Some sort of trusted sender bug? Spammers getting spam through suddenly.
Question asked by W. Troy Leaver - September 21, 2015 at 11:08 AM
Unanswered
In the past few days I've noticed a bunch of spam suddenly slipping through the filters. The common denominator is that they're all being sent to my feedback loop address which is fbl@<mydomain>.com (SLD removed for privacy).
 
All of the spam slipping through contains this header:
 
X-Rcpt-To: <fbl@<mydomain>.com>
 
Similar spam without that header is filtered.
 
(How they got that email address is beyond me--it has only been used when signing up for an AOL feedback loop and maybe Microsoft's JMRP.)
 
Additionally SmarterMail is deeming this a trusted sender issue:
 
X-SmarterMail-TotalSpamWeight: 0 (Trusted Sender - User)
 
fbl@<mydomain>.com is an alias, not a mailbox. fbl@<mydomain>.com is NOT listed in my trusted sender list. Nor is any email address throughout the header. (Including staff@hotmail.com which is what SmarterMail is seeing as the sender.)
 
I'm at a loss to understand how this is happening. It just started late last week.
 
Here is the header and detail from the SMTP/delivery logs:
 
Header:
 
Return-Path: <staff@hotmail.com>
Received: from BAY004-OMC4S22.hotmail.com (bay004-omc4s22.hotmail.com [65.54.190.224]) by mail.<mydomain>.com with SMTP;
   Mon, 21 Sep 2015 12:45:39 -0500
Received: from BAY0-XMR-025.phx.gbl ([65.54.190.200]) by BAY004-OMC4S22.hotmail.com with Microsoft SMTPSVC(7.5.7601.23008);
     Mon, 21 Sep 2015 10:45:48 -0700
Received: from mail pickup service by BAY0-XMR-025.phx.gbl with Microsoft SMTPSVC;
     Mon, 21 Sep 2015 10:45:48 -0700
X-HmXmrOriginalRecipient: flavia1894@hotmail.com
X-Reporter-IP: 172.56.6.69
X-Message-Guid: 8aac505b-6085-11e5-9144-6c3be5a7db75
x-store-info: qAUQJzZ73IJCLUJ+0n7ZQ5yN3wd9gk1Jrrlyy6foO00=
Authentication-Results: hotmail.com; spf=pass (sender IP is 198.1.68.245) smtp.mailfrom=hg@yjohn.hexaezone.com; dkim=none header.d=1und1.de; dkim=permerror header.d=yjohn.hexaezone.com; x-hmca=pass header.id=name@yjohn.hexaezone.com
X-SID-PRA: name@yjohn.hexaezone.com
X-AUTH-Result: PASS
X-SID-Result: PASS
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MztHRD0zO1NDTD03
X-Message-Info: v3e34AVpXcVyWCi2vud6It4sW74ZFGnnZzFUfaxms6e1h4WsOvSZZt20Mzc69zZwmsaN3vLfjTs4yDXBqa6MN9K3e/QYRAys0NkKjH6KynWfMSSEmD06nim0OpXikk8/TM7356wrN/133yJ0Kohc5HkWaQYg8aZEVWRVVCkhgfnsYCV6xnTji6nwKueVYpZhFor2gg2n6B2CUcT+lH7F5xw6YLeCqjHdeFnXJifj8r0=
Received: from yjohn.hexaezone.com ([198.1.68.245]) by BLU004-MC1F33.hotmail.com with Microsoft SMTPSVC(7.5.7601.23143);
     Mon, 21 Sep 2015 10:24:04 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=SELECTOR1; d=yjohn.hexaezone.com;
 h=Subject:From:Mime-Version:List-Unsubscribe:Sender:Content-Type:To:Message-ID; i=name@yjohn.hexaezone.com;
 bh=eknpZe02eB1BjAYKLjfO9p5vQVQ=;
 b=kVgG/Sy/K+RIs06oxV6i/KZ2IsOujndF03hNC68QC177sqErabv5mnQ2uufsi8iXNasXeksP8qcc
   xW5gMi6iLfe5dMjOkDP38lyLPJB8V02f+mvZED+NlRrp+ErA3wSbzfdcKjIJVD/WvikgNdRbp426
   k1GUwdEJi5Hbt1/szIk=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=SELECTOR1; d=yjohn.hexaezone.com;
 b=ji/+S0evgemZJKYeD9x38SztcNqKZbMWtlcaFU7vIOOonVDRZja+PS459RDP9unxXmeWEwr0j6gc
   IgcOOJR7jmwZxtEpwM5AMsnnPQSh1T3Nvu22CJdHnLV487X4UwZ//h4xKsrkg6bT6KcJH5/LpFsg
   DCvRn4YZyBMI3ZerXZk=;
Received: from localhost (127.0.0.1) by yjohn.hexaezone.com id h00uj416lt0n for <flavia1894@hotmail.com>; Mon, 21 Sep 2015 13:24:01 -0400 (envelope-from <hg@yjohn.hexaezone.com>)
Subject: flavia1894: =?UTF-8?B?R2V0IHRoZSBmYWN0cyBhYm91dCBzZWxsaW5nIHlvdXIgVGltZXNoYXJlLg==?=
From: =?UTF-8?B?SGVscCBTZWxsIE15IFRpbWVzaGFyZQ==?= <info@1und1.de>
Mime-Version:
List-Unsubscribe: <>
Sender: "flavia1894"  <name@yjohn.hexaezone.com>
Content-Type: text/html
To: flavia1894@hotmail.com
Message-ID: <SNT004-mzvfrjeq8ux2ycv@SNT004-MC2F13.hotmail.com>
X-SG-EID: cKpNRtVuzoy5iSQmZs0sHFAykSKGT77AKaNgk3O0i2Uu6DPR2oyOD5FjkVMksJi3slSQ4Mq8KahzSz
 NQ6JbLSCyaelet/mrA6oezYlLnNq7o2OgS8oex+0STuVauysm95efRkZerZC56Ke2EQ55RZ02qwD1E
 JvmmEgDU4CiWOTk=
X-SG-ID: SolyLoj4M+6t0KZQOavh+EhAg7mxK0+8s5Pxt8+oPW2ehcXKfVsMPwsv7au/gjffgQkNDl8m5u5rep
 NqTI5EB2j9o8xo9pXDdvAt/S3XwoUALL+v3Jx8sgEaPhd2i0QtcsE/bwN5MhTUb3fc8KRY9vOHRwg/
 paVEh/+HU8nlztJ6kA1pvDgramAOwZYDOVen6uXM3r5AUT3ui2+LWZHj/7BDz5hwN/e4qF8kHAgrhP
 Wgi8omFOjP6P5ptNzkipAhy/US60yoriLXjBMGdDE2m2xMx2nYSt5rZx5KNyNjq9BsPELyg/JTe/ev
 Z8G3ZmU71YV3LEcwCj2dWQbvCRZuFntpuNi2EOPr+Somxi2Ih+w=
Return-Path: hg@yjohn.hexaezone.com
X-OriginalArrivalTime: 21 Sep 2015 17:24:04.0413 (UTC) FILETIME=[505896D0:01D0F492]
Date: 21 Sep 2015 10:24:04 -0700
X-MessageSniffer-Identifier: e:\SmarterMail\Spool\proc\work\81457577.eml
X-GBUdb-Analysis: 0, 65.54.190.224, Ugly c=0.071429 p=0 Source Normal
X-MessageSniffer-Scan-Result: 62
X-MessageSniffer-Rules: 62-7272267-4414-4462-m
    62-7272267-0-17535-f
X-RBL-Warning: WEIGHT10: Weight of 33 reaches or exceeds the limit of 10.
X-RBL-Warning: WEIGHT14: Weight of 33 reaches or exceeds the limit of 14.
X-RBL-Warning: WEIGHT20: Weight of 33 reaches or exceeds the limit of 20.
X-RBL-Warning: WEIGHT30: Weight of 33 reaches or exceeds the limit of 30.
X-Declude-Sender: staff@hotmail.com [65.54.190.224]
X-Declude-Spoolname: 81457577.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.12.11
X-Declude-Scan: Incoming Score [33] at 12:45:48 on 21 Sep 2015
X-Declude-Tests: HOSTKARMA-YELLOW [5], MAILSPIKE-H2 [-2], NOPOSTMASTER [1], SPFPASS [-1], SUBCHARS-55 [1], SUBCHARS-60 [1], SUBCHARS-65 [1], NONENGLISH [5], FROMNOMATCH [2], SNIFFER-OBFUSCATION [20], WEIGHT10 [10], WEIGHT14 [14], WEIGHT20 [20], WEIGHT30 [30]
X-Country-Chain: UNITED STATES->destination
X-Declude-Code: e
X-HELO: BAY004-OMC4S22.hotmail.com
X-Identity: 65.54.190.224 | bay004-omc4s22.hotmail.com | hotmail.com
X-Rcpt-To: <fbl@<mydomain>.com>
X-SmarterMail-Spam: SPF_Pass, DK_None, DKIM_None, Declude: 33
X-SmarterMail-TotalSpamWeight: 0 (Trusted Sender - User)
 
SMTP Log:
 
[2015.09.21] 12:45:39 [65.54.190.224][37508174] rsp: 220 mail.<mydomain>.com
[2015.09.21] 12:45:39 [65.54.190.224][37508174] connected at 9/21/2015 12:45:39 PM
[2015.09.21] 12:45:39 [65.54.190.224][37508174] cmd: EHLO BAY004-OMC4S22.hotmail.com
[2015.09.21] 12:45:39 [65.54.190.224][37508174] rsp: 250-mail.<mydomain>.com Hello [65.54.190.224]250-SIZE 31457280250-AUTH LOGIN CRAM-MD5250-8BITMIME250 OK
[2015.09.21] 12:45:39 [65.54.190.224][37508174] cmd: MAIL FROM:<staff@hotmail.com> SIZE=11444
[2015.09.21] 12:45:39 [65.54.190.224][37508174] rsp: 250 OK <staff@hotmail.com> Sender ok
[2015.09.21] 12:45:39 [65.54.190.224][37508174] cmd: RCPT TO:<fbl@<mydomain>.com>
[2015.09.21] 12:45:39 [65.54.190.224][37508174] rsp: 250 OK <fbl@<mydomain>.com> Recipient ok
[2015.09.21] 12:45:39 [65.54.190.224][37508174] cmd: DATA
[2015.09.21] 12:45:39 [65.54.190.224][37508174] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
[2015.09.21] 12:45:39 [65.54.190.224][37508174] rsp: 250 OK
[2015.09.21] 12:45:39 [65.54.190.224][37508174] Data transfer succeeded, writing mail to 81457577.eml
[2015.09.21] 12:45:39 [65.54.190.224][37508174] cmd: QUIT
[2015.09.21] 12:45:39 [65.54.190.224][37508174] rsp: 221 Service closing transmission channel
[2015.09.21] 12:45:39 [65.54.190.224][37508174] disconnected at 9/21/2015 12:45:39 PM
 
Delivery Log:
 
[2015.09.21] 12:45:50 [57577] Delivery started for staff@hotmail.com at 12:45:50 PM
[2015.09.21] 12:45:57 [57577] DKIM TempFail: An error of type  occured during lookup of the domains DKIM public key. DKIM verification for this message will be skipped.
[2015.09.21] 12:45:57 [57577] Spam check results: [_SPF: Pass], [_REVERSEDNSLOOKUP: passed], [_BAYESIANFILTERING: passed], [_DK: None], [_DKIM: None]
[2015.09.21] 12:46:01 [57577] Starting local delivery to wt@<mydomain>.com
[2015.09.21] 12:46:01 [57577] Skipping spam filtering: Trusted Sender (user level)
[2015.09.21] 12:46:01 [57577] Delivery for staff@hotmail.com to wt@<mydomain>.com has completed (Delivered) Filter: None

2 Replies

Bruce Barnes Replied
September 21, 2015 at 12:56 PM
Without the actual e-mail address the spam is being sent to, there's not much anyone can do to help you with the provided information.
Bruce Barnes
ChicagoNetTech Inc

Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
Scarab Replied
September 22, 2015 at 12:21 PM
The emails you are receiving are from Hotmail's Feedback Loop. They are addressed as coming from staff@hotmail.com to fbl@yourdomain.com. These are emails that have been reported by users of Hotmail as Spam, and as they are spoofing a domain whose MX Records resolve to the IP that you used when you signed up for their Feedback Loop, they are being sent to your Feedback Loop address that you provided.
 
They will all have text similar to the following:
 
This is an email abuse report for an email message received from IP 92.240.253.108 on Tue, 22 Sep 2015 07:49:39 -0700.
The message below did not meet the sending domain's authentication policy.
For more information about this format please see http://www.ietf.org/rfc/rfc5965.txt.
 
Each email will include an attachment with the original email.
 
In almost all cases these are reports of emails that are spoofed and using one of the domains that you host on your mail server. You can safely ignore these; you just want to eyeball them to make sure that none report being received from your Mail Server's IP Address. (I have them moved to a folder and once a day do a search for my Mail Server's IP Address.)
 
The reason they are marked as Trusted Sender is because you have marked staff@hotmail.com as a Trusted Sender for your fbl or wt account. (Trusted Senders can also be added to the entire domain, or in your server's SECURITY > TRUSTED SENDERS list.) But the log specifically says "User Level".
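Scarab's advice above amounts to a triage rule: open each feedback-loop report, find the IP the complaint is about, and make sure it is not your own mail server's address. The Python script below is an added example, not code from this thread, from SmarterMail, or from Hotmail's feedback loop. It parses a constructed ARF (RFC 5965) report of the kind Scarab describes, reads the Source-IP field from the machine-readable message/feedback-report part, pulls the bracketed IP literals from the Received headers of the attached original message, and compares all of them against an assumed set of your own MX addresses (OUR_MX_IPS is a placeholder). The sample report, its MIME boundary, and every address and domain inside it are constructed for the example.

```python
"""Triage an ARF feedback-loop report (RFC 5965). Added example, not thread code."""
import email
import email.policy
import re

# Assumed placeholder: the public address(es) your MX sends from. Replace with your own.
OUR_MX_IPS = {"203.0.113.10"}

# Constructed sample report in the shape Scarab describes: a human-readable part,
# a machine-readable feedback-report part, and the original message as an attachment.
SAMPLE_ARF = """\
From: staff@hotmail.com
To: fbl@example.com
Subject: complaint about message from 192.0.2.77
Date: Tue, 22 Sep 2015 07:49:39 -0700
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report; boundary="arfpart"

--arfpart
Content-Type: text/plain; charset="us-ascii"

This is an email abuse report for an email message received from IP 192.0.2.77 on Tue, 22 Sep 2015 07:49:39 -0700.
The message below did not meet the sending domain's authentication policy.

--arfpart
Content-Type: message/feedback-report

Feedback-Type: abuse
User-Agent: ExampleFBL/1.0
Version: 1
Source-IP: 192.0.2.77
Original-Mail-From: <bounce@mail.example.com>
Original-Rcpt-To: <victim@hotmail.example>
Arrival-Date: Tue, 22 Sep 2015 07:49:39 -0700

--arfpart
Content-Type: message/rfc822

Received: from mail.example.com (unknown [192.0.2.77])
        by mx.hotmail.example with SMTP; Tue, 22 Sep 2015 07:49:39 -0700
From: "Help Desk" <noreply@example.com>
To: victim@hotmail.example
Subject: Your account
Message-ID: <constructed-1@example.com>

Sample body of the spoofed message.
--arfpart--
"""

# Matches the bracketed IPv4 literal that MTAs put in Received headers.
IP_LITERAL = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _nested(part):
    """Return the message nested inside a message/* part, parsing it if needed."""
    payload = part.get_payload()
    if isinstance(payload, list):
        return payload[0]
    return email.message_from_string(str(payload), policy=email.policy.default)


def parse_arf(raw: str) -> dict:
    """Split an ARF report into its report fields and the attached original message."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "feedback-report"):
        raise ValueError("not an ARF feedback report")
    result = {"report": {}, "original": None}
    for part in msg.iter_parts():  # direct children only; skip the nested bodies
        ctype = part.get_content_type()
        if ctype == "message/feedback-report":
            result["report"] = {k.lower(): str(v).strip() for k, v in _nested(part).items()}
        elif ctype == "message/rfc822":
            result["original"] = _nested(part)
    return result


def received_ips(original) -> list:
    """Collect every IP literal from the original message's Received chain."""
    ips = []
    for hdr in original.get_all("Received", []):
        ips.extend(IP_LITERAL.findall(str(hdr)))
    return ips


def triage(raw: str, our_ips=OUR_MX_IPS) -> dict:
    """Decide whether a report implicates our own server or a spoofer elsewhere."""
    arf = parse_arf(raw)
    source = arf["report"].get("source-ip")
    seen = {source} if source else set()
    if arf["original"] is not None:
        seen.update(received_ips(arf["original"]))
    ours = {ip for ip in seen if ip in our_ips}
    return {
        "feedback_type": arf["report"].get("feedback-type"),
        "source_ip": source,
        "ips_in_report": sorted(seen),
        "from_our_server": bool(ours),
        "verdict": "INVESTIGATE: report names our server" if ours else "spoofed elsewhere: ignore",
    }


if __name__ == "__main__":
    print(triage(SAMPLE_ARF))
```

Run it over each report saved from the fbl folder; a `from_our_server` of `True` is the case Scarab says to look for, because it means a complaint was filed about mail that actually left your MX rather than about a spoofer using your domain name.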
 
