Techtech

Tue Nov 8, 2016, 10:38 AM

Dumb Outlook Spam question

Does anybody know if there is a way to create a rule based on not the sender's domain (they're all spoofed) but instead based upon a certain hyperlink in the body of the email itself?

Apparently half of Eastern Europe wants to have sex with me and I'm getting tired of all these spam emails.

15 replies, 300 views


Response to Currentsitguy (Original post)

Tue Nov 8, 2016, 10:43 AM

1. You should be flattered.



Response to The Center Holds (Reply #1)

Tue Nov 8, 2016, 10:45 AM

2. Not so much

I was already married to a Russian. It didn't turn out so well. She decided my "best friend" was more fun in bed.



Response to Currentsitguy (Original post)

Tue Nov 8, 2016, 10:47 AM

3. In the rules wizard template

you can set a rule based on a particular word or words in the subject, but I am not sure about the body.



Response to ProudNYSTaxPayer (Reply #3)

Tue Nov 8, 2016, 10:49 AM

4. You can even do words in the body

I'm just not seeing an option for a specific domain hyperlinked in the body. It may not be an option. They all seem to point to http://sexy-dream4.top (don't click on the link!!!)



Response to Currentsitguy (Reply #4)

Tue Nov 8, 2016, 10:52 AM

5. you should be able to treat that as a word though

since it is still a string.



Response to ProudNYSTaxPayer (Reply #5)

Tue Nov 8, 2016, 11:02 AM

6. I'll have to try that.

Thanks!



Response to Currentsitguy (Reply #6)

Tue Nov 8, 2016, 11:12 AM

7. NP

Please let me know if it works; if not, I will try and find you another solution.



Response to ProudNYSTaxPayer (Reply #7)

Tue Nov 8, 2016, 11:14 AM

8. I will

The next one I get, which will be just about any minute now.



Response to Currentsitguy (Original post)

Tue Nov 8, 2016, 11:48 AM

9. Here's something that might help.

You should be able to set filters/rules for the message body.

https://www.msoutlook.info/question/220

You may also want to look into using ZoneAlarm. It scans for all incoming domains with email scan. Not sure if this is fine-tunable with the freeware version, but give it a shot and it should be.

You also should be able to open the email's header information and that will reveal the source IP address. You can then enter that manually into ZoneAlarm if need be and you should also then be able to enter a country's designated range of IP addresses and block everything coming from that country.

The how-tos on all this are easily searchable on Google.

If you really would like to see absolutely everything going out and everything coming in, get Wireshark, it's shareware. That's a pro Network Analyzer or packet sniffer utility. It's extremely sophisticated, but with a little (hours) of monkeying around you'll figure out how to designate/configure the capture interface.

If you use WS, and if these emails are coming in often enough, that'll make it easier to match up the time stamps to incoming packets and get not just the IP address, but also the MAC address.

With the IP address, you'll want to do a WHOIS lookup on the net. This might tell you some valuable info, but if the source is behind a proxy server or if the source is coming out of dark net, you've got problems and may simply need a new email address.

Good luck.



Response to It Guy (Reply #9)

Tue Nov 8, 2016, 11:50 AM

10. What is your opinion of

GFI Mail Essentials?



Response to Currentsitguy (Reply #10)

Tue Nov 8, 2016, 12:37 PM

11. It's server based. Are you running a server?

It also says that you can set up white lists and black lists. That's essentially what ZoneAlarm does and anything not on those lists will be flagged for your attention before being allowed on your system.



Response to It Guy (Reply #11)

Tue Nov 8, 2016, 12:52 PM

12. Yup

Exchange 2013 on Server 2008 R2. I actually have my Exchange MCP, this was just a situation I've never encountered before.



Response to Currentsitguy (Reply #12)

Tue Nov 8, 2016, 01:28 PM

13. Well, then it sounds like it may do the job. Is your server behind a NAT and DMZ?

If so, I'd think there would be a way to block the source IP there too.
Personally, I'd prefer using what I have that'll do the job before I'd spend money and go through another learning curve with additional software.

That's what I hated about IT. The endless learning to stay on top of tech and threats.



Response to It Guy (Reply #13)

Tue Nov 8, 2016, 02:07 PM

14. That's the problem

There is no one source. If I were to venture a guess they are coming from a botnet. I have tracerouted several and they appear to be coming from all over the world. The one, and only one, point in common is they all have some hyperlinked text that leads back to a specific domain, hence the reason I was looking to either block, or at least devise a rule, that would parse the body of the email for the embedded hyperlink.

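Added example, not part of any post in this thread: a sketch of the check described in reply #14, matching on the host that a message's links actually point to rather than on the sender or the visible link text. The sample messages and the names `link_hosts` and `is_blocked` are constructed for illustration; the blocked domain is the one quoted in reply #4.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

BLOCKED_DOMAINS = {"sexy-dream4.top"}  # domain quoted in reply #4
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)  # bare URLs in plain text

# Constructed sample messages: spoofed sender, link hidden behind display text.
SAMPLE_SPAM = (
    b'From: "Anna" <anna@spoofed-sender.example>\r\n'
    b"Subject: hi\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b'<p><a href="http://WWW.sexy-dream4.top/p?id=1">See my photos</a></p>\r\n'
)
# Same message, but the blocked name appears only in the URL path, not the host.
SAMPLE_CLEAN = SAMPLE_SPAM.replace(
    b"http://WWW.sexy-dream4.top/p?id=1", b"https://example.org/sexy-dream4.top")

class _HrefCollector(HTMLParser):
    """Collects the href of every <a> tag; the display text is ignored."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def _host(url):
    try:
        return urlsplit(url).hostname  # lower-cased; None for mailto:, relative
    except ValueError:                 # malformed URL, e.g. bad IPv6 brackets
        return None

def link_hosts(raw_message: bytes) -> set:
    """Hosts of all links found in the text/html and text/plain parts."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    urls = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = _HrefCollector()
            collector.feed(part.get_content())
            urls += collector.hrefs
        elif part.get_content_type() == "text/plain":
            urls += URL_RE.findall(part.get_content())
    return {h for h in map(_host, urls) if h}

def is_blocked(raw_message: bytes, blocked=BLOCKED_DOMAINS) -> bool:
    """True if any link host equals a blocked domain or is a subdomain of it."""
    return any(h == d or h.endswith("." + d)
               for h in link_hosts(raw_message) for d in blocked)
```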


Response to Currentsitguy (Reply #14)

Tue Nov 8, 2016, 02:53 PM

15. Just curious, did you try googling the hypertext? You may also try googling the body of the

text to see what comes up. You'd be surprised at what you may find and possible solutions to stop it.

Just an FYI, there are hacker groups out there and for a sum, a few hundred or less, would mount an attack on the destination. There may be many proxy IPs, but there will be one destination IP. Some of those guys would relish the assault.

I once had a person give me a bunch of crap and accusations that I was fucking with his accounts and had threatened me with the FBI. This, after I had told him he needed to set up his own accounts and keep his passwords to himself. What did he do? He told his Muslim friends his password to his FB account, and from there they got into his Apple account.

I took just a little offense with the moron and listed his email address to a spam list that was guaranteed to fill up his inbox with ten thousand spam mails a day. I guess he had to learn after that.
