RE: Filtering rules

LEFBE — Thu, 06 Jul 2017 09:29:49 GMT

Hello Julia,

Below a suggested rule:
Please note you need to adapt it based on your needs:

In this rule the following actions are done:

Check if envelope from contains @gmail.com, @outlook.com, @hotmail.com (please note you can also check for header from)
- If true
  - then check if the subject contains SEO
  - if true
    - then add value into message_log file (here : SEO_DETECTED) and add tag into the subject (here : [SEO DETECTED] )

Finally, the PMX Rule:

# attr NAME=Security Rules - SEO detection
    if anyof(envelope :comparator "i;ascii-casemap" :all :contains ["from"]
                      ["@gmail.com"],
             envelope :comparator "i;ascii-casemap" :all :contains ["from"]
                      ["@outlook.com"],
             envelope :comparator "i;ascii-casemap" :all :contains ["from"]
                      ["@hotmail.com"])
    {
        pmx_mark1 "External_IPBlock";
        # attr NAME=Security Rules - SEO detection in subject
        if header :comparator "i;ascii-casemap" :contains ["Subject"] ["SEO"] {

pmx_mark1 "SEO_DETECTED";
pmx_replace_header :index 0 "Subject" "[SEO DETECTED] %%SUBJECT:h_utf8%%";
}
}

I Hope this information help you.

Best regards,

RE: Filtering rules

Jens Pönninghaus — Wed, 05 Jul 2017 04:42:20 GMT

Hi,

since I am only familar with Puremessage for Unix, the following might not apply to whatever you are referring to as 'Puremessage'.

Since there was no answer within the last couple of weeks, I am tempted to assume that there is no (known) easy way to get this done without substantial changes to the (sieve) policy or your setup.

From my perspective, the most natural approach would be to try to create a custom spam-rule for that in order to adjust the weights. I'm asking for means to create site specific composite rules, e.g. (featuretest1 && featuretest2), once in a while for about a decade but didn't see any 'improvements/comebacks'. The typical suggested workaround was to provide samples to have the rule set adjusted.
You might look into having two independent 'simple' tests with moderate weights, but that will most probably introduce trouble in the sets of mails having feature 1 or 2 but not both but some other independent feature(s) that might give enough additional weight to sink the boat. So in almost all cases where I checked that that approach it was to coarse to give reliable coverage with little risk of collateral damage.
Next option is to 'hard' code those tests in your policy as nested allof/anyof is available as well as substring tests for subject and e.g. envelope from address.
Another option is to have an additional (pmx derived or totally independent) milter hooked to your MTA to do that job.
So, in principle you can 'create' a filter in Puremessage to get that done (btw. what is 'come from <domain>' actually referring to in a technical sense, e.g. env-from, header-from, dns domain of connecting ip, ...) but probably not the way that would seem most natural to us and which I would prefer to have at hand for those cases that are highly site specific and which might need some adjustment from time to time.

Hope this helps or stimulates feedback that gives new thoughts and insights to a very long lasting topic.

Best regards
Jens