Back to Community Threads
9
Spammers impersonation of users - what should I do
Question asked by Michael Robinson - 2/25/2019 at 7:56 PM
Unanswered
I frequently get nasty threatening emails from hackers that look like I sent an email to myself.

The From is:  michael@mydomain.com  which is me.

The Send To is the same.

Here is my version:  

Any suggestions....


Here is an example of the message header.

Return-Path: <Jessica-Thevenin@usefulblogging.com>
Received: from usefulblogging.com (wimax-cpe-189-208-103-162.gdljal.static.axtel.net [189.208.103.162]) by mail.mydomain.com with SMTP;
   Mon, 25 Feb 2019 07:51:50 -0800
Received: from [58.04.79.74] (helo=[192.168.1.26])
    by relay.risp.gov with esmtpa     envelope from <rolnek@belleriveacresmo.gov>    authenticated with stivfraf@crestoniowa.gov    message id 1gyIXj-0000qs-ra    for michael@mydomain; Mon, 25 Feb 2019 15:34:10 +0100Received: from [28.36.64.60] (helo=[192.168.1.40])
    by relay.capecoralfl.gov with esmtpa     envelope from <tralprat@townofwarren-ri.gov>    authenticated with modshav@daughertytownship-pa.gov    message id 1gyIXj-0000zq-hr    for michael@mydomain.com; Mon, 25 Feb 2019 15:34:10 +0100Mime-Version: 1.0
Message-ID: <qveokutqdxbs-dsjnuny-i@koi--.ovh>
X-priptkoh: swoontglaft
Date: Mon, 25 Feb 2019 18:51:47 +0300
From: "michael" <michael@mydomain.com>
To: "michael" <michael@mydomain.com>
X-mompstoft: jubstral
X-prooskruch: grentber
Subject: accounts kooglost
Content-Transfer-Encoding: base64
X-doofthesp: hegflomp
Content-Type: text/html; charset="utf-8"
X-Organization: munshooss
X-SmarterMail-Spam: Commtouch 30 [value: Confirmed], ISpamAssassin 1 [raw: 0], SPF_PermError, DKIM_None, Custom Rules []
X-SmarterMail-SpamDetail: 0.7 S25R_1
X-CTCH-RefId: str=0001.0A090201.5C740F1F.0059,ss=1,re=0.000,recu=0.000,reip=0.000,pt=R_662990,cl=4,cld=1,fgs=0
X-SmarterMail-TotalSpamWeight: 0 (Trusted Sender - System)

52 Replies

Reply to Thread
1
Linda Pagillo Replied
2/26/2019 at 1:53 PM
Hi Michael. I have seen this a lot lately. As you can see, this message was scored with a zero because the sender's domain is in the Smartermail Trusted Sender's List at the top level...

X-SmarterMail-TotalSpamWeight: 0 (Trusted Sender - System) 

There should be no reason for you to have your own domain or email address in the Trusted Sender's List. I feel that if you would not have had your domain or email address in the TSL, this would have been filtered out as spam. I hope this helps. Thanks!
Linda Pagillo Mail's Best Friend Email: linda.pagillo@mailsbestfriend.com Web: www.mailsbestfriend.com Authorized SmarterTools Reseller Authorized Message Sniffer Reseller
0
Kyle Kerst Replied
2/26/2019 at 4:42 PM
Employee Post
Another possibility on this is that your SMTP protocol settings have not been configured securely. Navigate to Settings>Protocols>SMTP In and verify that both SMTP authentication and "enable domain's SMTP auth setting for local deliveries" are enabled and set. You can also set the "Require Auth Match" to email address, and this will prevent users from sending email from any account other than the one they've authenticated with. Please keep in mind that enabling these settings may cause delivery issues on scanners/printers/websites that have not had SMTP authentication configured on them. 
Kyle Kerst System/Network Administrator SmarterTools Inc. (877) 357-6278 www.smartertools.com
0
Webio Replied
2/27/2019 at 12:15 AM
@Michael Robinson - do you use incoming gateways in your environment?
1
Webio Replied
2/27/2019 at 12:19 AM
@Linda Pagillo - IMHO here problem lies somewhere else. I have ticket opened (two months with multiple replies because of some things that changed between v15 v16 and v17) in SmarterTools for spooffed messages being delivered from remote locations through incoming gateways. In SMTP session is passed different email address as sender than in FROM header in email content. SmarterMail is passing message to main SmarterMail server because sender in SMTP session is remote and when message is delivered to end user he is seeing his email in FROM because FROM field contains his own email address. This message should not even reach SMTP checking because it should be bounced on SMTP connection level while receiving message or after receive and checking both sender in SMTP and FROM in email header inside email message.
0
Steve Norton Replied
2/27/2019 at 3:33 AM
I believe DMARC is the answer here, the "MAIL FROM" (aka senderEmail(2)) address is used to lookup the DMARC policy, you will see the matching entries in the SMTP log with "senderEmail(2): michael@mydomain.com ….."
To protect your domain from being used to Spam anyone you should use DMARC, this can enforce that an email is from a specific set of IP addresses and is correctly signed by the sending domain and if not it can be denied at an early stage in the transfer ('reject' policy).
Ensure 'Settings/Antispam/Options/Options/Enable DMARC policy compliance check' is enabled and with DMARC enabled you would see the following in the STMP log;
[2019.02.25] 07:51:50 [189.208.103.162][22539524] rsp: 550 Message rejected due to senders DMARC policy
[2019.02.25] 07:51:50 [189.208.103.162][22539524] A trace of the DMARC processing follows.
[2019.02.25] 07:51:50 [189.208.103.162][22539524] Beginning DMARC check for michael@mydomain.com from IP 189.208.103.162...
[2019.02.25] 07:51:50 [189.208.103.162][22539524] The from field for the message is ""michael" <michael@mydomain.com>".  Will look for DMARC policy record at _dmarc.mydomain.com
[2019.02.25] 07:51:50 [189.208.103.162][22539524] Retrieved the following DMARC policy record for "mydomain.com": v=DMARC1; p=reject
[2019.02.25] 07:51:50 [189.208.103.162][22539524] DMARC: SPF failure.
[2019.02.25] 07:51:50 [189.208.103.162][22539524] DMARC: Bad DKIM signature.
[2019.02.25] 07:51:50 [189.208.103.162][22539524] Data transfer succeeded but message rejected by DMARC

And to all others who've read this far on... set-up DMARC on your domain and enforce a 'reject' policy.
3
kevind Replied
2/27/2019 at 7:30 AM
Michael,

This has been a long-time issue with SM, but it was fixed in version 16.3.6543 (Nov 30, 2017). See this thread for a lengthy discussion:

If you're running v15, you're SOL.

