FOPE rule syntax query - Headers

  • Question

  • I'm trying to create a rule in FOPE to block spam emails from a known marketing company. The only common element I can see in emails they send on behalf of their various clients is in the header field name "Return-Path", which always has a value of *@in.marketingco.com, where * is a random set of characters, mostly alphanumerics. Can you advise if a rule using the following header values and syntax will work:

    Field Name Match: "Return-Path" (without the quotes)

    Field Value Match (Basic): "*@in.marketingco.com" (without the quotes)

    Thanks

    CM

    Monday, April 11, 2011 3:07 PM

Answers

  • Hi,

    Ideally, you would want to submit those spam messages as per the spam submission article:

    http://technet.microsoft.com/en-us/library/ff715038.aspx

    The "return-path" header isn't in all messages, and could easily be changed by the sender.

    A better option would be to block the IP address from where the mail is being generated.

    If this is an urgent issue, please open a ticket from Admin Center and someone will contact you to help with whichever route you choose.

    Kemper - MSFT

    Monday, April 18, 2011 8:21 PM

All replies

  • Anyone from Microsoft (or elsewhere) able to offer any help on this please?
    Monday, April 18, 2011 11:27 AM
  • Kemper - thanks for your reply.

    Unfortunately, the volume of messages and number of recipients involved is such that I'd rather block these at the point of entry. I've also established there are at least a dozen different originating IP addresses (which can of course be changed easily too), so that's not a long-term option.

    The common element I see in all their messages is the Return-Path field entry which, while I realise it can change, hasn't done so far. So, I'd like to create a blocking rule using this value and, to my original question, what would be the appropriate syntax to block emails with the typical Return-Path field entry as you see below?

    ESC1105203570894_1104240616418_14551_r20@in.marketingco.com

    Thanks

    CM

    Thursday, April 21, 2011 11:26 AM
  • Hi,

    After some digging, it looks like there are 2 reasons why it won’t work:

    1. Reject and Quarantine are unavailable actions for "header" match
    2. Return-path is a special header that is used for routing, and a policy rule match won’t see that header.

    I'd still highly recommend submitting the messages to the spam team; they can create rules to block these messages if they are indeed spam.

    Kemper - MSFT

    Friday, April 22, 2011 11:03 PM
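
Added example, not part of the thread and not FOPE rule syntax: an offline Python check over saved spam samples that measures how often the Return-Path wildcard from the question actually matches, how many samples lack the header, and which connecting IPs the matching mail came from. The sample messages, the function names, and the assumption that the topmost Received header carries the connecting IP in square brackets are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from fnmatch import fnmatchcase

PATTERN = "*@in.marketingco.com"  # wildcard value from the question
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # bracketed IPv4 in Received

def sample(return_path, ip):
    """Build a constructed test message; not real mail."""
    rp = f"Return-Path: {return_path}\n" if return_path else ""
    return (rp + f"Received: from mta.example.net ([{ip}]) by mx.example.org; "
            "Mon, 11 Apr 2011 10:00:00 +0000\n"
            "From: Offers <news@client.example>\nSubject: Sale\n\nbody\n")

# Constructed samples; IPs come from the RFC 5737 documentation ranges.
SAMPLES = [
    sample("<ESC1_r20@in.marketingco.com>", "192.0.2.10"),
    sample("<ESC2_r21@IN.MarketingCo.com>", "198.51.100.7"),  # case differs
    sample(None, "192.0.2.10"),                               # header absent
    sample("<x@in.marketingco.com.example>", "203.0.113.5"),  # look-alike
]

def classify(raw, pattern=PATTERN):
    """Return (verdict, connecting_ip) for one saved message."""
    msg = message_from_string(raw)
    header = msg.get("Return-Path")
    if header is None:
        verdict = "missing"
    else:
        addr = parseaddr(header)[1].lower()
        verdict = "match" if fnmatchcase(addr, pattern.lower()) else "other"
    received = msg.get_all("Received") or []
    found = IP_RE.search(received[0]) if received else None  # topmost hop
    return verdict, (found.group(1) if found else None)

def summarize(raw_messages, pattern=PATTERN):
    """Count verdicts and collect connecting IPs of matching messages."""
    counts = {"match": 0, "other": 0, "missing": 0}
    ips = set()
    for raw in raw_messages:
        verdict, ip = classify(raw, pattern)
        counts[verdict] += 1
        if verdict == "match" and ip:
            ips.add(ip)
    return counts, sorted(ips)

if __name__ == "__main__":
    print(summarize(SAMPLES))
```

A non-zero "missing" count or a long IP list from a run like this is the kind of evidence worth attaching to a spam submission or support ticket.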