
Set "Action to take on SPAM message" to "no action", to just add "[SPAM]" to the Subject. Now there is no way to block a SPAM message.



Hi,

I set "Action to take on SPAM message" to "no action", because we prefer to add "[SPAM]" to the Subject instead of sending it to quarantine. However, now we want to quarantine messages from a specific domain, so we tried adding that domain to the "Blocked Body Domain", "Blocked Senders" and "Blocked Domain to IP" lists, expecting it to take precedence (after all, those are local, manual blacklists) and the message to be blocked. Instead, it seems that ESET just uses it to determine that the message is SPAM, then just adds the "[SPAM]" string to the Subject and allows the message to be delivered.

Is there any way to block or quarantine the message if it is found on one of the local blacklists, while keeping "no action" set for SPAM messages?

Regards


  • ESET Staff

Hi, you can create a transport rule:

[if] Sender's domain ... is on the Blocked Sender's list  [then]  Quarantine message

and/or

[if] Sender's IP address ... is on the Blocked domain to IP list  [then] Quarantine message


On 6/17/2024 at 4:41 AM, M.K. said:

Hi, you can create a transport rule:

[if] Sender's domain ... is on the Blocked Sender's list  [then]  Quarantine message

and/or

[if] Sender's IP address ... is on the Blocked domain to IP list  [then] Quarantine message

Thanks. I tried that, but it doesn't seem to trigger the rule, so I added two additional items to the list (before, only personal.com was on the list):

[image]

And this is the rule:

[image]

I suppose it's because the rules check the envelope sender's domain and not the from field, and the mail server protection log shows this:

[image]

So I added an additional rule to check the mail from address:

[image]

And also added the vps.ovh.net domain to the Blocked Senders list:

[image]

I suppose that the only way to test it is to wait for another mail to arrive from that domain, right?

Regards

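The post above turns on the difference between the envelope sender (SMTP MAIL FROM) and the From header. The following is an added example, not part of the original thread and not ESET's rule engine: it checks a domain blocklist against each field separately, so it is visible which condition would match. The sample message, the host name `host123.vps.ovh.net`, the assignment of the thread's two domains to the two fields, and the function names are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: envelope sender and From header name different domains.
ENVELOPE_MAIL_FROM = "bounce@host123.vps.ovh.net"
RAW_MESSAGE = """\
From: "Personal Support" <info@personal.com>
To: user@example.org
Subject: Your invoice

Body text.
"""

BLOCKED_DOMAINS = {"personal.com"}  # constructed local blocklist


def domain_of(address):
    """Return the lower-cased domain part of an e-mail address, or ''."""
    addr = parseaddr(address)[1]
    return addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""


def is_blocked(domain, blocked):
    """True if domain equals a blocked entry or is a subdomain of one."""
    return bool(domain) and any(
        domain == b or domain.endswith("." + b) for b in blocked
    )


def evaluate(envelope_from, raw_message, blocked):
    """Check the blocklist separately against envelope sender and From header."""
    header_from = message_from_string(raw_message).get("From", "")
    env_dom, hdr_dom = domain_of(envelope_from), domain_of(header_from)
    return {
        "envelope_domain": env_dom,
        "header_domain": hdr_dom,
        "envelope_match": is_blocked(env_dom, blocked),
        "header_match": is_blocked(hdr_dom, blocked),
    }


if __name__ == "__main__":
    # Only the From header matches while the list holds just personal.com.
    print(evaluate(ENVELOPE_MAIL_FROM, RAW_MESSAGE, BLOCKED_DOMAINS))
    # Adding the hosting domain makes the envelope sender match as well.
    print(evaluate(ENVELOPE_MAIL_FROM, RAW_MESSAGE, BLOCKED_DOMAINS | {"vps.ovh.net"}))
```
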


I don't know what vps.ovh.net is, but they seem to host a massive phishing campaign that uses domains that look very similar to the authentic domains:

[image]

  • Solution

Finally, the following rule triggered:

[image]

For the following message:

[image]
