Spam filters not blocking spam email containing trojans

Superuser
Posts: 13,038
Thanks: 4,332
Fixes: 26
Registered: 22-08-2007

Received this today claiming to be from eFax - it is clearly SPAM and carries a virus payload... this threat / profile has been around for quite some time, I would have hoped that the filters were detecting and dumping such emails by now.  See http://news.softpedia.com/news/Spear-Phishing-Attack-Relies-of-eFax-Messages-286811.shtml from August 2012.
Quote
Return-path: <fraud@aexp.com>
Envelope-to: witton@xxxxxxx.me.uk
Delivery-date: Thu, 20 Feb 2014 09:56:01 +0000
Received: from [212.159.8.109] (helo=avasin07.plus.net)
  by inmx01.plus.net with esmtp (PlusNet MXCore v2.00) id 1WGQMK-0007Ig-Vm
  for witton@xxxxxxxx.me.uk; Thu, 20 Feb 2014 09:56:00 +0000
Received: from 50-195-99-99-static.hfc.comcastbusiness.net ([50.195.99.99])
  by avasin07.plus.net with Plusnet Cloudmark Gateway
  id UZvy1n00A28fpZe01Zw080; Thu, 20 Feb 2014 09:56:00 +0000
X-CM-Score: 0.00
X-CNFS-Analysis: v=2.1 cv=ZPRZmBLb c=1 sm=1 tr=0
Received: from [89.170.79.117] (account fraud@aexp.com HELO jdmuy.zovvvffpmou.tv)
  by 50-195-99-99-static.hfc.comcastbusiness.net (CommuniGate Pro SMTP 5.2.3)
  with ESMTPA id 981619320 for moira@xxxxxx.me.uk; Thu, 20 Feb 2014 04:55:49 -0500
From: "eFax Corporate" <message@inbound.efax.com>
To: <moira@xxxxxxxx.me.uk>
Date: Thu, 20 Feb 2014 04:55:49 -0500
MIME-Version: 1.0
X-Priority: 3
X-Mailer: iqhnbo_40
Message-ID: <0550235382.EPNINU12971919@obxwwgec.raukgmiuv.biz>
Content-Type: multipart/mixed;
  boundary="----=a__mrggq_85_87_05"
X-PN-Virus-Filtered: by PlusNet MXCore (v5.00)
X-PN-Spam-Filtered: by PlusNet MXCore (v5.00)
Subject: Corporate eFax message from "unknown" - 4 page(s)

If DCT need to look into this, xxxxxxx = my PN account name.
witton@ is an email address I have not used for years - indeed it pre-dates the webmail hack of a few years back.
moira@ is SWMOB's active email address - it is a bit scary how the spammer has got these two addresses tied together in a single email ('envelope-to' and 'to' addresses).
Hopefully the SPAM filters can be adjusted to filter these messages.

Cheers,
Kevin
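As an added example (my own code, not part of Kevin's post and not anything Plusnet ships), here is a small Python check that parses a subset of the headers quoted above and flags the inconsistencies a filter could have keyed on: the bounce address, the Message-ID domain and the first hop's HELO name all belong to domains unrelated to the claimed efax.com sender, the envelope and header recipients name different mailboxes, and the gateway's own X-CM-Score is 0.00. The two-label org_domain() approximation of a registrable domain is an assumption of the example, not a real public-suffix lookup.

```python
import email
import re
# Subset of the headers quoted in the post (recipient domain redacted as there); folded
# continuation lines are indented as RFC 5322 requires, which the forum paste lost.
SAMPLE_HEADERS = """\
Return-path: <fraud@aexp.com>
Envelope-to: witton@xxxxxxx.me.uk
Received: from [212.159.8.109] (helo=avasin07.plus.net)
  by inmx01.plus.net with esmtp (PlusNet MXCore v2.00) id 1WGQMK-0007Ig-Vm
  for witton@xxxxxxx.me.uk; Thu, 20 Feb 2014 09:56:00 +0000
X-CM-Score: 0.00
Received: from [89.170.79.117] (account fraud@aexp.com HELO jdmuy.zovvvffpmou.tv)
  by 50-195-99-99-static.hfc.comcastbusiness.net (CommuniGate Pro SMTP 5.2.3)
  with ESMTPA id 981619320 for moira@xxxxxxx.me.uk; Thu, 20 Feb 2014 04:55:49 -0500
From: "eFax Corporate" <message@inbound.efax.com>
To: <moira@xxxxxxx.me.uk>
Message-ID: <0550235382.EPNINU12971919@obxwwgec.raukgmiuv.biz>

"""

def address(value):
    """First user@domain in a header value, lower-cased, as (local, domain)."""
    m = re.search(r"([\w.+-]+)@([\w.-]+)", value or "")
    return (m.group(1).lower(), m.group(2).lower()) if m else ("", "")

def org_domain(domain):
    """Crude registrable-domain approximation (assumption): the last two labels."""
    return ".".join(domain.split(".")[-2:])

def origin_helo(received):
    """HELO name presented at the earliest hop, i.e. the last Received: header."""
    m = re.search(r"(?:helo=|HELO\s+)([\w.-]+)", (received or [""])[-1], re.IGNORECASE)
    return m.group(1).lower() if m else ""

def analyse(raw_headers):
    """Flag the sender/recipient inconsistencies visible in the post's headers."""
    msg = email.message_from_string(raw_headers)
    from_org = org_domain(address(msg["From"])[1])
    return {
        # bounce address domain (aexp.com) differs from the claimed sender (efax.com)
        "return_path_mismatch": org_domain(address(msg["Return-path"])[1]) != from_org,
        # Message-ID was minted on a domain unrelated to the claimed sender
        "message_id_mismatch": org_domain(address(msg["Message-ID"])[1]) != from_org,
        # the originating hop introduced itself with a HELO name unrelated to the sender
        "helo_mismatch": org_domain(origin_helo(msg.get_all("Received"))) != from_org,
        # envelope recipient and To: header name different mailboxes
        "recipient_mismatch": address(msg["Envelope-to"]) != address(msg["To"]),
        # the gateway's own spam score: 0.00 means it saw nothing wrong
        "filter_score": float(msg.get("X-CM-Score", "nan")),
    }
```

Run as `python3 -c "import headercheck; print(headercheck.analyse(headercheck.SAMPLE_HEADERS))"` (assuming the block is saved as headercheck.py) and every mismatch flag comes back True for this message.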