Blacklist email address notification?

Blacklist email address notification? - 5.May2009 9:37:21 AM
Ytsejamer1
Posts: 136
Joined: 7.Mar.2006
Status: offline

Hey everyone! I have a question which I would have hoped the answer would be found in the email blacklist option of ME...but alas, it's not there. We're getting emails from a particular email address which is mildly harassing for a few of our users. I'd like to set up some way to be notified when we receive an email from this particular email address. Does anyone know any way to get that going? I'm doing some Google searches, but unfortunately I haven't found anything as of yet.

And as a postscript, I'd like to make a feature request or two for the blacklist:

1) In the log for the blacklist, I want to know which email address the email came from that was blacklisted. Currently it only tells me the time, the subject, and which recipients the email was going to...NOT FROM. When I was searching to find a record of if this user had emailed to us...the blacklist log was pretty much useless for that.

2) In the options for the blacklist, I'd like the ability to set notifications to go out to a particular group or user if an email comes in from a blacklisted email address. Maybe make an option for each entry, default action will be no notification for each new entry. But it would allow us to select notification as needed.

Thanks!

RE: Blacklist email address notification? - 11.May2009 2:16:53 AM
RSP
Posts: 1447
Joined: 31.Oct.2006
From: The East Riding of Yorkshire, UK
Status: offline

If your ME is on the Exchange server, use Exchange's Sender Filtering, and archive the messages. Create a script to check for new email in the archive folder and email an admin.

RE: Blacklist email address notification? - 11.May2009 9:42:49 AM
Ytsejamer1
Posts: 136
Joined: 7.Mar.2006
Status: offline

Hey RSP... Thanks for the post back... Our GFI server is on a standalone member server. It then forwards mail for our domain to one of our exchange servers through the smarthost IP in the SMTP config for our domain. I thought about maybe implementing another SMTP sink script (we have one that removes read receipts from incoming mail)...but don't know enough to write something myself...ie, if mailfrom address = emailaddy, fwd to engineers@whatever. I've googled on this and can't find a damn thing.

RE: Blacklist email address notification? - 11.May2009 10:11:45 AM
RSP
Posts: 1447
Joined: 31.Oct.2006
From: The East Riding of Yorkshire, UK
Status: offline

This should help you in your quest...! Change the 'from=*' http://support.microsoft.com/kb/324021

RE: Blacklist email address notification? - 14.May2009 12:59:50 PM
Ytsejamer1
Posts: 136
Joined: 7.Mar.2006
Status: offline

Hey RSP! That is great. I'm working on it now although I really am not sure what I'm supposed to put in my version of the vbs script that Microsoft tells you to create. In the case of the KB article you reference...Catchall.vbs script isn't what I need to have happen. I did find the first part in the mail from=* and have updated that to reflect the address I'm looking to be notified when it comes in. Now I need to figure out how to get it to email me or our group. I don't want to have all mail@mydomain come to my mailbox...or the group address. I guess it wouldn't if the mail from=booevilspammeraddress. RSP...if you can, try and email my handle here at GFI @ hotmail. Much appreciate it!

RE: Blacklist email address notification? - 14.May2009 1:22:28 PM
RSP
Posts: 1447
Joined: 31.Oct.2006
From: The East Riding of Yorkshire, UK
Status: offline

From what I saw, you need to edit the catchall.vbs and replace the bob@ with your email addr. Replace from=* with from=evilspammer@somewhere. Will check later.

RE: Blacklist email address notification? - 14.May2009 1:55:28 PM
Ytsejamer1
Posts: 136
Joined: 7.Mar.2006
Status: offline

I think I've got it...and have finagled a way to not send the email in a loop around our system. The third command, delprop, worries me a bit. I'm not entirely sure what is happening and when. I just have to be somewhat careful...I have no lab to mess around in.

RE: Blacklist email address notification? - 15.May2009 5:01:56 AM
RSP
Posts: 1447
Joined: 31.Oct.2006
From: The East Riding of Yorkshire, UK
Status: offline

Having looked at it again, I think the delprop will delete the "mail from=myspammer" part of the rule. Remove it from your setup.

Here's a set of scripts for you - get the smtpreg.vbs from the KB, and change the "mydomain.com", "myspammer" and script location as appropriate. If you want different recipients, you'll need different catchemail.vbs scripts as appropriate. If you want to trap more than one sender, then you'll need to change the "SMTPScriptingCatchAll" to something unique for the second sender. The 1 in catch.cmd indicates to use SMTP instance 1. Note I haven't tried it, but I've adapted it from a live catch-all.

catch.cmd quote:
cscript //nologo smtpreg.vbs /add 1 onarrival SMTPScriptingCatchAll CDO.SS_SMTPOnArrivalSink "mail from=myspammer@somewhere.com"
cscript //nologo smtpreg.vbs /setprop 1 onarrival SMTPScriptingCatchAll Sink ScriptName c:\ExchangeScripts\CatchEmail.vbs
catchemail.vbs quote:
<SCRIPT LANGUAGE="VBSCRIPT">
'
' Based on MSKB 324021
'
Option Explicit
'
' For information about this namespace, see
' http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cdosys/html/_cdosys_schema_smtpenvelope.asp
'
Const RECIP_LIST = "http://schemas.microsoft.com/cdo/smtpenvelope/recipientlist"
'
' For information about the CdoEventStatus enumeration, see
' http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cdosys/html/_cdosys_cdoeventstatus_enum.asp
'
Const CDO_RUN_NEXT_SINK = 0
'
' Domain names of interest
' -- these can be pulled from AD (Recipient Policies and Internet Message Formats) - but it's slow
'
Const strEmailDomainName1 = "@mydomain.com" '' make sure these are in lower case
Const strEmailDomainName2 = "@mydomain.com"
'
' Email address to forward received email to if destination address isn't valid for the destination domain
'
Const strDestinationEmail = "smtp:me@mydomain.com;" '' make sure this is in lower-case, starts with "smtp:" and ends with ";"
'
' For Application Event Log entries
'
Const EVENT_SUCCESS = 0
Const EVENT_ERROR = 1
'
'
Const bDebug = False
'
Dim oRootDSE    ' (ActiveDs.IADs) directory services root object
Dim varDomainNC ' (String) the domain naming context, will be a string of the form "DC=brnets,DC=int"
Dim StartTime   ' (Float) Time the program started
Dim EndTime     ' (Float) Time the real work in the program ended
Dim objShell    ' (WScript.Shell) Used for logging
Dim Conn        ' (ADODB.Connection) Connection to Active Directory
Dim Com         ' (ADODB.Command) Active Directory LDAP command
Dim Rs          ' (ADODB.Recordset) Result-set from AD LDAP command

Sub IEventIsCacheable_IsCacheable()
    ' just returns S_OK
End Sub

'
' OnArrival sink entry point
'
Sub ISMTPOnArrival_OnArrival (ByVal Msg, EventStatus)
    Dim objFields
    Dim strInput
    Dim strOutput
    On Error Resume Next
    If DoSetup () Then
        Set objFields = Msg.EnvelopeFields
        strInput = objFields (RECIP_LIST).Value
        If bDebug Then
            objShell.LogEvent EVENT_SUCCESS, "Event sink input: '" & strInput & "'"
        End If
        If Len (strInput) > 0 Then
            strOutput = FixupRecipientList (strInput)
            objFields (RECIP_LIST).Value = strOutput
            objFields.Update
            Msg.DataSource.Save ' Commit changes
        End If
        If bDebug Then
            objShell.LogEvent EVENT_SUCCESS, "Event sink output: '" & strOutput & "' time = " & (Timer - StartTime)
        End If
        Call DoCleanup ()
    End If
    EventStatus = CDO_RUN_NEXT_SINK
End Sub

Function SearchForAddress (ByVal strAddress)
    '
    ' Make an LDAP query for the address. It should have the "SMTP:" in front, but the terminal ';' stripped
    '
    Dim strQuery ' As String
    Dim Address  ' As String
    SearchForAddress = True ' everything is fine so far
    On Error Resume Next
    strQuery = "<LDAP://" & varDomainNC & ">;(proxyAddresses=" & strAddress & ");userprincipalname"
    If bDebug Then
        objShell.LogEvent EVENT_SUCCESS, "LDAP Query String: '" & strQuery & "'"
    End If
    Com.ActiveConnection = Conn
    Com.CommandText = strQuery
    Err.Clear
    Set Rs = Com.Execute
    If Err.Number <> 0 Then
        objShell.LogEvent EVENT_ERROR, "Com.Execute " & Err.Number & " " & Err.Description
        SearchForAddress = False ' arguably, this should be true
        Exit Function
    End If
    ' Iterate through the results.
    While Not Rs.EOF
        ' If we get here, the address was found in AD. That's all we care about.
        Rs.Close
        Exit Function
    Wend
    ' Done with this LDAP query
    Rs.Close
    ' Address of interest was not found in AD
    SearchForAddress = False
End Function

Function DoSetup ()
    On Error Resume Next
    StartTime = Timer
    DoSetup = True ' everything is OK so far
    Set oRootDSE = GetObject("LDAP://RootDSE")
    varDomainNC = oRootDSE.Get ("defaultNamingContext")
    'WScript.Echo "Domain Naming Context: " & varDomainNC
    Err.Clear
    Set objShell = CreateObject ("WScript.Shell")
    If Err.Number <> 0 Then
        ' Can't log an error - don't have any way to!
        DoSetup = False
        Set oRootDSE = Nothing
        Exit Function
    End If
    Err.Clear
    set Conn = CreateObject ("ADODB.Connection")
    If Err.Number <> 0 Then
        objShell.LogEvent EVENT_ERROR, "Conn.Create " & Err.Number & " " & Err.Description
        DoSetup = False
        Set oRootDSE = Nothing
        Set objShell = Nothing
        Exit Function
    End If
    Err.Clear
    set Com = CreateObject ("ADODB.Command")
    If Err.Number <> 0 Then
        objShell.LogEvent EVENT_ERROR, "Com.Create " & Err.Number & " " & Err.Description
        DoSetup = False
        Set oRootDSE = Nothing
        Set objShell = Nothing
        Set Conn = Nothing
        Exit Function
    End If
    ' Open the connection.
    Conn.Provider = "ADsDSOObject"
    Err.Clear
    Conn.Open "ADsDSOObject"
    If Err.Number <> 0 Then
        objShell.LogEvent EVENT_ERROR, "Conn.Open " & Err.Number & " " & Err.Description
        DoSetup = False
        Set oRootDSE = Nothing
        Set objShell = Nothing
        Set Conn = Nothing
        Set Com = Nothing
        Exit Function
    End If
End Function

Sub DoCleanup ()
    Conn.Close
    Set objShell = Nothing
    Set Com = Nothing
    Set Conn = Nothing
    Set Rs = Nothing
    Set oRootDSE = Nothing
End Sub

'
' Change any unknown email addresses for strEmailDomainName to strDestinationEmail
'
Function FixupRecipientList (strList)
    Dim strL         ' left-most entry of recipientlist
    Dim lenL         ' length of the entry - Len (strL)
    Dim strTemp      ' what's left of the original recipientlist
    Dim lenTemp      ' length of strTemp
    Dim strFixedList ' the rewritten recipientlist
    Dim i            ' location of the next semi-colon in the recipientlist
    Dim bFound       ' was the address found in AD?
    strTemp = LCase (strList)
    strFixedList = ""
    Do
        i = InStr (strTemp, ";")
        If i = 0 Then
            ' no more semi-colons, we are at the end of the list
            strL = strTemp
            lenL = Len (strL)
            strTemp = ""
            lenTemp = 0
        Else
            strL = Left (strTemp, i)
            lenL = i
            strTemp = Right (strTemp, Len (strTemp) - i)
            lenTemp = Len (strTemp)
        End If
        If lenL > 0 Then
            If (InStr (strL, strEmailDomainName1) = 0) And (InStr (strL, strEmailDomainName2) = 0) Then
                ' this address does not contain the email domain of interest
                strFixedList = strFixedList & strL
            Else
                If i > 0 Then
                    bFound = SearchForAddress (Left (strL, lenL - 1)) ' strip terminal ";"
                Else
                    bFound = SearchForAddress (strL)
                End If
                If Not bFound Then
                    ' address entry not found, so point to catchall address
                    strFixedList = strFixedList & strDestinationEmail
                Else
                    ' address entry was found, don't change it
                    strFixedList = strFixedList & strL
                End If
            End If
        End If
    Loop While lenTemp > 0
    FixupRecipientList = strFixedList
End Function
</SCRIPT>
RemoveCatch.cmd quote:
cscript //nologo smtpreg.vbs /remove 1 onarrival SMTPScriptingCatchAll

RE: Blacklist email address notification? - 19.May2009 2:34:45 PM
Ytsejamer1
Posts: 136
Joined: 7.Mar.2006
Status: offline

RSP...you are the man. However, I have another sink script that removes read receipts from anyone@our domain in addition to anyone@ourolddomainname. All that was needed was putting mail from=*@domainname;mail from=*@oldname. I had assumed I could just put any mail from addresses in the single SMTPScriptingCatchall. In any case...I will be furthering my work on this. Many thanks!

RE: Blacklist email address notification? - 20.May2009 10:19:11 AM
Ytsejamer1
Posts: 136
Joined: 7.Mar.2006
Status: offline

Question... So I need to create separate catch commands...one for each sender, and rename the SMTPScriptingCatchAll to SMTPScripting<sender>?

I was looking at your catchemail.vbs...trying to compare it to the one on the KB...tis a little different. I have already edited the one on the KB...not sure if that will be able to do what it needs to or if I should use yours. From looking at yours, it's looking for mail addressed to another domain that doesn't match up what yours is. At that point it will forward it to a particular address@yourdomain.com. I don't think that's what I need it to do. It is coming to my domain...I just need to catch it and forward it to another address. I've created a separate email domain for the forwarding address so that it can take the sink rule from those spammer addresses, and then forward it to a separate domain...just like the KB article indicates.

As for the removal...in the one command, can I list each line for each SMTPScripting<sender> or do I have to create a separate removal command for each unique SMTPScripting<sender>?
< Message edited by Ytsejamer1 -- 20.May2009 10:26:54 AM >

RE: Blacklist email address notification? - 20.May2009 12:06:21 PM
RSP
Posts: 1447
Joined: 31.Oct.2006
From: The East Riding of Yorkshire, UK
Status: offline

quote:
ORIGINAL: Ytsejamer1
Question... So I need to create separate catch commands...one for each sender, and rename the SMTPScriptingCatchAll to SMTPScripting<sender>?

Yes, that's correct.

quote:
I was looking at your catchemail.vbs...

I've looked at this again, and come up with a very simple catchemail.vbs - see below. It basically forces the recipient to be whatever you want.

quote:
As for the removal...in the one command, can I list each line for each SMTPScripting<sender> or do I have to create a separate removal command for each unique SMTPScripting<sender>?

You can put as many different SMTPScripting<sender> lines in this as you wish if you want to remove all at once.

New catchemail.vbs - replace me@mydomain.com with where you want the email sent to. Note you'll lose the information as to who it was meant for. However, there is a msg.subject line that's commented out. I believe this will work to prepend the original recipient list to the subject, but I presently have no means of testing it. I'm not sure if the CDO_RUN_NEXT_SINK should be 1 or 0. I guess a 0 means don't run any more sinks, making for better performance. Perhaps the script should now be called RewriteRecipient.vbs?

quote:
<SCRIPT LANGUAGE="VBSCRIPT">
'
' For information about this namespace, see
' http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cdosys/html/_cdosys_schema_smtpenvelope.asp
'
Const RECIP_LIST = "http://schemas.microsoft.com/cdo/smtpenvelope/recipientlist"
'
' For information about the CdoEventStatus enumeration, see
' http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cdosys/html/_cdosys_cdoeventstatus_enum.asp
'
Const CDO_RUN_NEXT_SINK = 0
'
' OnArrival sink entry point
'
Sub ISMTPOnArrival_OnArrival(ByVal Msg, EventStatus)
    On Error Resume Next
    Dim objFields
    Set objFields = Msg.EnvelopeFields
    ' Msg.subject = objFields(RECIP_LIST).Value & " -- " & Msg.subject
    objFields(RECIP_LIST).Value = "SMTP:me@mydomain.com;"
    objFields.Update
    Msg.DataSource.Save ' Commit changes
    EventStatus = CDO_RUN_NEXT_SINK
End Sub
</SCRIPT>
Information collated from: http://www.cardboardutopia.com/ExchangeSpamFilter.zip

I think I've also found where the original script came from. Shame on whoever removed the credits before putting it into action at the site I was administering. I apologise for my co-workers.
http://jteufel.no-ip.org:7474/Server/Easy%20Exchange%20Administrator%204.29/ExchangeScripts/Template/catchemail.vbs
< Message edited by RSP -- 20.May2009 5:01:46 PM >
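
Added example (not code from this thread or from the KB article): a Python model of the envelope rewrite the simplified sink performs, extended so one watch list covers several senders and the original recipients are carried in the subject, as the commented-out Msg.subject line intends. It lets the logic be checked offline before the VBScript sink is registered on a production SMTP server; the notification address, the watch-list patterns and all function names are assumptions.

```python
# Added example: offline model of the recipient rewrite done by an OnArrival sink.
from fnmatch import fnmatchcase

NOTIFY = "engineers@notify.example"   # assumed notification mailbox
WATCHED = ["myspammer@somewhere.com", "*@badhost.example"]  # constructed patterns


def _bare(addr):
    """Normalise 'SMTP:User@Host', '<user@host>' or 'user@host' to lower case."""
    addr = addr.strip().strip("<>")
    if addr[:5].lower() == "smtp:":
        addr = addr[5:]
    return addr.lower()


def parse_recipient_list(raw):
    """Split an envelope recipient list ('SMTP:a@x;SMTP:b@y;') into addresses."""
    return [_bare(entry) for entry in raw.split(";") if entry.strip()]


def format_recipient_list(addrs):
    """Inverse of parse_recipient_list: each entry gets 'SMTP:' and a ';'."""
    return "".join("SMTP:%s;" % a for a in addrs)


def sender_is_watched(mail_from, patterns=WATCHED):
    """Case-insensitive match; '*' wildcards approximate the binding rule syntax."""
    sender = _bare(mail_from)
    return any(fnmatchcase(sender, p.lower()) for p in patterns)


def rewrite(mail_from, raw_recipients, subject):
    """Return (recipient_list, subject) as the sink should leave them."""
    if not sender_is_watched(mail_from):
        return raw_recipients, subject   # not a watched sender: untouched
    original = parse_recipient_list(raw_recipients)
    if original == [NOTIFY]:
        return raw_recipients, subject   # already redirected: no second prefix
    # Keep the intended recipients visible; drop CR/LF so the prefix
    # can never introduce an extra header line.
    kept = ", ".join(original).replace("\r", "").replace("\n", "")
    return format_recipient_list([NOTIFY]), "[to: %s] %s" % (kept, subject)
```
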

RE: Blacklist email address notification? - 20.May2009 1:53:22 PM
Ytsejamer1
Posts: 136
Joined: 7.Mar.2006
Status: offline

You are a gentleman and a scholar...kudos. I do have one sink event previously registered that uses the updated smtpreg.vbs which removes read receipts. Again, it's an on arrival sink and has the 'Const cdoRunNextSink = 0' in it. I wonder if I should update that to 1, so it will move onto another sink event (this being the forward email event). I was trying to find out what that cdo command settings are, but haven't yet come across it.

I still can't figure for the life of me why I cannot put all "mail from=addresses" in one single event sink. My read receipt has two entries for "rcpt to=*@mydomain.com;rcpt to=*@olddomain.com" so anything going to both of those domains will call the vbs and have the read receipt removed.

Thanks again RSP. Your time and effort in assisting me is much appreciated. You likely have many other things going...helping some script-challenged mail admin is extremely noble.

RE: Blacklist email address notification? - 20.May2009 3:08:38 PM
Ytsejamer1
Posts: 136
Joined: 7.Mar.2006
Status: offline

Hey RSP... Well, I went forward and tested with a single email account to block and it did not work. Unfortunately read receipts are now able to come in. I unregistered all sink events and restarted SMTP service, then reapplied the read receipt. No dice...it still comes through. I wonder if the fact that both were SMTPOnArrivalSink events. Below is what my single binding looks like now...although it doesn't seem to be working.

}
---------
| Binding |
---------
Event: SMTP Transport OnSubmission
ID: {7B316823-EC89-4EC8-B0CD-B7AE62B53751}
Name: ReadReceiptSink
SinkClass: CDO.SS_SMTPOnArrivalSink
Enabled: True
SourceProperties: {
Priority = 24575
Rule = rcpt to=*@newdomain.com ;rcpt to=*@olddomain.com
}
SinkProperties {
ScriptName = C:\RemoveReadReqSink\rea dreceiptrequestremoval.vbs
}

We are in fact on EX2003, but I was hoping to block it at our incoming SMTP server so that all of them get stripped and spammers don't have a chance to get anything back...rather than ones that get through our GFI, then into our exchange organization. When I checked out the EX settings to explore that option, there isn't anything for only read receipts... The only options are Allowing OOO responses, automatic replies, automatic forwards, allow delivery reports and non-delivery reports, and finally just preserving sender's display name.
< Message edited by Ytsejamer1 -- 20.May2009 3:21:41 PM >

RE: Blacklist email address notification? - 20.May2009 5:01:09 PM
RSP
Posts: 1447
Joined: 31.Oct.2006
From: The East Riding of Yorkshire, UK
Status: offline

Stupid stupid stupid RSP. I missed the </SCRIPT> off the end. Taken me 3 hours to spot that along with 27 test messages...! The delivery report options apply to read-receipts too.
< Message edited by RSP -- 21.May2009 4:33:41 AM >