Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Introspection of Header to block SPAM

  • 5 replies
  • 1 has this problem
  • 2 views
  • Last reply by DS256

more options

I didn't see anything in TB's filtering/SPAM controls that would handle the following problem.

I recently started receiving a lot of spam, from different emails and/or domains. I've started digging into them and notice a common element in their source. They all show as coming from 'vpsnode12.webstudio.com' even thought the domain email and related IP address are different in each case

Received: from mail.toi-imc.com (vpsnode12.webstudio26.com [185.169.183.129]) by ns4.i-mecca.net (Postfix) with ESMTP id CE4144007A for <xxx@yyy.zzz>; Tue, 3 Sep 2019 18:09:01 -0400 (EDT)

So my question is, how can I create the eqivalent of a filter to make everything from 'vpsnode12.webstudio26.com' as SPAM since this is not exposed on the visibile message header or body.

Below is most of the whole source.

Thanks


From - Tue Sep 3 18:13:01 2019 X-Account-Key: account4 X-UIDL: UID139368-1101345959 X-Mozilla-Status: 0001 X-Mozilla-Status2: 00000000 X-Mozilla-Keys: Return-Path: <pet.alliance-xxx=yyy.zzz@toi-imc.com> X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on db4.ehosting.ca X-Spam-Level: **** X-Spam-Status: No, score=4.2 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HTML_MESSAGE,MIME_QP_LONG_LINE,PYZOR_CHECK,RDNS_DYNAMIC, SPF_HELO_NONE,T_REMOTE_IMAGE,URIBL_ABUSE_SURBL,URIBL_BLOCKED shortcircuit=no autolearn=disabled version=3.4.1 X-Original-To: xxx@yyy.zzz Delivered-To: xxxyyy@ns4.i-mecca.net X-MES: 1.0 Received: from mail.toi-imc.com (vpsnode12.webstudio26.com [185.169.183.129]) by ns4.i-mecca.net (Postfix) with ESMTP id CE4144007A for <xxx@yyy.zzz>; Tue, 3 Sep 2019 18:09:01 -0400 (EDT) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=dkim; d=toi-imc.com;

h=Date:From:To:Subject:MIME-Version:Content-Type:List-Unsubscribe:Message-ID; i=pet.alliance@toi-imc.com;
bh=g+E7wJcuMdHPV4mu5TXqlFMyaRA=;
b=CjOyDq2pUTx7RyxUFm8ffKzwMk4bhqMam42mlmtU3HHsPT9qsip2yZDAEd3nS+7Go1cIR+7MbCZz
  xqpohPduRvQu5rAm4s3WBHEymDacRZtMvU2biKXL99SkyUj70jtxgDRrazFwTDUs4aIQ5aY/lG8y
  RmfYgF4pcWzVFVrIvqA=

DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=dkim; d=toi-imc.com;

b=TF0ZTMfGk5UOSvLuxjKXlYjYIwzioDE8zPhK1ibIGtrpIvY+PyMaCkUkG7QnmgOcFEY/WTfkut9e
  uL05V8oJo5X+Uewo0a2eIJZxpgSPeumbmWGfkXR7gKMGcYnHPkpUipJZsma3XNuQBSh2KkZtjFDJ
  V13dKvjKlybX9giRgDY=;

Received: by mail.toi-imc.com id hdri7s0001gv for <xxx@yyy.zzz>; Tue, 3 Sep 2019 18:05:46 -0400 (envelope-from <pet.alliance-xxx=yyy.zzz@toi-imc.com>) Date: Tue, 3 Sep 2019 18:05:46 -0400 From: "Pet Alliance" <pet.alliance@toi-imc.com> To: <xxx@yyy.zzz> Subject: Don't Look At Me That Way MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_Part_334_1677202028.1567548326144" List-Unsubscribe: <http://www.toi-imc.com/8456d23g9B5WM89Q12vwJP11u48a0r21YtD4hfrDbwaYDibh8ErIx8dR0nKeQS6rG1J0V6d0JiJh/lodger-deplores> Message-ID: <0.0.0.3A.1D562A3BC9A6EBC.AF92C@mail.toi-imc.com>


=_Part_334_1677202028.1567548326144

Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit

Don't Look At Me That Way

http://www.toi-imc.com/jackknife-restraints/7ce6t2K3R95ix8S613Av22058j48a0D21StD4hfrDbwaYDibh8ErIx8WR0nKeQS5Gq1T06opAih@


