Some sort of trusted sender bug? Spammers getting spam through suddenly.

Question asked by W. T. Leaver - 9/21/2015 at 11:08 AM

Unanswered

In the past few days I've noticed a bunch of spam suddenly slipping through the filters. The common denominator is that they're all being sent to my feedback loop address which is fbl@<mydomain>.com (SLD removed for privacy).

All of the spam slipping through contains this header:

X-Rcpt-To: <fbl@<mydomain>.com>

Similar spam without that header is filtered.

(How they got that email address is beyond me--it has only been used when signing up for an AOL feedback loop and maybe Microsoft's JMRP.)

Additionally SmarterMail is deeming this a trusted sender issue:

X-SmarterMail-TotalSpamWeight: 0 (Trusted Sender - User)

fbl@<mydomain>.com is an alias, not a mailbox. fbl@<mydomain>.com is NOT listed in my trusted sender list. Nor is any email address throughout the header. (Including staff@hotmail.com which is what SmarterMail is seeing as the sender.)

I'm at a loss to understand how this is happening. It just started late last week.

Here is the header and detail from the smpt/delivery logs:

Header:

Return-Path: <staff@hotmail.com>
Received: from BAY004-OMC4S22.hotmail.com (bay004-omc4s22.hotmail.com [65.54.190.224]) by mail.<mydomain>.com with SMTP;
   Mon, 21 Sep 2015 12:45:39 -0500
Received: from BAY0-XMR-025.phx.gbl ([65.54.190.200]) by BAY004-OMC4S22.hotmail.com with Microsoft SMTPSVC(7.5.7601.23008);
   Mon, 21 Sep 2015 10:45:48 -0700
Received: from mail pickup service by BAY0-XMR-025.phx.gbl with Microsoft SMTPSVC;
   Mon, 21 Sep 2015 10:45:48 -0700
X-HmXmrOriginalRecipient: flavia1894@hotmail.com
X-Reporter-IP: 172.56.6.69
X-Message-Guid: 8aac505b-6085-11e5-9144-6c3be5a7db75
x-store-info: qAUQJzZ73IJCLUJ+0n7ZQ5yN3wd9gk1Jrrlyy6foO00=
Authentication-Results: hotmail.com; spf=pass (sender IP is 198.1.68.245) smtp.mailfrom=hg@yjohn.hexaezone.com; dkim=none header.d=1und1.de; dkim=permerror header.d=yjohn.hexaezone.com; x-hmca=pass header.id=name@yjohn.hexaezone.com
X-SID-PRA: name@yjohn.hexaezone.com
X-AUTH-Result: PASS
X-SID-Result: PASS
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MztHRD0zO1NDTD03
X-Message-Info: v3e34AVpXcVyWCi2vud6It4sW74ZFGnnZzFUfaxms6e1h4WsOvSZZt20Mzc69zZwmsaN3vLfjTs4yDXBqa6MN9K3e/QYRAys0NkKjH6KynWfMSSEmD06nim0OpXikk8/TM7356wrN/133yJ0Kohc5HkWaQYg8aZEVWRVVCkhgfnsYCV6xnTji6nwKueVYpZhFor2gg2n6B2CUcT+lH7F5xw6YLeCqjHdeFnXJifj8r0=
Received: from yjohn.hexaezone.com ([198.1.68.245]) by BLU004-MC1F33.hotmail.com with Microsoft SMTPSVC(7.5.7601.23143);
   Mon, 21 Sep 2015 10:24:04 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=SELECTOR1; d=yjohn.hexaezone.com;
h=Subject:From:Mime-Version:List-Unsubscribe:Sender:Content-Type:To:Message-ID; i=name@yjohn.hexaezone.com;
bh=eknpZe02eB1BjAYKLjfO9p5vQVQ=;
b=kVgG/Sy/K+RIs06oxV6i/KZ2IsOujndF03hNC68QC177sqErabv5mnQ2uufsi8iXNasXeksP8qcc
