Customers getting lots of spam

Discussion in 'Email Support' started by kujo2123, Apr 9, 2013.

  1. kujo2123

    kujo2123 Perch

    Over the past few months, we have been inundated by customer complaints about spam coming into their inbox. Is anyone else seeing this? Has anyone else moved to having a 3rd party anti-spam filter set up? Now that Google Apps is no longer free, we aren't able to simply move our smaller customers over there where the filter is a lot better than the SpamAssassin that's here (Sorry JH, I realize SA is a decent product, but it's just not cutting it, and the fact that all it does is mark the message as spam instead of putting it into a spam folder (not another mailbox, that's not practical) doesn't really help normal users).

    I'd sure appreciate any help if anyone else has run into this and how they've approached the issue.
  2. Pratik

    Pratik SkyWalker Staff Member

    We are working on a solution on our end as well to tackle this spam issue, which we have seen increase in the last couple of weeks. People keep finding new ways to spam others, and this is an out-and-out battle between us and them. As for SpamAssassin, there are settings which you can enable so that it will not just mark a message as spam but can reject or delete it as well. You can find those settings at http://hsphere.parallels.com/docs/3.6.1/user/html/16664.htm
  3. kujo2123

    kujo2123 Perch

    Having it reject or delete is just not an option in the real world. What if there is a false positive? That's why every hosted solution puts spam into a spam folder specific to that user.
  4. bro

    bro Perch

    Gmail is still free, and you can use any email address as the sender without paying for Google apps. I forward most incoming mail directly there now, and send through Google SMTP. You can access it from any mail client.
  5. kujo2123

    kujo2123 Perch

    I suppose that would be an option, to set up a Gmail account, then set up an additional mail address on that account, and lastly forward all mail to the Gmail account from the JH servers. Quite a bit of a workaround, but may be a good option to stop the daily calls from our frustrated customers. Thank you!
  6. Stephen

    Stephen US Operations Staff Member

    Don't forward, that causes more issues. Instead have Gmail remote check if you go that route!
  7. bro

    bro Perch

    Do you mean because Gmail might identify the forwarding server as the spammer? I don't think that's the case. All the headers I look at in Gmail show the original sender in the headers and give that as the return path.
    If Gmail is just picking up mail from POP I don't know if their spam filters kick in at all. Have you ever specifically tested it out?
  8. tanmaya

    tanmaya APAC Operations Staff Member

    Such headers can be faked, which is why the sender IP is penalized in most cases.
  9. tanmaya

    tanmaya APAC Operations Staff Member

    Is the spam situation any better these days?
  10. bro

    bro Perch

    A lot of the spam has been reduced to virus messages in recent days, though I'm still getting plenty of mail from lonely Russian ladies who'd like to be my friend. The filtering by ClamAV is a little too enthusiastic, though, and producing false positives... For example, I just got a virus message "Virus SecuriteInfo.com.Spammer.list-manage.com.UNOFFICIAL found in attached mail by ClamAV" on an Asus newsletter that I'm subscribed to, sent by Mailchimp with an SPF Pass, and DomainKey and DKIM signatures intact. See the redacted headers below.

    I've also had a couple of complaints from clients of legitimate mail not received in recent days, or rejected as infected. Is whitelisting through the CP enough to bypass the virus checker?

    From - Tue Apr 23 10:32:57 2013
    X-Account-Key: account2
    X-UIDL: 1366727369.775.mail3.myhsphere.biz,S=2655
    X-Mozilla-Status: 0001
    X-Mozilla-Status2: 00000000
    X-Mozilla-Keys:
    Return-Path: <signup-mc.us1_1843761.222493-XXXXXX=XXXXXX.com@mail2.mcsignup.com>
    Delivered-To: XXXXX@XXXXXX.com
    Received: (qmail 772 invoked by uid 399); 23 Apr 2013 14:29:29 -0000
    Delivered-To: XXXXXXXXXXXXXXX
    Received: (qmail 754 invoked by uid 399); 23 Apr 2013 14:29:29 -0000
    X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on mail3.myhsphere.biz
    X-Spam-Level: **
    X-Spam-Status: No, score=2.5 required=5.0 tests=AWL,HEADER_COUNT_SUBJECT
    autolearn=disabled version=3.2.5
    X-Virus-Scan: Scanned by ClamAV 0.97.6 (SecuriteInfo.com.Spammer.list-manage.com.UNOFFICIAL);
    Tue, 23 Apr 2013 09:29:29 -0500
    Received: from mail2.mcsignup.com (72.26.195.73)
    by mail3.myhsphere.biz with ESMTP; 23 Apr 2013 14:29:29 -0000
    Received-SPF: pass (mail3.myhsphere.biz: SPF record at mail2.mcsignup.com designates 72.26.195.73 as permitted sender)
    identity=mailfrom; client-ip=72.26.195.73;
    envelope-from=<signup-mc.us1_1843761.222493-XXXXXX=XXXXXX.com@mail2.mcsignup.com>;
    DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1; d=mail2.mcsignup.com;
    Subject: Virus SecuriteInfo.com.Spammer.list-manage.com.UNOFFICIAL found in attached mail by ClamAV.
    bh=sKCVfTkmD9h0N1+jyeeVNzBeC+M=;
    b=fVYI3x7FknOHnPs5P4oSMYT0NwxvoTVqgYsUJg0tjcBpg8Ud2RUkEKgFDufHXnY4/9kliBRAUm1G
    kOfAHs8oZyp39l3Zl3WL+Svn32nZblLycND+ynWFoD3oZMLURuDQT8bFr5HiPWwg0ksQITIQ9cPp
    72GmfhF4QcckWKIHA6w=
    DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=k1; d=mail2.mcsignup.com;
    b=Ppzr5GWmPr/J/uQMw+V20zSMpDtG2a1ZU/f/7V8TxRKCpo9yjwBCezNDNId+jUDwJvMCmnxYQVPh
    ifAO9roPh6VMNT/Zbbtshhhd7t8CCjcdi0za6bFmyQy9fsD3e6SWFWDh6/XwQ89MwGRwN6p4ug19
    zAikeQ48QNmmv9hEULE=;
    Received: by mail2.mcsignup.com (PowerMTA(TM) v3.5r16) id heqdci0ik18p for <XXXXXX@XXXXXX.com>; Tue, 23 Apr 2013 14:29:28 +0000 (envelope-from <signup-mc.us1_1843761.222493-XXXXXX=XXXXXX.com@mail2.mcsignup.com>)
    Sender: signup-mc.us1_1843761.222493-XXXXXX=XXXXXX.com@mail2.mcsignup.com
    From: =?utf-8?Q?ASUS?= <newsletter@asus.com>
    To: XXXXXX@XXXXXX.com
    Subject: Virus SecuriteInfo.com.Spammer.list-manage.com.UNOFFICIAL found in attached mail by ClamAV.
    Date: Tue, 23 Apr 2013 14:29:28 +0000
    Content-Type: multipart/mixed;
    boundary="=_5d03d3ca2e6fc60fd8e51286921abfef"
    MIME-Version: 1.0
    Message-ID: <0.2.18.898.1CE402EF6232654.0@mail2.mcsignup.com>



    ClamAV anti-virus scanner has intercepted and deleted a message.

    The following is a summary of the infected message:

    Virus name: SecuriteInfo.com.Spammer.list-manage.com.UNOFFICIAL

    Please be aware that a virus spread by email normally forges the
    address of the sender. There is a good chance that the infected message
    was not received from the sender listed above.
  11. bro

    bro Perch

  12. tanmaya

    tanmaya APAC Operations Staff Member

    Where they employ Postini, from my past experiences, it did not care about email being forwarded. That may not be the case with Gmail's anti-spam. I haven't seen this article in the past, and spoke based on my experience with most providers. I think I 'have' seen Gmail penalizing sender IP in the distant past.
    Thanks for the link!
  13. tanmaya

    tanmaya APAC Operations Staff Member

    I hope that's not a problem?

    Can you send headers of one such mail? I would like to see if there is some basic check that failed.
    We are aware ClamAV is being aggressive. We are working on isolating the signatures causing most problems.
  14. abhishek

    abhishek Administrator Staff Member

    We have disabled the virus signatures which are causing problems and will continue to disable the problematic signatures. Please check now and update us via ticket if you still have a problem with mails being rejected due to ClamAV anti-virus.
  15. bro

    bro Perch

    No, better than spam itself, but because of the occasional false positive I still need to go through the senders' names and that takes just as long as spotting spam... also, some people get upset when they're told they're sending 'infected' mail.

    There's not much to latch on to... most of the spams are pretty innocuous. Programmatically, I guess it's difficult to tell the difference between them and a normal email, except for the .ru domain names in the text which is how I dump them using a local filter. Not so helpful for people in Russia.

    From - Tue Apr 23 02:37:26 2013
    X-Account-Key: account2
    X-UIDL: 1366698871.25596.mail3.myhsphere.biz,S=1921
    X-Mozilla-Status: 0001
    X-Mozilla-Status2: 00000000
    X-Mozilla-Keys:
    Return-Path: <15d8fe4082@7citieshvac.com>
    Delivered-To: XXXXXXXXXXX
    Received: (qmail 25589 invoked by uid 399); 23 Apr 2013 06:34:31 -0000
    X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on mail3.myhsphere.biz
    X-Spam-Level: **
    X-Spam-Status: No, score=2.1 required=5.0 tests=URIBL_WS_SURBL
    autolearn=disabled version=3.2.5
    X-Virus-Scan: Scanned by ClamAV 0.97.6 (no viruses);
    Tue, 23 Apr 2013 01:34:31 -0500
    Received: from mail6.myhsphere.biz (173.0.129.11)
    by mail3.myhsphere.biz with ESMTP; 23 Apr 2013 06:34:31 -0000
    Received-SPF: neutral (mail3.myhsphere.biz: 173.0.129.11 is neither permitted nor denied by SPF record at 7citieshvac.com)
    identity=mailfrom; client-ip=173.0.129.11;
    envelope-from=<15d8fe4082@7citieshvac.com>;
    Received: (qmail 3130 invoked by uid 399); 23 Apr 2013 06:34:30 -0000
    Delivered-To: pigammaXX.org-do-not-reply@pigammaXX.org
    X-RCPT-TO: do-not-reply@pigammaXX.org
    Received: (qmail 3118 invoked by uid 399); 23 Apr 2013 06:34:30 -0000
    X-Virus-Scan: Scanned by ClamAV 0.97.6 (no viruses);
    Tue, 23 Apr 2013 01:34:30 -0500
    Received: from unknown (HELO ?37.242.47.163?) (37.242.47.163)
    by mail6.myhsphere.biz with ESMTP; 23 Apr 2013 06:34:29 -0000
    Received-SPF: neutral (mail6.myhsphere.biz: 37.242.47.163 is neither permitted nor denied by SPF record at 7citieshvac.com)
    identity=mailfrom; client-ip=37.242.47.163;
    envelope-from=<15d8fe4082@7citieshvac.com>;
    Subject: Yo yo oy
    From: Gail Ingram <15D8FE4082@7citieshvac.com>
    Content-Type: text/plain;
    charset=us-ascii
    X-Mailer: iPhone Mail (10B329)
    Message-Id: <640F0978-AED3-18B5-70DE-1D105FC95672@FATMA>
    Date: Tue, 23 Apr 2013 09:34:25 +0300
    To: "do-not-reply@pigammaXX.org" <do-not-reply@pigammaXX.org>
    Content-Transfer-Encoding: 7bit
    Mime-Version: 1.0 (1.0)

    Yo do-not-reply,

    I sent you a message. Click to read
    http://www.datingfise.ru/?555CE6B=00AE5D0746BD091FB

    I'm waiting for you :) xoxo

    Sent from my iPhone
  16. oceanz

    oceanz Guppy

    Do you really mean that I have to ask every client to report every false positive? For a service that was happily working with these same emails until a short period ago?

    I am fairly sure that most of them will want to vote with their feet.

    Neil C.
  17. tanmaya

    tanmaya APAC Operations Staff Member

    I asked for headers of an email that was not marked as spam.
  18. tanmaya

    tanmaya APAC Operations Staff Member

    We made more changes today. Please let us know if accuracy is any better now?


    If you notice, the spam score is 2.1, so a very aggressive setting would have marked this email spam. Going into this further, the spam check that added the score of 2.1 is a network-based check, where updates to detect such spam are frequent and possible. Also, such spam has a small lifetime in terms of its content, the URL, and the sender IP. So by the time such spam becomes known enough to get a score of more than 2.1, it's gone.
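Added example (not part of any post in this thread): a Python sketch that reads the filter verdicts out of headers like the two sets bro posted, showing why the ASUS newsletter is a candidate for ClamAV signature review and what lowering the SpamAssassin threshold to catch the 2.1-score message would also tag. The header samples are trimmed, constructed copies, and `triage` and `tagged_at` are hypothetical names.

```python
import re
from email import message_from_string

# Constructed samples: header fields trimmed from the two messages quoted in this thread.
NEWSLETTER = """\
X-Spam-Status: No, score=2.5 required=5.0 tests=AWL,HEADER_COUNT_SUBJECT
    autolearn=disabled version=3.2.5
X-Virus-Scan: Scanned by ClamAV 0.97.6 (SecuriteInfo.com.Spammer.list-manage.com.UNOFFICIAL);
Received-SPF: pass (mail3.myhsphere.biz: SPF record at mail2.mcsignup.com designates 72.26.195.73 as permitted sender)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1; d=mail2.mcsignup.com;

"""
DATING_SPAM = """\
X-Spam-Status: No, score=2.1 required=5.0 tests=URIBL_WS_SURBL
    autolearn=disabled version=3.2.5
X-Virus-Scan: Scanned by ClamAV 0.97.6 (no viruses);
Received-SPF: neutral (mail3.myhsphere.biz: 173.0.129.11 is neither permitted nor denied by SPF record at 7citieshvac.com)

"""

def triage(raw):
    """Summarise the filter verdicts recorded in a delivered message's headers."""
    msg = message_from_string(raw)
    status = re.search(r"score=(-?[\d.]+)\s+required=(-?[\d.]+)\s+tests=(\S*)",
                       msg.get("X-Spam-Status", ""))
    score, required, tests = status.groups() if status else ("0", "0", "")
    scan = re.search(r"\(([^)]*)\)", msg.get("X-Virus-Scan", ""))
    signature = scan.group(1) if scan else ""
    spf = (msg.get("Received-SPF") or "none").split()[0].lower()
    dkim_present = "DKIM-Signature" in msg   # presence only, not verified here
    # ClamAV appends .UNOFFICIAL to names from databases other than its official ones.
    third_party = signature.endswith(".UNOFFICIAL")
    return {
        "score": float(score),
        "required": float(required),
        "tests": [t for t in tests.split(",") if t],
        "signature": signature,
        "spf": spf,
        # Flags the signature for review; SPF/DKIM only show who sent the mail.
        "review_signature": third_party and spf == "pass" and dkim_present,
    }

def tagged_at(raw, threshold):
    """Would SpamAssassin have tagged this message at the given required score?"""
    return triage(raw)["score"] >= threshold

if __name__ == "__main__":
    for name, raw in (("newsletter", NEWSLETTER), ("dating spam", DATING_SPAM)):
        print(name, triage(raw), "tagged at 2.0:", tagged_at(raw, 2.0))
```

At a threshold of 2.0 both messages are tagged, so the 2.5-score newsletter becomes a false positive alongside the spam it was lowered to catch.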
  19. BorderWeb

    BorderWeb Guppy

    I have a solution for spam that people have started paying me for. It is outside the box. Most techs are not receptive to it. Sometimes we ignore the obvious solutions, trying to come up with a complicated solution to a simple problem.

    My solution GUARANTEES zero spam, and ZERO false positives, and no spammer can crack it. Yes... Big talker :)

    The H-Sphere mail manager works with this solution, but it could be slightly more user friendly.

    It is simple: whitelist-only email. It uses the SMTP layer whitelist. In many cases, spam will not even leave the spammer's "outbox" when addressed to a whitelist-only account, reducing the traffic load across the entire internet, and confounding the spammer. The SMTP layer blacklist uses one entry. The regular expression *@*.*

    It does require the end user to get into the habit of adding authorized senders to their whitelist. ... like adding someone to their contacts.
    But that's not a bad thing, is it? After all, end users who reply to spam are the reason for its existence.

    It is necessary to use a website contact form to facilitate initial contact between a new customer and the end-user.
    But we do this already anyway. Exposing email addresses on websites is certainly not best practice.

    The solution will certainly not work for every single email account. Some accounts absolutely must allow previously unknown senders.
    But it works very well for many end users, and they love the exclusivity of it. People whose email accounts have been rendered useless due to hundreds of spam messages daily suddenly find their inbox empty, except for messages from those they wish to communicate with.

    The burden on the end user is fairly minimal. How often do you add a new contact to your address book?
    nzkiwi likes this.
  20. Stephen

    Stephen US Operations Staff Member

    Interesting idea, I know it would work for some people like my Grandparents that get sick of loads of mail when they only want it from a few people in their social groups in person and family.
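Added example (not part of any post in this thread, and not H-Sphere's own code): the whitelist-only policy BorderWeb describes, evaluated against envelope senders. It assumes the `*@*.*` entry is matched as a shell-style wildcard and that the whitelist is consulted before the blacklist; the addresses, list contents and function names are hypothetical.

```python
from fnmatch import fnmatchcase

CATCH_ALL = ["*@*.*"]  # the single blacklist entry quoted in the post

def decide(mail_from, whitelist, blacklist=CATCH_ALL):
    """Classify one envelope sender: 'accept', 'reject' or 'defer-to-policy'."""
    sender = mail_from.strip().strip("<>").lower()
    if not sender:
        # Bounces carry the empty reverse-path "<>", which no address pattern
        # describes, so the operator has to decide their handling separately.
        return "defer-to-policy"
    if any(fnmatchcase(sender, p.lower()) for p in whitelist):
        return "accept"            # assumed: whitelist is consulted first
    if any(fnmatchcase(sender, p.lower()) for p in blacklist):
        return "reject"
    return "accept"                # matched neither list

def replay(senders, whitelist):
    """Group a batch of envelope senders by decision."""
    out = {"accept": [], "reject": [], "defer-to-policy": []}
    for s in senders:
        out[decide(s, whitelist)].append(s)
    return out

# Constructed data: hypothetical whitelist and envelope senders.
WHITELIST = ["daughter@family.example", "*@bridgeclub.example"]
SENDERS = ["<Daughter@Family.example>", "secretary@bridgeclub.example",
           "promo@bulk-offers.example", "<>"]

if __name__ == "__main__":
    for decision, who in replay(SENDERS, WHITELIST).items():
        print(decision, who)
```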