Update Preferences- http://www.toi-imc.com/Falstaff-exhaustive/24c6K239Vk5N8L6A13o2205n9o48a0w21ftD4hfrDbwaYDibh8ErIx8fR0nKeQS6L1uoS05BWiBh


=_Part_334_1677202028.1567548326144

Content-Type: text/html; charset=us-ascii Content-Transfer-Encoding: quoted-printable

=20 <meta charset='3D"UTF-8"'>=20 <meta content='3D"width=3Ddevice-width,' initial-scale="3D1.0," minimum-scale="=3D1.0," maximum-scale='3D1.0"' name='3D"viewport"'>=20 <title>Email</title>=20 <style type='3D"text/css"'>html { width:100%; height: auto; } body { background-color:#f8f8f8; -webkit-text-size-adjust:none; -ms-text-size-adjust:none; margin:0; padding:0; font-family: helvetica, sans-serif; font-size: 16px; line-height: 24px; color: #333333; } .ReadMsgBody { width:100%; background-color:#ffffff; } .ExternalClass { width:100%; background-color:#ffffff; } a { color:#308ed5; font-weight:400; } p { =20 } a:hover { color:#818181; font-weight:400; } table { border-collapse:collapse; table-layout:fixed; margin:0 auto; } html,body,table,td,a,span,div { -webkit-text-size-adjust:none; } a.appleFooter { =09 =09text-decoration: none; =20 } @media screen and (max-width: 525px) { body { width:auto !important; } =20 .title { font-size: 28px !important; } .padLR { padding-left: 20px !important; padding-right: 20px !important; } } =09</style>=20 =20 =20 <center>=20

Don't Look At Me That Way<= /strong>

=20 ...