Since you're on 16.3.6558, Linda's suggestion to remove trusted sender should help because Commtouch is scoring it at 30 and it will go to spam folder. Maybe a good feature request would be to not allow you to trust/whitelist your own domain?

Kevin
1
ScottF Replied
2/27/2019 at 9:11 AM
I did a test with Build 6996 (Feb 26, 2019) and was able to deliver a spoofed message like Michael's. Below is a simple telnet spoof test. Maybe I'm missing a SmarterMail setting?

I tested again with a strict DMARC policy and then the message was blocked by SmarterMail. This is good, but would take some time to set up with a SM server with hundreds of domains. A SM feature to score or block these type of messages would be better.

Spoof Test:
telnet [Your SM Server] 25
EHLO Spoofer.net
MAIL From:<rolnek@belleriveacresmo.gov>
RCPT To:<scott@mySMdomain.com>
DATA
From: "Scott" <scott@mySMdomain.com>
To: "Scott" <scott@mySMdomain.com>
Subject: Test Message Sent From Manual Telnet Session
Date: Wed, 27 Feb 2019 10:50:57 -0500
Testing Testing
.Return.
0
Steve Norton Replied
2/27/2019 at 9:51 AM
The DMARC policy is used to protect your domain globally to prevent your domain being used by Spammers and to prevent your domain from ending up on block lists due to abuse. Hundreds of domains would take some time but once a script has been created to do the first it can be reused for the others. There are ways to get SM to flag these messages but DMARC is the way it should be done, the better configured you mail domain is the less of a target you become to threat actors and DMARC is part of that (they have their own lists of who's easy to target and who's not).
2
Webio Replied
2/27/2019 at 11:18 AM
In shared hosting environment which I'm running this is not possible to make it happen (DMARC) and IMHO in scenario where are used incoming gateways with Web Service User and Domain Verification it should be quite simple to drop connections from spoofed e-mail addresses. Actually in single server scenario too (if some domain is configured locally just drop connection from remote server which tries to deliver message from domain configured locally).
1
Matt Petty Replied
2/27/2019 at 12:10 PM
Employee Post
Webio, without DMARC we can't really know if an email is coming from a spoofed address. To you what is a spoofed address? What are the markers you believe we should look (without using SPF and DKIM) at to determine a session is a bad session that should be terminated. These tools that you can't use unfortunately are the industry standard methods to determine a message has been spoofed. 
Matt Petty Software Developer SmarterTools Inc. (877) 357-6278 www.smartertools.com
0
Steve Norton Replied
2/27/2019 at 12:53 PM
Is there a documented and easy way via the API or the like to setup DKIM at scale?
0
Linda Pagillo Replied
2/27/2019 at 1:05 PM
Hey guys.. I may have shared this with you before, but in case I have not, we put together a write-up for a few customers explaining some of the different types of spoofing and what can be done about it. I hope this is helpful to at least a few of you...

1.) [Real User's Display Name on FROM line (realuser@realdomain.com)]   To prevent spoofing from your own domain setup SPF / DMARC / DKIM on each of your domains using DNS.
 
2.) [Real User's Display Name on FROM line BUT... (spammer@spammerdomain.com)]   To prevent spoofing from another domain is difficult because as in this example how would software know that this is an invalid address?  Below are some solutions:

a.) Add another layer of Security. Message Sniffer will catch most of these but the ones that get through are because Message Sniffer did not have the signature of the spoof. This is the problem with all signature based security products. By adding an additional layer the hope is the second security product will catch the unwanted email. If you were to do this our first suggestion would be CYREN antispam as it is signature less and works on traffic patterns, again it’s an extra layer which helps but the question becomes cost vs return.

b.) We can use Declude to block terms or similar.

c.) User training. At the end of the line the user is the weak part of the chain. To fix this users need to be able to identify fishing attempts. Here are some companies that help with that:

Here is some additional info you can use or share with your customers: 

What’s the difference between Phishing and Spear Phishing?

  • Phishing emails are sent to the general public. They often impersonate a government agency, bank, the IRS, social networking site or store like Amazon.
  • Spear Phishing emails target specific individuals.  They are personalized with facts about you or your business to draw you in.  And they appear to come from a company or person you do business with.  It could come in the form of an email from your CEO.

A Phishing or Spear Phishing Email:

  • Is the one that you didn’t initiate.
  • May contain strange URLs and email addresses.
  • Often uses improper grammar and misspellings.
  • Typically contains attachments that you don’t recognize as legitimate.
  • Contains a link or email address that you don’t recognize.
  • May use language that is urgent or threatening.
  • Phishing and Spear Phishing are popular among cybercriminals because they usually succeed.

10 messages have a better than:

  • 90% chance of getting a click.
  • 8% chance of users clicking on an attachment.
  • 8% chance users will fill out a web form.
  • 18% chance that users will click a malicious link in an email.
  • Even high-level executives get spoofed and share usernames and passwords.

The average cost of a Phishing Scam is $1.6 million. It’s a top security concern for businesses today:

  • 1 in 3 companies are affected.
  • 30% of Phishing emails get opened.
  • Phishing is now the #1 vehicle for ransomware and other forms of malware.

Prevent being a victim of phishing or spear phishing. Here are 8 important things to remember:

1. Stay informed about phishing techniques. Different phishing scams are being sent out every day. Ongoing security awareness training should be a top priority for your organization. 

2. Think before you click a link. Don’t click on links from random emails or text messages. Hover your mouse arrow over a link to see who sent it. Most phishing emails begin with “Dear Customer” so watch out for these. Verify the website’s phone number before placing any calls. Remember, the secure website always starts with “https.”

3. Never divulge personal information requested by email, such as your name or credit card number. Typically, phishing emails will direct you to a web page to enter your financial or personal information. When in doubt, visit the main website of the company in the email, and give them a call.  And, never send sensitive information in an email to anyone. (A secure website always starts with “https”.)

4. Consider installing an anti-phishing toolbar and security tools. Some Internet browsers offer free, anti-phishing toolbars that can run quick checks on the sites you visit. If a malicious site shows up, the toolbar will alert you. They will drastically reduce the chances of hackers and phishers infiltrating your computer or your network.

5. Never download files from suspicious emails or websites. Double check the website URL for legitimacy by typing the actual address into your Web browser. Check the site’s security certificate.  Also, beware of pop-ups as they may be phishing attempts. Your browser settings allow you to block pop-ups, where you can allow them on a case-by-case basis. If one gets through, don’t click on the “cancel” button as this is a ploy to lead you to a phishing site. Click the small “x” in the upper corner of the window, instead.

6. Get into the habit of changing your passwords often. You can also use a password manager like Dashlane or Last Pass that will automatically insert new, hard-to-crack passwords for you.

7. Regularly check your online bank and credit card accounts. To prevent bank phishing and credit card phishing scams, you should personally check your statements regularly. Get monthly statements for your financial accounts and check every entry carefully to ensure no fraudulent transactions have been made without your knowledge.

