SMTP header searching? (Full Version)

All Forums >> [Web & Mail Security] >> GFI MailEssentials





fiscap -> SMTP header searching? (30.Jun.2009 9:53:00 AM)

This is probably more of a feature request since we haven't figured out a way to implement it in our version of ME 14.
 
Basically, we'd like to have the ability to perform a 'keyword' search on the SMTP header itself. The reason for this level of scrutiny is because of a recent harassment issue we've encountered at our organization. For the last year, this perpetrator has been going to one of a few random hotspots and creating a new generic web-based email account (aol, yahoo, hotmail). The emails are sent to various people within the organization at a rate of 10-20 targeted employees per email session.
 
Despite the fact that these are coming from a generic web-based email system, the perpetrator must be naïve enough to not realize the originating public IP address is embedded in the SMTP header. We've been able to examine the headers and determine that these are originating from a few different public hotspots within a 20-mile radius of our office. The public IP address is always the same for each of the locations the sender is randomly rotating between. We'd like to be able to search the SMTP header for these IP addresses and block or re-route accordingly. Is there a way to implement this with the current version of ME 14? If not, can anyone think of a creative way to block these emails from reaching our end users? The information we're attempting to scan for and block is highlighted in red in the sample header below.
 
 



Microsoft Mail Internet Headers Version 2.0
Received: from Exchange05.xxxxxx.org ([10.10.20.201]) by Exchange08.xxxxxx.org with Microsoft SMTPSVC(6.0.3790.3959);
       Mon, 29 Jun 2009 21:00:34 -0400
Received: from mail.xxxxxx.org ([10.10.5.135]) by Exchange05.xxxxxx.org with Microsoft SMTPSVC(6.0.3790.3959);
       Mon, 29 Jun 2009 21:00:34 -0400
thread-index: Acn5HiwGbFfr5WMYQAG1DKBUkyuJVA==
Content-Transfer-Encoding: 7bit
Received: from mail pickup service by mail.xxxxxx.org with Microsoft SMTPSVC; Mon, 29 Jun 2009 21:00:33 -0400
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4325
x-endofinjectedxheaders: 3012
Received: from n75.bullet.mail.sp1.yahoo.com ([98.136.44.51]) by mail.xxxxxx.org with Microsoft SMTPSVC(6.0.3790.3959); Mon, 29 Jun 2009 21:00:32 -0400
Received: from [216.252.122.219] by n75.bullet.mail.sp1.yahoo.com with NNFMP; 30 Jun 2009 01:00:32 -0000
Received: from [67.195.9.81] by t4.bullet.sp1.yahoo.com with NNFMP; 30 Jun 2009 01:00:32 -0000
Received: from [67.195.9.101] by t1.bullet.mail.gq1.yahoo.com with NNFMP; 30 Jun 2009 01:00:32 -0000
Received: from [127.0.0.1] by omp105.mail.gq1.yahoo.com with NNFMP; 30 Jun 2009 01:00:32 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 81881.74317.bm@omp105.mail.gq1.yahoo.com
Received: (qmail 86561 invoked by uid 60001); 30 Jun 2009 01:00:31 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1246323631; bh=WOkHasb5XE5Mr6obaJfOaqA7n7RT+gTk7eEDtUwkh1Y=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=bEdtO9uXqgNKJzNwnGrvpmWnapjXOAPoQSogP0EttV7929PvKgl9X2M5pa/5/EP7vLWiG6BqTmRtpl5Z4fywCMwtju9YI6pEd15hjpkjVK7cFOSVEbMKPjMRRF353KjACGqoY2jAIzAbJKaasajnarCoJhvG2HtV+M+5sDWCrOw=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;  s=s1024; d=yahoo.com;  h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type;  b=pQfYxC+oM7cFSZ1vsNQUXjSmrhy2C4NYjc5uG7CTiT9nJoQgmX3Ph2MkuAtzG8i5F9Hpi6aRt4Bed36Bf533x2NK2ju1YIhGl0SCo8DZAmCY9gqI6Q/TfioEcsm9ubi5STuGe+Nic6Nsx3WBikz6NVSxJJ+5rp8qU+iqpyrNQh4=;
Message-ID: <877571.85915.qm@web111811.mail.gq1.yahoo.com>
X-YMail-OSG: 6NINL5sVM1l5_hYaCrLdwb7KzOJ3VWGg9_ARo8dQutUSMiCh.ucH7JV_PPbNoUCnpoeEzJ3F0uRcBHQm87XJSh4pPLMlA8.lGAJwe56CQpIHqmeb0fQkhH9qadmHoKhH3FpM9GR.S3gCA4IzPK5rJ0BkO6WPTADolN61av4NIdGIjZpPbQs7oFyl1tBDcA17IRa5fE4.OxOo_NPYlcOWzrfDec1ya3g9AGfbTCQprgmMc8FkeBfqqzsE7XON3U6Gl6mTBrNuey38Jh_ittFY4QAQB2fkpajNf8atzwqfqPMH5MKt4Q--
Received: from [xxx.xxx.xxx.49] by web111811.mail.gq1.yahoo.com via HTTP; Mon, 29 Jun 2009 18:00:31 PDT




gpinson -> RE: SMTP header searching? (1.Jul.2009 4:42:27 PM)

Unfortunately, from what I can remember, GFI does not allow for filtering on header information. Several people, as well as myself, have been requesting the ability to filter on header items, preferably with regex, for quite some time.
(Hint, Hint GFI)
If you are using 2003, you can write an event sink to do it for you. Unfortunately, I don't have much experience with 2007.
I would recommend finding an application to supplement GFI.
I personally am using ORF by VamSoft. Low cost, supplements the areas where GFI is weak (filtering during the communication stage prior to receipt, fewer NDRs, keyword header filtering, IP blacklist, regex for almost all features) and GFI fills out the areas where ORF is weak (SpamRazor, anti-phishing and bayesian filter).



Gene
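The check fiscap asks for, and the header filtering Gene says ME 14 lacks, comes down to walking the Received: chain, finding the oldest hop that carries a public address (for webmail that is the "via HTTP" line the provider adds), and comparing it against a small list of addresses or networks. The block below is an added example written for this thread, not code from GFI, ORF or either poster, showing that logic in Python so it can be tried against a saved header before being ported into an Exchange event sink or an external filter. The sample header is constructed from the one posted above: host names are changed to example.org and the redacted originating address (xxx.xxx.xxx.49) is replaced with the documentation-range value 203.0.113.49; the blocklist values in the usage section are likewise made up.

```python
import ipaddress
import re
from email.parser import HeaderParser

# Constructed sample modelled on the header posted in the thread. Host names
# are example.org and the originating address is a documentation-range value
# (203.0.113.49); the post itself redacts it as xxx.xxx.xxx.49.
SAMPLE_HEADERS = """\
Received: from Exchange05.example.org ([10.10.20.201]) by Exchange08.example.org with Microsoft SMTPSVC(6.0.3790.3959); Mon, 29 Jun 2009 21:00:34 -0400
Received: from mail.example.org ([10.10.5.135]) by Exchange05.example.org with Microsoft SMTPSVC(6.0.3790.3959); Mon, 29 Jun 2009 21:00:34 -0400
Received: from n75.bullet.mail.sp1.yahoo.com ([98.136.44.51]) by mail.example.org with Microsoft SMTPSVC(6.0.3790.3959); Mon, 29 Jun 2009 21:00:32 -0400
Received: from [216.252.122.219] by n75.bullet.mail.sp1.yahoo.com with NNFMP; 30 Jun 2009 01:00:32 -0000
Received: from [127.0.0.1] by omp105.mail.gq1.yahoo.com with NNFMP; 30 Jun 2009 01:00:32 -0000
Received: (qmail 86561 invoked by uid 60001); 30 Jun 2009 01:00:31 -0000
Message-ID: <877571.85915.qm@web111811.mail.gq1.yahoo.com>
Received: from [203.0.113.49] by web111811.mail.gq1.yahoo.com via HTTP; Mon, 29 Jun 2009 18:00:31 PDT
Subject: test

"""

# The "from <host/addr> by <host>" clause names the peer that handed the
# message to the server writing the header; that is where the client IP lives.
FROM_CLAUSE_RE = re.compile(r"\bfrom\s+(.*?)\s+by\s+", re.IGNORECASE | re.DOTALL)
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Address space that never identifies the sender: our own LAN hops, loopback
# and link-local. Listed explicitly instead of using is_private/is_global,
# because ipaddress also classifies the 203.0.113.0/24 documentation range
# (used in the constructed sample) as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def received_hops(raw_headers):
    """IP named in the 'from' clause of each Received: header, newest first.

    A hop with no parseable address (pickup service, qmail injection) is None.
    """
    msg = HeaderParser().parsestr(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        clause = FROM_CLAUSE_RE.search(value)
        ip = None
        if clause:
            for literal in IPV4_RE.findall(clause.group(1)):
                try:
                    ip = ipaddress.ip_address(literal)
                    break
                except ValueError:  # e.g. a version string like 6.0.3790.3959
                    continue
        hops.append(ip)
    return hops


def origin_ip(raw_headers):
    """Oldest Received hop carrying a non-internal address.

    For webmail this is the provider's 'via HTTP' line naming the browser's
    public address, which is the value the thread wants to match on.
    """
    for ip in reversed(received_hops(raw_headers)):
        if ip is not None and not is_internal(ip):
            return ip
    return None


def match_blocklist(raw_headers, blocklist):
    """(network, ip) for the first external hop, oldest first, that falls in a
    blocklisted network; None when the message is clean. Internal hops are
    skipped so a mistaken 10.0.0.0/8 entry can never quarantine all mail."""
    nets = [ipaddress.ip_network(n, strict=False) for n in blocklist]
    for ip in reversed(received_hops(raw_headers)):
        if ip is None or is_internal(ip):
            continue
        for net in nets:
            if ip in net:
                return str(net), str(ip)
    return None


if __name__ == "__main__":
    # Constructed blocklist: one hotspot's /24 plus one single address.
    hotspots = ["203.0.113.0/24", "198.51.100.7"]
    print("hops:", [str(h) for h in received_hops(SAMPLE_HEADERS)])
    print("origin:", origin_ip(SAMPLE_HEADERS))
    hit = match_blocklist(SAMPLE_HEADERS, hotspots)
    print("quarantine" if hit else "deliver", hit)
```

Matching on every external hop rather than only the origin means the filter still fires if the provider inserts an extra relay above the client line; keep the list to the hotspot addresses seen in the headers so the provider's own relays (98.136.44.51 and similar) are never listed.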




Ytsejamer1 -> RE: SMTP header searching? (7.Jul.2009 11:52:11 AM)

Yo Gene,

Can you email me privately off-forum? You can use my handle at hot - mail to reach me. I have a couple of questions in regards to your ORF supplement.

Regards!



