Solved

Is this a kind of phishing? How to disable it?

Posted on 2011-02-21
10
1,384 Views
Last Modified: 2013-11-08
This is using MailScanner 5.x in CentOS. Recently, a user comes to me and inform me she received the following notification mails, with following error:

MailScanner has detected a possible fraud attempt from "sg.jobstreet.com" claiming to be JobStreet.com

This could be due to link tracking. Can I disable it? Please help!
0
Comment
Question by:Balack
  • 3
  • 2
  • 2
  • +1
10 Comments
 
LVL 7

Expert Comment

by:wct296
ID: 34949017
Technically what is happening is that mailscanner is doing either a reverse PTR record lookup or a simple name server lookup on the IP from where the email came from..

Are you the owner of the domain jobstreet or are you just receiving alerts from it and want them to stop?
0
 
LVL 7

Expert Comment

by:wct296
ID: 34949027
I guess to give a bit of background...

when mailscanner receives and email from blah@jobstreet.com - it seems to be coming from 203.142.21.51 (sg.jobstreet.com) which is the actual server sending emails. Mailscanner wants to make sure that the email seems legit, so it does a either an MX or PTR records check on that domain, jobstreet.com... the MX record reports that jobstreet.com's mail server is 202.157.139.90 - which is obviously quite different.

If its doing a PTR records lookup, its saying that jobstreet responsible mail server is netops.jobstreet.com - which according to my testing, doesnt resolve at all..

So in short - its a misconfiguration of the jobstreet DNS/servers.. If you do not control it you cannot do anything about it. You do not want to relax your mailscanner settings if you can avoid it, mailscanner is working as it should
0
 

Author Comment

by:Balack
ID: 34952408
So, that means this could be a reverse DNS records lookup? Can this function be disable in MailScanner? Only for jobstreet? or all?
0
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

 
LVL 62

Expert Comment

by:gheist
ID: 34969763
Mailscanner works too late
Mail is already in your hands, you accepted it, so sending NDR would only multiply grief of spam.

You need to perform DNS lookups while in SMTP session.
What is your MTA?
0
 
LVL 19

Expert Comment

by:billmercer
ID: 34984582
This doesn't look like a phishing attempt, it looks like a company with multiple domains that has decided to send mail from an alternate server. Both servers belong to the same company, so it's not some sort of impersonation attempt.

If you need to receive mail from this Jobstreet company for some reason, you could whitelist them. Other than that, there's nothing you need to do on your end.
0
 

Author Comment

by:Balack
ID: 34987775
Already whitelisted both of them, but still the same problem...
0
 
LVL 19

Accepted Solution

by:
billmercer earned 500 total points
ID: 34998218
If you look at the actual text of the incoming message, does it have a link in the message where the link text looks like a URL? If so, and the URL in the text doesn't match the actual URL of the link itself then this will trigger this warming. If this is the case, then the sender of the message is really who needs to fix this, as it will cause this problem in other places as well.

You might try adding the jobstreet domains to the phishing.safe.sites.conf file. That may resolve it for you. However You might also ask to have MailScanner add these domains to their master list.

See http://www.mailscanner.info/phishing.safe.sites.conf.master for more info



0
 

Author Closing Comment

by:Balack
ID: 35005762
good
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Easy CSR creation in Exchange 2007,2010 and 2013
This is my first article on Expert Exchange on the Manual Method of Exporting Office 365 Mailboxes to PST format by using the eDiscovery mechanism of Office. Hope you will enjoy the article.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

837 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question