Amavis-new configuration

Discussion in 'Installation/Configuration' started by Bob White, Feb 21, 2021.

  1. Bob White

    Bob White Member

    I'm getting some spam from a very determined spammer. The messages are around 125k in size, most of which is a massive block of bogus HTML, with a single valid link buried down towards the end, all encoded as base64. The consistent part of the url is "url387.fmemail.net".
    I've tried putting this url in the postfix body_checks, and it doesn't seem to find it.
    I know amavis-new is working and checking spam, as it finds other things that I've added to /etc/spamassassin/local.cf. For some reason, it's not finding this url. Here's the section of local.cf:
    Code:
    # Sub-rules: names starting with "__" match but are never scored on their own
    body            __BW_SITE21     /url387\.fmemail\.net/i
    body            __BW_SITE22     /fmemail\.net/i
    body            __BW_SITE23     /url387\.fmemail/i
    body            __BW_SITE24     /url387/i
    body            __BW_SITE25     /fmemail/i
    # The scored rule needs a name without the "__" prefix, otherwise SpamAssassin
    # treats it as a sub-rule too and ignores the score line
    meta            BW_FMEMAIL      (__BW_SITE21 + __BW_SITE22 + __BW_SITE23 + __BW_SITE24 + __BW_SITE25 >= 1)
    score           BW_FMEMAIL      10
    describe        BW_FMEMAIL      Variety of spam
    
    I've increased the maximum size of the file to 400k. Does anyone know why this might not be working, or how I can make it work?
    Thanks,
    Bob
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    If the sender is the same in all messages, you can use the Postfix Blacklist, in ISPConfig Panel | Email tab | Global Filters.
     
  3. Bob White

    Bob White Member

    Unfortunately, the sender isn't the same in any of the messages. It's usually some obfuscated gmail address, such as:
    Code:
    To: <my address>
    From: "Home Depot Voucher" <[email protected]>
    Date: Sat, 20 Feb 2021 04:43:40 -0800
    Message-ID: <CAGGSdJfF3KGMsgPAJLzkoRDCNdrOJKvv-piN1a=4RkRtbBWYVQ@mail.gmail.com>
    In-Reply-To: <[email protected]>
    References: <[email protected]>
    Subject: Re: Share your opinion and claim your gift!
    I figured out how to flag the ones where they've added random garbage after a "+" in a gmail address, and that works, but that wasn't what was done here.
    Thanks,
    Bob
     
  4. Jesse Norell

    Jesse Norell ISPConfig Developer, Staff Member

    Try a uri rule instead of body, e.g.
    Code:
    uri  BW_FMEMAIL  /url387\.fmemail\.net/i
    or
    Code:
    uri  BW_FMEMAIL m,://url387\.fmemail\.net/,i
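    The reason the uri rule works where the body rules did not, shown as an added example that is not code from this thread or from SpamAssassin: body rules run against the rendered text of the message (transfer encoding decoded, HTML tags stripped), while uri rules run against the URIs SpamAssassin extracts from href/src attributes and bare URLs in text. A link whose visible anchor text never names the host is therefore invisible to a body rule. The two helpers below imitate that split; the sample message, its addresses and the link path are constructed, only the hostname url387.fmemail.net comes from the thread.

```python
"""Why a SpamAssassin `body` rule misses a link that only lives in an HTML href
while a `uri` rule catches it.

Added example, not code from the thread or from SpamAssassin.  The renderer and
URI extractor only imitate SpamAssassin's behaviour; the sample message is
constructed, only the hostname url387.fmemail.net is taken from the thread.
"""
import base64
import email
import re
from email import policy
from html.parser import HTMLParser

# Same pattern as the suggested `uri` rule, dots escaped.
HOST_RE = re.compile(r"url387\.fmemail\.net", re.I)


class _Renderer(HTMLParser):
    """Split HTML into visible text (what `body` sees) and URIs (what `uri` sees)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.text, self.uris = [], []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.uris.append(value)

    def handle_data(self, data):
        self.text.append(data)


def rendered_body_and_uris(raw: bytes):
    """Decode every text part (base64/QP handled by the email package) and
    return (rendered body text, list of extracted URIs)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body, uris = [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            r = _Renderer()
            r.feed(part.get_content())
            body.append("".join(r.text))
            uris.extend(r.uris)
        elif ctype == "text/plain":
            text = part.get_content()
            body.append(text)
            uris.extend(re.findall(r"https?://\S+", text))
    return "\n".join(body), uris


def body_rule_hits(raw: bytes) -> bool:
    """Imitates a `body` rule on HOST_RE: searches only the rendered text."""
    body, _ = rendered_body_and_uris(raw)
    return HOST_RE.search(body) is not None


def uri_rule_hits(raw: bytes) -> bool:
    """Imitates a `uri` rule on HOST_RE: searches each extracted URI."""
    _, uris = rendered_body_and_uris(raw)
    return any(HOST_RE.search(u) for u in uris)


def _message(content_type: str, payload: str) -> bytes:
    """Constructed single-part message, base64 encoded like the spam in the thread."""
    b64 = base64.encodebytes(payload.encode()).decode()
    return (
        'From: "Home Depot Voucher" <sender@example.com>\r\n'
        "To: victim@example.org\r\n"
        "Subject: Re: Share your opinion and claim your gift!\r\n"
        "MIME-Version: 1.0\r\n"
        f"Content-Type: {content_type}; charset=us-ascii\r\n"
        "Content-Transfer-Encoding: base64\r\n\r\n" + b64
    ).encode()


def html_sample() -> bytes:
    """Padding HTML plus one link whose visible text never names the host."""
    filler = "<p>Share your opinion and claim your gift!</p>" * 200
    link = '<a href="https://url387.fmemail.net/ls/click?upn=abc123">Click here</a>'
    return _message("text/html", f"<html><body>{filler}{link}</body></html>")


def plain_sample() -> bytes:
    """Same link written out in a text/plain part, so a body rule also sees it."""
    return _message("text/plain", "Claim here: https://url387.fmemail.net/ls/click?upn=abc123\n")


if __name__ == "__main__":
    for name, sample in (("html", html_sample()), ("plain", plain_sample())):
        print(f"{name}: body rule={body_rule_hits(sample)}  uri rule={uri_rule_hits(sample)}")
```

    To check the real rule rather than this imitation: after adding the uri rule to /etc/spamassassin/local.cf, run `spamassassin --lint` to catch syntax errors, save one of the spam messages to a file and run `spamassassin -t < spam.eml`, and look for BW_FMEMAIL in the test report at the end of the output. amavisd-new loads the SpamAssassin rules at startup, so restart or reload it once the rule lints cleanly. The uri rule matches against the whole URI including path and query string, so anchor it on the host part; a spammer who moves to a redirector on a different host will need a new rule.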
     
