1
Spam messages delivered - Skipping spam filter - Trusted Sender (system leverl)
Problem reported by Jennifer Morandi - 12/9/2015 at 10:42 AM
Submitted
Over the past few days, messages with .zip attachments are being delivered.  While we have a domain level filter in place to clearly flag messages with ZIP or EXE files attached, I'm concerned that these messages appear to be bypassing the spam filter by being identified as being on the Trusted Sender list - they are not on the list.   

Here's the delivery log for one such message: 
[2015.12.08] 15:30:04 [27384] Delivery started for chandlerchris041@fotoscasamentos.com.br at 3:30:04 PM
[2015.12.08] 15:30:07 [27384] Spam check results: [_SPF: Neutral], [SORBS - ABUSE: passed], [SPAMCOP: passed], [SPAMHAUS - XBL: passed], [_REVERSEDNSLOOKUP: passed], [_BAYESIANFILTERING: passed], [_COMMTOUCH: 0,Unknown], [_INTERNALSPAMASSASSIN: 0:0], [_DK: None], [_DKIM: None], [_CUSTOMRULES: ]
[2015.12.08] 15:30:10 [27384] Starting local delivery to cfurey@
<my domain>.com
[2015.12.08] 15:30:10 [27384] Skipping spam filtering: Trusted Sender (system level)
[2015.12.08] 15:30:10 [27384] Delivery for chandlerchris041@fotoscasamentos.com.br to cfurey@virtualdensity.com has completed (Delivered) Filter: .zip and .exe
[2015.12.08] 15:30:10 [27384] End delivery to cfurey@
<my domain>.com
[2015.12.08] 15:30:10 [27384] Starting local delivery to jmorandi@
<my domain>.com
[2015.12.08] 15:30:10 [27384] Skipping spam filtering: Trusted Sender (system level)
[2015.12.08] 15:30:10 [27384] Delivery for chandlerchris041@fotoscasamentos.com.br to jmorandi@
<my domain>.com has completed (Delivered) Filter: .zip and .exe
[2015.12.08] 15:30:10 [27384] End delivery to jmorandi@<my domain>.com
[2015.12.08] 15:30:10 [27384] Delivery finished for chandlerchris041@fotoscasamentos.com.br at 3:30:10 PM    [id:83727384]
 
Here's the header information for the same message:
Return-Path: <chandlerchris041@fotoscasamentos.com.br>
Received: from mail.internal.<my domain>.net (mail.internal.<my domain>.net [66.181.192.73]) by mail.<my domain>.com with SMTP;
   Tue, 8 Dec 2015 15:30:04 -0500
Received: from [36.73.21.1] ([36.73.21.1]) by internal.<my domain>.net with MailEnable ESMTP; Tue, 8 Dec 2015 15:29:45 -0500
Message-ID: <1979272820.SIM_A9F41958D333@<my domain>.com>
From: =?UTF-8?B?Q2hyaXMgQ2hhbmRsZXI=?= <ChandlerChris041@fotoscasamentos.com.br>
To: =?UTF-8?B?YWNjb3VudGluZw==?= <accounting@<my domain>.com>
Subject: {Dangerous content attached} =?UTF-8?B?SW52b2ljZSAjNjE4ODE3MjM=?=
Date: Wed, 09 Dec 2015 03:29:56 +0700
Reply-To: =?UTF-8?B?YWNjb3VudGluZw==?= <accounting@<my domain>.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NexPart_002"
X-MXScan-Scan: Scanned by MxScan 2.5.100.0 for VD-MONITOR
X-MXScan-Msgid: D2F0E8E88BF1474E990EB09323FE2C7D_
X-MXScan-License: {Unregistered Version} Only for personal and non-commercial use. Commercial use is PROHIBITED and requires a license.
X-MXScan-Country-Sequence: AUSTRALIA->Destination
X-MXScan-AntiVirus: ClamAV 0.96.5/21136/Fri Dec 04 16:36:48 2015 [Clean]
X-MXScan-AntiSpam: KEYWORD [Pass], RDNSBL [JMF-Black(5),Zen(6)], URLBL [Pass], SPAMASSASSIN [1.4 (FROM_EXCESS_BASE64,HELO_MISC_IP,HTML_MESSAGE,RDNS_NONE,T_TVD_MIME_EPI)], DCC_CHECK [Body=1 Fuz1=1 Fuz2=many (5)]
X-MXScan-SpamScore: 17.4
X-MXScan-ProcessingTime: 0.601 sec(s)
X-CTCH-RefId: str=0001.0A010201.56673DD0.0141:SCFSTAT29552747,ss=1,re=-4.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
X-CTCH-AVLevel: Unknown
X-SmarterMail-Spam: SPF_Neutral, Commtouch 0 [value: Unknown], ISpamAssassin 0 [raw: 0], DK_None, DKIM_None, Custom Rules []
X-SmarterMail-TotalSpamWeight: 0 (Trusted Sender - System)

7 Replies

Reply to Thread
1
Chintan K Replied
Hello, 
We are also having the same issue. Were in the spam emails are getting delivered to the client. Upon checking the logs, we found that Spam filtering was skipped due to Trusted Sender (domain level). Upon checking the trusted sender list I didn't found any domain or user email address with Sky.com. Below are the logs for the same.
 
