Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 1 subscriber
  • Views 1309 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

F.U. messages by the thousands

JoseTech
I have a user that's been receiving these messages
"F U - ADVcXOLXYS - 5c3614192386b8b71947c802d832350d"
(without the abbreviation) by the thousands today.
I'm not sure how to block those, but also, how do I delete the ones that are in the ASG appliance right now?

This is in the header:
Received: from [112.213.94.51] (port=41931 helo=ns.dedicatedpa.vn)
by secapp.domain.us with esmtps (TLSv1:AES256-SHA:256)
(Exim 4.76)
(envelope-from )
id 1UPxR5-0007MX-19
for user@domain.us; Wed, 10 Apr 2013 11:59:47 -0400
Received: from apache by ns.dedicatedpa.vn with local (Exim 4.69)
(envelope-from )
id 1UPxHh-0000lX-3S
for user@domain.us; Wed, 10 Apr 2013 22:50:05 +0700
X-CTCH-RefID: str=0001.0A020204.51658C73.0248,ss=1,re=0.000,fgs=0

I'll be opening an incident, but I wanted to get some ideas here.

Thanks


This thread was automatically locked due to age.
  • 0
    Is that the complete header?  Assuming that your SMTP Proxy receives all of these from 112.213.94.51, you could DNAT to nowhere all traffic from that server to your "External (Address)".

    If all of the spams are from , you could blacklist that sender.

    If all of the emails have F*** You, then you could put the phrase into the 'Expression filter'.

    To delete large blocks of messages at a time, open the Mail Manager, put F*** You into the box for 'Sender/Rcpt/Subject substring' and select "1000 entries per page."  Now you can click the select box in the title line to select all of the displayed spams and "Delete" them all at the bottom of the page.  You might want to exxperiment with 20 entries first just to be sure you have things set the way you want.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0
    Thanks much for the suggestions.
    I had blacklisted the sender and I blocked F.U. in the expression filter (I might leave that one in there forever).
    I didn't think of the Mail Manager, I handled that on the client side, I left the messages go through and then deleted them.
    Next time I'll use Mail Manager for sure.

    Jose
  • 0
    If you want to "punish" the end user, he can do the same thing in the User Portal. [;)]

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Unfiltered HTML