flurry of "FedEx delivery" spam; how to configure local.cf to block?
Question asked by Eric Bourland - 11/5/2016 at 8:55 AM
Answered
SmarterMail 15.3

Hi friends. Is anyone else getting bombarded with fake "FedEx delivery problems" messages, with a ZIP file attached to each message? No doubt the ZIP file contains a bad payload.
 
I use SpamAssassin, and I would like to configure local.cf to block this spam. Does anyone have a suggestion on lines I might add to local.cf to do so?

Thank you for your help. Here's a header from one of the offending messages:
 
Return-Path: <pcsmaumee@p3plcpnl0243.prod.phx3.secureserver.net>
Received: from p3nlsmtpcp01-02.prod.phx3.secureserver.net (p3nlsmtpcp01-02.prod.phx3.secureserver.net [184.168.200.140]) by tarsier.viviotech.net with SMTP
	(version=TLS\Tls12
	cipher=Aes256 bits=256);
   Sat, 5 Nov 2016 10:58:44 -0400
Received: from p3plcpnl0243.prod.phx3.secureserver.net ([50.62.161.9])
	by : HOSTING RELAY : with SMTP
	id 32OrcjbrPgB4q32OrcnOGo; Sat, 05 Nov 2016 07:56:53 -0700
Received: from pcsmaumee by p3plcpnl0243.prod.phx3.secureserver.net with local (Exim 4.87)
	(envelope-from <pcsmaumee@p3plcpnl0243.prod.phx3.secureserver.net>)
	id 1c32Or-0005ym-MJ
	for postmaster@careplanners.net; Sat, 05 Nov 2016 07:56:53 -0700
To: postmaster@careplanners.net
Subject: Problems with item delivery, n.000289623
X-PHP-Script: partnersforcleanstreams.org/post.php for 186.202.161.18
X-PHP-Filename: /home/pcsmaumee/public_html/post.php
Date: Sat, 5 Nov 2016 14:56:53 +0000
From: "FedEx International MailService" <bobby.burns@partnersforcleanstreams.org>
Reply-To: "FedEx International MailService" <bobby.burns@partnersforcleanstreams.org>
Message-ID: <cb188a880f2a151030ffb7c70692020c@partnersforcleanstreams.org>
X-Priority: 3
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="b1_af728e2a1a984c8268adddaff5435d18"
Content-Transfer-Encoding: 8bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - p3plcpnl0243.prod.phx3.secureserver.net
X-AntiAbuse: Original Domain - careplanners.net
X-AntiAbuse: Originator/Caller UID/GID - [443660 956] / [47 12]
X-AntiAbuse: Sender Address Domain - p3plcpnl0243.prod.phx3.secureserver.net
X-Get-Message-Sender-Via: p3plcpnl0243.prod.phx3.secureserver.net: authenticated_id: pcsmaumee/from_h
X-Authenticated-Sender: p3plcpnl0243.prod.phx3.secureserver.net: bobby.burns@partnersforcleanstreams.org
X-Source: 
X-Source-Args: /usr/sbin/proxyexec -q -d -s /var/lib/proxyexec/cagefs.sock/socket /bin/cagefs.server
X-Source-Dir: partnersforcleanstreams.org:/public_html
X-CMAE-Envelope: MS4wfOEcg92uj7Jc4WPPpF02JMa/R5QGjJb0bjYrSLJ3U0UykyjTeXfR5lqXKiPYeJJyCJfZbXSH0naESKv5OZKELQULKWXeBy/6PoKocoFmHidqtbxDoirl
 jewVKq84pw7RaZLJCN28lnTnGaRbzNpzovyLK9puBew71sxE1alGMzqP6ZtGF8h57PYwDep4F8trSNSTHaome7rhP2flwppCYESLIGTSMOW4feaE/hGz2eXu
 7TYX1lsIy8SLWiANVS4rFA==
X-SmarterMail-Spam: SPF_None, ISpamAssassin 1 [raw: 0], SpamAssassin 1 [raw: 0], DK_None, DKIM_None
X-SmarterMail-SpamDetail: 0.7 S25R_1 S25R: Bottom of rDNS has num, non-num, num
X-SmarterMail-SpamDetail: Content analysis details:   (0.5 points, 5.0 required)
X-SmarterMail-SpamDetail: pts rule name              description
X-SmarterMail-SpamDetail: ---- ---------------------- --------------------------------------------------
X-SmarterMail-SpamDetail: 0.5 RCVD_IN_SORBS_SPAM     RBL: SORBS: sender is a spam source
X-SmarterMail-SpamDetail: [184.168.200.140 listed in dnsbl.sorbs.net]
X-SmarterMail-SpamDetail: 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
X-SmarterMail-SpamDetail: domains are different
X-SmarterMail-TotalSpamWeight: 2

9 Replies

Linda Pagillo Replied
Marked As Answer
Hi Eric. Can you please post a few more example headers? Feel free to send them to me directly if you don't want to post them here. I will review them and post the answer to your question here.
Linda Pagillo Mail's Best Friend Email: linda.pagillo@mailsbestfriend.com Web: www.mailsbestfriend.com Authorized SmarterTools Reseller Authorized Message Sniffer Reseller
Hemen Shah Replied
@Eric,
 
Just recollected the same thing a few days back with one of the customers; though I was called just for cleaning the infection, this is the same mail which caused it. I am pasting the header below, and it has the same pattern; in fact it is originating from the same network as seen in your header too. This mail contains a JS script which on execution encrypts all the files; basically this is a ransomware infection by the name Nemucod, and then you are left with paying something to decrypt all the files, but there is a solution to this without any worry. If you are infected and need support, let me know.
 
Return-Path: <pghmarines1775@p3plcpnl0454.prod.phx3.secureserver.net>
Received: from p3nlsmtpcp01-01.prod.phx3.secureserver.net (p3nlsmtpcp01-01.prod.phx3.secureserver.net [184.168.200.138]) by mailserver.abc.com with SMTP
    (version=TLS\Tls12
    cipher=Aes256 bits=256);
   Mon, 7 Nov 2016 19:51:16 -0500
Received: from p3plcpnl0454.prod.phx3.secureserver.net ([50.62.161.221])
    by : HOSTING RELAY : with SMTP
    id 3uTXcf5XAxfCP3uTXczXOo; Mon, 07 Nov 2016 17:41:19 -0700
Received: from pghmarines1775 by p3plcpnl0454.prod.phx3.secureserver.net with local (Exim 4.87)
    (envelope-from <pghmarines1775@p3plcpnl0454.prod.phx3.secureserver.net>)
    id 1c3uTX-0005WR-AJ
    for customer@abc.com; Mon, 07 Nov 2016 17:41:19 -0700
To: customer@abc.com
Subject: Problem with parcel shipping, ID:00000750279
X-PHP-Script: steelcitymarines.org/post.php for 5.135.140.187
Date: Tue, 8 Nov 2016 00:41:19 +0000
From: "FedEx International MailService" <javier.crane@steelcitymarines.org>
Reply-To: "FedEx International MailService" <javier.crane@steelcitymarines.org>
Message-ID: <bd49462df9474e0d5da038592f168614@steelcitymarines.org>
X-Priority: 3
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="b1_8b8377533da5b31e6da35435711ee4df"
Content-Transfer-Encoding: 8bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - p3plcpnl0454.prod.phx3.secureserver.net
X-AntiAbuse: Original Domain - abc.com
X-AntiAbuse: Originator/Caller UID/GID - [557186 956] / [47 12]
X-AntiAbuse: Sender Address Domain - p3plcpnl0454.prod.phx3.secureserver.net
X-Get-Message-Sender-Via: p3plcpnl0454.prod.phx3.secureserver.net: authenticated_id: pghmarines1775/from_h
X-Authenticated-Sender: p3plcpnl0454.prod.phx3.secureserver.net: javier.crane@steelcitymarines.org
X-Source: 
X-Source-Args: /usr/sbin/proxyexec -q -d -s /var/lib/proxyexec/cagefs.sock/socket /bin/cagefs.server 
X-Source-Dir: steelcitymarines.org:/public_html
X-CMAE-Envelope: MS4wfPtH+wHDwt2XAxZgY7wSQsRaRH0IjIPFOVHq6MEMaVDmZexnunrrMd5AoIjCbOEHB8qHi9Xs5eFvjaWAYBa4ECLhZDdvcnEKl/r7p7RwyWAimJWXyG72
 S1XAw7kn3rv54rOmK3G69UPuXvWQORPUKeN5iMziwUCEIrh6TpCxk1RNxicwVYeTR0BvFYUHWHGCIxTENyRwMDW32k3bbU1HSoBPZUYvpgcT57utRvh64ckJ
 VnCYUBcwNv7Cmfc/5mSTKQ==
X-Declude-Sender: pghmarines1775@p3plcpnl0454.prod.phx3.secureserver.net [184.168.200.138]
X-Declude-Spoolname: 3175836383.eml
X-Declude-RefID: 
X-Declude-Note: Scanned by Declude 4.12.11
X-Declude-Scan: Incoming Score [5] at 19:51:49 on 07 Nov 2016
X-Declude-Tests: MAILSPIKE-H2 [-2], SORBS-RECENT [3], UBL [4], FROMNOMATCH [2], HAM-INDICATOR [-2]
X-Country-Chain: UNITED STATES->destination
X-Declude-Code: e
X-HELO: p3nlsmtpcp01-01.prod.phx3.secureserver.net
X-Identity: 184.168.200.138 | p3nlsmtpcp01-01.prod.phx3.secureserver.net | p3plcpnl0454.prod.phx3.secureserver.net
 
Yep, we are getting hit with these too. I get at least one every day. Been forwarding them over to "abuse@fedex.com" as well, so hopefully they are investigating.
www.HawaiianHope.org - Providing technology services to non profit organizations, low income families, homeless shelters, clean and sober houses and prisoner reentry programs. Since 2015, we have refurbished over 11,000 computers!
Eric Bourland Replied
Linda, another one just came in today. I had been getting many of them, but they trailed off. But here is another example:

Return-Path: <belinszk@wx150.cpserver.net>
Received: from wx150.cpserver.net (wx150.cpserver.net [87.229.73.150]) by tarsier.viviotech.net with SMTP
(version=TLS\Tls12
cipher=Aes256 bits=256);
Wed, 16 Nov 2016 14:39:57 -0500
Received: from belinszk by wx150.cpserver.net with local (Exim 4.87)
(envelope-from <belinszk@wx150.cpserver.net>)
id 1c75o8-002vK4-VL
for eb@hwaet.com; Wed, 16 Nov 2016 20:23:44 +0100
To: <eb@hwaet.com>
Subject: Problems with item delivery, n.45892726
X-PHP-Script: tlm.hu/jpg.php for 138.201.125.177
X-PHP-Filename: /home/belinszk/public_html/tlm.hu/jpg.php
Message-ID: <FD07435F3EEAC467BBBEF74AEECA3BF9@freemanwebb.com>
From: "FedEx 2Day A.M." <deborah.maddux@freemanwebb.com>
Date: Wed, 16 Nov 2016 23:23:28 +0300
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="94e44a5e7e6dbb80cc815b0600c0"
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - wx150.cpserver.net
X-AntiAbuse: Original Domain - hwaet.com
X-AntiAbuse: Originator/Caller UID/GID - [532 535] / [47 12]
X-AntiAbuse: Sender Address Domain - wx150.cpserver.net
X-Get-Message-Sender-Via: wx150.cpserver.net: authenticated_id: belinszk/only user confirmed/virtual account not confirmed
X-Authenticated-Sender: wx150.cpserver.net: belinszk
X-SmarterMail-Spam: SPF_None, ISpamAssassin 0 [raw: 0], SpamAssassin 0 [raw: 0], DK_None, DKIM_None
X-SmarterMail-SpamDetail: Content analysis details: (0.0 points, 5.0 required)
X-SmarterMail-SpamDetail: pts rule name description
X-SmarterMail-SpamDetail: ---- ---------------------- --------------------------------------------------
X-SmarterMail-SpamDetail: 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
X-SmarterMail-SpamDetail: domains are different
X-SmarterMail-TotalSpamWeight: 0
Linda Pagillo Replied
Eric, try these in your local.cf file...
 
# Subject lines seen in the headers posted above
header FEDEX_SPAM_SUBJECT    Subject =~ /(Problems with item delivery|Problem with parcel shipping)/i
describe FEDEX_SPAM_SUBJECT  Subject consistent with FedEx spam
score FEDEX_SPAM_SUBJECT     3.0
 
# Display names seen in the From: headers posted above (dots escaped so they match literally)
header FEDEX_SPAM_FROM    From =~ /(FedEx International MailService|FedEx 2Day A\.M\.)/i
describe FEDEX_SPAM_FROM  From consistent with FedEx spam
score FEDEX_SPAM_FROM     3.0
 
Hemen, you can create a filter in Declude to filter these out. Here are the instructions...

1.) Open a new Notepad doc.
2.) Add the following line: HEADERS   10   CONTAINS      FedEx International MailService
3.) Save the file to your Declude\Filters folder as FEDEX-SPAM.txt
4.) Open your global.cfg and add the following line in the filters section:
 
FEDEX-SPAM        filter    [PATH]\Declude\filters\FEDEX-SPAM.txt        x    0    0
 
5.) Be sure to change [PATH] to the path of your Filters directory.
 
If you simply would like to delete these spam messages instead of adding 10 points to them, you should use the following filter line instead of the one I gave you in Step 2...
 
HEADERS   0   CONTAINS      FedEx International MailService
 
Then you would add the line to your global.cfg as stated in Step 4 and then you would open your $default$.junkmail file and add the following:
 
FEDEX-SPAM    DELETE
 
I hope these things help you guys. Take care :)
Linda Pagillo Mail's Best Friend Email: linda.pagillo@mailsbestfriend.com Web: www.mailsbestfriend.com Authorized SmarterTools Reseller Authorized Message Sniffer Reseller
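A quick way to dry-run the two local.cf rules above against the headers posted in this thread before loading them into SpamAssassin. This is an added example, not code from the thread or from SpamAssassin; it re-implements the two rules in Python and assumes the "5.0 required" threshold shown in the X-SmarterMail-SpamDetail headers.

```python
import re
from email import message_from_string, policy

# The two local.cf rules proposed above, re-expressed as Python regexes.
# "A.M." is escaped here; in a SpamAssassin regex an unescaped "." matches any character.
RULES = {
    "FEDEX_SPAM_SUBJECT": ("Subject", r"Problems with item delivery|Problem with parcel shipping", 3.0),
    "FEDEX_SPAM_FROM": ("From", r"FedEx International MailService|FedEx 2Day A\.M\.", 3.0),
}
REQUIRED_SCORE = 5.0  # the "5.0 required" threshold printed in the X-SmarterMail-SpamDetail headers


def score_headers(raw_headers):
    """Apply RULES to one raw header block; return (total points, names of the rules that hit)."""
    # policy.default unfolds folded header lines, as SpamAssassin does before matching
    msg = message_from_string(raw_headers, policy=policy.default)
    total, hits = 0.0, []
    for name, (header, pattern, points) in RULES.items():
        if re.search(pattern, msg.get(header, ""), re.IGNORECASE):
            total += points
            hits.append(name)
    return total, hits


def is_spam(raw_headers):
    """True when these two rules alone push the message over the required score."""
    return score_headers(raw_headers)[0] >= REQUIRED_SCORE


# Header fragments copied from the messages posted in this thread (trimmed to the fields the rules read)
NOV_05 = (
    "Subject: Problems with item delivery, n.000289623\n"
    'From: "FedEx International MailService" <bobby.burns@partnersforcleanstreams.org>\n'
)
NOV_16 = (
    "Subject: Problems with item delivery,\n n.45892726\n"  # folded here on purpose to exercise unfolding
    'From: "FedEx 2Day A.M." <deborah.maddux@freemanwebb.com>\n'
)
# Constructed sample (not from the thread): the subject matches but the From: does not
ONLY_SUBJECT = (
    "Subject: Problems with item delivery of my order\n"
    'From: "Alice Example" <alice@example.org>\n'
)

if __name__ == "__main__":
    for label, raw in (("nov05", NOV_05), ("nov16", NOV_16), ("only_subject", ONLY_SUBJECT)):
        total, hits = score_headers(raw)
        print(f"{label}: {total:.1f} pts {hits} -> {'spam' if is_spam(raw) else 'below threshold'}")
```

Note that each rule on its own scores 3.0, below the 5.0 threshold, so a message is only tagged when both the Subject and From patterns hit (or other SpamAssassin rules contribute the rest).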
Eric Bourland Replied
Dear Linda, I'll try it out! Thank you so much. I hope your day is going very well. Eric
Linda Pagillo Replied
My pleasure, Eric! Have a great day!
Linda Pagillo Mail's Best Friend Email: linda.pagillo@mailsbestfriend.com Web: www.mailsbestfriend.com Authorized SmarterTools Reseller Authorized Message Sniffer Reseller
Bruce Barnes Replied
See: https://portal.chicagonettech.com/kb/a171/smartermail-antispam-settings-document.aspx And don't intermix with any other antispam programs or settings. New version to be posted upon release, and review, of SmarterMail 16.X
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phone: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
Eric Bourland Replied
Thank you, Bruce! Looking forward. =)
