
Filtering spam pretending to be from a legit domain

Posted on 2013-06-21
Last Modified: 2013-06-24
We receive a lot of spam pretending to be from someone with a legit domain name. How do I block this? I have GFI spam filter, but want to know what the general technique is, such as checking reverse domain lookup or SPF. I enabled both in the past; since many sending email servers out there were probably not set up, I noticed more false positives, though.
0
Question by:crcsupport
LVL 12

Assisted Solution

by:Julian123
Julian123 earned 1000 total points
ID: 39266685
I have good results using RBLs by Spamhaus.org: http://www.spamhaus.org/. Have you tried that?
0
 
LVL 1

Author Comment

by:crcsupport
ID: 39266716
So just add zen.spamhaus.org to get the benefit of 3 block lists?
I think I used it a long time ago, don't know why I stopped using it.
0
 
LVL 1

Author Comment

by:crcsupport
ID: 39266737
Looking at the header, how do I know if it's from a legit domain or from someone pretending with a forged domain? I need help interpreting the routing part of the header.

"Microsoft Mail Internet Headers Version 2.0
Received: from 70-35-36-45.static.wiline.com ([70.35.36.45]) by mail.xxxxx.com with Microsoft SMTPSVC(x.x.xxx.xx..xx);
       Fri, 21 Jun 2013 12:18:35 -0400
Received: from unknown (HELO uslitintrl01.us.lexisnexis.com) ([10.69.142.113])
  by uscwygtw06.dnb.com with ESMTP; Fri, 21 Jun 2013 08:18:32 -0800
Received: from dbpliupap113.us.dnb.com ([158.151.64.113])
  by uslitintrl03.us.lexisnexis.com with ESMTP; Fri, 21 Jun 2013 08:18:32 -0800
Date: Fri, 21 Jun 2013 08:18:32 -0800"


Complete header is below.



HEADER INFO
======================
X-Antivirus: xxxxx for E-mail
Microsoft Mail Internet Headers Version 2.0
Received: from 70-35-36-45.static.wiline.com ([70.35.36.45]) by mail.xxxxx.com with Microsoft SMTPSVC(x.x.xxx.xx..xx);
       Fri, 21 Jun 2013 12:18:35 -0400
Received: from unknown (HELO uslitintrl01.us.lexisnexis.com) ([10.69.142.113])
  by uscwygtw06.dnb.com with ESMTP; Fri, 21 Jun 2013 08:18:32 -0800
Received: from dbpliupap113.us.dnb.com ([158.151.64.113])
  by uslitintrl03.us.lexisnexis.com with ESMTP; Fri, 21 Jun 2013 08:18:32 -0800
Date: Fri, 21 Jun 2013 08:18:32 -0800
From: "LexisNexis" <einvoice.notification@lexisnexis.com>
To: <xxxx.xxxx@xxxxxxxx.com>,
      <xxxx@xxxxxxxxx.com>
Message-ID: <228014310.11702817837043755.JavaMail.www@smtp-gw.us.lexisnexis.com>
Subject: Invoice Notification for June 2013
MIME-Version: 1.0
Content-Type: multipart/mixed;
      boundary="----=_Part_3600_128155292.1069652046677"
X-Nonspam: None
Return-Path: no-reply@intuit.com
X-OriginalArrivalTime: 21 Jun 2013 16:18:35.0360 (UTC) FILETIME=[FAE42E00:01CE6E9A]

------=_Part_3600_128155292.1069652046677
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

------=_Part_3600_128155292.1069652046677
Content-Type: multipart/related;
 boundary="----=_Part_3600_128155292.1069652046677"

------=_Part_3600_128155292.1069652046677
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit

------=_Part_3600_128155292.1069652046677
Content-Type: application/zip;
 name="LexisNexis_Invoice_06212013.zip"
Content-Transfer-Encoding: base64
Content-ID: <f5e76648a161$42c24e5b$e55413e6$SYYEELD>
Content-Disposition: inline;
 filename="LexisNexis_Invoice_06212013.zip"


------=_Part_3600_128155292.1069652046677--


------=_Part_3600_128155292.1069652046677--
==================================================
0
 
LVL 32

Accepted Solution

by:
aleghart earned 1000 total points
ID: 39267325
The hop immediately before your equipment is most likely a genuine IP address. Hostname may be forged or not.

70.35.36.45 belongs to a furniture company "SFO Business Centers".

I don't think either Dun and Bradstreet or Lexis-Nexis would be routing their email through a small business.

The rest of the headers are forged.

This IP is not in SORBS database yet, so a simple RBL would not have caught it. Also, if this is a targeted attack, it will likely never get into an RBL. A targeted attack sends out only a handful of customized messages to specific addresses...not thousands.
0
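
As an added illustration of the accepted answer (not code posted by anyone in this thread), the Python sketch below applies it to the headers shown above: it trusts only the hop stamped by the receiving server, then compares that peer and the Return-Path against the From domain. The names `analyze`, `org_domain` and `my_mta` are assumptions made for the example, and the server name is the redacted one from the post.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers taken from the message posted in this thread (redactions kept as posted).
SAMPLE = """\
Received: from 70-35-36-45.static.wiline.com ([70.35.36.45]) by mail.xxxxx.com with Microsoft SMTPSVC(x.x.xxx.xx..xx);
       Fri, 21 Jun 2013 12:18:35 -0400
Received: from unknown (HELO uslitintrl01.us.lexisnexis.com) ([10.69.142.113])
  by uscwygtw06.dnb.com with ESMTP; Fri, 21 Jun 2013 08:18:32 -0800
Received: from dbpliupap113.us.dnb.com ([158.151.64.113])
  by uslitintrl03.us.lexisnexis.com with ESMTP; Fri, 21 Jun 2013 08:18:32 -0800
From: "LexisNexis" <einvoice.notification@lexisnexis.com>
Return-Path: no-reply@intuit.com
"""

# Captures (claimed sending host, connecting IP, recording server) per hop.
HOP = re.compile(r"from\s+(\S+).*?\[([\d.]+)\].*?\bby\s+(\S+)", re.S)

def org_domain(host):
    # Naive "last two labels"; a production filter would use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def analyze(raw, my_mta):
    msg = message_from_string(raw)
    hops = [m.groups() for h in msg.get_all("Received", []) if (m := HOP.search(h))]
    # Only the hop stamped by our own server is trustworthy; every hop listed
    # below it was supplied by the sender and can be invented.
    edge = next((i for i, hop in enumerate(hops) if hop[2] == my_mta), None)
    if edge is None:
        raise ValueError("no Received header was written by " + my_mta)
    peer_host, peer_ip, _ = hops[edge]
    from_dom = org_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    rp_dom = org_domain(parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2])
    findings = []
    if org_domain(peer_host) != from_dom:
        findings.append(f"peer {peer_host} [{peer_ip}] is not under {from_dom}")
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    return {"peer_ip": peer_ip, "untrusted_hops": hops[edge + 1:], "findings": findings}

if __name__ == "__main__":
    report = analyze(SAMPLE, "mail.xxxxx.com")
    print("trusted connecting IP:", report["peer_ip"])
    for hop in report["untrusted_hops"]:
        print("sender-supplied hop:", hop)
    for finding in report["findings"]:
        print("flag:", finding)
```

A hostname mismatch on the trusted hop is a signal rather than proof, since legitimate senders often relay through third-party mail providers; it is most useful as a score alongside SPF and RBL results.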