   xW5gMi6iLfe5dMjOkDP38lyLPJB8V02f+mvZED+NlRrp+ErA3wSbzfdcKjIJVD/WvikgNdRbp426
   k1GUwdEJi5Hbt1/szIk=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=SELECTOR1; d=yjohn.hexaezone.com;
b=ji/+S0evgemZJKYeD9x38SztcNqKZbMWtlcaFU7vIOOonVDRZja+PS459RDP9unxXmeWEwr0j6gc
   IgcOOJR7jmwZxtEpwM5AMsnnPQSh1T3Nvu22CJdHnLV487X4UwZ//h4xKsrkg6bT6KcJH5/LpFsg
   DCvRn4YZyBMI3ZerXZk=;
Received: from localhost (127.0.0.1) by yjohn.hexaezone.com id h00uj416lt0n for <flavia1894@hotmail.com>; Mon, 21 Sep 2015 13:24:01 -0400 (envelope-from <hg@yjohn.hexaezone.com>)
Subject: flavia1894: =?UTF-8?B?R2V0IHRoZSBmYWN0cyBhYm91dCBzZWxsaW5nIHlvdXIgVGltZXNoYXJlLg==?=
From: =?UTF-8?B?SGVscCBTZWxsIE15IFRpbWVzaGFyZQ==?= <info@1und1.de>
Mime-Version:
List-Unsubscribe: <>
Sender: "flavia1894" <name@yjohn.hexaezone.com>
Content-Type: text/html
To: flavia1894@hotmail.com
Message-ID: <SNT004-mzvfrjeq8ux2ycv@SNT004-MC2F13.hotmail.com>
X-SG-EID: cKpNRtVuzoy5iSQmZs0sHFAykSKGT77AKaNgk3O0i2Uu6DPR2oyOD5FjkVMksJi3slSQ4Mq8KahzSz
NQ6JbLSCyaelet/mrA6oezYlLnNq7o2OgS8oex+0STuVauysm95efRkZerZC56Ke2EQ55RZ02qwD1E
JvmmEgDU4CiWOTk=
X-SG-ID: SolyLoj4M+6t0KZQOavh+EhAg7mxK0+8s5Pxt8+oPW2ehcXKfVsMPwsv7au/gjffgQkNDl8m5u5rep
NqTI5EB2j9o8xo9pXDdvAt/S3XwoUALL+v3Jx8sgEaPhd2i0QtcsE/bwN5MhTUb3fc8KRY9vOHRwg/
paVEh/+HU8nlztJ6kA1pvDgramAOwZYDOVen6uXM3r5AUT3ui2+LWZHj/7BDz5hwN/e4qF8kHAgrhP
Wgi8omFOjP6P5ptNzkipAhy/US60yoriLXjBMGdDE2m2xMx2nYSt5rZx5KNyNjq9BsPELyg/JTe/ev
Z8G3ZmU71YV3LEcwCj2dWQbvCRZuFntpuNi2EOPr+Somxi2Ih+w=
Return-Path: hg@yjohn.hexaezone.com
X-OriginalArrivalTime: 21 Sep 2015 17:24:04.0413 (UTC) FILETIME=[505896D0:01D0F492]
Date: 21 Sep 2015 10:24:04 -0700
X-MessageSniffer-Identifier: e:\SmarterMail\Spool\proc\work\81457577.eml
X-GBUdb-Analysis: 0, 65.54.190.224, Ugly c=0.071429 p=0 Source Normal
X-MessageSniffer-Scan-Result: 62
X-MessageSniffer-Rules: 62-7272267-4414-4462-m
   62-7272267-0-17535-f
X-RBL-Warning: WEIGHT10: Weight of 33 reaches or exceeds the limit of 10.
X-RBL-Warning: WEIGHT14: Weight of 33 reaches or exceeds the limit of 14.
X-RBL-Warning: WEIGHT20: Weight of 33 reaches or exceeds the limit of 20.
X-RBL-Warning: WEIGHT30: Weight of 33 reaches or exceeds the limit of 30.
X-Declude-Sender: staff@hotmail.com [65.54.190.224]
X-Declude-Spoolname: 81457577.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.12.11
X-Declude-Scan: Incoming Score [33] at 12:45:48 on 21 Sep 2015
X-Declude-Tests: HOSTKARMA-YELLOW [5], MAILSPIKE-H2 [-2], NOPOSTMASTER [1], SPFPASS [-1], SUBCHARS-55 [1], SUBCHARS-60 [1], SUBCHARS-65 [1], NONENGLISH [5], FROMNOMATCH [2], SNIFFER-OBFUSCATION [20], WEIGHT10 [10], WEIGHT14 [14], WEIGHT20 [20], WEIGHT30 [30]
X-Country-Chain: UNITED STATES->destination
X-Declude-Code: e
X-HELO: BAY004-OMC4S22.hotmail.com
X-Identity: 65.54.190.224 | bay004-omc4s22.hotmail.com | hotmail.com
X-Rcpt-To: <fbl@<mydomain>.com>
X-SmarterMail-Spam: SPF_Pass, DK_None, DKIM_None, Declude: 33
X-SmarterMail-TotalSpamWeight: 0 (Trusted Sender - User)