=====================================================================
[2015.12.10] 13:50:41 [75773] Delivery started for daltonelsa5755@sky.com at 1:50:41 PM
[2015.12.10] 13:51:22 [75773] Spam check results: [_SPF: None], [FIVE-TEN: passed], [HOSTKARMA - BLACKLIST: failed], [HOSTKARMA - BROWNLIST: passed], [HOSTKARMA - WHITELIST: passed], [SORBS - DYNAMIC IP: failed], [SORBS - PROXY: passed], [SORBS - SOCKS: passed], [SPAMCOP: passed], [SPAMHAUS - PBL: failed], [SPAMHAUS - PBL2: passed], [SPAMHAUS - SBL: passed], [UCEPROTECT LEVEL 1: failed], [UCEPROTECT LEVEL 2: passed], [UCEPROTECT LEVEL 3: passed], [_REVERSEDNSLOOKUP: passed], [_BAYESIANFILTERING: failed], [_COMMTOUCH: 30,Bulk], [_DK: None], [_DKIM: None], [BONDEDSENDER: passed], [SORBS: failed], [SPAMHAUS SBL+XBL: failed]
[2015.12.10] 13:51:25 [75773] Starting local delivery to leang@<my domain>.com
[2015.12.10] 13:51:25 [75773] Skipping spam filtering: Trusted Sender (domain level)
[2015.12.10] 13:51:25 [75773] Delivery for daltonelsa5755@sky.com to leang@<my domain>.com has completed (Delivered) Filter: None
[2015.12.10] 13:51:25 [75773] End delivery to leang@<my domain>.com
[2015.12.10] 13:51:25 [75773] Delivery finished for daltonelsa5755@sky.com at 1:51:25 PM    [id:679450675773]
========================================================================
 
Message Header. 
========================================================================
Return-Path: <daltonelsa5755@sky.com>
Received: from 5ac1394a.bb.sky.com (5ac1394a.bb.sky.com [90.193.57.74]) by <my domain>.com with SMTP;
Thu, 10 Dec 2015 13:50:39 -0500
Message-ID: <6464781087.SIM_0016D41D4F6B@<my domain>.com>
From: =?UTF-8?B?RWxzYSBEYWx0b24=?= <DaltonElsa5755@sky.com>
To: =?UTF-8?B?bGVhbmc=?= <leang@<my domain>.com>
Subject: =?UTF-8?B?UGF5bWVudCBSZXF1ZXN0LCBSZWYuIG5yOiA1OTI2ODc2NC8yMDE1?=
Date: Thu, 10 Dec 2015 10:50:45 -0700
Reply-To: =?UTF-8?B?bGVhbmc=?= <leang@<my domain>.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NexPart_002"
X-SmarterMail-Spam: SPF_None, HostKarma - Blacklist, SORBS - Dynamic IP, Spamhaus - PBL, UCEProtect Level 1, Bayesian Filtering, Commtouch 30 [value: Bulk], DK_None, DKIM_None, SORBS, SpamHaus SBL+XBL
X-CTCH-RefId: str=0001.0A010203.5669BF4F.01DE,ss=3,sh,re=0.000,recu=0.000,reip=0.000,cl=3,cld=1,fgs=512
X-SmarterMail-TotalSpamWeight: 0 (Trusted Sender - Domain)
========================================================================
0
Matt Petty Replied
Employee Post
Is <my domain> in the trusted senders list?
SmarterMail is seeing Reply-To: =?UTF-8?B?bGVhbmc=?= <leang@<my domain>.com> and seeing <my domain> and might be seeing that as a trusted sender.
Matt Petty Software Developer SmarterTools Inc. (877) 357-6278 www.smartertools.com
0
kevind Replied
If that's the case, looks like the spammer is spoofing the Reply To. Another reason to validate Trusted Senders. Vote for it here:
http://portal.smartertools.com/community/a86864/why-not-validate-trusted-senders.aspx
0
Chintan K Replied
Nope, that domain is neither added in user's trusted senders list, domain's trusted sender's list nor system's trusted senders list.
0
Chintan K Replied
Hey Matt,

Sorry for the confusion here. Yes, the <mydomain> is in the trusted sender list but not on User level. Its added in Domain level trusted sender list.
0
Matt Petty Replied
Employee Post
Removing that would prevent the spammer from being able to bypass the spam checks.
Matt Petty Software Developer SmarterTools Inc. (877) 357-6278 www.smartertools.com
0
Jennifer Morandi Replied
Yes <mydoman> is a trusted sender. I'll remove it and see how that works. Thanks for the response :)

Reply to Thread