8. Update your browsers to the latest version. Security patches are released in response to the vulnerabilities that phishers and hackers exploit. Don’t ignore messages to update your browsers, and download the updates as soon as they’re available.
Linda Pagillo Mail's Best Friend Email: linda.pagillo@mailsbestfriend.com Web: www.mailsbestfriend.com Authorized SmarterTools Reseller Authorized Message Sniffer Reseller
2
kevind Replied
2/27/2019 at 1:18 PM
Mail from a local user should not be able to sail through the system with no authentication.  Seems like a simple fix, even for version 15.

If the From address is a local domain on the server, then this must exist in header:
X-SmarterMail-TotalSpamWeight: 0 (Authenticated)
or the From address must match the Return-Path. Otherwise, reject the message.
And as Webio said, DMARC not an option because it requires DNS modifications for hundreds of domains out of our control.
 
Thanks,
Kevin
0
Matt Petty Replied
2/27/2019 at 1:23 PM
Employee Post
@kevind
There are legitimate systems that use different values for return-path and from. So this is not a reliable way to determine spoofed behavior. Bounces, Mailing Lists, and many automated systems use a separate return-path vs from address. As for Authenticated users, you are correct a local user should not be able to sail through the system without authentication. This is why ALL system administrators should be enforcing "Require Auth Match".

If you would like SPF checks to verify the From header instead of the return-path, 16 added a new setting for SPF anti-spam check, "Scan from header instead of Return Path". This will eliminate spoofing behavior from a user's perspective however, this will cause SPF to fail for mailing lists, bounces, and probably many website automated system messages to your users. I would recommend NOT using this setting as it can be too aggressive, for the reasons stated above.
Matt Petty Software Developer SmarterTools Inc. (877) 357-6278 www.smartertools.com
2
kevind Replied
2/27/2019 at 1:29 PM
@Matt, thanks for prompt reply.

Sure, there are reasons messages could have different return-paths (mailing lists, etc.), but messages sent "from" local domains should definitely be treated with extra care to help stop phishing.

If not authenticated, maybe add a score without having to use SPF.  You could whitelist or use SPF to allow certain IPs from mailing lists, etc.  

EDIT: how about displaying a big red banner at top of message that says:
BEWARE: this message has not been authenticated so it might be fake!

There's got to be a way to stop these spoofed messages. Need to protect users because as @Linda clearly showed, phishing is out of control.
0
Linda Pagillo Replied
2/27/2019 at 2:59 PM
A big thanks to Steve Norton for pointing out a mistake in the info I just posted for you guys. I meant to say FROM line, not TO line in my spoofing examples. I have corrected it :)
Linda Pagillo Mail's Best Friend Email: linda.pagillo@mailsbestfriend.com Web: www.mailsbestfriend.com Authorized SmarterTools Reseller Authorized Message Sniffer Reseller
2
Webio Replied
2/28/2019 at 1:31 AM
I'm just saying that messages from remote mail servers should not be delivered if they contain in any place (FROM field inside message header OR/AND in MAIL FROM during SMTP session).

Take a look at v16 release notes from some time ago:

16.3.6543 (Nov 30, 2017)
....
Changed: SMTP and Delivery processes now utilize the From address in email headers if it is provided; provides better spoofing protection.
.... 

So basically when we take a look at @Scott Forsythe example which he provided:

Spoof Test:
telnet [Your SM Server] 25
EHLO Spoofer.net
MAIL From:<rolnek@belleriveacresmo.gov>
RCPT To:<scott@mySMdomain.com>
DATA
From: "Scott" <scott@mySMdomain.com>
To: "Scott" <scott@mySMdomain.com>
Subject: Test Message Sent From Manual Telnet Session
Date: Wed, 27 Feb 2019 10:50:57 -0500
Testing Testing
.Return.
then his spoofed message should not be delivered even without DMARC set up because inside message DATA we see:

From: "Scott" <scott@mySMdomain.com>
and because of mySMdomain.com existance on mail server to which he is connecting:

telnet [Your SM Server] 25
message should not be delivered at all.
1
Matt Petty Replied
2/28/2019 at 1:47 PM
Employee Post
Why should the message not be delivered?

But before you answer that question, let me state what I mentioned above in my response.
"There are legitimate systems that use different values for return-path and from. So this is not a reliable way to determine spoofed behavior. Bounces, Mailing Lists, and many automated systems use a separate return-path vs from address. "

Also side note, SPF would've caught that message and assigned a weight.

EDIT: That release note you mentioned was actually modified to be a setting instead of normal behavior, which I also referenced in my post above.

16.3.6585 (Jan 11, 2018) 
Added: Add an option to disable SPF checking on FROM field in SMTP.

"If you would like SPF checks to verify the From header instead of the return-path, 16 added a new setting for SPF anti-spam check, "Scan from header instead of Return Path". This will eliminate spoofing behavior from a user's perspective however, this will cause SPF to fail for mailing lists, bounces, and probably many website automated system messages to your users. I would recommend NOT using this setting as it can be too aggressive, for the reasons stated above. "

If you read responses both here and in our ticket you would hopefully start seeing answers.
Matt Petty Software Developer SmarterTools Inc. (877) 357-6278 www.smartertools.com
3
Webio Replied
2/28/2019 at 2:40 PM
Maybe I'm seeing this from wrong perspective. Can someone else take voice here?

As a hosting provider for many mailboxes and when I see every day customers asking (sending support tickets) why they received message "your account has been hacked" which webmail shows that this has been sent by themself and I just wanted to point this out and ask why this messages should be delivered.

Now since latest v17 build has fixed SpamAssassin I'm marking this messages as SPAM with very high level and this messages based on message content are ruled out from delivery but still as a system admin I would like to have mail server which does not allow to deliver messages from external mail servers which are sending messages to me with message content showing that they have been sent by me.

I don't see why this can't be blocked before even spam checks since clearly remote server is sending email impersonating that it was sent by my server. But again maybe I'm looking at this from wrong perspective. Can someone else take voice here?
1
Ionel Aurelian Rau Replied
3/1/2019 at 3:08 AM
We too are receiving this exact kind of messages. I see that the SPAM checks are actually working and the mail is receiving a high SPAM score, but in the end everything is reset to 0 due to the fact that the sender is a trusted sender. I think this will talk for itself:

X-SmarterMail-Spam: SPF [SoftFail]: 5, Cyren [Confirmed]: 20, Message Sniffer [code:53]: 13, ISpamAssassin [raw:2] 3, DK [None]: 0, DKIM [None]: 5, Custom Rules [], HostKarma - Blacklist: 7, SORBS - Dynamic IP: 5
X-SmarterMail-SpamDetail: 2.6 DOS_OE_TO_MX Delivered direct to MX with OE headers
X-MessageSniffer-ResultCode: 53
X-SmarterMail-TotalSpamWeight: 0 (Trusted Sender - Contact)
For us, at a spam score of 15 the mail should go to the Junk folder and at 45 it is deleted outright. But in the end this is passed on to the user with no warning due to the sender being trusted. However, this "(Trusted Sender - Contact)" verdict is actually a lie because the sender is not who he pretends to be and SmarterMail already knows it because it ran all the checks. The green "Trusted Sender - Contacts" stamp in WebMail for this message is an outright recipe for disaster. How can we blame a user for believing the scammer?

