
Anti-Spam Broke?

David_W
Rising Star
Posts: 2,297
Thanks: 30
Registered: 19-07-2007

Anti-Spam Broke?

I've noticed a marked increase in spam that is currently sitting in my email, including a phishing email from "paypal" including a .mht document which really should have been picked up by the AV side of things?
+ Update your profile now!
Guaranteed acceptance with Think Banking
Hurry, 36 EuroMillions entries £1 + 88 Lotto entri...
Make money and build a new career.
Enrollment request for [email], new training progr...
Fed up with the office? Train for a new trade
Win free laser eye surgery in February (two of them)
$114,220.19 in 21 days?
Of 37 emails, 8 are spam which is a major increase from my usual 0 spam.  My spam folder is still getting spam but I'm getting obvious spam in my inbox.
One odd thing on the paypal one, in the headers were:
X-chiyoda-MailScanner-Information: Please contact the ISP for more information
X-chiyoda-MailScanner-ID: p1OBeK0W024964
X-chiyoda-MailScanner: Found to be clean
X-chiyoda-MailScanner-SpamScore: sss
X-chiyoda-MailScanner-From: security@paypal.com
X-Spam-Status: No

But I don't know, others have different anti-spam messages in the headers, so no idea what is going on there.
25 REPLIES
Plusnet Alumni (retired) orbrey
Plusnet Alumni (retired)
Posts: 10,540
Registered: 18-07-2007

Re: Anti-Spam Broke?

Hi there,
Can't see any changes in your spam settings so the only thing we can think of here is a change in the spam itself (given that there haven't been many spam related complaints recently). We'll certainly keep an eye out though, and I'll see if anyone in the networks team has seen anything.
Superuser
Superuser
Posts: 9,769
Thanks: 1,151
Fixes: 63
Registered: 06-04-2007

Re: Anti-Spam Broke?

Perhaps those headers were added by the sender to make it look "genuine" to anyone taking a quick look at the headers?
David
pierre_pierre
Grafter
Posts: 19,757
Registered: 30-07-2007

Re: Anti-Spam Broke?

thought that myself as PN use Ironport and a google on the above - well Crazy
#
CHIYODA CORPORATION
Project & Program Management, Feasibility Studies, FEED , Engineering, Procurement, Construction, Commissioning, O &M and Asset Management.
www.chiyoda-corp.com/en/ - Cached - Similar
Job / Career
Middle East
Corporate Profile
Project

Construction
Organization
Directors & Officers
EPC Phase
More results from chiyoda-corp.com »
#
Join Site Staff | CHIYODA CORPORATION
Join Chiyoda projects on construction site for your career development. We ...
www.chiyoda-corp.com/en/recruit/ - Cached
Show more results from chiyoda-corp.com
#
Chiyoda, Tokyo - Wikipedia, the free encyclopedia
Chiyoda (千代田区, Chiyoda-ku) is one of the 23 special wards in central Tokyo, Japan. In English, it is called Chiyoda ward. As of October 2007, the ward ...
en.wikipedia.org/wiki/Chiyoda,_Tokyo - Cached - Similar
#
News for chiyoda
#
Chiyoda lands Browse FEED
2 days ago
A joint venture led by Japan's Chiyoda has been awarded the front-end engineering and design contract for the onshore component of Woodside Petroleum's ...
Upstream Online - 79 related articles
#
CHIYODA
17 Nov 2010 ... Chiyoda Tokyo - Chiyoda shopping, gardens, Chiyoda parks, Chiyoda shrines, entertainment, Chiyoda pictures and Chiyoda Hotels.
www.japaneselifestyle.com.au/tokyo/chiyoda.htm - Cached - Similar
David_W
Rising Star
Posts: 2,297
Thanks: 30
Registered: 19-07-2007

Re: Anti-Spam Broke?

I collected my mail with Outlook and currently have 4 mails on the server, 2 of which are spam.  Headers say it is going through Ironport.  I'm really not used to this level of spam at all really so to get this many probably means, err, global warming is to blame?
pierre_pierre
Grafter
Posts: 19,757
Registered: 30-07-2007

Re: Anti-Spam Broke?

these are the headers from a recent genuine PayPal, nothing like yours
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AsMDAPNuU00Mgos0bWdsb2JhbACCSwyBQwOTL44dFQ0JDAcNAgUhlkaBIIU0hDWBWQEBhjaCAFuBK4NSiGQBBAKEZHaFBZIX
X-IronPort-AV: E=McAfee;i="5400,1158,6252"; a="488107228"
X-IronPort-AV: E=Sophos;i="4.60,451,1291593600";
  d="scan'208,217";a="488107228"
Received: from om-paypal-eu1.rsys4.com ([12.130.139.52])
  by mx.pcl-ipin02.plus.net with ESMTP; 10 Feb 2011 12:55:22 +0000

Note it does say IronPort. Yours said CHIYODA
David_W
Rising Star
Posts: 2,297
Thanks: 30
Registered: 19-07-2007

Re: Anti-Spam Broke?

Full headers incoming!
Return-path: <security@paypal.com>
Envelope-to: my-email.address
Delivery-date: Thu, 24 Feb 2011 11:43:05 +0000
Received: from [212.159.7.38] (helo=mx.ptn-ipin03.plus.net)
  by inmx21.plus.net with esmtp (PlusNet MXCore v2.00) id 1PsZb3-00051x-4u
  for my-email.address; Thu, 24 Feb 2011 11:43:03 +0000
Received-SPF: PermError identity=pra; client-ip=210.187.82.35;
  receiver=mx.ptn-ipin03.plus.net;
  envelope-from="security@paypal.com";
  x-sender="security@paypal.com";
  x-conformance=sidf_compatible;
  x-record-type="spf2.0"
Received-SPF: SoftFail identity=mailfrom; client-ip=210.187.82.35;
  receiver=mx.ptn-ipin03.plus.net;
  envelope-from="security@paypal.com";
  x-sender="security@paypal.com";
  x-conformance=sidf_compatible;
  x-record-type="v=spf1"
Received-SPF: None identity=helo; client-ip=210.187.82.35;
  receiver=mx.ptn-ipin03.plus.net;
  envelope-from="security@paypal.com";
  x-sender="postmaster@mail.cipenang.com";
  x-conformance=sidf_compatible
X-SBRS: -0.5
X-IronPort-AV: E=McAfee;i="5400,1158,6266"; a="444829681"
X-IronPort-AV: E=Sophos;i="4.62,216,1297036800";
  d="mht'208?scan'208,208,217,147";a="444829681"
Received: from mail.cipenang.com ([210.187.82.35])
  by mx.ptn-ipin03.plus.net with ESMTP; 24 Feb 2011 11:42:56 +0000
Received: from User (ip-107-107-net.express.net.id [203.153.107.107])
(authenticated bits=0)
by mail.cipenang.com (8.14.3/8.14.3) with ESMTP id p1OBeK0W024964;
Thu, 24 Feb 2011 19:40:26 +0800
Message-Id: <201102241140.p1OBeK0W024964@mail.cipenang.com>
Reply-To: <no-reply@paypal.com>
From: "PayPal"<security@paypal.com>
Date: Thu, 24 Feb 2011 18:41:41 +0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_00E6_01C2A9A6.128A1C3C"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-chiyoda-MailScanner-Information: Please contact the ISP for more information
X-chiyoda-MailScanner-ID: p1OBeK0W024964
X-chiyoda-MailScanner: Found to be clean
X-chiyoda-MailScanner-SpamScore: sss
X-chiyoda-MailScanner-From: security@paypal.com
X-Spam-Status: No
To:
X-PN-Virus-Filtered: by PlusNet MXCore (v5.00)
X-PN-Spam-Filtered: by PlusNet MXCore (v5.00)
Subject: Update your profile now!

Just a visual inspection shouts spam to me, though it could be the X-chiyoda (Yoda? Star Wars?) is an outbound anti-spam which also wouldn't make much sense, actually, isn't it missing something?
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result

For some reason, PN's spam servers didn't scan it or am I misreading?
Superuser
Superuser
Posts: 9,769
Thanks: 1,151
Fixes: 63
Registered: 06-04-2007

Re: Anti-Spam Broke?

Yes, I would expect those two IronPort-Anti-Spam lines to immediately follow the X-SBRS: line (SenderBase Reputation Score). Since this is -0.5 it looks like the IronPorts were suspicious, but not suspicious enough (the SenderBase reputation of the sending mail server is Neutral).
From the headers it looks like spam checking is not being done, but antivirus is - I didn't think the latter could be "on" without the former. Do your MMM Spam settings look to be OK?
David
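Added example, not part of the original thread: one way to automate the header reading discussed above is to trust only the X- headers that sit above the lowest Received line written by the recipient's own servers, then check whether the IronPort anti-spam marker is among them. The function names and the `own_domain="plus.net"` default are assumptions for illustration, and the sample is an abridged copy of the headers posted earlier.

```python
import re
from email import message_from_string

# Constructed sample: an abridged copy of the headers posted above, same order.
SAMPLE = """\
Received: from [212.159.7.38] (helo=mx.ptn-ipin03.plus.net)
  by inmx21.plus.net with esmtp (PlusNet MXCore v2.00) id 1PsZb3-00051x-4u
  for my-email.address; Thu, 24 Feb 2011 11:43:03 +0000
X-SBRS: -0.5
X-IronPort-AV: E=McAfee;i="5400,1158,6266"; a="444829681"
Received: from mail.cipenang.com ([210.187.82.35])
  by mx.ptn-ipin03.plus.net with ESMTP; 24 Feb 2011 11:42:56 +0000
Received: from User (ip-107-107-net.express.net.id [203.153.107.107])
  by mail.cipenang.com (8.14.3/8.14.3) with ESMTP id p1OBeK0W024964;
  Thu, 24 Feb 2011 19:40:26 +0800
From: "PayPal"<security@paypal.com>
X-chiyoda-MailScanner: Found to be clean
X-Spam-Status: No
X-PN-Spam-Filtered: by PlusNet MXCore (v5.00)
Subject: Update your profile now!

"""

def by_host(received):
    """Host named in the 'by' clause of a Received header value."""
    m = re.search(r"\bby\s+([\w.-]+)", received)
    return m.group(1).lower() if m else ""

def analyse(raw, own_domain="plus.net"):
    """Split X- headers by whether they sit above the receiver's own hop."""
    headers = message_from_string(raw).items()
    boundary = -1
    for i, (name, value) in enumerate(headers):
        if name.lower() != "received":
            continue
        host = by_host(value)
        if host != own_domain and not host.endswith("." + own_domain):
            break  # first foreign hop: lines from here down may be sender-written
        boundary = i  # lowest Received line still written by our own servers
    trusted, unverified = [], []
    for i, (name, _) in enumerate(headers):
        if name.lower().startswith("x-"):
            (trusted if i < boundary else unverified).append(name)
    scanned = any(n.lower() == "x-ironport-anti-spam-filtered" for n in trusted)
    return {"trusted": trusted, "unverified": unverified, "antispam_scanned": scanned}

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

X-PN-Spam-Filtered also lands in the unverified list, because in the posted headers it sits below the sender's own lines and position alone cannot vouch for it.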
ChrisL
Grafter
Posts: 734
Thanks: 4
Registered: 13-12-2007

Re: Anti-Spam Broke?

Spam filtering must be switched on in MMM or you wouldn't get an SBRS, or this line:
Quote
X-PN-Spam-Filtered: by PlusNet MXCore (v5.00)

I'd have thought the only way to get these and yet avoid the 'X-Ironport-Anti-Spam-Result' would be a clear pass by the SenderBase filter (I think SBRS >= 7).  Anyway, something definitely amiss here....
Chris
robcr
Grafter
Posts: 30
Registered: 22-08-2007

Re: Anti-Spam Broke?

I've certainly noticed an increase in spam email received lately.
Community Veteran
Posts: 38,460
Thanks: 1,030
Fixes: 62
Registered: 15-06-2007

Re: Anti-Spam Broke?

I have been getting several spam emails recently with a blank subject and this typical content
Quote
From: From To: Ta_b let of happiness is here
http://www.aprender-ingles-inglaterra.com/10eptLWa3q.html. = Visit.
and this from the header
Quote
Return-path: <yesenarias@yahoo.com>
Envelope-to:me@username.plus.com
Delivery-date: Sun, 27 Feb 2011 23:19:50 +0000
Received: from [212.159.7.39] (helo=mx.ptn-ipin04.plus.net)
 by inmx12.plus.net with esmtp (PlusNet MXCore v2.00) id 1Ptpu2-0001MM-73
 for me@username.plus.com; Sun, 27 Feb 2011 23:19:50 +0000
Received-SPF: None identity=pra; client-ip=89.200.172.58;
 receiver=mx.ptn-ipin04.plus.net;
 envelope-from="yesenarias@yahoo.com";
 x-sender="";
 x-conformance=sidf_compatible
Received-SPF: None identity=mailfrom; client-ip=89.200.172.58;
 receiver=mx.ptn-ipin04.plus.net;
 envelope-from="yesenarias@yahoo.com";
 x-sender="yesenarias@yahoo.com";
 x-conformance=sidf_compatible
Received-SPF: None identity=helo; client-ip=89.200.172.58;
 receiver=mx.ptn-ipin04.plus.net;
 envelope-from="yesenarias@yahoo.com";
 x-sender="postmaster@server23";
 x-conformance=sidf_compatible
X-SBRS: -2.1
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AuuzADtqak1ZyKw6T2dsb2JhbAA2gU8BVoFIlAsBhluGXQUEXgEBFQwHGySqVI9QgSeDRHYE
X-IronPort-AV: E=McAfee;i="5400,1158,6270"; a="140278095"
X-IronPort-AV: E=Sophos;i="4.62,235,1297036800";
  d="scan'208";a="140278095"
Received: from server23.campusspeicher.de (HELO server23) ([89.200.172.58])
 by mx.ptn-ipin04.plus.net with SMTP; 27 Feb 2011 23:19:49 +0000
Received: (from apache@localhost)
by registration.acronis.com (8.13.1/8.13.1/Submit) id n63Bux5n019850;
Fri, 3 Jul 2010 07:56:59 -0400
Message-Id: <201007032256.n63BuT5n019850@registration.acronis.com>

Date: Fri, 3 Jul 2009 07:56:59 -0400
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
To:
X-PN-Virus-Filtered: by PlusNet MXCore (v5.00)
X-PN-Spam-Filtered: by PlusNet MXCore (v5.00)
Subject:
X-SpamFlt-Status: Spam
X-KASFlt-Status: Profiles 19584 [Feb 27 2011]
X-KASFlt-Status: Version: 4.4.2 (May 26 2010 17:02:10)
X-KASFlt-Status: Envelope from:
X-KASFlt-Status: {TO: header missing}
X-KASFlt-Status: {FROM: missing}
X-KASFlt-Status: Rate: 100
X-KASFlt-Status: Status: spam
X-KASFlt-Status: Method: headers
Why isn't the last part which identifies it as spam acted upon and what is Acronis doing there?
David_W
Rising Star
Posts: 2,297
Thanks: 30
Registered: 19-07-2007

Re: Anti-Spam Broke?

I think those headers are outgoing from yahoo webmail, I had similar spam from AOL which was also marked as spam by aol's headers, let me see if I can find it...
Date: Mon, 28 Feb 2011 05:36:25 -0500 (EST)
x-aol-global-disposition: S
X-SPAM-FLAG:YES
X-AOL-SCOLL-SCORE: 0:2:269530240:93952408 
X-AOL-SCOLL-URL_COUNT: 0 
X-AOL-REROUTE: YES
x-aol-sid: 3039ac1d290c4d6b7aa93926
X-PN-Virus-Filtered: by PlusNet MXCore (v5.00)
X-PN-Spam-Filtered: by PlusNet MXCore (v5.00)
Subject: re $944,627.77 in 27 min?

Kaspersky (or Outlook) picks it up as spam and chucks it into my junk mail folder.
ChrisL
Grafter
Posts: 734
Thanks: 4
Registered: 13-12-2007

Re: Anti-Spam Broke?

Quote from: Oldjim
Why isn't the last part which identifies it as spam acted upon and what is Acronis doing there?

Someone's Kaspersky filter (yours?) has identified this as spam; what it then does with it depends on the Kaspersky settings -- nothing to do with Plusnet.
The headers are a mess, aren't they?  I'll have a tentative go at unravelling them....  It looks as though the message originated with a robot using the @yahoo address over six months ago, then it was disposed of, and has recently been recovered by someone using the services of Acronis. Plusnet has received it via the German hosting service Campusspeicher.
It was examined by Plusnet's Ironport anti-spam device, which gave server23.campusspeicher a SenderBase Reputation Score of -2.1 (neutral) but did not identify the message as spam.  So the relevant question is: why did the Ironports let this garbage through?
Someone else may have a better take on all this than me...?
Best wishes
Chris
David_W
Rising Star
Posts: 2,297
Thanks: 30
Registered: 19-07-2007

Re: Anti-Spam Broke?

I'm seeing an increase too of emails from PN, the "An email addressed to you has been quarantined" mails.  Usually I see maybe 1 or 2 a year, currently have 3 sitting on the server, ordinarily they would be sent to the spam folder and not quarantined, right?
pierre_pierre
Grafter
Posts: 19,757
Registered: 30-07-2007

Re: Anti-Spam Broke?

it normally means that they think it has a virus payload