
Filtering spam pretending to be from a legitimate domain

Posted on 2013-06-21
Last Modified: 2013-06-24
We receive a lot of spam pretending to be from someone with a legitimate domain name. How do I block this? I have a GFI spam filter, but I want to know what the general technique for doing this is, such as checking reverse domain lookup or SPF. I enabled both in the past, but since many sending email servers out there were probably not set up properly, I noticed more false positives.
Question by:crcsupport
4 Comments

Assisted Solution

by:Julian123
Julian123 earned 250 total points
ID: 39266685
I have good results using RBLs by Spamhaus.org: http://www.spamhaus.org/. Have you tried that?

Author Comment

by:crcsupport
ID: 39266716
So I just add zen.spamhaus.org to get the benefit of the 3 block lists?
I think I used it a long time ago; I don't know why I stopped using it.

Author Comment

by:crcsupport
ID: 39266737
Looking at the header, how do I know if it's from a legit domain or from someone pretending to be from the forged domain? I need help interpreting the routing part of the header.

"Microsoft Mail Internet Headers Version 2.0
Received: from 70-35-36-45.static.wiline.com ([70.35.36.45]) by mail.xxxxx.com with Microsoft SMTPSVC(x.x.xxx.xx..xx);
       Fri, 21 Jun 2013 12:18:35 -0400
Received: from unknown (HELO uslitintrl01.us.lexisnexis.com) ([10.69.142.113])
  by uscwygtw06.dnb.com with ESMTP; Fri, 21 Jun 2013 08:18:32 -0800
Received: from dbpliupap113.us.dnb.com ([158.151.64.113])
  by uslitintrl03.us.lexisnexis.com with ESMTP; Fri, 21 Jun 2013 08:18:32 -0800
Date: Fri, 21 Jun 2013 08:18:32 -0800"


The complete header is below.



HEADER INFO
======================
X-Antivirus: xxxxx for E-mail
Microsoft Mail Internet Headers Version 2.0
Received: from 70-35-36-45.static.wiline.com ([70.35.36.45]) by mail.xxxxx.com with Microsoft SMTPSVC(x.x.xxx.xx..xx);
       Fri, 21 Jun 2013 12:18:35 -0400
Received: from unknown (HELO uslitintrl01.us.lexisnexis.com) ([10.69.142.113])
  by uscwygtw06.dnb.com with ESMTP; Fri, 21 Jun 2013 08:18:32 -0800
Received: from dbpliupap113.us.dnb.com ([158.151.64.113])
  by uslitintrl03.us.lexisnexis.com with ESMTP; Fri, 21 Jun 2013 08:18:32 -0800
Date: Fri, 21 Jun 2013 08:18:32 -0800
From: "LexisNexis" <einvoice.notification@lexisnexis.com>
To: <xxxx.xxxx@xxxxxxxx.com>,
      <xxxx@xxxxxxxxx.com>
Message-ID: <228014310.11702817837043755.JavaMail.www@smtp-gw.us.lexisnexis.com>
Subject: Invoice Notification for June 2013
MIME-Version: 1.0
Content-Type: multipart/mixed;
      boundary="----=_Part_3600_128155292.1069652046677"
X-Nonspam: None
Return-Path: no-reply@intuit.com
X-OriginalArrivalTime: 21 Jun 2013 16:18:35.0360 (UTC) FILETIME=[FAE42E00:01CE6E9A]

------=_Part_3600_128155292.1069652046677
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

------=_Part_3600_128155292.1069652046677
Content-Type: multipart/related;
 boundary="----=_Part_3600_128155292.1069652046677"

------=_Part_3600_128155292.1069652046677
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit

------=_Part_3600_128155292.1069652046677
Content-Type: application/zip;
 name="LexisNexis_Invoice_06212013.zip"
Content-Transfer-Encoding: base64
Content-ID: <f5e76648a161$42c24e5b$e55413e6$SYYEELD>
Content-Disposition: inline;
 filename="LexisNexis_Invoice_06212013.zip"


------=_Part_3600_128155292.1069652046677--


------=_Part_3600_128155292.1069652046677--
==================================================

Accepted Solution

by:aleghart
aleghart earned 250 total points
ID: 39267325
The hop immediately before your equipment is most likely a genuine IP address. Hostname may be forged or not.


70.35.36.45 belongs to a furniture company "SFO Business Centers"

I don't think either Dun and Bradstreet or LexisNexis would be routing their email through a small business.

The rest of the headers are forged.

This IP is not in SORBS database yet, so a simple RBL would not have caught it. Also, if this is a targeted attack, it will likely never get into an RBL. A targeted attack sends out only a handful of customized messages to specific addresses...not thousands.
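The reasoning in the accepted answer, applied to the posted header as an added example (not code from the thread or from GFI): only the topmost Received line was written by the recipient's own MTA, so only the peer IP and reverse name recorded there are trustworthy; the checks below are heuristics, and the SAMPLE is constructed from the header block above with the body parts dropped.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the routing and envelope lines from the header posted
# above (MIME body parts and anonymised X-* lines omitted).
SAMPLE = """Received: from 70-35-36-45.static.wiline.com ([70.35.36.45]) by mail.xxxxx.com with Microsoft SMTPSVC;
       Fri, 21 Jun 2013 12:18:35 -0400
Received: from unknown (HELO uslitintrl01.us.lexisnexis.com) ([10.69.142.113])
  by uscwygtw06.dnb.com with ESMTP; Fri, 21 Jun 2013 08:18:32 -0800
Received: from dbpliupap113.us.dnb.com ([158.151.64.113])
  by uslitintrl03.us.lexisnexis.com with ESMTP; Fri, 21 Jun 2013 08:18:32 -0800
From: "LexisNexis" <einvoice.notification@lexisnexis.com>
Return-Path: no-reply@intuit.com
Subject: Invoice Notification for June 2013

"""

# "from <name> ... [<ip>]" as recorded by the receiving MTA of each hop
HOP_RE = re.compile(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.S)

def domain_of(addr):
    """Domain part of an RFC 5322 address, lower-cased ('' if none)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def analyse(raw):
    msg = message_from_string(raw)
    hops = [HOP_RE.search(h) for h in msg.get_all("Received", [])]
    hops = [(m.group(1).lower(), m.group(2)) for m in hops if m]
    if not hops:
        return {"peer_ip": None, "findings": ["no Received headers"]}
    from_dom = domain_of(msg.get("From", ""))
    rp_dom = domain_of(msg.get("Return-Path", ""))
    findings = []
    # Top hop: our own MTA's record of who actually connected to us.
    peer_host, peer_ip = hops[0]
    if from_dom and not (peer_host == from_dom or peer_host.endswith("." + from_dom)):
        findings.append("peer %s (%s) is not under From domain %s" % (peer_host, peer_ip, from_dom))
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append("From domain %s differs from Return-Path domain %s" % (from_dom, rp_dom))
    # Lower hops were supplied by the sender and can say anything; an RFC 1918
    # address relaying between two unrelated companies is worth a closer look.
    for host, ip in hops[1:]:
        if ipaddress.ip_address(ip).is_private:
            findings.append("sender-supplied hop %s claims private IP %s" % (host, ip))
    return {"peer_ip": peer_ip, "findings": findings}
```

On the posted header this reports the wiline.com peer, the lexisnexis.com/intuit.com mismatch and the 10.69.142.113 hop, while anything beyond that (RBL, SPF, WHOIS of the peer IP) needs a network lookup and is out of scope here.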
