Some sort of trusted sender bug? Spammers getting spam through suddenly.
Question asked by W. T. Leaver - 9/21/2015 at 11:08 AM
In the past few days I've noticed a bunch of spam suddenly slipping through the filters. The common denominator is that they're all being sent to my feedback loop address which is fbl@<mydomain>.com (SLD removed for privacy).
All of the spam slipping through contains this header:
X-Rcpt-To: <fbl@<mydomain>.com>
Similar spam without that header is filtered.
(How they got that email address is beyond me--it has only been used when signing up for an AOL feedback loop and maybe Microsoft's JMRP.)
Additionally SmarterMail is deeming this a trusted sender issue:
X-SmarterMail-TotalSpamWeight: 0 (Trusted Sender - User)
fbl@<mydomain>.com is an alias, not a mailbox. fbl@<mydomain>.com is NOT listed in my trusted sender list. Nor is any email address throughout the header. (Including staff@hotmail.com which is what SmarterMail is seeing as the sender.)
I'm at a loss to understand how this is happening. It just started late last week.
Here is the header and detail from the smtp/delivery logs:
Return-Path: <staff@hotmail.com>
Received: from BAY004-OMC4S22.hotmail.com (bay004-omc4s22.hotmail.com []) by mail.<mydomain>.com with SMTP;
   Mon, 21 Sep 2015 12:45:39 -0500
Received: from BAY0-XMR-025.phx.gbl ([]) by BAY004-OMC4S22.hotmail.com with Microsoft SMTPSVC(7.5.7601.23008);
     Mon, 21 Sep 2015 10:45:48 -0700
Received: from mail pickup service by BAY0-XMR-025.phx.gbl with Microsoft SMTPSVC;
     Mon, 21 Sep 2015 10:45:48 -0700
X-HmXmrOriginalRecipient: flavia1894@hotmail.com
X-Message-Guid: 8aac505b-6085-11e5-9144-6c3be5a7db75
x-store-info: qAUQJzZ73IJCLUJ+0n7ZQ5yN3wd9gk1Jrrlyy6foO00=
Authentication-Results: hotmail.com; spf=pass (sender IP is smtp.mailfrom=hg@yjohn.hexaezone.com; dkim=none header.d=1und1.de; dkim=permerror header.d=yjohn.hexaezone.com; x-hmca=pass header.id=name@yjohn.hexaezone.com
X-SID-PRA: name@yjohn.hexaezone.com
X-SID-Result: PASS
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MztHRD0zO1NDTD03
X-Message-Info: v3e34AVpXcVyWCi2vud6It4sW74ZFGnnZzFUfaxms6e1h4WsOvSZZt20Mzc69zZwmsaN3vLfjTs4yDXBqa6MN9K3e/QYRAys0NkKjH6KynWfMSSEmD06nim0OpXikk8/TM7356wrN/133yJ0Kohc5HkWaQYg8aZEVWRVVCkhgfnsYCV6xnTji6nwKueVYpZhFor2gg2n6B2CUcT+lH7F5xw6YLeCqjHdeFnXJifj8r0=
Received: from yjohn.hexaezone.com ([]) by BLU004-MC1F33.hotmail.com with Microsoft SMTPSVC(7.5.7601.23143);
     Mon, 21 Sep 2015 10:24:04 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=SELECTOR1; d=yjohn.hexaezone.com;
 h=Subject:From:Mime-Version:List-Unsubscribe:Sender:Content-Type:To:Message-ID; i=name@yjohn.hexaezone.com;
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=SELECTOR1; d=yjohn.hexaezone.com;
Received: from localhost ( by yjohn.hexaezone.com id h00uj416lt0n for <flavia1894@hotmail.com>; Mon, 21 Sep 2015 13:24:01 -0400 (envelope-from <hg@yjohn.hexaezone.com>)
Subject: flavia1894: =?UTF-8?B?R2V0IHRoZSBmYWN0cyBhYm91dCBzZWxsaW5nIHlvdXIgVGltZXNoYXJlLg==?=
From: =?UTF-8?B?SGVscCBTZWxsIE15IFRpbWVzaGFyZQ==?= <info@1und1.de>
List-Unsubscribe: <>
Sender: "flavia1894"  <name@yjohn.hexaezone.com>
Content-Type: text/html
To: flavia1894@hotmail.com
Message-ID: <SNT004-mzvfrjeq8ux2ycv@SNT004-MC2F13.hotmail.com>
X-SG-EID: cKpNRtVuzoy5iSQmZs0sHFAykSKGT77AKaNgk3O0i2Uu6DPR2oyOD5FjkVMksJi3slSQ4Mq8KahzSz
X-SG-ID: SolyLoj4M+6t0KZQOavh+EhAg7mxK0+8s5Pxt8+oPW2ehcXKfVsMPwsv7au/gjffgQkNDl8m5u5rep
Return-Path: hg@yjohn.hexaezone.com
X-OriginalArrivalTime: 21 Sep 2015 17:24:04.0413 (UTC) FILETIME=[505896D0:01D0F492]
Date: 21 Sep 2015 10:24:04 -0700
X-MessageSniffer-Identifier: e:\SmarterMail\Spool\proc\work\81457577.eml
X-GBUdb-Analysis: 0,, Ugly c=0.071429 p=0 Source Normal
X-MessageSniffer-Scan-Result: 62
X-MessageSniffer-Rules: 62-7272267-4414-4462-m
X-RBL-Warning: WEIGHT10: Weight of 33 reaches or exceeds the limit of 10.
X-RBL-Warning: WEIGHT14: Weight of 33 reaches or exceeds the limit of 14.
X-RBL-Warning: WEIGHT20: Weight of 33 reaches or exceeds the limit of 20.
X-RBL-Warning: WEIGHT30: Weight of 33 reaches or exceeds the limit of 30.
X-Declude-Sender: staff@hotmail.com []
X-Declude-Spoolname: 81457577.eml
X-Declude-Note: Scanned by Declude 4.12.11
X-Declude-Scan: Incoming Score [33] at 12:45:48 on 21 Sep 2015
X-Country-Chain: UNITED STATES->destination
X-Declude-Code: e
X-HELO: BAY004-OMC4S22.hotmail.com
X-Identity: | bay004-omc4s22.hotmail.com | hotmail.com
X-Rcpt-To: <fbl@<mydomain>.com>
X-SmarterMail-Spam: SPF_Pass, DK_None, DKIM_None, Declude: 33
X-SmarterMail-TotalSpamWeight: 0 (Trusted Sender - User)
[2015.09.21] 12:45:39 [][37508174] rsp: 220 mail.<mydomain>.com
[2015.09.21] 12:45:39 [][37508174] connected at 9/21/2015 12:45:39 PM
[2015.09.21] 12:45:39 [][37508174] cmd: EHLO BAY004-OMC4S22.hotmail.com
[2015.09.21] 12:45:39 [][37508174] rsp: 250-mail.<mydomain>.com Hello []250-SIZE 31457280250-AUTH LOGIN CRAM-MD5250-8BITMIME250 OK
[2015.09.21] 12:45:39 [][37508174] cmd: MAIL FROM:<staff@hotmail.com> SIZE=11444
[2015.09.21] 12:45:39 [][37508174] rsp: 250 OK <staff@hotmail.com> Sender ok
[2015.09.21] 12:45:39 [][37508174] cmd: RCPT TO:<fbl@<mydomain>.com>
[2015.09.21] 12:45:39 [][37508174] rsp: 250 OK <fbl@<mydomain>.com> Recipient ok
[2015.09.21] 12:45:39 [][37508174] cmd: DATA
[2015.09.21] 12:45:39 [][37508174] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
[2015.09.21] 12:45:39 [][37508174] rsp: 250 OK
[2015.09.21] 12:45:39 [][37508174] Data transfer succeeded, writing mail to 81457577.eml
[2015.09.21] 12:45:39 [][37508174] cmd: QUIT
[2015.09.21] 12:45:39 [][37508174] rsp: 221 Service closing transmission channel
[2015.09.21] 12:45:39 [][37508174] disconnected at 9/21/2015 12:45:39 PM
Delivery Log:
[2015.09.21] 12:45:50 [57577] Delivery started for staff@hotmail.com at 12:45:50 PM
[2015.09.21] 12:45:57 [57577] DKIM TempFail: An error of type  occured during lookup of the domains DKIM public key. DKIM verification for this message will be skipped.
[2015.09.21] 12:45:57 [57577] Spam check results: [_SPF: Pass], [_REVERSEDNSLOOKUP: passed], [_BAYESIANFILTERING: passed], [_DK: None], [_DKIM: None]
[2015.09.21] 12:46:01 [57577] Starting local delivery to wt@<mydomain>.com
[2015.09.21] 12:46:01 [57577] Skipping spam filtering: Trusted Sender (user level)
[2015.09.21] 12:46:01 [57577] Delivery for staff@hotmail.com to wt@<mydomain>.com has completed (Delivered) Filter: None
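As an added example that is not part of the original post, the following script checks for exactly the mismatch described above: a message that Declude scored well over the limit but that SmarterMail delivered with a total weight of 0 through the trusted-sender path. It reads the message headers and the delivery-log lines in the formats shown in the post. The sample headers and log lines are constructed copies of the ones above with the domain replaced by example.com; the threshold and the field names it matches on are taken from the headers as posted, nothing else about SmarterMail's internals is assumed.

```python
import re
from email import message_from_string

# Constructed sample: an abbreviated copy of the header block quoted in the
# post (only the headers this check reads; domain replaced by example.com).
SAMPLE_HEADERS = """\
Return-Path: <staff@hotmail.com>
X-Declude-Sender: staff@hotmail.com []
X-Declude-Scan: Incoming Score [33] at 12:45:48 on 21 Sep 2015
X-Rcpt-To: <fbl@example.com>
X-SmarterMail-Spam: SPF_Pass, DK_None, DKIM_None, Declude: 33
X-SmarterMail-TotalSpamWeight: 0 (Trusted Sender - User)

<html>body omitted</html>
"""

# Constructed sample: delivery-log lines in the format the post shows, one
# delivery that skipped filtering and one that did not.
SAMPLE_DELIVERY_LOG = """\
[2015.09.21] 12:45:50 [57577] Delivery started for staff@hotmail.com at 12:45:50 PM
[2015.09.21] 12:45:57 [57577] Spam check results: [_SPF: Pass], [_REVERSEDNSLOOKUP: passed], [_BAYESIANFILTERING: passed], [_DK: None], [_DKIM: None]
[2015.09.21] 12:46:01 [57577] Starting local delivery to wt@example.com
[2015.09.21] 12:46:01 [57577] Skipping spam filtering: Trusted Sender (user level)
[2015.09.21] 12:46:01 [57577] Delivery for staff@hotmail.com to wt@example.com has completed (Delivered) Filter: None
[2015.09.21] 12:47:10 [57580] Delivery started for someone@example.org at 12:47:10 PM
[2015.09.21] 12:47:12 [57580] Starting local delivery to wt@example.com
[2015.09.21] 12:47:12 [57580] Delivery for someone@example.org to wt@example.com has completed (Delivered) Filter: None
"""

_SCORE_RE = re.compile(r"Incoming Score \[(-?\d+)\]")
_WEIGHT_RE = re.compile(r"^\s*(-?\d+)\s*(?:\((.*?)\))?")
_LOG_RE = re.compile(r"^\[[\d.]+\] [\d:]+ \[(\d+)\] (.*)$")


def header_bypass(raw_message, declude_limit=10):
    """Compare Declude's incoming score with SmarterMail's final weight.

    'bypassed' is True when Declude scored the message at or above
    declude_limit (10 is the lowest WEIGHT limit in the posted headers) but
    the final weight is 0 and SmarterMail recorded a reason for that.
    """
    msg = message_from_string(raw_message)
    score_m = _SCORE_RE.search(msg.get("X-Declude-Scan", ""))
    weight_m = _WEIGHT_RE.match(msg.get("X-SmarterMail-TotalSpamWeight", ""))
    declude = int(score_m.group(1)) if score_m else None
    weight = int(weight_m.group(1)) if weight_m else None
    reason = weight_m.group(2) if weight_m else None
    return {
        "envelope_from": msg.get("Return-Path", "").strip("<> "),
        "rcpt_to": msg.get("X-Rcpt-To", "").strip("<> "),
        "declude_score": declude,
        "total_weight": weight,
        "reason": reason,
        "bypassed": (declude is not None and declude >= declude_limit
                     and weight == 0 and bool(reason)),
    }


def trusted_sender_skips(log_text):
    """Group delivery-log lines by delivery id and return the deliveries that
    went through the trusted-sender skip, with the envelope sender, the local
    recipient and the scope SmarterMail logged (user level, ...)."""
    deliveries = {}
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        did, text = m.groups()
        d = deliveries.setdefault(did, {"id": did, "sender": None,
                                        "recipient": None, "skip": None})
        if text.startswith("Delivery started for "):
            d["sender"] = text[len("Delivery started for "):].split(" at ")[0]
        elif text.startswith("Starting local delivery to "):
            d["recipient"] = text[len("Starting local delivery to "):]
        elif text.startswith("Skipping spam filtering: Trusted Sender"):
            d["skip"] = text[len("Skipping spam filtering: "):]
    return [d for d in deliveries.values() if d["skip"]]


if __name__ == "__main__":
    print(header_bypass(SAMPLE_HEADERS))
    for d in trusted_sender_skips(SAMPLE_DELIVERY_LOG):
        print(d)
```

Run it over the spool files and the delivery log for the affected day and compare the envelope sender and recipient on every flagged delivery against the user, domain and server trusted-sender lists; a flagged delivery whose sender appears in none of them is the case the post describes.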

6 Replies

Bruce Barnes Replied
Without the actual e-mail address the spam is being sent to, there's not much anyone can do to help you with the provide information.
Bruce Barnes
ChicagoNetTech Inc

Phone: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
W. T. Leaver Replied
Sorry, but I have to call BS on your response. There isn't anything you could do to help determine the cause just by knowing the destination email address.

Sure you could determine whether or not we're enforcing smtp authentication (we are), and confirm that we're not an open relay (we're not), but you couldn't possibly determine whether an email you or anyone might try to send would be filtered or not based on being a trusted sender, which is what this is about.

This is really more or less for others experiencing the same issue or SmarterTools themselves to see and/or weigh in on.

In fact there are others reporting the same issue (and I probably should have piggybacked on one of those questions, but I didn't search before posting).
Bruce Barnes Replied
Then I call you out and will no longer respond to any of your posts or questions.
W. T. Leaver Replied
Thank you!
Scarab Replied
The emails you are receiving are from Hotmail's Feedback Loop. They are addressed as coming from staff@hotmail.com to fbl@yourdomain.com. These are emails that have been reported by users of Hotmail as Spam, and as they are spoofing a domain whose MX Records resolve to the IP that you used when you signed up for their Feedback Loop, they are being sent to your Feedback Loop address that you provided.
They will all have text similar to the following:
This is an email abuse report for an email message received from IP on Tue, 22 Sep 2015 07:49:39 -0700.
The message below did not meet the sending domain's authentication policy.
For more information about this format please see http://www.ietf.org/rfc/rfc5965.txt.
Each email will include an attachment with the original email.
In almost all cases these are reports of emails that are spoofed and using one of the domains that you host on your mail server. You can safely ignore these; you just want to eyeball them to make sure that none report being received from your Mail Server's IP Address. (I have them moved to a folder and once a day do a search for my Mail Server's IP Address.)
The reason they are marked as Trusted Sender is because you have marked staff@hotmail.com as a Trusted Sender for your fbl or wt account (Trusted Senders can also be added to the entire domain, or in your server's SECURITY > TRUSTED SENDERS list), but the log specifically says "User Level".
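The daily "search for my mail server's IP" that Scarab describes can be done mechanically on RFC 5965 (ARF) reports. The script below is an added example written for this page, not code from the post or from any feedback-loop operator: it parses a multipart/report message of report-type feedback-report with Python's standard email library, pulls the Source-IP from the machine-readable part and the relay IPs from the attached original message's Received headers, and checks them against your own networks. The report itself is constructed for the example; its addresses, hostnames and IPs (TEST-NET ranges) are made up, and the abuse-report wording is the text Scarab quotes with a constructed IP filled in.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample ARF report in the RFC 5965 layout. Every address, host
# name and IP in it is invented for this example.
SAMPLE_ARF = """\
From: staff@hotmail.com
To: fbl@example.com
Subject: complaint about message from 203.0.113.25
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report; boundary="arf-boundary"

--arf-boundary
Content-Type: text/plain; charset="US-ASCII"

This is an email abuse report for an email message received from IP 203.0.113.25 on Tue, 22 Sep 2015 07:49:39 -0700.
The message below did not meet the sending domain's authentication policy.
For more information about this format please see http://www.ietf.org/rfc/rfc5965.txt.

--arf-boundary
Content-Type: message/feedback-report

Feedback-Type: abuse
User-Agent: ExampleReporter/1.0
Version: 1
Original-Mail-From: <promo@example.com>
Source-IP: 203.0.113.25
Arrival-Date: Tue, 22 Sep 2015 07:49:39 -0700
Reported-Domain: example.com

--arf-boundary
Content-Type: message/rfc822

Received: from mail.example.com (mail.example.com [203.0.113.25])
  by mx.hotmail.example with ESMTP; Tue, 22 Sep 2015 07:49:39 -0700
From: "Timeshare Help" <promo@example.com>
To: victim@hotmail.example
Subject: Get the facts about selling your timeshare
Message-ID: <constructed-1@example.com>

Spam body here.

--arf-boundary--
"""

_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _inner_message(part):
    """Return the message object nested inside a message/* MIME part."""
    payload = part.get_payload()
    if isinstance(payload, list) and payload:
        return payload[0]
    raw = part.get_payload(decode=True) or b""
    return message_from_string(raw.decode("utf-8", "replace"))


def parse_arf(raw):
    """Extract the feedback-report fields and the relay IPs from the
    original message's Received headers of an RFC 5965 report.
    Raises ValueError if the message is not an ARF feedback report."""
    msg = message_from_string(raw)
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "feedback-report"):
        raise ValueError("not an ARF feedback report")
    report, original = None, None
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/feedback-report" and report is None:
            report = _inner_message(part)
        elif ctype == "message/rfc822" and original is None:
            original = _inner_message(part)
    if report is None:
        raise ValueError("report is missing its message/feedback-report part")
    received_ips = []
    if original is not None:
        for hdr in original.get_all("Received", []):
            received_ips.extend(_IP_RE.findall(str(hdr)))
    return {
        "feedback_type": report.get("Feedback-Type"),
        "source_ip": report.get("Source-IP"),
        "original_mail_from": (report.get("Original-Mail-From") or "").strip("<> "),
        "reported_domain": report.get("Reported-Domain"),
        "received_ips": received_ips,
    }


def involves_our_ips(parsed, our_networks):
    """True if Source-IP or any IP in the original Received chain falls
    inside one of our networks (CIDR strings). Unparseable IPs are skipped."""
    nets = [ipaddress.ip_network(n) for n in our_networks]
    for ip in filter(None, [parsed["source_ip"]] + parsed["received_ips"]):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if any(addr in n for n in nets):
            return True
    return False


if __name__ == "__main__":
    parsed = parse_arf(SAMPLE_ARF)
    print(parsed)
    print("from our IP space:", involves_our_ips(parsed, ["203.0.113.0/24"]))
```

A report that fails parse_arf with ValueError is not an ARF report at all, which is the first thing to check when something arriving at a feedback-loop address does not look like a complaint; a report that parses and returns True from involves_our_ips is the case worth a human look.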
W. T. Leaver Replied
That's an interesting idea, one that I briefly considered myself, but that doesn't appear to be it. I confess it's been a LONG time since I've actually received a spam report from JMRP, so I don't recall exactly how they're formatted, but in this case there are several arguments against it:

1. These messages are pure spam. They have no attachments, no indication anywhere that they are a JMRP report.

2. As indicated in my initial post, staff@hotmail is NOT in the trusted sender list for the recipient mailbox or the domain, or the server.

3. None of the IPs in any of them are related to ours.

4. If the spam was originating from our IP space, SNDS would show said IPs with a non-normal status, but everything is clear. (Hundreds of these messages have come in over several days, so if it was an active outbreak from us they would most certainly have marked the source IP(s) as bad by now.)

5. I just now looked at our JMRP setup with Microsoft and we're set to receive ARF format reports, which is most definitely not the case here. Additionally the email to which those reports are set to go is NOT the fbl@<mydomain>.com to which these spam messages are being sent. Come to think of it, that's not even the destination that our AOL feedback loop reports go to (contrary to what I was thinking when I wrote the original post.)

The one common denominator though for all the messages I've inspected is that they *ARE* in fact coming from Microsoft email properties (hotmail, msn for the ones I've checked.)

The fact that SmarterMail is marking them as trusted sender cannot be explained and is the real issue here, as these messages are being properly scored.

This is very similar to other reports such as:


