AntiSpam

Various techniques are used to prevent email spam (unsolicited bulk email). No technique is a complete solution to the spam problem, and each has trade-offs between incorrectly rejecting legitimate email (false positives) vs. not rejecting all spam (false negatives) - and the associated costs in time and effort. Anti-spam techniques can be broken into four broad categories: those that require actions by individuals, those that can be automated by email administrators, those that can be automated by email senders and those employed by researchers and law enforcement officials.

A client received this email; it's spam. I pulled the header from the email, and I was wondering if someone can assist in identifying which line shows a bogus inbound or outbound sending line? I went through it a couple of times and this is my only source to identify where the sender came from.

Received: from BN6PR2201MB1137.namprd22.prod.outlook.com
 (2603:10b6:404:8d::27) by BN6PR2201MB1746.namprd22.prod.outlook.com with
 HTTPS via BN6PR04CA0077.NAMPRD04.PROD.OUTLOOK.COM; Tue, 25 Feb 2020 19:51:11
 +0000
Received: from DM3PR14CA0133.namprd14.prod.outlook.com (2603:10b6:0:53::17) by
 BN6PR2201MB1137.namprd22.prod.outlook.com (2603:10b6:405:36::29) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2750.21; Tue, 25 Feb
 2020 19:51:09 +0000
Received: from DM3NAM05FT043.eop-nam05.prod.protection.outlook.com
 (2603:10b6:0:53:cafe::96) by DM3PR14CA0133.outlook.office365.com
 (2603:10b6:0:53::17) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2750.18 via Frontend
 Transport; Tue, 25 Feb 2020 19:51:08 +0000
Authentication-Results: spf=fail (sender IP is 65.170.60.123)
 smtp.mailfrom=birdair.com; superiorsiti.mail.onmicrosoft.com; dkim=pass
 (signature was verified)
 header.d=birdair.onmicrosoft.com;superiorsiti.mail.onmicrosoft.com;
 dmarc=none action=none header.from=birdair.com;
Received-SPF: Fail (protection.outlook.com: domain of birdair.com does not
 designate 


0
Hi,

My iPhone just recently got hit by a spam or virus, I don't know which. But I started noticing the message "iphone virus protection expired" in my calendar and had no way of deleting the event. Eventually I did get to delete it. And that's where my great experts come in. In the early morning I did notice that my iPhone calendar popped up a "subscribe" message and I clicked it, assuming it was part of the work I was doing, but now I know it wasn't. Just some time back I started seeing in my calendar "iphone virus protection expired" with no hope of deleting it.

I googled the problem and found that deleting the created account in "Password & Accounts" would resolve it (and it seems it did, no more event). Prior to deleting the account I noticed a long line starting with arisinglytos.pro, then a long string of random numbers etc.

So a couple questions:
  • How is it that just by clicking on Subscribe, the "virus or spam" had access to my Password & Accounts in iPhone 11 iOS 13.3?
  • By deleting the account, am I done? Is it solved? Anything else to do?
  • What is arisinglytos.pro?
0
Dear All,

In the past few weeks, I noticed the MailCleaner gateway was being targeted with brute-force and spam attacks from Russia and Iran. I deployed a country block plugin on my firewall, blocked the entire CIDR ranges for both Russia and Iran, and kept an eye on MailCleaner for any attacks with authentication attempts.

Since then, I noticed the MailCleaner disk usage has gone up from 25% to 76%, with the path /var/mailcleaner/spam/ (all domains included) full of spam files with a size of up to 35 GB.

I have a few questions about cleaning some space, and also before doing so.

Are those spam files?
Are they released or not?
Is it safe to delete them?

Thank you
0
Hi:

Our WordPress site contains a blog offering reCaptcha.  

Despite having reCaptcha in place, spam is coming through to our blog.  Of course, this is increasing the amount of time that we have to spend in administering our site.

We were having mail relay problems and IT created a new SMTP account. I wonder if that somehow is interfering with the reCaptcha... maybe it's tied to an older account. This spam stuff seems to have just started after the SMTP account was updated.

With all of this in mind, what is the means of filtering out spam from our blog in WordPress?

Thank you!  Much appreciated!

Software Engineer
0
Hi expert,

I deployed Exchange 2016 into the production environment and deployed anti-spam into the Exchange server as well. Now I'm having an issue where certain external senders' email can't be delivered to our mailbox, and the logs show that the message can't be delivered.

I suspect this might be anti-spam causing the problem; may I know what is the proper way to disable them?

Please advise.

Thanks.
0
Hi expert,

I'm trying to enable Exchange 2016 anti-spam. When I run the cmdlet get-transportagent, below is the result; however, there's spam email coming into my mailbox.

Identity                                           Enabled         Priority
--------                                           -------         --------
Transport Rule Agent                               True            1
DLP Policy Agent                                   True            2
Retention Policy Agent                             True            3
Supervisory Review Agent                           True            4
Malware Agent                                      True            5
Text Messaging Routing Agent                       True            6
Text Messaging Delivery Agent                      True            7
System Probe Drop Smtp Agent                       True            8
System Probe Drop Routing Agent                    True            9
Content Filter Agent                               True            10
Sender Id Agent                                    True            11
Sender Filter Agent                                True            12
Recipient Filter Agent                             True            13
Protocol Analysis Agent                            True            14

When I run the cmdlet get-contentfilterconfig | fl enabled, the result shows FALSE.
Does this mean I must get the content filter agent activated, and only then will the spam email be rejected …
0
We have a situation where our IPS and sometimes our spam filter blocks specific IP addresses that are sending mail from Gmail and Google mail. In every instance these blocked IPs are on an Internet blacklist. Google's solution is to whitelist these servers and any other Google servers (literally thousands of them); this is insane to me. I am sure others have encountered this situation and I am wondering how you handle it.
0
I use DMARC and SPF to protect my domain; however, a client recently became infected with malware and propagated the malware via spoofed email. Now clients of mine are receiving mail addressed as me. The question is how; what have I missed here?

Details
DMARC Record
v=DMARC1; p=none; rua=mailto:helpdesk@mydomain,mailto:7ffa0582@mxtoolbox.dmarc-report.com; ruf=mailto:My.name@mydomain,mailto:7ffa0582@forensics.dmarc-report.com; fo=1

SPF
v=spf1 +a +mx +ip4:M111.111.111.111 ~all
where
  • IP is my public IP address
  • MX is my cloud spam filter provider.
0
Hello, are there any new updates or is anything going on? I have two separate customers that are G Suite customers that use Outlook 2010 / 2019, and I am getting a few users saying they are starting to get normal emails going into their spam folder. Some of the emails are from users in their organization and in their contact list, but something is starting to send more emails into the spam folder. I am wondering, has Outlook done some sort of update, or is something else going on, or by chance is more than one customer experiencing the same problem?
0
We have DMARC implemented and I usually collect and review the reports weekly. About 3 weeks ago, the number of threat reports massively jumped and remains alarmingly high. Looking at a 2 month period, October-November: 7k emails passed DMARC, 70k have been reported as threats. This all looks like someone external has tried to use my domain and is failing the SPF and DKIM checks, and I am getting the reports about it. I expect DMARC is working as it should, but the volume of emails and the sudden increase around 3 weeks ago is what has got me concerned. Unfortunately I have had no reports from humans in that time of fake email coming from my domain. I do not even know the content of the emails or the recipients. All I know from DMARC is that they exist. My DMARC policy is set to quarantine rather than reject, so conceivably people are still seeing the emails. I would appreciate any advice from the email experts here.
0
I think the autotask one was added later by someone? How do I merge the two SPFs?

v=spf1 +a +mx +ip4:66.147.2.2 ?all
v=spf1 include:autotask.net ~all
0
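A merge routine for the two records quoted above, added here as an example (it is not from the original thread). A domain may publish only one v=spf1 TXT record; RFC 7208 has receivers return permerror when more than one is found, so the two must be combined into a single string. Picking the strictest "all" qualifier by default, and counting DNS-lookup terms against the RFC's limit of 10, are this example's own conventions.

```python
import re

# Constructed copies of the two records quoted in the question above.
RECORD_A = "v=spf1 +a +mx +ip4:66.147.2.2 ?all"
RECORD_B = "v=spf1 include:autotask.net ~all"

# Mechanisms/modifiers that each cost a DNS lookup; RFC 7208 caps these at 10
# per evaluation, so a merged record must be checked against that budget.
LOOKUP_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}
# Qualifiers for the trailing "all", ordered from least to most strict.
ALL_STRICTNESS = {"+": 0, "?": 1, "~": 2, "-": 3}


def split_terms(record):
    """Check the version tag and return the record's terms in order."""
    parts = record.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError(f"not an SPF record: {record!r}")
    return parts[1:]


def merge_spf(records, all_qualifier=None):
    """Merge several v=spf1 strings into the single record a domain may publish.

    Non-'all' terms keep first-seen order and are deduplicated (an explicit '+'
    is dropped, since it is the default qualifier). Exactly one 'all' is emitted,
    using the strictest qualifier seen in the inputs unless all_qualifier is set.
    Returns (merged_record, dns_lookup_count)."""
    merged, seen, all_quals = [], set(), []
    for record in records:
        for term in split_terms(record):
            is_all = re.fullmatch(r"([+?~-]?)all", term, re.IGNORECASE)
            if is_all:
                all_quals.append(is_all.group(1) or "+")
                continue
            term = term[1:] if term.startswith("+") else term
            if term.lower() not in seen:
                seen.add(term.lower())
                merged.append(term)
    if all_qualifier is None:
        all_qualifier = max(all_quals, key=ALL_STRICTNESS.get, default="~")
    lookups = sum(
        1 for t in merged if re.split(r"[:/=]", t, maxsplit=1)[0].lower() in LOOKUP_TERMS
    )
    return " ".join(["v=spf1", *merged, all_qualifier + "all"]), lookups


if __name__ == "__main__":
    record, lookups = merge_spf([RECORD_A, RECORD_B])
    print(record)  # v=spf1 a mx ip4:66.147.2.2 include:autotask.net ~all
    print(lookups, "DNS lookups (RFC 7208 limit is 10)")  # 3
```

Whether the merged record should end in ~all or -all is a policy decision for the domain owner; the default here only avoids silently loosening the stricter of the two inputs.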
Hi expert,

In our environment, we have Exchange 2016 with Symantec Messaging Gateway (SMG).

Since we have the Symantec Messaging Gateway, we thought of turning off the anti-spam feature in SMG but keeping the anti-malware feature.

How can I verify if my Exchange has anti-spam turned off completely?

When I run the get-transportagent cmdlet in Exchange, below is the result; is anti-spam enabled?

Identity                                           Enabled         Priority
--------                                           -------         --------
Transport Rule Agent                               True            1
DLP Policy Agent                                   True            2
Retention Policy Agent                             True            3
Supervisory Review Agent                           True            4
Malware Agent                                      True            5
Text Messaging Routing Agent                       True            6
Text Messaging Delivery Agent                      True            7
System Probe Drop Smtp Agent                       True            8
System Probe Drop Routing Agent                    True            9
0
Hi Guys,

We have 3 x MX records (mail servers).
MX1 (MX level 10)
MX2 (MX level 20)
MX3 (MX level 30)

Is there a way to only make MX2 and MX3 available if MX1 is down?  (automatically)
Our strongest SPAM filtering & smart host is on MX1,
We don't want anyone to be able to use MX2 & MX3 if MX1 is up.
0
I am using Hotmail. If I ever marked any email as Junk or Phishing or clicked Block, will Hotmail automatically inform the sender's server that I marked their emails as spam? I recently noted that a genuine sender said I marked their emails as spam previously (which I did not recall doing), and they have stopped delivering any emails to me now until they reverse this situation from their servers.
0
Dear Experts

I am hoping someone can assist me with the following issue. I have SPF and DKIM configured on my domain, which appear to be set up correctly, but when I examine the message header of an email I sent, I see the following entry: "None (protection.outlook.com: za.cfao.com does not designate permitted sender hosts)"

Just to add I am using Exclaimer for signature management.

Please can someone examine the header below and advise whether I configured something incorrectly.

"Delivered-To: nsadheo@gmail.com
Received: by 2002:a4f:c15:0:0:0:0:0 with SMTP id 21csp930979ivm;
        Wed, 21 Aug 2019 06:30:56 -0700 (PDT)
X-Google-Smtp-Source: APXvYqyk6Zvuz4Zzp1WUwoJQlz3EsF/mENO5B7uNOXkWXKiQUJ9CmIl25//eS3gDvDa/NqaFIZJg
X-Received: by 2002:a17:906:158c:: with SMTP id k12mr31626198ejd.83.1566394255976;
        Wed, 21 Aug 2019 06:30:55 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1566394255; cv=pass;
        d=google.com; s=arc-20160816;
        b=lbJV6glrTA9esPnHzJRI/x2ugMmh1yM0zYOO4Hmhvpeuwblxjcnlf4yErbNS9ShdTC
         zz7tB3Tlp63d+mH95cXl0tVS6pXE852lUmxX47jdY5tuQ86Mn788xO/HP8y1VlFlamK2
         zTuOJ3ow4d264I2lPWXgueWLQOOwVvjyLOsz0hxpo4TIfLY+YLvTr2XlDUW7F4ZIC50o
         fjfU5YP15UvEHg4+YPHRqmiMQyp6DT6No71nhWhbZyCdzTWFs6A8a2QJEYYuY5hccLd7
         4sHcycJKruMu0BIGoa7e5O/BS5zXRxqoPzN9IvrMQu0IiI0hQS4Fc+iqTs+RRuRnl8Ex
         z3bA==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        …
0
I'm trying to configure a rule in the Cisco CES cloud platform that stops people masquerading as the CEO for attempted phishing. So on our previous FW we had a rule: if the mail has the sender as 'our CEO' but does not come from our domain, then drop. I can see where to configure this in the CES.
0
I have a user that has two AOL accounts on their iPad and they are complaining about how much spam is out of control. To my knowledge, there is not much that can be done other than starting to unsubscribe from junk email or getting a new email account. Am I right, or is there something that can be done with a third party tool or something that can be configured within AOL? I know it's a pretty junky system, but I figured I'd ask as this is a VIP and they are tied to their choice of AOL.
0
Hello,
I would like to know if it is possible to find an open SMTP relay on the internet that I can use with telnet to test if there are any issues with our anti-spam hardware.
Thank you in advance
0
Dear Experts,

We are using WordPress on Bluehost for our website, and using the WP Mail SMTP plug-in to send out acknowledgement emails after we receive a request. We are having issues because our client, who receives these request mails, uses Mimecast, and they see this as spoofing, because all email for Bluehost's shared hosting customers is routed through a pool of proxy email servers. We cannot whitelist a range of IPs because they seem to change all the time.
We tried other plug-ins, but the issue always remains the same.
Please advise.
0
Yesterday I got an interesting SPAM that looked very much like the scam you see here.

I right-clicked on the shortcut and copied it to the clipboard, then pasted it into Chrome on my test machine. It takes me to what appears to be a legit Bank of America website. I have attached a screenshot. I did not enter my passwords, but it sure looks 100% legit to me.

Here is the url:  https:/ / billpay-ui.bankofamerica.com/ imm/ PaymentCenter/ Index/ 8404?csbi=644077671&b0=20190916192841396056
I have added a space after each / to make it safe.


I've been told that some legitimate-looking URLs will automatically redirect me to a bogus website, but how does that work? If the domain controller does the redirecting, wouldn't bankofamerica.com avoid a bogus address? Or does the redirecting occur on the routers that the packets hop through?

In other words how can this particular link get me in trouble?
ee-bankofamerica.png
0
Working for a financial services company, our users typically send out templated marketing emails to the business contacts they interact with.

Their emails typically have the same subject and text and lately tend to end up in the recipients' Outlook junk folders. They are not bulk emails though. A single sales guy typically sends out about ten to twenty of them per day.

Our third party outbound spam filter is set to let these through, but the controls that Microsoft provides at Exchange Online (Office 365) appear to be pretty much non-existent.

Any ideas how to circumvent this?
0
We have a single Windows SBS 2011 server running Exchange and Windows 10 Pro clients running Outlook 2007.

Everything was running OK, but today, for some reason, for certain email contacts (not all), we receive a bounce-back stating:

No SMTP server defined. Use real server address instead of 127.0.0.1 in your account

I did research this and noticed an article relating to Avast CloudCare, so we disabled the core shields on both the client and mail server, along with our Vamsoft ORF anti-spam, but we still get the same error.

Can anyone advise how we go about resolving this?

Any advice much appreciated.

Thanks.
0
Can someone who understands DMARC explain to me exactly what is happening in this DMARC?

spf=neutral (google.com: 209.222.82.54 is neither permitted nor denied by best guess record for domain of 15200-bounces@bounces.ess.barracudanetworks.com) smtp.mailfrom=15200-bounces@bounces.ess.barracudanetworks.com;
dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mysupercompany.com
Return-Path: <15200-bounces@bounces.ess.barracudanetworks.com>
Received: from 22pmail.ess.barracuda.com (22pmail.ess.barracuda.com. [209.222.82.54])

Is 209.222.82.54 not authorized/allowed for 15200-bounces@bounces.ess.barracudanetworks.com, or is 15200-bounces@bounces.ess.barracudanetworks.com not authorized/allowed for 209.222.82.54?
0
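An evaluator for the two Authentication-Results values quoted in this thread (the Outlook one from the first post, with spf=fail and dkim=pass, and the Google one in the question just above), added here as an example and not taken from any post. It shows what the DMARC verdict actually compares: SPF is checked against the smtp.mailfrom domain and DKIM against header.d, and DMARC passes only when one of those passed and its domain aligns with header.from. The two-label organizational-domain shortcut is this example's simplification; real evaluators use the Public Suffix List.

```python
import re

# Constructed copies of the two Authentication-Results values quoted in this thread:
# the Outlook one from the first post and the Google one from the Barracuda question.
SAMPLE_OUTLOOK = (
    "spf=fail (sender IP is 65.170.60.123) smtp.mailfrom=birdair.com; "
    "superiorsiti.mail.onmicrosoft.com; dkim=pass (signature was verified) "
    "header.d=birdair.onmicrosoft.com;superiorsiti.mail.onmicrosoft.com; "
    "dmarc=none action=none header.from=birdair.com;"
)
SAMPLE_GOOGLE = (
    "spf=neutral (google.com: 209.222.82.54 is neither permitted nor denied by best "
    "guess record for domain of 15200-bounces@bounces.ess.barracudanetworks.com) "
    "smtp.mailfrom=15200-bounces@bounces.ess.barracudanetworks.com; "
    "dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mysupercompany.com"
)

FIELD_RE = re.compile(r"\b(spf|dkim|dmarc|smtp\.mailfrom|header\.d|header\.from)=([^\s;]+)")


def org_domain(domain):
    """Approximate the organizational domain as the last two labels. Real DMARC
    evaluators consult the Public Suffix List; this shortcut is enough for the
    plain .com domains in this thread."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_auth_results(value):
    """Extract the identifiers DMARC compares from an Authentication-Results value.
    Parenthesised comments are dropped first so their text cannot match a field."""
    value = re.sub(r"\([^)]*\)", "", value)
    return dict(FIELD_RE.findall(value))


def dmarc_alignment(value):
    """Explain a DMARC verdict: DMARC passes only if SPF or DKIM passed AND the
    domain that passed aligns (relaxed mode: same organizational domain) with the
    RFC5322.From domain. An SPF result alone says nothing about header.from."""
    f = parse_auth_results(value)
    from_org = org_domain(f["header.from"])
    spf_domain = f.get("smtp.mailfrom", "").rsplit("@", 1)[-1]
    dkim_domain = f.get("header.d", "")
    spf_aligned = f.get("spf") == "pass" and org_domain(spf_domain) == from_org
    dkim_aligned = f.get("dkim") == "pass" and org_domain(dkim_domain) == from_org
    return {
        "header_from": f["header.from"],
        "spf": f.get("spf", "none"), "spf_domain": spf_domain, "spf_aligned": spf_aligned,
        "dkim": f.get("dkim", "none"), "dkim_domain": dkim_domain, "dkim_aligned": dkim_aligned,
        "dmarc_would_pass": spf_aligned or dkim_aligned,
        "reported_dmarc": f.get("dmarc", "absent"),
    }


if __name__ == "__main__":
    for name, sample in (("Outlook header", SAMPLE_OUTLOOK), ("Google header", SAMPLE_GOOGLE)):
        print(name, dmarc_alignment(sample))
```

For the Google sample the SPF neutral result concerns 209.222.82.54 and the bounce domain only; DMARC fails because neither that domain nor any DKIM signature aligns with mysupercompany.com. For the Outlook sample DKIM passes, but for birdair.onmicrosoft.com rather than birdair.com, so it gives the From domain no DMARC credit either.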
We are setting up SPF, DKIM, and DMARC for our domains but just wanted to get some clarification on the best options to set for each scan result:
none, neutral, softfail, hardfail, permerror, temperror

So basically I'm wanting to know which is the best option?
From reading, it seems that HardFail would be the way to go, but I just wanted some insight into these settings and what the best practice is for setting them up.
0
Hi,

I've got a client who has approached me regarding implementing DKIM and DMARC. They are already running SPF.

I have implemented simple DKIM and DMARC projects previously however this has some complications which I would like a second opinion on.

They are implementing this using a Fortinet using Fortimail to apply the DKIM signing on outgoing mail.

I have the following complications which I would like a second opinion on.

Firstly, they have three domains, which I believe gives us two options: we can either create a DKIM signing key pair for all three, or we can use CNAME records to use one key pair. What is the recommended best practice? I'm inclined to think using three separate key pairs would be best.

Secondly, they have two external companies which send emails on their behalf using their domain name (allowed spoofing, to a degree). This is allowed using SPF, as their IP is listed in the allowed senders; however, to my knowledge this will not work once DKIM and DMARC are implemented. Therefore, my thought is that these companies need to relay the emails via the on-prem Exchange Server at the client's site; this way the emails leave via the FortiMail and have the signing applied. I believe this is fairly easy to do using receive connectors locked down to a specific IP address. Is this the best way around this issue?

Thanks
0