how to accurately block the RE: spams of late
how to accurately block the RE: spams of late - 17.Sep.2008 8:45:11 AM
dmacleo
Posts: 8
Joined: 16.Sep.2008
Status: offline
Hello, I'm not sure if this is a MailEssentials or a MailSecurity issue. What is the best way to set up rules to accurately block the spam I get lately that uses a subject line of "RE: ...", making it appear to be a legitimate reply to an email? I did experiment with blocking anything that had just "RE:" in the subject line, and that had decent success. However, the majority of them use a name or other wording after the "RE:" to make it appear legitimate. Thanks.
RE: how to accurately block the RE: spams of late - 17.Sep.2008 9:20:17 AM
Michael Alexieff
Posts: 80
Joined: 8.Sep.2008
Status: offline
What else can you tell that is a pattern with these emails?
_____________________________
Regards, Michael Alexieff - Technical Support Representative GFI Software - www.gfi.com
RE: how to accurately block the RE: spams of late - 17.Sep.2008 9:38:37 AM
dmacleo
Posts: 8
Joined: 16.Sep.2008
Status: offline
I'm not in an area where I can accurately get that info, but from what I can tell (going off memory) there is no real discernible pattern. The subject lines will read "RE:" or "RE:" followed by a name or a topic/wording. In other words, the subject lines are being disguised to make it appear to be an actual reply to someone. One I remember was a subject line of "RE: Lauren" and that was it. Another was "RE: a nice day so far" and the body was just a bunch of gibberish wording. The bodies are all over the place: some medication (male enhancement) ads, some stock ads, etc. This is what is frustrating me; there is no pattern that I can find to help me accurately deal with this. It did start approx. 2 weeks ago, if that is any help. I've been manually blocking all "RE:" and manually approving legit ones (I am a small setup), but this is eating into my time a lot. I have not got any today, and all the others were deleted before archiving, so they are not available. I wish I could give more info, but at this time I don't have it. I will try to get some more specific examples as the day progresses.
< Message edited by dmacleo -- 17.Sep.2008 9:39:42 AM >
RE: how to accurately block the RE: spams of late - 17.Sep.2008 9:51:50 AM
dmacleo
Posts: 8
Joined: 16.Sep.2008
Status: offline
OK, I let one go through. It is supposedly from Natasha Stringer [dwrredam@rreda.com] and the subject line is "Re:Natasha". The body is:

quote:
I was born overweight and teased because of it most of my younger years. Finally at age 25 I took the initialtive and purchased a 4 month supply of Anatrim. I have since shed 22 pounds of unwanted weight and have a new enthusiasm for life! I go out more, socialize more, and have even met a special lady who I love. I credit much of my new-found happiness to the weight I lost and your product. Thank you so much! Henry N. California hp://w.hedalpa PERIOD cn/?vdilvmcmbomd (link edited to remove functionality)

The header is here:

quote:
Microsoft Mail Internet Headers Version 2.0
Thread-Topic: Re:Natasha
Received: from exchange-pop3-connector.com ([XXX.XXX.XXX.XXX MY INFO]) by MY SERVER REMOVED with Microsoft SMTPSVC(6.0.3790.3959); Wed, 17 Sep 2008 09:38:08 -0400
Return-Path: <dwrredam@rreda.com>
Delivery-Date: Wed, 17 Sep 2008 09:33:47 -0400
Received: from outmta11.mail.tds.net (outmta11.mail.tds.net [216.170.230.231]) by mx.perfora.net (node=mxus1) with ESMTP (Nemesis) id 0MKoXI-1KfxA92BKB-00070F for MY ADDRESS REMOVED HERE ; Wed, 17 Sep 2008 09:33:46 -0400
Received: from inmta14.mail.tds.net ([216.170.230.194]) by outmta11.mail.tds.net (InterMail vM.7.05.02.00 201-2174-114-20060621) with ESMTP id <20080917133345.KMNG18446.outmta11.mail.tds.net@inmta14.mail.tds.net> for <david.macleod@macleodweb.net>; Wed, 17 Sep 2008 08:33:45 -0500
Received: from inaamta14.mail.tds.net ([216.170.230.184]) by inmta14.mail.tds.net (InterMail vM.7.08.03.00 201-2186-126-20070710) with ESMTP id <20080917133344.MDAJ32650.inmta14.mail.tds.net@inaamta14.mail.tds.net> for <dmacleo@tds.net>; Wed, 17 Sep 2008 08:33:44 -0500
Received: from dime152.dizinc.com ([66.7.206.71]) by inaamta14.mail.tds.net (InterMail vG.3.00.02.00 201-2196-120-20070322) with ESMTP id <20080917133344.LIOI20096.inaamta14.mail.tds.net@dime152.dizinc.com> for <dmacleo@tds.net>; Wed, 17 Sep 2008 08:33:44 -0500
Received: from 205.85-85-197.dynamic.clientes.euskaltel.es ([85.85.197.205] helo=iban.euskaltel.es) by dime152.dizinc.com with esmtp (Exim 4.69) (envelope-from <dwrredam@rreda.com>) id 1KfxA0-0008Lu-8Z for hr@vcnwrr.com; Wed, 17 Sep 2008 09:33:37 -0400
Received: from [85.85.197.205] by mail.rreda.com; Wed, 17 Sep 2008 14:33:38 +0100
From: "Natasha Stringer" <dwrredam@rreda.com>
To: <hr@vcnwrr.com>
Subject: Re:Natasha
Date: Wed, 17 Sep 2008 14:33:38 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
thread-index: Aca6QCQBT3U213TPC6JV1DMOJIZ4SI==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4325
Message-ID: <01c918d2$5f6dcd00$cdc55555@dwrredam>
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - dime152.dizinc.com
X-AntiAbuse: Original Domain - vcnwrr.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - rreda.com
X-PhishingScore: 0tests=
X-SpamScore: 0tests= HS_INDEX_PARAM
Envelope-To: MY ADDRESS REMOVED HERE
X-OriginalArrivalTime: 17 Sep 2008 13:38:08.0421 (UTC) FILETIME=[9ED85D50:01C918CA]

The hr@ address at vcnwrr.com is a legitimate address for a domain I manage. It is not actually sending the mail, though; that has been verified.
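Reading the header dump above the way a filter has to read it: the host that connected to the poster's Exchange server is the POP3 connector, and behind it sit the tds.net and perfora.net forwarders, so a DNS blacklist check keyed on the connecting IP never sees the real sender. The Python below is an added example, not code from this thread or from GFI. It walks the Received: chain newest-first past a set of trusted relay IPs to the first external hop (66.7.206.71, dime152.dizinc.com), builds the zen.spamhaus.org query name for it, and reports the Received: lines below that hop (the dynamic euskaltel.es address and the "by mail.rreda.com" line) separately, because those were written by machines outside the poster's control and cannot be verified. Assumptions: the values the poster redacted (server name, its IP, the recipient address) are replaced with mail.example.local, 127.0.0.1 and user@example.local; TRUSTED_IPS is taken from this one header for illustration, where a real deployment would use the forwarding provider's published ranges; and the resolver is a constructed stub so the example runs offline.

```python
"""Walk a Received: chain back past trusted relays to the first external IP,
then build the DNSBL query for it.  Added example; the sample headers are the
ones quoted in the post above with the poster's redacted values replaced by
assumed placeholders (mail.example.local, 127.0.0.1, user@example.local)."""
import email
import re
from collections import namedtuple

Hop = namedtuple("Hop", "from_host ip by")

# Constructed sample (headers from the post, placeholders for redacted values).
SAMPLE_HEADERS = """\
Received: from exchange-pop3-connector.com ([127.0.0.1]) by mail.example.local with Microsoft SMTPSVC(6.0.3790.3959); Wed, 17 Sep 2008 09:38:08 -0400
Return-Path: <dwrredam@rreda.com>
Received: from outmta11.mail.tds.net (outmta11.mail.tds.net [216.170.230.231]) by mx.perfora.net (node=mxus1) with ESMTP (Nemesis) id 0MKoXI-1KfxA92BKB-00070F for user@example.local; Wed, 17 Sep 2008 09:33:46 -0400
Received: from inmta14.mail.tds.net ([216.170.230.194]) by outmta11.mail.tds.net (InterMail vM.7.05.02.00 201-2174-114-20060621) with ESMTP id <20080917133345.KMNG18446.outmta11.mail.tds.net@inmta14.mail.tds.net> for <david.macleod@macleodweb.net>; Wed, 17 Sep 2008 08:33:45 -0500
Received: from inaamta14.mail.tds.net ([216.170.230.184]) by inmta14.mail.tds.net (InterMail vM.7.08.03.00 201-2186-126-20070710) with ESMTP id <20080917133344.MDAJ32650.inmta14.mail.tds.net@inaamta14.mail.tds.net> for <dmacleo@tds.net>; Wed, 17 Sep 2008 08:33:44 -0500
Received: from dime152.dizinc.com ([66.7.206.71]) by inaamta14.mail.tds.net (InterMail vG.3.00.02.00 201-2196-120-20070322) with ESMTP id <20080917133344.LIOI20096.inaamta14.mail.tds.net@dime152.dizinc.com> for <dmacleo@tds.net>; Wed, 17 Sep 2008 08:33:44 -0500
Received: from 205.85-85-197.dynamic.clientes.euskaltel.es ([85.85.197.205] helo=iban.euskaltel.es) by dime152.dizinc.com with esmtp (Exim 4.69) (envelope-from <dwrredam@rreda.com>) id 1KfxA0-0008Lu-8Z for hr@vcnwrr.com; Wed, 17 Sep 2008 09:33:37 -0400
Received: from [85.85.197.205] by mail.rreda.com; Wed, 17 Sep 2008 14:33:38 +0100
From: "Natasha Stringer" <dwrredam@rreda.com>
To: <hr@vcnwrr.com>
Subject: Re:Natasha
Message-ID: <01c918d2$5f6dcd00$cdc55555@dwrredam>

"""

# Assumed: addresses of relays you own or that you know forward to you (the
# POP3 connector and the tds.net path above).  In production take these from
# the provider's published ranges, not from the headers of a single message.
TRUSTED_IPS = {"127.0.0.1", "216.170.230.231", "216.170.230.194", "216.170.230.184"}

RECEIVED_RE = re.compile(r"from\s+(?P<frm>.*?)\s+by\s+(?P<by>[^\s;]+)")
BRACKET_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Pull the claimed sending host, its TCP-level IP (the bracketed one the
    receiving MTA recorded) and the receiving host out of one Received: line."""
    m = RECEIVED_RE.search(value)
    if not m:
        return Hop(None, None, None)
    ip_m = BRACKET_IP_RE.search(m.group("frm"))
    return Hop(m.group("frm").split()[0], ip_m.group(1) if ip_m else None, m.group("by"))


def find_external_origin(raw, trusted_ips):
    """Walk Received: lines newest-first.  Skip hops whose sending IP we trust
    (our own boxes, known forwarders); the first IP we do not trust is the host
    that handed the mail into our delivery path and is the one to query DNSBLs
    for.  Every line below it was written by machines we do not control and may
    be forged, so those hops are returned separately as 'claimed'."""
    msg = email.message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    for i, hop in enumerate(hops):
        if hop.ip is None or hop.ip in trusted_ips:
            continue
        return hop, hops[i + 1:]
    return None, []


# zen.spamhaus.org answer codes as documented by Spamhaus: 127.0.0.2-3 SBL/CSS,
# 127.0.0.4-7 XBL (compromised hosts), 127.0.0.10-11 PBL (end-user/dynamic space).
ZEN_CODES = {2: "SBL", 3: "SBL-CSS", 4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL", 10: "PBL", 11: "PBL"}


def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """DNSBL lookups reverse the octets: 66.7.206.71 -> 71.206.7.66.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def interpret_zen(answer):
    return ZEN_CODES.get(int(answer.rsplit(".", 1)[1]), "unknown")


def check_ip(ip, resolve, zone="zen.spamhaus.org"):
    """resolve(name) -> list of A-record strings, [] when not listed.  A real
    resolver would be socket.gethostbyname_ex or dnspython; the caller passes a
    constructed one here so the example runs offline."""
    return [interpret_zen(a) for a in resolve(dnsbl_query_name(ip, zone))]


if __name__ == "__main__":
    origin, claimed = find_external_origin(SAMPLE_HEADERS, TRUSTED_IPS)
    print("query DNSBL for:", origin.ip, "received by", origin.by)
    for h in claimed:
        print("sender-supplied, unverifiable:", h.from_host, h.ip, "->", h.by)
    # Constructed answer: pretend zen lists the dynamic euskaltel address in PBL.
    fake = {dnsbl_query_name("85.85.197.205"): ["127.0.0.11"]}
    print(check_ip("85.85.197.205", lambda name: fake.get(name, [])))
```

The PBL range (127.0.0.10-11) exists precisely for dynamic end-user space such as the euskaltel.es address here; a filter that only ever resolves the IP of the POP3 connector or the forwarding MTA has no chance of seeing that listing, whichever zones are configured and in whatever order.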
RE: how to accurately block the RE: spams of late - 17.Sep.2008 9:59:29 AM
Michael Alexieff
Posts: 80
Joined: 8.Sep.2008
Status: offline
Which DNS Blacklists do you have enabled and do you have rreda.com in your Whitelist?
_____________________________
Regards, Michael Alexieff - Technical Support Representative GFI Software - www.gfi.com
RE: how to accurately block the RE: spams of late - 17.Sep.2008 10:36:01 AM
dmacleo
Posts: 8
Joined: 16.Sep.2008
Status: offline
rreda.com is not in my whitelists. For DNS blacklists I have (listed in order):

zen.spamhaus.org
relays.ordb.org
list.dsbl.org
dnsbl.njabl.com
sbl.spamhaus.org
xbl.spamhaus.org
sbl-xbl.spamhaus.org
bl.spamcop.net

Are there any suggestions for ones I should add, or how they should be ordered? Thanks.
RE: how to accurately block the RE: spams of late - 17.Sep.2008 11:09:09 AM
Michael Alexieff
Posts: 80
Joined: 8.Sep.2008
Status: offline
You might want to trim your list, since too many servers can cause lookup failures. Also, the server relays.ordb.org does not exist anymore. What build of GFI MailEssentials do you have installed?
_____________________________
Regards, Michael Alexieff - Technical Support Representative GFI Software - www.gfi.com
RE: how to accurately block the RE: spams of late - 17.Sep.2008 11:13:13 AM
dmacleo
Posts: 8
Joined: 16.Sep.2008
Status: offline
It's version 12. I will play with that list (and delete the defunct one) to see what happens. The zen and spamhaus ones are usually the only ones active; 3 days or so ago I enabled all of them to see if it helped. I'll play around and see what happens, thanks.
RE: how to accurately block the RE: spams of late - 18.Sep.2008 12:54:25 PM
RSP
Posts: 453
Joined: 31.Oct.2006
From: UK
Status: offline
Also remove sbl.spamhaus, xbl.spamhaus and sbl-xbl.spamhaus. They are combined in zen.spamhaus, so you're wasting computing power/bandwidth checking these as well. Lists I have used in the past are:

zen.spamhaus.org
combined.njabl.org
new.spam.dnsbl.sorbs.net
bl.spamcop.net

Also, to reduce the load on your server, change the blacklist module priority to lower in the list. Enable debugging and check ase_action.gfi_log.txt in the debug logs to see if the whitelist has any bearing on why these are let through.
RE: how to accurately block the RE: spams of late - 18.Sep.2008 1:01:44 PM
dmacleo
Posts: 8
Joined: 16.Sep.2008
Status: offline
I'll give those a try right now, thank you. I wish I knew of a way to look at the message headers to verify it is an actual reply to an address on my domain. lol, just got one of those while typing this :)
RE: how to accurately block the RE: spams of late - 18.Sep.2008 1:04:41 PM
RSP
Posts: 453
Joined: 31.Oct.2006
From: UK
Status: offline
In-Reply-To is often there in a genuine reply, and references the original Message-ID.
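A concrete form of the check RSP describes, as an added example (not code from this thread, from GFI, or a MailEssentials rule): parse the message, and if the Subject carries a reply prefix but neither In-Reply-To nor References is present, flag it as a fake reply; if threading headers are present and name a Message-ID from one of the administrator's own domains, treat it as a reply to mail that actually left the site. The sample messages are constructed. The first reuses the headers quoted earlier in the thread, which carry an Outlook-style thread-index but no In-Reply-To; the others are invented to show the remaining outcomes. The function names (classify, looks_like_reply), the local_domains set and the prefix list are assumptions of this example.

```python
"""Classify 'Re:' messages by whether they carry the threading headers a real
reply would.  Added example, not GFI code; sample messages are constructed."""
import email
import re

# Assumed reply prefixes: English "Re:" plus two common localized forms.  The
# spam in the thread used "Re:Natasha" with no space, so the colon is optional
# after whitespace is stripped.
REPLY_PREFIX_RE = re.compile(r"^\s*(re|aw|sv)\s*:", re.I)


def looks_like_reply(subject):
    return bool(REPLY_PREFIX_RE.match(subject or ""))


def _in_local_domain(message_id, local_domains):
    """Message-IDs end in the generating host's domain; match it against the
    domains whose outbound mail we stamp (exact or subdomain)."""
    domain = message_id.rsplit("@", 1)[-1].lower()
    return any(domain == d or domain.endswith("." + d) for d in local_domains)


def classify(raw, local_domains):
    """Return one of:
       'not-a-reply'      Subject has no reply prefix
       'reply-to-us'      In-Reply-To/References name a Message-ID from our domains
       'reply-elsewhere'  threading headers exist but point at a foreign Message-ID
       'fake-reply'       reply prefix in Subject, no threading headers at all
    """
    msg = email.message_from_string(raw)
    if not looks_like_reply(msg.get("Subject")):
        return "not-a-reply"
    refs = " ".join(v for v in (msg.get("In-Reply-To"), msg.get("References")) if v)
    ids = re.findall(r"<([^>]+)>", refs)
    if not ids:
        return "fake-reply"
    if any(_in_local_domain(mid, local_domains) for mid in ids):
        return "reply-to-us"
    return "reply-elsewhere"


# Constructed samples.  SPAM reuses the headers quoted earlier in the thread.
SPAM = """\
From: "Natasha Stringer" <dwrredam@rreda.com>
To: <hr@vcnwrr.com>
Subject: Re:Natasha
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
thread-index: Aca6QCQBT3U213TPC6JV1DMOJIZ4SI==
Message-ID: <01c918d2$5f6dcd00$cdc55555@dwrredam>

I was born overweight and teased because of it most of my younger years.
"""

GENUINE = """\
From: Alice <alice@example.org>
To: <hr@vcnwrr.com>
Subject: RE: interview on Thursday
In-Reply-To: <20080916120000.ABC123@mail.vcnwrr.com>
References: <20080916120000.ABC123@mail.vcnwrr.com>
Message-ID: <x1@example.org>

Yes, Thursday works.
"""

FOREIGN_THREAD = """\
From: Bob <bob@example.net>
To: <hr@vcnwrr.com>
Subject: Re: mailing list digest
References: <digest-42@lists.example.net>
Message-ID: <x2@example.net>

Forwarding this on.
"""

LOCAL_DOMAINS = {"vcnwrr.com"}

if __name__ == "__main__":
    for name, raw in (("spam", SPAM), ("genuine", GENUINE), ("foreign", FOREIGN_THREAD)):
        print(name, "->", classify(raw, LOCAL_DOMAINS))
```

This is a triage heuristic, not a block rule: a genuine reply from a client that strips threading headers would land in "fake-reply", and a spammer who learns the check can add an In-Reply-To pointing anywhere. Use it to decide what to look at first, alongside the origin IP and DNSBL result, rather than acting on it alone.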
RE: how to accurately block the RE: spams of late - 18.Sep.2008 1:12:28 PM
dmacleo
Posts: 8
Joined: 16.Sep.2008
Status: offline
I'm new to this, so please bear with me. If I set up something stating that if "RE:" is in the subject line, then the header will need to contain In-Reply-To somewhere in the header info, is that what you're meaning? Thanks.
RE: how to accurately block the RE: spams of late - 18.Sep.2008 1:21:37 PM
RSP
Posts: 453
Joined: 31.Oct.2006
From: UK
Status: offline
Sorry, I was assuming you meant manually checking headers to see if a reply was genuine. I don't believe there is a way to automatically check the contents of a specific header item, or even check if a header item exists. As you've probably found out, having a keyword check for "RE:" is a pain for the administrator.
RE: how to accurately block the RE: spams of late - 18.Sep.2008 1:27:25 PM
dmacleo
Posts: 8
Joined: 16.Sep.2008
Status: offline
Yeah, it's funny how people want to read the actual replies to messages they send :) I'll see how those blacklist changes work through the next day or so.