Solved

Why the user received this mail, is this spam?

Posted on 2014-02-27
13
559 Views
Last Modified: 2014-03-24
This is using ms exchange 2010 server. We are using the native anti-spam as well. However, users still feedback that they received some weird mail. For example, a user forwarded an email as follows:

Email header:
Received: from rediffmail.com (114.31.224.102) by MAILSVR.abc.local
 (192.168.1.20) with Microsoft SMTP Server id 14.3.174.1; Tue, 25 Feb 2014
 20:10:35 +0800
Received: (qmail 23568 invoked by uid 510); 25 Feb 2014 12:18:45 -0000
Received: from unknown 116.203.11.178 by rediffmail.com via HTTP; 25 Feb 2014
 12:18:44 -0000
From: "rbitransfernitnewdlhi@admin.in.th" <rbitransfernitnewdlhi@admin.in.th>
To: "info@rbi.india" <info@rbi.india>
Subject: =?utf-8?B?UkVTRVJWRSBCQU5LIE9GIElORElBIE9GRklDSUFMIFBBWU1FTlQgTk9USUZJ?=
 =?utf-8?B?Q0FUSU9OISHigI8=?=
Thread-Topic: =?utf-8?B?UkVTRVJWRSBCQU5LIE9GIElORElBIE9GRklDSUFMIFBBWU1FTlQgTk9USUZJ?=
 =?utf-8?B?Q0FUSU9OISHigI8=?=
Thread-Index: AQHPMiKXX3U/4WsqxUK76Dw/2veJEg==
Sender: "mishra_ashush27@rediffmail.com" <mishra_ashush27@rediffmail.com>
Date: Tue, 25 Feb 2014 12:18:44 +0000
Message-ID: <20140225121844.23532.qmail@f5mail-224-102.rediffmail.com>
Reply-To: "rbitransfernitnewdlhi@admin.in.th"
      <rbitransfernitnewdlhi@admin.in.th>
Content-Language: en-SG
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-AuthSource: MAILSVR.abc.local
X-MS-Has-Attach: yes
X-MS-Exchange-Organization-SenderIdResult: Pass
X-MS-Exchange-Organization-PRD: rediffmail.com
X-MS-TNEF-Correlator:
received-spf: Pass (MAILSVR.abc.local: domain of
 mishra_ashush27@rediffmail.com designates 114.31.224.102 as permitted
 sender) receiver=MAILSVR.abc.local; client-ip=114.31.224.102;
 helo=rediffmail.com;
Content-Type: multipart/mixed;
      boundary="_004_2014022512184423532qmailf5mail224102rediffmailcom_"
MIME-Version: 1.0

Please see the sender/recipient in the outlook as attached.
Spam.bmp
0
Comment
Question by:MichaelBalack
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
  • 3
  • +1
13 Comments
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 39891224
It is without any doubt at all a spam message and the attachment may include a virus.  116.203.11.178 is in India.  Do your customers normally get mail from there?
0
 
LVL 1

Author Comment

by:MichaelBalack
ID: 39891239
Hi Dave,

My users always received such mails. I didn't really pay much attention to the ip. Just wondering why this kind of spam can't be stopped.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39891249
This is why:
X-MS-Exchange-Organization-SenderIdResult: Pass

It has passed the SenderID test.

Most spam would fail that test.

Simon.
0
Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 25

Expert Comment

by:Marcus Bointon
ID: 39891425
These days it's not unusual for spam to pass SPF and DKIM checks - spammers are clever enough to realise that helps their delivery rates. This kind of spam is best trapped by bayesian filtering (where it can learn to recognise new kinds of spam), but in order for that to work your recipients need to have some means of reporting spam back to your server, such as a forwarding address, or a mailbox that the spam filter reads if users move messages into it.
0
 
LVL 1

Author Comment

by:MichaelBalack
ID: 39894377
Hi Squinky,

Please elaborate how can this type of spam can be effectively stopped.
0
 
LVL 25

Expert Comment

by:Marcus Bointon
ID: 39894405
By having a spam filter that can learn from user actions: users know what is spam better than any program with static rules. SpamAssassin will do this, but only if you enable a way of allowing users to report what is spam and what is not (in order to correct false positives).

You should also make sure your spam filter makes use of real-time blacklists (RBLs) so that you can identify spam that has been spotted by other users.

All that said, no spam filter is perfect, and spammers change behaviour all the tim. You will always get a certain amount of spam getting through, and a certain amount of legitimate email getting blocked. There is no easy answer.
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 39895575
@Squinky is right, there is no 'permanent' fix for spam because they evolve as the anti-spam efforts do.  It's an ongoing process for both sides.
0
 
LVL 1

Author Comment

by:MichaelBalack
ID: 39916555
Hi all,

Talk about the RBLs, I put in 2 more RBLs as follows:

     Existing RBLs:

         zen.spamhaus.org
         bl.spamcop.net

     Newly-added:

         psbl.surriel.com
         dnsbl.sorbs.net

Will this help?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39917819
Depends if you are happy for an unaccountable organisation to decide what email you can and cannot receive. Personally I don't use any blacklists unless I control what gets listed.

Simon.
0
 
LVL 25

Accepted Solution

by:
Marcus Bointon earned 500 total points
ID: 39917851
The point of RBLs is to reject mail before you have wasted resources receiving it. If you're managing it yourself, that's not possible, so you're effectively back to manual content filtering. Sure, some RBLs are overzealous (some deliberately so), but you'll figure out which they are pretty quickly (and they are generally documented) and they are nearly all dynamic (the real-time in RBL). Chances are if 50,000 other people report something as a spam source, they're probably right. The sender will be told they're blacklisted, so false positives get flagged quickly.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39917891
I use software that blacklists email that I receive, which I control completely. It isn't manual filtering.
However I am just raising the business risk - because I have seen it time and time again. People start using blacklists then get a phone call because their biggest customer is unable to email them because they are using a host that is listed on a blacklist.

Blacklists are not the "magic" solution to spam that people think they are.
As for the false positives getting flagged quickly, that does make me laugh as it would do at some of the major email providers. Loads of stories of someone getting pissed off with a major provider and blacklisting their entire block. I don't think a day goes by without the Hotmail, AOL and Office365 servers getting blacklisted and GoDaddy has a dedicated team.

Simon.
0
 
LVL 25

Expert Comment

by:Marcus Bointon
ID: 39917925
"then get a phone call because their biggest customer is unable to email them because they are using a host that is listed on a blacklist" - sounds like a great opportunity to sell them an email system that isn't total junk? :)
0
 
LVL 1

Author Closing Comment

by:MichaelBalack
ID: 39949701
It works
0

Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article aims to explain the working of CircularLogArchiver. This tool was designed to solve the buildup of log file in cases where systems do not support circular logging or where circular logging is not enabled
This article will help to fix the below errors for MS Exchange Server 2013 I. Certificate error "name on the security certificate is invalid or does not match the name of the site" II. Out of Office not working III. Make Internal URLs and Externa…
In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
Suggested Courses
Course of the Month8 days, 21 hours left to enroll

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question