Why did the user receive this mail? Is this spam?

This is an MS Exchange 2010 server. We are using the native anti-spam as well. However, users still report that they receive some weird mail. For example, a user forwarded an email as follows:

Email header:
Received: from rediffmail.com (114.31.224.102) by MAILSVR.abc.local
 (192.168.1.20) with Microsoft SMTP Server id 14.3.174.1; Tue, 25 Feb 2014
 20:10:35 +0800
Received: (qmail 23568 invoked by uid 510); 25 Feb 2014 12:18:45 -0000
Received: from unknown 116.203.11.178 by rediffmail.com via HTTP; 25 Feb 2014
 12:18:44 -0000
From: "rbitransfernitnewdlhi@admin.in.th" <rbitransfernitnewdlhi@admin.in.th>
To: "info@rbi.india" <info@rbi.india>
Subject: =?utf-8?B?UkVTRVJWRSBCQU5LIE9GIElORElBIE9GRklDSUFMIFBBWU1FTlQgTk9USUZJ?=
 =?utf-8?B?Q0FUSU9OISHigI8=?=
Thread-Topic: =?utf-8?B?UkVTRVJWRSBCQU5LIE9GIElORElBIE9GRklDSUFMIFBBWU1FTlQgTk9USUZJ?=
 =?utf-8?B?Q0FUSU9OISHigI8=?=
Thread-Index: AQHPMiKXX3U/4WsqxUK76Dw/2veJEg==
Sender: "mishra_ashush27@rediffmail.com" <mishra_ashush27@rediffmail.com>
Date: Tue, 25 Feb 2014 12:18:44 +0000
Message-ID: <20140225121844.23532.qmail@f5mail-224-102.rediffmail.com>
Reply-To: "rbitransfernitnewdlhi@admin.in.th"
      <rbitransfernitnewdlhi@admin.in.th>
Content-Language: en-SG
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-AuthSource: MAILSVR.abc.local
X-MS-Has-Attach: yes
X-MS-Exchange-Organization-SenderIdResult: Pass
X-MS-Exchange-Organization-PRD: rediffmail.com
X-MS-TNEF-Correlator:
received-spf: Pass (MAILSVR.abc.local: domain of
 mishra_ashush27@rediffmail.com designates 114.31.224.102 as permitted
 sender) receiver=MAILSVR.abc.local; client-ip=114.31.224.102;
 helo=rediffmail.com;
Content-Type: multipart/mixed;
      boundary="_004_2014022512184423532qmailf5mail224102rediffmailcom_"
MIME-Version: 1.0

Please see the sender/recipient in Outlook as attached.
Spam.bmp
MichaelBalackAsked:

Dave BaldwinFixer of ProblemsCommented:
It is without any doubt at all a spam message and the attachment may include a virus.  116.203.11.178 is in India.  Do your customers normally get mail from there?
MichaelBalackAuthor Commented:
Hi Dave,

My users always receive such mails. I didn't really pay much attention to the IP. I'm just wondering why this kind of spam can't be stopped.
Simon Butler (Sembee)ConsultantCommented:
This is why:
X-MS-Exchange-Organization-SenderIdResult: Pass

It has passed the SenderID test.

Most spam would fail that test.

Simon.
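Simon's point can be checked directly against the posted headers. The script below is an added example, not part of the original thread: it feeds the header block from the question into Python's standard email library, computes the Purported Responsible Address the way Sender ID (RFC 4407) does (Resent-Sender, then Resent-From, then Sender, then From; the multi-Resent-block cases are simplified away), pulls the identity and client IP out of Exchange's received-spf header, and compares the authenticated domain with the one users actually see in From. It also decodes the RFC 2047 subject, which turns out to end in an invisible right-to-left mark. Only the headers relevant to the check are kept; nothing is assumed beyond what is on the page.

```python
import re
import unicodedata
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# The relevant headers exactly as posted in the question (message body omitted).
RAW_HEADERS = """\
Received: from rediffmail.com (114.31.224.102) by MAILSVR.abc.local
 (192.168.1.20) with Microsoft SMTP Server id 14.3.174.1; Tue, 25 Feb 2014
 20:10:35 +0800
Received: (qmail 23568 invoked by uid 510); 25 Feb 2014 12:18:45 -0000
Received: from unknown 116.203.11.178 by rediffmail.com via HTTP; 25 Feb 2014
 12:18:44 -0000
From: "rbitransfernitnewdlhi@admin.in.th" <rbitransfernitnewdlhi@admin.in.th>
To: "info@rbi.india" <info@rbi.india>
Subject: =?utf-8?B?UkVTRVJWRSBCQU5LIE9GIElORElBIE9GRklDSUFMIFBBWU1FTlQgTk9USUZJ?=
 =?utf-8?B?Q0FUSU9OISHigI8=?=
Sender: "mishra_ashush27@rediffmail.com" <mishra_ashush27@rediffmail.com>
Reply-To: "rbitransfernitnewdlhi@admin.in.th"
      <rbitransfernitnewdlhi@admin.in.th>
X-MS-Exchange-Organization-SenderIdResult: Pass
X-MS-Exchange-Organization-PRD: rediffmail.com
received-spf: Pass (MAILSVR.abc.local: domain of
 mishra_ashush27@rediffmail.com designates 114.31.224.102 as permitted
 sender) receiver=MAILSVR.abc.local; client-ip=114.31.224.102;
 helo=rediffmail.com;

"""


def unfold(value):
    """Collapse RFC 5322 folding whitespace so regexes see a single line."""
    return " ".join(value.split())


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def purported_responsible_address(msg):
    """Sender ID authenticates the PRA, not the From header.
    RFC 4407 order of preference (simplified): Resent-Sender, Resent-From, Sender, From."""
    for name in ("Resent-Sender", "Resent-From", "Sender", "From"):
        if msg[name]:
            return parseaddr(unfold(msg[name]))[1], name
    return None, None


def spf_authenticated_identity(msg):
    """Extract result, authenticated identity and client IP from Exchange's received-spf."""
    m = re.match(r"(\w+)\s*\(.*?domain of (\S+) designates (\S+) as permitted sender",
                 unfold(msg["received-spf"]))
    return m.group(1), m.group(2), m.group(3)


def earliest_hop_ips(msg):
    """Received headers are prepended on each hop, so the last one is the first hop."""
    hops = msg.get_all("Received") or []
    return re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", unfold(hops[-1])) if hops else []


def decoded_subject(msg):
    """Decode RFC 2047 encoded words and list any format/control characters hidden in them."""
    subject = str(make_header(decode_header(msg["Subject"])))
    hidden = ["U+%04X" % ord(c) for c in subject if unicodedata.category(c) in ("Cf", "Cc")]
    return subject, hidden


def analyse(raw):
    msg = message_from_string(raw)
    from_addr = parseaddr(unfold(msg["From"]))[1]
    reply_to = parseaddr(unfold(msg["Reply-To"] or ""))[1]
    pra, pra_header = purported_responsible_address(msg)
    spf_result, spf_identity, client_ip = spf_authenticated_identity(msg)
    subject, hidden = decoded_subject(msg)
    return {
        "from": from_addr, "from_domain": domain_of(from_addr), "reply_to": reply_to,
        "pra": pra, "pra_header": pra_header, "pra_domain": domain_of(pra),
        "exchange_prd": (msg["X-MS-Exchange-Organization-PRD"] or "").strip(),
        "spf_result": spf_result, "spf_identity": spf_identity, "client_ip": client_ip,
        "origin_ips": earliest_hop_ips(msg),
        "subject": subject, "hidden_chars": hidden,
        # The signal Sender ID never looks at: the domain users see in From is not
        # the domain that was actually authenticated.
        "from_pra_mismatch": domain_of(from_addr) != domain_of(pra),
    }


if __name__ == "__main__":
    for key, value in analyse(RAW_HEADERS).items():
        print(f"{key:18} {value!r}")
```

Running it shows the PRA is the Sender header, mishra_ashush27@rediffmail.com, which matches Exchange's own X-MS-Exchange-Organization-PRD value; SPF is evaluated for rediffmail.com and the connecting IP 114.31.224.102 is indeed one of rediffmail's permitted senders, so the Pass is legitimate. The From and Reply-To domain, admin.in.th, was never checked by anything, and the message is a plain webmail submission from 116.203.11.178. A rule that scores From/PRA domain mismatches, or a DMARC-style alignment check on From, catches this class of mail where Sender ID alone cannot.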
Marcus BointonCommented:
These days it's not unusual for spam to pass SPF and DKIM checks - spammers are clever enough to realise that helps their delivery rates. This kind of spam is best trapped by Bayesian filtering (where it can learn to recognise new kinds of spam), but in order for that to work your recipients need to have some means of reporting spam back to your server, such as a forwarding address, or a mailbox that the spam filter reads if users move messages into it.
MichaelBalackAuthor Commented:
Hi Squinky,

Please elaborate on how this type of spam can be effectively stopped.
Marcus BointonCommented:
By having a spam filter that can learn from user actions: users know what is spam better than any program with static rules. SpamAssassin will do this, but only if you enable a way of allowing users to report what is spam and what is not (in order to correct false positives).

You should also make sure your spam filter makes use of real-time blacklists (RBLs) so that you can identify spam that has been spotted by other users.

All that said, no spam filter is perfect, and spammers change behaviour all the time. You will always get a certain amount of spam getting through, and a certain amount of legitimate email getting blocked. There is no easy answer.
Dave BaldwinFixer of ProblemsCommented:
@Squinky is right, there is no 'permanent' fix for spam because they evolve as the anti-spam efforts do.  It's an ongoing process for both sides.
MichaelBalackAuthor Commented:
Hi all,

Talking about RBLs, I put in 2 more RBLs as follows:

     Existing RBLs:

         zen.spamhaus.org
         bl.spamcop.net

     Newly-added:

         psbl.surriel.com
         dnsbl.sorbs.net

Will this help?
Simon Butler (Sembee)ConsultantCommented:
Depends if you are happy for an unaccountable organisation to decide what email you can and cannot receive. Personally I don't use any blacklists unless I control what gets listed.

Simon.
Marcus BointonCommented:
The point of RBLs is to reject mail before you have wasted resources receiving it. If you're managing it yourself, that's not possible, so you're effectively back to manual content filtering. Sure, some RBLs are overzealous (some deliberately so), but you'll figure out which they are pretty quickly (and they are generally documented) and they are nearly all dynamic (the real-time in RBL). Chances are if 50,000 other people report something as a spam source, they're probably right. The sender will be told they're blacklisted, so false positives get flagged quickly.
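To make the RBL mechanics concrete for the four zones listed above, here is an added example (not code from the thread or from any of the list operators). It builds the reversed-address query name a DNSBL client sends, interprets the A-record answers, and keeps three outcomes apart that are often conflated: listed (an answer in 127.0.0.0/8), not listed (NXDOMAIN), and error (a 127.255.255.x Spamhaus error code for open-resolver or query-limit refusals, or an answer outside 127/8 from a dead or wildcarded zone). The zen return-code table is the one Spamhaus documents; the other zones publish their own codes and are reported generically. The offline resolver and its entries are constructed for the example, apart from 127.0.0.2, which is the documented Spamhaus test address; the real-DNS path uses only socket.gethostbyname_ex.

```python
import ipaddress
import socket

# The four zones configured in the thread.
ZONES = ["zen.spamhaus.org", "bl.spamcop.net", "psbl.surriel.com", "dnsbl.sorbs.net"]

# Return codes documented for zen.spamhaus.org (other zones use their own).
ZEN_MEANING = {
    "127.0.0.2": "SBL: verified spam source",
    "127.0.0.3": "SBL CSS: snowshoe / compromised sender",
    "127.0.0.4": "XBL: exploited or compromised host",
    "127.0.0.9": "SBL DROP: hijacked or criminal netblock",
    "127.0.0.10": "PBL: ISP-declared end-user range, should not send mail directly",
    "127.0.0.11": "PBL: Spamhaus-declared end-user range",
}


def dnsbl_query_name(ip, zone):
    """1.2.3.4 -> 4.3.2.1.zone; IPv6 uses the reversed nibbles of the expanded address."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


def live_resolver(name):
    """Real DNS lookup; socket.gaierror on NXDOMAIN means 'not listed'."""
    return socket.gethostbyname_ex(name)[2]


def classify(answers, zone):
    """Map A-record answers to listed / clean / error. Only 127.0.0.0/8 is a listing:
    127.255.255.x are Spamhaus error codes and anything outside 127/8 means the zone
    is broken or wildcarded, so neither must ever be treated as a hit."""
    if not answers:
        return "clean", []
    if any(a.startswith("127.255.255.") for a in answers):
        return "error", [f"{a}: zone returned an error code" for a in answers]
    loopback = ipaddress.ip_network("127.0.0.0/8")
    if not all(ipaddress.ip_address(a) in loopback for a in answers):
        return "error", [f"{a}: unexpected answer, zone may be dead or wildcarded" for a in answers]
    if zone == "zen.spamhaus.org":
        return "listed", [f"{a}: {ZEN_MEANING.get(a, 'unknown zen code')}" for a in answers]
    return "listed", [f"{a}: listed, see {zone} documentation" for a in answers]


def check_ip(ip, zones=ZONES, resolve=live_resolver):
    """Query every zone for one connecting IP and return a per-zone report."""
    report = {}
    for zone in zones:
        name = dnsbl_query_name(ip, zone)
        try:
            answers = sorted(resolve(name), key=ipaddress.ip_address)
        except socket.gaierror:
            answers = []
        status, detail = classify(answers, zone)
        report[zone] = {"query": name, "status": status, "answers": answers, "detail": detail}
    return report


def is_listed(report):
    return any(r["status"] == "listed" for r in report.values())


# Constructed offline resolver so the example runs without DNS. 127.0.0.2 is the
# documented Spamhaus test address (listed in every zen sub-list); the other
# entries are invented to exercise the error and not-listed paths.
SIMULATED_DNS = {
    "2.0.0.127.zen.spamhaus.org": ["127.0.0.2", "127.0.0.4", "127.0.0.10"],
    "2.0.0.127.bl.spamcop.net": ["127.0.0.2"],
    "102.224.31.114.zen.spamhaus.org": ["127.255.255.254"],  # simulated open-resolver refusal
}


def simulated_resolver(name):
    if name not in SIMULATED_DNS:
        raise socket.gaierror("NXDOMAIN (simulated)")
    return SIMULATED_DNS[name]


if __name__ == "__main__":
    # 114.31.224.102 is the IP that connected to MAILSVR in the posted headers and is
    # the only address an RBL check at SMTP time can see; the webmail user's IP
    # 116.203.11.178 in the innermost Received line is invisible to it.
    for ip in ("127.0.0.2", "114.31.224.102"):
        report = check_ip(ip, resolve=simulated_resolver)
        print(ip, "listed" if is_listed(report) else "not listed")
        for zone, r in report.items():
            print(f"  {zone:18} {r['status']:7} {'; '.join(r['detail'])}")
```

Two points fall out of this for the mail in the question. First, the address an RBL sees is 114.31.224.102, rediffmail's own outbound server, not the submitting user's IP, so a reputation list helps here only if that server is itself listed. Second, keeping "error" separate from "listed" is what stops a refused or defunct zone from quietly rejecting all inbound mail, which is the failure mode behind the phone call Simon describes below.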
Simon Butler (Sembee)ConsultantCommented:
I use software that blacklists email that I receive, which I control completely. It isn't manual filtering.
However I am just raising the business risk - because I have seen it time and time again. People start using blacklists then get a phone call because their biggest customer is unable to email them because they are using a host that is listed on a blacklist.

Blacklists are not the "magic" solution to spam that people think they are.
As for the false positives getting flagged quickly, that does make me laugh, as it would at some of the major email providers. Loads of stories of someone getting pissed off with a major provider and blacklisting their entire block. I don't think a day goes by without the Hotmail, AOL and Office365 servers getting blacklisted, and GoDaddy has a dedicated team.

Simon.
Marcus BointonCommented:
"then get a phone call because their biggest customer is unable to email them because they are using a host that is listed on a blacklist" - sounds like a great opportunity to sell them an email system that isn't total junk? :)
MichaelBalackAuthor Commented:
It works