Solved

Filtering spam pretending to be from a legit domain.

Posted on 2013-06-21
Last Modified: 2013-06-24
We receive many spam messages pretending to be from someone with a legit domain name. How do I block this? I have a GFI spam filter, but want to know the general technique to do it, such as checking reverse domain lookup or SPF. I enabled both in the past; since many sending email servers out there were probably not set up properly, I noticed more false positives, though.
Question by:crcsupport
4 Comments
 
LVL 12

Assisted Solution

by:Julian123
Julian123 earned 250 total points
ID: 39266685
I have good results using RBLs by Spamhaus.org: http://www.spamhaus.org/. Have you tried that?
 
LVL 1

Author Comment

by:crcsupport
ID: 39266716
So just add zen.spamhaus.org to get the benefit of the 3 block lists?
I think I used it a long time ago; I don't know why I stopped using it.
 
LVL 1

Author Comment

by:crcsupport
ID: 39266737
Looking at the header, how do I know if it's from the legit domain or from someone pretending, using a forged domain? I need help interpreting the routing part of the header.

"Microsoft Mail Internet Headers Version 2.0
Received: from 70-35-36-45.static.wiline.com ([70.35.36.45]) by mail.xxxxx.com with Microsoft SMTPSVC(x.x.xxx.xx..xx);
       Fri, 21 Jun 2013 12:18:35 -0400
Received: from unknown (HELO uslitintrl01.us.lexisnexis.com) ([10.69.142.113])
  by uscwygtw06.dnb.com with ESMTP; Fri, 21 Jun 2013 08:18:32 -0800
Received: from dbpliupap113.us.dnb.com ([158.151.64.113])
  by uslitintrl03.us.lexisnexis.com with ESMTP; Fri, 21 Jun 2013 08:18:32 -0800
Date: Fri, 21 Jun 2013 08:18:32 -0800"

The complete header is below.

HEADER INFO
======================
X-Antivirus: xxxxx for E-mail
Microsoft Mail Internet Headers Version 2.0
Received: from 70-35-36-45.static.wiline.com ([70.35.36.45]) by mail.xxxxx.com with Microsoft SMTPSVC(x.x.xxx.xx..xx);
       Fri, 21 Jun 2013 12:18:35 -0400
Received: from unknown (HELO uslitintrl01.us.lexisnexis.com) ([10.69.142.113])
  by uscwygtw06.dnb.com with ESMTP; Fri, 21 Jun 2013 08:18:32 -0800
Received: from dbpliupap113.us.dnb.com ([158.151.64.113])
  by uslitintrl03.us.lexisnexis.com with ESMTP; Fri, 21 Jun 2013 08:18:32 -0800
Date: Fri, 21 Jun 2013 08:18:32 -0800
From: "LexisNexis" <einvoice.notification@lexisnexis.com>
To: <xxxx.xxxx@xxxxxxxx.com>,
      <xxxx@xxxxxxxxx.com>
Message-ID: <228014310.11702817837043755.JavaMail.www@smtp-gw.us.lexisnexis.com>
Subject: Invoice Notification for June 2013
MIME-Version: 1.0
Content-Type: multipart/mixed;
      boundary="----=_Part_3600_128155292.1069652046677"
X-Nonspam: None
Return-Path: no-reply@intuit.com
X-OriginalArrivalTime: 21 Jun 2013 16:18:35.0360 (UTC) FILETIME=[FAE42E00:01CE6E9A]

------=_Part_3600_128155292.1069652046677
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

------=_Part_3600_128155292.1069652046677
Content-Type: multipart/related;
 boundary="----=_Part_3600_128155292.1069652046677"

------=_Part_3600_128155292.1069652046677
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit

------=_Part_3600_128155292.1069652046677
Content-Type: application/zip;
 name="LexisNexis_Invoice_06212013.zip"
Content-Transfer-Encoding: base64
Content-ID: <f5e76648a161$42c24e5b$e55413e6$SYYEELD>
Content-Disposition: inline;
 filename="LexisNexis_Invoice_06212013.zip"


------=_Part_3600_128155292.1069652046677--


------=_Part_3600_128155292.1069652046677--
==================================================
 
LVL 32

Accepted Solution

by:aleghart
aleghart earned 250 total points
ID: 39267325
The hop immediately before your equipment is most likely a genuine IP address.  Hostname may be forged or not.


70.35.36.45  belongs to a furniture company "SFO Business Centers"

I don't think either Dun and Bradstreet or Lexis-Nexis would be routing their email through a small business.

The rest of the headers are forged.

This IP is not in SORBS database yet, so a simple RBL would not have caught it.  Also, if this is a targeted attack, it will likely never get into an RBL.  A targeted attack sends out only a handful of customized messages to specific addresses...not thousands.
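A worked check of the reasoning above, as an added example that is not code from the original thread: it parses the Received chain, trusts only the hop written by your own MTA (mail.xxxxx.com, the masked name from the post, is assumed to be yours), and flags what the answer points at: the real peer is not in the From domain, the Return-Path domain differs, the sender-written hops don't chain into each other, and one of them claims a private address.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: the Received chain and two headers from the message posted
# above, with the poster's masked values left as they appeared.
RAW = """Received: from 70-35-36-45.static.wiline.com ([70.35.36.45]) by mail.xxxxx.com with Microsoft SMTPSVC;
       Fri, 21 Jun 2013 12:18:35 -0400
Received: from unknown (HELO uslitintrl01.us.lexisnexis.com) ([10.69.142.113])
  by uscwygtw06.dnb.com with ESMTP; Fri, 21 Jun 2013 08:18:32 -0800
Received: from dbpliupap113.us.dnb.com ([158.151.64.113])
  by uslitintrl03.us.lexisnexis.com with ESMTP; Fri, 21 Jun 2013 08:18:32 -0800
From: "LexisNexis" <einvoice.notification@lexisnexis.com>
Return-Path: no-reply@intuit.com
"""

# "from <host> [(HELO <name>)] ([<ip>]) ... by <host>" as most MTAs write it.
RECV = re.compile(r"from\s+(?P<host>\S+)(?:\s+\(HELO\s+(?P<helo>[^)]+)\))?"
                  r"\s+\(\[(?P<ip>[\d.]+)\]\).*?\bby\s+(?P<by>\S+)", re.S)

def base_domain(name):
    """Crude registered-domain guess (last two labels); enough for the .com names here."""
    return ".".join(name.lower().rstrip(">").split(".")[-2:])

def analyse(raw, my_mta):
    """Return a list of forgery indicators; the top Received line is the one our MTA wrote."""
    msg = message_from_string(raw)
    hops = [m.groupdict() for v in msg.get_all("Received", []) if (m := RECV.search(v))]
    trusted = next((h for h in hops if h["by"].lower() == my_mta), None)
    if trusted is None:
        return ["no Received line written by " + my_mta]
    findings = []
    from_dom = base_domain(msg["From"].split("@")[-1])
    # The peer IP our own server logged is real; its reverse name should fit the sender.
    if base_domain(trusted["host"]) != from_dom:
        findings.append(f"peer {trusted['ip']} ({trusted['host']}) is not in {from_dom}")
    rp_dom = base_domain(msg["Return-Path"].split("@")[-1])
    if rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    # Every hop below the trusted one was written by the sender and can say anything;
    # at least it should be self-consistent: hop N's 'by' host is hop N-1's 'from' host.
    for upper, lower in zip(hops, hops[1:]):
        claimed = (upper["helo"] or upper["host"]).lower()
        if lower["by"].lower() != claimed:
            findings.append(f"chain break: {lower['by']} handed off, but the next hop says it came from {claimed}")
        if ipaddress.ip_address(lower["ip"]).is_private:
            findings.append(f"private address {lower['ip']} claimed on a hop between organisations")
    return findings
```

Run `analyse(RAW, "mail.xxxxx.com")` to list the five indicators for the posted message; an RBL lookup on the trusted hop's IP is the only part that needs the network.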