Home Forums Networks & Cross-Platform Networking Apple Mail - Spam

I am getting at least 15-20 Spam emails from foreign countries, as evidenced by the .uk, for example, at the end of the senders email address. I'm up to 25+ different countries and counting. I'm writting a rule for each country that says if senders email address contains .uk, for example, delete the email. So far I have 25+ rules, one for each country designation.

Does anyone have a suggestion how I can write a rule that would globally delete emails from everywhere with a . '2 letter country designation' ?

Thanks in advance.

I'm not sure exactly what rule you want to create. Please repost with a copy of a complete address so we can see precisely what you're trying to do.

It is not a rule, but I have had good success using Spamsieve and they have a free trial.

Upfront disclosure....this is not going to help much.

Very often, it's the same spammer with a bunch of different pitches and different ways of addressing them. I usually look for something that is common...such as wording in the Subject or Message. However, I have found that, while it will clear out everything that day, the Spammers still come back. It seems they have figured out how to get around Apple Mail Rules.

Without changing the gist of your thread I'm glad you raised the issue of spam blocking because Apple Mail now has a way of assigning "Block Contact" to spammers but, like Apple Mail Rules, it doesn't seem to work either. Maybe it needs to be a chore-specific piece of software as joemike suggests.

This is an address from one of the many spam emails I receive : yasmin.fsh_2250@fsh.kfs.edu.eg . The .eg is the designation for Egypt. I've got 25+ rules, 1 for each different country I receive spam from. Rather than 25+ rules I'd like a rule that would delete any email that has a 2 digit country designation.

I know how you feel about AOL, which, as I've said before, was foisted on me by Verizon when they migrated their own email service, but I can say that virtually no spam gets past whatever software they're running.

I'm far from a Mail rules expert, but I've played around with them in the past, and I can't even begin to guess.

Hmmm... OK, I'll take a shot: How about if you create a new mailbox and direct anything that includes neither .com nor .net to it? Two rules rather than one, and you'll have to check the new mailbox periodically, because there are other good top level domains, but far better than what you've got now if it works.

You could test the theory by turning off your 25+ rules, rather than deleting them, to see what happens.

Good luck!

I don't know if this will work in Mail rules or not but you might try a condition like


each question mark is a wildcards for any character so that should identify any two character domain name.

However, if you start opening those messages and performing a detailed look at the header, you may find the actual from address is something else entirely that is not actually "seen" by Mail's rule processor. In fact they may all be coming from the same IP address. Blocking the IP address is the best protection, but beyond the scope of Mail's rules as there is no provision to search for an IP address. There are a number of email header analysis sites, but the one I generally use is What Is My IP?. Try running those emails through their analysis and look for some common element that Mail rules can "see" and operate on.

That is a lot of work, and the common element can and will change every few days or hours. I use SpamSieve because have a large team of experts that continually monitor spam activity and adapt their product to keep up, and SpamSieve, like Mail, learns what you consider spam so it adapts to your tastes.

Thanks, I'm going to give the .?? a try and see what happens. . . will report back.

I'm curious to learn how joemike's "??" approach works out.

Thinking about it, it's probably 100% unlikely that your spam is actually coming in from all around the world, and I'll also note that if it works, the rule will block legitimate mail from .us domains which, I've read, are popular.

To exclude the .US domain from being deleted change the mail rule to this. This would send any emails from a domain that only has two characters in it except the .us domain or anyone in your contacts or you had previously sent an email to.

This is weird. I copy/pasted the email addresses from 3 different emails into the WhatsmyIP.com and got this message: "Source IP could not be found".

I tried the .?? rule and had those emails sent to the Trash. All 3 emails were in the Junk Box not the Trash. When I did a 'right click' and Apply Rules they were deleted.

I also looked at that site and think it wants the entire Header, not just addresses. to get to your Apple Mail Header: Click on the Email Message, then follow View>Message>All Headers. The Headers are quite long with a lot of information the site likely needs.

Deleted, rather than sent to trash as per your rule? Yep, weird.

It sounds to me as if the rule did what it was supposed to do, but given all your rules there is no telling which rule was in effect or in what sequence the rules were executed or when. Mail Rules only apply to messages in the Inbox folder.

1. Modify your rule one more time to look like this.
2. Drag the rule to the top of the rule list
3. As a belt and suspenders step, deactivate all the other rules.
4. Re-run your test and see what happens

NOTE 1: In my test rule I moved the suspect files to Junk which gives you the opportunity to take a personal look before deleting but you could just as easily choose to delete the message or move the message to Trash

NOTE 2: Assuming a successful test don't forget to go back and delete any of the rules that are no longer needed and re-activate the rest.

Ryck is exactly correct.

1. Select the message in mail
2. Press ⇧⌘H to reveal all the headers
3. click anywhere in the message
4. press ⌘A to copy the entire message and all the headers
5. Go to the WhatIsMyIP in Safari
6. click anywhere in the header entry box and press ⌘V
7. Click on Analyze

I just checked one of this mornings Spam emails. The location is Palo Alto, CA and the service provider is Comcast, which is also my email provider. I just called Tech Support and reported this.

I wouldn't be surprised if Comcast had no part of the entire thing other than delivering the email to your account and the rest of the header information was entirely spoofed.

If you want to minimize the number of messages you see, you could set up a Whitelist rule like this. Of course, that means only those you contact first will ever be able to contact you. Instead of deleting the messages, you might move them to Spam or another folder where you could scan them and have the opportunity to add the sender to your contacts list.

I was not suggesting that Comcast was in any way responsible. I was just alerting them that one of their customers was sending out a lot of SPAM. I have since checked 2 more emails and these were from somewhere in Illinois and also Comcast IP addresses. Going out on a short limb and guessing that the majority of 'foreign designated' SPAM I'm getting is from US and Comcast IP's.

This all started when a good friend, also a Comcast customer, was hacked and I started getting a flood of SPAM emails all with foreign designations. I did not realize that the information to the right of the '@' could be spoofed.

Does my suggestion of creating rules to allow only mail with .com, .net, .us, and maybe .org and .edu look any better now?

The domain can be, but what you are describing has echos of an almost forgotten past. I'll bet your friend is on a Windows PC and either has no antivirus software or the signature file is long out of date.

I haven't needed to recommend this in years, but I strongly urge you to go to Spamcop.net and report each and every one of the spam emails you are receiving. I even more strongly urge you to go to Settings > Network > Details > DNS
and enter the IP of a public DNS server from this list instead of Comcast's default DNS server. (I never use an ISP's DNS server out of long habit but that is another related topic out of ancient history.)

I changed my DNS servers a couple of months ago. Yes my friend is using a Windows PC. I used SpamCop many years ago but haven't had any spam issues for quite some time until this hacking. I had completely forgot about SpamCop, thanks for reminding me.