Solved

Filtering spam pretending to be from a legit domain

Posted on 2013-06-21
353 Views
Last Modified: 2013-06-24
We receive many spam messages pretending to be from someone with a legit domain name. How do I block this? I have the GFI spam filter, but I want to know the general technique for doing it, such as checking reverse domain lookup or SPF. I enabled both in the past, but since many sending email servers out there were probably not set up properly, I noticed more false positives.
Question by:crcsupport
4 Comments
 
LVL 12

Assisted Solution

by:Julian123
Julian123 earned 250 total points
ID: 39266685
I have good results using RBLs by Spamhaus.org: http://www.spamhaus.org/. Have you tried that?
0
 
LVL 1

Author Comment

by:crcsupport
ID: 39266716
So do I just add zen.spamhaus.org to get the benefit of the 3 block lists?
I think I used it a long time ago; I don't know why I stopped using it.
0
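To show what adding zen.spamhaus.org to the filter actually does, here is an added example in Python; it is not code from either poster and has nothing GFI-specific in it. A DNSBL lookup is an ordinary DNS query: the connecting IP's octets are reversed and prefixed to the list zone, and the A record that comes back (if any) encodes which list matched. ZEN combines SBL, XBL and PBL, and the last octet of the answer tells them apart. The answer table below is constructed so the block runs offline; the sender IP from this thread is left unlisted.

```python
import ipaddress
import socket

ZEN_ZONE = "zen.spamhaus.org"

# Answer codes Spamhaus documents for ZEN: the last octet says which of the
# combined lists hit. Anything outside this table is an error or an unknown
# code and must not be treated as a listing.
ZEN_CODES = {
    "127.0.0.2": "SBL",      # Spamhaus Block List (verified spam sources)
    "127.0.0.3": "SBL-CSS",  # SBL automated (CSS) listings
    "127.0.0.4": "XBL",      # Exploits Block List (compromised hosts / bots)
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.10": "PBL",     # Policy Block List, ISP maintained (end-user space)
    "127.0.0.11": "PBL",     # Policy Block List, Spamhaus maintained
}


def dnsbl_query_name(ip, zone=ZEN_ZONE):
    """Build the lookup name: the IPv4 octets reversed, under the list zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this helper builds IPv4 query names only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def resolve_a(name):
    """Live resolver: A records for name; socket.gaierror on NXDOMAIN."""
    return socket.gethostbyname_ex(name)[2]


def check_ip(ip, resolve=resolve_a):
    """Query ZEN for ip. 'listed' is True only for a documented listing code."""
    name = dnsbl_query_name(ip)
    try:
        answers = resolve(name)
    except socket.gaierror:          # NXDOMAIN: the list has no entry for this IP
        return {"query": name, "listed": False, "hits": [], "errors": []}
    hits = [ZEN_CODES[a] for a in answers if a in ZEN_CODES]
    errors = [a for a in answers if a not in ZEN_CODES]
    return {"query": name, "listed": bool(hits), "hits": hits, "errors": errors}


def fake_resolver(table):
    """Offline stand-in for resolve_a backed by a constructed answer table."""
    def resolve(name):
        if name not in table:
            raise socket.gaierror(f"NXDOMAIN {name}")
        return list(table[name])
    return resolve


# Constructed answers for the offline run (not real query results):
# 127.0.0.2 is the conventional DNSBL test entry and is shown hitting all
# three lists; 70.35.36.45 (the sender IP in this thread) is left unlisted to
# mirror the observation that a fresh sender IP is not in a block list yet;
# 192.0.2.1 returns a code outside the table, which is reported, not counted.
CONSTRUCTED_ANSWERS = {
    "2.0.0.127.zen.spamhaus.org": ["127.0.0.2", "127.0.0.4", "127.0.0.10"],
    "1.2.0.192.zen.spamhaus.org": ["127.255.255.254"],
}

if __name__ == "__main__":
    offline = fake_resolver(CONSTRUCTED_ANSWERS)
    for ip in ("127.0.0.2", "70.35.36.45", "192.0.2.1"):
        print(ip, check_ip(ip, resolve=offline))
```

Two practical points. Only the IP of the hop that actually connected to your server is worth querying; IPs inside the other Received lines were supplied by the sender and can be anything. And run the live lookups through your own recursive resolver: Spamhaus refuses queries arriving via the big public resolvers, and a refusal comes back as an answer outside the code table rather than as NXDOMAIN, which is why `listed` keys only off documented codes.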
 
LVL 1

Author Comment

by:crcsupport
ID: 39266737
Looking at the header, how do I know if it's from the legit domain or from someone pretending to be from the forged domain? I need help interpreting the routing part of the header.

"Microsoft Mail Internet Headers Version 2.0
Received: from 70-35-36-45.static.wiline.com ([70.35.36.45]) by mail.xxxxx.com with Microsoft SMTPSVC(x.x.xxx.xx..xx);
       Fri, 21 Jun 2013 12:18:35 -0400
Received: from unknown (HELO uslitintrl01.us.lexisnexis.com) ([10.69.142.113])
  by uscwygtw06.dnb.com with ESMTP; Fri, 21 Jun 2013 08:18:32 -0800
Received: from dbpliupap113.us.dnb.com ([158.151.64.113])
  by uslitintrl03.us.lexisnexis.com with ESMTP; Fri, 21 Jun 2013 08:18:32 -0800
Date: Fri, 21 Jun 2013 08:18:32 -0800"


The complete header is below.



HEADER INFO
======================
X-Antivirus: xxxxx for E-mail
Microsoft Mail Internet Headers Version 2.0
Received: from 70-35-36-45.static.wiline.com ([70.35.36.45]) by mail.xxxxx.com with Microsoft SMTPSVC(x.x.xxx.xx..xx);
       Fri, 21 Jun 2013 12:18:35 -0400
Received: from unknown (HELO uslitintrl01.us.lexisnexis.com) ([10.69.142.113])
  by uscwygtw06.dnb.com with ESMTP; Fri, 21 Jun 2013 08:18:32 -0800
Received: from dbpliupap113.us.dnb.com ([158.151.64.113])
  by uslitintrl03.us.lexisnexis.com with ESMTP; Fri, 21 Jun 2013 08:18:32 -0800
Date: Fri, 21 Jun 2013 08:18:32 -0800
From: "LexisNexis" <einvoice.notification@lexisnexis.com>
To: <xxxx.xxxx@xxxxxxxx.com>,
      <xxxx@xxxxxxxxx.com>
Message-ID: <228014310.11702817837043755.JavaMail.www@smtp-gw.us.lexisnexis.com>
Subject: Invoice Notification for June 2013
MIME-Version: 1.0
Content-Type: multipart/mixed;
      boundary="----=_Part_3600_128155292.1069652046677"
X-Nonspam: None
Return-Path: no-reply@intuit.com
X-OriginalArrivalTime: 21 Jun 2013 16:18:35.0360 (UTC) FILETIME=[FAE42E00:01CE6E9A]

------=_Part_3600_128155292.1069652046677
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

------=_Part_3600_128155292.1069652046677
Content-Type: multipart/related;
 boundary="----=_Part_3600_128155292.1069652046677"

------=_Part_3600_128155292.1069652046677
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit

------=_Part_3600_128155292.1069652046677
Content-Type: application/zip;
 name="LexisNexis_Invoice_06212013.zip"
Content-Transfer-Encoding: base64
Content-ID: <f5e76648a161$42c24e5b$e55413e6$SYYEELD>
Content-Disposition: inline;
 filename="LexisNexis_Invoice_06212013.zip"


------=_Part_3600_128155292.1069652046677--


------=_Part_3600_128155292.1069652046677--
==================================================
0
 
LVL 32

Accepted Solution

by:aleghart
aleghart earned 250 total points
ID: 39267325
The hop immediately before your equipment is most likely a genuine IP address. The hostname may or may not be forged.


70.35.36.45 belongs to a furniture company, "SFO Business Centers".

I don't think either Dun & Bradstreet or LexisNexis would be routing their email through a small business.

The rest of the headers are forged.

This IP is not in the SORBS database yet, so a simple RBL would not have caught it. Also, if this is a targeted attack, it will likely never get into an RBL. A targeted attack sends out only a handful of customized messages to specific addresses, not thousands.
0
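To turn the reasoning in this answer, and the earlier question about reading the routing part of the header, into a repeatable check, here is an added example in Python; it is not code from either poster. Received headers are prepended by each server the message passes through, so the topmost one was written by the receiving server and is the only one whose peer IP is known to be real; everything beneath it arrived inside the message. The sample is constructed from the header posted in this thread, with the recipient's domain left redacted as the poster had it, and the script flags the tells that are visible in it.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the routing and envelope headers from the header posted
# in this thread, recipient domain redacted as the poster left it.
SAMPLE_HEADER = """\
Received: from 70-35-36-45.static.wiline.com ([70.35.36.45]) by mail.xxxxx.com with Microsoft SMTPSVC(x.x.xxx.xx..xx);
       Fri, 21 Jun 2013 12:18:35 -0400
Received: from unknown (HELO uslitintrl01.us.lexisnexis.com) ([10.69.142.113])
  by uscwygtw06.dnb.com with ESMTP; Fri, 21 Jun 2013 08:18:32 -0800
Received: from dbpliupap113.us.dnb.com ([158.151.64.113])
  by uslitintrl03.us.lexisnexis.com with ESMTP; Fri, 21 Jun 2013 08:18:32 -0800
Date: Fri, 21 Jun 2013 08:18:32 -0800
From: "LexisNexis" <einvoice.notification@lexisnexis.com>
Subject: Invoice Notification for June 2013
Return-Path: no-reply@intuit.com

(body omitted)
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<name>\S+)"                              # rDNS name the receiver recorded
    r"(?:\s+\(HELO\s+(?P<helo>[^)]+)\))?"                # optional HELO clause
    r"\s*\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)"      # peer IPv4 address
    r"\s+by\s+(?P<by>\S+)",                              # host that wrote this header
    re.IGNORECASE,
)


def parse_received(value):
    """Return dict(name, helo, ip, by) for one Received header, or None."""
    flat = " ".join(value.split())               # unfold continuation lines
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    hop = m.groupdict()
    hop["helo"] = hop["helo"] or hop["name"]     # no HELO clause: name doubles as HELO
    return hop


def domain_of(header_value):
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def in_domain(host, domain):
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def analyse(raw_message):
    msg = message_from_string(raw_message)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    if not hops:
        return {"peer_ip": None, "hops": [], "findings": ["no parsable Received headers"]}
    findings = []

    # hops[0] was written by the receiving server, so its IP is the real peer.
    # Every later hop was supplied by that peer and may be fabricated.
    peer = hops[0]
    from_dom = domain_of(msg["From"])
    rp_dom = domain_of(msg["Return-Path"])

    if from_dom and not in_domain(peer["name"], from_dom):
        findings.append(f"peer rDNS {peer['name']} is not under From domain {from_dom}")
    if from_dom != rp_dom:
        findings.append(f"From domain {from_dom} differs from Return-Path domain {rp_dom}")

    for i in range(1, len(hops)):
        hop, outer = hops[i], hops[i - 1]
        if ipaddress.ip_address(hop["ip"]).is_private:
            findings.append(f"hop {i}: private address {hop['ip']} presented as a relay")
        # The host that claims to have received hop i should be the host that
        # handed the message to the next (outer) server. Heuristic only:
        # multi-homed relays can legitimately answer to different names.
        if hop["by"].lower() not in (outer["name"].lower(), outer["helo"].lower()):
            findings.append(f"hop {i}: by {hop['by']} but the outer hop came from {outer['name']}")

    return {"peer_ip": peer["ip"], "hops": hops, "findings": findings}


if __name__ == "__main__":
    for line in analyse(SAMPLE_HEADER)["findings"]:
        print(line)
```

On this message the script reports the peer's reverse name (wiline.com) not belonging to the From domain, the From/Return-Path mismatch (lexisnexis.com against intuit.com), a private 10.x address posing as a relay, and two breaks in the hand-off chain. One caveat on SPF, since the question raised it: SPF is evaluated against the envelope sender, which here is the Return-Path domain intuit.com, not the lexisnexis.com shown in From; a passing SPF result for the envelope domain says nothing about the display domain unless you also require alignment between the two.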
