Email with Links to Trojan Site Not Blocked & Uswitch Emails Sent to Spam Folder

Capvermell
Grafter
Posts: 417
Registered: 16-12-2007

I have just received the below email with links to a site known by Mozilla (Firefox) to contain Trojans (Firefox gave a warning message with a "Get Me Out of Here" option), but the link was not recognised as being harmful and so the email was not blocked by Ironport, even though I have maximum strength (5) spam filtering in operation.
Conversely, I have just found three perfectly normal emails from Uswitch, sent out over the last couple of weeks, in my Spam folder today, even though uswitch.com is already in my whitelisted sending email addresses. Yes, I agree Uswitch do behave a bit like a spammer at times in the amount of email they send out, but they do honour unsubscribe requests (so far as I am aware) and their emails are not in themselves inherently spam-like in content, so Ironport should not be putting them in my Spam folder, especially not if Uswitch.com is in my whitelisted email addresses.
The email with the Trojan came about due to a spammer joining a very small and inactive Yahoo group for leaseholders (a group I have now ended my membership of), but nonetheless the content of the email should surely still have been recognised as being of a spam-like nature?
Any thoughts on the above from Bob and co would be appreciated:-
-------- Original Message --------
From: - Tue Nov 17 09:56:16 2009
X-Account-Key: account4
X-UIDL: UID26498-1149066516
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-path: <3LE0CSxMJAMY1mzw3m5m7ux07uotq7Gsymux.o0y@groups.bounces.google.com>
Envelope-to: xx@xxxxxx.plus.com
Delivery-date: Tue, 17 Nov 2009 07:14:50 +0000
Received: from [212.159.7.98] (helo=mx.pcl-ipin02.plus.net) by pih-inmx05.plus.net with esmtp (PlusNet MXCore v2.00) id 1NAIH3-0002T6-UA for xx@xxxxxx.plus.com; Tue, 17 Nov 2009 07:14:50 +0000
Received-SPF: None identity=pra; client-ip=209.85.217.188; receiver=mx.pcl-ipin02.plus.net; envelope-from="3LE0CSxMJAMY1mzw3m5m7ux07uotq7Gsymux.o0y@groups.bounces.google.com"; x-sender="pankratavilovichev4@gmail.com"; x-conformance=sidf_compatible
Received-SPF: Pass identity=mailfrom; client-ip=209.85.217.188; receiver=mx.pcl-ipin02.plus.net; envelope-from="3LE0CSxMJAMY1mzw3m5m7ux07uotq7Gsymux.o0y@groups.bounces.google.com"; x-sender="3LE0CSxMJAMY1mzw3m5m7ux07uotq7Gsymux.o0y@groups.bounces.google.com"; x-conformance=sidf_compatible
Received-SPF: None identity=helo; client-ip=209.85.217.188; receiver=mx.pcl-ipin02.plus.net; envelope-from="3LE0CSxMJAMY1mzw3m5m7ux07uotq7Gsymux.o0y@groups.bounces.google.com"; x-sender="postmaster@mail-gx0-f188.google.com"; x-conformance=sidf_compatible
Authentication-Results: mx.pcl-ipin02.plus.net; dkim=pass (signature verified [TEST]) header.i=@gmail.com
X-SBRS: 4.7
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AucBAI7bAUvRVdm8k2dsb2JhbACSE4I5hxI/AQEBAQkJCgkTA3yoS4E5hhKIawEDAwWBeoI8BA
X-IronPort-AV: E=McAfee;i="5300,2777,5804"; a="232996393"
X-IronPort-AV: E=Sophos;i="4.44,757,1249254000"; d="scan'208";a="232996393"
Received: from mail-gx0-f188.google.com ([209.85.217.188]) by mx.pcl-ipin02.plus.net with ESMTP; 17 Nov 2009 07:13:49 +0000
Received: by gxk4 with SMTP id 4sf10509333gxk.8 for <xx@xxxxxx.plus.com>; Mon, 16 Nov 2009 23:13:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:x-beenthere:received:received:received :received:received-spf:received:mime-version:received:date:x-ip :user-agent:x-http-useragent:message-id:subject:from:to:reply-to :precedence:mailing-list:list-id:list-post:list-help:list-archive :x-thread-url:x-message-url:content-type; bh=6cbcTGsmtz/+Uad3qM1oBD/rfrQL4VPhIEpWiwRcTNk=; b=V63Og9slBY0anjRL5GR7p6A+lP/67enh/LR9d9T3afJfayg2NrMAjBp3bNUT46QmRW PhaO+kVXBzhGTT3e1wCEcN9BcsS8cqx4h4BAKp/Puj0wSL9GNTSPDNsgirquvdr5EFQJ olWwYxzW0cP90tdCWxsVLNQWKcn267Lpul43I=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=x-beenthere:received-spf:authentication-results:mime-version:date :x-ip:user-agent:x-http-useragent:message-id:subject:from:to :reply-to:precedence:mailing-list:list-id:list-post:list-help :list-archive:x-thread-url:x-message-url:content-type; b=tMr3B4AqrR33tHitCXlkUwlowyzL/5mYLxIMrexpV4h0qLVewq4MnsbbpQBmW/KSL+ /A3/uTHwoEWwskOWZ2trY83ZiCC+3MiFlEHEVDdvV7SeAlPlHYB5R9hhSD0W0inRuvPq XpoZnVgPA7fA0R337089ZUEGQLNKhdWRhx6Oc=
Received: by 10.101.176.6 with SMTP id d6mr493365anp.44.1258442028324; Mon, 16 Nov 2009 23:13:48 -0800 (PST)
X-BeenThere: leaseholders@googlegroups.com
Received: by 10.101.214.12 with SMTP id r12ls1554847anq.0.p; Mon, 16 Nov 2009 23:13:48 -0800 (PST)
Received: by 10.101.158.28 with SMTP id k28mr9707548ano.27.1258442027790; Mon, 16 Nov 2009 23:13:47 -0800 (PST)
Received: by 10.101.158.28 with SMTP id k28mr9707546ano.27.1258442027774; Mon, 16 Nov 2009 23:13:47 -0800 (PST)
Received: from mail-yw0-f163.google.com (mail-yw0-f163.google.com [209.85.211.163]) by gmr-mx.google.com with ESMTP id 11si1032260gxk.1.2009.11.16.23.13.47; Mon, 16 Nov 2009 23:13:47 -0800 (PST)
Received: by mail-yw0-f163.google.com with SMTP id 35so11014003ywh.8 for <leaseholders@googlegroups.com>; Mon, 16 Nov 2009 23:13:47 -0800 (PST)
MIME-Version: 1.0
Received: by 10.100.81.6 with SMTP id e6mr109403anb.15.1258442027651; Mon, 16 Nov 2009 23:13:47 -0800 (PST)
Date: Mon, 16 Nov 2009 23:13:47 -0800 (PST)
X-IP: 85.207.186.65
User-Agent: G2/1.0
X-HTTP-UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506),gzip(gfe),gzip(gfe)
Message-ID: <7d6052e6-02d7-49a2-969f-01cd412ca4f3@r5g2000yqb.googlegroups.com>
From: Ivor <pankratavilovichev4@gmail.com>
To: uk-leaseholders <leaseholders@googlegroups.com>
Reply-To: leaseholders@googlegroups.com
Precedence: list
Mailing-list: list leaseholders@googlegroups.com; contact leaseholders+owners@googlegroups.com
List-ID: <leaseholders.googlegroups.com>
List-Post: <http://groups.google.com/group/leaseholders/post?hl=>, <mailto:leaseholders@googlegroups.com>
List-Help: <http://groups.google.com/support/?hl=>, <mailto:leaseholders+help@googlegroups.com>
List-Archive: <http://groups.google.com/group/leaseholders?hl=>
X-Thread-Url: http://groups.google.com/group/leaseholders/t/7daa1a0fd591876d
X-Message-Url: http://groups.google.com/group/leaseholders/msg/3c2ef1aad684785a
Content-Type: text/plain; charset=ISO-8859-1
X-PN-Virus-Filtered: by PlusNet MXCore (v5.00)
X-PN-Spam-Filtered: by PlusNet MXCore (v5.00)
Subject: What are they doing?
X-Antivirus: avast! (VPS 091116-1, 16/11/2009), Inbound message
X-Antivirus-Status: Clean

Hi! Please look at this short video. What are they doing?
http://tube23441.notlong.com/
--
You received this message because you are subscribed to the Google Groups "uk-leaseholders" group.
To post to this group, send email to leaseholders@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/leaseholders?hl=.
ChrisL
Grafter
Posts: 733
Thanks: 2
Registered: 13-12-2007

Re: Email with Links to Trojan Site Not Blocked & Uswitch Emails Sent to Spam Folder

It's the anti-virus check that's fallen down in this case, since there doesn't seem to be anything spammy about the email otherwise. I don't suppose either McAfee or Sophos perform link-scanning on emails, though they might have spotted a known bad site.
More worrying are the emails being treated as spam even though from a whitelisted sender. Might they be from Uswitch sending as something other than uswitch.com, e.g. uswitch.net or uswitch.subcontractor.com or some such? Have you got the headers from any of these?
Regards
Chris
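Chris's point about Uswitch mail possibly arriving under a different sending identity can be checked straight from the headers. This is an added example, not code from this thread or from Plusnet/IronPort: it pulls the four identities a filter might key a whitelist on (From domain, Return-path, SPF mailfrom envelope sender, DKIM signer) out of a header block and reports which of them actually match the whitelisted domain. The first sample is a trimmed copy of the headers quoted above; the second is constructed, with uswitch.subcontractor.com standing in for Chris's hypothetical.

```python
import email
import re

# Constructed subset of the headers quoted in the original post.
SPAM_HEADERS = """\
Return-path: <3LE0CSxMJAMY1mzw3m5m7ux07uotq7Gsymux.o0y@groups.bounces.google.com>
Received-SPF: Pass identity=mailfrom; client-ip=209.85.217.188; envelope-from="3LE0CSxMJAMY1mzw3m5m7ux07uotq7Gsymux.o0y@groups.bounces.google.com"
Authentication-Results: mx.pcl-ipin02.plus.net; dkim=pass (signature verified [TEST]) header.i=@gmail.com
From: Ivor <pankratavilovichev4@gmail.com>
Subject: What are they doing?

Hi! Please look at this short video. What are they doing?
"""

# Constructed: a newsletter whose visible From is uswitch.com but whose
# envelope sender and DKIM signer belong to a third-party mailer.
NEWSLETTER_HEADERS = """\
Return-path: <bounce-123@uswitch.subcontractor.com>
Received-SPF: Pass identity=mailfrom; client-ip=192.0.2.10; envelope-from="bounce-123@uswitch.subcontractor.com"
Authentication-Results: mx.example.net; dkim=pass header.i=@uswitch.subcontractor.com
From: Uswitch <offers@uswitch.com>
Subject: Switch and save

Constructed body text.
"""

def domain_of(addr):
    """Return the lower-cased domain part of an address string, or None."""
    m = re.search(r'@([A-Za-z0-9.-]+)', addr or '')
    return m.group(1).lower() if m else None

def sender_identities(raw):
    """Extract every sender identity a whitelist rule might be keyed on."""
    msg = email.message_from_string(raw)
    ids = {
        'from': domain_of(msg.get('From')),
        'return_path': domain_of(msg.get('Return-path')),
        'spf_mailfrom': None,
        'dkim': None,
    }
    for spf in msg.get_all('Received-SPF', []):
        if 'identity=mailfrom' in spf:
            m = re.search(r'envelope-from="([^"]+)"', spf)
            ids['spf_mailfrom'] = domain_of(m.group(1)) if m else None
    m = re.search(r'header\.i=@([A-Za-z0-9.-]+)', msg.get('Authentication-Results', ''))
    ids['dkim'] = m.group(1).lower() if m else None
    return ids

def whitelist_matches(ids, whitelist):
    """Map each identity to whether it falls inside the whitelisted domains."""
    return {name: (dom in whitelist) for name, dom in ids.items()}
```

Only the From domain of the constructed newsletter matches a whitelist of {'uswitch.com'}; a filter keyed on the envelope sender or DKIM signer would treat it as unlisted, which is exactly the situation Chris is asking about.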
Mand
Grafter
Posts: 5,560
Thanks: 1
Registered: 05-04-2007

Re: Email with Links to Trojan Site Not Blocked & Uswitch Emails Sent to Spam Folder

Hi there,
Unfortunately no spam/virus filtering is 100% and it looks like this one got missed.
Re the whitelisted addresses issue, have you got the headers of one of those please?