Anyone else having issues with spam showing up in the Xtra Webmail inbox?

Forums › Spark New Zealand › Anyone else having issues with spam showing up in the Xtra Webmail inbox?

1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | ... | 20

'That VDSL Cat'
11543 posts

Uber Geek

Trusted

Spark

Subscriber

# 1947267 26-Jan-2018 17:43

One person supports this post

hey folks,

I'd like to direct your attention to a new button!

This simplifies the process of reporting spam (previously it was handled by dragging into junk which isn't as easily picked up on)

Step in the right direction, I'm very aware there is alot of push still on this end to work further on the spam filtering.

#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

FOCUS0

64 posts

Master Geek

# 1947293 26-Jan-2018 19:07

Thanks for the update,

I have been looking at the regex condition and it is quite powerful - if you understand what it can do.

None of the Open-Exchange documentation I came across said how to use it fully apart from the OR ( | ) example

It has the capability to test HTML - which is what I wanted

Here's a wiki page dedicated to it https://en.wikipedia.org/wiki/Regular_expression

Cheers

pillmonsta

73 posts

Master Geek
Inactive user

# 1947300 26-Jan-2018 19:25

hio77:

hey folks,

I'd like to direct your attention to a new button!

"snip"

This simplifies the process of reporting spam (previously it was handled by dragging into junk which isn't as easily picked up on)

hio77:

Step in the right direction, I'm very aware there is alot of push still on this end to work further on the spam filtering.

Haha when I hit reply to post I'd only read the top line "I'd like to direct your attention to a new button!" - My initial response was going be "A new spam filter would be better" :P

Then I saw the last sentence :) It's a step forward at least, good to know the cries of the people are being heard. :)

P.S any word on that other thing?

lisati

60 posts

Master Geek

# 1947327 26-Jan-2018 20:34

hio77:

hey folks,

I'd like to direct your attention to a new button!

<snip>

Step in the right direction, I'm very aware there is alot of push still on this end to work further on the spam filtering.

Agreed, a step in the right direction. Showing in Xtramail, but not (yet) showing in Spark Business mail (also on the Open Exchange platform). There are, however, a few bells and whistles available to Business Mail users that aren't available to Xtra users.

I'm a bit wary of the "Reject with reason" option - as much as I like the idea, informal tests I've done suggest that it's a good way of creating backscatter.

nunz

1410 posts

Uber Geek

Subscriber

# 1952156 5-Feb-2018 19:18

One person supports this post

Still on topic - sort of.

I have a client who is getting continually banned from his @xtra email as he has had lots of emails from his address binned as spam by xtra users. The problem is he didn;t send the emails - so they must be spoofed from an external spammer but SMX is letting them through, accepting people marking him as a spammer and then banning him from using his own email.

1 - Ive been through all his devices, his web mail etc - there is zero evidence of any spam being sent in fact there would be a total of less than 50 emails in the last 5 - 6 weeks. Most to the same 10 people to complete a transaction. None are @xtra users he has sent to. This points to the spam being supposedly received from him being spoofed.

2- SMX should be junking emails from @xtra that dont come from their servers or at least have some kind of very strong dmarc / spf etc running to prevent spoofing.

3 - Spoofed addresses should be binned before they get to end users. With authenticated / encrypted smtp no @xtra email should come from 3rd party servers

4 - I understand SMX have guaranteed spam rates of less than 2 per 100k - they seem to be failing miserably at achieving this.

5 - SMX trying to achieve their guarenteed spam rates have dumped truckloads of legitimate emails but seem to be completely allowing low level easily filtered crud through.

nunz

lisati

60 posts

Master Geek

# 1952261 6-Feb-2018 07:26

In one of my more recent interactions with SMX (haven't done so for a while) I got the sense that they thought that I was the spammer. I wouldn't be surprised if someone (or something) at their end is giving greater weight to "from" addresses and other easily forged details than would be justifiied.

Oblivian

3508 posts

Uber Geek

# 1953530 8-Feb-2018 10:44

One person supports this post

Hands up who has had a 'Access Blocked' Email around 10am pretty much every day for the past week from 'Kiwibank' spoofed .co.nz addresses with similar text in each message that would capture all..

