Why the user received this mail, is this spam?
This is using ms exchange 2010 server. We are using the native anti-spam as well. However, users still feedback that they received some weird mail. For example, a user forwarded an email as follows:
Email header:
Received: from rediffmail.com (114.31.224.102) by MAILSVR.abc.local
(192.168.1.20) with Microsoft SMTP Server id 14.3.174.1; Tue, 25 Feb 2014
20:10:35 +0800
Received: (qmail 23568 invoked by uid 510); 25 Feb 2014 12:18:45 -0000
Received: from unknown 116.203.11.178 by rediffmail.com via HTTP; 25 Feb 2014
12:18:44 -0000
From: "rbitransfernitnewdlhi@adm
To: "info@rbi.india" <info@rbi.india>
Subject: =?utf-8?B?UkVTRVJWRSBCQU5L
=?utf-8?B?Q0FUSU9OISHigI8=
Thread-Topic: =?utf-8?B?UkVTRVJWRSBCQU5L
=?utf-8?B?Q0FUSU9OISHigI8=
Thread-Index: AQHPMiKXX3U/4WsqxUK76Dw/2v
Sender: "mishra_ashush27@rediffmai
Date: Tue, 25 Feb 2014 12:18:44 +0000
Message-ID: <20140225121844.23532.qmai
Reply-To: "rbitransfernitnewdlhi@adm
<rbitransfernitnewdlhi@adm
Content-Language: en-SG
X-MS-Exchange-Organization
X-MS-Exchange-Organization
X-MS-Has-Attach: yes
X-MS-Exchange-Organization
X-MS-Exchange-Organization
X-MS-TNEF-Correlator:
received-spf: Pass (MAILSVR.abc.local: domain of
mishra_ashush27@rediffmail
sender) receiver=MAILSVR.abc.local
helo=rediffmail.com;
Content-Type: multipart/mixed;
boundary="_004_20140225121
MIME-Version: 1.0
Please see the sender/recipient in the outlook as attached.
Spam.bmp
Email header:
Received: from rediffmail.com (114.31.224.102) by MAILSVR.abc.local
(192.168.1.20) with Microsoft SMTP Server id 14.3.174.1; Tue, 25 Feb 2014
20:10:35 +0800
Received: (qmail 23568 invoked by uid 510); 25 Feb 2014 12:18:45 -0000
Received: from unknown 116.203.11.178 by rediffmail.com via HTTP; 25 Feb 2014
12:18:44 -0000
From: "rbitransfernitnewdlhi@adm
To: "info@rbi.india" <info@rbi.india>
Subject: =?utf-8?B?UkVTRVJWRSBCQU5L
=?utf-8?B?Q0FUSU9OISHigI8=
Thread-Topic: =?utf-8?B?UkVTRVJWRSBCQU5L
=?utf-8?B?Q0FUSU9OISHigI8=
Thread-Index: AQHPMiKXX3U/4WsqxUK76Dw/2v
Sender: "mishra_ashush27@rediffmai
Date: Tue, 25 Feb 2014 12:18:44 +0000
Message-ID: <20140225121844.23532.qmai
Reply-To: "rbitransfernitnewdlhi@adm
<rbitransfernitnewdlhi@adm
Content-Language: en-SG
X-MS-Exchange-Organization
X-MS-Exchange-Organization
X-MS-Has-Attach: yes
X-MS-Exchange-Organization
X-MS-Exchange-Organization
X-MS-TNEF-Correlator:
received-spf: Pass (MAILSVR.abc.local: domain of
mishra_ashush27@rediffmail
sender) receiver=MAILSVR.abc.local
helo=rediffmail.com;
Content-Type: multipart/mixed;
boundary="_004_20140225121
MIME-Version: 1.0
Please see the sender/recipient in the outlook as attached.
Spam.bmp
Dave Baldwin
It is without any doubt at all a spam message and the attachment may include a virus. 116.203.11.178 is in India. Do your customers normally get mail from there?