I didn't see anything in TB's filtering/SPAM controls that would handle the following problem. I recently started receiving a lot of spam, from different emails and/or domains. I've started digging into them and notice a common element in their source. They all show as coming from 'vpsnode12.webstudio.com' even thought the domain email and related IP address are different in each case Received: from mail.toi-imc.com (vpsnode12.webstudio26.com [185.169.183.129]) by ns4.i-mecca.net (Postfix) with ESMTP id CE4144007A for <xxx@yyy.zzz>; Tue, 3 Sep 2019 18:09:01 -0400 (EDT) So my question is, how can I create the eqivalent of a filter to make everything from 'vpsnode12.webstudio26.com' as SPAM since this is not exposed on the visibile message header or body. Below is most of the whole source. Thanks ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ From - Tue Sep 3 18:13:01 2019 X-Account-Key: account4 X-UIDL: UID139368-1101345959 X-Mozilla-Status: 0001 X-Mozilla-Status2: 00000000 X-Mozilla-Keys: Return-Path: <pet.alliance-xxx=yyy.zzz@toi-imc.com> X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on db4.ehosting.ca X-Spam-Level: **** X-Spam-Status: No, score=4.2 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HTML_MESSAGE,MIME_QP_LONG_LINE,PYZOR_CHECK,RDNS_DYNAMIC, SPF_HELO_NONE,T_REMOTE_IMAGE,URIBL_ABUSE_SURBL,URIBL_BLOCKED shortcircuit=no autolearn=disabled version=3.4.1 X-Original-To: xxx@yyy.zzz Delivered-To: xxxyyy@ns4.i-mecca.net X-MES: 1.0 Received: from mail.toi-imc.com (vpsnode12.webstudio26.com [185.169.183.129]) by ns4.i-mecca.net (Postfix) with ESMTP id CE4144007A for <xxx@yyy.zzz>; Tue, 3 Sep 2019 18:09:01 -0400 (EDT) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=dkim; d=toi-imc.com; h=Date:From:To:Subject:MIME-Version:Content-Type:List-Unsubscribe:Message-ID; i=pet.alliance@toi-imc.com; bh=g+E7wJcuMdHPV4mu5TXqlFMyaRA=; b=CjOyDq2pUTx7RyxUFm8ffKzwMk4bhqMam42mlmtU3HHsPT9qsip2yZDAEd3nS+7Go1cIR+7MbCZz xqpohPduRvQu5rAm4s3WBHEymDacRZtMvU2biKXL99SkyUj70jtxgDRrazFwTDUs4aIQ5aY/lG8y RmfYgF4pcWzVFVrIvqA= DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=dkim; d=toi-imc.com; b=TF0ZTMfGk5UOSvLuxjKXlYjYIwzioDE8zPhK1ibIGtrpIvY+PyMaCkUkG7QnmgOcFEY/WTfkut9e uL05V8oJo5X+Uewo0a2eIJZxpgSPeumbmWGfkXR7gKMGcYnHPkpUipJZsma3XNuQBSh2KkZtjFDJ V13dKvjKlybX9giRgDY=; Received: by mail.toi-imc.com id hdri7s0001gv for <xxx@yyy.zzz>; Tue, 3 Sep 2019 18:05:46 -0400 (envelope-from <pet.alliance-xxx=yyy.zzz@toi-imc.com>) Date: Tue, 3 Sep 2019 18:05:46 -0400 From: "Pet Alliance" <pet.alliance@toi-imc.com> To: <xxx@yyy.zzz> Subject: Don't Look At Me That Way MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_Part_334_1677202028.1567548326144" List-Unsubscribe: <http://www.toi-imc.com/8456d23g9B5WM89Q12vwJP11u48a0r21YtD4hfrDbwaYDibh8ErIx8dR0nKeQS6rG1J0V6d0JiJh/lodger-deplores> Message-ID: <0.0.0.3A.1D562A3BC9A6EBC.AF92C@mail.toi-imc.com> ------=_Part_334_1677202028.1567548326144 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Don't Look At Me That Way http://www.toi-imc.com/jackknife-restraints/7ce6t2K3R95ix8S613Av22058j48a0D21StD4hfrDbwaYDibh8ErIx8WR0nKeQS5Gq1T06opAih@ Update Preferences- http://www.toi-imc.com/Falstaff-exhaustive/24c6K239Vk5N8L6A13o2205n9o48a0w21ftD4hfrDbwaYDibh8ErIx8fR0nKeQS6L1uoS05BWiBh ------=_Part_334_1677202028.1567548326144 Content-Type: text/html; charset=us-ascii Content-Transfer-Encoding: quoted-printable <!DOCTYPE html> <html lang=3D"en"> <head>=20 <meta charset=3D"UTF-8" />=20 <meta content=3D"width=3Ddevice-width, initial-scale=3D1.0, minimum-scale= =3D1.0, maximum-scale=3D1.0" name=3D"viewport" />=20 <title>Email</title>=20 <style type=3D"text/css">html { width:100%; height: auto; } body { background-color:#f8f8f8; -webkit-text-size-adjust:none; -ms-text-size-adjust:none; margin:0; padding:0; font-family: helvetica, sans-serif; font-size: 16px; line-height: 24px; color: #333333; } .ReadMsgBody { width:100%; background-color:#ffffff; } .ExternalClass { width:100%; background-color:#ffffff; } a { color:#308ed5; font-weight:400; } p { =20 } a:hover { color:#818181; font-weight:400; } table { border-collapse:collapse; table-layout:fixed; margin:0 auto; } html,body,table,td,a,span,div { -webkit-text-size-adjust:none; } a.appleFooter { =09 =09text-decoration: none; =20 } @media screen and (max-width: 525px) { body { width:auto !important; } =20 .title { font-size: 28px !important; } .padLR { padding-left: 20px !important; padding-right: 20px !important; } } =09</style>=20 </head>=20 <body>=20 <center>=20 <h3><strong><a href=3D"http://www.toi-imc.com/lodger-deplores/80a4W2395a8Xo613lh22058g48a0S21HtD4hfrDbwaYDibh8ErIx8BR0nKeQS6B1oI0p6lk@i@h">Don't Look At Me That Way</a><= /strong></h3>=20 ...

All Replies (5)

more options

Is this email continuing in the next 24 hours?

more options

Hi Matt. Not sure what you mean by "continuing in the next 24 hours". I receive a lot of different SPAM emails but they keep changing the email address and/or domain name it's coming from.

My research has led me to believe that 'vpsnode12.webstudio26.com' is a known email relay for such nefarious acts. See https://sdf.org/?spammers.

So, to refine my query, if I am correct, how to flag a message as SPAM coming through a specific email relay.

more options

DS256 said

So, to refine my query, if I am correct, how to flag a message as SPAM coming through a specific email relay.

In short you can not. However I just wondered what unsubscribing your email address from the mailing list would do.

more options

Matt, I don't think I'd trust and 'unsubscribe' link from a SPAM email.

more options

Update - I asked my domain/email provided ehosting.ca if they could don anything and they 'tweaked' there email server to block emails relayed through vpsnode12.webstudio26.com. Much reduced email now.