Why the user received this mail, is this spam?

MichaelBalack
This is using ms exchange 2010 server. We are using the native anti-spam as well. However, users still feedback that they received some weird mail. For example, a user forwarded an email as follows:

Email header:
Received: from rediffmail.com (114.31.224.102) by MAILSVR.abc.local
 (192.168.1.20) with Microsoft SMTP Server id 14.3.174.1; Tue, 25 Feb 2014
 20:10:35 +0800
Received: (qmail 23568 invoked by uid 510); 25 Feb 2014 12:18:45 -0000
Received: from unknown 116.203.11.178 by rediffmail.com via HTTP; 25 Feb 2014
 12:18:44 -0000
From: "rbitransfernitnewdlhi@admin.in.th" <rbitransfernitnewdlhi@admin.in.th>
To: "info@rbi.india" <info@rbi.india>
Subject: =?utf-8?B?UkVTRVJWRSBCQU5LIE9GIElORElBIE9GRklDSUFMIFBBWU1FTlQgTk9USUZJ?=
 =?utf-8?B?Q0FUSU9OISHigI8=?=
Thread-Topic: =?utf-8?B?UkVTRVJWRSBCQU5LIE9GIElORElBIE9GRklDSUFMIFBBWU1FTlQgTk9USUZJ?=
 =?utf-8?B?Q0FUSU9OISHigI8=?=
Thread-Index: AQHPMiKXX3U/4WsqxUK76Dw/2veJEg==
Sender: "mishra_ashush27@rediffmail.com" <mishra_ashush27@rediffmail.com>
Date: Tue, 25 Feb 2014 12:18:44 +0000
Message-ID: <20140225121844.23532.qmail@f5mail-224-102.rediffmail.com>
Reply-To: "rbitransfernitnewdlhi@admin.in.th"
      <rbitransfernitnewdlhi@admin.in.th>
Content-Language: en-SG
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-AuthSource: MAILSVR.abc.local
X-MS-Has-Attach: yes
X-MS-Exchange-Organization-SenderIdResult: Pass
X-MS-Exchange-Organization-PRD: rediffmail.com
X-MS-TNEF-Correlator:
received-spf: Pass (MAILSVR.abc.local: domain of
 mishra_ashush27@rediffmail.com designates 114.31.224.102 as permitted
 sender) receiver=MAILSVR.abc.local; client-ip=114.31.224.102;
 helo=rediffmail.com;
Content-Type: multipart/mixed;
      boundary="_004_2014022512184423532qmailf5mail224102rediffmailcom_"
MIME-Version: 1.0

Please see the sender/recipient in the outlook as attached.
Spam.bmp
Dave Baldwin, Fixer of Problems
Most Valuable Expert 2014

Commented:
It is without any doubt at all a spam message and the attachment may include a virus.  116.203.11.178 is in India.  Do your customers normally get mail from there?
MichaelBalack, Senior System Engineer

Author

Commented:
Hi Dave,

My users always received such mails. I didn't really pay much attention to the ip. Just wondering why this kind of spam can't be stopped.
Most Valuable Expert 2014

Commented:
This is why:
X-MS-Exchange-Organization-SenderIdResult: Pass

It has passed the SenderID test.

Most spam would fail that test.

Simon.
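As an added example (not code from the thread), a Python script that reads the headers quoted in the question and shows why Sender ID returned Pass: the check is made against the Purported Responsible Address, which here is the Sender: header (rediffmail.com) rather than the From: address at admin.in.th, and against the relaying server's IP rather than the 116.203.11.178 webmail client Dave points to. The sample headers are a trimmed copy of the question's; the RBL helper only builds the DNS name an RBL lookup would query and performs no lookup.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
# Constructed sample: the header lines quoted in the question, trimmed.
RAW = """\
Received: from rediffmail.com (114.31.224.102) by MAILSVR.abc.local
 (192.168.1.20) with Microsoft SMTP Server id 14.3.174.1; Tue, 25 Feb 2014
 20:10:35 +0800
Received: from unknown 116.203.11.178 by rediffmail.com via HTTP; 25 Feb 2014
 12:18:44 -0000
From: "rbitransfernitnewdlhi@admin.in.th" <rbitransfernitnewdlhi@admin.in.th>
Sender: "mishra_ashush27@rediffmail.com" <mishra_ashush27@rediffmail.com>
Subject: =?utf-8?B?UkVTRVJWRSBCQU5LIE9GIElORElBIE9GRklDSUFMIFBBWU1FTlQgTk9USUZJ?=
 =?utf-8?B?Q0FUSU9OISHigI8=?=
X-MS-Exchange-Organization-PRD: rediffmail.com
X-MS-Exchange-Organization-SenderIdResult: Pass
"""
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def domain_of(header):
    m = re.search(r"<([^>]+)>", header or "")
    addr = m.group(1) if m else (header or "").strip()
    return addr.rsplit("@", 1)[-1].lower()

def pra_domain(msg):
    # Sender ID checks the Purported Responsible Address (RFC 4407): the first of
    # these headers that is present, so a Sender: header wins over From:.
    for name in ("Resent-Sender", "Resent-From", "Sender", "From"):
        if msg.get(name):
            return domain_of(msg[name])
    return ""

def originating_ip(msg):
    # Hops prepend Received: lines, so the last one is the first hop: here the
    # webmail client's address, which the SPF/Sender ID check never evaluates.
    for hop in reversed(msg.get_all("Received", [])):
        m = IPV4.search(hop)
        if m:
            return m.group(1)
    return ""

def dnsbl_query_name(ip, zone):
    # Name to query in an RBL zone for ip; the DNS lookup itself is not done here.
    return ".".join(reversed(ip.split("."))) + "." + zone

def analyse(raw):
    msg = message_from_string(raw)
    return {"subject": str(make_header(decode_header(msg["Subject"]))),
            "from_domain": domain_of(msg["From"]), "pra_domain": pra_domain(msg),
            "origin_ip": originating_ip(msg),
            "sender_id": msg["X-MS-Exchange-Organization-SenderIdResult"]}
```

The decoded subject also shows the trailing U+200F mark hidden in the base64 encoded words, something a plain header view does not reveal.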

These days it's not unusual for spam to pass SPF and DKIM checks - spammers are clever enough to realise that helps their delivery rates. This kind of spam is best trapped by bayesian filtering (where it can learn to recognise new kinds of spam), but in order for that to work your recipients need to have some means of reporting spam back to your server, such as a forwarding address, or a mailbox that the spam filter reads if users move messages into it.
MichaelBalack, Senior System Engineer

Author

Commented:
Hi Squinky,

Please elaborate how this type of spam can be effectively stopped.
By having a spam filter that can learn from user actions: users know what is spam better than any program with static rules. SpamAssassin will do this, but only if you enable a way of allowing users to report what is spam and what is not (in order to correct false positives).

You should also make sure your spam filter makes use of real-time blacklists (RBLs) so that you can identify spam that has been spotted by other users.

All that said, no spam filter is perfect, and spammers change behaviour all the time. You will always get a certain amount of spam getting through, and a certain amount of legitimate email getting blocked. There is no easy answer.
Dave Baldwin, Fixer of Problems
Most Valuable Expert 2014

Commented:
@Squinky is right, there is no 'permanent' fix for spam because they evolve as the anti-spam efforts do.  It's an ongoing process for both sides.
MichaelBalack, Senior System Engineer

Author

Commented:
Hi all,

Talking about the RBLs, I put in 2 more RBLs as follows:

     Existing RBLs:

         zen.spamhaus.org
         bl.spamcop.net

     Newly-added:

         psbl.surriel.com
         dnsbl.sorbs.net

Will this help?
Most Valuable Expert 2014

Commented:
Depends if you are happy for an unaccountable organisation to decide what email you can and cannot receive. Personally I don't use any blacklists unless I control what gets listed.

Simon.
The point of RBLs is to reject mail before you have wasted resources receiving it. If you're managing it yourself, that's not possible, so you're effectively back to manual content filtering. Sure, some RBLs are overzealous (some deliberately so), but you'll figure out which they are pretty quickly (and they are generally documented) and they are nearly all dynamic (the real-time in RBL). Chances are if 50,000 other people report something as a spam source, they're probably right. The sender will be told they're blacklisted, so false positives get flagged quickly.
Most Valuable Expert 2014

Commented:
I use software that blacklists email that I receive, which I control completely. It isn't manual filtering.
However I am just raising the business risk - because I have seen it time and time again. People start using blacklists then get a phone call because their biggest customer is unable to email them because they are using a host that is listed on a blacklist.

Blacklists are not the "magic" solution to spam that people think they are.
As for the false positives getting flagged quickly, that does make me laugh as it would do at some of the major email providers. Loads of stories of someone getting pissed off with a major provider and blacklisting their entire block. I don't think a day goes by without the Hotmail, AOL and Office365 servers getting blacklisted and GoDaddy has a dedicated team.

Simon.
"then get a phone call because their biggest customer is unable to email them because they are using a host that is listed on a blacklist" - sounds like a great opportunity to sell them an email system that isn't total junk? :)
MichaelBalack, Senior System Engineer

Author

Commented:
It works