So, in short, SmarterMail should be smarter and not list as trusted a sender that it has verified to be forged, just because the SPAMmer filled in a field stating that they are trusted. This is just like opening a door for someone, asking and inspecting their ID where it states that their name is John Doe from half around the world, but then he tells you outright that he is in fact yourself and you believe him regardless of his ID and the fact that you are already standing right there.
0
Steve Norton Replied
3/1/2019 at 4:00 AM
If you have paying customers who are logging tickets complaining about these messages then use those tickets to set-up DMARC and get the customers to do their DNS.
DMARC is protection of your (and paying customers) domain from abuse globally and is essential in the fight against threat actors.
Without DMARC your customers can be spammed with email that looks like it came from you.
If you charge for this service you would be 'doing the right thing' to set this up, okay so you have hundreds of domains but just set-up the ones that are currently targeted and update your 'new domain' process to have this set-up at the start. The DNS part could be passed back to the customer if you don't host the DNS.
You will get less Spam overall if you set up domains securely as the Spammers have a list too, set-up DMARC and get the SMTP filtering block as close to 30 as you can. Spammers will reduce the priority of spamming those domains that fight back, there are easier targets.
Put it as a feature on your sales page, it's good value add.
0
Ionel Aurelian Rau Replied
3/1/2019 at 5:13 AM
By the way, we are using DMARC.

It is interesting that these spoofed emails only started through after a recent update, so I guess something changed that allows it to happen. 
1
Webio Replied
3/1/2019 at 5:17 AM
@Steve Norton - you know I have 5k domains, on daily basis some domains get removed, some domains get added and I just can't monitor everything for shared hosting wages. Some customers keep their domain DNS somewhere else. It's really hard to explain customers that they need to add something in some editor in somewhere else managed by someone else.

I've switched SPF control to "Scan from header instead of Return Path"  just like Matt suggested and with this setting spoofed messages have full SPF score.

Also I must agree with @Matt when it comes to message blocking. I don't remember that I had any customer which was sending messages from somewhere else but this might happen and customers have every right to have possibility to send emails from certain domain from multiple SMTP servers and that's why we have SPF record to allow that and without DMARC set up it looks like SPF is only line of defence here (+ other spam checks).
0
Steve Norton Replied
3/1/2019 at 6:56 AM
Sounds like a billing opportunity, a one off payment of $4.99 to configure enhanced Email protection for those who have made it onto the Spammers lists.
I'm sure you've seen that other hosting companies provide DMARC.
I'll have a think about the security concerns switching from the standard SPF checks and let you know if I think of anything. It would be along the lines of sending a message 'on behalf of' and with the settings you now have nothing is checked against senderMail(1) which is where the 'on behalf of' is forged.
1
Matt Petty Replied
3/1/2019 at 7:20 AM
Employee Post
   
    I could see a potential for making the DMARC process easier. I apologize, Webio, my perspective was slightly askew as I thought you were the one dealing with these spoofed addresses, but you are talking about YOUR users getting spoofed. The answer in these two cases still stands, DMARC should be the way to go. Maybe you have some insight on how we could make the DMARC process easier as I see some potential headaches trying to set that up for 100+ domains.
Matt Petty Software Developer SmarterTools Inc. (877) 357-6278 www.smartertools.com
2
kevind Replied
3/1/2019 at 7:51 AM
@Webio -- your comments above are spot on. Keep up the fight.

DMARC is good for when you send messages outside your domain to other mail servers -- they can verify it as authentic.

But when you send messages to yourself, within your own domain, on your own server, DMARC shouldn't be necessary!
0
Matt Petty Replied
3/1/2019 at 7:56 AM
Employee Post
If you are receiving spoofed emails you need to make sure you are using SPF and assigning a weight. I'm not sure if you changed this back to a weight, Webio, but make sure your PermError isn't at 0 still. I guess maybe I'm not seeing something here. Kevind if you could provide a clear example of what you just brought up, I can try to break it down and understand it better. I'm a programmer, feed me some SMTP commands or get technical and maybe that will fire some neurons. I must be missing something here, I'm still adamant that DMARC and SPF can be used to stop both spoofing attempts of your users and SPF can detect spoofing that is being sent to your users. It should work in all cases of spoofing when properly setup. 
Matt Petty Software Developer SmarterTools Inc. (877) 357-6278 www.smartertools.com
3
kevind Replied
3/1/2019 at 8:06 AM
How about as a 1st step -- don't allow the user to add themselves or their domain as a trusted sender...

X-SmarterMail-Spam: SPF [SoftFail]: 5, Cyren [Confirmed]: 20, Message Sniffer [code:53]: 13, ISpamAssassin [raw:2] 3, DK [None]: 0, DKIM [None]: 5, Custom Rules [], HostKarma - Blacklist: 7, SORBS - Dynamic IP: 5
X-SmarterMail-SpamDetail: 2.6 DOS_OE_TO_MX Delivered direct to MX with OE headers
X-MessageSniffer-ResultCode: 53
X-SmarterMail-TotalSpamWeight: 0 (Trusted Sender - Contact)
0
Matt Petty Replied
3/1/2019 at 8:11 AM
Employee Post
What version are you on? SPF failing should have broken the "Trusted" in Trusted sender, it would still have a weight. You should be seeing this "Trusted Sender - Contact, failed SPF".
Matt Petty Software Developer SmarterTools Inc. (877) 357-6278 www.smartertools.com
2
kevind Replied
3/1/2019 at 8:15 AM
Sorry, I just copied @Ionel Aurelian Rau 's code from his post earlier today. Not sure what version.

But it's the same problem in @Michael Robinson 's original post that started this thread -- Trusted Sender.
0
Matt Petty Replied
3/1/2019 at 8:21 AM
Employee Post
Yea we have code that detect SPF or DKIM failing and we don't 0 the spam score on them for trusted sender. The example you just now posted is likely from an older version of SmarterMail. That header looking at just that peice and nothing else would get caught today in modern SM (and 16) and it would say.