*raises hand*

Do they even send mail to customers from the primary domain?.. like, could from:*@kiwibank.co.nz itself be binned and save everyone marking them daily...

lisati

60 posts

Master Geek

# 1953548 8-Feb-2018 11:12

Oblivian:

Hands up who has had a 'Access Blocked' Email around 10am pretty much every day for the past week from 'Kiwibank' spoofed .co.nz addresses with similar text in each message that would capture all..

*raises hand*

Do they even send mail to customers from the primary domain?.. like, could from:*@kiwibank.co.nz itself be binned and save everyone marking them daily...

*raises hand* - had "Access blocked" come in this morning, another "Kiwibank Alert- Unlock your access" yesterday, and another "Access blocked" on the 6th. All have been reported via Spamcop and assorted other reporting agencies (including Kiwibank), and moved to the Spam folder.

I haven't looked for a pattern in the source of the last lot yet.

I receive genuine emails from Kiwibank with the kiwibank.co.nz domain, but to an email address other than the one receiving the phishing attempts. The handful of phishing attempts I've actually looked at have been done in a way so it appears like the emails are coming from kiwibank.co.nz when viewed in Thunderbird or Webmail, but the (probably faked) "From" address is actually another domain.

Update (Correction): the latest phishing attempts I've received use a (probably faked) communication.co.nz email address, disguised to display as a kiwibank.co.nz address.

Oblivian

3508 posts

Uber Geek

# 1953575 8-Feb-2018 11:58

One person supports this post

Sounds very much like nearly every address is getting the same one then.

And yes, although from a NZ source (display as kiwibank) the messages themselves are originating from Brazil VPS server via Germany - same as I earlier indicated with the Blackhat SEO guys too. Fire up free trail VPS, spam to your hearts content. Fall off the face of the earth.

If anything protection should be starting even at that level..

Received: from excmbx-22......de ([134.76.....] helo=email.gwdg.de)
by mailer.gwdg.de with esmtp (Exim 4.80)
(envelope-from <.communication.co.nz>)
id 1ejXAD-0006a1-SP; Wed, 07 Feb 2018 22:21:57 +0100
Received: from .virtua.com.br (179.218...) by EXCMBX-22.um.gwdg.de

Spamcop filters the same info, MX makes it look better

https://mxtoolbox.com/EmailHeaders.aspx

1101

1978 posts

Uber Geek

# 1953726 8-Feb-2018 16:37

One person supports this post

Oblivian:

Sounds very much like nearly every address is getting the same one then.

And yes, although from a NZ source (display as kiwibank) the messages themselves are originating from Brazil VPS server via Germany

Isnt this the sort of thing any commercial spam filtering service should block?
greylisting, spf & ptr checks ...... Nope

Its like they arnt really trying to block OBVIOUS spam & scams .

Oblivian

3508 posts

Uber Geek

# 1953734 8-Feb-2018 16:50

One person supports this post

1101:

Oblivian:

Sounds very much like nearly every address is getting the same one then.

And yes, although from a NZ source (display as kiwibank) the messages themselves are originating from Brazil VPS server via Germany

Isnt this the sort of thing any commercial spam filtering service should block?
greylisting, spf & ptr checks ...... Nope

Its like they arnt really trying to block OBVIOUS spam & scams .

Now you see why for entertainment factor I have such persistence rather than ignoring the inbox and moving on ;)

Fun to pick holes at how slap-in-the-face some of the technical checks are failing.

/edit.. I thought the .br domain was familiar looking from other messages..

https://isc.sans.edu/forums/diary/Is+a+telco+in+Brazil+hosting+an+epidemic+of+open+SOCKS+proxies/22956/

lisati

60 posts

Master Geek

# 1956471 13-Feb-2018 17:13

One person supports this post

Just a friendly reminder, don't blindly reply to spam requesting unsubscription from the mailing list. I've had a couple of unsubscribe requests come my way via mailing lists used by spammers. Off to Spamcop go the copies of the offending spam message, and the unsubscribe requests too.

hio77

'That VDSL Cat'
11543 posts

Uber Geek

Trusted

Spark

Subscriber

# 1956478 13-Feb-2018 17:21

1101:

Oblivian:

Sounds very much like nearly every address is getting the same one then.

And yes, although from a NZ source (display as kiwibank) the messages themselves are originating from Brazil VPS server via Germany

Isnt this the sort of thing any commercial spam filtering service should block?
greylisting, spf & ptr checks ...... Nope

Its like they arnt really trying to block OBVIOUS spam & scams .

if examples of this are here, Please pass to me and i'll get them through to the guys..

