Spam getting through
Question asked by Greg Lowthian - 1/5/2016 at 7:59 AM
Can anyone give me an idea how this made it through? This is a Euro Lottery spam; below is the header. As you can see, it was flagged by a number of RBLs, but the end result was a weight of (0), and it is not in my trusted senders list.
Return-Path: <test@ic-unost.ru>
Received: from i-panel.isk.net.pl (i-panel.isk.net.pl []) by mail.mycompanydomain.com with SMTP;
   Tue, 5 Jan 2016 09:25:11 -0500
Received: from bzq-82-80-146-121.red.bezeqint.net ([] helo=User)
    by i-panel.isk.net.pl with esmtpa (Exim 4.73)
    (envelope-from <test@ic-unost.ru>)
    id 1aGNZz-0006oB-2o; Tue, 05 Jan 2016 10:06:59 +0100
Reply-To: <nilestishman@gmail.com>
From: "Mrs.Maria Carlos"<test@ic-unost.ru>
Subject: Congratulation You Have Won
Date: Tue, 5 Jan 2016 11:06:26 +0200
MIME-Version: 1.0
Content-Type: text/plain;
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Rcpt-To: <me@mycompanydomain.com>
Message-ID: <c37702aff2f84a52b071300bd58f3d42@com>
X-SmarterMail-Spam: Bayesian Filtering, ISpamAssassin 40 [raw: 25], SPF_SoftFail, DK_None, DKIM_None, Barracuda BRBL, HostKarma - Blacklist, UCEProtect Level 1
X-SmarterMail-SpamDetail: 3.3 LOTTO_AGENT Claims Agent
X-SmarterMail-SpamDetail: 0.0 T_FROM_MISSPACED From: missing whitespace
X-SmarterMail-SpamDetail: 2.3 ADVANCE_FEE_2 Appears to be advance fee fraud (Nigerian 419)
X-SmarterMail-SpamDetail: 2.7 ADVANCE_FEE_3 Appears to be advance fee fraud (Nigerian 419)
X-SmarterMail-SpamDetail: 0.0 ADVANCE_FEE_4 Appears to be advance fee fraud (Nigerian 419)
X-SmarterMail-SpamDetail: 0.6 MISSING_MID Missing Message-Id: header
X-SmarterMail-SpamDetail: 4.0 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
X-SmarterMail-SpamDetail: 3.3 FM_LOTTO_YOU_WON Talks about lotto and you won!
X-SmarterMail-SpamDetail: 0.4 FROM_MISSP_MSFT From misspaced + supposed Microsoft tool
X-SmarterMail-SpamDetail: 3.6 HK_LOTTO
X-SmarterMail-SpamDetail: 3.0 KAM_LOTTO1 Likely to be a e-Lotto Scam Email
X-SmarterMail-SpamDetail: 1.6 KAM_LOTTO2 Highly Likely to be a e-Lotto Scam Email
X-SmarterMail-SpamDetail: 0.0 T_LOTS_OF_MONEY Huge... sums of money
X-SmarterMail-SpamDetail: 0.4 MONEY_FROM_MISSP Lots of money and misspaced From
X-SmarterMail-TotalSpamWeight: 0 (Trusted Sender - Domain)

7 Replies

Bruce Barnes Replied
For the past month, I have been working on a mail server in the Cognac region of France, and they were getting killed with spam and viruses. Hosting almost 70 high-traffic, legitimate domains, mostly building contractors and other local businesses, they were getting killed with junk e-mail.
I implemented the same antispam settings we use on our ChicagoNetTech SmarterMail server, which runs only the internal RBL and URIBLs, along with a few custom rules, used to catch some of the newer domains, and we are now trapping out almost 100% of the spam and viruses which were previously plaguing their customers.
Here's the link to our latest SmarterMail antispam settings https://portal.chicagonettech.com/kb/a171/smartermail-antispam-settings-document.aspx.  That KB article will always contain a link to the latest version of the SmarterMail antispam settings.
Make certain you follow ALL of the instructions, including blocking the ability of users to override spam settings and forcing everyone to use GREYLISTING, or you will only shoot yourself in the foot and make your frustrations greater.
You also need to make certain that you are not set for OPEN RELAY. Enforce SMTP authentication for EVERY MESSAGE SENT through your SmarterMail server - no whitelisting, no bypass: NO EXCEPTIONS!
Make certain you are not being compromised by BRUTE FORCE PASSWORD attacks (the customer in France is now blocking 278 IP ADDRESSES - all automatically, using the SmarterMail ABUSE DETECTION capabilities, available under SECURITY ===> ADVANCED SETTINGS).

Here's how we have their POP, SMTP, IMAP and XMPP password brute force protection setup (SmarterMail 14.4.5801) - and it catches the perpetrators and it works, blocking the offending IP addresses for 45.51 days, or until the SmarterMail service is restarted or the server rebooted:
POP Password Brute Force Protection Settings
SMTP Password Brute Force Protection Settings
IMAP Password Brute Force Protection Settings
XMPP Password Brute Force Protection Settings
In the case of my customer, one of their administrative accounts had been compromised, via a BRUTE FORCE password attack, and was being used to send more than 50K spam messages PER HOUR.   The PASSWORD BRUTE FORCE abuse detection triggers, the configuration of which is shown above, now abates that ability significantly, but there is still a small chance of someone getting someone's password.
The spam senders were also using a different IP ADDRESS and different REPLY TO ADDRESS on all of the messages, so until the client could change the user's password, we also set SmarterMail to enforce a MATCH on the SENT FROM and REPLY TO e-mail addresses.

The BOTS, which are still busy trying to send the spam messages, are not too intelligent, and still trying to use the old passwords: unsuccessfully.

You don't need to add external spam checks.  You can do so, but you will need to make certain that the spam scoring is set identical to the spam scoring we have setup in the SmarterMail RBL / URIBL checks, or you will only confuse the SmarterMail scoring and, potentially, allow more spam through.  Therefore, we use no external checks, only the internal antispam checks discussed in the document available at:  
Remember, to be effective, you must follow the protocols and procedures outlined in the document to the letter - no variances, no overrides, of any kind, for anyone.
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phone: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
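The abuse-detection rule Bruce describes (a number of failed logins from one IP inside a time window, after which that IP is blocked) can be reproduced outside the mail server, for instance over exported protocol logs. The following is an added Python example, not SmarterMail's code and not Bruce's settings: the log line format is constructed for illustration, and the threshold of 5 failures in 10 minutes and the 45-day block length are assumed values, not the ones from his screenshots. It also shows the gap he mentions: an attacker who spaces attempts out beyond the window is never blocked by this rule.

```python
"""Sliding-window brute-force detector over SMTP/POP/IMAP auth-failure log lines.
Added example; the log format, thresholds and block length are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log in a generic "timestamp ip event" shape (not SmarterMail's format).
# 203.0.113.7 hammers admin accounts; 192.0.2.44 spaces its attempts 25 minutes apart.
SAMPLE_LOG = """\
2016-01-05 09:00:01 203.0.113.7 AUTH_FAIL user=admin
2016-01-05 09:00:03 203.0.113.7 AUTH_FAIL user=admin
2016-01-05 09:00:04 198.51.100.9 AUTH_OK user=greg
2016-01-05 09:00:05 203.0.113.7 AUTH_FAIL user=admin
2016-01-05 09:00:06 203.0.113.7 AUTH_FAIL user=administrator
2016-01-05 09:00:08 203.0.113.7 AUTH_FAIL user=postmaster
2016-01-05 09:00:09 203.0.113.7 AUTH_FAIL user=postmaster
2016-01-05 09:20:00 192.0.2.44 AUTH_FAIL user=bob
2016-01-05 09:45:00 192.0.2.44 AUTH_FAIL user=bob
2016-01-05 10:10:00 192.0.2.44 AUTH_FAIL user=bob
2016-01-05 10:35:00 192.0.2.44 AUTH_FAIL user=bob
2016-01-05 11:00:00 192.0.2.44 AUTH_FAIL user=bob
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (AUTH_FAIL|AUTH_OK)")


def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=10),
                       block_for=timedelta(days=45)):
    """Return {ip: (blocked_at, block_expiry)} for every IP that reaches `threshold`
    auth failures inside any rolling `window`. A successful login clears that IP's
    failure history, mirroring a typical "N failures in M minutes" abuse rule."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    blocked = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not auth events
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip, event = m.group(2), m.group(3)
        if ip in blocked:
            continue  # already blocked; later attempts would be refused at connect time
        recent = failures[ip]
        if event == "AUTH_OK":
            recent.clear()
            continue
        recent.append(ts)
        # Drop failures that have aged out of the window before counting.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            blocked[ip] = (ts, ts + block_for)
    return blocked


def blocked_ips(log_text, **kw):
    """Convenience wrapper: just the sorted list of IPs the rule would block."""
    return sorted(detect_brute_force(log_text, **kw))


if __name__ == "__main__":
    for ip, (since, until) in detect_brute_force(SAMPLE_LOG).items():
        print(f"block {ip} from {since} until {until}")
```

To use this on a real server, replace LINE_RE with a pattern for the server's own log format; the rest of the logic is format-independent. Because the block is keyed to a timestamp rather than to the life of the process, the block list survives a service restart if it is persisted, which is the behaviour Bruce notes the built-in list does not have.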
Greg Lowthian Replied
We have all that set and block several thousand emails a day and very rarely have anything get through. This Lotto Spam has me stumped.
Lucidio Arruda Neto Replied
Isn't there any pattern in the spammers' EHLO commands that could block this at the SMTP level?
Assin Ontivi Replied
I have found that fighting spam on a mail server is yet another full time job in addition to the usual IT admin tasks. When a boss (or client) is too cheap to pay for a good 3rd party cloud filtering service, in my experience, it's time to find a new boss (or client). Not to mention the load that the 3rd party service takes off of your mail server and Internet circuit. The remaining IT admin business can just be too time consuming to leave room for a life as it is. And it also gives you someone to blame if piles of spam occasionally come pouring through. With a good cloud service this will be quite rare. Just my view. That is, unless you're only there to be the email admin, and then I guess it's OK - have to justify that "huge" paycheck somehow. 
Greg Lowthian Replied
Actually, I have the opposite view: with enough knowledge of how spam works, you can block almost all of it using what SmarterMail has built in. With 10 domains and 450 users it takes us maybe 30 minutes a week of effort to deal with spam. Something like the spam above is a rare event. Cloud-based filtering may be good at what it does, but it's not always the best choice. Like everything else in IT, if you don't keep up with and use the knowledge, you have to relearn it, which is time consuming.
Bruce Barnes Replied
We run my antispam document on about 50 client servers, with no external filters, and, once the initial clean-up and implementation phase is over, have few issues. Whilst I concur that both antispam measures and the general operation and maintenance of MX servers are no longer "turn-key," they can be configured to operate with regular maintenance and monitoring - without the additional confusion, and costs, of external filtering services. When the internal spam filtering is used exclusively, the reports within SmarterMail become invaluable to both the server operators and end users, even becoming fully automated in the Enterprise Edition of SmarterMail.
David Fisher Replied
I am seeing the following:
X-SmarterMail-TotalSpamWeight: 0 (Trusted Sender - Domain)
I believe that means you have a domain like gmail.com listed in your trusted senders, so it does all the spam checks and allows it anyway. One of the email header domains is listed in your global or user trusted senders.
You could also block an EHLO of "User", and check your logs for this email to see if there is any other domain it is using that is listed in your trusted senders. If you DO NOT have gmail.com or any of the ones in the logs, then you would need to open a support ticket, as this would be a bug. There always has to be a trusted sender in there that matches.
Also be sure you are running the latest build of SmarterMail and you are running a supported version, either v14.4.5801 or 13.6.5703.
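As an added example (not code from this thread or from SmarterMail), the Python below re-parses the header block from Greg's question and does three things the thread discusses: it sums the X-SmarterMail-SpamDetail lines (which comes to 25.2, matching the "raw: 25" SpamAssassin figure in the X-SmarterMail-Spam header), it applies the check David suggests by pulling the domain out of each sender-side header and comparing it with a trusted-senders list, and it flags the From/Reply-To domain mismatch that Bruce's match rule would reject, plus the "helo=User" name Lucidio and David mention. The trusted-senders list here is hypothetical (gmail.com plus the recipient's own domain); which headers SmarterMail actually consults for its "Trusted Sender - Domain" match is not stated in the thread, so the set of headers examined is an assumption.

```python
"""Re-score the posted headers and find which sender domain a trusted-senders
list would match. Added example; TRUSTED_SENDERS and the headers examined are
assumptions, not SmarterMail's actual logic."""
import re

# The sender-side and scoring headers exactly as posted in the question.
RAW_HEADERS = """\
Return-Path: <test@ic-unost.ru>
Received: from bzq-82-80-146-121.red.bezeqint.net ([] helo=User)
    by i-panel.isk.net.pl with esmtpa (Exim 4.73)
    (envelope-from <test@ic-unost.ru>)
    id 1aGNZz-0006oB-2o; Tue, 05 Jan 2016 10:06:59 +0100
Reply-To: <nilestishman@gmail.com>
From: "Mrs.Maria Carlos"<test@ic-unost.ru>
X-SmarterMail-SpamDetail: 3.3 LOTTO_AGENT Claims Agent
X-SmarterMail-SpamDetail: 0.0 T_FROM_MISSPACED From: missing whitespace
X-SmarterMail-SpamDetail: 2.3 ADVANCE_FEE_2 Appears to be advance fee fraud (Nigerian 419)
X-SmarterMail-SpamDetail: 2.7 ADVANCE_FEE_3 Appears to be advance fee fraud (Nigerian 419)
X-SmarterMail-SpamDetail: 0.0 ADVANCE_FEE_4 Appears to be advance fee fraud (Nigerian 419)
X-SmarterMail-SpamDetail: 0.6 MISSING_MID Missing Message-Id: header
X-SmarterMail-SpamDetail: 4.0 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
X-SmarterMail-SpamDetail: 3.3 FM_LOTTO_YOU_WON Talks about lotto and you won!
X-SmarterMail-SpamDetail: 0.4 FROM_MISSP_MSFT From misspaced + supposed Microsoft tool
X-SmarterMail-SpamDetail: 3.6 HK_LOTTO
X-SmarterMail-SpamDetail: 3.0 KAM_LOTTO1 Likely to be a e-Lotto Scam Email
X-SmarterMail-SpamDetail: 1.6 KAM_LOTTO2 Highly Likely to be a e-Lotto Scam Email
X-SmarterMail-SpamDetail: 0.0 T_LOTS_OF_MONEY Huge... sums of money
X-SmarterMail-SpamDetail: 0.4 MONEY_FROM_MISSP Lots of money and misspaced From
X-SmarterMail-TotalSpamWeight: 0 (Trusted Sender - Domain)
"""

# Hypothetical trusted-senders list standing in for the one David suspects exists.
TRUSTED_SENDERS = {"gmail.com", "mycompanydomain.com"}

ADDR_RE = re.compile(r"[\w.+-]+@([\w.-]+)")
ENVFROM_RE = re.compile(r"envelope-from <[^@>]+@([^>]+)>")
HELO_RE = re.compile(r"helo=(\S+?)\)")
# Assumed set of headers a trusted-sender domain match might consult.
SENDER_HEADERS = ("return-path", "from", "reply-to", "sender")


def parse_headers(raw):
    """Unfold RFC 5322 headers into (name, value) pairs; lines that start with
    whitespace are continuations of the previous header."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def spamdetail_total(headers):
    """Sum the per-rule scores; this is the 'raw' figure, before any trusted-sender override."""
    return round(sum(float(v.split()[0]) for n, v in headers
                     if n.lower() == "x-smartermail-spamdetail"), 1)


def sender_domains(headers):
    """Map each sender-side header (and the Received envelope-from) to its domain."""
    out = {}
    for name, value in headers:
        key = name.lower()
        if key in SENDER_HEADERS:
            m = ADDR_RE.search(value)
            if m:
                out[name] = m.group(1).lower()
        elif key == "received":
            m = ENVFROM_RE.search(value)
            if m:
                out["envelope-from"] = m.group(1).lower()
    return out


def trusted_hits(headers, trusted=TRUSTED_SENDERS):
    """Headers whose domain is on the trusted list; any one of these could zero the weight."""
    return {h: d for h, d in sender_domains(headers).items() if d in trusted}


def reply_to_mismatch(headers):
    """True when From: and Reply-To: carry different domains (Bruce's match rule fails)."""
    d = sender_domains(headers)
    return "Reply-To" in d and d.get("From") != d["Reply-To"]


def helo_names(headers):
    """HELO/EHLO names recorded in Received: headers, e.g. the bare 'User' David suggests blocking."""
    return [m.group(1) for n, v in headers if n.lower() == "received"
            for m in [HELO_RE.search(v)] if m]


if __name__ == "__main__":
    hdrs = parse_headers(RAW_HEADERS)
    print("raw SpamDetail total:", spamdetail_total(hdrs))
    print("sender domains:", sender_domains(hdrs))
    print("trusted-sender matches:", trusted_hits(hdrs))
    print("From/Reply-To mismatch:", reply_to_mismatch(hdrs), "helo:", helo_names(hdrs))
```

With the hypothetical list above, the only match is the Reply-To domain gmail.com, which is consistent with David's reading that a free-mail domain in the trusted list is what zeroed a 25-point message; swap in the server's real global and per-user lists to test that reading against this message.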
