1
flurry of "FedEx delivery" spam; how to configure local.cf to block?
Question asked by Eric Bourland - November 5, 2016 at 8:55 AM
Answered
SmarterMail 15.3

Hi friends. Is anyone else getting bombarded with fake "FedEx delivery problems" messages, with a ZIP file attached to each message? No doubt the ZIP file contains a bad payload.
 
I use SpamAssassin, and I would like to configure local.cf to block this spam. Does anyone have a suggestion on lines I might add to local.cf to do so?

Thank you for your help. Here's a header from one of the offending messages:
 
Return-Path: <pcsmaumee@p3plcpnl0243.prod.phx3.secureserver.net>
Received: from p3nlsmtpcp01-02.prod.phx3.secureserver.net (p3nlsmtpcp01-02.prod.phx3.secureserver.net [184.168.200.140]) by tarsier.viviotech.net with SMTP
	(version=TLS\Tls12
	cipher=Aes256 bits=256);
   Sat, 5 Nov 2016 10:58:44 -0400
Received: from p3plcpnl0243.prod.phx3.secureserver.net ([50.62.161.9])
	by : HOSTING RELAY : with SMTP
	id 32OrcjbrPgB4q32OrcnOGo; Sat, 05 Nov 2016 07:56:53 -0700
Received: from pcsmaumee by p3plcpnl0243.prod.phx3.secureserver.net with local (Exim 4.87)
	(envelope-from <pcsmaumee@p3plcpnl0243.prod.phx3.secureserver.net>)
	id 1c32Or-0005ym-MJ
	for postmaster@careplanners.net; Sat, 05 Nov 2016 07:56:53 -0700
To: postmaster@careplanners.net
Subject: Problems with item delivery, n.000289623
X-PHP-Script: partnersforcleanstreams.org/post.php for 186.202.161.18
X-PHP-Filename: /home/pcsmaumee/public_html/post.php
Date: Sat, 5 Nov 2016 14:56:53 +0000
From: "FedEx International MailService" <bobby.burns@partnersforcleanstreams.org>
Reply-To: "FedEx International MailService" <bobby.burns@partnersforcleanstreams.org>
Message-ID: <cb188a880f2a151030ffb7c70692020c@partnersforcleanstreams.org>
X-Priority: 3
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="b1_af728e2a1a984c8268adddaff5435d18"
Content-Transfer-Encoding: 8bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - p3plcpnl0243.prod.phx3.secureserver.net
X-AntiAbuse: Original Domain - careplanners.net
X-AntiAbuse: Originator/Caller UID/GID - [443660 956] / [47 12]
X-AntiAbuse: Sender Address Domain - p3plcpnl0243.prod.phx3.secureserver.net
X-Get-Message-Sender-Via: p3plcpnl0243.prod.phx3.secureserver.net: authenticated_id: pcsmaumee/from_h
X-Authenticated-Sender: p3plcpnl0243.prod.phx3.secureserver.net: bobby.burns@partnersforcleanstreams.org
X-Source: 
X-Source-Args: /usr/sbin/proxyexec -q -d -s /var/lib/proxyexec/cagefs.sock/socket /bin/cagefs.server
X-Source-Dir: partnersforcleanstreams.org:/public_html
X-CMAE-Envelope: MS4wfOEcg92uj7Jc4WPPpF02JMa/R5QGjJb0bjYrSLJ3U0UykyjTeXfR5lqXKiPYeJJyCJfZbXSH0naESKv5OZKELQULKWXeBy/6PoKocoFmHidqtbxDoirl
 jewVKq84pw7RaZLJCN28lnTnGaRbzNpzovyLK9puBew71sxE1alGMzqP6ZtGF8h57PYwDep4F8trSNSTHaome7rhP2flwppCYESLIGTSMOW4feaE/hGz2eXu
 7TYX1lsIy8SLWiANVS4rFA==
X-SmarterMail-Spam: SPF_None, ISpamAssassin 1 [raw: 0], SpamAssassin 1 [raw: 0], DK_None, DKIM_None
X-SmarterMail-SpamDetail: 0.7 S25R_1 S25R: Bottom of rDNS has num, non-num, num
X-SmarterMail-SpamDetail: Content analysis details:   (0.5 points, 5.0 required)
X-SmarterMail-SpamDetail: pts rule name              description
X-SmarterMail-SpamDetail: ---- ---------------------- --------------------------------------------------
X-SmarterMail-SpamDetail: 0.5 RCVD_IN_SORBS_SPAM     RBL: SORBS: sender is a spam source
X-SmarterMail-SpamDetail: [184.168.200.140 listed in dnsbl.sorbs.net]
X-SmarterMail-SpamDetail: 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
X-SmarterMail-SpamDetail: domains are different
X-SmarterMail-TotalSpamWeight: 2

4 Replies

0
Linda Pagillo Replied
November 13, 2016 at 8:06 PM
Hi Eric. Can you please post a few more example headers? Feel free to send them to me directly if you don't want to post them here. I will review them and post the answer to your question here.
Linda Pagillo
Mail's Best Friend
Email: linda.pagillo@mailsbestfriend.com
Web: www.mailsbestfriend.com
0
Hemen Shah Replied
November 15, 2016 at 7:00 AM
@Eric,
 
I just recollected the same thing from a few days back with one of my customers. I was called only to clean the infection, but this is the same mail that caused it. I am pasting the header below; it has the same pattern and in fact originates from the same network as seen in your header too. This mail contains a JS script which on execution encrypts all the files; basically this is a ransomware infection by the name of Nemucod, and then you are left with paying something to decrypt all the files. But there is a solution to this without any worry; if you are infected and need support, let me know.
 
Return-Path: <pghmarines1775@p3plcpnl0454.prod.phx3.secureserver.net>
Received: from p3nlsmtpcp01-01.prod.phx3.secureserver.net (p3nlsmtpcp01-01.prod.phx3.secureserver.net [184.168.200.138]) by mailserver.abc.com with SMTP
    (version=TLS\Tls12
    cipher=Aes256 bits=256);
   Mon, 7 Nov 2016 19:51:16 -0500
Received: from p3plcpnl0454.prod.phx3.secureserver.net ([50.62.161.221])
    by : HOSTING RELAY : with SMTP
    id 3uTXcf5XAxfCP3uTXczXOo; Mon, 07 Nov 2016 17:41:19 -0700
Received: from pghmarines1775 by p3plcpnl0454.prod.phx3.secureserver.net with local (Exim 4.87)
    (envelope-from <pghmarines1775@p3plcpnl0454.prod.phx3.secureserver.net>)
    id 1c3uTX-0005WR-AJ
    for customer@abc.com; Mon, 07 Nov 2016 17:41:19 -0700
To: customer@abc.com
Subject: Problem with parcel shipping, ID:00000750279
X-PHP-Script: steelcitymarines.org/post.php for 5.135.140.187
Date: Tue, 8 Nov 2016 00:41:19 +0000
From: "FedEx International MailService" <javier.crane@steelcitymarines.org>
Reply-To: "FedEx International MailService" <javier.crane@steelcitymarines.org>
Message-ID: <bd49462df9474e0d5da038592f168614@steelcitymarines.org>
X-Priority: 3
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="b1_8b8377533da5b31e6da35435711ee4df"
Content-Transfer-Encoding: 8bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - p3plcpnl0454.prod.phx3.secureserver.net
X-AntiAbuse: Original Domain - abc.com
X-AntiAbuse: Originator/Caller UID/GID - [557186 956] / [47 12]
X-AntiAbuse: Sender Address Domain - p3plcpnl0454.prod.phx3.secureserver.net
X-Get-Message-Sender-Via: p3plcpnl0454.prod.phx3.secureserver.net: authenticated_id: pghmarines1775/from_h
X-Authenticated-Sender: p3plcpnl0454.prod.phx3.secureserver.net: javier.crane@steelcitymarines.org
X-Source: 
X-Source-Args: /usr/sbin/proxyexec -q -d -s /var/lib/proxyexec/cagefs.sock/socket /bin/cagefs.server 
X-Source-Dir: steelcitymarines.org:/public_html
X-CMAE-Envelope: MS4wfPtH+wHDwt2XAxZgY7wSQsRaRH0IjIPFOVHq6MEMaVDmZexnunrrMd5AoIjCbOEHB8qHi9Xs5eFvjaWAYBa4ECLhZDdvcnEKl/r7p7RwyWAimJWXyG72
 S1XAw7kn3rv54rOmK3G69UPuXvWQORPUKeN5iMziwUCEIrh6TpCxk1RNxicwVYeTR0BvFYUHWHGCIxTENyRwMDW32k3bbU1HSoBPZUYvpgcT57utRvh64ckJ
 VnCYUBcwNv7Cmfc/5mSTKQ==
X-Declude-Sender: pghmarines1775@p3plcpnl0454.prod.phx3.secureserver.net [184.168.200.138]
X-Declude-Spoolname: 3175836383.eml
X-Declude-RefID: 
X-Declude-Note: Scanned by Declude 4.12.11
X-Declude-Scan: Incoming Score [5] at 19:51:49 on 07 Nov 2016
X-Declude-Tests: MAILSPIKE-H2 [-2], SORBS-RECENT [3], UBL [4], FROMNOMATCH [2], HAM-INDICATOR [-2]
X-Country-Chain: UNITED STATES->destination
X-Declude-Code: e
X-HELO: p3nlsmtpcp01-01.prod.phx3.secureserver.net
X-Identity: 184.168.200.138 | p3nlsmtpcp01-01.prod.phx3.secureserver.net | p3plcpnl0454.prod.phx3.secureserver.net
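Hemen's point is that the harm is in the ZIP's contents, not in the headers: the archive carries a .js file that runs when the user double-clicks it. As an added example (not code from the thread, and not a detector for any particular malware family), here is a Python scanner that walks a message's MIME tree, opens every ZIP attachment in memory and reports members whose extension Windows will execute on a double-click. The sample message it builds is constructed here: the attachment and member names are invented, and the "script" inside the archive is a harmless comment.

```python
"""Flag ZIP attachments that carry script files, the delivery pattern Hemen describes.

Added example, not code from the thread. It does not identify any particular malware
family; it reports archives whose members have extensions Windows will run on a
double-click, which is the property that makes the ZIP-with-.js lure dangerous.
"""
import email
import io
import posixpath
import zipfile
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Extensions handled by wscript/cscript, mshta, cmd or the PE loader when double-clicked.
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta", ".exe", ".scr", ".cmd", ".bat"}
ZIP_TYPES = {"application/zip", "application/x-zip-compressed"}


def suspicious_zip_members(zip_bytes):
    """Return member names with a script/executable extension.

    Member names are stored in the clear even in password-protected archives, so the
    listing works without a password. An archive that cannot be read at all is
    reported rather than silently ignored (fail closed).
    """
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]
    return [n for n in names if posixpath.splitext(n.lower())[1] in SCRIPT_EXTS]


def scan_message(raw_bytes):
    """Walk the MIME tree; return [(attachment filename, [flagged members])]."""
    msg = email.message_from_bytes(raw_bytes)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename() or ""
        is_zip = filename.lower().endswith(".zip") or part.get_content_type() in ZIP_TYPES
        if not is_zip:
            continue
        payload = part.get_payload(decode=True) or b""  # base64 transfer encoding undone here
        flagged = suspicious_zip_members(payload)
        if flagged:
            findings.append((filename, flagged))
    return findings


def build_sample(member_name, attachment_name="Delivery_Notice.zip"):
    """Construct a lure-shaped message in memory (names invented; the 'script' is a comment)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, "// harmless placeholder, not an actual payload\n")
    msg = MIMEMultipart("mixed")
    msg["From"] = '"FedEx International MailService" <javier.crane@steelcitymarines.org>'
    msg["To"] = "customer@abc.com"
    msg["Subject"] = "Problem with parcel shipping, ID:00000750279"
    msg.attach(MIMEText("Your parcel could not be delivered. See the attached notice."))
    attachment = MIMEApplication(buf.getvalue(), "zip")
    attachment.add_header("Content-Disposition", "attachment", filename=attachment_name)
    msg.attach(attachment)
    return msg.as_bytes()


if __name__ == "__main__":
    for member in ("Delivery_Notice_000750279.js", "invoice.pdf"):
        print(member, "->", scan_message(build_sample(member)))
```

The check is deliberately extension-based: it does not try to recognise Nemucod or any other family, so it also catches the next campaign that swaps the lure text but keeps shipping a script in a ZIP. An archive the scanner cannot open (corrupt, or a non-ZIP blob named .zip) is reported as unreadable instead of being passed through, since that is exactly the case an attacker would want ignored.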
 
0
Linda Pagillo Replied
November 16, 2016 at 9:32 PM
Eric, try these in your local.cf file...
 
# Subject lines used by this campaign
header FEDEX_SPAM_SUBJECT    Subject =~ /(Problems with item delivery|Problem with parcel shipping)/i
describe FEDEX_SPAM_SUBJECT  Subject consistent with FedEx spam
score FEDEX_SPAM_SUBJECT     3.0
 
# Display names used in the From header (dots escaped so they match literally)
header FEDEX_SPAM_FROM    From =~ /(FedEx International MailService|FedEx 2Day A\.M\.)/i
describe FEDEX_SPAM_FROM  From consistent with FedEx spam
score FEDEX_SPAM_FROM     3.0
 
Hemen, you can create a filter in Declude to filter these out. Here are the instructions...

1.) Open a new Notepad doc.
2.) Add the following line: HEADERS   10   CONTAINS      FedEx International MailService
3.) Save the file to your Declude\Filters folder as FEDEX-SPAM.txt
4.) Open your global.cfg and add the following line in the filters section:
 
FEDEX-SPAM        filter    [PATH]\Declude\filters\FEDEX-SPAM.txt        x    0    0
 
5.) Be sure to change [PATH] to the path of your Filters directory.
 
If you simply would like to delete these spam messages instead of adding 10 points to them, you should use the following filter line instead of the one I gave you in Step 2...
 
HEADERS   0   CONTAINS      FedEx International MailService
 
Then you would add the line to your global.cfg as stated in Step 4 and then you would open your $default$.junkmail file and add the following:
 
FEDEX-SPAM    DELETE
 
I hope these things help you guys. Take care :)
Linda Pagillo
Mail's Best Friend
Email: linda.pagillo@mailsbestfriend.com
Web: www.mailsbestfriend.com
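To see what Linda's rules actually do against Eric's message, here is an added example (not code from the thread, and not SpamAssassin itself): a small Python evaluator that parses the `header`, `mimeheader`, `describe` and `score` lines of a local.cf fragment and scores a message with them. The fragment contains Linda's two rules, with the dots in "A.M." escaped so they match literally, plus a hypothetical `FEDEX_ZIP_ATTACH` mimeheader rule for the ZIP attachment Eric mentions; that third rule, its score, the attachment filename and the message bodies are assumptions made here. Only this small subset of SpamAssassin rule syntax is handled.

```python
"""Minimal evaluator for SpamAssassin-style header rules in a local.cf fragment.

Added example: it covers only 'header' / 'mimeheader' rules of the form
Header-Name =~ /regex/flags, plus 'describe' and 'score'. Real SpamAssassin also
supports :addr/:name modifiers, the ALL pseudo-header, eval: tests, meta rules and
more; none of that is handled here.
"""
import email
import re

# Constructed local.cf fragment. The first two rules are Linda's (with the dots in
# "A.M." escaped so they match literally); FEDEX_ZIP_ATTACH is a hypothetical extra
# rule for the ZIP attachment Eric mentions, not something posted in the thread.
LOCAL_CF = r"""
header   FEDEX_SPAM_SUBJECT  Subject =~ /(Problems with item delivery|Problem with parcel shipping)/i
describe FEDEX_SPAM_SUBJECT  Subject consistent with FedEx spam
score    FEDEX_SPAM_SUBJECT  3.0

header   FEDEX_SPAM_FROM     From =~ /(FedEx International MailService|FedEx 2Day A\.M\.)/i
describe FEDEX_SPAM_FROM     From consistent with FedEx spam
score    FEDEX_SPAM_FROM     3.0

mimeheader FEDEX_ZIP_ATTACH  Content-Type =~ /name=.*\.zip/i
describe   FEDEX_ZIP_ATTACH  ZIP attachment (hypothetical rule, not from the thread)
score      FEDEX_ZIP_ATTACH  2.0
"""

# Constructed message: Subject/From/To/Return-Path taken from Eric's sample headers,
# body and attachment invented. The base64 blob is a placeholder, not a real archive.
RAW_FEDEX = """Return-Path: <pcsmaumee@p3plcpnl0243.prod.phx3.secureserver.net>
To: postmaster@careplanners.net
Subject: Problems with item delivery, n.000289623
From: "FedEx International MailService" <bobby.burns@partnersforcleanstreams.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Your item could not be delivered. Please print the attached label.
--b1
Content-Type: application/zip; name="Delivery_Notice.zip"
Content-Disposition: attachment; filename="Delivery_Notice.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed benign message for a negative check.
RAW_BENIGN = """From: "Alice Example" <alice@example.com>
To: postmaster@careplanners.net
Subject: Lunch on Friday?
Content-Type: text/plain; charset=us-ascii

Are you free on Friday?
"""

# header|mimeheader  NAME  Header-Name =~ /pattern/flags   (pattern must not contain '/')
RULE_RE = re.compile(r"^(header|mimeheader)\s+(\S+)\s+(\S+)\s+=~\s+/(.*)/([a-z]*)$")


def parse_local_cf(text):
    """Return {rule_name: {'kind', 'header', 'regex', 'score', 'describe'}}."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m:
            kind, name, hdr, pattern, flags = m.groups()
            entry = rules.setdefault(name, {"score": 1.0, "describe": ""})  # SA default score
            entry.update(kind=kind, header=hdr,
                         regex=re.compile(pattern, re.I if "i" in flags else 0))
            continue
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] in ("describe", "score"):
            entry = rules.setdefault(parts[1], {"score": 1.0, "describe": ""})
            entry[parts[0]] = float(parts[2]) if parts[0] == "score" else parts[2]
    return rules


def evaluate(rules, raw_message):
    """Apply the rules to one RFC 5322 message; return ({rule: score}, total)."""
    msg = email.message_from_string(raw_message)
    hits = {}
    for name, rule in rules.items():
        if "regex" not in rule:          # describe/score without a matching header line
            continue
        if rule["kind"] == "header":     # top-level headers only; lookup is case-insensitive
            values = msg.get_all(rule["header"]) or []
        else:                            # mimeheader: headers of every MIME part
            values = [v for part in msg.walk()
                      for v in (part.get_all(rule["header"]) or [])]
        if any(rule["regex"].search(v) for v in values):
            hits[name] = rule["score"]
    return hits, sum(hits.values())


if __name__ == "__main__":
    parsed = parse_local_cf(LOCAL_CF)
    for label, raw in (("fedex", RAW_FEDEX), ("benign", RAW_BENIGN)):
        hits, total = evaluate(parsed, raw)
        print(f"{label}: {total:.1f} points {hits}")
```

With both of Linda's 3.0 rules firing the message scores 6.0, which already clears the "5.0 required" threshold visible in Eric's X-SmarterMail-SpamDetail header; the attachment rule adds margin for variants that change the subject or display name. SpamAssassin matches header names case-insensitively, so Linda's `FROM` works as written, but `From` is the conventional spelling. Regexes in `header` rules are Perl patterns, so an unescaped `.` matches any character; escaping it costs nothing and keeps the rule from matching more than intended.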
1
Bruce Barnes Replied
December 14, 2016 at 9:26 AM
See: https://portal.chicagonettech.com/kb/a171/smartermail-antispam-settings-document.aspx And don't intermix with any other antispam programs or settings. New version to be posted upon release, and review, of SmarterMail 16.X
Bruce Barnes
ChicagoNetTech Inc

Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