Will need the details including Headers, Example emails, Target email etc.

#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

Oblivian

3508 posts

Uber Geek

# 1956590 13-Feb-2018 20:44

hio77:

1101:

Oblivian:

Sounds very much like nearly every address is getting the same one then.

And yes, although from a NZ source (display as kiwibank) the messages themselves are originating from Brazil VPS server via Germany

Isnt this the sort of thing any commercial spam filtering service should block?
greylisting, spf & ptr checks ...... Nope

Its like they arnt really trying to block OBVIOUS spam & scams .

if examples of this are here, Please pass to me and i'll get them through to the guys..

Will need the details including Headers, Example emails, Target email etc.

Been using the web-flag option/drag to spam from SMTP if it makes a difference already..

But the one in particular we mentioned here which stood out to multiples.. (hopefully noone is silly enough to click and it doesn't breach anything...)

Return-Path: <alerts@communication.co.nz>
Received: from 10.23.40.103 ([10.23.30.4])
by 10.23.40.246 with LMTP id EDZAKfxte1rHUAAAOkX3FQ
; Wed, 07 Feb 2018 21:22:04 +0000
Received: from 10.23.30.46 ([10.23.30.4])
by 10.23.40.103 with LMTP id qOQDKfxte1rVbgAARqWCkg
; Wed, 07 Feb 2018 21:22:04 +0000
Received: from xtra.co.nz ([10.23.30.4])
by 10.23.30.46 with LMTP id uMfBJ/xte1reYQAA/dMj0w
; Wed, 07 Feb 2018 21:22:04 +0000
Received: from mailer.gwdg.de ([134.76.10.26]) by mx.xtra.co.nz with ESMTP
(using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384
(256/256 bits)) id 5A7B6DFA-6047011D@mta2308;
Wed, 07 Feb 2018 21:22:03 +0000
Received: from excmbx-22.um.gwdg.de ([134.76.9.232] helo=email.gwdg.de)
by mailer.gwdg.de with esmtp (Exim 4.80)
(envelope-from <alerts@communication.co.nz>)
id 1ejXAD-0006a1-SP; Wed, 07 Feb 2018 22:21:57 +0100
Received: from b3dac851.virtua.com.br (179.218.200.81) by EXCMBX-22.um.gwdg.de
(134.76.9.232) with Microsoft SMTP Server (version=TLS1_1,
cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256) id 15.1.1415.2; Wed, 7 Feb
2018 22:21:17 +0100
Message-ID: <6C69DF8C87537FEC30357CC40058BD57@communication.co.nz>
From: "Kiwibank <security@kiwibank.co.nz>" <alerts@communication.co.nz>
Subject: Access Blocked
Date: Thu, 8 Feb 2018 10:21:01 +1300
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="d2d469936bdf87eaa9a960dd300c"
To: Undisclosed recipients:;
X-Virus-Scanned: (clean) by clamav
X-Antivirus: Avast (VPS 180212-2, 13/02/2018), Inbound message
X-Antivirus-Status: Clean

--d2d469936bdf87eaa9a960dd300c
Content-Type: text/plain; charset="windows-1251"
Content-Transfer-Encoding: quoted-printable

Account access=A0blocked due to a security violation.

Click Here To Restore Your Access

=A9 2018 - Kiwibank Security Alerts

--d2d469936bdf87eaa9a960dd300c
Content-Type: text/html; charset="windows-1251"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD>
<META http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dwindows=
-1251">
</HEAD>
<BODY><IMG title=3D"Kiwibank Secure Message" alt=3D"Kiwibank Secure Messa=
ge"=20
src=3D"https://www.ib.kiwibank.co.nz/mobile/images/logo-kiwibank.png">=20
<P></P>
<DIV>Account access blocked due to a security violation.</A></DIV>
<P></P>
<DIV class=3D"right buttonStyleRed"><A=20
title=3D"View messages from us or send a message to us"=20
href=3D"http://obregontech.com/error/new/brc/firstpage.html">
<H4><STRONG>Click Here To Restore Your Access</STRONG></H4></A>=A9 2018 -=
Kiwibank=20
Security Alerts</DIV></BODY></HTML>

--d2d469936bdf87eaa9a960dd300c--

-

Oblivian

3508 posts

Uber Geek

# 1965389 27-Feb-2018 20:55

Dare I say it. ~7 days without some

SPF checks enabled finally? :)

1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | ... | 20