Unanswered

Spam filter flow no longer filtering new wave of anonymous junk emails

(1) Share

Report

Posted on by Jeff2022

Hello Folks -

I recently put in place a simple spam filter flow to automatically clear out my junk folder, following the instructions here:

https://robinhobo.com/how-to-apply-outlook-com-rules-on-the-junk-folder-and-how-to-stop-outlook-com-from-moving-emails-to-junk-or-spam-folder/

The spam in my junk folder consisted of emails from a fake sender (e.g. Vivint, Tommy Chong), and when I hovered on the sender, the real email address would appear - it was consistently "news@" or "newsletter@" or "office@". So I built the flow to zap emails containing the above quoted senders, and it worked great . . . for a while.

Since then, a new kind of spam has been coming in - with ever-increasing volume, in which the sender's "real" address is blocked. I've checked "view message source" on these and tried adding a

new condition based on what appears to be a consistently appearing return address ("geeksquad@"), but it is not working. I'm not familiar with the significance of the elements in "view message source" and would much appreciate any help in tuning up my flow to capture this new, more insidious breed of spam.

I'd be happy to cut and paste a "view message source" result into this thread if it would help.

Regards,

Jeff

Categories:

Building flows

I have the same question (0)

All responses (9)

Answers (0)

Winter1 3 on at

Like (0)

Report

I'm having the exact same issue. Did you find a solution?

Was this reply helpful? Yes No
Jeff2022 10 on at

Like (0)

Report

Hello, no I never heard anything back from my original post. Maybe your bumping this up will result in some input from a more sophisticated flow user!

Was this reply helpful? Yes No
VictorIvanidze 13,073 on at

Like (0)

Report

Hi @Jeff2022,
could you please publish here the SMTP headers of this new spam email?

Was this reply helpful? Yes No
Jeff2022 10 on at

Like (0)

Report

Hi, pasted below is info for a couple of them from "view message source." (I've x'd out part of my email address).
Thanks,
Jeff

Received: from SN6PR04MB4030.namprd04.prod.outlook.com (::1) by
DM5PR04MB3754.namprd04.prod.outlook.com with HTTPS; Sun, 11 Sep 2022 18:46:24
+0000
Received: from AM6PR10CA0017.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:209:89::30)
by SN6PR04MB4030.namprd04.prod.outlook.com (2603:10b6:805:46::11) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5612.14; Sun, 11 Sep
2022 18:46:23 +0000
Received: from VE1EUR03FT005.eop-EUR03.prod.protection.outlook.com
(2603:10a6:209:89:cafe::e) by AM6PR10CA0017.outlook.office365.com
(2603:10a6:209:89::30) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5612.15 via Frontend
Transport; Sun, 11 Sep 2022 18:46:22 +0000
Authentication-Results: spf=neutral (sender IP is 146.255.184.57)
smtp.mailfrom=ivoryges.com; dkim=none (message not signed)
header.d=none;dmarc=fail action=quarantine
header.from=emailinfo.geeksquad.com;compauth=fail reason=000
Received-SPF: Neutral (protection.outlook.com: 146.255.184.57 is neither
permitted nor denied by domain of ivoryges.com)
Received: from mail88.sea91.rsgsv.net (146.255.184.57) by
VE1EUR03FT005.mail.protection.outlook.com (10.152.18.172) with Microsoft SMTP
Server id 15.20.5612.13 via Frontend Transport; Sun, 11 Sep 2022 18:46:22
+0000
X-IncomingTopHeaderMarker:
OriginalChecksum:90A022AE28E6462721DBDA8209F2A25BA29443E0643B8AE212BB19BE9FB57BFC;UpperCasedChecksum:7A2B17802A20CF6E1E46FDC14A09B7EE47255E5233192668DBB832C8CD4A004B;SizeAsReceived:212;Count:6
Content-type: text/html
To: @xxx@hotmail.com
From: Miracle Lash for Women ; <geeksquad@emailinfo.geeksquad.com>
Subject: Get Your Dream Lashes!
Date: Sun, 11 Sep 2022 14:46:14 -0400
X-IncomingHeaderCount: 6
Message-ID:
<d680f1c8-356e-4afa-94b3-2806e18279e1@VE1EUR03FT005.eop-EUR03.prod.protection.outlook.com>
Return-Path: newsletter@ivoryges.com
X-MS-Exchange-Organization-ExpirationStartTime: 11 Sep 2022 18:46:22.7092

