V1agr@1, Viawtgra... Emails
V1agr@1, Viawtgra... Emails - 11.May2008 7:21:15 PM   
David99

 

Hi guys,

We have been receiving a lot of spam lately with the subject along the lines of: 'Viawtgra 1.37', or 'V1agr@1 here' etc.

Adding Viawtgra and V1agr@1 to the subject checking works for those specific instances, but there are thousands of variations they could come up with, and to keep adding each to our subject checking would be extremely time-consuming.

I've added 50 or so of these emails to Bayesian analysis so far, but it's still not catching on (yet).
Their domains are always changing, so blacklisting doesn't help.
The bodies of the emails are always changing as well and often contain a 'normal' paragraph – a portion of which is a URL.

Is there any way to use wild cards in header/keyword checking? E.g. Via**gra, to catch Viawtgra?

Any other suggestions on how to stop this garbage? All GFI options are currently enabled, bar new senders. Our domain isn't in the whitelist, nor are these senders.

Thanks all.

< Message edited by David99 -- 11.May2008 7:23:49 PM >
Post #: 1
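The wildcard idea asked about above, shown as an added Python example that is not part of the original post and is not a GFI MailEssentials feature: a bounded run of filler letters stands in for the `Via**gra` wildcard, and digit/symbol look-alikes are mapped back to letters before matching. The function names, the look-alike table and the legitimate sample subjects are assumptions made for illustration.

```python
import re

# Assumed look-alike table (not from the thread); extend it for variants you see.
LOOKALIKES = str.maketrans({"1": "i", "!": "i", "@": "a", "4": "a", "0": "o", "3": "e"})

def obfuscation_pattern(keyword, split_at, max_filler=2):
    """Regex for `keyword` with 0..max_filler junk letters inserted at split_at.

    A bounded letter class plays the role of the 'Via**gra' wildcard; keeping
    the bound small is what limits false positives on ordinary words.
    """
    head = re.escape(keyword[:split_at])
    tail = re.escape(keyword[split_at:])
    return re.compile(rf"\b{head}[a-z]{{0,{max_filler}}}{tail}", re.IGNORECASE)

def is_obfuscated_hit(subject, pattern):
    """Map digit/symbol look-alikes to letters, then apply the pattern."""
    return bool(pattern.search(subject.translate(LOOKALIKES)))

def filter_subjects(subjects, pattern):
    """Return the subjects that the pattern would flag, in input order."""
    return [s for s in subjects if is_obfuscated_hit(s, pattern)]

PATTERN = obfuscation_pattern("viagra", split_at=3)

# Spam subjects quoted in this thread.
SPAM = ["Viawtgra 1.37", "V1agr@1 here", "Viagugra - $1.41",
        "Viafzgra - $1.63", "Viabegra - $1.70"]
# Constructed legitimate subjects, used to check for false positives.
HAM = ["Via Grafton Street: office move", "Aviation grant paperwork",
       "Invoice 1041 attached"]

if __name__ == "__main__":
    for s in filter_subjects(SPAM + HAM, PATTERN):
        print("BLOCK:", s)
```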
RE: V1agr@1, Viawtgra... Emails - 11.May2008 10:10:43 PM   
John Letourneau

 

David99,

Do you mind posting some of the headers here so we can analyze the messages?  Thanks.

_____________________________

Regards,
John Letourneau - Technical Support Representative
GFI Software - www.gfi.com

(in reply to David99)
Post #: 2
RE: V1agr@1, Viawtgra... Emails - 11.May2008 11:13:25 PM   
David99

 

John,

No worries.

Here's a few headers from these spam emails which a user forwarded through to me a few minutes ago:


Microsoft Mail Internet Headers Version 2.0
Received: from r3-atm-155.sieciuch.com ([195.117.130.3]) by mail.mydomain.com with Microsoft SMTPSVC(5.0.2195.6713);
Mon, 12 May 2008 08:01:30 +1000
Received: from [195.117.130.3] by inbound30.exchangedefender.com; Sun, 11 May 2008 22:59:41 +0100
Message-ID: <01c8b3ba$b1e62c80$038275c3@hrblf>
From: "Louella Mckinley" <hrblf@bondblacktop.com>
To: <sales@mydomain.com>
Subject: Viagugra - $1.41
Date: Sun, 11 May 2008 22:59:41 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0007_01C8B3BA.B1E62C80"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.1830
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
Return-Path: hrblf@bondblacktop.com
X-OriginalArrivalTime: 11 May 2008 22:01:38.0630 (UTC) FILETIME=[963EAE60:01C8B3B2]

Microsoft Mail Internet Headers Version 2.0
Received: from [78.165.240.136] ([78.165.240.136]) by mail.mydomain.com with Microsoft SMTPSVC(5.0.2195.6713);
Mon, 12 May 2008 03:35:09 +1000
Received: from [78.165.240.136] by mx1.emailsrvr.com; Sun, 11 May 2008 19:33:14 +0200
Message-ID: <01c8b39d$daabf900$88f0a54e@jxb>
From: "May Berger" <jxb@blego.com>
To: <user@mydomain.com>
Subject: Viafzgra - $1.63
Date: Sun, 11 May 2008 19:33:14 +0200
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0007_01C8B39D.DAABF900"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869
Return-Path: jxb@blego.com
X-OriginalArrivalTime: 11 May 2008 17:35:11.0088 (UTC) FILETIME=[5CED5F00:01C8B38D]

Microsoft Mail Internet Headers Version 2.0
Received: from dsl.static.85-105-59941.ttnet.net.tr ([85.105.234.37]) by mail.mydomain.com with Microsoft SMTPSVC(5.0.2195.6713);
Sun, 11 May 2008 18:57:37 +1000
Received: from [85.105.234.37] by mail.phx2.nearlyfreespeech.net; Sun, 11 May 2008 10:55:43 +0200
Message-ID: <01c8b355$8ed56180$25ea6955@lqajxou>
From: "Tameka Doherty" <lqajxou@bonnienapoli.com>
To: <sales2@mydomain.com>
Subject: Viabegra - $1.70
Date: Sun, 11 May 2008 10:55:43 +0200
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0007_01C8B355.8ED56180"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2670
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
Return-Path: lqajxou@bonnienapoli.com
X-OriginalArrivalTime: 11 May 2008 08:57:39.0977 (UTC) FILETIME=[1105D790:01C8B345]


Thanks for your time.

(in reply to John Letourneau)
Post #: 3
RE: V1agr@1, Viawtgra... Emails - 12.May2008 8:40:36 AM   
John Letourneau

 

David99,

All three of those messages can be blocked by a DNS Blacklist.  What build of GFI MailEssentials are you using?  If you are using 20071005 or above I would recommend adding zen.spamhaus.org to your DNS Blacklist as all three of these messages are listed on that server.

_____________________________

Regards,
John Letourneau - Technical Support Representative
GFI Software - www.gfi.com

(in reply to David99)
Post #: 4
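The DNS blacklist lookup recommended above, as an added Python example that is not part of the original posts and is not GFI's code: it takes the connecting IP from the Received line stamped by the receiving server, builds the zen.spamhaus.org query name, and classifies the answer. The function names are assumptions, and the resolver is injectable so the logic can be run offline against constructed answers.

```python
import ipaddress
import re
import socket

ZONE = "zen.spamhaus.org"  # DNSBL zone recommended in the reply above

def connecting_ip(received):
    """IP the receiving server recorded itself: 'from helo ([a.b.c.d]) by ...'."""
    m = re.search(r"\(\[([0-9.]+)\]\)", received)
    try:
        return str(ipaddress.IPv4Address(m.group(1))) if m else None
    except ipaddress.AddressValueError:
        return None

def query_name(ip, zone=ZONE):
    """DNSBL convention: reverse the IPv4 octets and append the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def interpret(answers):
    """Classify the A records returned for a DNSBL query name."""
    if not answers:
        return "not listed"   # NXDOMAIN: the zone has no record for this IP
    if any(a.startswith("127.255.255.") for a in answers):
        return "query error"  # Spamhaus error range (refused or rate-limited), not a listing
    return "listed"

def live_resolve(name):
    """Real lookup; any resolver failure is treated as no answer (fail open)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def check(received, resolve=live_resolve):
    """Return (ip, query name, verdict), or None if no server-recorded IP is present."""
    ip = connecting_ip(received)
    return None if ip is None else (ip, query_name(ip), interpret(resolve(query_name(ip))))

# First Received: line of each sample in this thread (stamped by mail.mydomain.com).
HEADERS = [
    "Received: from r3-atm-155.sieciuch.com ([195.117.130.3]) by mail.mydomain.com",
    "Received: from [78.165.240.136] ([78.165.240.136]) by mail.mydomain.com",
    "Received: from dsl.static.85-105-59941.ttnet.net.tr ([85.105.234.37]) by mail.mydomain.com",
]

if __name__ == "__main__":
    for h in HEADERS:
        print(check(h))
```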
RE: V1agr@1, Viawtgra... Emails - 12.May2008 6:45:27 PM   
David99

 

We are using version 20070810. I have now added that server to our Blacklist section and will see how we get on.

Thanks again for your time & assistance.

(in reply to John Letourneau)
Post #: 5
RE: V1agr@1, Viawtgra... Emails - 12.May2008 8:18:11 PM   
John Letourneau

 

David99,

Please update your build to 20071005 before using zen.spamhaus.org.

_____________________________

Regards,
John Letourneau - Technical Support Representative
GFI Software - www.gfi.com

(in reply to David99)
Post #: 6
RE: V1agr@1, Viawtgra... Emails - 12.May2008 9:47:03 PM   
David99

 

John,

That's weird, because we have all the automatic updates turned on, including the option under version info to check for patches every 12 hours - yet, we have never been notified that any updates were available...that is until I clicked the option to check for updates manually after reading your above post.

Anyway, updating to latest build now.

Thanks

(in reply to John Letourneau)
Post #: 7
RE: V1agr@1, Viawtgra... Emails - 13.May2008 4:11:36 PM   
John Letourneau

 

David99,

Updating to the latest build and using zen.spamhaus.org should eliminate a lot of these types of messages from reaching your users.  Let us know if you need assistance with this after the update.

_____________________________

Regards,
John Letourneau - Technical Support Representative
GFI Software - www.gfi.com

(in reply to David99)
Post #: 8