X-SmarterMail-TotalSpamWeight: 56 (Trusted Sender - Contact, failed spf)
So that example you linked is not valid anymore.
Matt Petty Software Developer SmarterTools Inc. (877) 357-6278 www.smartertools.com
1
Webio Replied
3/12/2019 at 1:54 AM
I'm wondering does anybody else is getting bounces from spooffed messages like this one:

Delivery has failed to these recipients:

REALEMAILADDRESSHERE

Subject: SOMESPOOFFEDMESSAGE SUBJECT

Remote Server returned: '550 Authentication is required for relay'
This scenario exists in my environment when incoming gateways are being used. I'm not sure how it looks when there is only one SmarterMail instance.

Message is being delivered through incoming gateway with SMTP SPF score 30 + probably some other checks BUT when incoming gateway is connecting to SmarterMail main instance this message is getting bounced because of 550 error. Take a look at SMTP log between incoming gateway and main SmarterMail instance:

2019.03.12 09:52:28.506 [INCOMINGGATEWAYIP][62225841] rsp: 220 MAINSMARTERMAILINSTANCEHOST
2019.03.12 09:52:28.506 [INCOMINGGATEWAYIP][62225841] connected at 2019-03-12 09:52:28
2019.03.12 09:52:28.506 [INCOMINGGATEWAYIP][62225841] Country code: pl
2019.03.12 09:52:28.506 [INCOMINGGATEWAYIP][62225841] IP in whitelist
2019.03.12 09:52:28.521 [INCOMINGGATEWAYIP][62225841] cmd: EHLO INCOMINGGATEWAYHOST
2019.03.12 09:52:28.521 [INCOMINGGATEWAYIP][62225841] rsp: 250-MAINSMARTERMAILINSTANCEHOST Hello [INCOMINGGATEWAYIP]250-SIZE 104857600250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250-DSN250 OK
2019.03.12 09:52:28.537 [INCOMINGGATEWAYIP][62225841] cmd: STARTTLS
2019.03.12 09:52:28.537 [INCOMINGGATEWAYIP][62225841] rsp: 220 Start TLS negotiation
2019.03.12 09:52:28.662 [INCOMINGGATEWAYIP][62225841] cmd: EHLO INCOMINGGATEWAYHOST
2019.03.12 09:52:28.662 [INCOMINGGATEWAYIP][62225841] rsp: 250-MAINSMARTERMAILINSTANCEHOST Hello [INCOMINGGATEWAYIP]250-SIZE 104857600250-AUTH LOGIN CRAM-MD5250-8BITMIME250-DSN250 OK
2019.03.12 09:52:28.724 [INCOMINGGATEWAYIP][62225841] cmd: MAIL FROM:<REALMAILBOXEMAILADDRESSFROMSPOOFFEDMESSAGE> RET=HDRS ENVID=b18727ed-b694-48aa-a015-30e3ab7291a1 SIZE=1039
2019.03.12 09:52:28.724 [INCOMINGGATEWAYIP][62225841] senderEmail(1): REALMAILBOXEMAILADDRESSFROMSPOOFFEDMESSAGE parsed using: <REALMAILBOXEMAILADDRESSFROMSPOOFFEDMESSAGE>
2019.03.12 09:52:28.724 [INCOMINGGATEWAYIP][62225841] rsp: 550 Authentication is required for relay
2019.03.12 09:52:28.724 [INCOMINGGATEWAYIP][62225841] disconnected at 2019-03-12 09:52:28
As you can see here because of message has REALMAILBOXEMAILADDRESSFROMSPOOFFEDMESSAGE in SMTP session main smartermail instance is bouncing this message. This has actually nothing to do with SPAM blocking etc. just simple boucing when remote server is sending email with local existing mailbox user. And now this bounce message is being sent to REALMAILBOXEMAILADDRESSFROMSPOOFFEDMESSAGE existing on local SmarterMail instance which makes users nervous and starting to ask what was that.

Now I'm wondering is anyone else is experiencing this problem too.

Interesting is also that connection from incoming gateway is being blocked and then the same incoming gateway is delivering this bounce again to main SmarterMail instance (so bounce message is not generated on main SmarterMail instance but on incoming gateway and the same incoming gateway in second SMTP session is delivering this bounce to main SmarterMail server)

I'm wondering also about another thing discussed here before. If SmarterMail should allow messages to be delivered with FROM field (in this scenario bounce is being created when "MAIL FROM" during SMTP session contains email addres existing on main SmarterMail instance) to contain mailbox name from local SmarterMail instance and spooffed messages should be rolled out by SPAM filtering like SPF and DMARC then does blocking this message is valid here with "550 Authentication is required for relay" error? In this scenario 550 blocking is totally not related to SPAM settings and SPAM mail score. If main SmarterMail server would allow this message to be delivered then this message would be marked as SPAM and deleted or moved to junk folder according to SPAM score and SPAM settings.
0
Ionel Aurelian Rau Replied
3/12/2019 at 3:11 AM
Hey Matt, my Log excerpt was from the latest build from February (the "current build" at the time of posting), not an older version! 
In previous versions this did not occur (such high spam scores to be ignored with the "trusted sender / contact" note).
2
Jamie Money Replied
3/12/2019 at 9:58 AM
At my organization after taking all the steps we can to make sure real mail spoofing isn't taking place (SPF, DMARC, DKIM) we've resorted to just stripping the "Friendly" display names out of all incoming emails so the real source address is displayed.  (We've had a significant issue with users just seeing the CEO's name and not bothering to investigate any further)

I installed Perl on the server with SmarterMail and am doing a search/replace with Perl regular expressions in a batch file which I call via the Command Line File option in the Spool settings.

Contents of the batch file:
perl.exe -p -i.bak -e "s/(?<=From:)(.*)(?=\n? <.*@.*>)/ /g" %1
del %1.bak
1
Shaun Peet Replied
3/12/2019 at 10:09 AM
How hard would it be to add Jamie's solution into SmarterMail as an option?  Even better, if the "true" sender's domain was the same as the recipient (or it's a trusted sender) then show the friendly name - and if it's from ANY other domain then automatically strip the friendly name from the raw message and thus show the sender's actual email address.
0
Ionel Aurelian Rau Replied
3/18/2019 at 2:26 AM
Hi all, 

Does anyone know if this has been fixed in the latest SM build (7008)? We`ve been waiting to see more feedback before we update, but we`re starting to see more and more of these cases:

X-SmarterMail-Spam: SPF [SoftFail]: 5, Cyren [Confirmed]: 20, Message Sniffer [code:53]: 13, ISpamAssassin [raw:2] 3, DK [None]: 0, DKIM [None]: 5, Custom Rules [], HostKarma - Blacklist: 7, SORBS - Dynamic IP: 5
X-SmarterMail-SpamDetail: 2.6 DOS_OE_TO_MX Delivered direct to MX with OE headers
X-MessageSniffer-ResultCode: 53
X-SmarterMail-TotalSpamWeight: 0 (Trusted Sender - Contact)
Basically, more and more of our users are getting 1-2 of these emails per week and we can see clearly in the logs and by viewing them RAW that the mails are just spoofed, but users are freaking out because in WebMail the sender is clearly themselves, complete with a green "Trusted Sender (Contacts)" text.

