Spam coming in says it is in Contact list but it isn't
Problem reported by Barbara Renowden - December 18, 2017 at 12:36 PM
Submitted
I have a client that is getting constant spam that she marks as spam but still gets the spam.  Then this morning she got an email that CommTouch says is 40 percent spam.  Should have been deleted per our rules.  However, the last line says it is in the contact list.  I have looked at her list and this email address does not exist in her contact list. here are the headers.
 
Return-Path: <gfgsgdgfd@kth.se>
Received: from clicsports.net (clicsports.net [199.115.100.70]) by mail.centricweb.net with SMTP;
Mon, 18 Dec 2017 12:37:59 -0600
MIME-Version: 1.0
Precedence: Normal
From: "Get it hard" <myuser@theirdomain.com>
To: myuser@theirdomain.com
Subject: :=?UTF-8?B?IOKdpO+4jyBT?==?UTF-8?B?aGUgc3Q=?==?UTF-8?B?YXJ0?==?UTF-8?B?ZWQgbGE=?==?UTF-8?B?dWdoaQ==?==?UTF-8?B?bmcgYW4=?==?UTF-8?B?ZCBjcg==?==?UTF-8?B?eWluZyBhdA==?==?UTF-8?B?IHRoZQ==?==?UTF-8?B?IHNhbQ==?==?UTF-8?B?ZSB0?==?UTF-8?B?aW1l?==?UTF-8?B?IC4uLg==?==?UTF-8?B?IOKdpO+4jw==?=
Content-Type: text/html
X-CTCH-RefId: str=0001.0A020202.5A36E429.003F,ss=4,sh,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=8
X-CTCH-AVLevel: Unknown
Message-ID: <8b7cc9bd5fc44f93990139633eb4a415@com>
X-Exim-Id: 8b7cc9bd5fc44f93990139633eb4a415
X-SmarterMail-Spam: Bayesian Filtering, Commtouch 40 [value: Confirmed], ISpamAssassin 0 [raw: 0], SPF_SoftFail, DK_None, DKIM_None
X-SmarterMail-TotalSpamWeight: 0 (Trusted Sender - Contact)
 
I am curious why it is looking at the from address rather than the returned path for valid sender?  Maybe it has always been this way but if it is looking at the from which is our user it automatically accepts the emails.  Or am I missing something here.

Barbara Renowden President / Co-Founder Centric Web, Inc. https://www.centricweb.com

7 Replies

Reply to Thread
0
echoDreamz Replied
This looks like an issue I had were I was getting email from "myself". https://portal.smartertools.com/community/a86864/why-not-validate-trusted-senders.aspx#100133 you can see my post here.

Christopher

0
Barbara Renowden Replied
It seems to be the same issue but I do have the latest update installed and these emails are still slipping by for some reason because it says it is coming from a trusted user.  So bad. 

Barbara Renowden President / Co-Founder Centric Web, Inc. https://www.centricweb.com

0
kevind Replied
This is a known issue and looks like it's being fixed. See:
https://portal.smartertools.com/community/a87739/vulnerability-local-domains-being-spoofed.aspx

Here's another thread on the subject:
https://portal.smartertools.com/community/a89857/spam-from-the-own-user.aspx
0
Matt Petty Replied
Employee Post
Hello Barbara,
 
We have some checks in place that will fail the trusted sender if there is a SPF_FAIL, SPF_SOFTFAIL, or DKIM_FAIL.
I tested this behavior on our server and these were the relevant headers.
X-SmarterMail-Spam: SPF_SoftFail, DKIM_None
X-SmarterMail-TotalSpamWeight: 3 (Trusted Sender - Contact, failed SPF)
The behavior you pointed out, was that on the latest release?
 
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Matt Petty Replied
Employee Post
Also if it is the case that you saw this behavior on the latest release, could you privately send me the full header unchanged?
I can run it through locally and potentially see why it did not fail the SPF-trusted sender check.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
echoDreamz Replied
Matt, I assume this means nothing if we block SMTP on SPF failures?

Christopher

0
Matt Petty Replied
Employee Post
If you block on SPF failures, this should not affect you. The trusted sender stuff happens later on during the delivery session, after SMTP.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com

Reply to Thread