SPAM that masquerades as internal e-mail
BobH

Messages: 123
Karma: 0
For the last month plus we've been getting a lot of SPAM that shows as an internal e-mail, mainly Viagra ads. I've included the source printout for reference. This one shows that I sent it to myself, but it's just as likely to get one of these with an address of someone else in our mail domain.

I've been hoping the spam filter would adjust and start catching these things but that doesn't appear to be happening.

Anyone else getting these? If so, have you been able to come up with a technique or setting to catch these?

Thanks.


************* SPAM EXAMPLE **************************

Return-Path: <bhartung<_at_>wiscoind.com>
X-Envelope-To: bhartung<_at_>wiscoind.com
Date: Mon, 1 Feb 2010 12:12:38 -0600
X-Spam-Status: No, hits=0.0 required=1.0
tests=BAYES_99: 4.07,HTML_IMAGE_ONLY_08: 1.787,HTML_MESSAGE: 0.001,
HTML_SHORT_LINK_IMG_1: 0.001,MIME_HTML_ONLY: 0.001,MISSING_DATE: 0.001,
MISSING_MID: 0.001,RDNS_NONE: 0,TVD_SPACE_RATIO: 2.219,
URI_HEX: 0.368,CUSTOM_RULE_FROM: ALLOW,TOTAL_SCORE: 8.449,autolearn=no
X-Spam-Level:
Received: from allwebsales.be ([79.165.178.29])
by mail.wiscoind.com (Kerio MailServer 6.7.3)
for bhartung<_at_>wiscoind.com;
Mon, 1 Feb 2010 12:12:36 -0600
To: <bhartung<_at_>wiscoind.com>
Subject: Delivery Status Notification
From: <bhartung<_at_>wiscoind.com>
MIME-Version: 1.0
Importance: High
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
</HEAD>
<BODY><a href="http://cid-58752be3db3760e3.spaces.live.com" target="_blank">
<img src=" http://6prorw.blu.livefilestore.com/y1pjCUjjpx-n7JTnIomeiw_R aFlYpiS-3BBxWBOA77ba7j7FllTKseuxuzct3rEtvCuZS0BFihaavtVWcnoS MDWCGi77qu9OgIW/1.jpg" border=0 alt="Having trouble viewing this email? Click
here to view as a webpage."></a></BODY></HTML>
altivec

Messages: 98

Karma: 0
You've got to enable an SPF record on your DNS and then activate the DNS feature in the SPAM list.

Since 2009 we had a lot of spam like this until we had SPF on.
Now nothing passes and spam went down amazingly.

KMS1 6.7.2: Xserve 10.5.8 - 150 users
KMS2 6.7.2: Xserve 10.5.8 - 50 users
KMS3 6.7.2: Xserve 10.5.8 - 10 users/MX BackUp
KMS4 Beta: Xserve 10.5.8 - MX BackUp2
iPhone/WindowsMobile/Blackberry/Nokia

KWF Beta: HP DL380 on ESXi 4.0 - 60 users
TorW

Messages: 769
Karma: 9
Why do you have a custom rule allowing this through based on the From: header? The rest of the spam score would have filtered it to the Junk mail folder, or even rejected it. Also, the sending IP is in Spamhaus PBL and would have been rejected if you had zen.spamhaus.org as DNSBL.
altivec

Messages: 98

Karma: 0
Trust me, those annoying Viagra messages use the user's e-mail address and always pass through.

Changing title, changing content, sometimes with images instead of text, etc.
There is no way with "Custom Rules" or SpamList that he would get around it.

SPF is the way to go, and it gets rid easily of 50% of the spam before it even gets into the system.

KMS1 6.7.2: Xserve 10.5.8 - 150 users
KMS2 6.7.2: Xserve 10.5.8 - 50 users
KMS3 6.7.2: Xserve 10.5.8 - 10 users/MX BackUp
KMS4 Beta: Xserve 10.5.8 - MX BackUp2
iPhone/WindowsMobile/Blackberry/Nokia

KWF Beta: HP DL380 on ESXi 4.0 - 60 users
freakinvibe

Messages: 1524
Karma: 60
Quote:
tests=BAYES_99: 4.07,HTML_IMAGE_ONLY_08: 1.787,HTML_MESSAGE: 0.001,
HTML_SHORT_LINK_IMG_1: 0.001,MIME_HTML_ONLY: 0.001,MISSING_DATE: 0.001,
MISSING_MID: 0.001,RDNS_NONE: 0,TVD_SPACE_RATIO: 2.219,
URI_HEX: 0.368,CUSTOM_RULE_FROM: ALLOW,TOTAL_SCORE: 8.449,autolearn=no


This shows that the mail would be classified as spam because the spam score is 8.449. But the line below tells that you have a custom rule that overrides the Spam check:

CUSTOM_RULE_FROM: ALLOW

This means that you have set a rule that skips the Spam check for any mail that comes from your domain (or address). This rule is not necessary, just delete it. If this rule stays in your config, even SPF won't help.

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
BobH

Messages: 123
Karma: 0
You are correct. I did create a custom rule to allow internal e-mails to be passed. I had an issue where someone had identified an internal user as a source of spam and messages were not being legitimately processed. I guess I was not aware of the tremendous amount of "spoofing" going on with internal e-mail addresses.

Since trusting your own domain doesn't work, I'll have to figure out a different method for dealing with blocked internal e-mail.

Thanks.
freakinvibe

Messages: 1524
Karma: 60
Quote:
I did create a custom rule to allow internal e-mails to be passed. I had an issue where someone had identified an internal user as a source of spam and messages were not being legitimately processed.

You should not use such a rule to allow internal mails. Try to add your local client subnet to the list of trusted IP addresses in the relay options. And allow only authenticated SMTP connections for sending outbound mails.

Also, setting the Spam threshold to 1.0 seems too low to me. Set it to 5.0. You should also add blacklists like Spamhaus to add a score of 2.0 or 3.0. And use SPF to accept only e-mail with your domain as sender address that comes from your mail server.

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
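The two points made in the replies above (the From:-based allow rule overriding an 8.449 score, and the fix: trust internal mail by its origin, not its sender address, then raise the threshold, add a DNSBL score and check SPF) can be modelled in a few lines. The following is an added example, not Kerio code and not posted by anyone in the thread: it parses the X-Spam-Status header quoted above (addresses de-obfuscated), verifies that the listed test scores add up to TOTAL_SCORE, and evaluates the sample under both policies. The trusted subnet and the SPF-authorized server IP are assumed placeholders, and the SPF check is a simplified origin-IP comparison rather than a real DNS lookup.

```python
import ipaddress
import re

# Values taken from the message quoted in this thread.
LOCAL_DOMAIN = "wiscoind.com"
SAMPLE_FROM = "<bhartung@wiscoind.com>"
SAMPLE_SOURCE_IP = "79.165.178.29"
SAMPLE_SPAM_STATUS = (
    "No, hits=0.0 required=1.0 tests=BAYES_99: 4.07,HTML_IMAGE_ONLY_08: 1.787,"
    "HTML_MESSAGE: 0.001,HTML_SHORT_LINK_IMG_1: 0.001,MIME_HTML_ONLY: 0.001,"
    "MISSING_DATE: 0.001,MISSING_MID: 0.001,RDNS_NONE: 0,TVD_SPACE_RATIO: 2.219,"
    "URI_HEX: 0.368,CUSTOM_RULE_FROM: ALLOW,TOTAL_SCORE: 8.449,autolearn=no"
)
# Assumed, not from the thread: the office LAN and the one host SPF would authorize.
TRUSTED_SUBNET = ipaddress.ip_network("192.168.1.0/24")
MAIL_SERVER_IPS = {ipaddress.ip_address("203.0.113.25")}


def parse_spam_status(header):
    """Return (sum of per-test scores, TOTAL_SCORE, CUSTOM_RULE_FROM value or None)."""
    tests = header.split("tests=", 1)[1]
    hits = re.findall(r"([A-Z0-9_]+):\s*(-?\d+(?:\.\d+)?)", tests)
    summed = round(sum(float(v) for k, v in hits if k != "TOTAL_SCORE"), 3)
    total = float(dict(hits)["TOTAL_SCORE"])
    rule = re.search(r"CUSTOM_RULE_FROM:\s*(\w+)", tests)
    return summed, total, rule.group(1) if rule else None


def from_domain(addr):
    return addr.strip("<> ").rsplit("@", 1)[1].lower()


def weak_policy(from_addr, header, threshold=1.0):
    """The rule the thread found: a local-domain From: skips the spam check entirely."""
    if from_domain(from_addr) == LOCAL_DOMAIN:
        return "accept"  # CUSTOM_RULE_FROM: ALLOW wins, the 8.449 score is never consulted
    return "junk" if parse_spam_status(header)[1] >= threshold else "accept"


def hardened_policy(from_addr, source_ip, authenticated, header,
                    threshold=5.0, dnsbl_listed=False, dnsbl_score=3.0):
    """The replies' advice: trust internal mail by origin, not by From:; reject local-domain
    senders from hosts SPF would not authorize; score everything else at a 5.0 threshold."""
    ip = ipaddress.ip_address(source_ip)
    if ip in TRUSTED_SUBNET or authenticated:
        return "accept"  # genuine internal submission, spam check not needed
    if from_domain(from_addr) == LOCAL_DOMAIN and ip not in MAIL_SERVER_IPS:
        return "reject"  # SPF-style check: claims our domain but came from elsewhere
    total = parse_spam_status(header)[1] + (dnsbl_score if dnsbl_listed else 0.0)
    return "junk" if total >= threshold else "accept"
```

Run against the quoted message, the weak policy accepts it on the strength of the From: header alone, while the hardened policy rejects it because a wiscoind.com sender arrived from 79.165.178.29, a host the domain's SPF would not authorize.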