How'd this'un get thru?!

Luzern
Seasoned Pro
Posts: 3,378
Thanks: 351
Fixes: 3
Registered: 31-07-2007

How'd this'un get thru?!

My email settings are:
Quote
filter: on
discard obvious spam: on
tagging: on
Move: on
aggressiveness level: 5
but on Sunday at 2.44 a.m. I received a message that read "http://gunluk.cucugen.com/snzi/kbanvtpgqgplnaglawh", supposedly from an acquaintance.
It looked suspicious and I know that person did not send it.
Below is the message source detail, modified for security, and I have bolded part of it. With that bolded detail in combination with my personal settings, I am surprised it was not dealt with as SPAM by Plusnet. Would someone care to comment?

Return-path: <xx@btinternet.com>
Envelope-to: gordon@xxx.plus.com
Delivery-date: Sun, 21 Sep 2014 01:46:00 +0100
Received: from [212.159.8.109] (helo=avasin11.plus.net)
  by inmx15.plus.net with esmtp (PlusNet MXCore v2.00) id 1XVVHs-0002wA-2a
  for gordon@xxx.plus.com; Sun, 21 Sep 2014 01:46:00 +0100
Received: from mx.jbecker.it ([88.198.50.210])
  by avasin11.plus.net with Plusnet Cloudmark Gateway
  id tclx1o0094Y6bFc01clzdf; Sun, 21 Sep 2014 01:46:00 +0100
X-CM-Score: 0.00
X-CNFS-Analysis: v=2.1 cv=f5PGBYCM c=1 sm=1 tr=0
  a=2JqeM04a/UTO+FRjbZYD0Q==:117 a=2JqeM04a/UTO+FRjbZYD0Q==:17 a=0Bzu9jTXAAAA:8
  a=hjPdqB9qeRoA:10 a=EqrLs1jmFqkA:10 a=jPJDawAOAc8A:10 a=HmCT5iXHAAAA:8
  a=zh17ys4z5HAA:10 a=r77TgQKjGQsHNAKrUKIA:9 a=9iDbn-4jx3cA:10
  a=cKsnjEOsciEA:10 a=KmFo4D3ZAAAA:8 a=t-dtldfcGpSYenyEj74A:9 a=wPNLvfGTeEIA:10
  a=8bcMk9MsEi8A:10 a=20QZ6BNK6sIA:10 a=ftnrVCpXhah_o8fUY-wA:9
  a=QEXdDO2ut3YA:10 a=_W_S_7VecoQA:10 a=xwcMUg_xXycA:10 a=HdbAwMqyR8wA:10
  a=WkbPEsTqzGMA:10
Received: from [113.173.166.1] (helo=jbecker.it)
  by mx.jbecker.it with esmtpa (Exim 4.69)
  (envelope-from <judixxx@btinternet.com>)
  id 1XVVGw-0006E2-7l; Sun, 21 Sep 2014 02:45:08 +0200
Message-ID: <52907FBAEE1A36CB96D0B994CE1EB2F6@jbecker.it>
From: "JUDITH PURSELL" <judixxx@btinternet.com>
To: "enquiries" <enquiries@xxxandminstermill.com>,
  "10 addresses here
Date: Sat, 21 Sep 2014 01:44:22 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary="----=_NextPart_000_BCB1_A78B897C.36800B7D"
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3522.110
X-MIMEOLE: Produced By Microsoft MimeOLE V16.4.3522.110
X-Spam-Score: 10.7 (++++++++++)
X-Spam-Report: Spam detection software, running on the system "mail", has
  identified this incoming email as possible spam.  The original message
  has been attached to this so you can view it (if it isn't spam) or label
  similar future email.  If you have any questions, see
  the administrator of that system for details.
  Content preview:  http://gunluk.cucugen.com/snzi/kbanvtpgqgplnaglawh http://gunluk.cucugen.com/snzi/kbanvtpgqgplnaglawh
  [...]
  Content analysis details:  (10.7 points, 5.0 required)
  pts rule name              description
  ---- ---------------------- --------------------------------------------------
  -1.8 ALL_TRUSTED            Passed through trusted hosts only via SMTP
  3.5 BAYES_99              BODY: Bayesian spam probability is 99 to 100%
  [score: 1.0000]
  2.0 LOCALPART_IN_SUBJECT  Local part of To: address appears in Subject
  2.6 HTML_OBFUSCATE_10_20  BODY: Message is 10% to 20% HTML obfuscation
  0.0 HTML_MESSAGE          BODY: HTML included in message
  0.7 MPART_ALT_DIFF        BODY: HTML and text parts are different
  2.2 TVD_SPACE_RATIO        BODY: TVD_SPACE_RATIO
  1.4 MIME_QP_LONG_LINE      RAW: Quoted-printable line longer than 76 chars
X-PN-Virus-Filtered: by PlusNet MXCore (v5.00)
X-PN-Spam-Filtered: by PlusNet MXCore (v5.00)
Subject: =?ISO-8859-1?Q?Re=3A=09enquiries?=
X-Antivirus: AVG for E-mail 2014.0.4765 [4025/8247]
X-AVG-ID: ID2B3B016D-4F6819BD

This is a multi-part message in MIME format.
------=_NextPart_000_BCB1_A78B897C.36800B7D
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

http://gunluk.cucugen.com/snzi/kbanvtpgqgplnaglawh

-----
No virus found in this message.
Checked by AVG - www.avg.com
Version: 2014.0.4765 / Virus Database: 4025/8247 - Release Date: 09/20/14
------=_NextPart_000_BCB1_A78B897C.36800B7D
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

=EF=BB=BF<HTML><HEAD><META http-equiv=3D"content-type" content: text/html; =
charset=3DUTF-8></HEAD><BODY>http://gunluk.cucugen.com/snzi/kbanvtpgqgplnag=
lawh</BODY><a></a><p class=3D""avgcert"" align=3D"left" color=3D"#000000">N=
o virus found in this message.<br>
Checked by AVG - <a href=3D'http://www.avg.com'>www.avg.com</a><br>
Version: 2014.0.4765 / Virus Database: 4025/8247 - Release Date: 09/20/14</=
p></HTML>

------=_NextPart_000_BCB1_A78B897C.36800B7D--


No one has to agree with my opinion, but in the time I have left a miracle would be nice.
5 REPLIES
Community Gaffer
Posts: 13,423
Thanks: 1,182
Fixes: 92
Registered: 04-04-2007

Re: How'd this'un get thru?!

Put simply, neither the IP address the email has originated from, nor the URL in the body are considered as 'bad' by Cloudmark (yet). The email hasn't been sent from a compromised Windows machine (it's been sent from a valid mail host by the looks of things) and the mail hasn't fallen foul to other common spam traits like missing/invalid SPF/DKIM records etc.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵
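The header dump in the opening post and Bob's explanation of the two filters' verdicts both come down to a handful of header fields: the Received chain (which hop the mail actually originated from and how it was accepted), the upstream SpamAssassin-style X-Spam-Report with its 10.7-point tally, and the Plusnet gateway's X-CM-Score of 0.00. The following is an added example, not Plusnet's, Cloudmark's or SpamAssassin's code, that pulls those fields out of a header block and puts the two verdicts side by side; the sample header is constructed from the headers quoted above (addresses masked as they were there, body and URL left out), and the reading of Exim's "esmtpa" tag as an authenticated SMTP session is the one assumption beyond the page.

```python
"""Summarise the anti-spam evidence already present in a message's headers.

Added example for this thread, not Plusnet's, Cloudmark's or SpamAssassin's
code. It walks the Received chain oldest-first, parses the rule table of a
SpamAssassin-style X-Spam-Report and sets that verdict beside the gateway's
X-CM-Score, so a mailbox-side rule can alert when the two disagree.
"""
import re
from email import message_from_string

# Constructed sample: header names, hops and scores follow the headers quoted
# in the opening post (addresses masked as they were there); body and URL omitted.
SAMPLE_HEADERS = """\
Return-path: <xx@btinternet.com>
Envelope-to: gordon@xxx.plus.com
Received: from [212.159.8.109] (helo=avasin11.plus.net)
  by inmx15.plus.net with esmtp (PlusNet MXCore v2.00) id 1XVVHs-0002wA-2a
  for gordon@xxx.plus.com; Sun, 21 Sep 2014 01:46:00 +0100
Received: from mx.jbecker.it ([88.198.50.210])
  by avasin11.plus.net with Plusnet Cloudmark Gateway
  id tclx1o0094Y6bFc01clzdf; Sun, 21 Sep 2014 01:46:00 +0100
X-CM-Score: 0.00
Received: from [113.173.166.1] (helo=jbecker.it)
  by mx.jbecker.it with esmtpa (Exim 4.69)
  (envelope-from <judixxx@btinternet.com>)
  id 1XVVGw-0006E2-7l; Sun, 21 Sep 2014 02:45:08 +0200
X-Spam-Score: 10.7 (++++++++++)
X-Spam-Report: Spam detection software, running on the system "mail", has
  identified this incoming email as possible spam.
  Content analysis details:  (10.7 points, 5.0 required)
  pts rule name              description
  ---- ---------------------- ----------------------------------------------
  -1.8 ALL_TRUSTED            Passed through trusted hosts only via SMTP
  3.5 BAYES_99              BODY: Bayesian spam probability is 99 to 100%
  2.0 LOCALPART_IN_SUBJECT  Local part of To: address appears in Subject
  2.6 HTML_OBFUSCATE_10_20  BODY: Message is 10% to 20% HTML obfuscation
  0.0 HTML_MESSAGE          BODY: HTML included in message
  0.7 MPART_ALT_DIFF        BODY: HTML and text parts are different
  2.2 TVD_SPACE_RATIO        BODY: TVD_SPACE_RATIO
  1.4 MIME_QP_LONG_LINE      RAW: Quoted-printable line longer than 76 chars
Subject: =?ISO-8859-1?Q?Re=3A=09enquiries?=

"""

IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RULE_RE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]+)\b", re.MULTILINE)
THRESHOLD_RE = re.compile(r"\((\d+\.\d+) points,\s*(\d+\.\d+) required\)")


def parse_hops(msg):
    """Return the Received chain oldest-first; each hop records the sending
    host (or bracketed IP), the IP, the receiving MTA and the 'with' protocol."""
    hops = []
    for raw in msg.get_all("Received", []):
        flat = " ".join(raw.split())          # unfold continuation lines
        m_from = re.match(r"from\s+\[?([^\s\]\(]+)", flat)
        m_ip = IPV4_RE.search(flat)
        m_by = re.search(r"\bby\s+(\S+)", flat)
        m_with = re.search(r"\bwith\s+(\S+)", flat)
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "ip": m_ip.group(1) if m_ip else None,
            "by": m_by.group(1) if m_by else None,
            "protocol": m_with.group(1) if m_with else None,
        })
    hops.reverse()                            # headers are stacked newest-first
    return hops


def parse_rules(report):
    """Return [(points, RULE_NAME), ...] from the X-Spam-Report rule table."""
    return [(float(pts), name) for pts, name in RULE_RE.findall(report)]


def summarise(raw_message):
    """Collect origin, per-hop detail and both filters' verdicts into one dict."""
    msg = message_from_string(raw_message)    # compat32 policy keeps folded lines
    hops = parse_hops(msg)
    report = msg.get("X-Spam-Report", "")
    rules = parse_rules(report)
    m = THRESHOLD_RE.search(report)
    sa_score, sa_required = (float(m.group(1)), float(m.group(2))) if m else (None, None)
    cm_raw = msg.get("X-CM-Score")
    cm_score = float(cm_raw) if cm_raw is not None else None
    upstream_flagged = sa_score is not None and sa_score >= sa_required
    return {
        "origin_ip": hops[0]["ip"] if hops else None,
        # Assumption: Exim tags an authenticated SMTP session as esmtpa/esmtpsa.
        "origin_authenticated": bool(hops) and hops[0]["protocol"] in ("esmtpa", "esmtpsa"),
        "hops": hops,
        "sa_score": sa_score,
        "sa_required": sa_required,
        "sa_rules": rules,
        "sa_rule_sum": round(sum(p for p, _ in rules), 1),
        "cm_score": cm_score,
        "upstream_flagged": upstream_flagged,
        # In this thread a 0.00 X-CM-Score went with Cloudmark passing the mail.
        "verdicts_disagree": upstream_flagged and cm_score == 0.0,
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

Run on the sample, the summary shows what Bob describes: the only hop outside jbecker.it and Plusnet is 113.173.166.1, accepted by mx.jbecker.it over an authenticated session rather than injected from a botted Windows box, and then handed to Plusnet by a host with no bad reputation. It also shows the detail a client-side rule can act on that the gateway could not: the sender's own SpamAssassin had already scored the mail 10.7 against a 5.0 threshold (the listed rule points sum to 10.6 because each is printed rounded) while X-CM-Score stayed at 0.00. A header rule that matches an X-Spam-Score at or above the "required" figure is a reasonable last line of defence when the ISP's filter and the originating host's filter disagree.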

Luzern
Seasoned Pro
Posts: 3,378
Thanks: 351
Fixes: 3
Registered: 31-07-2007

Re: How'd this'un get thru?!

Thanks for the reply! I'm not sure which URL you mean, but even if it's not particularly relevant, becker.it is on 11 RBL blacklists.
No one has to agree with my opinion, but in the time I have left a miracle would be nice.
Community Gaffer
Posts: 13,423
Thanks: 1,182
Fixes: 92
Registered: 04-04-2007

Re: How'd this'un get thru?!

A quick lookup of 88.198.50.21 against 87 blacklists only lists it on Barracuda for me. The URL I was referring to was the cucugen.com one.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

Luzern
Seasoned Pro
Posts: 3,378
Thanks: 351
Fixes: 3
Registered: 31-07-2007

Re: How'd this'un get thru?!

FWLIW I used this: http://dawhois.com/rbl_check/?query=88.198.50.210&p=5, which I plucked out of the air. The 11 comes after clicking on the RBL tab.
Edit:
Bob, the last part of the address I gave was 210. You had 21.
No one has to agree with my opinion, but in the time I have left a miracle would be nice.
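The last three posts are a small lesson in how RBL checks go wrong: the same relay came back listed on 11 blacklists from one service and on one (Barracuda) from another, and part of the gap turned out to be a dropped digit in the address. Both effects follow from how a DNSBL is queried: the address's octets are reversed and prefixed to the list's zone, so a different zone set gives a different count and a mistyped address silently checks a different host. The following is an added example, not dawhois's, Plusnet's or Cloudmark's code; the zone names are well-known public lists chosen for illustration, the resolver is injectable so the logic runs offline, and the simulated answer in the test mirrors Bob's "only Barracuda" result rather than a real lookup.

```python
"""Check an IPv4 address against DNS-based blocklists (DNSBLs).

Added example for this thread, not dawhois's or Cloudmark's code. The zone
list is illustrative; a lookup service queries its own, usually much larger,
set of zones, which is one reason two checks of the same address disagree.
"""
import socket
from ipaddress import IPv4Address

# Well-known public DNSBL zones (illustrative set, not a recommendation).
DNSBL_ZONES = ("zen.spamhaus.org", "bl.spamcop.net", "b.barracudacentral.org")


def dnsbl_query_name(ip, zone):
    """Return the DNSBL query name: the address's octets reversed, then the zone.

    IPv4Address() raises ValueError for anything that is not a full dotted
    quad, so a dropped final digit is caught instead of querying another host.
    """
    octets = str(IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def resolve_a(name):
    """Resolve name to an IPv4 string, or None when it does not exist (not listed)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip, zones=DNSBL_ZONES, resolve=resolve_a):
    """Return {zone: answer} for every zone that lists ip.

    A DNSBL signals a listing by answering with an address in 127.0.0.0/8;
    the exact value encodes the list's own sub-category. Any other answer
    (for example a resolver that rewrites NXDOMAIN) is treated as not listed.
    `resolve` is injectable so the logic can be exercised without network access.
    """
    listed = {}
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer is not None and answer.startswith("127."):
            listed[zone] = answer
    return listed


if __name__ == "__main__":
    # Live lookup of the relaying host from the thread; needs DNS access.
    print(check_ip("88.198.50.210"))
```

Two habits follow from the code. First, compare lookups only when the zone sets are known to be the same; the count from an aggregator is only as meaningful as the lists behind it. Second, validate the address before it is reversed, because "88.198.50.21" and "88.198.50.210" are both syntactically valid and will both return an answer, so the check itself will not tell you a digit went missing.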
Community Gaffer
Posts: 13,423
Thanks: 1,182
Fixes: 92
Registered: 04-04-2007

Re: How'd this'un get thru?!

Ah yeah, Cloudmark still doesn't see it as nasty though:
CSI is not currently publishing reputation for this IP address.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