March 11, 2019

A simple spam filter for the current Sextortion scams making the rounds

For a week or so, an email scam has been making the rounds claiming that a hacker has compromised your computer and caught you doing nasty things with yourself while watching porn videos online. He or she threatens to expose you (no pun intended) unless you pay a ransom of between $1000 and $2000 US in Bitcoins.

While this may cause some people to panic and pay up, most will see it for what it really is: a pathetic sextortion scam. Nobody hacked your computer or planted a video-watching virus on it. This is FUD (Fear, Uncertainty and Doubt). But, because these scams are arriving in huge numbers, to multiple mailboxes, it is worth our time to create an email spam filter that detects and even auto-deletes these messages.

This article is mainly presented for MailWasher Pro users, but can also apply to any other email client that allows users to create spam filters from email headers. Think web server email systems...

If you don't use MailWasher Pro, but want to create this spam filter for another email client, or on your website's email server, read these articles I wrote in 2017:


  1. Use RegEx to filter spam from your mail server - part 1

  2. Use RegEx to filter spam from your mail server - part 2


Assuming your email client is MailWasher Pro, or otherwise allows for custom Regular Expression filters, let's create a Sextortion Scam filter.

All of the Sextortion scams I've seen in the last week match the following criteria:


  1. They all are sent to an email address belonging to you

  2. They also claim to have been sent from that same email account

  3. The Reply-To or Return-Path may be the same account, or a different domain entirely

  4. The subject is either the prefix of your email account, or a phony warning that your account has been hacked

  5. The body text claims that a hacker has hacked your email, planted a spyware program on your camera and keyboard and demands payment to stay quiet about your online activities.

These are the basic facts. Now, let's drill down into the most current incarnation of the hacker sextortion scam.

  1. Sent To your account

  2. Sent From your account (forged header)

  3. Has your account prefix as the Subject

  4. Has a completely unrelated Reply-To or Return-Path address

  5. Is either using Base64 or a .jpg image to display the extortion demand

The Filter

Open MailWasher Pro, go to Settings > Spam Tools > Filters and create a new filter. Set the filter type to Spam and the conditions to match to ALL. Give the filter a name, like this: "To, From and Subject match my email prefix" and create the following rules:


  1. From: > contains > RegEx:

    Your spammed email account prefixes, separated by pipe symbols and grouped in parentheses, followed by @yourDomain.com, e.g. (name1|name2|name3)@yourEmailDomain.com

  2. To: > contains > RegEx:

    Same input as the above rule

  3. Subject > contains > RegEx:

    The prefixes of these email accounts only, again separated by pipe symbols. No @ or domain.

  4. Return-Path > Doesn't contain > RegEx:

    yourDomain.com

Set the Action to rate the Spam Score to -200 and the action button option to: "Don't override delete," or "Auto-delete this email," then Save the filter.

In the event that the scammers alter the script again to include your spammed email account in the Return-Path or Reply-To field, just remove that one rule from the filter.

Here is what a sample filter would have in its fields for a single email account:


  1. From: joe@joe-job.com

  2. To: joe@joe-job.com

  3. Subject: joe

  4. Return-Path: (Doesn't contain) @joe-job.com

If you have multiple email accounts being scammed, use this sample:

  1. From: (joe|john|ken)@joe-job.com

  2. To: (joe|john|ken)@joe-job.com

  3. Subject: joe|john|ken

  4. Return-Path: (Doesn't contain) @joe-job.com


If your domain ends in .net, or .info, or some other TLD, change the rules accordingly. Note that these filter rules don't check the body to see if it uses actual text, or Base64, or an image containing scam text. I already posted a filter that checks plain body text.
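As an added illustration (not part of the article and not MailWasher's own code), here is the same four-rule, match-ALL filter written in Python against constructed sample messages. It assumes the article's placeholder domain joe-job.com and prefixes joe/john/ken, treats a missing header as an empty string, and also shows the case from above where the scammers start forging the Return-Path too, so rule 4 has to be dropped.

```python
import email
import re
from email import policy

# Constructed sample messages (not real mail). The domain joe-job.com and the
# account prefixes joe/john/ken are the article's own placeholders.
SCAM = b"""Return-Path: <bounce@unrelated-host.example>
From: joe@joe-job.com
To: joe@joe-job.com
Subject: joe
Content-Transfer-Encoding: base64

SGkgSm9lLCBJIGhhY2tlZCB5b3VyIGNhbWVyYS4gUGF5IHVwLg==
"""
# Same scam, but the sender now forges the Return-Path as well (the case the
# article says to handle by removing rule 4 from the filter).
SCAM_FORGED_RP = SCAM.replace(b"<bounce@unrelated-host.example>", b"<joe@joe-job.com>")
# A genuine note-to-self: same From/To, but the Return-Path is your own domain.
LEGIT = b"""Return-Path: <joe@joe-job.com>
From: joe@joe-job.com
To: joe@joe-job.com
Subject: joe - renew the domain

Reminder to renew joe-job.com next month.
"""

PREFIXES = ["joe", "john", "ken"]
DOMAIN = "joe-job.com"
# Group the alternation: an ungrouped "joe|john|ken@joe-job.com" would match
# "joe" anywhere in the header, not only joe@joe-job.com.
ACCOUNT_RE = r"\b(%s)@%s\b" % ("|".join(map(re.escape, PREFIXES)), re.escape(DOMAIN))
# The article's four rules as (header, regex, must_match); must_match=False is
# MailWasher's "Doesn't contain".
RULES = [
    ("From", ACCOUNT_RE, True),
    ("To", ACCOUNT_RE, True),
    ("Subject", "|".join(map(re.escape, PREFIXES)), True),
    ("Return-Path", re.escape(DOMAIN), False),
]

def filter_fires(raw: bytes, rules=RULES) -> bool:
    """True when ALL rules match, i.e. the filter's action (auto-delete) applies."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for header, pattern, must_match in rules:
        value = str(msg.get(header, ""))  # assumption: a missing header reads as empty
        found = re.search(pattern, value, re.IGNORECASE) is not None
        if found != must_match:
            return False
    return True

def classify(raw: bytes) -> str:
    return "auto-delete" if filter_fires(raw) else "deliver"
```

Dropping the Return-Path rule (`RULES[:3]`) makes the forged-Return-Path variant match again, at the cost of also catching mail you genuinely send to yourself.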

Interesting fact. Some of the most recent sextortion scams use images that contain really tiny text. The Bitcoin address to send ransoms to must be copied and pasted to avoid mistakes (it says so in the image text!), because they have mixed cases and special characters. However, as everybody who has tried copying text from an image already knows, you can't do that! So, people fooled into making payments from a sextortion scam image will most likely get the wrong characters and fail to send to the actual scammer's Bitcoin Wallet. Either the payments will bounce, or somebody else will receive them.

If you aren't using MailWasher Pro to screen your incoming email for spam, scams and malicious links and attachments, check it out here. If you want to learn more about custom spam filters, including those that I write, look at my Wizcrafts' MailWasher Pro Email Spam Filters page.

Finally, MailWasher Pro users can learn all of the fine points and details about Regular Expressions in filters on the MailWasher Advanced Features page.


March 9, 2019

Tips for sorting your MailWasher Pro spam filters

If, like me, you use Firetrust's MailWasher Pro to screen your incoming email for spam, scams and malware, you may have discovered that it allows users to create custom spam filters. This article will give you some tips to get the most out of your custom spam filters.

The program, currently at version 7.12.1, ships with 4 default spam filters that one can customize, add to, enable, or disable. The most important of them is the first one: "Restored Email" - which comes into play after an email has been deleted to the MailWasher Recycle Bin and you later decide that you want it delivered to the Inbox. The filter description says: "Will ensure any email you restore from Recycle Bin will come through marked as good and not marked for delete." You should keep this filter enabled.

The Restored Email filter stops all further filter processing, allowing that restored email to appear and stay in the Inbox and not be automatically deleted by another filter. This is because MailWasher filters are processed from the top on down.

The second default filter is named: "Language Filter" and it is used to block non-English language character sets. The description says: "Currently set for many non Latin languages. You can edit this filter to your own preference." The single rule has a drop down arrow on the right side that opens a menu of languages to block, each prefaced with a checkbox. Select all those you want deleted and press Save.

The third default filter is labeled: "Not to me." The description is: "Looks for messages that are not addressed to you on either the To or CC lines. You need to edit this to include all your own email addresses in use." There are three sample email addresses that need to be changed or deleted. Add as many of your email addresses that you want this filter to inspect. I would use this filter with caution because a lot of professional email lists may not show individual email accounts in the To field. If you enable it, don't set it to auto-delete or you may end up restoring legitimate emails from the Recycle Bin.

The last and newest default filter is called: "Hide & Delete." You have to edit the rules to include sender email addresses, subjects, domains, and/or TLDs that you want hidden and/or auto-deleted upon arrival. These actions are chosen by clicking on the "Actions" tab on top of the filter.

Those are the default filters that come with MailWasher Pro. The rest of this article delves into custom, user created filters.

I recommend keeping the default filters at the top of your custom filters list. Begin adding new filters after them. You can get a good insight into custom filters by examining my own Wizcrafts' MailWasher Pro Email Spam Filters. The page has a good description of the rationale behind my spam filters and has a download link for Filters.xml as well as an iframe containing the full set for you to read through. You can copy and paste right out of the iframe.

Some of the higher up filters deal with the most current types of spam, scams and malware attacks. They include the ongoing hacker extortion scams. Others block Russian dating scams, some block Chinese senders while others detect malicious attachments or links to dangerous domains. A little further down are groups of filters that detect Nigerian 419 scams, weight loss scams and Pyramid stock schemes.

The fastest filters search the email headers, not the body. Whenever possible, create or borrow filters from me that examine the headers before adding body text filters. The headers contain From, To, Reply-to, Subject, Date and Received from fields that can expose unwanted sources, spam domains, failures to validate and other details that can be used to filter out unwanted or dangerous email. MailWasher Pro makes it easy to read the email headers by simply previewing incoming or deleted messages, then clicking on the "Source" tab. The source begins with the headers, followed by one or more blank lines, then the body text, or base64 text, or an image.

The filters use individual lines of rules that are added in sequence from the top down. The rules can be processed as either ALL or ANY to be matched. Once matched, the Action you choose in the Action Tab takes effect. Each rule has three sections, from left to right. The first choice has a large group of drop down options for various headers or the body, or even the entire message to be evaluated. The second group is: "Contains," "Doesn't contain" and "Is." The third group offers two choices: "Plain text" or "RegEx."

For instance, to block a known, current phishing scam, you can have a rule that says "From" > "Contains" > "Plain text" - followed by an input line containing: "F-acebook" and the Action could be set to: Auto-Delete. The next time a phishing scam arrives with that misspelling of Facebook in the From field, it will go straight to the MailWasher Recycle Bin. If for some strange reason you decide you want to have that obviously deceptive email back, click on the Recycle Bin tab, highlight that message, then click the big Restore button*. MailWasher will attempt to send the message back using the same credentials you entered when you set up your email accounts in MailWasher's initial setup.

That's all I have time for right now. I will continue these spam filter tips in a follow-up article on my blog.

About the author

Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.

I produce this blog and website at my own expense. If you find this information valuable please consider making a donation via PayPal.

Follow @Wizcrafts on Twitter, where I post short updates on security issues, spam trends and things that just eat at my craw.

Follow Wizcrafts on Twitter


Malwarebytes' Anti-Malware is the most frequently recommended malware removal tool in malware removal forums, like Bleeping Computers. It is extremely effective for removing fake/rogue security alerts, Bots, Spyware and the most prevalent and current malware threats in the wild. Learn about Malwarebytes Anti-Malware.


MailWasher Pro is an effective spam filter that protects your desktop email client. Using a combination of blacklists and built-in and user configurable filters, MailWasher Pro recognizes and deletes spam before you download it. MailWasher Pro reveals the actual URL of any links in a message, which protects you from most Phishing scams. Try it free for 30 days.





This weblog is licensed under a Creative Commons License. The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.