This only started occurring after updating to Build 6985. Until then, such a high spam score would not have been ignored just because the email in the sender field is a contact (but SM can see that it`s not coming from that user anyway).

So, is this happening too in the latest build, or is it fixed?
0
Matt Petty Replied
3/18/2019 at 7:08 AM
Employee Post 
SPF [SoftFail] Should be triggering a failure from Trusted Sender, we fixed this I believe sometime last month.
Matt Petty Software Developer SmarterTools Inc. (877) 357-6278 www.smartertools.com
0
Ionel Aurelian Rau Replied
3/18/2019 at 11:30 PM
OK, so we just upgraded to Build 7016 - let`s see if this occurs again.
0
Ionel Aurelian Rau Replied
4/1/2019 at 3:13 AM
So, we`ve stopped receiving these emails for some time after the upgrade, until now - maybe the spammers simply stopped sending them :)

Here is a raw content of one of these emails that we got again in build 7016:

Return-Path: <user@OurDomain.com>
Received: from 202.134.171.200.customer.7starnet.com (202.134.171.200.customer.7starnet.com [202.134.171.200]) by mail.OurDomain.com with SMTP;
   Mon, 1 Apr 2019 12:34:00 +0300
Message-ID: <8C6BE35E9B04D626C149F431AE7C8C6B@59P70QI3JP>
From: <user@OurDomain.com>
To: <user@OurDomain.com>
Subject: Security Alert. Your account was compromissed. Password must be changed.
Date: 1 Apr 2019 18:55:57 +0400
MIME-Version: 1.0
Content-Type: text/plain;
	charset="ibm852"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Live Mail 15.4.3508.1109
X-MimeOLE: Produced By Microsoft MimeOLE V15.4.3508.1109
X-CTCH-RefId: str=0001.0A0C0209.5CA1DB0C.008E,ss=4,re=0.000,recu=0.000,reip=0.000,pt=C_5646,cl=4,cld=1,fgs=12
X-CTCH-AVLevel: Unknown
X-SmarterMail-Spam: SPF [SoftFail]: 5, Barracuda BRBL: 16, CBL ABUSE SEAT: 11, SORBS - Abuse: 8, Cyren [Confirmed]: 20, Message Sniffer [code:53]: 13, ISpamAssassin [raw:11]: 16, DK [None]: 0, DKIM [None]: 5, Custom Rules [], HostKarma - Blacklist: 7, SpamCop: 4, Spamhaus - PBL SpamHaus: 8, UCEProtect Level 1: 4
X-SmarterMail-SpamDetail: 3.0 HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (Split IP)
X-SmarterMail-SpamDetail: 2.8 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP addr 2)
X-SmarterMail-SpamDetail: 0.0 TVD_RCVD_IP
X-SmarterMail-SpamDetail: 3.4 DATE_IN_FUTURE_03_06 Date: is 3 to 6 hours after Received: date
X-SmarterMail-SpamDetail: 0.0 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
X-SmarterMail-SpamDetail: 2.6 RDNS_DYNAMIC Delivered to internal network by host with dynamic-looking rDNS
X-MessageSniffer-ResultCode: 53
X-SmarterMail-TotalSpamWeight: 0 (Trusted Sender - Contact)

Hello!

As you may have noticed, I sent you an email from your account.
This means that I have full access to your device.

I've been watching you for a few months now.
The fact is that you were infected with malware through an adult site that you visited.

If you are not familiar with this, I will explain.
Trojan Virus gives me full access and control over a computer or other device.
This means that I can see everything on your screen, turn on the camera and microphone, but you do not know about it.

I also have access to all your contacts and all your correspondence.

Why your antivirus did not detect malware?
Answer: My malware uses the driver, I update its signatures every 4 hours so that your antivirus is silent.

I made a video showing how you satisfy yourself in the left half of the screen, and in the right half you see the video that you watched.
With one click of the mouse, I can send this video to all your emails and contacts on social networks.
I can also post access to all your e-mail correspondence and messengers that you use.

If you want to prevent this,
transfer the amount of $770 to my bitcoin address (if you do not know how to do this, write to Google: "Buy Bitcoin").

My bitcoin address (BTC Wallet) is: 1JBFFHR8tGiMgYLpnZCVG8n4cSpm591urc

After receiving the payment, I will delete the video and you will never hear me again.
I give you 50 hours (more than 2 days) to pay.
I have a notice reading this letter, and the timer will work when you see this letter.

Filing a complaint somewhere does not make sense because this email cannot be tracked like my bitcoin address.
I do not make any mistakes.

If I find that you have shared this message with someone else, the video will be immediately distributed.

Best regards!
This landed straight in the Inbox with a nice, green text stating "Trusted Sender (Contacts)" confusing the user.

Why do we receive this in the Inbox when SmarterMail itself knows it`s spam?
0
Matt Petty Replied
4/1/2019 at 7:20 AM
Employee Post
Hmm,

The `SPF [SoftFail]` should have been enough for it to fail the trusted sender check. I will try this locally and see the behavior I get.
Matt Petty Software Developer SmarterTools Inc. (877) 357-6278 www.smartertools.com
0
Shaun Peet Replied
4/15/2019 at 10:30 AM
Hi Matt,

Wondering how the testing went?  I just received an email from myself this morning:

Return-Path: <tuhan@me22.net>
Received: from s76.xrea.com (s76.xrea.com [150.95.8.176]) by mail.OurDomain.com with SMTP
    (version=TLS\Tls12    cipher=Aes256 bits=256);   Sun, 14 Apr 2019 21:57:33 -0400
Received: (qmail 40353 invoked by uid 89); 15 Apr 2019 10:50:42 +0900
Received: from unknown (HELO ?133.167.broadband12.iol.cz?) (tuhan@me22.net@90.179.167.133)
  by s76.xrea.com with SMTP; 15 Apr 2019 10:50:42 +0900
Date: Mon, 15 Apr 2019 03:50:41 +0200
To: shaunpeet@OurDomain.com
Content-Type: multipart/related;
 boundary="--_com.android.email_36722975265772"
MIME-Version: 1.0
List-Subscribe: <http://me22.net/mailman/listinfo/hfbutjxfo>;
Message-ID: <eo6vf12-3auk1l-27@me22.net>
Organization: Wsevbynjh
Abuse-Reports-To: <abuse@me22.net>
X-aid: 1158463179
X-CSA-Complaints: whitelist-complaints@me22.net
Subject: shaunpeet
Errors-To: notification+65quq7oe_@me22.net
From: <shaunpeet@OurDomain.com>
X-SmarterMail-Spam: SPF [None]: 0, Cyren [Confirmed]: 30, Message Sniffer [code:53]: 30, ISpamAssassin [raw:3]: 6, DKIM [None]: 0
X-CTCH-RefId: str=0001.0A020212.5CB3E517.000E,ss=1,re=0.000,recu=0.000,reip=0.000,pt=R_669326,cl=4,cld=1,fgs=0
X-MessageSniffer-ResultCode: 53
X-SmarterMail-TotalSpamWeight: 0 (Trusted Sender - System)

The entire body of the message is an inline image letting me know that my account has been hacked from all those adult vids I watch and turning on my camera (which I don't have) blah blah blah.


