V1agr@1, Viawtgra... Emails (Full Version)






David99 -> V1agr@1, Viawtgra... Emails (11.May2008 7:21:15 PM)

Hi guys,

We have been receiving a lot of spam lately with the subject along the lines of: 'Viawtgra 1.37', or 'V1agr@1 here' etc

Adding Viawtgra and V1agr@1 to the subject checking works for those specific instances, but there are thousands of variations they could come up with, and to keep adding each one to our subject checking would be extremely time consuming.

I've added 50 or so of these emails to Bayesian analysis so far, but it's still not catching on (yet).
Their domains are always changing, so blacklisting doesn't help.
The body of the emails is always changing as well and often contains a 'normal' paragraph – a portion of which is a URL.

Is there any way to use wild cards in header/keyword checking? E.g. Via**gra, to catch Viawtgra?

Any other suggestions on how to stop this garbage? All GFI options are currently enabled, bar new senders. Our domain isn't in the whitelist, nor are these senders.

Thanks all.




John Letourneau -> RE: V1agr@1, Viawtgra... Emails (11.May2008 10:10:43 PM)

David99,

Do you mind posting some of the headers here so we can analyze the messages?  Thanks.




David99 -> RE: V1agr@1, Viawtgra... Emails (11.May2008 11:13:25 PM)

John,

No worries.

Here are a few headers from these spam emails which a user forwarded through to me a few minutes ago:


Microsoft Mail Internet Headers Version 2.0
Received: from r3-atm-155.sieciuch.com ([195.117.130.3]) by mail.mydomain.com with Microsoft SMTPSVC(5.0.2195.6713);
Mon, 12 May 2008 08:01:30 +1000
Received: from [195.117.130.3] by inbound30.exchangedefender.com; Sun, 11 May 2008 22:59:41 +0100
Message-ID: <01c8b3ba$b1e62c80$038275c3@hrblf>
From: "Louella Mckinley" <hrblf@bondblacktop.com>
To: <sales@mydomain.com>
Subject: Viagugra - $1.41
Date: Sun, 11 May 2008 22:59:41 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0007_01C8B3BA.B1E62C80"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.1830
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
Return-Path: hrblf@bondblacktop.com
X-OriginalArrivalTime: 11 May 2008 22:01:38.0630 (UTC) FILETIME=[963EAE60:01C8B3B2]

Microsoft Mail Internet Headers Version 2.0
Received: from [78.165.240.136] ([78.165.240.136]) by mail.mydomain.com with Microsoft SMTPSVC(5.0.2195.6713);
Mon, 12 May 2008 03:35:09 +1000
Received: from [78.165.240.136] by mx1.emailsrvr.com; Sun, 11 May 2008 19:33:14 +0200
Message-ID: <01c8b39d$daabf900$88f0a54e@jxb>
From: "May Berger" <jxb@blego.com>
To: <user@mydomain.com>
Subject: Viafzgra - $1.63
Date: Sun, 11 May 2008 19:33:14 +0200
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0007_01C8B39D.DAABF900"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869
Return-Path: jxb@blego.com
X-OriginalArrivalTime: 11 May 2008 17:35:11.0088 (UTC) FILETIME=[5CED5F00:01C8B38D]

Microsoft Mail Internet Headers Version 2.0
Received: from dsl.static.85-105-59941.ttnet.net.tr ([85.105.234.37]) by mail.mydomain.com with Microsoft SMTPSVC(5.0.2195.6713);
Sun, 11 May 2008 18:57:37 +1000
Received: from [85.105.234.37] by mail.phx2.nearlyfreespeech.net; Sun, 11 May 2008 10:55:43 +0200
Message-ID: <01c8b355$8ed56180$25ea6955@lqajxou>
From: "Tameka Doherty" <lqajxou@bonnienapoli.com>
To: <sales2@mydomain.com>
Subject: Viabegra - $1.70
Date: Sun, 11 May 2008 10:55:43 +0200
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0007_01C8B355.8ED56180"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2670
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
Return-Path: lqajxou@bonnienapoli.com
X-OriginalArrivalTime: 11 May 2008 08:57:39.0977 (UTC) FILETIME=[1105D790:01C8B345]


Thanks for your time.




John Letourneau -> RE: V1agr@1, Viawtgra... Emails (12.May2008 8:40:36 AM)

David99,

All three of those messages can be blocked by a DNS Blacklist.  What build of GFI MailEssentials are you using?  If you are using 20071005 or above I would recommend adding zen.spamhaus.org to your DNS Blacklist as all three of these messages are listed on that server.
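A small triage helper tying together the two points raised in this thread, the obfuscated-subject problem from the first post and the connecting-IP lookup that a DNS blacklist performs. This is an added example, not code from the thread or from GFI MailEssentials; the regular expression, the function names and the trimmed sample headers are my own constructions (the addresses are the ones quoted above).

```python
import re
from typing import Optional

# Constructed sample: the first message's headers as quoted in the thread,
# trimmed to the lines this helper reads (addresses are the ones posted).
SAMPLE_HEADERS = """\
Received: from r3-atm-155.sieciuch.com ([195.117.130.3]) by mail.mydomain.com with Microsoft SMTPSVC(5.0.2195.6713);
    Mon, 12 May 2008 08:01:30 +1000
Received: from [195.117.130.3] by inbound30.exchangedefender.com; Sun, 11 May 2008 22:59:41 +0100
From: "Louella Mckinley" <hrblf@bondblacktop.com>
Subject: Viagugra - $1.41
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

def connecting_ip(headers: str) -> Optional[str]:
    """Client IP from the topmost Received: line. That line was stamped by
    our own MTA, so its bracketed address is the host that actually connected
    to us, which is what a DNS blacklist such as zen.spamhaus.org is keyed on."""
    for line in headers.splitlines():
        if line.lower().startswith("received:"):
            m = re.search(r"\[" + IPV4 + r"\]", line)
            return m.group(1) if m else None
    return None

def dnsbl_query_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """Standard DNSBL lookup name: octets reversed, then the zone. A listed
    address resolves to an A record in 127.0.0.0/8; this helper only forms
    the name and performs no network query."""
    return ".".join(reversed(ip.split("."))) + "." + zone

# Hypothetical pattern: "vi" + "a", up to three filler characters, then "gra",
# with the digit/symbol swaps seen in the thread (V1agr@1, Viawtgra, ...).
# Whitespace is deliberately kept so "via grant" is not a false positive, which
# means "V i a g r a" is missed: a keyword filter trades one for the other.
OBFUSCATED = re.compile(r"\bv[i1!|l][a@4][a-z0-9@]{0,3}gr[a@4]")

def subject_looks_obfuscated(subject: str) -> bool:
    """True if the subject contains an obfuscated spelling of the drug name."""
    cleaned = re.sub(r"[.\-_*]", "", subject.lower())  # drop v.i.a-style separators
    return OBFUSCATED.search(cleaned) is not None

def header_subject(headers: str) -> str:
    """Value of the Subject: header, or an empty string if absent."""
    for line in headers.splitlines():
        if line.lower().startswith("subject:"):
            return line.split(":", 1)[1].strip()
    return ""
```

The DNSBL name is what a resolver would query; GFI MailEssentials does that lookup itself at SMTP time once the zone is added to its DNS Blacklist list, so the helper is only for checking a suspicious message by hand.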




David99 -> RE: V1agr@1, Viawtgra... Emails (12.May2008 6:45:27 PM)

We are using version 20070810. I have now added that server to our Blacklist section and will see how we get on.

Thanks again for your time & assistance.




John Letourneau -> RE: V1agr@1, Viawtgra... Emails (12.May2008 8:18:11 PM)

David99,

Please update your build to 20071005 before using zen.spamhaus.org.




David99 -> RE: V1agr@1, Viawtgra... Emails (12.May2008 9:47:03 PM)

John,

That's weird, because we have all the automatic updates turned on, including the option under version info to check for patches every 12 hours - yet we have never been notified that any updates were available... that is, until I clicked the option to check for updates manually after reading your post above.

Anyway, updating to latest build now.

Thanks




John Letourneau -> RE: V1agr@1, Viawtgra... Emails (13.May2008 4:11:36 PM)

David99,

Updating to the latest build and using zen.spamhaus.org should eliminate a lot of these types of messages from reaching your users.  Let us know if you need assistance with this after the update.



