Spam bypassing IronPort?

prthomas
Newbie
Posts: 3
Registered: 04-08-2007

Spam bypassing IronPort?

I got moved over to IronPort earlier this week and have just seen my first spam email in a long time. Interestingly the headers show that this seems to have gone straight into the mail cores and bypassed IronPort.
Is this actually the case or have I not interpreted the headers correctly?
Quote
From - Thu Dec 11 10:58:11 2008
X-Account-Key: account2
X-UIDL: UID13300-1063896986
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:                                                                               
Return-path: <krum@rcn.com>
Envelope-to: removed@mydomain.me.uk
Delivery-date: Thu, 11 Dec 2008 10:34:10 +0000
Received: from [85.237.38.98] (helo=host-85-237-38-98.dsl.sura.ru)
  by pih-sunmxcore17.plus.net with esmtp (PlusNet MXCore v2.00) id 1LAiry-0000LJ-EZ
  for <removed>@<mydomain>.me.uk; Thu, 11 Dec 2008 10:34:10 +0000
Message-ID: <000901c95b7c$04f07297$4d197fb3@tmkwfbsb>
From: "janus gupi" <krum@rcn.com>
To: <removed@mydomain.me.uk>
Date: Thu, 11 Dec 2008 08:46:49 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0006_01C95B7C.04ECE652"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2720.3000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2727.1300
X-PN-Virus-Filtered: by PlusNet MXCore (v4.00)
X-PN-Spam-Filtered: by PlusNet MXCore (v4.00)
Subject: Super pills
This is a multi-part message in MIME format.
------=_NextPart_000_0006_01C95B7C.04ECE652
Content-Type: text/plain;
charset="koi8-r"
Content-Transfer-Encoding: quoted-printable
Hello !
Best Selections of Herbal Medic1nes. Faithful Service, Purchase Now
------=_NextPart_000_0006_01C95B7C.04ECE652
Content-Type: text/html;
charset="koi8-r"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; charset=3Dkoi8-r">
<META content=3D"MSHTML 6.00.2720.3000" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<P>Hello !</P>
<P>Best Selections of Herbal Medic1nes. Faithful Service, <A =
HREF=3D"http://oneexperiment.com">Purchase Now</A></P></BODY></HTML>
------=_NextPart_000_0006_01C95B7C.04ECE652--
9 REPLIES
Superuser
Superuser
Posts: 8,877
Thanks: 411
Fixes: 36
Registered: 06-04-2007

Re: Spam bypassing IronPort?

Yes you are correct, that email bypassed IronPort completely. The most likely reason for this is that your spam settings in Manage My Mail have Spam Filtering set to Off.
If you find this is the case obviously set it to On again, make sure the recommended settings are selected for the other options. Set Aggressiveness to 1 and Virus Checking to On. Note that turning spam filtering on requires a DNS change which can take up to 48 hours to propagate around the Internet.
David
Edit: on reflection prompted by the next reply I think the problem is that the MX Cores no longer reject direct connections for some users even though IronPort filtering is on. Definitely one for Plusnet to look into.
Edit 2: corrected scope of the problem; the MX Cores reject direct connections for me (and Bob as noted in a later reply).
David
jnwright
Grafter
Posts: 281
Thanks: 1
Registered: 05-04-2007

Re: Spam bypassing IronPort?

I've had one bypass Ironport completely. My settings are correct - Spam Filtering On, Edge Protection On, Identified messages tagged [SPAM] and moved to Spam folder, Aggressive spam filter, Virus filter On, etc.  Other Spam ends up in the Spam folder. So I think this is a specially crafted message sent in order to evade Ironport. Note that the main content is the same. It needs an extra rule somewhere in Plusnet's system to avoid this method of delivery. Note that both of our messages were sent direct to pih-sunmxcoreXX.plus.net in order for them to work as the spammer intended.
Quote
Return-path: <drw4@cox.net>
Envelope-to: xxxxxx@xxxx.plus.com
Delivery-date: Tue, 09 Dec 2008 09:04:16 +0000
Received: from [91.77.190.247] (helo=ppp91-77-190-247.pppoe.mtu-net.ru)
  by pih-sunmxcore11.plus.net with esmtp (PlusNet MXCore v2.00) id 1L9yVs-0000z9-0n
  for xxxxxx@xxxx.plus.com; Tue, 09 Dec 2008 09:04:16 +0000
Message-ID: <000a01c959dd$071765c8$a6c31f9b@xqovc>
From: "frasquito ramana" <drw4@cox.net>
To: <xxxxxx@xxxx.plus.com>
Date: Tue, 09 Dec 2008 07:16:43 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0007_01C959DD.07117C44"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2720.3000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2727.1300
X-PN-Virus-Filtered: by PlusNet MXCore (v4.00)
X-PN-Spam-Filtered: by PlusNet MXCore (v4.00)
Subject: Good medication
This is a multi-part message in MIME format.
------=_NextPart_000_0007_01C959DD.07117C44
Content-Type: text/plain;
charset="koi8-r"
Content-Transfer-Encoding: quoted-printable
Hi my dear friend!
Best Selections of Herbal Med1cines. Faithful Service, Buy Today
------=_NextPart_000_0007_01C959DD.07117C44
Content-Type: text/html;
charset="koi8-r"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; charset=3Dkoi8-r">
<META content=3D"MSHTML 6.00.2720.3000" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<P>Hi my dear friend!</P>
<P>Best Selections of Herbal Med1cines. Faithful Service, <A =
HREF=3D"http://oneexperiment.com">Buy Today</A></P></BODY></HTML>
------=_NextPart_000_0007_01C959DD.07117C44--
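Both quoted messages show the same tell-tale sign: the Received header written by the Plusnet MX core names an outside host (a Russian DSL/PPPoE address) as the direct sender, rather than the filtering gateway the MX record points at. The following script, an added example that is not part of the thread or of Plusnet's tooling, parses the Received headers and flags a message whose first hop into an MX core did not come from a trusted gateway. The gateway hostname ironport-gw.example.net and the second sample message are assumptions for illustration; the first sample is built from the Received line in the opening post.

```python
import re
from email import message_from_string

# Constructed sample built from the Received line quoted in the first post
# (recipient anonymised as in the thread).
DIRECT_SAMPLE = """\
Return-path: <krum@rcn.com>
Received: from [85.237.38.98] (helo=host-85-237-38-98.dsl.sura.ru)
  by pih-sunmxcore17.plus.net with esmtp (PlusNet MXCore v2.00) id 1LAiry-0000LJ-EZ
  for <removed@mydomain.me.uk>; Thu, 11 Dec 2008 10:34:10 +0000
Subject: Super pills

body
"""

# Constructed sample of a message that did pass through the filtering gateway.
# The gateway hostname ironport-gw.example.net is an assumption for illustration.
FILTERED_SAMPLE = """\
Received: from ironport-gw.example.net ([192.0.2.10])
  by pih-sunmxcore11.plus.net with esmtp (PlusNet MXCore v2.00) id 1L9yVs-0000z9-0n
  for <removed@mydomain.me.uk>; Thu, 11 Dec 2008 10:34:10 +0000
Received: from [198.51.100.7] (helo=mail.example.org)
  by ironport-gw.example.net with esmtp; Thu, 11 Dec 2008 10:33:50 +0000
Subject: Newsletter

body
"""

# A hop into a Plusnet MX core: "from <host> (helo=<name>) ... by <x>mxcore<y>.plus.net"
HOP = re.compile(r"from\s+\[?([^\s\]]+)\]?(?:\s+\(helo=([^)\s]+)\))?.*?"
                 r"\bby\s+(\S*mxcore\S*\.plus\.net)", re.I)

def core_entry_hop(raw):
    """Return (sending host, HELO name) for the hop that delivered into an
    MX core, or None when no Received header was written by a core."""
    msg = message_from_string(raw)
    for line in msg.get_all("Received", []):
        m = HOP.search(" ".join(line.split()))  # unfold the header first
        if m:
            return m.group(1), m.group(2) or ""
    return None

def bypassed_filter(raw, trusted_gateways):
    """True when the MX core accepted the message straight from a host that is
    not one of the trusted filtering gateways, i.e. the filter was bypassed."""
    hop = core_entry_hop(raw)
    if hop is None:
        return False
    host, helo = hop
    return host not in trusted_gateways and helo not in trusted_gateways

if __name__ == "__main__":
    gateways = ("ironport-gw.example.net",)  # assumed gateway name
    print("direct sample bypassed:", bypassed_filter(DIRECT_SAMPLE, gateways))
    print("filtered sample bypassed:", bypassed_filter(FILTERED_SAMPLE, gateways))
```

Run over a mailbox, any message flagged here arrived without the X-IronPort-style headers the later replies mention, which is exactly the symptom Bob's telnet test confirms for the affected accounts.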
Superuser
Superuser
Posts: 8,877
Thanks: 411
Fixes: 36
Registered: 06-04-2007

Re: Spam bypassing IronPort?

Thanks for that. I've edited my previous reply to add:
"… on reflection prompted by (your) reply I think the problem is that the MX Cores no longer reject direct connections for some users even though IronPort filtering is on. Definitely one for Plusnet to look into."
David
Edit: corrected scope of the problem; the MX Cores reject direct connections for me (and Bob as noted in a later reply).
David
jnwright
Grafter
Posts: 281
Thanks: 1
Registered: 05-04-2007

Re: Spam bypassing IronPort?

David, I totally agree with you that Plusnet need to look into this urgently, as we have proved to the scammer, on this forum, that the method works. Sad
prthomas
Newbie
Posts: 3
Registered: 04-08-2007

Re: Spam bypassing IronPort?

Quote from: jnwright
David, I totally agree with you that Plusnet need to look into this urgently, as we have proved to the scammer, on this forum, that the method works. Sad

I'd second this. 
I've also got Spam Filtering On, Edge Protection On and Virus Scanning On with messages quarantined. I've never adjusted the aggressiveness so presume it is at the default of 1. Other messages have IronPort headers on them so these settings must be working for me. I therefore expected all messages to only route via IronPort just as they used to route through Postini.
Direct access to the mail cores was disabled when we all got moved to Postini.  I wonder why it has been turned back on now?  Bob over to you...
Philip
Community Gaffer
Community Gaffer
Posts: 12,803
Thanks: 635
Fixes: 62
Registered: 04-04-2007

Re: Spam bypassing IronPort?

I shall get a problem raised as this should not be allowed to happen. As can be seen below, it's *not* possible for me to send an email to one of my accounts directly via the mx.cores:
Connected to mx.core.plus.net.
Escape character is '^]'.
220 mx.core.plus.net ESMTP Exim Thu, 11 Dec 2008 14:09:33 +0000
ehlo cores
250-pih-sunmxcore11.plus.net Hello cores [84.93.217.165]
250-SIZE 104857600
250-8BITMIME
250-PIPELINING
250 HELP
mail from:<>
250 OK
rcpt to:<postmaster@bobpullen.force9.co.uk>
451-Plusnet: Please route email according to MX record
451 (bobpullen.force9.co.uk/84.93.217.165)

@jnwright & prthomas, your accounts don't appear to be the same as mine and *are* accepting messages Sad
220 mx.core.plus.net ESMTP Exim Thu, 11 Dec 2008 14:48:22 +0000
ehlo cores
250-fhw-sunmxcore05.plus.net Hello cores [84.93.217.165]
250-SIZE 104857600
250-8BITMIME
250-PIPELINING
250 HELP
mail from:<>
250 OK
rcpt to:<postmaster@t******k.plus.com>
250 Accepted

Edit: problem now raised (ref: 54453).

Bob Pullen
Plusnet Products Team
If I've been helpful then please give thanks ⤵

jnwright
Grafter
Posts: 281
Thanks: 1
Registered: 05-04-2007

Re: Spam bypassing IronPort?

Thanks for the info Bob and your raising of a problem over this matter. This obviously proves the problem exists with our accounts. I've had aggressiveness set to 4 for ages and was surprised at first to get the email, until I realised it wasn't going through Ironport. I wonder how many other people using a plus.com email address have no protection against this method of delivery. A spammer's delight!
prthomas
Newbie
Posts: 3
Registered: 04-08-2007

Re: Spam bypassing IronPort?

Thanks for looking into this Bob.  Hopefully there aren't too many accounts like mine and jnwright's!
Philip
Community Gaffer
Community Gaffer
Posts: 12,803
Thanks: 635
Fixes: 62
Registered: 04-04-2007

Re: Spam bypassing IronPort?

During migration we switched off the blocking of email which goes around the filtering systems. Since then it looks like the script that sets this hasn't kicked in and reset the flag. We're going to check this and make sure that everybody that's been migrated for at least 2 days has the mail blocked again.

Bob Pullen
Plusnet Products Team
If I've been helpful then please give thanks ⤵