post)

7

@Marcin: It is almost correct, but expressions parts with an 'or' relation must be enclosed between parentheses, like (option1|option2|option3). Due to this, your expression would look like:

.*^From:[^\r\n]*\b[^\r\n]*@(DOMAIN1|DOMAIN2|DOMAIN3)\.(com|hu|pl|es)\b[^\r\n]*\s$

...and that should cover domain1.com, domain2.hu, domain2.es, domain3.com, etc.

You can find an excellent introduction to regular expressions here: http://www.regular-expressions.info/

by Peter Karsai (ORF Team) 7 years ago
(in reply to this post)

New comment

Fill in the form below to add a new comment. All fields are required. If you are a registered user on our site, please sign in first.

It will not be published.
hnp1 | hnp2