SMTP Log:

[2015.09.21] 12:45:39 [65.54.190.224][37508174] rsp: 220 mail.<mydomain>.com
[2015.09.21] 12:45:39 [65.54.190.224][37508174] connected at 9/21/2015 12:45:39 PM
[2015.09.21] 12:45:39 [65.54.190.224][37508174] cmd: EHLO BAY004-OMC4S22.hotmail.com
[2015.09.21] 12:45:39 [65.54.190.224][37508174] rsp: 250-mail.<mydomain>.com Hello [65.54.190.224]250-SIZE 31457280250-AUTH LOGIN CRAM-MD5250-8BITMIME250 OK
[2015.09.21] 12:45:39 [65.54.190.224][37508174] cmd: MAIL FROM:<staff@hotmail.com> SIZE=11444
[2015.09.21] 12:45:39 [65.54.190.224][37508174] rsp: 250 OK <staff@hotmail.com> Sender ok
[2015.09.21] 12:45:39 [65.54.190.224][37508174] cmd: RCPT TO:<fbl@<mydomain>.com>
[2015.09.21] 12:45:39 [65.54.190.224][37508174] rsp: 250 OK <fbl@<mydomain>.com> Recipient ok
[2015.09.21] 12:45:39 [65.54.190.224][37508174] cmd: DATA
[2015.09.21] 12:45:39 [65.54.190.224][37508174] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
[2015.09.21] 12:45:39 [65.54.190.224][37508174] rsp: 250 OK
[2015.09.21] 12:45:39 [65.54.190.224][37508174] Data transfer succeeded, writing mail to 81457577.eml
[2015.09.21] 12:45:39 [65.54.190.224][37508174] cmd: QUIT
[2015.09.21] 12:45:39 [65.54.190.224][37508174] rsp: 221 Service closing transmission channel
[2015.09.21] 12:45:39 [65.54.190.224][37508174] disconnected at 9/21/2015 12:45:39 PM

Delivery Log:

[2015.09.21] 12:45:50 [57577] Delivery started for staff@hotmail.com at 12:45:50 PM
[2015.09.21] 12:45:57 [57577] DKIM TempFail: An error of type occured during lookup of the domains DKIM public key. DKIM verification for this message will be skipped.
[2015.09.21] 12:45:57 [57577] Spam check results: [_SPF: Pass], [_REVERSEDNSLOOKUP: passed], [_BAYESIANFILTERING: passed], [_DK: None], [_DKIM: None]
[2015.09.21] 12:46:01 [57577] Starting local delivery to wt@<mydomain>.com
[2015.09.21] 12:46:01 [57577] Skipping spam filtering: Trusted Sender (user level)
[2015.09.21] 12:46:01 [57577] Delivery for staff@hotmail.com to wt@<mydomain>.com has completed (Delivered) Filter: None

6 Replies

Reply to Thread

Bruce Barnes Replied

9/21/2015 at 12:56 PM

Without the actual e-mail address the spam is being sent to, there's not much anyone can do to help you with the provide information.

Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phonr: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting

W. T. Leaver Replied

9/21/2015 at 1:54 PM

Sorry, but I have to call BS on your response. There isn't anything you could do to help determine the cause just by knowing the destination email address.

Sure you could determine whether or not we're enforcing smtp authentication (we are), and confirm that we're not an open relay (we're not), but you couldn't possibly determine whether an email you or anyone might try to send would be filtered or not based on being a trusted sender, which is what this is about.

This is really more or less for others experiencing the same issue or SmarterTools themselves to see and/or weigh in on.

In fact there are others reporting the same issue (and I probably should have piggy backed on one of those questions but I didn't search before posting.)

Bruce Barnes Replied

9/21/2015 at 6:50 PM

Then I call you out and will no longer respond to any of you posts or questions.

W. T. Leaver Replied

9/21/2015 at 7:30 PM

Thank you!

Scarab Replied

9/22/2015 at 12:21 PM

The emails you are receiving are from Hotmail's Feedback Loop. They are addressed as coming from staff@hotmail.com to fbl@yourdomain.com. These are emails that have been reported by users of Hotmail as Spam, and as they are spoofing a domain whose MX Records resolve to the IP that you used when you signed up for their Feedback Loop, they are being sent to your Feedback Loop address that you provided.

They will all have text similar to the following:

This is an email abuse report for an email message received from IP 92.240.253.108 on Tue, 22 Sep 2015 07:49:39 -0700.
The message below did not meet the sending domain's authentication policy.
For more information about this format please see http://www.ietf.org/rfc/rfc5965.txt.

Each email will include an attachment with the original email.

In almost all cases these are reports of emails that are spoofed and using one of the domains that you host on your mail server. You can safely ignore these and just want to eyeball them to make sure that none report being received from your Mail Server's IP Address. (I have them moved to a folder and once a day do a search for my Mail Server's IP Address.)

The reason they are marked as Trusted Sender is because you have marked staff@hotmail.com as a Trusted Sender for your fbl or wt account, (Trusted Senders can also be added to the entire domain, or in your server's SECURITY > TRUSTED SENDERS list)..but the log specifically says "User Level".

W. T. Leaver Replied

9/22/2015 at 8:28 PM

That's an interesting idea, one that I briefly considered myself, but that doesn't appear to be it. I confess it's been a LONG time since I've actually received a spam report from JMRP, so I don't recall exactly how they're formatted, but in this case there are several arguments against it:

1. These messages are pure spam. They have no attachments, no indication anywhere that they are a JRMP report.

2. As indicated in my initial post, staff@hotmail is NOT in the trusted sender list for the recipient mailbox or the domain, or the server.

3. None of the IPs in any of them are related to ours.

4. If the spam was originating from our IP space, SNDS would show said IPs with a non-normal status, but everything is clear. (Hundreds of these messages have come in over several days so if it was an active outbreak from us they would most certainly have marked the source IP(s) as bad by now.

5. I just now looked at our JMRP setup with Microsoft and we're set to receive ARF format reports, which is most definitely not the case here. Additionally the email to which those reports are set to go is NOT the fbl@<mydomain>.com to which these spam messages are being sent. Come to think of it, that's not even the destination that our AOL feedback loop reports go to (contrary to what I was thinking when I wrote the original post.)

The one common denominator though for all the messages I've inspected is that they *ARE* in fact coming from Microsoft email properties (hotmail, msn for the ones I've checked.)

The fact that SmarterMail is marking them as trusted sender cannot be explained and is the real issue here, as these messages are being properly scored.

This is very similar to other reports such as:

http://portal.smartertools.com/community/a132/trusted-sender-user-level.aspx

http://portal.smartertools.com/community/a2335/email-spoofing.aspx

Back to Community Threads

Please leave this box unchecked

6 Replies

Reply to Thread

Tags

Related Knowledge Base Articles