Can't block IRS spam
Can't block IRS spam - 18.Sep.2009 11:41:06 AM
generaltab
Posts: 23
Joined: 8.Apr.2008
Status: offline
I've really had great success with MailEssentials; my users hardly see any spam and there've been very few false positives. But there's this IRS spam that I just can't seem to block. I've even enabled keyword filtering, which I've never had to resort to before, for the subject, "Notice of Underreported Income", but they still come through. How should I troubleshoot this? Thanks!
RE: Can't block IRS spam - 18.Sep.2009 11:48:58 AM
RSP
Posts: 1270
Joined: 31.Oct.2006
From: The East Riding of Yorkshire, UK
Status: offline
Post some headers & bodies and someone will help.
_____________________________
Disclaimer: I don't work for GFI, I just use their products.
RE: Can't block IRS spam - 18.Sep.2009 12:13:58 PM
generaltab
Posts: 23
Joined: 8.Apr.2008
Status: offline
Microsoft Mail Internet Headers Version 2.0
Received: from 189-79-224-123.dsl.telesp.net.br ([189.79.224.123]) by mail.mydomain.com with Microsoft SMTPSVC(6.0.3790.3959);
    Fri, 18 Sep 2009 09:27:45 -0700
Received: from 189.79.224.123 by mail.stafan.com; Fri, 18 Sep 2009 13:27:43 -0300
Message-ID: <000d01ca387c$f2b48f20$6400a8c0@crustyu701>
From: "Internal Revenue Service" <no-reply@irs.gov>
To: <webmaster@mydomain.com>
Subject: Notice of Underreported Income
Date: Fri, 18 Sep 2009 13:27:43 -0300
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0007_01CA387C.F2B48F20"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4807.2300
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.2300
Return-Path: crustyu701@stafan.com
X-OriginalArrivalTime: 18 Sep 2009 16:27:45.0607 (UTC) FILETIME=[F41C3570:01CA387C]

------=_NextPart_000_0007_01CA387C.F2B48F20
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

------=_NextPart_000_0007_01CA387C.F2B48F20
Content-Type: text/html; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

------=_NextPart_000_0007_01CA387C.F2B48F20--

Taxpayer ID: webmaster-00000174073547US
Tax Type: INCOME TAX
Issue: Unreported/Underreported Income (Fraud Application)
Please review your tax statement on Internal Revenue Service (IRS) website (click on the link below):
review tax statement for taxpayer id: webmaster-00000174073547US
Internal Revenue Service
RE: Can't block IRS spam - 18.Sep.2009 12:17:06 PM
generaltab
Posts: 23
Joined: 8.Apr.2008
Status: offline
Obviously, they're relayed, but they seem to be bypassing all of the modules. It's as if they've been keyword whitelisted, but they have not. To test subject keyword filtering, I mailed myself (from an external account) a message with the same subject ("Notice of Underreported Income") and it wasn't blocked.
Here's my module order:
Directory Harvesting (SMTP level)
IP Whitelist
Email/Domain/Auto Whitelist
Sender Policy Framework
Phishing URL Blacklist
SpamRazer
Keyword Whitelist
Custom Blacklist
DNS Blacklists (zen.spamhaus.org, bl.spamcop.net)
Spam URI Realtime Blocklists (multi.surbl.org)
Bayesian Analysis
Header Checking
Keyword Checking
< Message edited by generaltab -- 18.Sep.2009 12:19:32 PM >
RE: Can't block IRS spam - 18.Sep.2009 1:10:53 PM
RSP
Posts: 1270
Joined: 31.Oct.2006
From: The East Riding of Yorkshire, UK
Status: offline
What did the dashboard say happened with the email, assuming you're running v14?
From the headers you posted I find 189.79.224.123 on zen.spamhaus.org.
Post your DNSRBL.gfi_log.txt file contents for that message. "::MTAM_InitMessage" is the delimiter for records.
RE: Can't block IRS spam - 18.Sep.2009 2:50:49 PM
generaltab
Posts: 23
Joined: 8.Apr.2008
Status: offline
The dashboard says they were whitelisted (Whitelisted: Whitelist), but keyword-whitelist and IP-whitelist are both disabled, and of course the senders don't appear in the manual- or auto-whitelist. From Whitelist.log:
"09/18/09 12:44:55","Whitelist","sixthsgp043@rkon.com","webmaster@mydomain.com","Notice of Underreported Income","Whitelisted","entry in white list. skipping other checks...","<000d01ca3898$3a3c8670$6400a8c0@sixthsgp043>"
RE: Can't block IRS spam - 18.Sep.2009 7:25:50 PM
RSP
Posts: 1270
Joined: 31.Oct.2006
From: The East Riding of Yorkshire, UK
Status: offline
Is your webmaster@ or your entire domain whitelisted as a recipient? Check the ase* log files, as these are more explicit, but because of this the information in them is rotated much more quickly, so you'll have to check very soon after receiving one of these emails.
RE: Can't block IRS spam - 8.Oct.2009 11:55:48 AM
generaltab
Posts: 23
Joined: 8.Apr.2008
Status: offline
Ugh, you're right, *@*.gov was whitelisted. Thanks.
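An added example (not part of the original thread and not GFI's code) showing why the *@*.gov entry let this message skip every later module: the pattern matches the spoofable From header, while the envelope sender in Return-Path belongs to an unrelated domain. It assumes the whitelist compares entries against the From header using glob-style wildcards; the second whitelist entry and all function names are hypothetical.

```python
import fnmatch
from email import message_from_string
from email.utils import parseaddr

# "*@*.gov" is the entry found in the thread; the second entry is hypothetical.
WHITELIST = ["*@*.gov", "billing@partner.example"]

# Abridged from the headers posted in the thread.
RAW_HEADERS = (
    'Received: from 189-79-224-123.dsl.telesp.net.br ([189.79.224.123]) '
    'by mail.mydomain.com; Fri, 18 Sep 2009 09:27:45 -0700\n'
    'From: "Internal Revenue Service" <no-reply@irs.gov>\n'
    'To: <webmaster@mydomain.com>\n'
    'Subject: Notice of Underreported Income\n'
    'Return-Path: crustyu701@stafan.com\n\n'
)

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def whitelist_hit(addr, whitelist):
    """Return the first pattern matching addr, or None (glob matching is an assumption)."""
    for pat in whitelist:
        if fnmatch.fnmatchcase(addr.lower(), pat.lower()):
            return pat
    return None

def is_broad(pattern):
    """True when any local part is accepted for a wildcarded domain, e.g. *@*.gov."""
    local, _, dom = pattern.partition("@")
    return local == "*" and "*" in dom

def audit(raw_headers, whitelist):
    msg = message_from_string(raw_headers)
    header_from = parseaddr(msg["From"])[1]      # attacker-controlled display address
    envelope = parseaddr(msg["Return-Path"])[1]  # envelope sender recorded on delivery
    hit = whitelist_hit(header_from, whitelist)
    return {
        "header_from": header_from,
        "envelope_sender": envelope,
        "whitelist_hit": hit,
        "broad_pattern": bool(hit) and is_broad(hit),
        "from_mismatch": domain(header_from) != domain(envelope),
        "envelope_whitelisted": whitelist_hit(envelope, whitelist) is not None,
    }

if __name__ == "__main__":
    print(audit(RAW_HEADERS, WHITELIST))
```

A whitelist hit on a broad pattern combined with a From/envelope domain mismatch is the combination worth reviewing, since the envelope sender alone never appears in the whitelist.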