Received: from BN7PR04MB3779.namprd04.prod.outlook.com (::1) by
DM5PR04MB3754.namprd04.prod.outlook.com with HTTPS; Sun, 11 Sep 2022 06:41:35
+0000
Received: from DS7PR03CA0040.namprd03.prod.outlook.com (2603:10b6:5:3b5::15)
by BN7PR04MB3779.namprd04.prod.outlook.com (2603:10b6:406:c4::16) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5612.20; Sun, 11 Sep
2022 06:41:35 +0000
Received: from DM6NAM12FT020.eop-nam12.prod.protection.outlook.com
(2603:10b6:5:3b5:cafe::46) by DS7PR03CA0040.outlook.office365.com
(2603:10b6:5:3b5::15) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5612.12 via Frontend
Transport; Sun, 11 Sep 2022 06:41:34 +0000
Authentication-Results: spf=neutral (sender IP is 146.255.184.7)
smtp.mailfrom=ivoryges.com; dkim=none (message not signed)
header.d=none;dmarc=fail action=quarantine
header.from=emailinfo.geeksquad.com;compauth=fail reason=000
Received-SPF: Neutral (protection.outlook.com: 146.255.184.7 is neither
permitted nor denied by domain of ivoryges.com)
Received: from mail88.sea91.rsgsv.net (146.255.184.7) by
DM6NAM12FT020.mail.protection.outlook.com (10.13.179.221) with Microsoft SMTP
Server id 15.20.5632.6 via Frontend Transport; Sun, 11 Sep 2022 06:41:34
+0000
X-IncomingTopHeaderMarker:
OriginalChecksum:4E2A18651089320D4F2C2C7435BD11BCB41D95B4F9EA68F8C824DCD5156D7AE4;UpperCasedChecksum:5102C0B6AADA048E599D05A57F54B636915552B83B484CC16E111CEDBAA35344;SizeAsReceived:246;Count:6
Content-type: text/html
To: XXX@hotmail.com
From: Weight loss secret; <geeksquad@emailinfo.geeksquad.com>
Subject: Stop exercising and dieting ASAP (it can LITERALLY kill you)
Date: Sun, 11 Sep 2022 02:41:33 -0400
X-IncomingHeaderCount: 6
Message-ID:
<2be5922a-aa96-43d7-892b-fc4f8504f858@DM6NAM12FT020.eop-nam12.prod.protection.outlook.com>
Return-Path: newsletter@ivoryges.com
X-MS-Exchange-Organization-ExpirationStartTime: 11 Sep 2022 06:41:34.7386

Was this reply helpful? Yes No
VictorIvanidze 13,073 on at

Like (0)

Report
Well there is a From: address:
From: Miracle Lash for Women ; <geeksquad@emailinfo.geeksquad.com>
Why can't you filter based on this?

Was this reply helpful? Yes No
Jeff2022 10 on at

Like (0)

Report

That is what puzzles me. I do have the flow set up to delete the email if "From" contains "geeksquad@" or if "Reply to" contains "geeksquad." But these are still getting through. I don't know if the reason has anything to do with the fact that these messages do not allow me to see the sender when hovering over the "from."
Thoughts?
Thanks,
Jeff

Was this reply helpful? Yes No
tedjohnson101 2 on at

Like (0)

Report

Same problem. I've tried every kind of filter as you did on the "From". It still gets through both Live.com and the Apple Mail spam blockers & filters.

Was this reply helpful? Yes No
VictorIvanidze 13,073 on at

Like (0)

Report

Show your flow - what kind of filters you are using?

Was this reply helpful? Yes No
Jeff2022 10 on at

Like (0)

Report

I've attached a pic of my flow.
Oddly, the latest round of spam no longer contains "geeksquad" as a secondary "from" but now contain "computingmi." So I have added "From contains computingmi" as a trigger to delete.
Jeff

20230422_123826.jpg

Was this reply helpful? Yes No