Google AdWords Spam
Google AdWords Spam - 23.Apr.2008 11:56:56 AM
pbparker
Posts: 21
Joined: 31.Aug.2006
Status: offline
We've successfully blocked most of our spam, except the fake Google AdWords emails that keep coming through. Anyone else getting them and had any success in stopping them while making sure the REAL Google adwords emails get through? Secondly, does GFI scan the underlying urls of links in emails? The visible url is of course the real google one, but the underlying one is pretty consistently a fake one. So, I could theoretically add that false url to keyword checking if it scans the code.
RE: Google AdWords Spam - 24.Apr.2008 6:39:17 AM
monkeyman
Posts: 35
Joined: 26.Oct.2003
Status: offline
I'd also like to second this. We have stopped most stuff, but we are getting lots of the adword stuff, and like you say, we don't want to stop the actual google adwords but the spam is getting mental in its attacks on us!
RE: Google AdWords Spam - 25.Apr.2008 4:40:03 AM
JanZoet
Posts: 576
Joined: 20.Feb.2008
Status: offline
Hello, Can you post the Header of a real Google AdWords e-mail and a fake one? Maybe I can come up with a way of blocking these spoofed AdWords e-mails. Kind regards,
_____________________________
Jan Zoet Technical Support - GFI Software - www.gfi.com Messaging, Content Security & Network Security Software
RE: Google AdWords Spam - 25.Apr.2008 11:07:52 AM
pbparker
Posts: 21
Joined: 31.Aug.2006
Status: offline
Here's one:
Microsoft Mail Internet Headers Version 2.0
Received: from [86.142.218.233] ([86.142.218.233]) by ourdomain.com with Microsoft SMTPSVC(6.0.3790.3959);
Wed, 23 Apr 2008 10:41:55 -0500
Received: from [86.142.218.233] by f.mx.mail.yahoo.com; Wed, 23 Apr 2008 15:41:54 +0000
Message-ID: <01c8a558$8e1c8d00$e9da8e56@fcabhug2002>
From: "AdWords-NoReplay" <adwords-noreply@google.com>
To: <jeff@ourdomain.com>
Subject: Update Your Billing Information.
Date: Wed, 23 Apr 2008 15:41:54 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0007_01C8A558.8E1C8D00"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2314.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
Return-Path: fcabhug2002@yahoo.com
X-OriginalArrivalTime: 23 Apr 2008 15:41:56.0510 (UTC) FILETIME=[8F9B8BE0:01C8A558]
------=_NextPart_000_0007_01C8A558.8E1C8D00
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
------=_NextPart_000_0007_01C8A558.8E1C8D00
Content-Type: text/html; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
------=_NextPart_000_0007_01C8A558.8E1C8D00--
RE: Google AdWords Spam - 28.Apr.2008 4:26:17 AM
JanZoet
Posts: 576
Joined: 20.Feb.2008
Status: offline
Hello pbparker, Thank you for posting this Header. May I ask you to also post the Header of a real Adwords one? Since this message seems to be coming from a Yahoo account it will probably be hard to find a way to block it. I assume that you do not want to block all messages coming from Yahoo. Kind regards,
_____________________________
Jan Zoet Technical Support - GFI Software - www.gfi.com Messaging, Content Security & Network Security Software
RE: Google AdWords Spam - 29.Apr.2008 10:32:10 AM
pbparker
Posts: 21
Joined: 31.Aug.2006
Status: offline
Here's another bad one we received today.
Microsoft Mail Internet Headers Version 2.0
Received: from [85.105.161.139] ([85.105.161.139]) by ourdomain.com with Microsoft SMTPSVC(6.0.3790.3959);
Tue, 29 Apr 2008 08:47:09 -0500
Received: from [85.105.161.139] by d.mx.mail.yahoo.com; Tue, 29 Apr 2008 15:47:08 +0200
From: "AdWords-NoReplay" <adwords-noreply@google.com>
To: <info@ourdomain.com>
Subject: Update your payment information.
Date: Tue, 29 Apr 2008 15:47:08 +0200
Message-ID: <01c8aa10$47bfa600$8ba16955@flyingaway89>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0006_01C8AA10.47BFA600"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.4024
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
Importance: Normal
Return-Path: flyingaway89@yahoo.com
X-OriginalArrivalTime: 29 Apr 2008 13:47:11.0001 (UTC) FILETIME=[8600C090:01C8A9FF]
RE: Google AdWords Spam - 29.Apr.2008 2:41:29 PM
Terry Erickson
Posts: 11
Joined: 28.Apr.2008
Status: offline
It appears the SPF records exist for the majority (if not all) Google mail servers. What do you currently have your SPF set up to block? Also, can you verify there are no whitelist or keyword whitelists that will prevent this from running through the filters?
RE: Google AdWords Spam - 12.May2008 10:59:00 AM
pkrause
Posts: 21
Joined: 9.Oct.2006
Status: offline
I have been hit by these Google Adwords SPAM emails for over a month now and have had NO luck stopping them. Is there any resolution as this is about the only blemish that I have with my GFI setup? Here is a sample of today's header that hit about 50 of my users, including the company President who is not happy about it! Also, our whitelist does not include this email address or the wildcard yahoo.com.
Microsoft Mail Internet Headers Version 2.0
Received: from ourdomain.com ([192.168.5.235]) by ourdomain.com with Microsoft SMTPSVC(5.0.2195.6713);
Mon, 12 May 2008 00:31:05 -0400
Received: from [66.74.83.60] ([66.74.83.60] RDNS failed) by ourdomain.com with Microsoft SMTPSVC(6.0.3790.3959);
Mon, 12 May 2008 00:31:04 -0400
Received: from [66.74.83.60] by a.mx.mail.yahoo.com; Sun, 11 May 2008 20:31:04 -0800
Message-ID: <01c8b3a5$eef3f400$3c534a42@flyboyman2002>
From: "Google AdWords-noreply" <adwords-noreply@google.com>
To: <someone@ourdomaincom>
Subject: Submit your payment information.
Date: Sun, 11 May 2008 20:31:04 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0007_01C8B3A5.EEF3F400"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2314.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
Return-Path: flyboyman2002@yahoo.com
X-OriginalArrivalTime: 12 May 2008 04:31:05.0096 (UTC) FILETIME=[FDBE7080:01C8B3E8]
------=_NextPart_000_0007_01C8B3A5.EEF3F400
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
------=_NextPart_000_0007_01C8B3A5.EEF3F400
Content-Type: text/html; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
Paul
< Message edited by pkrause -- 12.May2008 11:06:48 AM >
RE: Google AdWords Spam - 12.May2008 3:03:53 PM
John Letourneau
Posts: 923
Joined: 28.Apr.2008
From: Clayton, NC
Status: offline
pkrause, Looking at Terry Erickson's advice above, can you tell me how you have your SPF module configured?
_____________________________
Regards, John Letourneau - Technical Support Representative GFI Software - www.gfi.com
RE: Google AdWords Spam - 12.May2008 3:15:40 PM
pkrause
Posts: 21
Joined: 9.Oct.2006
Status: offline
John, Yes, we have our SPF set to HIGH, which flags everything that does not have an SPF record. This option works well for our environment, however these stinking Google AdWords still get through.... Paul
RE: Google AdWords Spam - 12.May2008 8:22:47 PM
John Letourneau
Posts: 923
Joined: 28.Apr.2008
From: Clayton, NC
Status: offline
pkrause, Looking at the message you posted the sending mail server IP is on multiple DNS Blacklists. 66.74.83.60 is listed in the PBL, in the following records: 66.74.83.60 is listed in the XBL, because it appears in: Which DNS Blacklists do you have enabled in GFI MailEssentials? Also, if you look at your perimeter smtp server settings in GFI MailEssentials do you have 192.168.5.235 listed here?
_____________________________
Regards, John Letourneau - Technical Support Representative GFI Software - www.gfi.com
RE: Google AdWords Spam - 13.May2008 8:28:48 AM
pkrause
Posts: 21
Joined: 9.Oct.2006
Status: offline
John, Thank you for your reply. I have only the XBL.SPAMHAUS.ORG Blacklist selected in my DNS Blacklist. From your message I might have thought that this would have caught it. Is it wise to specify more than one blacklist from a performance perspective? Also, how would I specify a "PBL" blacklist as you mention? Is there a URL for one that is not listed in the GFI default list? As to the Perimeter SMTP question, no, 192.168.5.235 is not on the list. That IP address is for our "gateway" smtp server which processes email from the internet and passes it on to our internal Exchange 2003 server. From what I can make of the definition in GFI that means this is not a perimeter SMTP server. Is that correct? Paul
RE: Google AdWords Spam - 13.May2008 4:13:53 PM
John Letourneau
Posts: 923
Joined: 28.Apr.2008
From: Clayton, NC
Status: offline
pkrause, Which machine is GFI MailEssentials installed on? If GFI MailEssentials is installed on your gateway server then there is no need to configure the perimeter server options in GFI MailEssentials. If it is installed on the backend server then we would need to configure this. If you have xbl.spamhaus.org configured and the message was not blocked this could be because of the perimeter servers. If you have this configured incorrectly the dns check would have been against 192.168.5.235 instead of the actual sending server IP.
_____________________________
Regards, John Letourneau - Technical Support Representative GFI Software - www.gfi.com
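The effect described in the post above, a DNS blacklist check run against the internal relay instead of the real sending server, shown on the headers posted on 12 May. This is an added example, not part of the thread and not GFI MailEssentials code; the function names are hypothetical, the sample is built from the posted header lines with the body omitted, and no DNS lookup is performed (only the query name is constructed). It also compares the From and Return-Path domains, which differ in every sample in this thread.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: header lines copied from the 12 May post, body omitted.
RAW = """\
Received: from ourdomain.com ([192.168.5.235]) by ourdomain.com with Microsoft SMTPSVC(5.0.2195.6713); Mon, 12 May 2008 00:31:05 -0400
Received: from [66.74.83.60] ([66.74.83.60] RDNS failed) by ourdomain.com with Microsoft SMTPSVC(6.0.3790.3959); Mon, 12 May 2008 00:31:04 -0400
Received: from [66.74.83.60] by a.mx.mail.yahoo.com; Sun, 11 May 2008 20:31:04 -0800
From: "Google AdWords-noreply" <adwords-noreply@google.com>
Return-Path: flyboyman2002@yahoo.com
Subject: Submit your payment information.

"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def connecting_ip(raw, perimeter):
    """First Received-hop IP, newest hop first, that is not one of our own relays."""
    for hop in message_from_string(raw).get_all("Received", []):
        m = IP_RE.search(hop)
        if m and m.group(1) not in perimeter:
            return m.group(1)
    return None

def dnsbl_name(ip, zone):
    """DNSBL query name: the IPv4 octets reversed, followed by the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def dnsbl_target(raw, perimeter, zone="xbl.spamhaus.org"):
    """Return (ip, query name, suspect); suspect means the check would hit a private address."""
    ip = connecting_ip(raw, perimeter)
    if ip is None:
        return None, None, True
    return ip, dnsbl_name(ip, zone), ipaddress.ip_address(ip).is_private

def sender_mismatch(raw):
    """True when the visible From domain differs from the Return-Path domain."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    rp_dom = parseaddr(msg["Return-Path"])[1].rpartition("@")[2].lower()
    return from_dom != rp_dom

if __name__ == "__main__":
    print(dnsbl_target(RAW, set()))                # relay not listed as a perimeter server
    print(dnsbl_target(RAW, {"192.168.5.235"}))    # relay listed, real sender is checked
    print(sender_mismatch(RAW))
```

A From/Return-Path mismatch is a scoring signal rather than proof of spoofing, since mailing lists and bulk senders legitimately use different domains.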
RE: Google AdWords Spam - 21.May2008 8:39:18 AM
pkrause
Posts: 21
Joined: 9.Oct.2006
Status: offline
Sorry John, I was on Holiday for a few days. We have GFI Mail Essentials loaded on our Gateway server. Exchange is on another machine. We do not have the checkbox checked saying "this machine is not a perimeter smtp server". Are you saying then that this should be checked? That is kind of a confusing issue. Our gateway is the smtp server, nothing is getting relayed, so by definition it should be a perimeter server, and that box should be unchecked, right? Paul