ASKER
Hi Dave,
My users always received such mails. I didn't really pay much attention to the ip. Just wondering why this kind of spam can't be stopped.
My users always received such mails. I didn't really pay much attention to the ip. Just wondering why this kind of spam can't be stopped.
This is why:
X-MS-Exchange-Organization
It has passed the SenderID test.
Most spam would fail that test.
Simon.
X-MS-Exchange-Organization
It has passed the SenderID test.
Most spam would fail that test.
Simon.
These days it's not unusual for spam to pass SPF and DKIM checks - spammers are clever enough to realise that helps their delivery rates. This kind of spam is best trapped by bayesian filtering (where it can learn to recognise new kinds of spam), but in order for that to work your recipients need to have some means of reporting spam back to your server, such as a forwarding address, or a mailbox that the spam filter reads if users move messages into it.
ASKER
Hi Squinky,
Please elaborate how can this type of spam can be effectively stopped.
Please elaborate how can this type of spam can be effectively stopped.
By having a spam filter that can learn from user actions: users know what is spam better than any program with static rules. SpamAssassin will do this, but only if you enable a way of allowing users to report what is spam and what is not (in order to correct false positives).
You should also make sure your spam filter makes use of real-time blacklists (RBLs) so that you can identify spam that has been spotted by other users.
All that said, no spam filter is perfect, and spammers change behaviour all the tim. You will always get a certain amount of spam getting through, and a certain amount of legitimate email getting blocked. There is no easy answer.
You should also make sure your spam filter makes use of real-time blacklists (RBLs) so that you can identify spam that has been spotted by other users.
All that said, no spam filter is perfect, and spammers change behaviour all the tim. You will always get a certain amount of spam getting through, and a certain amount of legitimate email getting blocked. There is no easy answer.
@Squinky is right, there is no 'permanent' fix for spam because they evolve as the anti-spam efforts do. It's an ongoing process for both sides.
ASKER
Hi all,
Talk about the RBLs, I put in 2 more RBLs as follows:
Existing RBLs:
zen.spamhaus.org
bl.spamcop.net
Newly-added:
psbl.surriel.com
dnsbl.sorbs.net
Will this help?
Talk about the RBLs, I put in 2 more RBLs as follows:
Existing RBLs:
zen.spamhaus.org
bl.spamcop.net
Newly-added:
psbl.surriel.com
dnsbl.sorbs.net
Will this help?
Depends if you are happy for an unaccountable organisation to decide what email you can and cannot receive. Personally I don't use any blacklists unless I control what gets listed.
Simon.
Simon.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I use software that blacklists email that I receive, which I control completely. It isn't manual filtering.
However I am just raising the business risk - because I have seen it time and time again. People start using blacklists then get a phone call because their biggest customer is unable to email them because they are using a host that is listed on a blacklist.
Blacklists are not the "magic" solution to spam that people think they are.
As for the false positives getting flagged quickly, that does make me laugh as it would do at some of the major email providers. Loads of stories of someone getting pissed off with a major provider and blacklisting their entire block. I don't think a day goes by without the Hotmail, AOL and Office365 servers getting blacklisted and GoDaddy has a dedicated team.
Simon.
However I am just raising the business risk - because I have seen it time and time again. People start using blacklists then get a phone call because their biggest customer is unable to email them because they are using a host that is listed on a blacklist.
Blacklists are not the "magic" solution to spam that people think they are.
As for the false positives getting flagged quickly, that does make me laugh as it would do at some of the major email providers. Loads of stories of someone getting pissed off with a major provider and blacklisting their entire block. I don't think a day goes by without the Hotmail, AOL and Office365 servers getting blacklisted and GoDaddy has a dedicated team.
Simon.
"then get a phone call because their biggest customer is unable to email them because they are using a host that is listed on a blacklist" - sounds like a great opportunity to sell them an email system that isn't total junk? :)
ASKER
It works