Hi Andrew:
We have Microsoft in our spam domains, but the problem is that Microsoft sends
email from so many different reverse DNS names.
ISV, MSDN, MSN, Office Newsletter: all are sent from different
providers. For example, here is our MS filter:
MINWEIGHTTOFAIL 2
MAILFROM 1 ENDSWITH @microsoft.com
MAILFROM 1 ENDSWITH .microsoft.com
MAILFROM 1 ENDSWITH .arvatousa.net
MAILFROM 1 ENDSWITH .microsoft.com
MAILFROM 1 ENDSWITH .arvatousa.net
REVDNS 1 ENDSWITH .microsoft.com
REVDNS 1 ENDSWITH .zomax.com
REVDNS 1 ENDSWITH .zomax.com
But I have seen them send from other reverse DNS names.
So it is not that easy, at least I don't think it is.
These emails are being held at 30+ weight in our system. All these
emails will go to a spam folder for the user (under weight 50) and are deleted
at 50. I am afraid they might think it is a valid email in their spam
folder... who knows.
I think we should track this one closely.
Regards,
Kami
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Sunday, April 10, 2005 6:03 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Windows Update!
No, that email address is not valid. Those emails have been easily held over
on my system.
You can certainly block that bogus MAILFROM, but since the bad guys will continue to
change it as they hatch new spoofs, why not split out your SPAMDOMAINS into
groups that are likely to be abused, and weight those high enough to meet your
HOLD weight?
Andrew
8)
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Sunday, April 10, 2005 12:38 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Windows Update!

Hi;

In the past hour I have seen several emails caught as spam but with the weight still not high enough to be deleted, with subject: Urgent Windows Update.

As everyone (?) knows, this is the recent attempt to install a worm on the visitor's computer: there is a link to the Express install and no attachments. The link is an IP address.

I think ClamAV detects such behavior but it is not catching it yet, and I just checked the update.

I think for now I created a filter so that if the email is from Microsoft and there is an IP address in the body, the email is blocked.

This one email came from [EMAIL PROTECTED]. I really don't think that is a valid MS address. Does anyone know if this is a valid address? Maybe it is worthwhile to block it for now.

This week MS will be releasing some major updates and from what I read this scam was about to be released today... so it is starting, at least on our system.

Regards,
Kami
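The heuristic Kami describes (mail that claims to be from Microsoft, arrives from a reverse DNS name that is not one of the known relays, and carries a link whose host is a bare IP address) and Andrew's suggestion of weighting such groups high enough to meet the HOLD weight can be expressed as a small scoring routine. The following is an added example, not code from the thread, from Declude or from Microsoft. The rule weights (20 for an unknown relay, 30 for an IP-literal link), the "hold at 30, delete at 50" thresholds quoted from Kami's system, the reverse-DNS allowlist and the three sample messages (RFC 5737 addresses, example.* hosts) are all constructed for illustration; nothing in the thread says which weights Kami actually used.

```python
"""Constructed example: weight-based scoring of mail claiming to come from
Microsoft, modelled loosely on the Declude-style filter in the thread.
Rule weights, thresholds, allowlists and sample messages are assumptions."""
import email
import ipaddress
import re
from dataclasses import dataclass, field
from email import policy
from email.utils import parseaddr

# Thresholds quoted from the thread: held (spam folder) at 30+, deleted at 50.
HOLD_WEIGHT = 30
DELETE_WEIGHT = 50

# Sender domains treated as "claims to be Microsoft" (assumed list).
CLAIMED_DOMAINS = ("microsoft.com",)
# Reverse-DNS suffixes the thread's filter treats as legitimate relays (assumed).
LEGIT_REVDNS_SUFFIXES = (".microsoft.com", ".zomax.com", ".arvatousa.net")

# URL whose host is a dotted quad, e.g. http://192.0.2.10/setup.exe ; the
# negative lookahead stops "192.0.2.10.example.com" from matching.
IP_URL_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?![\w.-])")


@dataclass
class Verdict:
    weight: int
    action: str                      # "deliver", "hold" or "delete"
    reasons: list[str] = field(default_factory=list)


def claims_domain(addr_domain: str) -> bool:
    """True if the From address is the claimed domain or a subdomain of it."""
    return any(addr_domain == d or addr_domain.endswith("." + d) for d in CLAIMED_DOMAINS)


def find_ip_literal_urls(text: str) -> list[str]:
    """Return hosts of URLs whose host is a *valid* IPv4 literal (999.1.1.1 is skipped)."""
    found = []
    for m in IP_URL_RE.finditer(text):
        try:
            ipaddress.IPv4Address(m.group(1))
        except ValueError:
            continue
        found.append(m.group(1))
    return found


def message_text(msg) -> str:
    """Decoded text of the HTML part if present, else the plain part."""
    body = msg.get_body(preferencelist=("html", "plain"))
    return body.get_content() if body is not None else ""


def score_message(raw: bytes, rev_dns: str) -> Verdict:
    """Score one message; rev_dns is the PTR name of the connecting host."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    weight, reasons = 0, []
    if claims_domain(domain):
        # Rule 1: claims Microsoft but did not arrive via a known relay.
        if not rev_dns.lower().endswith(LEGIT_REVDNS_SUFFIXES):
            weight += 20
            reasons.append(f"claims {domain} but reverse DNS {rev_dns!r} is not a known relay")
        # Rule 2: Kami's heuristic, a link to a bare IP address in the body.
        ips = find_ip_literal_urls(message_text(msg))
        if ips:
            weight += 30
            reasons.append(f"link to IP literal {ips[0]}")
    action = "delete" if weight >= DELETE_WEIGHT else "hold" if weight >= HOLD_WEIGHT else "deliver"
    return Verdict(weight, action, reasons)


# Constructed sample messages (not real mail from the thread).
SPOOF = b"""From: Microsoft Security <update@microsoft.com>
To: user@example.org
Subject: Urgent Windows Update
Content-Type: text/html

<html><body>Install the critical update now:
<a href="http://192.0.2.10/express-install">Express Install</a></body></html>
"""

LEGIT = b"""From: MSDN Flash <msdn@microsoft.com>
To: user@example.org
Subject: MSDN Flash newsletter
Content-Type: text/plain

This week's articles: https://www.microsoft.com/
"""

OTHER = b"""From: Alice <alice@example.net>
Subject: lunch
Content-Type: text/plain

Menu at http://192.0.2.20/menu
"""

if __name__ == "__main__":
    for raw, ptr in ((SPOOF, "dsl-pool-42.example.net"), (SPOOF, "smtp.microsoft.com"),
                     (LEGIT, "mail.zomax.com"), (OTHER, "mail.example.net")):
        print(ptr, score_message(raw, ptr))
```

The spoof arriving from an unknown relay collects both rules and reaches the delete weight; the same spoof relayed through a host with a Microsoft reverse DNS name is still held because of the IP-literal link; the newsletter and the unrelated message score zero, since an IP-literal link alone is not penalised unless the sender also claims Microsoft. In Declude terms this is the "group likely to be abused, weighted to meet HOLD" idea rather than a single MAILFROM block.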