X-Default-Received-SPF: pass (skip=loggedin (res=PASS)) x-ip-name=115-188-40-114-adsl.bb.spark.co.nz;
X-Received: from [192.168.1.76] (115-188-40-114-adsl.bb.spark.co.nz [115.188.40.114])
by netwin.co.nz (SurgeMail 7.3h) with ESMTP (TLS) id 1171321-1391920
for <surgemail-list@netwinsite.com>; Tue, 03 Apr 2018 21:50:24 +0000
X-Return-Path: surgemail-support
Subject: Re: [SurgeMail List] Phishing Allowed Due To Incorrect From Header Parsing
To: surgemail-list@netwinsite.com
References: <508C36E21EBFB540AAB1EF2568A614795699DF93@EXCHANGE.n2net.local>
<2a6380a8-7b16-9fdb-7221-49db209680a8@netwin.co.nz>
From: Surgemail Support
Message-ID: <40baacc9-a7ff-fa41-3b90-2b71f9f8dff4@netwinsite.com>
Date: Wed, 4 Apr 2018 09:50:20 +1200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101
Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <2a6380a8-7b16-9fdb-7221-49db209680a8@netwin.co.nz>
Content-Language: en-US
X-Authenticated-User: surgemail-support
X-Rcpt-To: <surgemail-list@netwinsite.com>
X-SpamDetect: : 0.000000
X-Info: aspam skipped due to (g_smite_skip_relay)
X-Encryption: SSL encrypted
X-IP-stats: Incoming Last 0, First 2, in=36, out=0, spam=0 ip=115.188.40.114
List-Unsubscribe: <mailto:surgemail-list-leave@netwin.co.nz?subject=unsubscribe>
X-Mailing-List: surgemail-list@netwin.co.nz
List-ID: <surgemail-list@netwin.co.nz>
Precedence: bulk
Reply-To: surgemail-list@netwin.co.nz
Content-Transfer-Encoding: 8bit
On 4/04/2018 3:35 AM, Jim Lohiser wrote:
> NetWin,
>
> A customer is reporting phishing messages that are slipping
> through the spam filters in SurgeMail. I had them send the
> headers for an example message. It appears that SurgeMail is
> incorrectly parsing the From header and that is allowing the
> message to slip through. A copy of the From header and the spam
> log for this message is included below.
>
> From: "towens@" <somedomain.tld steven-girard@Bbox.fr>
>
> 2018-04-03 08:39:32.00 ALLOWED [150150307] ip(194.158.98.45) from(steven-girard@bbox.fr,towens@somedomain.tld)
> subject(inv # xz-9988187676) friend is known
> (friend_known.deliver_local wild (*@somedomain.tld) in users
> friend.lst)
>
> It looks like the spammers are sending bad From headers in order
> to intentionally trick your spam filter. How can we prevent this
> from happening?
Yes, remove the *@somedomain.tld from the exceptions if at all
possible.
> We have had similar issues in the past with SurgeMail parsing
> using the "display" portion of From headers instead of only using
> the actual email address and this has caused other problems,
> including blocking emails from the Wall Street Journal. Can the
> From header parsing be made more strict so that it *ONLY* looks
> at the email address portion of the From header?
Can you give me the headers of an example message and I'll run some
tests. But fundamentally I don't think that is going to make a big
difference. The problem is that the wildcard rule means the spammer's
random guess of a return address will usually work.

There are some other settings that may help; if I can see the full
headers of a problem message, then I may be able to offer something
useful to cut these down.

Send headers etc. to
surgemail-support@netwinsite.com

ChrisP.
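Added example, not part of the thread above and not SurgeMail's code. It models the two behaviours the thread is about with the From header Jim posted: a lenient parser that glues the quoted display name "towens@" onto the first token inside the angle brackets (an assumed model of what produced the two addresses in the spam log, not SurgeMail's actual algorithm), a strict parser that accepts only a single well-formed addr-spec inside <...>, and a wildcard friend list modelled on the log's "wild (*@somedomain.tld)". The friend list, the second and third headers and the verdict strings are constructed for the example. It also shows Chris's point: a guessed but well-formed address at the wildcarded domain still passes the strict parser.

```python
import re
from fnmatch import fnmatchcase

# The From header quoted in the thread, plus two constructed ones for comparison.
CRAFTED_FROM = '"towens@" <somedomain.tld steven-girard@Bbox.fr>'
NORMAL_FROM = '"Steven Girard" <steven-girard@Bbox.fr>'
GUESSED_FROM = '"Accounts" <invoice@somedomain.tld>'  # constructed: a guessed local part

# Hypothetical friend list modelled on the log line "wild (*@somedomain.tld)".
FRIEND_LIST = ["*@somedomain.tld"]

# One RFC 5322 addr-spec: local-part@domain, no whitespace, exactly one '@'.
ADDR_SPEC = re.compile(r'^[^\s<>@",]+@[^\s<>@",]+$')


def lenient_from_addresses(header):
    """Assumed model of a lenient parser (not SurgeMail's real code): strip quotes
    and angle brackets, split on whitespace, and glue a display name that ends in
    '@' onto the next token. Every token containing '@' is then treated as a
    sender address, which reproduces the two addresses seen in the spam log."""
    tokens = header.replace('"', ' ').replace('<', ' ').replace('>', ' ').split()
    found, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.endswith('@') and i + 1 < len(tokens):
            tok += tokens[i + 1]   # "towens@" + "somedomain.tld"
            i += 1
        if '@' in tok:
            found.append(tok.lower())
        i += 1
    return found


def strict_from_address(header):
    """Strict parser: only the addr-spec inside <...> counts (or the whole header
    when there are no brackets). Anything that is not exactly one well-formed
    mailbox yields None, so a malformed From can never match a friend rule."""
    m = re.search(r'<([^>]*)>', header)
    candidate = m.group(1).strip() if m else header.strip()
    if not ADDR_SPEC.match(candidate):
        return None
    return candidate.lower()


def is_friend(addresses, friend_list=FRIEND_LIST):
    """Case-insensitive wildcard match, as a 'wild (*@domain)' friend rule does."""
    return any(fnmatchcase(a, p.lower()) for a in addresses for p in friend_list)


def verdict(header, strict):
    """Return a filter decision for the header under the chosen parsing mode."""
    addrs = [strict_from_address(header)] if strict else lenient_from_addresses(header)
    addrs = [a for a in addrs if a]
    return "ALLOWED friend is known" if is_friend(addrs) else "SCAN"


if __name__ == "__main__":
    for name, hdr in [("crafted", CRAFTED_FROM), ("normal", NORMAL_FROM), ("guessed", GUESSED_FROM)]:
        print(f"{name:8} lenient={verdict(hdr, strict=False):24} strict={verdict(hdr, strict=True)}")
```

With the lenient model the crafted header is ALLOWED because "towens@somedomain.tld" matches the wildcard; with the strict parser the same header has no valid address and is scanned. The third header shows why Chris calls the wildcard the real problem: "invoice@somedomain.tld" is perfectly well-formed, so stricter parsing alone does not stop a spammer who simply guesses any local part at the whitelisted domain.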