I have to ask, why can't SMX filter out spoofed email claiming to be from @xtra.co.nz?
Surely to god that would be the easiest thing to filter/block?
Please, can we get that implemented?
1101: I have to ask, why can't SMX filter out spoofed email claiming to be from @xtra.co.nz? Surely to god that would be the easiest thing to filter/block?
You would think so, but actually it's not so simple (nothing ever is).
I assume you're referring to the case where the Envelope sender is for a valid external domain that passes SPF, but the From header has been set to an @xtra address? The problem with this is that, if all incoming mails of this sort were dropped, you'd break many mailing lists. There are valid scenarios where the From header holds a different address to the sending domain - the RFC states that in this case, the Sender header should be set appropriately, but many mailing lists do not do this. In any case, DMARC gets broken whichever way you do it. Dropping legitimate messages as false-positives is seen as worse than accidentally letting some spam through, and so the rules err on the side of caution.
If you want, you could set up your own filter rule (do this via webmail) to delete or quarantine messages with '@xtra.co.nz' in the From header and 'mx.xtra.co.nz' in the Received header (this excludes direct messages from other Xtra users). This should catch all the messages with spoofed From headers, but be warned that it will also potentially catch mailing list messages and other bulk or automated messages that you may want. Consider adding a test that the Header 'Sender' does not exist as well, and excluding any other special cases. Initially you'd want to just flag the messages rather than delete until you're sure you have a working rule.
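The filter rule described in the post above, sketched in Python as an added example (not part of the original post, and not Xtra's or SMX's filter code). The three messages are constructed samples using documentation domains, and `classify` and `require_no_sender` are hypothetical names.

```python
from email import message_from_string

FROM_MARKER = "@xtra.co.nz"        # string to look for in the From header
INBOUND_MX_MARKER = "mx.xtra.co.nz"  # string to look for in Received headers

def classify(raw, require_no_sender=True):
    """Return "flag" or "pass" for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    from_claims_xtra = FROM_MARKER in msg.get("From", "").lower()
    received = msg.get_all("Received") or []
    via_inbound_mx = any(INBOUND_MX_MARKER in r.lower() for r in received)
    if not (from_claims_xtra and via_inbound_mx):
        return "pass"   # external sender, or direct mail between Xtra users
    if require_no_sender and msg.get("Sender"):
        return "pass"   # a Sender header suggests a well-behaved mailing list
    return "flag"       # flag rather than delete while the rule is on trial

# Constructed sample: external host, From set to an @xtra address, no Sender.
SPOOFED = """\
Return-Path: <bounce@mailer.example>
Received: from mailer.example ([203.0.113.7]) by mx.xtra.co.nz with ESMTP;
 Wed, 19 Jun 2019 22:11:34 +0000
From: Support <someone@xtra.co.nz>
Subject: constructed sample

body
"""

# Constructed sample: same path, but the list sets the Sender header.
LIST_MAIL = SPOOFED.replace(
    "Subject:", "Sender: list-owner@lists.example\nSubject:", 1)

# Constructed sample: mail that never crossed the inbound MX.
INTERNAL = """\
Received: from internal ([10.0.0.1]) by xtra.co.nz with ESMTP;
 Wed, 19 Jun 2019 22:11:34 +0000
From: Friend <friend@xtra.co.nz>
Subject: constructed sample

body
"""

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("list", LIST_MAIL),
                      ("internal", INTERNAL)]:
        print(name, classify(raw), classify(raw, require_no_sender=False))
```

Without the Sender test the list message is flagged as well, which is the false-positive case the post warns about.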
Hammerer:cheshirecat:
Making value judgements (e.g. "is this spam?") is notoriously difficult for AI to do accurately, the Xtra filters are actually catching a huge amount that you don't see and only a small fraction are getting through.
Xtra mail also bounces most of my emails from gmail/hotmail so that I now don't bother responding to email from xtra addresses - mainly elderly relatives.
One answer I got from Spark a few months back was to have the Xtra customer log in to webmail, and add your email address to their Xtra address book. This also sometimes seems to work if you're running into problems forwarding mail to the DIA or spamcop from your Xtra account.
It's been a while since I've checked in. Here's a tip or two for filters (e.g. move to a folder, reject with reason):
cheshirecat: If you want, you could set up your own filter rule (do this via webmail)
I'm not worried about a few spams getting through :-)
You could argue (I would), since this @xtra is really for personal, NOT business email, it shouldn't be used for bulk emails sent via a 3rd party system. And so email spoofing should be blocked.
lisati:
One answer I got from Spark a few months back was to have the Xtra customer log in to webmail, and add your email address to their Xtra address book. This also sometimes seems to work if you're running into problems forwarding mail to the DIA or spamcop from your Xtra account.
This is correct; addresses in your address book are given a positive score when calculating the chance of the message being spam.
1101:
You could argue (I would), since this @xtra is really for personal, NOT business email, it shouldn't be used for bulk emails sent via a 3rd party system. And so email spoofing should be blocked.
Unfortunately there is a huge range of subscribers to Xtramail, spanning home users, hobbyists, and businesses. Some use mailing lists and subscribe to bulk notifications from various businesses. It is impossible to make any useful generalisation about Xtramail users as they span all of the different groups in our population; you can't even say they live in New Zealand as some live overseas for parts of the year, and many go on holiday all over the world.
@hio77, had this come through today.
Return-Path: <rfcouch@xtra.co.nz>
Received: from 10.23.40.101 ([10.23.30.21])
by 10.23.40.245 with LMTP id uNsdJhqzCl1WLwAADFX+yw
; Wed, 19 Jun 2019 22:11:38 +0000
Received: from 10.23.30.43 ([10.23.30.21])
by 10.23.40.101 with LMTP id 4MDUJRqzCl2XFwAAq/qbSg
; Wed, 19 Jun 2019 22:11:38 +0000
Received: from xtra.co.nz ([10.23.30.21])
by 10.23.30.43 with LMTP id 2EY0JRqzCl3RFAAAu83VPg
; Wed, 19 Jun 2019 22:11:38 +0000
Received: from internal ([10.23.30.56]) by xtra.co.nz with ESMTP
id 5D0AB313-8CEA1DA5@mta2306; Wed, 19 Jun 2019 22:11:34 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=xtra.co.nz; s=alpha; c=relaxed/relaxed;
q=dns/txt; i=@xtra.co.nz; t=1560982288;
h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc;
bh=pJqqTZAys3OTIWrN4tdGDOxbCvmJqUQJhgRhUJmeZqY=;
b=HR6WSo2gcP5FtAKUu+pObTXVvD1CjzI+r7WCD9Lg1NwxNvRakGJG8+N/BaCOgDqk
v7K5kYB5rXnxjPmxiQDRLAEEg6XvkXAYiDJ2S5/iKWK7VkUckFQ8CvMqxBl5o2H1
VeOt48G+PiYLZJ1UkuKxE8aP+0UIVh2myAaEFHoaymU=;
SMX-S1C:
SMX-S1V:
SMX-S1S:
Received: from [10.23.30.21] by shared.xtra.co.nz with ESMTP
id 5D0AB30D-E35B0D6D@mta2306.omr;
Wed, 19 Jun 2019 22:11:28 +0000
Date: Thu, 20 Jun 2019 10:11:23 +1200 (NZST)
From: SparkTM <rfcouch@xtra.co.nz>
Message-ID: <290413481.1543424.1560982283925@webmail.xtra.co.nz>
Subject: Re :
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_Part_1543422_1342856324.1560982283897"
X-Priority: 3
Importance: Medium
X-Mailer: Open-Xchange Mailer v7.8.4-Rev41
X-Originating-Client: open-xchange-appsuite
------=_Part_1543422_1342856324.1560982283897
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Dear Customer,
Important notification available on your SparkEmail .
To view it please click on the link below .
Acces to your account https://qhsb.com.my/zab.html
Sincerely,
SparkTM
Ding Ding Ding Ding Ding : Ice cream man , Ice cream man
hio77:The other cat will likely see this :)
Just another phishing attempt. Hit the report spam button
Sometimes I just sit and think. Other times I just sit.
eracode: Does marking as spam get noticed &/or actioned by xtra - or just at the user’s device end? Sorry have no idea how these things work.
If you 'Mark as Spam' then the notification will automatically feed back into the Spam analysis system and help detect future spams. So don't do it as a replacement for the delete button, only if it is really UCE.
Specifically Spark-targeted phishing emails can be reported to the Spark service desk as they might originate from compromised Xtra accounts, and Spark should probably know about any attacks targeting their customers.
I believe that there are other processes in action that are working to target and prevent this sort of phishing spam in the future, though it would be hard with emails like the one above that appears to have originated on webmail from a compromised account, but sadly I am not able to go into details here.
so what do you do about emails that end up in your spam folder, you can't report them as spam and they just keep coming.....
Jase2985:
so what do you do about emails that end up in your spam folder, you can't report them as spam and they just keep coming.....
Mails in your spam folder have already been identified as spam, though they are in the 'probably spam' category rather than the 'definitely spam' category (which are already discarded). The spam folder is intended to help you identify false-positives, just in case there is an error. If you're confident (or reckless) like I am, you'll just ignore the spam folder entirely.
False-negatives are when the spam ends up in your Inbox - these, you use the Spam button to report, so that the algorithms can be improved.
I know the spam just keeps coming. At least almost all of it is filtered out by the system before hitting the inbox. If you know any way to stop them sending it, please let us all know :(
For those of us not using webmail
Is there any way to stop email going into the spam filter?
Those using POP3 don't get to see what's in the spam folder.
I'd rather get a few more spams than have legit email go to the unseen (POP3) spam folder.
Or do I just need to use IMAP instead & also sync the (webmail's) spam folder?
1101:
Is there any way to stop email going into the spam filter?
Those using POP3 don't get to see what's in the spam folder.
The system sends "probable spam" into the Spam folder by default. This is email that previously would have been dropped, but now is put into the Spam folder for you to optionally review, before it is autodeleted after a couple of weeks.
Of course, only webmail and IMAP users can see the spam folder as POP3 does not have the concept of folders. So, if you're using POP3 but want to see these mails, you have a problem.
Options -