  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 373

Filtering spam pretending to be from a legit domain.

We receive many spam messages pretending to be from someone with a legit domain name. How do I block this? I have the GFI spam filter, but I want to know the general techniques for doing it, such as checking reverse domain lookup or SPF. I enabled both in the past, but since many sending email servers out there were probably not set up, I noticed more false positives.
0
crcsupport
Asked:
crcsupport
2 Solutions
 
Julian123 commented:
I have had good results using the RBLs from Spamhaus.org: http://www.spamhaus.org/. Have you tried that?
0
 
crcsupport (Author) commented:
So I just add zen.spamhaus.org to get the benefit of the 3 block lists?
I think I used it a long time ago; I don't know why I stopped using it.
0
 
crcsupport (Author) commented:
Looking at the header, how do I know if it's from the legit domain or from someone pretending to be that domain with a forged one? I need help interpreting the routing part of the header.

"Microsoft Mail Internet Headers Version 2.0
Received: from 70-35-36-45.static.wiline.com ([70.35.36.45]) by mail.xxxxx.com with Microsoft SMTPSVC(x.x.xxx.xx..xx);
       Fri, 21 Jun 2013 12:18:35 -0400
Received: from unknown (HELO uslitintrl01.us.lexisnexis.com) ([10.69.142.113])
  by uscwygtw06.dnb.com with ESMTP; Fri, 21 Jun 2013 08:18:32 -0800
Received: from dbpliupap113.us.dnb.com ([158.151.64.113])
  by uslitintrl03.us.lexisnexis.com with ESMTP; Fri, 21 Jun 2013 08:18:32 -0800
Date: Fri, 21 Jun 2013 08:18:32 -0800"


The complete header is below.



HEADER INFO
======================
X-Antivirus: xxxxx for E-mail
Microsoft Mail Internet Headers Version 2.0
Received: from 70-35-36-45.static.wiline.com ([70.35.36.45]) by mail.xxxxx.com with Microsoft SMTPSVC(x.x.xxx.xx..xx);
       Fri, 21 Jun 2013 12:18:35 -0400
Received: from unknown (HELO uslitintrl01.us.lexisnexis.com) ([10.69.142.113])
  by uscwygtw06.dnb.com with ESMTP; Fri, 21 Jun 2013 08:18:32 -0800
Received: from dbpliupap113.us.dnb.com ([158.151.64.113])
  by uslitintrl03.us.lexisnexis.com with ESMTP; Fri, 21 Jun 2013 08:18:32 -0800
Date: Fri, 21 Jun 2013 08:18:32 -0800
From: "LexisNexis" <einvoice.notification@lexisnexis.com>
To: <xxxx.xxxx@xxxxxxxx.com>,
      <xxxx@xxxxxxxxx.com>
Message-ID: <228014310.11702817837043755.JavaMail.www@smtp-gw.us.lexisnexis.com>
Subject: Invoice Notification for June 2013
MIME-Version: 1.0
Content-Type: multipart/mixed;
      boundary="----=_Part_3600_128155292.1069652046677"
X-Nonspam: None
Return-Path: no-reply@intuit.com
X-OriginalArrivalTime: 21 Jun 2013 16:18:35.0360 (UTC) FILETIME=[FAE42E00:01CE6E9A]

------=_Part_3600_128155292.1069652046677
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

------=_Part_3600_128155292.1069652046677
Content-Type: multipart/related;
 boundary="----=_Part_3600_128155292.1069652046677"

------=_Part_3600_128155292.1069652046677
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit

------=_Part_3600_128155292.1069652046677
Content-Type: application/zip;
 name="LexisNexis_Invoice_06212013.zip"
Content-Transfer-Encoding: base64
Content-ID: <f5e76648a161$42c24e5b$e55413e6$SYYEELD>
Content-Disposition: inline;
 filename="LexisNexis_Invoice_06212013.zip"


------=_Part_3600_128155292.1069652046677--


------=_Part_3600_128155292.1069652046677--
==================================================
0
 
aleghart commented:
The hop immediately before your equipment is most likely a genuine IP address. The hostname may or may not be forged.

70.35.36.45 belongs to a furniture company, "SFO Business Centers".

I don't think either Dun & Bradstreet or LexisNexis would be routing their email through a small business.

The rest of the headers are forged.

This IP is not in the SORBS database yet, so a simple RBL would not have caught it. Also, if this is a targeted attack, it will likely never get into an RBL. A targeted attack sends out only a handful of customized messages to specific addresses, not thousands.
0
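The two answers above make two points a filter can act on: only the Received line stamped by your own server is trustworthy (everything below it was supplied by the sender), and the connecting IP from that line is what you look up in an RBL such as zen.spamhaus.org. The script below is an added example, not code from this thread, from GFI or from Spamhaus. It parses the header posted in the question (embedded here as constructed sample data, with the poster's masked names left as they appear), picks out the hop written by your own MTA (assumed to be the masked name mail.xxxxx.com), builds the DNS name an RBL query would use for that IP, and lists the inconsistencies a reviewer would flag: the Return-Path domain not matching the From domain, a private address inside the relay chain, and Received lines that do not hand off to each other. It performs no network lookups.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the relevant lines of the header posted in the
# question, with the poster's masked names left exactly as they appear.
SAMPLE_HEADERS = """\
Received: from 70-35-36-45.static.wiline.com ([70.35.36.45]) by mail.xxxxx.com with Microsoft SMTPSVC(x.x.xxx.xx..xx);
       Fri, 21 Jun 2013 12:18:35 -0400
Received: from unknown (HELO uslitintrl01.us.lexisnexis.com) ([10.69.142.113])
  by uscwygtw06.dnb.com with ESMTP; Fri, 21 Jun 2013 08:18:32 -0800
Received: from dbpliupap113.us.dnb.com ([158.151.64.113])
  by uslitintrl03.us.lexisnexis.com with ESMTP; Fri, 21 Jun 2013 08:18:32 -0800
From: "LexisNexis" <einvoice.notification@lexisnexis.com>
Return-Path: no-reply@intuit.com
Subject: Invoice Notification for June 2013

"""

# Assumption: the name your own MTA writes into the "by" clause of the
# Received line it adds (taken from the masked header in the post).
MY_MTA = "mail.xxxxx.com"

RECEIVED_RE = re.compile(
    r"from\s+(?P<claimed>\S+)"              # name presented by / resolved for the sender
    r"(?:\s+\(HELO\s+(?P<helo>[^)]+)\))?"   # optional explicit HELO name
    r"\s+\(\[(?P<ip>[0-9a-fA-F.:]+)\]\)"    # connecting IP written as ([...])
    r"\s+by\s+(?P<by>\S+)"                  # server that added this line
)


def parse_received(raw_headers):
    """Return the Received hops newest-first, i.e. in header order."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append(m.groupdict())
    return hops


def first_external_hop(hops, my_mta):
    """The hop stamped by your own server is the only one you can trust: its
    IP is the real connecting address; everything below it came from the
    sender and may be fabricated."""
    for hop in hops:
        if hop["by"].lower() == my_mta.lower():
            return hop
    return None


def rbl_query_name(ip, zone="zen.spamhaus.org"):
    """DNS name to look up in an RBL zone: the address reversed (octets for
    IPv4, hex nibbles for IPv6) and prefixed to the zone. An A-record answer
    for that name means the address is listed."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def domain_of(address):
    return parseaddr(address)[1].rpartition("@")[2].lower()


def analyse(raw_headers, my_mta=MY_MTA):
    """Collect indicators that the message is not from the domain it claims."""
    msg = message_from_string(raw_headers)
    hops = parse_received(raw_headers)
    findings = []

    # Envelope sender (Return-Path) should normally share a domain with From:.
    from_domain = domain_of(msg.get("From", ""))
    return_path_domain = domain_of(msg.get("Return-Path", ""))
    if return_path_domain and return_path_domain != from_domain:
        findings.append("envelope_header_mismatch")

    entry = first_external_hop(hops, my_mta)
    if entry is None:
        findings.append("no_hop_from_own_mta")
    else:
        if ipaddress.ip_address(entry["ip"]).is_private:
            findings.append("private_source_ip")
        host = entry["claimed"].lower()
        if from_domain and host != from_domain and not host.endswith("." + from_domain):
            findings.append("connecting_host_not_in_from_domain")

    # In a genuine chain each lower hop's "by" host is the one the hop above
    # says it received from; a gap means the lines were forged or relayed
    # through an unrelated host.
    for upper, lower in zip(hops, hops[1:]):
        handed_from = (upper["helo"] or upper["claimed"]).lower()
        if handed_from != lower["by"].lower():
            findings.append(f"chain_break:{lower['by']}->{handed_from}")

    # A private address below the entry hop is internal to the sender or fake.
    for hop in hops[1:]:
        if ipaddress.ip_address(hop["ip"]).is_private:
            findings.append(f"private_ip_in_chain:{hop['ip']}")

    return {
        "connecting_ip": entry["ip"] if entry else None,
        "rbl_query": rbl_query_name(entry["ip"]) if entry else None,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

On the posted header the connecting IP is 70.35.36.45, the RBL name to resolve is 45.36.35.70.zen.spamhaus.org, and the findings are the Return-Path/From mismatch, the wiline.com connecting host, two chain breaks and the 10.69.142.113 private address. The connecting-host check is the weakest of these on its own, since legitimate bulk senders often relay through third-party hosts; the chain breaks and the envelope mismatch are the stronger signals.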
