Community Discussions and Support
Google spam

[quote]Has anyone written a rule similar to this?  What works for you, other than blocking Google mail outright?[/quote]

I use POPFileD and POPFile and it catches all of the 419'ers regardless of sender. It's hands off since it's analyzing the message body for the spam.

 


I'm trying to come up with a general purpose rule to deal with the 419'ers hiding behind Google mail.  Below are the headers from a typical Google spam:

Return-path: <johnbasil005@torba.com>
Received: from ag-out-0708.google.com (72.14.246.240) by BKBUSA.COM (Mercury/32 v4.62) with ESMTP ID MG0000AD;
   9 Jul 2008 11:03:03 -0400
Received: by ag-out-0708.google.com with SMTP id 22so18158421agd.8
        for <gfy@bkbusa.com>; Wed, 09 Jul 2008 08:02:52 -0700 (PDT)
Received: by 10.90.94.2 with SMTP id r2mr8651250agb.46.1215615772424;
        Wed, 09 Jul 2008 08:02:52 -0700 (PDT)
Received: by 10.90.25.20 with HTTP; Wed, 9 Jul 2008 08:02:52 -0700 (PDT)
Message-ID: <705bb4920807090802u3854eabfq7c4135588e2cf71f@mail.gmail.com>
Date: Wed, 9 Jul 2008 17:02:52 +0200
From: "john basil" <johnbasil005@torba.com>
Subject: I HAVE RESGISTERED YOUR CERTIFIED CONSIGNMENT WITH IMPEX
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_Part_7012_2690575.1215615772418"
X-Blocked: BOFH
X-CC-Diagnostic: Body contains "Africa" (40)
X-PMFLAGS: 570950016 0 1 6C60F058.CNM            

What I have in mind is a rule that checks for the presence of a Google mail server - i.e. "Received: from ag-out-0708.google.com" - and has a return address - i.e. "Return-path: <johnbasil005@torba.com>" - other than a @gmail.com address.

Has anyone written a rule similar to this?  What works for you, other than blocking Google mail outright? 


[quote user="mgolden"]What I have in mind is a rule that checks for the presence of a Google mail server - i.e. "Received: from ag-out-0708.google.com" - and has a return address - i.e. "Return-path: <johnbasil005@torba.com>" - other than a @gmail.com address.[/quote]

That should work: 

IF HEADER "Received" MATCHES "*.google.com *" WEIGHT 101

ANDNOT SENDER CONTAINS "@gmail.com"

Best regards,

 Nico

Edit: Rule changed, it triggered the other way around (gmail sender but no gmail received-by header)
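
Added example, not part of the original posts and not Mercury rule syntax: the same check (Google relay in "Received", Return-path domain other than gmail.com) written in Python so it can be tried against saved headers. It assumes that only the top `trusted_hops` Received headers were written by your own server (lower ones are supplied by the sender); the function names and the `trusted_hops` parameter are made up for this illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a subset of the headers quoted in the original post.
SAMPLE = (
    "Return-path: <johnbasil005@torba.com>\n"
    "Received: from ag-out-0708.google.com (72.14.246.240) by BKBUSA.COM"
    " (Mercury/32 v4.62) with ESMTP ID MG0000AD;\n"
    "   9 Jul 2008 11:03:03 -0400\n"
    "Received: by ag-out-0708.google.com with SMTP id 22so18158421agd.8\n"
    "        for <gfy@bkbusa.com>; Wed, 09 Jul 2008 08:02:52 -0700 (PDT)\n"
    'From: "john basil" <johnbasil005@torba.com>\n'
    "\n"
)

FROM_HOST = re.compile(r"from\s+([A-Za-z0-9.-]+)", re.IGNORECASE)

def in_domain(host, domain):
    """Suffix match on a label boundary, so 'notgoogle.com' does not count."""
    return host == domain or host.endswith("." + domain)

def relay_hosts(msg, trusted_hops=1):
    """'from' hosts of the top Received headers (assumed written by our server)."""
    hosts = []
    for value in (msg.get_all("Received") or [])[:trusted_hops]:
        m = FROM_HOST.match(value.strip())  # folded headers keep their whitespace
        if m:
            hosts.append(m.group(1).lower().rstrip("."))
    return hosts

def google_relay_non_gmail(raw, trusted_hops=1):
    """True when a trusted hop names a google.com host and the Return-path
    has a domain other than gmail.com (empty bounce paths are not flagged)."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("Return-path", ""))
    domain = addr.rpartition("@")[2].lower()
    via_google = any(in_domain(h, "google.com")
                     for h in relay_hosts(msg, trusted_hops))
    return via_google and bool(domain) and domain != "gmail.com"

if __name__ == "__main__":
    print(google_relay_non_gmail(SAMPLE))
```

Mail from other domains hosted on Google's mail service also arrives through google.com relays with a non-gmail.com return path, so this check matches that legitimate mail too.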