The Return-Path and the From are not the same.  Could that not be flagged somehow to avoid it being from a trusted sender?

Would really like to figure out how to prevent this going forward.  Thanks!

Shaun
1
Scarab Replied
4/15/2019 at 1:02 PM
We are experiencing the same issue with spoofed FROM: email that does not pass SPF being accepted and delivered due to being a "Trusted Sender" but are bouncing legitimate email that passes SPF with a "550 Authentication Required for Relay". (see https://portal.smartertools.com/community/a91904/sm-incoming-gateway-to-sm-gets-a-550-authentication-required-for-relay.aspx). We installed the latest SM v100 Build 7040 and the problem persists. 

Something seems backwards here.
0
Ionel Aurelian Rau Replied
4/16/2019 at 12:18 AM
Yep, this particular Spoofed messages are all the rage now and users are freaking out :)

Honestly, even if it`s not fixed I would prefer that SmarterMail would remove the green "Trusted Sender (Contacts)" text in WebMail as this is basically the stamp that allows these emails to be that more effective in SM`s WebMail compared to other mail clients.

If we cannot have emails that obviously have a spam score high enough to be deleted altogether stopped being delivered, then please just remove "Trusted Sender (Contacts)" for any and all mails.
0
Matt Petty Replied
4/16/2019 at 7:22 AM
Employee Post
Since most of these seem to be "from yourself". We could treat deliveries as not trusted IF they are from the local user but delivered without an authenticated SMTP session. Since if you were sending yourself email, it wouldn't be coming from an external service and should be an authenticated session. This would atleast plug that hole. 

Another option is instead of rejecting trusted senders on a bad SPF/DKIM check, we could ONLY allow trusted sender if it has a valid (and working) SPF/DKIM check. However, this could cause user's who trust addresses that don't set these up to not be trusted and go through the normal spam process.

I'm just trying to throw some ideas around on how we can fix this. Checking things like the return-path not matching from, could break all sorts of automated systems, mailing lists, notifications, etc.
Matt Petty Software Developer SmarterTools Inc. (877) 357-6278 www.smartertools.com
0
Shaun Peet Replied
4/16/2019 at 7:45 AM
Hi Matt,

I don't think we're suggesting throwing the message out if only the return-path and the from don't match.  I think the simplest solution would be that IF those two don't match AND the message is something that BOTH Cyren and Message Sniffer identified as spam, THEN those wouldn't be overridden by the Trusted Sender setting.  I realize that not everyone has Cyren and Message Sniffer enabled, but the principle is that if the message itself has a very high spam score then it goes into a "suspicious" pile where the straw that breaks the camel's back is the from and return-path not matching.

it is a bit frustrating that in our case we are paying for Cyren and Message Sniffer, and both are doing their job properly, and then they're being ignored.

Personally if we can't get this fixed I'd much rather not get automated / mailing list / notification emails if that's the only way to prevent this :)

Shaun

Edited to add - I like the first option in Matt's reply too.  If that has no downsides I'd vote for that as a quick fix.
0
Ionel Aurelian Rau Replied
4/16/2019 at 8:20 AM
Yes, the first of Matt`s ideas sounds better, even though I would not like a solution that is very specific (i.e. a solution that only applies to yourself as trusted sender but does not apply to other trusted senders). The bottom line is that if the SPAM score is above the medium threshold (not to mention if it`s over the high threshold and it should be deleted anyway) there should be alarms and bells and red colors and stuff all over that message, no matter who it is from.

By the way, is there any situation in which one can receive email sent from himself from a server that is not in his allowed MXes? I mean, if an email is from server Z but I only declare to be sending mails from servers A, B and C - I do not see any situation in which such an email should be allowed though any server, let alone one of your own servers.

And one more thing: a lot of years back when I was first starting to learn about email server administration, SPAM, etc, the first thing I learned was that you should not whitelist your self (not your own IP, not your own email, etc). So, why are our own email addresses in the Trusted Senders list? Just because I`m a contact for myself? Maybe this behavior should be changed. I may have a lot of contacts for people I had some business in the past, but I would not want to get infected with a virus because one of these accounts was hacked and now is sending me SPAM and dangerous attachments and they are all getting through because he got in my list of contacts (especially when all of my filters say that this is definitely SPAM and dangerous).

I have thousands of contacts between my work account and my personal mail accounts - I most certainly do not trust even 10% of these. Over the years I`ve had plenty of suspicious mails from old friends and family that got their accounts hacked - so all in all, I think that contacts most definitely should not equal "Trusted Sender". Maybe Contacts should get like a small SPAM score reduction overall, but not a complete exemption.

I agree that there should be a "Whitelists" section where I can add addresses that I want to receive emails from no matter what. Equating the contacts list to a trusted sender`s list is not fair because for example there is no mention anywhere for users warning them that if you add this person as a contact, then you`ll receive his emails even if they are SPAM or dangerous (not to mention that you can add the contacts or sync them from other devices).

Long story short, I think that 3 things need to change:
  1. Contacts should not equal Trusted Senders
  2. One should not be able to receive email from himself that was sent from a server that does not matches his allowed MXes
  3. Medium and High SPAM scores should raise flags and warnings even for whitelisted / trusted senders. OK, maybe if I do have a whitelist for someone then his email should not be deleted even if his SPAM score racks up 500 points (and my threshold is 45) - but some warning should be shown for him too.
0
Webio Replied
4/18/2019 at 2:26 AM
I'm struggling with the same issue like @Scarab. This scenario is probably only occuring in SmarterMail using gateways.

Bottom line I've started to mark spam certain spoofed spam messages with very high score which deletes them on incoming gateways but of course different messages are coming in like this one:

Delivery has failed to these recipients:

MY EMAIL ADDRESS

Subject: Frauders known your old passwords. Access data must be changed.

Remote Server returned: '550 Authentication is required for relay' 

I even stopped to discuss with SM support which suggested me for this type of bounce messages:

I suggest adding the backscatter RBLs in all SM locations as this should help better categorize this spam. If you gateways are configured to Pass score to SmarterMail these spam checks will not be doubled up. Lastly, this is standard backscatter spam and is a very common behavior. The recommended solution is to implement the backscatter RBLs.

