Country filter problem

Junior Member
Posts: 118
Joined: Thu Nov 15, 2007 12:02 pm
Location: Townsville, Australia

Country filter problem

Postby Stuart » Wed Jun 11, 2014 10:46 pm

When viewing the spam in Proxy History the country is shown as Europe, as far as I can see there is no corresponding country in the Block Country list. The email Subject is 'Читаете Вы - прочтут и другие' but in the log the Subject is shown as being blank. The outlook internet headers show the originating address (I think) as being 'From: =?koi8-r?B?9MnN1dI=?= <enforcementzg4@list.ru>' but if this is so it is not being caught in the Block Country Filter as Russia 'ru' is blocked. The spam from this source seems to be increasing, can you tell me how to block it?

Stuart

eWall Log
2014-06-12 07:12:20 8023 0 ------ Requested connection from 194.29.73.29, Country: Europe, SID:1406120712200000
2014-06-12 07:12:20 8023 16 Connected to 127.0.0.1:2525
2014-06-12 07:12:20 8023 16 <-- 220 mail.xxxxxxxxx.com.au
2014-06-12 07:12:20 8023 485 --> EHLO emea-mail1.herbalife.com
2014-06-12 07:12:20 8023 500 <-- 250-mail.xxxxxxxxx.com.au
2014-06-12 07:12:20 8023 500 <-- 250-SIZE 204800000
2014-06-12 07:12:20 8023 500 <-- 250 AUTH LOGIN PLAIN
2014-06-12 07:12:21 8023 969 --> MAIL FROM: <exterminatione@yahoo.com> BODY=8BITMIME
2014-06-12 07:12:21 8023 985 +Filter: "Authentication Exceptions"
2014-06-12 07:12:21 8023 985 +Filter: "SPF Test"
2014-06-12 07:12:21 8023 1125 SPF result: NEUTRAL
2014-06-12 07:12:21 8023 1125 yahoo.com: v=spf1 redirect=_spf.mail.yahoo.com
2014-06-12 07:12:21 8023 1125 _spf.mail.yahoo.com: v=spf1 ptr:yahoo.com ptr:yahoo.net ?all
2014-06-12 07:12:21 8023 1125 +Filter: "Block bad senders"
2014-06-12 07:12:21 8023 1125 <-- 250 OK
2014-06-12 07:12:21 8023 1594 --> RCPT TO:<stuart@xxxxxxxxx.com.au>
2014-06-12 07:12:21 8023 1610 +Filter: "Block harvesters"
2014-06-12 07:12:21 8023 1610 +Filter: "Open relay prevention"
2014-06-12 07:12:21 8023 1610 +Filter: "Max recipient count", skip for recipient <stuart@xxxxxxxxx.com.au>
2014-06-12 07:12:21 8023 1610 <-- 250 OK
2014-06-12 07:12:22 8023 2078 --> DATA
2014-06-12 07:12:22 8023 2078 <-- 354 OK, send.
2014-06-12 07:12:23 8023 3063 Message size: 6.40 KB
2014-06-12 07:12:23 8023 3063 Subject: -
2014-06-12 07:12:23 8023 3063 +Filter: "Archive filter"
2014-06-12 07:12:23 8023 3063 +Filter: "Sophos Antivirus 9.5"
2014-06-12 07:12:48 8023 28141 +Filter: "ClamAV"
2014-06-12 07:12:48 8023 28188 +Filter: "Backup Incoming Mail"
2014-06-12 07:12:48 8023 28188 +Filter: "Block Countries Traffic"
2014-06-12 07:12:48 8023 28188 +Filter: "Block specific charset"
2014-06-12 07:12:48 8023 28188 Found charset: koi8-r
2014-06-12 07:12:48 8023 28188 +Filter: "Backup Outgoing Email"
2014-06-12 07:12:48 8023 28188 +Filter: "Phishing links"
2014-06-12 07:12:48 8023 28188 +Filter: "SURBL Test"
2014-06-12 07:12:48 8023 28188 +Filter: "Spam Assassin (SpamD)"
2014-06-12 07:12:54 8023 34110 SpamD score: 2.0 / 5.0
2014-06-12 07:12:54 8023 34110 +Filter: "Delete Spam Score more than 7"
2014-06-12 07:12:59 8023 39750 SpamD score: 2.0 / 5.0
2014-06-12 07:12:59 8023 39750 +Filter: "Block Subject Matter"
2014-06-12 07:12:59 8023 39750 +Filter: "Block From"
2014-06-12 07:12:59 8023 39766 +Filter: "Block Message Text"
2014-06-12 07:12:59 8023 39782 Mail server accepted data transfer
2014-06-12 07:12:59 8023 39797 <-- 250 Queued (0.000 seconds)
2014-06-12 07:13:00 8023 40250 --> QUIT
2014-06-12 07:13:00 8023 40266 <-- 221 goodbye
2014-06-12 07:13:00 8023 40313 Disconnect


Outlook Internet Headers
Return-Path: exterminatione@yahoo.com
Delivered-To: stuart@xxxxxxxxx.com.au
Received: from emea-mail1.herbalife.com (mail.xxxxxxxxx.local [127.0.0.1]) by mail.xxxxxxxxx.com.au ; Thu, 12 Jun 2014 07:12:59 +1000
Date: Wed, 11 Jun 2014 23:12:22 +0200
Content-Type: multipart/alternative; boundary="663bw381fx0y"
Message-Id: <20140611231222.67VQ8I9GW0SEOK2M@8N4.yahoo.com>
Subject: =?koi8-r?B?/snUwcXUxSD32SAtINDSz97U1dQgySDE0tXHycU=?=
To: <stuart@xxxxxxxxx.com.au>
Cc: <support@xxxxxxxxx.com.au>
X-Mailer: MyBB Mail
From: =?koi8-r?B?9MnN1dI=?= <enforcementzg4@list.ru>
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on mailscan.xxxxxxxxx.com.au
X-Spam-Level: *
X-Spam-Status: No, score=2.0 required=5.0 tests=HTML_MESSAGE, MIME_HEADER_CTYPE_ONLY,NO_RECEIVED,NO_RELAYS autolearn=no version=3.3.2
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on mailscan.xxxxxxxxx.com.au
X-Spam-Level: *
X-Spam-Status: No, score=2.0 required=5.0 tests=HTML_MESSAGE, MIME_HEADER_CTYPE_ONLY,NO_RECEIVED,NO_RELAYS autolearn=no version=3.3.2

Developer
Posts: 4431
Joined: Tue Apr 20, 2004 3:43 pm

Re: Country filter problem

Postby Alexander Telegin » Thu Jun 12, 2014 7:30 am

Stuart, you don't want to block the whole of Europe because of that Russian spam, right? :) Blocking Russian servers doesn't stop Russian spam from Chinese servers etc. I'd recommend using the Charset filter from the repository and picking the unwanted charsets.
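
The charset check recommended above, as an added Python example that is not part of any post in this thread and is not eWall's own filter code. It decodes the RFC 2047 encoded-word headers from the first message and collects every declared charset; that message's Content-Type carries no charset parameter, so only the encoded words reveal koi8-r. The blocked set and the clean message are assumptions made for the example.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header

# Headers copied from the first message in this thread (body omitted).
SPAM = (
    "Subject: =?koi8-r?B?/snUwcXUxSD32SAtINDSz97U1dQgySDE0tXHycU=?=\n"
    "From: =?koi8-r?B?9MnN1dI=?= <enforcementzg4@list.ru>\n"
    'Content-Type: multipart/alternative; boundary="663bw381fx0y"\n'
    "\n"
)
# Constructed sample of mail that should pass the check.
CLEAN = (
    "Subject: Invoice for June\n"
    "From: Accounts <accounts@example.com>\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Please find the invoice attached.\n"
)
BLOCKED_CHARSETS = {"koi8-r", "koi8-u", "windows-1251"}  # assumed local policy

# =?charset?B-or-Q?payload?=  (RFC 2047 encoded-word)
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?[bBqQ]\?[^?\s]*\?=")
TEXT_HEADERS = ("Subject", "From", "To", "Cc", "Reply-To")

def declared_charsets(msg):
    """Charsets named in encoded-word headers and in any part's Content-Type."""
    found = set()
    for name in TEXT_HEADERS:
        for raw in msg.get_all(name, []):
            found.update(c.lower() for c in ENCODED_WORD.findall(str(raw)))
    for part in msg.walk():
        charset = part.get_content_charset()
        if charset:
            found.add(charset.lower())
    return found

def decoded_header(msg, name):
    """Human-readable value of a header, with encoded-words decoded."""
    raw = msg.get(name)
    return str(make_header(decode_header(raw))) if raw else ""

def check(raw_message):
    msg = message_from_string(raw_message)
    charsets = declared_charsets(msg)
    return {"subject": decoded_header(msg, "Subject"),
            "charsets": sorted(charsets),
            "blocked": bool(charsets & BLOCKED_CHARSETS)}

if __name__ == "__main__":
    for sample in (SPAM, CLEAN):
        print(check(sample))
```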

Junior Member
Posts: 118
Joined: Thu Nov 15, 2007 12:02 pm
Location: Townsville, Australia

Re: Country filter problem

Postby Stuart » Mon Jun 16, 2014 11:47 pm

Hi Alex

I am not sure if what I am doing is correct so I hope you can help. I blocked the Charset KO18-R but the email still gets through, eWall tags the mail as SPAM and SPF but does not block it. I have attached the logs, I hope they help identify what I am not doing.

eWall Log
2014-06-16 19:03:55 11737 16 ------ Requested connection from 92.28.76.150, Country: United Kingdom, SID:1406161903550000
2014-06-16 19:03:55 11737 32 Connected to 127.0.0.1:2525
2014-06-16 19:03:55 11737 32 <-- 220 mail.*********.com.au
2014-06-16 19:03:55 11737 438 --> EHLO host-92-28-76-150.as13285.net
2014-06-16 19:03:55 11737 453 <-- 250-mail.*********.com.au
2014-06-16 19:03:55 11737 453 <-- 250-SIZE 204800000
2014-06-16 19:03:55 11737 453 <-- 250 AUTH LOGIN PLAIN
2014-06-16 19:03:55 11737 844 --> MAIL FROM: <auditoryujsa@gmail.com> BODY=8BITMIME
2014-06-16 19:03:55 11737 860 +Filter: "Authentication Exceptions"
2014-06-16 19:03:55 11737 860 +Filter: "SPF Test"
2014-06-16 19:03:56 11737 1047 SPF result: SOFTFAIL
2014-06-16 19:03:56 11737 1047 gmail.com: v=spf1 redirect=_spf.google.com
2014-06-16 19:03:56 11737 1047 _spf.google.com: v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all
2014-06-16 19:03:56 11737 1047 _netblocks.google.com: v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17
2014-06-16 19:03:56 11737 1047 _netblocks2.google.com: v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 i
2014-06-16 19:03:56 11737 1047 _netblocks3.google.com: v=spf1 ~all
2014-06-16 19:03:56 11737 1047 +Filter: "Block bad senders"
2014-06-16 19:03:56 11737 1047 <-- 250 OK
2014-06-16 19:03:56 11737 1438 --> RCPT TO:<stuart@*********.com.au>
2014-06-16 19:03:56 11737 1453 +Filter: "Block harvesters"
2014-06-16 19:03:56 11737 1453 +Filter: "Open relay prevention"
2014-06-16 19:03:56 11737 1453 +Filter: "Max recipient count", skip for recipient <stuart@*********.com.au>
2014-06-16 19:03:56 11737 1453 <-- 250 OK
2014-06-16 19:03:56 11737 1844 --> DATA
2014-06-16 19:03:56 11737 1860 <-- 354 OK, send.
2014-06-16 19:03:57 11737 2266 Message size: 535 Bytes
2014-06-16 19:03:57 11737 2266 Subject: RE:
2014-06-16 19:03:57 11737 2266 +Filter: "Archive filter"
2014-06-16 19:03:57 11737 2266 +Filter: "Sophos Antivirus 9.5"
2014-06-16 19:04:13 11737 18016 +Filter: "ClamAV"
2014-06-16 19:04:13 11737 18047 +Filter: "Backup Incoming Mail"
2014-06-16 19:04:13 11737 18047 +Filter: "Block Countries Traffic"
2014-06-16 19:04:13 11737 18047 +Filter: "Block specific charset"
2014-06-16 19:04:13 11737 18047 Found charset: koi8-r
2014-06-16 19:04:13 11737 18047 +Filter: "Backup Outgoing Email"
2014-06-16 19:04:13 11737 18047 +Filter: "Phishing links"
2014-06-16 19:04:13 11737 18047 +Filter: "SURBL Test"
2014-06-16 19:04:13 11737 18047 +Filter: "Spam Assassin (SpamD)"
2014-06-16 19:04:18 11737 23735 SpamD score: 1.4 / 5.0
2014-06-16 19:04:18 11737 23735 +Filter: "Delete Spam Score more than 7"
2014-06-16 19:04:24 11737 29375 SpamD score: 1.4 / 5.0
2014-06-16 19:04:24 11737 29375 +Filter: "Block Subject Matter"
2014-06-16 19:04:24 11737 29375 +Filter: "Block From"
2014-06-16 19:04:24 11737 29375 +Filter: "Block Message Text"
2014-06-16 19:04:24 11737 29391 Mail server accepted data transfer
2014-06-16 19:04:24 11737 29391 <-- 250 Queued (0.000 seconds)
2014-06-16 19:04:24 11737 29813 --> QUIT
2014-06-16 19:04:24 11737 29828 <-- 221 goodbye
2014-06-16 19:04:24 11737 29875 Disconnect


Outlook Internet Headers
Return-Path: auditoryujsa@gmail.com
Delivered-To: stuart@taxhunter.com.au
Received: from host-92-28-76-150.as13285.net (mail.taxhunter.local [127.0.0.1]) by mail.taxhunter.com.au ; Mon, 16 Jun 2014 19:04:24 +1000
To: <stuart@taxhunter.com.au>
Cc: <support@taxhunter.com.au>
Subject: =?koi8-r?B?UkU6IOby5frl8u7v5SDv4u/y9eTv9+Hu6eUg8u/z8+np?=
Reply-to: plungesd3@yahoo.com
From: =?koi8-r?B?IiDpx87B1M/XIg==?= <plungesd3@yahoo.com>
Content-Type: text/plain; charset=koi8-r
Message-Id: <20140616090401.BA6BUZ1Q@gmail.com>
Date: Mon, 16 Jun 2014 09:04:01 +0000 (MSD)
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on mailscan.taxhunter.com.au
X-Spam-Level: *
X-Spam-Status: No, score=1.4 required=5.0 tests=DKIM_ADSP_CUSTOM_MED, FREEMAIL_FROM,FREEMAIL_REPLYTO_END_DIGIT,NML_ADSP_CUSTOM_MED,NO_RECEIVED, NO_RELAYS autolearn=no version=3.3.2
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on mailscan.taxhunter.com.au
X-Spam-Level: *
X-Spam-Status: No, score=1.4 required=5.0 tests=DKIM_ADSP_CUSTOM_MED, FREEMAIL_FROM,FREEMAIL_REPLYTO_END_DIGIT,NML_ADSP_CUSTOM_MED,NO_RECEIVED, NO_RELAYS autolearn=no version=3.3.2

Developer
Posts: 4431
Joined: Tue Apr 20, 2004 3:43 pm

Re: Country filter problem

Postby Alexander Telegin » Tue Jun 17, 2014 7:55 am

Probably the result of the charset filter was overlapped by the next filters. What action does the charset filter have?

Junior Member
Posts: 118
Joined: Thu Nov 15, 2007 12:02 pm
Location: Townsville, Australia

Re: Country filter problem

Postby Stuart » Tue Jun 17, 2014 10:38 pm

Hi Alex

My fault, I noticed that I had not set the 'Add Spam Header' to yes so the 'X-eWall-Spam: Yes' and the 'X-eWall-Tags: SPAM' tags were not being generated in the mail Headers, as a result the spam was not being dealt with by the rules in our mail server. I notice that the eWall actions are limited for this rule, would it be possible to add delete to the possible actions?

Developer
Posts: 4431
Joined: Tue Apr 20, 2004 3:43 pm

Re: Country filter problem

Postby Alexander Telegin » Wed Jun 18, 2014 12:27 pm

You can use "delete" action in custom filters.

If <something>
then delete message
