Can't block IRS spam (Full Version)

All Forums >> [Web & Mail Security] >> GFI MailEssentials





generaltab -> Can't block IRS spam (18.Sep.2009 11:41:06 AM)

I've really had great success with MailEssentials; my users hardly see any spam and there've been very few false positives. But there's this IRS spam that I just can't seem to block. I've even enabled keyword filtering, which I've never had to resort to before, for the subject, "Notice of Underreported Income", but they still come through. How should I troubleshoot this? Thanks!




RSP -> RE: Can't block IRS spam (18.Sep.2009 11:48:58 AM)

Post some headers & bodies and someone will help.




generaltab -> RE: Can't block IRS spam (18.Sep.2009 12:13:58 PM)

Microsoft Mail Internet Headers Version 2.0
Received: from 189-79-224-123.dsl.telesp.net.br ([189.79.224.123]) by mail.mydomain.com with Microsoft SMTPSVC(6.0.3790.3959);
Fri, 18 Sep 2009 09:27:45 -0700
Received: from 189.79.224.123 by mail.stafan.com; Fri, 18 Sep 2009 13:27:43 -0300
Message-ID: <000d01ca387c$f2b48f20$6400a8c0@crustyu701>
From: "Internal Revenue Service" <no-reply@irs.gov>
To: <webmaster@mydomain.com>
Subject: Notice of Underreported Income
Date: Fri, 18 Sep 2009 13:27:43 -0300
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0007_01CA387C.F2B48F20"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4807.2300
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.2300
Return-Path: crustyu701@stafan.com
X-OriginalArrivalTime: 18 Sep 2009 16:27:45.0607 (UTC) FILETIME=[F41C3570:01CA387C]

------=_NextPart_000_0007_01CA387C.F2B48F20
Content-Type: text/plain;
charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

------=_NextPart_000_0007_01CA387C.F2B48F20
Content-Type: text/html;
charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable


------=_NextPart_000_0007_01CA387C.F2B48F20--



Taxpayer ID: webmaster-00000174073547US
Tax Type: INCOME TAX
Issue: Unreported/Underreported Income (Fraud Application)

Please review your tax statement on Internal Revenue Service (IRS) website (click on the link below):

review tax statement for taxpayer id: webmaster-00000174073547US

Internal Revenue Service




generaltab -> RE: Can't block IRS spam (18.Sep.2009 12:17:06 PM)

Obviously, they're relayed, but they seem to be bypassing all of the modules. It's as if they've been keyword whitelisted, but they have not. To test subject keyword filtering, I mailed myself (from an external account) a message with the same subject ("Notice of Underreported Income") and it wasn't blocked. Here's my module order:

Directory Harvesting (SMTP level)
IP Whitelist
Email/Domain/Auto Whitelist
Sender Policy Framework
Phishing URL Blacklist
SpamRazer
Keyword Whitelist
Custom Blacklist
DNS Blacklists (zen.spamhaus.org, bl.spamcop.net)
Spam URI Realtime Blocklists (multi.surbl.org)
Bayesian Analysis
Header Checking
Keyword Checking




RSP -> RE: Can't block IRS spam (18.Sep.2009 1:10:53 PM)

What did the dashboard say happened with the email, assuming you're running v14?

From the headers you posted I find 189.79.224.123 on zen.spamhaus.org

Post your DNSRBL.gfi_log.txt file contents for that message. "::MTAM_InitMessage" is the delimiter for records.




generaltab -> RE: Can't block IRS spam (18.Sep.2009 2:50:49 PM)

The dashboard says they were whitelisted (Whitelisted: Whitelist), but keyword-whitelist and IP-whitelist are both disabled, and of course the senders don't appear in the manual- or auto-whitelist.

From Whitelist.log:

"09/18/09 12:44:55","Whitelist","sixthsgp043@rkon.com","webmaster@mydomain.com","Notice of Underreported Income","Whitelisted","entry in white list. skipping other checks...","<000d01ca3898$3a3c8670$6400a8c0@sixthsgp043>"




RSP -> RE: Can't block IRS spam (18.Sep.2009 7:25:50 PM)

Is your webmaster@ or your entire domain whitelisted as a recipient?

Check the ase* log files, as these are more explicit, but because of this the information in them is rotated much more quickly, so you'll have to check very soon after receiving one of these emails.




bdailey68 -> RE: Can't block IRS spam (5.Oct.2009 4:10:23 PM)

I had the same problem and I found address *@*.gov was in the whitelist. Be sure to check for that. [;)]




generaltab -> RE: Can't block IRS spam (8.Oct.2009 11:55:48 AM)

Ugh, you're right, *@*.gov was whitelisted. Thanks.
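An audit script written for this thread (it is not part of the forum posts and not GFI's own code) that turns the finding above into a repeatable check: it parses a Whitelist.log record in the layout posted earlier, tests the addresses from the posted headers against wildcard whitelist entries, and flags entries such as *@*.gov that accept any address under an entire top-level domain. It assumes the whitelist is matched against the header From: address (the thread does not say whether MailEssentials also compares the envelope sender) and that '*' is the only wildcard character.

```python
import csv
import io
import re

# Constructed samples based on this thread: the whitelist entry found to be the
# culprit (*@*.gov) next to two narrower entries, one Whitelist.log record copied
# from the one posted above, and the From:/Return-Path: pair from the posted headers.
WHITELIST = ["*@*.gov", "partner@example.com", "*@mydomain.com"]

WHITELIST_LOG = ('"09/18/09 12:44:55","Whitelist","sixthsgp043@rkon.com",'
                 '"webmaster@mydomain.com","Notice of Underreported Income",'
                 '"Whitelisted","entry in white list. skipping other checks...",'
                 '"<000d01ca3898$3a3c8670$6400a8c0@sixthsgp043>"')
LOG_FIELDS = ["time", "module", "sender", "recipient", "subject",
              "action", "reason", "message_id"]

HEADER_FROM = "no-reply@irs.gov"              # forged display sender
HEADER_RETURN_PATH = "crustyu701@stafan.com"  # actual bounce address

def pattern_to_regex(pattern):
    """Turn a '*'-wildcard address pattern into an anchored, case-insensitive regex.
    Assumption: only '*' is special; every other character is matched literally."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$",
                      re.IGNORECASE)

def matching_entries(address, whitelist=WHITELIST):
    """Whitelist entries that would match this address (empty list = not whitelisted)."""
    return [p for p in whitelist if pattern_to_regex(p).match(address)]

def is_overly_broad(pattern):
    """True when the entry accepts any local part at a wildcarded domain, e.g. '*@*.gov',
    which whitelists a whole top-level domain that anyone can put in a From: header."""
    local, at, domain = pattern.rpartition("@")
    if not at:
        return True                      # no '@': matches far more than one address
    return local.strip("*") == "" and "*" in domain

def parse_whitelist_log(text):
    """Parse quoted-CSV Whitelist.log records (layout as posted in this thread) into dicts."""
    return [dict(zip(LOG_FIELDS, row)) for row in csv.reader(io.StringIO(text))]

def audit(whitelist=WHITELIST):
    """Map each whitelist entry to whether it is overly broad, so the culprit stands out."""
    return {p: is_overly_broad(p) for p in whitelist}

if __name__ == "__main__":
    record = parse_whitelist_log(WHITELIST_LOG)[0]
    print(record["sender"], "->", record["action"], ":", record["reason"])
    for addr in (HEADER_FROM, HEADER_RETURN_PATH, record["sender"]):
        print(addr, "matches", matching_entries(addr))
    print("broad entries:", [p for p, broad in audit().items() if broad])
```

Running it shows that only the forged From: address no-reply@irs.gov hits an entry, and that the entry it hits is the one flagged as broad.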



