Anonymous_User Absent Member.

incoming spam bypassing junk mail folder

We use the “Heath and James mod” to tag spam messages with
"X-Spam-Flag: Yes" and send them to the "Junk Mail" folder. The problem
we run into with this method is that any incoming spam message that has
the recipient in the To and From fields bypasses the junk mail rules
and goes to the inbox. This has not been a problem until lately; we have
been dealing with a very persistent phishing campaign.

Is there a way to stop the behavior of letting email with the
"X-Spam-Flag: Yes" tag bypass the Junk Mail folder if the From address
is the recipient's address?

example header:

Return-path: <honda@kagawaseiko.co.jp>
Received: from kagawaseiko.co.jp (063.ourdomain.com [10.10.55.30])
by mail.ourdomain.com with ESMTP (TLS encrypted); Tue, 19 Feb 2019
06:17:53 -0600
Received: FROM kagawaseiko.co.jp (60.43.172.174) BY ourdomain.com WITH ESMTP
FOR userg@ourdomain.com;
Tue, 19 Feb 2019 06:17:53 -0500
Received: from [84-241-63-206.shatel.ir] (unknown [84.241.63.206])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(Client did not present a certificate)
by kagawaseiko.co.jp (Postfix) with ESMTPSA id 15C8518A0E68
for <userg@ourdomain.com>; Tue, 19 Feb 2019 21:17:48 +0900 (JST)
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101
From: <userg@ourdomain.com>
X-Sender: <honda@kagawaseiko.co.jp>
List-Unsubscribe:

<mailto:u-ifsimrh_xzckmcsjhl_ozkhqyhqus_gkgktrgjk_v@bounce.kagawaseiko.co.jp?subject=Unsubscribe>
To: userg@ourdomain.com
Subject: userg
Date: Tue, 19 Feb 2019 13:17:49 +0100
Message-ID: <056f0ojkjo4kgub2dyyqe7yumi9id@6kin5xxxk9rydch2fbs0qdpsde>
Content-Transfer-Encoding: base64
Content-Type: text/plain; charset=UTF-8
X-Priority: 2
X-Sender-Info: <honda@kagawaseiko.co.jp>
List-Help: <http://aavcdhx.com/lq/rvanus/gjyavuqhs>
List-ID: <03791515.rvbulonlio.local>
X-Spam-Flag: Yes
Knowledge Partner

Re: incoming spam bypassing junk mail folder

On Tue, 19 Feb 2019 15:27:23 GMT, Steve B <cns965+nospam@gmail.com>
wrote:

>We use the “Heath and James mod” to tag spam messages with
>"X-Spam-Flag: Yes" and send them to the "Junk Mail" folder. The problem
>we run into with this method is that any incoming spam message that has
>the recipient in the To and From fields bypasses the junk mail rules
>and goes to the inbox. This has not been a problem until lately; we have
>been dealing with a very persistent phishing campaign.
>
>Is there a way to stop the behavior of letting email with the
>"X-Spam-Flag: Yes" tag bypass the Junk Mail folder if the From address
>is the recipient's address?

Steve,
Not a direct answer because I don't bother with the junk mail folder
in GroupWise - I just use the SMG quarantine. I take this tactic. My
mail server is the only one authorized to send email for my domain. So
incoming email should never have a from with my domain in it. I have
added a header filter that checks for "FROM:*@mydomain". If the email
hits that filter, I block and quarantine it. Stops quite a bit of
garbage from getting in.

--
Ken
Knowledge Partner

Create and vote for enhancements!
https://www.microfocus.com/products/enhancement-request.html
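
The header check described in the reply above, run against a trimmed copy of the header from the original post, as an added example that is not part of either post and is not SMG's own filter logic. The function names, the verdict order and the wildcard semantics in `naive_wildcard_hit` are assumptions; `ourdomain.com` is the placeholder domain from the posted header, and the check only makes sense for mail arriving from outside when no external host is authorized to send for that domain.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr
from fnmatch import fnmatchcase

LOCAL_DOMAIN = "ourdomain.com"  # placeholder domain, as in the posted header

# Constructed sample: trimmed from the header posted in the thread.
SELF_SPOOF = """\
Return-path: <honda@kagawaseiko.co.jp>
From: <userg@ourdomain.com>
To: userg@ourdomain.com
Subject: userg
X-Spam-Flag: Yes

body
"""

# Constructed sample: external sender, local address only in the display name.
DISPLAY_NAME_ONLY = """\
Return-path: <billing@vendor.example>
From: "userg@ourdomain.com" <billing@vendor.example>
To: userg@ourdomain.com
Subject: invoice

body
"""

# Constructed sample: the local domain is only a prefix of the real domain.
LOOKALIKE = """\
Return-path: <bounce@ourdomain.com.mail.example>
From: <userg@ourdomain.com.mail.example>
To: userg@ourdomain.com
Subject: notice
X-Spam-Flag: Yes

body
"""


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if none."""
    addr = addr.strip().lower()
    return addr.rpartition("@")[2] if "@" in addr else ""


def header_addresses(msg, name):
    """Parse every address in all occurrences of one header."""
    return [a.lower() for _, a in getaddresses(msg.get_all(name, [])) if a]


def naive_wildcard_hit(raw, local_domain=LOCAL_DOMAIN):
    """Loose text match of 'FROM:*@<domain>*' on the From line (assumed
    semantics, shown only to contrast with parsing the address)."""
    line = "from:" + message_from_string(raw).get("From", "").lower()
    return fnmatchcase(line, "from:*@" + local_domain.lower() + "*")


def evaluate(raw, local_domain=LOCAL_DOMAIN):
    """Return (verdict, findings) for one inbound message from outside."""
    msg = message_from_string(raw)
    from_addrs = header_addresses(msg, "From")
    rcpts = set(header_addresses(msg, "To") + header_addresses(msg, "Cc"))
    envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()

    findings = []
    # The reply's rule: outside mail must not carry a local From address.
    if any(domain_of(a) == local_domain for a in from_addrs):
        findings.append("local-from")
    # The original post's case: the recipient appears as the sender.
    if set(from_addrs) & rcpts:
        findings.append("from-equals-recipient")
    # Envelope sender domain differs from every From domain.
    from_domains = {domain_of(a) for a in from_addrs}
    if envelope and from_addrs and domain_of(envelope) not in from_domains:
        findings.append("envelope-mismatch")
    if msg.get("X-Spam-Flag", "").strip().lower() == "yes":
        findings.append("spam-flag")

    # Quarantine at the gateway first, so the decision does not depend
    # on client-side junk mail rules firing.
    if "local-from" in findings:
        return "quarantine", findings
    if "spam-flag" in findings:
        return "junk", findings
    return "deliver", findings


if __name__ == "__main__":
    for label, raw in [("self-spoof", SELF_SPOOF),
                       ("display-name", DISPLAY_NAME_ONLY),
                       ("lookalike", LOOKALIKE)]:
        print(label, evaluate(raw), "naive:", naive_wildcard_hit(raw))
```

Comparing the parsed address domain exactly keeps the display-name and lookalike samples out of the block rule, while a loose text match on the From line would catch both.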
Anonymous_User Absent Member.

Re: incoming spam bypassing junk mail folder

On 2/19/2019 10:43 AM, KeN Etter wrote:
> Steve,
> Not a direct answer because I don't bother with the junk mail folder
> in GroupWise - I just use the SMG quarantine. I take this tactic. My
> mail server is the only one authorized to send email for my domain. So
> incoming email should never have a from with my domain in it. I have
> added a header filter that checks for "FROM:*@mydomain". If the email
> hits that filter, I block and quarantine it. Stops quite a bit of
> garbage from getting in.
>


We did try that, but we ran into a different problem. In the old version
of GWAVA we had a list of phrases we search for in the message body and
a separate list of items we look for in the header. With the latest
version of SCM, you can only have one text filter on the incoming scan
policy. So we had to choose between the phrases list or the headers.

Knowledge Partner

Re: incoming spam bypassing junk mail folder

On Tue, 19 Feb 2019 17:02:14 GMT, Steve B <cns965+nospam@gmail.com>
wrote:

>We did try that, but we ran into a different problem. In the old version
>of GWAVA we had a list of phrases we search for in the message body and
>a separate list of items we look for in the header. With the latest
>version of SCM, you can only have one text filter on the incoming scan
>policy. So we had to choose between the phrases list or the headers.


Really? I am on the latest version of SMG (rev 598) and I currently
have two header filters in my inbound mail filter policy. And I was
able to drop a message text filter into it also just now. What
happens for you when you try to put more than one text filter in your
policy?

--
Ken
Knowledge Partner

Create and vote for enhancements!
https://www.microfocus.com/products/enhancement-request.html
Anonymous_User Absent Member.

Re: incoming spam bypassing junk mail folder

On 2/19/2019 11:39 AM, KeN Etter wrote:
> Really? I am on the latest version of SMG (rev 598) and I currently
> have two header filters in my inbound mail filter policy. And I was
> able to drop a message text filter into it also just now. What
> happens for you when you try to put more than one text filter in your
> policy?
>

Yes, we are on rev.598 too.
Anytime I add a new 'Message Text' to the policy, the previous 'Message
Text' gets changed to the same as the new.

Example:
Existing 'Message Text', 'Look in message body' checked, words we check
for in the list, connected to 'Admin Quarantine' - works fine

I come back, add another 'Message Text' box, check 'Look in message
header' add "FROM:*@mydomain", connect to 'Message Block', and save

Come back again, open the original 'Message Text' that used to have our
keywords in it, and it now has the contents of the second 'Message Text'
I added.
Knowledge Partner

Re: incoming spam bypassing junk mail folder

On Tue, 19 Feb 2019 18:50:09 GMT, Steve B <cns965+nospam@gmail.com>
wrote:

>Yes, we are on rev.598 too.
>Anytime I add a new 'Message Text' to the policy, the previous 'Message
>Text' gets changed to the same as the new.
>
>Example:
>Existing 'Message Text', 'Look in message body' checked, words we check
>for in the list, connected to 'Admin Quarantine' - works fine
>
>I come back, add another 'Message Text' box, check 'Look in message
>header' add "FROM:*@mydomain", connect to 'Message Block', and save
>
>Come back again, open the original 'Message Text' that used to have our
>keywords in it, and it now has the contents of the second 'Message Text'
>I added.


Hmm...I just checked this and the SMG interface gets screwy with
Message Text filters. I set mine up a long time ago and haven't
modified them since. Let me check on this.

--
Ken
Knowledge Partner

Create and vote for enhancements!
https://www.microfocus.com/products/enhancement-request.html
Knowledge Partner

Re: incoming spam bypassing junk mail folder

On Tue, 19 Feb 2019 19:23:15 GMT, KeN Etter
<ketter@no-mx.forums.microfocus.com> wrote:

>Hmm...I just checked this and the SMG interface gets screwy with
>Message Text filters. I set mine up a long time ago and haven't
>modified them since. Let me check on this.


Steve,
I did some checking. When you create the second filter, you need to
drag it from the left section (Filter Templates), not the right
section (Components). If you drag from the Components section, you
are making a duplicate and that is why changes overwrite. If you drag
from the Filter Templates, it will ask you if you want to create a
separate copy. Tell it Ok and then you can edit it independently.

The interface issue I was seeing was just an artifact that gets
cleaned up after saving.

Give that a shot and let us know how it goes.

--
Ken
Knowledge Partner

Create and vote for enhancements!
https://www.microfocus.com/products/enhancement-request.html
Anonymous_User Absent Member.

Re: incoming spam bypassing junk mail folder

On 2/19/2019 3:38 PM, KeN Etter wrote:
> Steve,
> I did some checking. When you create the second filter, you need to
> drag it from the left section (Filter Templates), not the right
> section (Components). If you drag from the Components section, you
> are making a duplicate and that is why changes overwrite. If you drag
> from the Filter Templates, it will ask you if you want to create a
> separate copy. Tell it Ok and then you can edit it independently.
>
> The interface issue I was seeing was just an artifact that gets
> cleaned up after saving.
>
> Give that a shot and let us know how it goes.
>

That worked.
Thanks.