Solved

Why the user received this mail, is this spam?

Posted on 2014-02-27
Last Modified: 2014-03-24
This is on an MS Exchange 2010 server. We are using the native anti-spam as well. However, users still report that they receive some weird mail. For example, a user forwarded an email as follows:

Email header:
Received: from rediffmail.com (114.31.224.102) by MAILSVR.abc.local
 (192.168.1.20) with Microsoft SMTP Server id 14.3.174.1; Tue, 25 Feb 2014
 20:10:35 +0800
Received: (qmail 23568 invoked by uid 510); 25 Feb 2014 12:18:45 -0000
Received: from unknown 116.203.11.178 by rediffmail.com via HTTP; 25 Feb 2014
 12:18:44 -0000
From: "rbitransfernitnewdlhi@admin.in.th" <rbitransfernitnewdlhi@admin.in.th>
To: "info@rbi.india" <info@rbi.india>
Subject: =?utf-8?B?UkVTRVJWRSBCQU5LIE9GIElORElBIE9GRklDSUFMIFBBWU1FTlQgTk9USUZJ?=
 =?utf-8?B?Q0FUSU9OISHigI8=?=
Thread-Topic: =?utf-8?B?UkVTRVJWRSBCQU5LIE9GIElORElBIE9GRklDSUFMIFBBWU1FTlQgTk9USUZJ?=
 =?utf-8?B?Q0FUSU9OISHigI8=?=
Thread-Index: AQHPMiKXX3U/4WsqxUK76Dw/2veJEg==
Sender: "mishra_ashush27@rediffmail.com" <mishra_ashush27@rediffmail.com>
Date: Tue, 25 Feb 2014 12:18:44 +0000
Message-ID: <20140225121844.23532.qmail@f5mail-224-102.rediffmail.com>
Reply-To: "rbitransfernitnewdlhi@admin.in.th"
      <rbitransfernitnewdlhi@admin.in.th>
Content-Language: en-SG
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-AuthSource: MAILSVR.abc.local
X-MS-Has-Attach: yes
X-MS-Exchange-Organization-SenderIdResult: Pass
X-MS-Exchange-Organization-PRD: rediffmail.com
X-MS-TNEF-Correlator:
received-spf: Pass (MAILSVR.abc.local: domain of
 mishra_ashush27@rediffmail.com designates 114.31.224.102 as permitted
 sender) receiver=MAILSVR.abc.local; client-ip=114.31.224.102;
 helo=rediffmail.com;
Content-Type: multipart/mixed;
      boundary="_004_2014022512184423532qmailf5mail224102rediffmailcom_"
MIME-Version: 1.0

Please see the sender/recipient in Outlook in the attached screenshot.
[Attachment: Spam.bmp]
Question by:MichaelBalack
13 Comments
 
Expert Comment by Dave Baldwin (ID: 39891224)
It is without any doubt at all a spam message and the attachment may include a virus.  116.203.11.178 is in India.  Do your customers normally get mail from there?

Author Comment by MichaelBalack (ID: 39891239)
Hi Dave,

My users always receive such mails. I didn't really pay much attention to the IP. Just wondering why this kind of spam can't be stopped.

Expert Comment by Simon Butler (Sembee) (ID: 39891249)
This is why:
X-MS-Exchange-Organization-SenderIdResult: Pass

It has passed the SenderID test.

Most spam would fail that test.

Simon.
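The headers quoted in the question, and the Sender ID result Simon points to, can be read mechanically. The script below is an added example, not part of the original thread and not Exchange code; it parses the header block as pasted (trimmed to the fields it uses, so the input is a constructed fixture) with the Python standard library and reports what the SPF/Sender ID pass actually covered. Sender ID tests the "purported responsible domain", which Exchange records in X-MS-Exchange-Organization-PRD; here that is rediffmail.com, taken from the Sender: header, and the connecting IP really is a rediffmail mail server, so the pass is genuine. It says nothing about the From: domain admin.in.th, the Reply-To: that collects the replies, the To: that is not the local recipient, or the RFC 2047 subject, which decodes to "RESERVE BANK OF INDIA OFFICIAL PAYMENT NOTIFICATION!!" followed by an invisible U+200F RIGHT-TO-LEFT MARK. The receiver-domain heuristic (take the parent domain of the host that accepted the message) is an assumption made for this example.

```python
"""Header triage for the message quoted in the question (added example).

Reads the headers as pasted, decodes the RFC 2047 subject, and reports the
signals an SPF/Sender ID "Pass" does not cover: which domain was actually
authenticated versus the From: domain, where replies go, whether the local
recipient is even named, the originating IP, and hidden Unicode."""
import re
import unicodedata
from email import message_from_string, policy

# Constructed fixture: the header block from the question, trimmed to the
# fields the checks below use.
RAW_HEADERS = """\
Received: from rediffmail.com (114.31.224.102) by MAILSVR.abc.local
 (192.168.1.20) with Microsoft SMTP Server id 14.3.174.1; Tue, 25 Feb 2014
 20:10:35 +0800
Received: (qmail 23568 invoked by uid 510); 25 Feb 2014 12:18:45 -0000
Received: from unknown 116.203.11.178 by rediffmail.com via HTTP; 25 Feb 2014
 12:18:44 -0000
From: "rbitransfernitnewdlhi@admin.in.th" <rbitransfernitnewdlhi@admin.in.th>
To: "info@rbi.india" <info@rbi.india>
Subject: =?utf-8?B?UkVTRVJWRSBCQU5LIE9GIElORElBIE9GRklDSUFMIFBBWU1FTlQgTk9USUZJ?=
 =?utf-8?B?Q0FUSU9OISHigI8=?=
Sender: "mishra_ashush27@rediffmail.com" <mishra_ashush27@rediffmail.com>
Reply-To: "rbitransfernitnewdlhi@admin.in.th"
      <rbitransfernitnewdlhi@admin.in.th>
X-MS-Exchange-Organization-SenderIdResult: Pass
X-MS-Exchange-Organization-PRD: rediffmail.com
received-spf: Pass (MAILSVR.abc.local: domain of
 mishra_ashush27@rediffmail.com designates 114.31.224.102 as permitted
 sender) receiver=MAILSVR.abc.local; client-ip=114.31.224.102;
 helo=rediffmail.com;

"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def _domain(header):
    """Domain of the first mailbox in an address header, lower-cased, or None."""
    if header is None or not header.addresses:
        return None
    return header.addresses[0].domain.lower()


def hidden_chars(text):
    """Unicode format characters (category Cf), e.g. U+200F RIGHT-TO-LEFT MARK."""
    return [f"U+{ord(c):04X} {unicodedata.name(c, 'UNNAMED')}"
            for c in text if unicodedata.category(c) == "Cf"]


def triage(raw):
    """Facts a responder wants from the headers, plus the reasons the message
    is suspect despite the SPF/Sender ID pass."""
    msg = message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "")
    from_dom = _domain(msg["From"])
    sender_dom = _domain(msg["Sender"])
    reply_dom = _domain(msg["Reply-To"])
    to_doms = [a.domain.lower() for a in (msg["To"].addresses if msg["To"] else ())]

    # What did the receiving server authenticate?  Exchange records the
    # "purported responsible domain" it tested; fall back to the SPF text.
    prd = (msg["X-MS-Exchange-Organization-PRD"] or "").strip().lower() or None
    m = re.search(r"domain of\s+\S+@([\w.-]+)", msg["Received-SPF"] or "")
    authenticated_dom = prd or (m.group(1).lower() if m else None)

    received = msg.get_all("Received") or []
    first_hop = received[-1] if received else ""  # each hop prepends, so last = origin
    origin = IPV4.search(first_hop)
    # Heuristic (assumption for this example): the local domain is the parent
    # of the host that accepted the message from the internet ("by MAILSVR.abc.local").
    by = re.search(r"\bby\s+([\w.-]+)", received[0]) if received else None
    local_dom = by.group(1).lower().split(".", 1)[-1] if by else None

    facts = {
        "subject": subject,
        "hidden_chars": hidden_chars(subject),
        "from_domain": from_dom,
        "sender_domain": sender_dom,
        "reply_to_domain": reply_dom,
        "authenticated_domain": authenticated_dom,
        "originating_ip": origin.group(1) if origin else None,
        "submitted_via_webmail": "via HTTP" in first_hop,
        "to_is_local_recipient": local_dom in to_doms,
    }
    reasons = []
    if authenticated_dom and authenticated_dom != from_dom:
        reasons.append(f"SPF/Sender ID passed for {authenticated_dom}, not for the From: domain {from_dom}")
    if reply_dom and reply_dom != sender_dom:
        reasons.append(f"replies are diverted to {reply_dom}, not to the account that sent it ({sender_dom})")
    if not facts["to_is_local_recipient"]:
        reasons.append("To: does not name the local recipient; bulk-delivered (Bcc)")
    if facts["hidden_chars"]:
        reasons.append("subject contains invisible Unicode: " + ", ".join(facts["hidden_chars"]))
    if facts["submitted_via_webmail"]:
        reasons.append(f"submitted through webmail from {facts['originating_ip']}")
    facts["reasons"] = reasons
    return facts


if __name__ == "__main__":
    for key, value in triage(RAW_HEADERS).items():
        print(f"{key}: {value}")
```

The From-versus-authenticated-domain comparison is what DMARC later called alignment; the Exchange 2010 Sender ID agent does not perform it, which is exactly why a message sent from a genuine webmail account with a forged From: sails through with a Pass.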
Expert Comment by Marcus Bointon (ID: 39891425)
These days it's not unusual for spam to pass SPF and DKIM checks - spammers are clever enough to realise that helps their delivery rates. This kind of spam is best trapped by Bayesian filtering (where it can learn to recognise new kinds of spam), but in order for that to work your recipients need to have some means of reporting spam back to your server, such as a forwarding address, or a mailbox that the spam filter reads if users move messages into it.

Author Comment by MichaelBalack (ID: 39894377)
Hi Squinky,

Please elaborate on how this type of spam can be effectively stopped.

Expert Comment by Marcus Bointon (ID: 39894405)
By having a spam filter that can learn from user actions: users know what is spam better than any program with static rules. SpamAssassin will do this, but only if you enable a way of allowing users to report what is spam and what is not (in order to correct false positives).

You should also make sure your spam filter makes use of real-time blacklists (RBLs) so that you can identify spam that has been spotted by other users.

All that said, no spam filter is perfect, and spammers change behaviour all the time. You will always get a certain amount of spam getting through, and a certain amount of legitimate email getting blocked. There is no easy answer.
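Marcus's point that a learning filter is only as good as its feedback channel, shown as an added example (not code from the thread and not SpamAssassin's implementation): a minimal Bernoulli naive Bayes classifier with add-one smoothing, trained on a small constructed corpus. Tokens the filter has never seen contribute no evidence, so the first RBI-style message scores neutral and is delivered; once a user drops it in the report mailbox and it is learned as spam, the same vocabulary in the next variant is enough to classify it, while a legitimate invoice that shares a few of those words still scores as ham because its other words are known ham. unlearn() is the correction path for a false positive. All messages are constructed for the example.

```python
"""Minimal Bayesian spam filter with a user-feedback loop (added example)."""
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9$]+")


def tokens(text):
    """Lower-cased word set; a token counts once per message (Bernoulli model)."""
    return set(TOKEN.findall(text.lower()))


class BayesFilter:
    def __init__(self):
        self.spam_docs = 0
        self.ham_docs = 0
        self.spam_df = Counter()  # number of spam messages containing each token
        self.ham_df = Counter()   # number of ham messages containing each token

    def learn(self, text, is_spam):
        """Called when a user reports a message (or a corpus is imported)."""
        df = self.spam_df if is_spam else self.ham_df
        df.update(tokens(text))
        if is_spam:
            self.spam_docs += 1
        else:
            self.ham_docs += 1

    def unlearn(self, text, was_spam):
        """Undo a learn(); used when a user corrects a wrong classification."""
        df = self.spam_df if was_spam else self.ham_df
        for t in tokens(text):
            df[t] -= 1
            if df[t] <= 0:
                del df[t]        # back to "never seen", not "seen zero times"
        if was_spam:
            self.spam_docs -= 1
        else:
            self.ham_docs -= 1

    def score(self, text):
        """Log-odds of spam over ham with add-one (Laplace) smoothing.

        Tokens never seen in either class are skipped: they are no evidence
        either way, which is why brand-new spam vocabulary scores neutral."""
        log_odds = math.log((self.spam_docs + 1) / (self.ham_docs + 1))
        for t in tokens(text):
            if t not in self.spam_df and t not in self.ham_df:
                continue
            p_spam = (self.spam_df[t] + 1) / (self.spam_docs + 2)
            p_ham = (self.ham_df[t] + 1) / (self.ham_docs + 2)
            log_odds += math.log(p_spam / p_ham)
        return log_odds

    def is_spam(self, text, threshold=0.0):
        return self.score(text) > threshold


# Constructed training corpus: what a small site might hold after a few reports.
HAM = [
    "meeting notes for the quarterly review attached",
    "can you send the invoice for last month please",
    "lunch tomorrow at noon?",
]
SPAM = [
    "cheap viagra pills buy now",
    "you have won the lottery claim your prize",
    "hot singles in your area click here",
]
# Constructed messages for the scenario in the thread.
FIRST_WAVE = "reserve bank of india official payment notification transfer fund ready"
SECOND_WAVE = "official payment notification from reserve bank fund transfer approved"
LEGIT = "please find the official invoice for the bank transfer attached"


def feedback_demo():
    """Returns (first wave flagged?, second wave flagged?, legit invoice flagged?)."""
    f = BayesFilter()
    for m in HAM:
        f.learn(m, False)
    for m in SPAM:
        f.learn(m, True)
    before = f.is_spam(FIRST_WAVE)   # nothing in it is known yet: delivered
    f.learn(FIRST_WAVE, True)        # a user moves it to the spam-report mailbox
    after = f.is_spam(SECOND_WAVE)   # shared vocabulary is now evidence
    legit = f.is_spam(LEGIT)         # ham words outweigh the few shared ones
    return before, after, legit


if __name__ == "__main__":
    print(feedback_demo())
```

A threshold of 0 means "more likely spam than ham"; production filters bias the threshold toward ham so that a handful of shared words never costs a legitimate message, which is the false-positive trade-off Marcus describes.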
 
Expert Comment by Dave Baldwin (ID: 39895575)
@Squinky is right, there is no 'permanent' fix for spam because they evolve as the anti-spam efforts do.  It's an ongoing process for both sides.

Author Comment by MichaelBalack (ID: 39916555)
Hi all,

Talking about RBLs, I put in two more as follows:

     Existing RBLs:

         zen.spamhaus.org
         bl.spamcop.net

     Newly added:

         psbl.surriel.com
         dnsbl.sorbs.net

Will this help?
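What the four lists named above actually return, as an added example (not code from the thread and not Exchange's own lookup): a DNSBL query is an A-record lookup of the reversed IPv4 octets under the list's zone, and the answer encodes why the address is listed. The return-code meanings are the ones the operators document; the resolver table is a constructed stand-in for live DNS so the script runs offline (use system_resolve for real queries; 127.0.0.2 is the test address the lists return as listed, and 192.0.2.0/24 is documentation address space). The caveat a practitioner wants: Spamhaus answers queries sent through an open or public resolver, or over its free-usage limit, with 127.255.255.x codes that are error signals, not listings. An Exchange IP Block List Provider configured to match any return code treats those as a hit and starts rejecting everything; match on the specific codes instead, and decide per code what to do (rejecting on SBL/XBL is reasonable, acting on PBL alone blocks residential ranges that should never deliver directly anyway).

```python
"""DNSBL lookup with return-code interpretation (added example)."""
import ipaddress
import socket

# Return codes as documented by each operator (zones are the ones in the post).
PROVIDERS = {
    "zen.spamhaus.org": {
        "127.0.0.2": "SBL: spam source",
        "127.0.0.3": "SBL CSS: snowshoe / compromised sender",
        "127.0.0.4": "XBL: exploited host or bot",
        "127.0.0.10": "PBL: end-user range (ISP maintained)",
        "127.0.0.11": "PBL: end-user range (Spamhaus maintained)",
    },
    "bl.spamcop.net": {"127.0.0.2": "reported by SpamCop users"},
    "psbl.surriel.com": {"127.0.0.2": "hit a PSBL spam trap"},
    "dnsbl.sorbs.net": {
        "127.0.0.2": "open HTTP proxy",
        "127.0.0.3": "open SOCKS proxy",
        "127.0.0.4": "misc proxy",
        "127.0.0.5": "open SMTP relay",
        "127.0.0.6": "spam source",
        "127.0.0.10": "dynamic / dial-up range",
    },
}
# Genuine listings from these zones live in 127.0.0.0/24; anything else
# (e.g. Spamhaus's 127.255.255.x) is an operator error signal.
LISTING_RANGE = ipaddress.ip_network("127.0.0.0/24")


def query_name(ip, zone):
    """Reverse the octets and append the zone: 1.2.3.4 -> 4.3.2.1.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv6 listings use nibble-reversed names; not handled here")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolve(name):
    """All A records for name; [] on NXDOMAIN, which means 'not listed'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check(ip, zone, resolve=system_resolve):
    """Query one zone and split the answer into listings and error signals."""
    codes = resolve(query_name(ip, zone))
    meanings = PROVIDERS.get(zone, {})
    hits, errors = [], []
    for code in codes:
        if ipaddress.ip_address(code) in LISTING_RANGE:
            hits.append(meanings.get(code, f"listed, undocumented code {code}"))
        else:
            errors.append(f"{code}: operator error signal, not a listing")
    return {"ip": ip, "zone": zone, "listed": bool(hits),
            "reasons": hits, "errors": errors}


def check_all(ip, resolve=system_resolve):
    return [check(ip, zone, resolve) for zone in PROVIDERS]


# Constructed answers standing in for live DNS (assumption for this example).
FAKE_DNS = {
    "2.0.0.127.zen.spamhaus.org": ["127.0.0.2", "127.0.0.4", "127.0.0.10"],
    "2.0.0.127.bl.spamcop.net": ["127.0.0.2"],
    "2.0.0.127.psbl.surriel.com": ["127.0.0.2"],
    "2.0.0.127.dnsbl.sorbs.net": ["127.0.0.2", "127.0.0.6"],
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.11"],       # residential range, PBL only
    "20.2.0.192.zen.spamhaus.org": ["127.255.255.254"],  # asked via an open resolver
}


def fake_resolve(name):
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    for ip in ("127.0.0.2", "192.0.2.10", "192.0.2.20"):
        for result in check_all(ip, fake_resolve):
            print(result)
```

Querying four zones per connection means four DNS round trips before the SMTP banner; run them in parallel or let the MTA's own provider ordering stop at the first hit, and keep a local caching resolver in front so repeated senders do not count against any operator's query limit.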
 
Expert Comment by Simon Butler (Sembee) (ID: 39917819)
Depends if you are happy for an unaccountable organisation to decide what email you can and cannot receive. Personally I don't use any blacklists unless I control what gets listed.

Simon.

Accepted Solution by Marcus Bointon (earned 500 total points; ID: 39917851)
The point of RBLs is to reject mail before you have wasted resources receiving it. If you're managing it yourself, that's not possible, so you're effectively back to manual content filtering. Sure, some RBLs are overzealous (some deliberately so), but you'll figure out which they are pretty quickly (and they are generally documented) and they are nearly all dynamic (the real-time in RBL). Chances are if 50,000 other people report something as a spam source, they're probably right. The sender will be told they're blacklisted, so false positives get flagged quickly.

Expert Comment by Simon Butler (Sembee) (ID: 39917891)
I use software that blacklists email that I receive, which I control completely. It isn't manual filtering.
However I am just raising the business risk - because I have seen it time and time again. People start using blacklists then get a phone call because their biggest customer is unable to email them because they are using a host that is listed on a blacklist.

Blacklists are not the "magic" solution to spam that people think they are.
As for the false positives getting flagged quickly, that does make me laugh as it would do at some of the major email providers. Loads of stories of someone getting pissed off with a major provider and blacklisting their entire block. I don't think a day goes by without the Hotmail, AOL and Office365 servers getting blacklisted and GoDaddy has a dedicated team.

Simon.

Expert Comment by Marcus Bointon (ID: 39917925)
"then get a phone call because their biggest customer is unable to email them because they are using a host that is listed on a blacklist" - sounds like a great opportunity to sell them an email system that isn't total junk? :)

Author Closing Comment by MichaelBalack (ID: 39949701)
It works