How to filter against "reply to" field in spam?
I have somehow ended up on a spammer's list and I'm getting dozens to hundreds of emails daily. The "subject" and "from" fields are different on every email but the "reply to" is always the same.
I've tried right-clicking the "reply to" email address and choosing "create filter from". "Reply to" isn't on the pick list of fields to filter against, so the filter is created against the subject field. End result is these messages end up in my inbox instead of being deleted prior to download.
Can anyone give me a workaround for this?
All Replies (18)
Ok, I think I found the answer - create a custom filter field "Reply-To". So far, so good.
I tried this solution: Reply-to, Reply_to, Reply-To, Reply_To, "Reply-to". None of them seem to work. Now I was testing this against my Trash folder where a bunch of these now lie. We'll see if one of these will keep this junk out of my Inbox. I suspect not. It would be nice if TBird would accept Reply to, but apparently the "space" is an unacceptable character.
A custom header has to match the syntax of the actual header seen in the message source (Ctrl+U), which is why Reply-to works and the others don't. The custom headers also appear in Classic Search (Ctrl+Shift+F), which is a good way to test the filter syntax.
I added the "Reply-to" filter this afternoon as shown in image 1. This evening I received another of these annoying emails with the same Reply to address as the others. I did the Ctrl-U thing and took a screen shot of the header info shown in image 2. Do I need to add the colon to my filter? Anybody know how to get this filter to screen out these stupid emails? I don't know why this isn't working.
The Reply-to in the message has < and > surrounding the address, so the 'is' rule won't act on them. It might work better with Reply-to + contains + matarovilla. Test it with Classic Search.
My filter is this
match any
Reply-To contains matarovilla
Delete from POP server
Delete message
I had to create "Reply-To" as a custom field. No special characters except the hyphen.
So far none of the spammy crap is making it through to my T-bird client. I'm seeing one occasionally in my phone's email client, which just tells me the message arrived between two scheduled polling sessions.
So I suppose the hot setup would be to log onto my ISP's webmail client and figure out how to filter these things at the server level...
I don't know why I can't get this to work. These dumb emails are driving my wife crazy too. I added a filter for Reply-To, contains, matarovilla and ran the filter against my inbox where 3 of these emails are sitting. Nothing. I then tried setting one up with the entire reply address and added the < and > at the beginning and end. I ran the message filters again. Nothing.
Now I have no problems filtering emails with a standard From email address. I have several of those and they work great, but I am having no luck getting this Reply-to filter to work. Any other ideas would be appreciated. Thanks.
It looks like you have multiple custom headers; delete the ones with quotation marks and underscores, keep Reply-to only. Keep it simple. Run one filter with one rule: Reply-to contains matarovilla, and run it manually to confirm its operation.
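Added example (not part of any post in this thread, and not Thunderbird's own code): a small Python model of the matching behaviour described in the replies above, showing why only the header's real name is found, why an 'is' rule on the bare address misses a value wrapped in < and >, and why 'contains' hits. The sample message, the local part "reply" and the function names are constructed for illustration; the last function goes one step further and parses the address to match on domain.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample headers; the local part "reply" and the From address are made up.
RAW = (
    'From: "Weekly Offers" <news@sender.example>\n'
    'Reply-To: <reply@gtin.matarovilla.icu>\n'
    'Subject: Your reward is waiting\n'
    '\n'
    'body\n'
)

def header_values(msg, name):
    """All values of a header. Lookup ignores case but the name must otherwise
    be spelled as in the message source (hyphen, no underscore, no quotes)."""
    return [str(v).strip() for v in msg.get_all(name, [])]

def header_is(msg, name, value):
    """Model of an 'is' rule: the whole header value must equal `value`."""
    return any(v.lower() == value.lower() for v in header_values(msg, name))

def header_contains(msg, name, needle):
    """Model of a 'contains' rule: substring match anywhere in the value."""
    return any(needle.lower() in v.lower() for v in header_values(msg, name))

def reply_to_in_domain(msg, domain):
    """Parse Reply-To addresses and match the domain or any subdomain of it."""
    domain = domain.lower()
    for _display, addr in getaddresses(header_values(msg, "Reply-To")):
        host = addr.rpartition("@")[2].lower()
        if host == domain or host.endswith("." + domain):
            return True
    return False

MSG = message_from_string(RAW)

if __name__ == "__main__":
    for name in ("Reply-to", "Reply_to", '"Reply-to"'):
        print(f"{name!r:14} contains matarovilla ->",
              header_contains(MSG, name, "matarovilla"))
    print("is bare address ->",
          header_is(MSG, "Reply-To", "reply@gtin.matarovilla.icu"))
    print("domain match    ->", reply_to_in_domain(MSG, "matarovilla.icu"))
```
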
Well, what do you know - I'm having nearly the same issue with the EXACT same spammer! Good ol' matarovilla.icu!
I even started a separate thread about it in this same forum yesterday. I don't want to get in trouble for cross-posting, so if this reply is out of bounds, somebody please just delete it. But I've made some progress, and thought I'd share in case it can help somebody else.
I, too, created a message filter with the "customized" header "Reply-to" - just like that, without the quotes - no colon, no spaces, and a dash between the "Reply" and "to". At first I thought it wasn't working...
...but just discovered that it is, in fact, working.
Originally, I had selected, under "Perform these actions" the drop-down menu choice, "Delete from POP server". But the emails were still showing up in my Inbox, so I assumed the filter wasn't working. [Note: I've created many such filters in the past as part of my "Block List", and never heard from those domains again.]
However, as a test, I then added a second action, namely, "Delete message", hit "OK", then "Run Now"... and Thunderbird deleted the spam from matarovilla.icu, i.e., it moved it to my "Trash" folder. Which means the "Reply-to" message filter WAS working.
So the only question that remains, at least for me, is: How do I get these spam emails to "Delete from POP server", which I've always interpreted to mean, be deleted at my ISP email server BEFORE they reach my Thunderbird Inbox?
Getting closer to a solution, I hope...
...because I can't wait to choke off this MAJOR irritant of a spammer.
I think the only way to have messages deleted on the server before downloading to TB is to apply a filter on the mail provider's webmail site. If that's not feasible, the Delete action will still work after it's downloaded. Messages are deleted from the POP server if 'Leave messages on server' is unchecked in the Server Settings for the account in Account Settings.
Although I'm not a POP-account user, I find it odd that there's even a 'Delete from POP server' filter action, as unlike with IMAP accounts, the communication between a mail client and a POP server is one way - the client just contacts the server periodically and downloads the Inbox. It can't, except when fetching new mail, send a command to delete from a POP account.
Hooray! I got it that time. All help is greatly appreciated. I got rid of all the numerous variations that I was trying and set up a simple Reply-to contains matarovilla and ran it against my inbox - which after today, contained 7 or 8 new spam messages. Voilà! Gone! Well, I know that they are in my Trash folder, but that's ok. I go in there once in a while and just mass delete anything older than about a month or so. Anyway, thanks one and all for your help with this. Now I just need to go set this up on my wife's computer. Happy Thanksgiving!
For what it's worth... I've been thinking about this issue. My wife and I play Candy Crush and a couple of other King games on our pad. A couple of weeks ago, my wife lost her progress in the game she was playing, but found that by opening an account with King, she could recover it. She convinced me (stupid me) that I should sign up so that if anything ever happened to my game, I too, could recover my progress. We are not Facebook users so we did the email signup. Within 24 to 48 hours of registering with King, these spam emails began showing up. Coincidence? I don't think so. Whether they are hacked or provide lists to people, who knows. And now my game is full of ads I never had to deal with before. I have not done anything else in several months that I believe would be the source of this junk. Just sayin'...
I think the only way to have messages deleted on the server before downloading to TB is to apply a filter on the mail provider's webmail site. If that's not feasible, the Delete action will still work after it's downloaded.
My ISP is Spectrum cable (pity me). I went through the arduous process of recovering my "webmail master account login" (which is different from my normal Spectrum account - why, Spectrum, why?) and finally discovered an area to "Filter and Block Senders"...
...except, unlike Thunderbird, you cannot create a "customized" message filter here (such as the "Reply-to" necessary to block this spammer).
*sigh* So I guess there's no way for me to block this guy at the server, before Thunderbird downloads his spam.
FYI, like slider38 above, this spam occurred almost immediately after I started setting up a new cell phone via WiFi - like, within minutes. Seems way too coincidental to me.
I guess I can delete the load of spam this guy sends every day from my Trash folder, but it feels a little bit like a win for the devious spammer with his "Reply to" message filter dodge technique.
In any case, special thanks to sfhowes for all your help and replies to both of these "matarovilla.icu" threads. I appreciate it.
I too am a Spectrum victim. My webmail UI has an option to "block email addresses or entire domains". I've only this morning had time to investigate this, so don't know yet if adding "matarovilla.icu" to that blacklist will have any effect.
I suppose when I don't see the occasional spam on my phone I'll know it's working...
Unfortunately, I already tried that. I added "gtin.matarovilla.icu" (the portion of the spammer's "Reply to" email address that comes after the "@" symbol) to my "Blocked domains" list on my Spectrum "Webmail" account.
It didn't work.
I'm still getting spam from the same guy (dozens yesterday, which was Black Friday). Yes, the spam emails are at least getting filtered by Thunderbird to my Trash folder...
...but it's not ideal.
Let me know if you find anything that works!
Well, this is interesting.
Early on 11/30 I added this blacklist line item to webmail:
Settings > Filters > Blocked Senders > matarovilla.icu
As of this morning I have nothing in webmail spam or trash folders from this sender that is newer than 11/26.
11/26 is, I think, the day I finally sorted my T-bird filter.
So either Spectrum has blocked this sender at the enterprise level, or my webmail filter is working. Or both.
Also, I'm not seeing any of this crap in my phone's email client. Should have mentioned...
I think it must be Spectrum, rather than your individual email filter, because I added the same filter before you on my Spectrum webmail account... and it didn't work (I think it only filters the "Sender" domain).
However, on the bright side, like you, I have NOT received any spam from this guy for the past couple days.
I think this spammer was such a nuisance, and so many people were complaining (do a Google search - you'll find threads all over the place about "matarovilla.icu") that something finally got done about it. I'm not sure who or where or how...
...but I'm glad to be (hopefully) rid of this villain!