cancel
Showing results for 
Search instead for 
Did you mean: 

Odd phising email got through....

David_W
Rising Star
Posts: 2,297
Thanks: 30
Registered: 19-07-2007

Odd phising email got through....

Strangely for Plusnet's spam filters a phising email got delivered to my inbox just now.  I just checked my junk folder in outlook and can't find any of that sort, they are usually picked out by PN.  The header is:

Return-Path: <root@wpc1044.amenworld.com>
From: "VerifiedByVisa" <Support@verifiedbyvisa.com>
To: <my_email>
Subject: Account Upgrade!
Date: Mon, 19 Jul 2010 22:13:26 +0100
Message-ID: <20100719211326.20082.qmail@wpc1044.amenworld.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_005B_01CB2796.1A201940"
X-Mailer: Microsoft Outlook 14.0
thread-index: AQGQ69JA2pNeoz42E1EXdF5vUMGoMw==
X-SpamFlt-Status: Not Detected
X-KASFlt-Status: Profiles 14729 [Jul 19 2010]
X-KASFlt-Status: Version: 4.0.6
X-KASFlt-Status: Envelope from:
X-KASFlt-Status: Rate: 0
X-KASFlt-Status: Status: not_detected
X-KASFlt-Status: Method: none

I'm struggling to see how this got through, from and return path are different so shouldn't that have it flagged as spam?
5 REPLIES
ChrisL
Grafter
Posts: 733
Thanks: 2
Registered: 13-12-2007

Re: Odd phising email got through....

Quote from: David
from and return path are different so shouldn't that have it flagged as spam?

It's actually quite common for 'from' and 'reply-to' fields to be different, especially where a (legitimate or other) sender is using a bulk mailing organisation to handle their list.
If the headers you've posted are complete, then something has gone wrong. This message appears to have avoided the Ironport spam filters altogether. The headers show it as being passed by a Kaspersky filter (nothing to do with Plusnet).  I seem to remember someone else recently having a problem with Kaspersky -- I'll try to find it and post a link.
Best wishes
Chris
edit: the other Kaspersky problem was different, but might still be relevant -- http://community.plus.net/forum/index.php/topic,86703.0.html
David_W
Rising Star
Posts: 2,297
Thanks: 30
Registered: 19-07-2007

Re: Odd phising email got through....

Valid point that, I just checked webmail.plus.net and looked in my spam folder to find a header:
Return-path: <web125f2@omikron.ibone.ch>
Envelope-to: my_email
Delivery-date: Sat, 17 Jul 2010 21:18:02 +0100
Received: from [212.159.7.38] (helo=mx.ptn-ipin03.plus.net)
    by pih-inmx01.plus.net with esmtp (PlusNet MXCore v2.00) id 1OaDpi-0006No-DM
    for my_email; Sat, 17 Jul 2010 21:18:02 +0100
Received-SPF: None identity=pra; client-ip=213.203.223.45;
    receiver=mx.ptn-ipin03.plus.net;
    envelope-from="web125f2@omikron.ibone.ch";
    x-sender="customer_service@hsbc.co.uk";
    x-conformance=sidf_compatible
Received-SPF: Pass identity=mailfrom; client-ip=213.203.223.45;
    receiver=mx.ptn-ipin03.plus.net;
    envelope-from="web125f2@omikron.ibone.ch";
    x-sender="web125f2@omikron.ibone.ch";
    x-conformance=sidf_compatible
Received-SPF: Pass identity=helo; client-ip=213.203.223.45;
    receiver=mx.ptn-ipin03.plus.net;
    envelope-from="web125f2@omikron.ibone.ch";
    x-sender="postmaster@omikron.ibone.ch";
    x-conformance=sidf_compatible
X-SBRS: -1.5
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgT1AE6tQUzVy98tVWdsb2JhbACBRJF0iFSDDgNVCwEeCwYUIg8GCASHdZlbAQGUMwKJD4I9gUUBgQoEkA4
X-IPAS: Level3
X-IronPort-AV: E=McAfee;i="5300,2777,6046"; a="329431791"
X-IronPort-AV: E=Sophos;i="4.55,219,1278284400";
    d="scan'208,217";a="329431791"
Received: from omikron.ibone.ch ([213.203.223.45])
    by mx.ptn-ipin03.plus.net with ESMTP; 17 Jul 2010 21:17:53 +0100
Received: by omikron.ibone.ch (omikron.ibone.ch, from userid 889)
    id 44F02A27054; Sat, 17 Jul 2010 22:17:54 +0200 (CEST)
To: my_email
From: Hsbc Bank Plc <customer_service@hsbc.co.uk>
Message-ID: <E1OaDpi-0006No-DM@pih-inmx01.plus.net>
X-pn-pstn: Spam 3
X-PN-Virus-Filtered: by PlusNet MXCore (v5.00)
X-PN-Spam-Filtered: by PlusNet MXCore (v5.00)
Subject: [-SPAM-] You Have One New Message
As you can see that is going through PN but it appears the emails in my inbox are not, or the header is being stripped before delivery.  Just sent myself an email and the headers are complete, so yeah, something is happening to some emails to let them skip the spam/virus server?
Community Veteran
Posts: 2,106
Registered: 06-02-2008

Re: Odd phising email got through....

There should be no reason for emails to be bypassing our spam filter so please raise a ticket with full headers. It would be best if you could disable Kaspersky first, so we have unadulterated versions.
David_W
Rising Star
Posts: 2,297
Thanks: 30
Registered: 19-07-2007

Re: Odd phising email got through....

I ran a quick test using my gmail account, something (kaspersky maybe) is stripping the headers.  I looked at webmail.plus.net after sending me an email from gmail and webmail gave full headers, outlook on the other hand stripped them down to the basics.  I'll ask the guys at kaspersky because having the full headers can be essential sometimes!
Community Veteran
Posts: 38,460
Thanks: 1,028
Fixes: 62
Registered: 15-06-2007

Re: Odd phising email got through....

You could disable the Kaspersky Mail Dispatcher