Solved

Why the user received this mail, is this spam?

Posted on 2014-02-27
Last Modified: 2014-03-24
This is using MS Exchange 2010 Server. We are using the native anti-spam as well. However, users still report that they received some weird mail. For example, a user forwarded an email as follows:

Email header:
Received: from rediffmail.com (114.31.224.102) by MAILSVR.abc.local
 (192.168.1.20) with Microsoft SMTP Server id 14.3.174.1; Tue, 25 Feb 2014
 20:10:35 +0800
Received: (qmail 23568 invoked by uid 510); 25 Feb 2014 12:18:45 -0000
Received: from unknown 116.203.11.178 by rediffmail.com via HTTP; 25 Feb 2014
 12:18:44 -0000
From: "rbitransfernitnewdlhi@admin.in.th" <rbitransfernitnewdlhi@admin.in.th>
To: "info@rbi.india" <info@rbi.india>
Subject: =?utf-8?B?UkVTRVJWRSBCQU5LIE9GIElORElBIE9GRklDSUFMIFBBWU1FTlQgTk9USUZJ?=
 =?utf-8?B?Q0FUSU9OISHigI8=?=
Thread-Topic: =?utf-8?B?UkVTRVJWRSBCQU5LIE9GIElORElBIE9GRklDSUFMIFBBWU1FTlQgTk9USUZJ?=
 =?utf-8?B?Q0FUSU9OISHigI8=?=
Thread-Index: AQHPMiKXX3U/4WsqxUK76Dw/2veJEg==
Sender: "mishra_ashush27@rediffmail.com" <mishra_ashush27@rediffmail.com>
Date: Tue, 25 Feb 2014 12:18:44 +0000
Message-ID: <20140225121844.23532.qmail@f5mail-224-102.rediffmail.com>
Reply-To: "rbitransfernitnewdlhi@admin.in.th"
      <rbitransfernitnewdlhi@admin.in.th>
Content-Language: en-SG
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-AuthSource: MAILSVR.abc.local
X-MS-Has-Attach: yes
X-MS-Exchange-Organization-SenderIdResult: Pass
X-MS-Exchange-Organization-PRD: rediffmail.com
X-MS-TNEF-Correlator:
received-spf: Pass (MAILSVR.abc.local: domain of
 mishra_ashush27@rediffmail.com designates 114.31.224.102 as permitted
 sender) receiver=MAILSVR.abc.local; client-ip=114.31.224.102;
 helo=rediffmail.com;
Content-Type: multipart/mixed;
      boundary="_004_2014022512184423532qmailf5mail224102rediffmailcom_"
MIME-Version: 1.0

Please see the sender/recipient in Outlook as attached.
Spam.bmp
Question by:MichaelBalack
13 Comments

Expert Comment

by:Dave Baldwin
ID: 39891224
It is without any doubt at all a spam message and the attachment may include a virus.  116.203.11.178 is in India.  Do your customers normally get mail from there?

Author Comment

by:MichaelBalack
ID: 39891239
Hi Dave,

My users always received such mails. I didn't really pay much attention to the ip. Just wondering why this kind of spam can't be stopped.

Expert Comment

by:Simon Butler (Sembee)
ID: 39891249
This is why:
X-MS-Exchange-Organization-SenderIdResult: Pass

It has passed the SenderID test.

Most spam would fail that test.

Simon.

Expert Comment

by:Squinky
ID: 39891425
These days it's not unusual for spam to pass SPF and DKIM checks - spammers are clever enough to realise that helps their delivery rates. This kind of spam is best trapped by Bayesian filtering (where it can learn to recognise new kinds of spam), but in order for that to work your recipients need to have some means of reporting spam back to your server, such as a forwarding address, or a mailbox that the spam filter reads if users move messages into it.
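An added example, not part of the thread: a Python check of which domain the Sender ID "Pass" in the posted header actually covers, next to the From address the user sees, plus a decode of the Subject line. The header text is abridged from the question; the function names `domain_of` and `analyse` are made up for this illustration.

```python
import email
import unicodedata
from email.header import decode_header, make_header
from email.utils import parseaddr

# Abridged copy of the header posted in the question.
RAW = '''From: "rbitransfernitnewdlhi@admin.in.th" <rbitransfernitnewdlhi@admin.in.th>
To: "info@rbi.india" <info@rbi.india>
Subject: =?utf-8?B?UkVTRVJWRSBCQU5LIE9GIElORElBIE9GRklDSUFMIFBBWU1FTlQgTk9USUZJ?=
 =?utf-8?B?Q0FUSU9OISHigI8=?=
Sender: "mishra_ashush27@rediffmail.com" <mishra_ashush27@rediffmail.com>
Reply-To: "rbitransfernitnewdlhi@admin.in.th"
      <rbitransfernitnewdlhi@admin.in.th>
X-MS-Exchange-Organization-SenderIdResult: Pass
X-MS-Exchange-Organization-PRD: rediffmail.com

'''

def domain_of(value):
    """Return the lower-cased domain of the first address in a header value."""
    addr = parseaddr(" ".join(value.split()))[1]  # unfold the header before parsing
    return addr.rpartition("@")[2].lower()

def analyse(raw):
    msg = email.message_from_string(raw)
    subject = str(make_header(decode_header(msg["Subject"])))
    from_domain = domain_of(msg["From"])
    # Domain Exchange evaluated: the PRD it stamped, else Sender:, else From:
    prd = msg["X-MS-Exchange-Organization-PRD"]
    checked = prd.strip().lower() if prd else domain_of(msg["Sender"] or msg["From"])
    findings = []
    if checked != from_domain:
        findings.append("Sender ID %s covers %s, not the displayed From domain %s"
                        % (msg["X-MS-Exchange-Organization-SenderIdResult"],
                           checked, from_domain))
    if msg["Reply-To"] and domain_of(msg["Reply-To"]) != checked:
        findings.append("replies go to %s" % domain_of(msg["Reply-To"]))
    # Unicode category Cf = invisible format characters (direction marks etc.)
    hidden = sorted({"U+%04X" % ord(c) for c in subject
                     if unicodedata.category(c) == "Cf"})
    if hidden:
        findings.append("subject has invisible characters: " + ", ".join(hidden))
    return {"subject": subject, "from_domain": from_domain,
            "checked_domain": checked, "findings": findings}

if __name__ == "__main__":
    for line in analyse(RAW)["findings"]:
        print(line)
```

The pass result is for rediffmail.com, the domain in the Sender header, so it says nothing about the admin.in.th address shown to the user and used for replies.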

Author Comment

by:MichaelBalack
ID: 39894377
Hi Squinky,

Please elaborate on how this type of spam can be effectively stopped.

Expert Comment

by:Squinky
ID: 39894405
By having a spam filter that can learn from user actions: users know what is spam better than any program with static rules. SpamAssassin will do this, but only if you enable a way of allowing users to report what is spam and what is not (in order to correct false positives).

You should also make sure your spam filter makes use of real-time blacklists (RBLs) so that you can identify spam that has been spotted by other users.

All that said, no spam filter is perfect, and spammers change behaviour all the time. You will always get a certain amount of spam getting through, and a certain amount of legitimate email getting blocked. There is no easy answer.

Expert Comment

by:Dave Baldwin
ID: 39895575
@Squinky is right, there is no 'permanent' fix for spam because they evolve as the anti-spam efforts do.  It's an ongoing process for both sides.

Author Comment

by:MichaelBalack
ID: 39916555
Hi all,

Talking about the RBLs, I put in 2 more RBLs as follows:

     Existing RBLs:

         zen.spamhaus.org
         bl.spamcop.net

     Newly-added:

         psbl.surriel.com
         dnsbl.sorbs.net

Will this help?

Expert Comment

by:Simon Butler (Sembee)
ID: 39917819
Depends if you are happy for an unaccountable organisation to decide what email you can and cannot receive. Personally I don't use any blacklists unless I control what gets listed.

Simon.

Accepted Solution

by:
Squinky earned 500 total points
ID: 39917851
The point of RBLs is to reject mail before you have wasted resources receiving it. If you're managing it yourself, that's not possible, so you're effectively back to manual content filtering. Sure, some RBLs are overzealous (some deliberately so), but you'll figure out which they are pretty quickly (and they are generally documented) and they are nearly all dynamic (the real-time in RBL). Chances are if 50,000 other people report something as a spam source, they're probably right. The sender will be told they're blacklisted, so false positives get flagged quickly.
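An added example, not part of the thread: how an RBL lookup for a connecting IP is formed and read, using the four zones named above. The resolver is injectable so the sample runs offline against constructed answers; 192.0.2.10 is a documentation address, the answers in `SAMPLE` are made up, and ignoring 127.255.255.0/24 follows Spamhaus's documented error codes and is assumed here to be a safe rule for the other zones as well.

```python
import ipaddress
import socket

ZONES = ["zen.spamhaus.org", "bl.spamcop.net", "psbl.surriel.com", "dnsbl.sorbs.net"]
LISTING_NET = ipaddress.ip_network("127.0.0.0/8")     # listings are answered in 127/8
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")  # error codes, not listings

def dnsbl_name(ip, zone):
    """Build the query name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolver(name):
    """A-record lookup; None when there is no answer (NXDOMAIN or lookup failure)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check(ip, zones=ZONES, resolve=system_resolver):
    """Return {zone: (verdict, answer)} with verdict listed / not listed / ignored."""
    result = {}
    for zone in zones:
        answer = resolve(dnsbl_name(ip, zone))
        if answer is None:
            result[zone] = ("not listed", None)
            continue
        addr = ipaddress.ip_address(answer)
        if addr in ERROR_NET or addr not in LISTING_NET:
            # Refused/rate-limited query or a hijacked zone: rejecting mail on
            # this answer would block legitimate senders.
            result[zone] = ("ignored", answer)
        else:
            result[zone] = ("listed", answer)
    return result

# Constructed answers for the documentation address 192.0.2.10 (not real data).
SAMPLE = {
    "10.2.0.192.zen.spamhaus.org": "127.0.0.4",
    "10.2.0.192.bl.spamcop.net": "127.255.255.254",
}

if __name__ == "__main__":
    for zone, verdict in check("192.0.2.10", resolve=SAMPLE.get).items():
        print(zone, verdict)
```

A lookup failure is reported as "not listed" here, so a DNS outage lets mail through instead of blocking it.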

Expert Comment

by:Simon Butler (Sembee)
ID: 39917891
I use software that blacklists email that I receive, which I control completely. It isn't manual filtering.
However I am just raising the business risk - because I have seen it time and time again. People start using blacklists then get a phone call because their biggest customer is unable to email them because they are using a host that is listed on a blacklist.

Blacklists are not the "magic" solution to spam that people think they are.
As for the false positives getting flagged quickly, that does make me laugh as it would do at some of the major email providers. Loads of stories of someone getting pissed off with a major provider and blacklisting their entire block. I don't think a day goes by without the Hotmail, AOL and Office365 servers getting blacklisted and GoDaddy has a dedicated team.

Simon.

Expert Comment

by:Squinky
ID: 39917925
"then get a phone call because their biggest customer is unable to email them because they are using a host that is listed on a blacklist" - sounds like a great opportunity to sell them an email system that isn't total junk? :)

Author Closing Comment

by:MichaelBalack
ID: 39949701
It works