I'm getting some spam from a very determined spammer. The messages are around about 125k in size, most of which is a massive block of bogus HTML, with a single valid link buried down towards the end, all encoded as base64. The consistent part of the URL is "url387.fmemail.net". I've tried putting this URL in the postfix body_checks, and it doesn't seem to find it. I know amavis-new is working and checking spam, as it finds other things that I've added to /etc/spamassassin/local.cf. For some reason, it's not finding this URL. Here's the section of local.cf:

Code:
    body __BW_SITE21 /url387.fmemail.net/i
    body __BW_SITE22 /fmemail.net/i
    body __BW_SITE23 /url387.fmemail/i
    body __BW_SITE24 /url387/i
    body __BW_SITE25 /fmemail/i
    meta __BW_FMEMAIL (__BW_SITE21 + __BW_SITE22 + __BW_SITE23 + __BW_SITE24 + __BW_SITE25 >= 1)
    score __BW_FMEMAIL 10
    describe __BW_FMEMAIL Variety of spam

I've increased the maximum size of the file to 400k. Does anyone know why this might not be working, or how I can make it work?

Thanks,
Bob
If the sender is the same in all messages, you can use the Postfix Blacklist, in ISPConfig Panel | Email tab | Global Filters.
Unfortunately, the sender isn't the same in any of the messages. It's usually some obfuscated gmail address, such as:

Code:
    To: <my address>
    From: "Home Depot Voucher" <[email protected]>
    Date: Sat, 20 Feb 2021 04:43:40 -0800
    Message-ID: <CAGGSdJfF3KGMsgPAJLzkoRDCNdrOJKvv-piN1a=4RkRtbBWYVQ@mail.gmail.com>
    In-Reply-To: <[email protected]>
    References: <[email protected]>
    Subject: Re: Share your opinion and claim your gift!

I figured out how to flag the ones where they've added random garbage after a "+" in a gmail address, and that works, but that wasn't what was done here.

Thanks,
Bob
Try a uri rule instead of body, e.g.

Code:
    uri BW_FMEMAIL /url387\.fmemail\.net/i

or

Code:
    uri BW_FMEMAIL m,://url387\.fmemail\.net/,i
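
Why the raw-line and body matches in this thread miss while a uri rule hits, shown as an added example that is not part of any post above: a simplified Python model (not Postfix or SpamAssassin code) of the three views of a constructed base64 HTML message. The class and function names are hypothetical, and the sample link path and filler text are made up.

```python
import re
from email import message_from_string
from email.mime.text import MIMEText
from html.parser import HTMLParser

PATTERN = re.compile(r"url387\.fmemail\.net", re.I)  # host name from the thread


class SplitHTML(HTMLParser):
    """Collect visible text and link targets separately (hypothetical helper)."""

    def __init__(self):
        super().__init__()
        self.text, self.uris = [], []

    def handle_data(self, data):
        self.text.append(data)

    def handle_starttag(self, tag, attrs):
        self.uris += [v for k, v in attrs if k in ("href", "src") and v]


def build_sample():
    # Constructed message: filler HTML plus one link, sent as base64.
    html = ("<html><body>" + "<p>lorem ipsum</p>" * 50 +
            '<a href="http://url387.fmemail.net/ls/click?x=1">Claim your gift</a>'
            "</body></html>")
    return MIMEText(html, "html", "utf-8").as_string()


def check(raw):
    msg = message_from_string(raw)
    decoded = msg.get_payload(decode=True).decode("utf-8")
    parser = SplitHTML()
    parser.feed(decoded)
    return {
        # Like Postfix body_checks: regex over raw lines, base64 not decoded
        "raw_lines": any(PATTERN.search(line) for line in raw.splitlines()),
        # Approximates a body rule: decoded text with the HTML markup removed
        "rendered_text": bool(PATTERN.search(" ".join(parser.text))),
        # Approximates a uri rule: link targets taken from the decoded HTML
        "uris": any(PATTERN.search(u) for u in parser.uris),
    }


if __name__ == "__main__":
    print(check(build_sample()))
```

The host name only exists inside the `href` attribute, so it is absent from both the base64 lines and the rendered text, and only the extracted-URI view contains it.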