Best way to block "Helpdesk Program" Spam?


6 replies to this topic

#1 Chuck Reed

Chuck Reed
  • Members
  • 55 posts

Posted 17 March 2010 - 11:31 AM

This is the second time that I've seen this message come past my filter. It's not a particularly effective piece of Spam, but it's fairly well worded and looks somewhat legit. I would like to block it, and I'm not sure what the best way is. Header? Body? What is your opinions?
X-ASG-Debug-ID: 1268790832-3387343e0001-D5LArS
Received: from mail.xxxxxx (ncck.xxxxxx [80.240.xxx.xxx]) by cuda.xxxxxx with SMTP id 9nlOR8PlCOKh3gCx for <person@xxxxxx>; Tue, 16 Mar 2010 18:53:52 -0700 (PDT)
X-Barracuda-Envelope-From: info@help.com
Received: from mail.xxxxxx (mail.xxxxxx [127.0.0.1]) by mail.xxxxxx (Postfix) with ESMTP id F2CE143C2BC; Wed, 17 Mar 2010 04:43:11 +0300 (EAT)
Received: from 196.220.xxx.xxx (SquirrelMail authenticated user gsoffice) by mail.xxxxxx with HTTP; Wed, 17 Mar 2010 04:43:21 +0300 (EAT)
Message-ID: <58649.196.220.xxx.xxx.1268790201.squirrel@mail.xxxxxx>
Date: Wed, 17 Mar 2010 04:43:21 +0300 (EAT)
X-ASG-Orig-Subj: 
Subject: 
From: "Helpdesk Program" <info@help.com>
Reply-To: upgraden_009@discuz.org
User-Agent: SquirrelMail/1.4.8-5.el4.centos.8
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
X-Priority: 3 (Normal)
Importance: Normal
To: undisclosed-recipients:;
X-ncck_org-MailScanner-Information: Please contact the ISP for more information
X-ncck_org-MailScanner: Found to be clean
X-ncck_org-MailScanner-SpamScore: sss
X-ncck_org-MailScanner-From: info@help.com
X-Spam-Status: No
Content-Transfer-Encoding: quoted-printable
X-Barracuda-Connect: ncck.sxxxxxx[80.240.xxx.xxx]
X-Barracuda-Start-Time: 1268790832
X-Barracuda-URL: http://cuda.xxxxxx:8000/cgi-mod/mark.cgi
X-Barracuda-Orig-Rcpt: person@xxxxxx
X-Virus-Scanned: by bsmtpd at xxxxxx
X-Barracuda-Spam-Score: 1.29
X-Barracuda-Spam-Status: No, SCORE=1.29 using global scores of TAG_LEVEL=9.0 QUARANTINE_LEVEL=3.5 KILL_LEVEL=7.0 tests=MISSING_SUBJECT, MISSING_SUBJECT_2
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.2.25067
	Rule breakdown below
	 pts rule name              description
	---- ---------------------- --------------------------------------------------
	0.01 MISSING_SUBJECT        Missing Subject: header
	1.28 MISSING_SUBJECT_2      Missing Subject: header

The Helpdesk Program that periodically checks the size of your e-mail space is sending you this information. The program runs weekly to ensure your inbox does not grow too large, thus preventing you from receiving or sending new e-mail. As this message is being sent, you have 18 megabytes (MB) or more stored in your inbox. To help us reset your space in our database, please enter your current user name (_________________) password (_______________)

You will receive a periodic alert if your inbox size is between 18 and 20 MB. If your inbox size is 20 MB, a program on your Webmail will move your oldest e-mails to a folder in your home directory to ensure you can continue receiving incoming e-mail. You will be notified this has taken place.

If your inbox grows to 25 MB, you will be unable to receive new e-mail and it will be returned to sender. All this is programmed to ensure your e-mail continues to function well.

Thank you for your cooperation.
Help Desk.
upgraden_009@discuz.org
Important: Email Account Verification Update ! ! !
--=20
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
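As an added illustration (my own code, not something from the thread or from Barracuda), the script below does the kind of header triage Chuck is asking about. It parses a constructed copy of the pasted message, with the redacted IPs replaced by addresses from the 192.0.2.0/24 documentation range, pulls out the connecting IP from the topmost Received line, the envelope sender, From and Reply-To domains, and lists the cheap signals a filter admin would look at: empty Subject, Reply-To on a different domain than From, undisclosed-recipients, and a body that asks for a password. A constructed ordinary message is included for comparison.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample, modelled on the headers pasted in post #1. The xxxxxx
# placeholders are the poster's own redactions; the IP addresses come from the
# documentation range 192.0.2.0/24 and stand in for the redacted real ones.
SPAM_MESSAGE = """\
Received: from mail.xxxxxx (ncck.xxxxxx [192.0.2.10]) by cuda.xxxxxx with SMTP
    id 9nlOR8PlCOKh3gCx for <person@xxxxxx>; Tue, 16 Mar 2010 18:53:52 -0700 (PDT)
X-Barracuda-Envelope-From: info@help.com
Received: from mail.xxxxxx (mail.xxxxxx [127.0.0.1])
    by mail.xxxxxx (Postfix) with ESMTP id F2CE143C2BC;
    Wed, 17 Mar 2010 04:43:11 +0300 (EAT)
Received: from 192.0.2.20 (SquirrelMail authenticated user gsoffice)
    by mail.xxxxxx with HTTP; Wed, 17 Mar 2010 04:43:21 +0300 (EAT)
Date: Wed, 17 Mar 2010 04:43:21 +0300 (EAT)
From: "Helpdesk Program" <info@help.com>
Reply-To: upgraden_009@discuz.org
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
To: undisclosed-recipients:;

The Helpdesk Program that periodically checks the size of your e-mail space
is sending you this information. To help us reset your space in our
database, please enter your current user name and password.
"""

# Constructed, unremarkable message for comparison: Subject present,
# Reply-To matches From, envelope sender matches From.
CLEAN_MESSAGE = """\
Received: from mx.example.net (mx.example.net [192.0.2.30]) by cuda.xxxxxx with SMTP
    id AbCdEf for <person@xxxxxx>; Tue, 16 Mar 2010 18:00:00 -0700 (PDT)
X-Barracuda-Envelope-From: alice@example.net
Subject: Meeting notes
From: Alice <alice@example.net>
Reply-To: alice@example.net
To: person@xxxxxx
Content-Type: text/plain; charset=us-ascii

Notes attached in the ticket.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def domain_of(header_value):
    """Lowercased domain part of an address header, '' if absent."""
    _, address = parseaddr(header_value or "")
    return address.rpartition("@")[2].lower()


def connecting_ip(msg):
    """IP in the topmost Received header: the host that handed the message to
    our gateway. Only that hop is written by a system we control; the lower
    Received lines were added on the sender's side and prove nothing."""
    received = msg.get_all("Received") or []
    match = IP_RE.search(received[0]) if received else None
    return match.group(1) if match else None


def triage(raw):
    """Return the facts a filter admin looks at first, plus a list of
    findings. Each finding is a cheap header-level signal, not a verdict."""
    msg = email.message_from_string(raw)
    env_dom = domain_of(msg["X-Barracuda-Envelope-From"])
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    findings = []
    if not (msg["Subject"] or "").strip():
        findings.append("missing Subject header")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if env_dom and env_dom != from_dom:
        findings.append(f"envelope sender domain {env_dom} differs from From domain {from_dom}")
    if (msg["To"] or "").strip().lower().startswith("undisclosed-recipients"):
        findings.append("To: undisclosed-recipients (bulk send)")
    payload = msg.get_payload(decode=True) or b""
    body = payload.decode(msg.get_content_charset() or "us-ascii", "replace")
    if re.search(r"\bpassword\b", body, re.IGNORECASE):
        findings.append("body asks for a password")
    return {
        "connecting_ip": connecting_ip(msg),
        "envelope_from_domain": env_dom,
        "from_domain": from_dom,
        "reply_to_domain": reply_dom,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, raw in (("spam", SPAM_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(name, triage(raw))
```

On the pasted message the envelope sender and From agree (both help.com), so the envelope check stays quiet; what stands out is the empty Subject, the Reply-To on discuz.org, the undisclosed recipient list and the password request, which is why a body or header rule on any one of these alone is weaker than SPF on the envelope domain.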


#2 kwyrick

kwyrick
  • Members
  • 10 posts

Posted 18 March 2010 - 05:02 PM

Enabling SPF checking would have blocked that one.

#3 Chuck Reed

Chuck Reed
  • Members
  • 55 posts

Posted 19 March 2010 - 05:20 PM

I suppose I should have included that I'm on firmware v4.0.3.003 (2010-01-12 10:09:10)...
What you're suggesting would be the settings in "Block/Accept" - "Sender Authentication":
Sender Policy Framework (SPF): Yes No
Tag On SPF: Tag Block
I had the settings in bold above. Should I change the one to Block instead of Tag?

#4 kwyrick

kwyrick
  • Members
  • 10 posts

Posted 22 March 2010 - 10:37 AM

How did it come across, did it get tagged? help.com doesn't have an SPF record listed so, even if it were legit, it should have been tagged. In my environment, I don't care if a message gets blocked because of a missing SPF record and I don't really care if it was a valid message. Companies will eventually get on board and have valid SPF records. I have mine set to block. For the most part it works but even with block, I still get some invalids. Not too long ago, one of those fake greeting card mails made it through and we were 4 days getting it cleaned up. That isn't the only thing that has made it through but I'm now using two products, Barracuda and then another vendor behind that one. It's expensive but then again, it's what was necessary.

#5 kwyrick

kwyrick
  • Members
  • 10 posts

Posted 22 March 2010 - 02:36 PM

Was the message tagged? My earlier response didn't post.

#6 Chuck Reed

Chuck Reed
  • Members
  • 55 posts

Posted 24 March 2010 - 05:40 PM

Hi kwyrick, no it didn't get tagged. And it wasn't whitelisted. (That would be odd though.) It's strange, because I do get a lot of messages from domains without SPF records configured, and they're not being tagged either. I never gave that much thought until now. I wonder why that is?

#7 kwyrick

kwyrick
  • Members
  • 10 posts

Posted 25 March 2010 - 12:39 PM

About the only thing I can figure is if a company doesn't have any SPF record, mail would be allowed since there weren't any SPF violations. I haven't attempted to verify that but it would make sense. A few basic things to check would be:
Block/Accept > IP Reputation > Block on Barracuda IP reputation and Barracuda IP Whitelist set to On.
I use zen.spamhaus.org as my external RBL.
Deep header scan is set to Yes.
Sender Authentication SPF=Yes
Tag on SPF set to Block
And here is the biggie. In Advanced > Email Protocol, Sender Spoof Protection set to Yes.
There are a few other settings I have skipped. These were mainly tuning for my specific domain. I have a rather large IP block list. As usual, any time you change a setting, keep a good eye on your message log for the next week.
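kwyrick's guess above, that a sender domain with no SPF record produces no violation and so sails past a "Tag on SPF: Block" setting, is exactly how SPF results are defined: no record gives "none", which is distinct from "fail". The following added example (my own code, not the thread's or Barracuda's, and not a claim about how the appliance is implemented) evaluates SPF records against a connecting IP using a constructed, in-memory set of TXT records instead of DNS, then models the Tag/Block knob from the thread. help.com is modelled with no record, as kwyrick observed; the other domains, IPs and the `missing_record_is_fail` option are assumptions made for the demonstration. It handles the `ip4`, `ip6`, `include` and `all` mechanisms with the four qualifiers; `a`, `mx`, `ptr` and `exists` would need live DNS and are reported as errors here.

```python
import ipaddress

# Constructed zone data standing in for DNS TXT lookups; nothing touches the
# network. help.com is modelled as having no SPF record at all.
SPF_RECORDS = {
    "example.net": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.25 -all",
    "softfail.example": "v=spf1 ip4:203.0.113.5 ~all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Stand-in for a DNS TXT query; returns the record or None."""
    return SPF_RECORDS.get(domain.lower())


def check_spf(ip, domain, depth=0):
    """Evaluate the sender domain's SPF record against the connecting IP.
    Returns pass, fail, softfail, neutral, none or permerror.
    Only the first mechanism that matches decides the result."""
    if depth > 10:                      # RFC 7208 caps DNS-causing terms at 10
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"                   # no record: nothing to violate
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # a v4 address is never inside a v6 network and vice versa
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"          # a, mx, ptr, exists need live DNS
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                    # record ran out without an "all"


def gateway_action(spf_result, on_violation="tag", missing_record_is_fail=False):
    """Model of the 'Tag on SPF' knob from the thread (assumption, not the
    appliance's code): the chosen action applies to a hard fail only. A
    domain with no record yields 'none', which is not a violation, so the
    message passes this check untouched unless the stricter option is on."""
    if spf_result == "fail":
        return on_violation
    if spf_result == "none" and missing_record_is_fail:
        return on_violation
    return "accept"


if __name__ == "__main__":
    cases = [
        ("192.0.2.10", "help.com"),          # the pasted spam: no record
        ("192.0.2.10", "example.net"),       # listed directly
        ("198.51.100.25", "example.net"),    # listed via include
        ("203.0.113.99", "example.net"),     # not listed, hard fail
        ("203.0.113.99", "softfail.example"),
    ]
    for ip, domain in cases:
        result = check_spf(ip, domain)
        print(f"{ip:15} {domain:22} {result:9} "
              f"tag-on-spf=Block -> {gateway_action(result, 'block')}")
```

Run as written, the help.com row comes out "none -> accept" even with the knob on Block, which matches what Chuck saw; only the `missing_record_is_fail` variant would have stopped it, and that variant also stops every legitimate sender that has not published a record, the trade-off kwyrick says he is willing to make.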