Can someone maybe explain to me how backscatterer can help me here if bounces are being passed between my main SmarterMail instance to SmarterMail gateway which delivers this message back to spoofed user real mail account back on main SmarterMail instance. My gateways and main SmarterMail servers are not listed on backscatter list so how this can help in this particular scenario.

My suggestion was:

So all communication is between main SmarterMail server and incoming gateway and IMHO just like I've suggested this kind of bounces could be probably resolved by disabling "enable remote bounces" on main SmarterMail server but this would kill also other bounces like mailbox size exceeded and it would be great to just disable one type of remote bounce which is "550 Authentication is required for relay" and keep others. 
0
Ionel Aurelian Rau Replied
4/22/2019 at 12:12 AM
These keep on coming, but now in Chinese:

你好!
 
 您可能已经注意到,我从您的帐户发送了一封电子邮件。
 这意味着我可以完全访问您的设备。
 
 我已经看了好几个月了。
 事实是,您通过您访问过的成人网站感染了恶意软件。
 
 如果您对此不熟悉,我会解释。
 我创建了高质量的间谍软件。 它允许我获得对您设备的完全访问权限和控制权。
 这意味着我可以在屏幕上看到所有内容,打开相机和麦克风,但您不知道。
 
 我也可以访问您的所有联系人和所有通信。
 
 为什么您的防病毒软件没有检测到恶意软件?
 回答::我的恶意软件使用驱动程序,我每4小时更新一次签名,以便您的防病毒软件无声。
 
 我制作了一个视频,展示了你如何在屏幕的左半部分让自己满意,在右半部分,你会看到你观看的视频。
 一键! 您在电子邮件和社交网络中的所有联系人都将收到此视频! 你的生活将永远改变!
 我还可以发布您使用的所有电子邮件通信和信使的访问权限。
 
 如果你想阻止这个ʌ
 将342美元的金额转入我的比特币地址(如果您不知道如何做到这一点,请写信给Google:“购买比特币”)。
 
 我的比特币地址(BTC钱包)是:1DjuN5PM9VLXCeqYrb9nxzpQ8rb2hXZiEt
 
 收到付款后,我将删除该视频,您将永远不会再听到我的声音。
 我给你50个小时(超过2天)付款。
 我收到了这封信的通知,当你看到这封信时,计时器会起作用。
 
 在某处提交投诉没有意义,因为无法像我的比特币地址那样跟踪此电子邮件。
 我没有犯任何错误。
 
 如果我发现您与其他人分享了此消息,则视频将立即分发。
 
 祝你好运,再见!

And here is the header for the above message:
Return-Path: <MyEmail@MyDomain.com>
Received: from 188.147.40.88.nat.umts.dynamic.t-mobile.pl (188.147.40.88.nat.umts.dynamic.t-mobile.pl [188.147.40.88]) by mail.MyDomain.com with SMTP;
   Fri, 19 Apr 2019 23:53:54 +0300
Message-ID: <10DE348FDCFA6567A943F8AB8D1210DE@J23A7B4KFE>
From: <MyEmail@MyDomain.com>
To: <MyEmail@MyDomain.com>
Subject: =?utf-8?B?5a6J5YWo6YCa55+l44CCIOacieS6uuWPr+S7peiuv+mXruaCqOeahOaWh+S7tuOAgg==?=
Date: 19 Apr 2019 23:38:52 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_003B_01D4F702.06759A4E"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5931
X-CTCH-RefId: str=0001.0A0C020A.5CBA3568.0058,ss=4,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=0
X-CTCH-AVLevel: Unknown
X-SmarterMail-Spam: SPF [SoftFail]: 5, Barracuda BRBL: 16, Cyren [Confirmed]: 20, Message Sniffer [code:53]: 13, ISpamAssassin [raw:13]: 19, DK [None]: 0, DKIM [None]: 5, , SORBS - Dynamic IP: 5, Spamhaus - PBL SpamHaus: 8
X-SmarterMail-SpamDetail: 3.0 HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (Split IP)
X-SmarterMail-SpamDetail: 2.8 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP addr 2)
X-SmarterMail-SpamDetail: 0.0 TVD_RCVD_IP
X-SmarterMail-SpamDetail: 2.8 MPART_ALT_DIFF_COUNT HTML and text parts are different
X-SmarterMail-SpamDetail: 0.0 HTML_MESSAGE HTML included in message
X-SmarterMail-SpamDetail: 0.0 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
X-SmarterMail-SpamDetail: 0.0 TVD_SPACE_RATIO
X-SmarterMail-SpamDetail: 2.6 RDNS_DYNAMIC Delivered to internal network by host with dynamic-looking rDNS
X-SmarterMail-SpamDetail: 2.6 DOS_OE_TO_MX Delivered direct to MX with OE headers
X-MessageSniffer-ResultCode: 53
X-SmarterMail-TotalSpamWeight: 0 (Trusted Sender - Contact)
Again: my "High Spam" threshold is 45 points and the action is "DELETE"

Is this investigated in any way? This behavior should simply not happen - there are so many filters triggered and so many red flags..
0
Matt Petty Replied
4/22/2019 at 7:31 AM
Employee Post
@Ionel, what version are you? I'm checking our change history and on 2-12 we put in a fix for "SPF [SOFTFAIL]" Not triggering a trusted sender failure, however, based on what I'm seeing in the email above it does not count it as a fail.
Matt Petty Software Developer SmarterTools Inc. (877) 357-6278 www.smartertools.com
0
Ionel Aurelian Rau Replied
4/22/2019 at 7:34 AM
I`m on Build 7040 (Apr 11, 2019) 
1
Matt Petty Replied
4/22/2019 at 7:49 AM
Employee Post
Hello,

I investigated this a bit further and we have a fix for in our next release for SPF failures not triggering the Trusted Sender failures. @Ionel, I sent you a custom build with the fix. We are tentatively scheduling a release for end of week. If anyone else would like this custom build with this fix, DM me via Community (click my name)
Matt Petty Software Developer SmarterTools Inc. (877) 357-6278 www.smartertools.com
0
Ionel Aurelian Rau Replied
4/22/2019 at 11:50 PM
Thanks Matt, I got your message. We`ll give the custom build a try in our next maintenance window.
Back to Community Threads

Reply to Thread

Related Knowledge Base Articles

Messages from Trusted Senders are going to my Junk folderSmarterMail > Troubleshooting
Find a Compromised AccountSmarterMail > Troubleshooting
554 Error - MTA Poor Reputation FixesSmarterMail > Troubleshooting
Recommended SPAM SettingsSmarterMail > Antispam and Antivirus
My spool is full of pending messages. What do I do?SmarterMail > Troubleshooting