Balack
asked on
Is this a kind of phishing? How to disable it?
This is using MailScanner 5.x in CentOS. Recently, a user came to me and informed me that she had received the following notification mails, with the following error:
MailScanner has detected a possible fraud attempt from "sg.jobstreet.com" claiming to be JobStreet.com
This could be due to link tracking. Can I disable it? Please help!
I guess to give a bit of background...
When MailScanner receives an email from blah@jobstreet.com - it seems to be coming from 203.142.21.51 (sg.jobstreet.com), which is the actual server sending emails. MailScanner wants to make sure that the email seems legit, so it does either an MX or PTR record check on that domain, jobstreet.com... the MX record reports that jobstreet.com's mail server is 202.157.139.90 - which is obviously quite different.
If it's doing a PTR record lookup, it's saying that jobstreet's responsible mail server is netops.jobstreet.com - which, according to my testing, doesn't resolve at all.
So in short - it's a misconfiguration of the jobstreet DNS/servers. If you do not control it, you cannot do anything about it. You do not want to relax your MailScanner settings if you can avoid it; MailScanner is working as it should.
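The comparison described in the answer above, as an added Python example that is not part of the original thread and is not MailScanner's own code: it evaluates a sending IP against the domain's MX address and PTR name, using a constructed lookup table in place of live DNS. The table contents (including reading netops.jobstreet.com as the PTR name), the function names and the verdict labels are assumptions made for illustration.

```python
# Added illustration, not MailScanner code. The DNS answers are constructed
# from the values quoted in the thread; a live check would query a resolver.
DNS = {
    ("MX_ADDR", "jobstreet.com"): ["202.157.139.90"],    # MX address as reported
    ("PTR", "203.142.21.51"): ["netops.jobstreet.com"],  # assumed reading of the answer
    # No ("A", "netops.jobstreet.com") entry: reported as not resolving.
}


def lookup(rtype, name):
    """Return the constructed answers for a record, or [] when there is none."""
    return DNS.get((rtype, name.lower().rstrip(".")), [])


def org_domain(host):
    """Naive registrable domain (last two labels); real code needs the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_sender(client_ip, from_domain):
    """Compare the connecting IP with the MX address and PTR name of the sender domain."""
    ptr_names = lookup("PTR", client_ip)
    result = {
        # Is the connecting IP the address the domain's MX points at?
        "ip_is_mx": client_ip in lookup("MX_ADDR", from_domain),
        # Does the reverse name fall under the sender's domain?
        "ptr_in_sender_domain": any(
            org_domain(n) == org_domain(from_domain) for n in ptr_names
        ),
        # Forward-confirmed reverse DNS: the PTR name must resolve back to the IP.
        "fcrdns": any(client_ip in lookup("A", n) for n in ptr_names),
    }
    if result["ip_is_mx"] or result["fcrdns"]:
        result["verdict"] = "consistent"
    elif result["ptr_in_sender_domain"]:
        result["verdict"] = "same-domain-unconfirmed"
    else:
        result["verdict"] = "mismatch"
    return result


if __name__ == "__main__":
    print(check_sender("203.142.21.51", "jobstreet.com"))
```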
ASKER
So, that means this could be a reverse DNS record lookup? Can this function be disabled in MailScanner? Only for jobstreet, or for all?
MailScanner works too late.
Mail is already in your hands, you accepted it, so sending an NDR would only multiply the grief of spam.
You need to perform DNS lookups while in the SMTP session.
What is your MTA?
This doesn't look like a phishing attempt, it looks like a company with multiple domains that has decided to send mail from an alternate server. Both servers belong to the same company, so it's not some sort of impersonation attempt.
If you need to receive mail from this Jobstreet company for some reason, you could whitelist them. Other than that, there's nothing you need to do on your end.
ASKER
Already whitelisted both of them, but still the same problem...
ASKER
good
Are you the owner of the domain jobstreet or are you just receiving alerts from it and want them to stop?