Messaging Gateway

  • 1.  spam from hotmail

    Posted Jun 13, 2010 10:20 AM
    We have been receiving a lot of spam lately. Typical message headers look like these:
    
    
    Received: from BMGATEWAY (192.168.168.7) by servzen-clt.zenmonics.local
     (192.168.168.10) with Microsoft SMTP Server id 8.1.436.0; Sun, 13 Jun 2010
     05:46:19 -0400
    X-AuditID: c0a8a807-b7c28ae000001197-16-4c14a977ffcc
    Received: from snt0-omc2-s2.snt0.hotmail.com (snt0-omc2-s2.snt0.hotmail.com
     [65.55.90.77]) by BMGATEWAY (Symantec Brightmail Gateway) with SMTP id
     55.71.04503.779A41C4; Sun, 13 Jun 2010 05:48:40 -0400 (EDT)
    Received: from SNT134-W8 ([65.55.90.73]) by snt0-omc2-s2.snt0.hotmail.com with
     Microsoft SMTPSVC(6.0.3790.4675);  Sun, 13 Jun 2010 02:48:39 -0700
    Message-ID: <SNT134-w89F7B9CAD95329C77705CB6DB0@phx.gbl>
    Return-Path: nancypzgkcsqe@hotmail.com
    Content-Type: multipart/alternative;
     boundary="_ea8b06ad-7764-4aa0-aaf8-cd5bcae7a940_"
    X-Originating-IP: [116.43.87.53]
    From: Nancy Miller <nancypzgkcsqe@hotmail.com>
    To: <zap@zenn.co.uk>
    Subject: Adobe&CorelIaetstReeIsaes,DowonIadHere
    Date: Sun, 13 Jun 2010 09:48:38 +0000
    Importance: Normal
    MIME-Version: 1.0
    X-OriginalArrivalTime: 13 Jun 2010 09:48:39.0286 (UTC) FILETIME=[99B29960:01CB0ADD]
    X-Brightmail-Tracker: AAAABBSiMfcUoj3/FKLAxhSi9W4=
    
    ---------------------------


    The spammer is using BCC fields and a fake email address. 

    Is there a way to write a filter to inspect the X-Originating-IP field in the message headers? I would like to reject messages that have X-Originating-IP addresses that are 'Global Bad Senders'.

    I don't know why Brightmail is not already rejecting these messages.

    Please help.


  • 2.  RE: spam from hotmail

    Posted Jun 13, 2010 03:42 PM

    zenmonics,

    You can easily write a compliance policy that looks for that specific header in emails. Chances are the emails are not getting blocked because they are "new" spam. I would highly recommend submitting them as missed spam.


  • 3.  RE: spam from hotmail

    Posted Jun 14, 2010 10:42 AM

    Hi Zenmonics,

    May I know how you know the spammers are using the BCC fields?




  • 4.  RE: spam from hotmail

    Posted Jun 14, 2010 03:16 PM
    Go to Reputation, Policies, Bad Senders, Local Bad Senders IPs,
    and add the IP 116.43.87.53.

    Hope this helps.


  • 5.  RE: spam from hotmail

    Posted Jun 14, 2010 04:34 PM

    He would know because his users are reporting that their e-mail address was not displayed. If you look at his example, the To header is "To: <zap@zenn.co.uk>", but his domain, zenmonics, is in the US and India, while zenn.co.uk is in the UK.


  • 6.  RE: spam from hotmail

    Posted Jun 15, 2010 10:08 AM

    Hi,

    You can only reject messages based on the connecting IP. It would technically be possible to filter at content scanning time on the X-Originating-IP, however there are a number of barriers:

    1) This header is completely optional and may not be present on all messages.
    2) It can be easily forged, or a proxy can be used.
    3) If present and not forged, blocking based on this IP may cause false positives. Over 80% of spam globally is sent using botnets - many IP blacklists identify either infected machines or machines which are not properly configured mail servers. However these IPs may also send legitimate email via proper mail servers.

    Where spammers are abusing legitimate mail services, filtering based on content becomes more important. I would recommend enabling the Probe Participation feature in Symantec Brightmail Gateway version 9 to provide Symantec with as much visibility as possible into local spam patterns so that filters can be created. You can also submit the missed spam manually, but obviously this is more work and introduces a delay.

    Best regards,
    Amanda
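The distinction Amanda draws above (reject on the connecting IP, treat X-Originating-IP only as content-scan input) can be checked against the headers from the first post. The script below is an added example, not code from this thread or from Symantec; it assumes BMGATEWAY and servzen-clt.zenmonics.local are the only hosts we operate, and the sample headers are constructed from those quoted in post 1.

```python
import re
from email import message_from_string

# Constructed sample: the Received and X-Originating-IP headers quoted in post 1.
SAMPLE = """\
Received: from BMGATEWAY (192.168.168.7) by servzen-clt.zenmonics.local
 (192.168.168.10) with Microsoft SMTP Server id 8.1.436.0; Sun, 13 Jun 2010
 05:46:19 -0400
Received: from snt0-omc2-s2.snt0.hotmail.com (snt0-omc2-s2.snt0.hotmail.com
 [65.55.90.77]) by BMGATEWAY (Symantec Brightmail Gateway) with SMTP id
 55.71.04503.779A41C4; Sun, 13 Jun 2010 05:48:40 -0400 (EDT)
Received: from SNT134-W8 ([65.55.90.73]) by snt0-omc2-s2.snt0.hotmail.com with
 Microsoft SMTPSVC(6.0.3790.4675);  Sun, 13 Jun 2010 02:48:39 -0700
X-Originating-IP: [116.43.87.53]
"""

# Assumption: hosts we operate; only a "by" clause written by these is trusted.
TRUSTED_HOSTS = {"BMGATEWAY", "servzen-clt.zenmonics.local"}
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
HOP_RE = re.compile(r"from (\S+) (?:\((.*?)\) )?by (\S+)")

def hops(raw):
    """(from_host, from_ip, by_host) per Received header, newest first."""
    out = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.match(" ".join(value.split()))  # unfold continuation lines
        if m:
            ips = IP_RE.findall(m.group(2) or "")
            out.append((m.group(1), ips[0] if ips else None, m.group(3)))
    return out

def connecting_ip(raw):
    """First hop a trusted host logged from an untrusted one; the sender cannot forge it."""
    for from_host, from_ip, by_host in hops(raw):
        if by_host in TRUSTED_HOSTS and from_host not in TRUSTED_HOSTS:
            return from_ip
    return None

def originating_ip(raw):
    """X-Originating-IP is optional and sender-controlled: a hint, not proof."""
    m = IP_RE.search(message_from_string(raw).get("X-Originating-IP", ""))
    return m.group(1) if m else None

def classify(raw, bad_sender_ips):
    """Mirror the gateway: reject only on connecting IP; header match is a flag."""
    if connecting_ip(raw) in bad_sender_ips:
        return "reject"  # Local Bad Senders IP match at connection time
    if originating_ip(raw) in bad_sender_ips:
        return "flag"    # compliance-policy hit on a forgeable header: score/quarantine
    return "accept"
```

Adding 116.43.87.53 to Local Bad Senders (post 4) never rejects this message, because the host that connected to BMGATEWAY was Hotmail's 65.55.90.77; the header match can only feed a compliance policy.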