How'd this'un get thru?!
23-09-2014 11:25 AM
My email settings are:
Quote filter on
discard obvious spam on
tagging on
Move on
aggressiveness level 5
but on Sunday 2.44 a.m. I received a message that read, "http://gunluk.cucugen.com/snzi/kbanvtpgqgplnaglawh", supposedly from an acquaintance.
It looked suspicious and I know that person did not send it.
Below is the message source detail, modified for security, and I have bolded part. With that bolded detail in combination with my personal settings, I am surprised it was not dealt with as SPAM by Plusnet. Would someone care to comment?
Return-path: <xx@btinternet.com>
Envelope-to: gordon@xxx.plus.com
Delivery-date: Sun, 21 Sep 2014 01:46:00 +0100
Received: from [212.159.8.109] (helo=avasin11.plus.net)
by inmx15.plus.net with esmtp (PlusNet MXCore v2.00) id 1XVVHs-0002wA-2a
for gordon@xxx.plus.com; Sun, 21 Sep 2014 01:46:00 +0100
Received: from mx.jbecker.it ([88.198.50.210])
by avasin11.plus.net with Plusnet Cloudmark Gateway
id tclx1o0094Y6bFc01clzdf; Sun, 21 Sep 2014 01:46:00 +0100
X-CM-Score: 0.00
X-CNFS-Analysis: v=2.1 cv=f5PGBYCM c=1 sm=1 tr=0
a=2JqeM04a/UTO+FRjbZYD0Q==:117 a=2JqeM04a/UTO+FRjbZYD0Q==:17 a=0Bzu9jTXAAAA:8
a=hjPdqB9qeRoA:10 a=EqrLs1jmFqkA:10 a=jPJDawAOAc8A:10 a=HmCT5iXHAAAA:8
a=zh17ys4z5HAA:10 a=r77TgQKjGQsHNAKrUKIA:9 a=9iDbn-4jx3cA:10
a=cKsnjEOsciEA:10 a=KmFo4D3ZAAAA:8 a=t-dtldfcGpSYenyEj74A:9 a=wPNLvfGTeEIA:10
a=8bcMk9MsEi8A:10 a=20QZ6BNK6sIA:10 a=ftnrVCpXhah_o8fUY-wA:9
a=QEXdDO2ut3YA:10 a=_W_S_7VecoQA:10 a=xwcMUg_xXycA:10 a=HdbAwMqyR8wA:10
a=WkbPEsTqzGMA:10
Received: from [113.173.166.1] (helo=jbecker.it)
by mx.jbecker.it with esmtpa (Exim 4.69)
(envelope-from <judixxx@btinternet.com>)
id 1XVVGw-0006E2-7l; Sun, 21 Sep 2014 02:45:08 +0200
Message-ID: <52907FBAEE1A36CB96D0B994CE1EB2F6@jbecker.it>
From: "JUDITH PURSELL" <judixxx@btinternet.com>
To: "enquiries" <enquiries@xxxandminstermill.com>,
"10 addresses here
Date: Sat, 21 Sep 2014 01:44:22 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_BCB1_A78B897C.36800B7D"
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3522.110
X-MIMEOLE: Produced By Microsoft MimeOLE V16.4.3522.110
X-Spam-Score: 10.7 (++++++++++)
X-Spam-Report: Spam detection software, running on the system "mail", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.
Content preview: http://gunluk.cucugen.com/snzi/kbanvtpgqgplnaglawh http://gunluk.cucugen.com/snzi/kbanvtpgqgplnaglawh
[...]
Content analysis details: (10.7 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
-1.8 ALL_TRUSTED Passed through trusted hosts only via SMTP
3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
[score: 1.0000]
2.0 LOCALPART_IN_SUBJECT Local part of To: address appears in Subject
2.6 HTML_OBFUSCATE_10_20 BODY: Message is 10% to 20% HTML obfuscation
0.0 HTML_MESSAGE BODY: HTML included in message
0.7 MPART_ALT_DIFF BODY: HTML and text parts are different
2.2 TVD_SPACE_RATIO BODY: TVD_SPACE_RATIO
1.4 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars
X-PN-Virus-Filtered: by PlusNet MXCore (v5.00)
X-PN-Spam-Filtered: by PlusNet MXCore (v5.00)
Subject: =?ISO-8859-1?Q?Re=3A=09enquiries?=
X-Antivirus: AVG for E-mail 2014.0.4765 [4025/8247]
X-AVG-ID: ID2B3B016D-4F6819BD
This is a multi-part message in MIME format.
------=_NextPart_000_BCB1_A78B897C.36800B7D
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
http://gunluk.cucugen.com/snzi/kbanvtpgqgplnaglawh
-----
No virus found in this message.
Checked by AVG - www.avg.com
Version: 2014.0.4765 / Virus Database: 4025/8247 - Release Date: 09/20/14
------=_NextPart_000_BCB1_A78B897C.36800B7D
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
=EF=BB=BF<HTML><HEAD><META http-equiv=3D"content-type" content: text/html; =
charset=3DUTF-8></HEAD><BODY>http://gunluk.cucugen.com/snzi/kbanvtpgqgplnag=
lawh</BODY><a></a><p class=3D""avgcert"" align=3D"left" color=3D"#000000">N=
o virus found in this message.<br>
Checked by AVG - <a href=3D'http://www.avg.com'>www.avg.com</a><br>
Version: 2014.0.4765 / Virus Database: 4025/8247 - Release Date: 09/20/14</=
p></HTML>
------=_NextPart_000_BCB1_A78B897C.36800B7D--
No one has to agree with my opinion, but in the time I have left a miracle would be nice.
Message 1 of 6
Re: How'd this'un get thru?!
23-09-2014 11:56 AM
Put simply, neither the IP address the email has originated from nor the URL in the body is considered 'bad' by Cloudmark (yet). The email hasn't been sent from a compromised Windows machine (it's been sent from a valid mail host by the looks of things) and the mail hasn't fallen foul of other common spam traits like missing/invalid SPF/DKIM records etc.
Bob Pullen
Plusnet Product Team
Message 2 of 6
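Added example, not part of the thread and not Plusnet's tooling: a Python reading of the header lines quoted in the opening post. It orders the Received chain oldest first, finds the hop where Plusnet's own servers took delivery (the connecting address a receiving filter can judge on reputation), and returns the two score headers side by side. The `.plus.net` suffix test and all function names are assumptions of the example.

```python
import re
from email import message_from_string

# Header lines copied from the message source in the opening post
# (redactions kept); folded lines carry a leading tab as on the wire.
RAW = (
    'Received: from [212.159.8.109] (helo=avasin11.plus.net)\n'
    '\tby inmx15.plus.net with esmtp (PlusNet MXCore v2.00) id 1XVVHs-0002wA-2a\n'
    '\tfor gordon@xxx.plus.com; Sun, 21 Sep 2014 01:46:00 +0100\n'
    'Received: from mx.jbecker.it ([88.198.50.210])\n'
    '\tby avasin11.plus.net with Plusnet Cloudmark Gateway\n'
    '\tid tclx1o0094Y6bFc01clzdf; Sun, 21 Sep 2014 01:46:00 +0100\n'
    'X-CM-Score: 0.00\n'
    'Received: from [113.173.166.1] (helo=jbecker.it)\n'
    '\tby mx.jbecker.it with esmtpa (Exim 4.69)\n'
    '\t(envelope-from <judixxx@btinternet.com>)\n'
    '\tid 1XVVGw-0006E2-7l; Sun, 21 Sep 2014 02:45:08 +0200\n'
    'X-Spam-Score: 10.7 (++++++++++)\n'
    '\n'
)
MSG = message_from_string(RAW)
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def hops(msg):
    """Received chain, oldest hop first: (client_ip, by_host, with_token)."""
    chain = []
    for value in reversed(msg.get_all("Received", [])):
        m = re.search(r"from (.*?) by (\S+) with (\S+)", " ".join(value.split()))
        if m:
            ip = IPV4.search(m.group(1))
            chain.append((ip.group(1) if ip else None, m.group(2), m.group(3)))
    return chain

def border_hop(msg, own_suffix=".plus.net"):
    """First hop written by the recipient's own servers. Hops older than this
    were written by other systems and cannot be verified by the recipient."""
    return next((h for h in hops(msg) if h[1].endswith(own_suffix)), None)

def verdicts(msg):
    """Numeric value of each spam-score header present in the message."""
    names = ("X-CM-Score", "X-Spam-Score")
    return {n: float(msg[n].split()[0]) for n in names if msg[n]}

if __name__ == "__main__":
    for hop in hops(MSG):
        print(hop)
    print("Address the receiving ISP saw:", border_hop(MSG)[0])
    print(verdicts(MSG))
```

`esmtpa` on the oldest hop is the Received-line keyword for an authenticated ESMTP session (RFC 3848), and every hop older than the border hop was written by systems outside the recipient's control.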
Re: How'd this'un get thru?!
23-09-2014 12:30 PM
Thanks for the reply! I'm not sure which URL you mean, but even if it's not particularly relevant, becker.it is on 11 RBL blacklists.
No one has to agree with my opinion, but in the time I have left a miracle would be nice.
Message 3 of 6
Re: How'd this'un get thru?!
23-09-2014 12:35 PM
A quick lookup of 88.198.50.21 against 87 blacklists only lists it on Barracuda for me. The URL I was referring to was the cucugen.com one.
Bob Pullen
Plusnet Product Team
Message 4 of 6
Re: How'd this'un get thru?!
23-09-2014 3:41 PM
FWLIW I used this http://dawhois.com/rbl_check/?query=88.198.50.210&p=5. which I plucked out of the air. The 11 comes after clicking on the RBL tab.
Edit
Bob The last part of the address I gave was 210. You had 21.
No one has to agree with my opinion, but in the time I have left a miracle would be nice.
Message 5 of 6
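Added example, not from the thread: how a DNSBL lookup for the two addresses mentioned above is formed, in Python. Each address becomes a different DNS name, so a check of 88.198.50.21 says nothing about 88.198.50.210. The zone list, function names and the stub resolver's data are assumptions of the example; the stub stands in for DNS so the block runs offline and does not reflect real listing state.

```python
import ipaddress
import socket

# Public DNSBL zones picked for the example; the thread names only Barracuda.
ZONES = ("b.barracudacentral.org", "zen.spamhaus.org")

def dnsbl_name(ip, zone):
    """DNSBL query name: IPv4 octets reversed, then the list's zone (RFC 5782)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # rejects malformed input
    return ".".join(reversed(octets)) + "." + zone

def is_listed(ip, zone, resolve=socket.gethostbyname):
    """True when the zone returns an A record in 127.0.0.0/8 for the address."""
    try:
        answer = ipaddress.IPv4Address(resolve(dnsbl_name(ip, zone)))
    except (socket.gaierror, ValueError):
        # No usable answer. gaierror also covers resolver failure, so a
        # production check should tell NXDOMAIN apart from an outage.
        return False
    # 127.255.255.x is how Spamhaus signals a refused or broken query, not a hit
    if answer in ipaddress.IPv4Network("127.255.255.0/24"):
        raise RuntimeError(f"{zone} refused the query ({answer})")
    return answer in ipaddress.IPv4Network("127.0.0.0/8")

def check(ip, zones=ZONES, resolve=socket.gethostbyname):
    """Zones that list the address."""
    return [z for z in zones if is_listed(ip, z, resolve)]

def stub_resolver(listed_names):
    """Offline stand-in for DNS: answers 127.0.0.2 for names in the set."""
    def resolve(name):
        if name in listed_names:
            return "127.0.0.2"
        raise socket.gaierror("NXDOMAIN (constructed)")
    return resolve

if __name__ == "__main__":
    # Constructed data, not real listing state.
    fake = stub_resolver({dnsbl_name("88.198.50.210", ZONES[0])})
    for ip in ("88.198.50.210", "88.198.50.21"):  # the two addresses in the thread
        print(ip, dnsbl_name(ip, ZONES[0]), check(ip, resolve=fake))
```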
Re: How'd this'un get thru?!
23-09-2014 8:23 PM
Ah yeah, Cloudmark still doesn't see it as nasty though 

CSI is not currently publishing reputation for this IP address.
Bob Pullen
Plusnet Product Team
Message 6 of 6