Discard subject UTF8


Discard subject UTF8

Emanuel
Hello,

due to email accounts compromised by viruses, I have created filters for
the subject of these malicious emails

/^Subject: Your Amazon\.co\.uk order \#[0-9]*$/    DISCARD

Now, I see that these malicious emails keep coming out but they are not
discarded because the subject is encoded in utf8.

=?UTF-8?B?WW91ciBBbWF6b24uY28udWsgb3JkZXIgIzM2Njg1MDk2Nw==?=

How can I discard these emails if they are encoded? Or do I need to
create a regular expression for the ID in the subject?

Regards,

--


Re: Discard subject UTF8

Bastian Blank-3
On Thu, Feb 28, 2019 at 10:43:20AM -0300, Emanuel wrote:
> How can I discard these emails if they are encoded? yes or if I need to
> create a regular expression for the ID in to the subject.

You block the users sending them.

Bastian

--
To live is always desirable.
                -- Eleen the Capellan, "Friday's Child", stardate 3498.9

Re: Discard subject UTF8

Emanuel
It's not what I need, thanks.

On 28/2/19 at 10:45, Bastian Blank wrote:
> You block the users sending them.
--

Re: Discard subject UTF8

John Peach
On 2/28/19 8:51 AM, Emanuel wrote:
> It's not what I need, thanks.
>
> On 28/2/19 at 10:45, Bastian Blank wrote:
>> You block the users sending them.

It probably is - legitimate Amazon email comes from servers in
amazonses.com - block email purporting to be from Amazon if the server
is not in that domain.



--
John
PGP Public Key: 412934AC

Re: Discard subject UTF8

Emanuel
These emails do not use the domain "amazon.com", so I need to block by
subject, but it is encoded in utf8.

Subject:
Your Amazon.co.uk order #974853812
From:
Amazon.co.uk <[hidden email]>
Date:
28/2/19 10:53

The From field changes all the time because they falsify it.

On 28/2/19 at 10:55, John Peach wrote:

> On 2/28/19 8:51 AM, Emanuel wrote:
>> It's not what I need, thanks.
>>
>> On 28/2/19 at 10:45, Bastian Blank wrote:
>>> You block the users sending them.
>
> It probably is - legitimate Amazon email comes from servers in
> amazonses.com - block email purporting to be from Amazon if the server
> is not in that domain.
>
>
>
--

Re: Discard subject UTF8

Emanuel
example:

From: =?UTF-8?B?QW1hem9uLmNvLnVr?=
	[hidden email]
Subject: =?UTF-8?B?WW91ciBBbWF6b24uY28udWsgb3JkZXIgIzk3NDg1MzgxMg==?=
Message-ID: [hidden email]
X-Mailer: PHPMailer 5.3.5
On 28/2/19 at 11:05, Emanuel wrote:
> These emails do not use the domain "amazon.com", so I need to block by subject, but it is encoded in utf8.
>
> Subject:
> Your Amazon.co.uk order #974853812
> From:
> Amazon.co.uk [hidden email]
> Date:
> 28/2/19 10:53
>
> The From field changes all the time because they falsify it.
>
> On 28/2/19 at 10:55, John Peach wrote:
>> On 2/28/19 8:51 AM, Emanuel wrote:
>>> It's not what I need, thanks.
>>>
>>> On 28/2/19 at 10:45, Bastian Blank wrote:
>>>> You block the users sending them.
>>
>> It probably is - legitimate Amazon email comes from servers in amazonses.com - block email purporting to be from Amazon if the server is not in that domain.



--
envialosimple.com
Emanuel Gonzalez
IT / Emails Department
[hidden email]
www.envialosimple.com
by donweb

Confidentiality Note: This message and any attachments (the message) are confidential and intended solely for the addressees. Any unauthorised use or dissemination is prohibited by DonWeb.com.
DonWeb.com shall not be liable for the message if altered or falsified.
If you are not the intended addressee of this message, please cancel it immediately and inform the sender.

Re: Discard subject UTF8

Bastian Blank-3
On Thu, Feb 28, 2019 at 11:08:46AM -0300, Emanuel wrote:
> From: =?UTF-8?B?QW1hem9uLmNvLnVr?=
> <[hidden email]>
> Subject: =?UTF-8?B?WW91ciBBbWF6b24uY28udWsgb3JkZXIgIzk3NDg1MzgxMg==?=
> Message-ID: <[hidden email]>
> X-Mailer: PHPMailer 5.3.5

You have an open PHPMailer, are you serious?

Bastian

--
The face of war has never changed.  Surely it is more logical to heal
than to kill.
                -- Surak of Vulcan, "The Savage Curtain", stardate 5906.5

Re: Discard subject UTF8

Emanuel

Oh, my God. As I said before, email accounts are compromised by viruses; they use them to send SPAM from my server, in this case using PHP Mailer or any other application to send bulk mail.

If you do not plan to help, do not answer.

On 28/2/19 at 11:11, Bastian Blank wrote:
> You have an open PHPMailer, are you serious?
>
> Bastian

Re: Discard subject UTF8

Emanuel

The computers or mobile devices of my clients are affected by viruses and their data is stolen, and then their email accounts are used to send phishing.

I have created filters for the subject of these malicious emails

/^Subject: Your Amazon\.co\.uk order \#[0-9]*$/    DISCARD

Now, I see that these malicious emails keep coming out but they are not discarded because the subject is encoded in utf8.

=?UTF-8?B?WW91ciBBbWF6b24uY28udWsgb3JkZXIgIzM2Njg1MDk2Nw==?=

How can I discard these emails if they are encoded? Or do I need to create a regular expression for the ID in the subject?

Regards,

On 28/2/19 at 11:16, Emanuel wrote:
> Oh, my God. As I said before, email accounts are compromised by viruses; they use them to send SPAM from my server, in this case using PHP Mailer or any other application to send bulk mail.
>
> If you do not plan to help, do not answer.
>
> On 28/2/19 at 11:11, Bastian Blank wrote:
>> You have an open PHPMailer, are you serious?
>>
>> Bastian

Re: Discard subject UTF8

Benny Pedersen-2
Emanuel wrote on 2019-02-28 15:16:
> Oh, my God, as I said before, email accounts are compromised by
> viruses, they use them to send SPAM from my server, in this case they
> use PHP Mailer or any other application to make bulk mail.
>
> if you do not plan to help, do not answer
> On 28/2/19 at 11:11, Bastian Blank wrote:
>

Postfix can deny system users sending mail via PHP (pickup) or
sendmail; I have just lost track of how to configure Postfix to limit pickup
spamming. If you limit it to root only, then other users need to send email
via inet, which can be SASL auth only; remove permit_mynetworks or only have
mynetworks with WAN IPs.

Show logs and postconf -n to get more help.

>> You have an open PHPMailer, are you serious?

+1
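As an added illustration of the restriction Benny describes (not his configuration, and not anything posted in the thread), the Postfix main.cf settings below let only root inject mail through the sendmail(1)/pickup path and grant relaying only to SASL-authenticated clients; the mynetworks value is an assumption, and with it any client on the LAN (including another VPS relaying through this smarthost) has to authenticate:

```ini
# main.cf (added example; values are assumptions, not from the thread)

# Only root may submit mail with the sendmail(1) command and the pickup daemon.
# PHP scripts running as any other local user can no longer inject mail this
# way and must use SMTP with SASL authentication instead.
authorized_submit_users = root

# Trust no client network; relaying is granted only to SASL-authenticated
# clients.  Loopback stays so local daemons can still submit.
mynetworks = 127.0.0.0/8 [::1]/128
smtpd_sasl_auth_enable = yes
smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination
```

After changing these, `postconf -n` shows the effective values and `postfix reload` applies them; mail from a compromised account then shows up in the log as an authenticated session (`sasl_username=`), which is the account to lock.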

Re: Discard subject UTF8

Benny Pedersen-2
Emanuel wrote on 2019-02-28 15:33:

> /^Subject: Your Amazon\.co\.uk order \#[0-9]*$/    DISCARD

Try this in milter-regex.

> =?UTF-8?B?WW91ciBBbWF6b24uY28udWsgb3JkZXIgIzM2Njg1MDk2Nw==?=

Try doing this one in Postfix regex.

If all fails, you will need to learn ClamAV.

Re: Discard subject UTF8

Emanuel


On 28/2/19 at 11:41, Benny Pedersen wrote:
> Emanuel wrote on 2019-02-28 15:33:
>
>> /^Subject: Your Amazon\.co\.uk order \#[0-9]*$/    DISCARD
>
> Try this in milter-regex.
>
>> =?UTF-8?B?WW91ciBBbWF6b24uY28udWsgb3JkZXIgIzM2Njg1MDk2Nw==?=
>
> Try doing this one in Postfix regex.

The ID within the subject of the email changes constantly.

=?UTF-8?B?WW91ciBBbWF6b24uY28udWsgb3JkZXIgIzM2Njg1MDk2Nw==?=

Decoded: Your Amazon.co.uk order #366850967

==> #366850967 ==> THIS ID CHANGES IN EACH MAIL

> If all fails, you will need to learn ClamAV.

Re: Discard subject UTF8

Emanuel

Feb 28 11:32:36 smarthost02-ded postfix/smtpd[519]: D6D24802716B: client=vps-1578111-x.dattaweb.com[66.97.36.75]
Feb 28 11:32:36 smarthost02-ded postfix/cleanup[32709]: D6D24802716B: warning: header From: =?UTF-8?B?QW1hem9uLmNvLnVr?= [hidden email] from vps-1578111-x.dattaweb.com[66.97.36.75]; from=[hidden email] to=[hidden email] proto=ESMTP helo=<vps-1578111-x.dattaweb.com>
Feb 28 11:32:36 smarthost02-ded postfix/cleanup[32709]: D6D24802716B: warning: header Subject: =?UTF-8?B?WW91ciBBbWF6b24uY28udWsgb3JkZXIgIzMxMjUxNjY2NQ==?= from vps-1578111-x.dattaweb.com[66.97.36.75]; from=[hidden email] to=[hidden email] proto=ESMTP helo=<vps-1578111-x.dattaweb.com>
Feb 28 11:32:36 smarthost02-ded postfix/cleanup[32709]: D6D24802716B: message-id=[hidden email]

Feb 28 11:32:36 smarthost02-ded postfix/qmgr[32479]: D6D24802716B: from=[hidden email], size=12101, nrcpt=1 (queue active)
Feb 28 11:32:40 smarthost02-ded postfix/smtp[547]: D6D24802716B: to=[hidden email], relay=hotmail-com.olc.protection.outlook.com[104.47.45.33]:25, delay=3.2, delays=0.04/0/1.7/1.4, dsn=2.6.0, status=sent (250 2.6.0 [hidden email] [InternalId=35158602327759, Hostname=CO1NAM04HT099.eop-NAM04.prod.protection.outlook.com] 18472 bytes in 0.573, 31.472 KB/sec Queued mail for delivery -> 250 2.1.5)
Feb 28 11:32:40 smarthost02-ded postfix/qmgr[32479]: D6D24802716B: removed

What do you need from the configuration?

On 28/2/19 at 11:41, Benny Pedersen wrote:
> Emanuel wrote on 2019-02-28 15:33:
>
>> /^Subject: Your Amazon\.co\.uk order \#[0-9]*$/    DISCARD
>
> Try this in milter-regex.
>
>> =?UTF-8?B?WW91ciBBbWF6b24uY28udWsgb3JkZXIgIzM2Njg1MDk2Nw==?=
>
> Try doing this one in Postfix regex.
>
> If all fails, you will need to learn ClamAV.

Re: Discard subject UTF8

Varadi Gabor
On 2019-02-28 15:48, Emanuel wrote:
> Your Amazon.co.uk order #


^Subject: =?UTF-8?B?WW91ciBBbWF6b24uY28udWsgb3JkZXIgIw/ DISCARD

--
   [Varadi Gabor]
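Whether a rule on the raw encoded form works depends on where the variable order number lands in the Base64 stream: Base64 encodes three input bytes as four output characters, so only the part of "Your Amazon.co.uk order #" up to the last whole 3-byte group encodes the same way in every message, and the lone "#" shares its output characters with the first digit that follows it. The following is an added example, not from the thread or from Postfix, that computes the longest stable Base64 prefix, builds a header_checks-style pattern from it, and checks both that pattern and the naive "encode the whole literal" pattern against the three encoded subjects posted in this thread; the function names are mine.

```python
import base64
import re

# The three B-encoded Subject header lines posted in this thread (order numbers differ).
SAMPLE_SUBJECTS = [
    "Subject: =?UTF-8?B?WW91ciBBbWF6b24uY28udWsgb3JkZXIgIzM2Njg1MDk2Nw==?=",
    "Subject: =?UTF-8?B?WW91ciBBbWF6b24uY28udWsgb3JkZXIgIzk3NDg1MzgxMg==?=",
    "Subject: =?UTF-8?B?WW91ciBBbWF6b24uY28udWsgb3JkZXIgIzMxMjUxNjY2NQ==?=",
]


def naive_b64_prefix(plaintext: bytes) -> str:
    """Base64 of the whole literal with padding stripped.

    This is what encoding "Your Amazon.co.uk order #" as-is gives.  It is wrong
    as a match prefix: the final 1 or 2 bytes of a partial 3-byte group are
    encoded together with the next byte of the real subject (the first digit
    of the order number), so the last output characters change per message."""
    return base64.b64encode(plaintext).decode("ascii").rstrip("=")


def stable_b64_prefix(plaintext: bytes) -> str:
    """Base64 text that is identical for every string starting with plaintext.

    Only whole 3-byte input groups map to fixed 4-character output groups, so
    plaintext is cut back to its last 3-byte boundary before encoding."""
    stable_len = len(plaintext) - len(plaintext) % 3
    return base64.b64encode(plaintext[:stable_len]).decode("ascii")


def header_check_pattern(plaintext: bytes, charset: str = "UTF-8") -> str:
    """Build a Postfix header_checks-style PCRE for the B-encoded form of a subject prefix.

    The '=' and '?' of the encoded-word framing are escaped, and re.escape()
    takes care of the '+' and '/' that Base64 output can contain."""
    encoded = stable_b64_prefix(plaintext)
    return r"^Subject: =\?" + re.escape(charset) + r"\?B\?" + re.escape(encoded)


def matches(pattern: str, header_line: str) -> bool:
    """True if the header line matches the pattern at its start, as header_checks would."""
    return re.match(pattern, header_line) is not None


if __name__ == "__main__":
    wanted = b"Your Amazon.co.uk order #"
    naive = r"^Subject: =\?UTF-8\?B\?" + re.escape(naive_b64_prefix(wanted))
    stable = header_check_pattern(wanted)
    print("naive  pattern:", naive)
    print("stable pattern:", stable)
    for line in SAMPLE_SUBJECTS:
        print(f"naive={matches(naive, line)!s:5} stable={matches(stable, line)!s:5}  {line}")
```

The stable pattern ends in `...b3JkZXIg` (the 24 bytes "Your Amazon.co.uk order " exactly fill eight 3-byte groups), which is why it matches all three samples; the naive one ends in `...Iw`, the encoding of a lone "#", which never appears in a real subject where a digit follows. Note also that Postfix regexp and pcre tables match case-insensitively by default, while Base64 is case-sensitive; for a prefix this long that is harmless, but it is a reason to prefer matching after decoding where a content filter is available.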

Re: Discard subject UTF8

Benny Pedersen-2
Emanuel wrote on 2019-02-28 15:49:
> Feb 28 11:32:36 smarthost02-ded postfix/smtpd[519]: D6D24802716B:
> client=vps-1578111-x.dattaweb.com[66.97.36.75]

This is not a system user spamming.

For more help, post postconf -n.

I stop here.

Re: Discard subject UTF8

Dominic Raferd
On Thu, 28 Feb 2019 at 15:04, Varadi Gabor <[hidden email]> wrote:
>
> 2019. 02. 28. 15:48 keltezéssel, Emanuel írta:
> > Your Amazon.co.uk order #
>
>
> ^Subject: =?UTF-8?B?WW91ciBBbWF6b24uY28udWsgb3JkZXIgIw/ DISCARD


Or use Spamassassin

Re: Discard subject UTF8

Andrey Repin-2
Greetings, Emanuel!

> Oh, my God, as I said before, email accounts are compromised by
> viruses, they use them to send SPAM from my server, in this case they
> use PHP Mailer or any other application to make bulk mail.

So block these accounts until they sort their crap out.


--
With best regards,
Andrey Repin
Thursday, February 28, 2019 18:21:44

Sorry for my terrible english...


Re: Discard subject UTF8

Bill Cole-3
On 28 Feb 2019, at 8:43, Emanuel wrote:

> Hello,
>
> due to email accounts compromised by viruses, I have created filters
> for the subject of these malicious emails
>
> /^Subject: Your Amazon\.co\.uk order \#[0-9]*$/    DISCARD

Side note: REJECT is a better choice than DISCARD, unless you're doing
the check on a Postfix instance that doesn't receive mail directly from
the Internet. Discarding means you appear to be accepting the message
for delivery as far as the SMTP client can tell, making your system look
like a promising target. Rejecting instead makes it clear that the spam
isn't going anywhere and in cases where the source is a compromised
account, it makes the abuse apparent to the victim and possibly their
service provider.

> Now, I see that these malicious emails keep coming out but they are
> not discarded because the subject is encoded in utf8.

And just as importantly: encoded with Base64.

> =?UTF-8?B?WW91ciBBbWF6b24uY28udWsgb3JkZXIgIzM2Njg1MDk2Nw==?=
>
> How can I discard these emails if they are encoded? yes or if I need
> to create a regular expression for the ID in to the subject

2 possible solutions:

1. Match against the encoded form. "WW91ciBBbWF6b24uY28udWsgb3JkZXIg" is
'Your Amazon.co.uk order ' encoded with Base64, so you could use this
header_checks line:

/^Subject: =\?UTF-8\?B\?WW91ciBBbWF6b24uY28udWsgb3JkZXIg/    DISCARD

Note that this is error-prone because the standard for non-ASCII header
encoding allows breaking a header into distinct words which may be
encoded independently and even use different encodings. Someone actually
believed that to be a good idea...

2. Do this in an external content filter (e.g. SpamAssassin) that
decodes everything for you so that you can just match against the
decoded header.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
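To show the difference between Bill's two solutions, here is an added example (not from the thread, and not Postfix or SpamAssassin code) that runs a rule on the raw encoded form next to a rule on the RFC 2047-decoded subject, using the standard library's `email.header.decode_header`. The sample subjects are constructed: two are from the thread, and two re-encode the same text in ways RFC 2047 permits, one split into two encoded-words with different charsets and encodings and one with a lower-case charset tag.

```python
import re
from email.header import decode_header

# Rule on the decoded subject: the thread's original plain-text header_checks
# pattern, minus the "Subject: " field name, applied to the decoded value.
DECODED_RULE = re.compile(r"^Your Amazon\.co\.uk order #[0-9]+$")

# Rule on the raw encoded form (solution 1): Base64 of the 24-byte prefix
# "Your Amazon.co.uk order ".  IGNORECASE because Postfix regexp/pcre tables
# match case-insensitively by default.
ENCODED_RULE = re.compile(r"^=\?UTF-8\?B\?WW91ciBBbWF6b24uY28udWsgb3JkZXIg", re.IGNORECASE)

# Constructed sample Subject header values (field name omitted).  The first two
# appear in the thread; the last two are the same text re-encoded legally.
SAMPLES = {
    "plain": "Your Amazon.co.uk order #366850967",
    "b64_single": "=?UTF-8?B?WW91ciBBbWF6b24uY28udWsgb3JkZXIgIzM2Njg1MDk2Nw==?=",
    # Two encoded-words, the second Q-encoded in another charset; whitespace
    # between adjacent encoded-words is not part of the decoded text.
    "split_mixed": "=?UTF-8?B?WW91ciBBbWF6b24u?= =?ISO-8859-1?Q?co=2Euk_order_=23366850967?=",
    "lowercase_charset": "=?utf-8?b?WW91ciBBbWF6b24uY28udWsgb3JkZXIgIzM2Njg1MDk2Nw==?=",
}


def decode_subject(raw: str) -> str:
    """Decode every RFC 2047 encoded-word in a header value into one str.

    decode_header() returns (bytes, charset) pairs for encoded input and a
    single (str, None) pair for input without encoded-words; both are handled.
    Undecodable bytes are replaced rather than raised so a malformed header
    cannot make the filter skip the message."""
    parts = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)


def encoded_rule_hits(raw: str) -> bool:
    """Solution 1: match the raw header value without decoding."""
    return ENCODED_RULE.match(raw) is not None


def decoded_rule_hits(raw: str) -> bool:
    """Solution 2: decode first, then match the plain-text rule."""
    return DECODED_RULE.match(decode_subject(raw)) is not None


def classify(samples: dict) -> dict:
    """Map each sample name to (hit by encoded-form rule, hit by decoded-form rule)."""
    return {name: (encoded_rule_hits(v), decoded_rule_hits(v)) for name, v in samples.items()}


if __name__ == "__main__":
    for name, (enc, dec) in classify(SAMPLES).items():
        print(f"{name:18} encoded-rule={enc!s:5} decoded-rule={dec!s:5}  {SAMPLES[name]}")
```

The encoded-form rule catches only the single-word Base64 variants, and an attacker who splits the subject into two encoded-words, or switches one of them to Q encoding, walks past it without changing a single character the recipient sees; the decoded-form rule catches all four. That is the practical reason to run subject rules in a content filter that decodes headers (SpamAssassin does this for its `Subject` rules) rather than in raw `header_checks`, and to use `REJECT` rather than `DISCARD` on the edge MTA, as noted above.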