Hi, That's my thoughts, they're showing the FQDN in the headers, not the IP, so I'm wondering how they are blocking stuff. I asked my coworker (who is in the HQ) to call them again and request that the IP only was taken care of, not the FQDN. It's a forgery of the headers.

On Jan 17, 2008 12:28 PM, Steven Peck <[EMAIL PROTECTED]> wrote:
> We had a similar issue with Message labs once. A discussion involving
> our IP Addresses as shown in DNS and the source IP Addresses did
> result in us being unblocked. We are a moderately large company and
> though polite, I was obviously irritated. Not sure if that helped or
> hindered.
>
> Steven
>
>
> On Jan 17, 2008 8:46 AM, Don Andrews <[EMAIL PROTECTED]> wrote:
> > [opinion on]
> > Well, if the headers prove that the messages are not coming via your
> > mail server, you should be quite justified in requesting that
> > messagelabs unblock you and perhaps whitelist you as being part of the
> > same company.
> >
> > My perception of messagelabs is not getting any better.
> > [opinion off]
> >
> > -----Original Message-----
> > From: M Bruyere [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, January 17, 2008 8:42 AM
> > To: MS-Exchange Admin Issues
> > Subject: [JUNK] Re: [JUNK] Re: [JUNK] problem with messagelabs
> >
> > Hi,
> > Ninja uses RBLs and is also discarding spam. As for the
> > Messagelabs guys, I hardly see why they are still doing business with
> > them... They are not willing to help a lot. They were supposed to
> > investigate and create a report of their findings and the result was
> > the 3 spam samples I posted... what an investigation and report.
> > That's why I turned myself to this list to try to get outside thoughts
> > about the situations.
> >
> >
> > On Jan 17, 2008 11:26 AM, Don Andrews <[EMAIL PROTECTED]> wrote:
> > > Don't know anything about Ninja - does it or can it be configured to
> > > reject rather than discard spam?
> > >
> > > Perhaps you need to have your HQ guys get Message Labs to work with
> > > (rather than against) you to help determine what's happening.
> > >
> > > -----Original Message-----
> > > From: M Bruyere [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, January 17, 2008 8:18 AM
> > > To: MS-Exchange Admin Issues
> > > Subject: [JUNK] Re: [JUNK] problem with messagelabs
> > >
> > > Hi,
> > > At my site I use Ninja to spam filter. It can't be a station that
> > > is infected because the public IP is dedicated to the mail server
> > > using a static NAT. The workstations are actually using another IP to
> > > hit the internet.
> > >
> > > As for the headers, the only data I had from MessageLabs was the 3
> > > samples I pasted in the original post. I searched the message-id and
> > > some keywords on my exchange servers but can't find anything so they
> > > are not sent through our server.
> > >
> > > Thanks.
> > >
> > >
> > > On Jan 17, 2008 11:09 AM, Don Andrews <[EMAIL PROTECTED]> wrote:
> > > > Do you reject spam? Or is it possible that one or more machines at
> > > > your site are infected? Do the headers indicate that the spam is
> > > > definitely being sent from your server to HQ?
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: M Bruyere [mailto:[EMAIL PROTECTED]
> > > > Sent: Thursday, January 17, 2008 7:40 AM
> > > > To: MS-Exchange Admin Issues
> > > > Subject: [JUNK] problem with messagelabs
> > > >
> > > > Hi guys,
> > > > I have a problem sending messages to a site (our HQ) that
> > > > is protected by Messagelabs. In fact the problem is that they are
> > > > throttling our connections because they say that we're sending spam.
> > > > They provided the following samples to prove their point. After
> > > > looking at all the configs and all, I can't see how we could be
> > > > sending those. I suspect that the information is spoofed "a la joe
> > > > job" and that's what affects us.
> > > > Anyone can give me any inputs on how
> > > > to deal with this because I can't find anything wrong on our system
> > > > and they keep throttling over and over limiting the contacts from our
> > > > site to the HQ, which is at the very least annoying.
> > > >
> > > > If you have any ideas that could help me to stop this from happening,
> > > > it would be very appreciated.
> > > >
> > > > Please note that the domain name has been changed. You can contact me
> > > > off list if you need/want more specific details.
> > > >
> > > > //Spam sample 1
> > > >
> > > > Received: from desktop3 ([190.40.182.39]) by mail.MY_DOMAIN.com with
> > > >  Microsoft SMTPSVC(6.0.3790.0);
> > > >  Mon, 7 Jan 2008 19:42:52 -0500
> > > > Received: from 60.52.18.165 (HELO localhost.localdomain) (63.51.17.146)
> > > >  by 64.53.15.110 with SMTP; Mon, 7 Jan 2008 19:42:35 +0500
> > > > Date: Mon, 7 Jan 2008 19:42:35 +0500
> > > > Message-Id: <[EMAIL PROTECTED]>
> > > > X-Mailer: MIME::Lite 3.01 (F2.72; A1.62; B3.01; Q3.01)
> > > > X-Header-CompanyDBUserName: hpccm
> > > > X-Header-MasterId: 072480
> > > > X-Header-Versions: [EMAIL PROTECTED]
> > > > X-FID: 51E85DBC-2586-39AF-B9E4-67CDEA83DCB2
> > > > Content-Type: text/plain;
> > > >  charset="us-ascii"
> > > > Content-Transfer-Encoding: 7bit
> > > > To: <[EMAIL PROTECTED]>
> > > > From: "Marvin Casey" <[EMAIL PROTECTED]>
> > > > Subject: Re: Your Mortgage Refiinance
> > > > Return-Path: [EMAIL PROTECTED]
> > > > X-OriginalArrivalTime: 08 Jan 2008 00:42:52.0344 (UTC)
> > > >  FILETIME=[66978B80:01C8518F]
> > > >
> > > > Morttggage - lower your rrate!
> > > >
> > > > http://0rz.tw/563qc
> > > >
> > > >
> > > > //Spam sample 2
> > > >
> > > > Received: from sufi-isis.org ([85.104.221.208]) by mail.MY_DOMAIN.com
> > > >  with Microsoft SMTPSVC(6.0.3790.0);
> > > >  Sun, 6 Jan 2008 08:34:53 -0500
> > > > Return-Path: <[EMAIL PROTECTED]>
> > > > Received: from 206.191.20.150 (HELO magmail.travelgolf.com)
> > > >  by MY_DOMAIN.com with esmtp (VZSFHPFSL NTVJQ)
> > > >  id NzHz8i-bE58PW-p5
> > > >  for [EMAIL PROTECTED]; Sun, 06 Jan 2008 15:34:55 +0200
> > > > Message-ID: <[EMAIL PROTECTED]>
> > > > From: "Rosalind J. Cody" <[EMAIL PROTECTED]>
> > > > To: "Concetta V. Baez" <[EMAIL PROTECTED]>
> > > > Subject: Get the biggest s'e)x organ in the neighborhood!
> > > > Date: Sun, 06 Jan 2008 15:34:55 +0200
> > > > MIME-Version: 1.0
> > > > Content-Type: multipart/alternative;
> > > >  boundary="----=_NextPart_5463_15C1_01C85079.AFCF6A50"
> > > > X-Priority: 3
> > > > X-MSMail-Priority: Normal
> > > > X-Mailer: Microsoft Outlook Express 6.00.2900.2527
> > > > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2527
> > > > X-OriginalArrivalTime: 06 Jan 2008 13:34:55.0133 (UTC)
> > > >  FILETIME=[EC4CB4D0:01C85068]
> > > >
> > > > This is a multi-part message in MIME format.
> > > >
> > > > ------=_NextPart_5463_15C1_01C85079.AFCF6A50
> > > > Content-Type: text/plain;
> > > >  charset="us-ascii"
> > > > Content-Transfer-Encoding: quoted-printable
> > > >
> > > > potential for monopoly=2E To counter the arguments thatrecalled the incid=
> > > > ent=2E "It looks like one of
> > > >
> > > >
> > > > Maximize the volume of your dic'k by New Year!
> > > >
> > > > Great New Year prices for our super-p!ll will be a pleasant surprise for =
> > > > you!
> > > > Don't miss it out! Our offer is definitely worth your keen interest!
> > > >
> > > > Check our amazing prices now!
> > > > http://Effesitables=2Ecom/
> > > >
> > > > contact some crisis management people," said Davidlisteners in each local=
> > > >  radio market in America=2E"around 100 passengers when it attempted to be=
> > > > rth at aof last year=2E In the West Coast, its 25 percent and
> > > > National Football League=2E I'd like to thank all myhas visited the White=
> > > >  House in 24 years=2Eshowed even a rate of 100% spam=2E
> > > > ------=_NextPart_5463_15C1_01C85079.AFCF6A50--
> > > >
> > > >
> > > > //Spam Sample 3
> > > >
> > > > Received: from loboxvnh8zkwfs ([88.207.56.176]) by mail.MY_DOMAIN.com
> > > >  with Microsoft SMTPSVC(6.0.3790.0);
> > > >  Sun, 6 Jan 2008 08:35:17 -0500
> > > > From: "Mcbride, Norman" <[EMAIL PROTECTED]>
> > > > To: <[EMAIL PROTECTED]>
> > > > Date: Sun, 6 Jan 2008 14:35:00 -0100
> > > > Subject: Hot off the press.
> > > > MIME-Version: 1.0
> > > > Content-Type: text/plain
> > > > Content-Transfer-Encoding: 7bit
> > > > Return-Path: [EMAIL PROTECTED]
> > > > Message-ID: <[EMAIL PROTECTED]>
> > > > X-OriginalArrivalTime: 06 Jan 2008 13:35:17.0617 (UTC)
> > > >  FILETIME=[F9B37E10:01C85068]
> > > >
> > > > Looking for a company with some good news? Here's one!
> > > >
> > > > GCME has more News that came.
> > > > Looks like G C M E is not willing to miss a beat!
> > > >
> > > > SYMBOL: GCME
> > > > CURRENT PRICE: $0.11
> > > > Short-Term : $.60-$1.00
> > > >
> > > > Last Time We Issued A Alert We SAw 200-300% Gains in 1 Day.
> > > > Please let me know if you ahve any questions regarding this.
> > > >
> > > > Thanks!
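
Added example, not part of the thread or written by any of its participants: a small Python parser that walks a message's Received chain newest-first and returns the connecting IP recorded by the first receiver you trust, which is the value to compare against a sending server's public IP when a block is disputed. The input is the two Received headers of spam sample 1 as posted; the function names and the `trusted` set are assumptions made for illustration.

```python
import re
from email import message_from_string

# Received headers of spam sample 1, copied from the post (domain already changed).
SAMPLE_1 = """\
Received: from desktop3 ([190.40.182.39]) by mail.MY_DOMAIN.com with
 Microsoft SMTPSVC(6.0.3790.0);
 Mon, 7 Jan 2008 19:42:52 -0500
Received: from 60.52.18.165 (HELO localhost.localdomain) (63.51.17.146)
 by 64.53.15.110 with SMTP; Mon, 7 Jan 2008 19:42:35 +0500
Subject: Re: Your Mortgage Refiinance

body
"""

# "from <helo> ... by <receiver>"; the receiver wrote the header itself.
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s.*?\bby\s+(?P<by>\S+)", re.S)
# Connecting address as logged by the receiver: [a.b.c.d] or (a.b.c.d).
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")


def parse_hops(raw):
    """Return Received hops newest-first as dicts: helo, peer_ip, by."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        value = " ".join(value.split())          # unfold continuation lines
        m = HOP_RE.search(value)
        if not m:
            continue
        ip = IP_RE.search(value[:m.start("by")])  # only the "from" clause
        hops.append({
            "helo": m["helo"],                    # sender-chosen name, forgeable
            "peer_ip": ip.group(1) if ip else None,
            "by": m["by"],
        })
    return hops


def submitting_peer(raw, trusted):
    """IP that connected to the first trusted receiver (hypothetical helper).

    Every hop below that point was supplied by the sender and may be forged.
    """
    for hop in parse_hops(raw):
        if hop["by"].lower() in trusted:
            return hop["peer_ip"]
    return None


if __name__ == "__main__":
    print(submitting_peer(SAMPLE_1, {"mail.my_domain.com"}))
```

The HELO name and any Received line below the trusted hop are whatever the sender chose to claim; only the bracketed address logged by a receiver you trust is evidence of where a connection came from.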