Customers getting lots of spam

Over the past few months, we have been inundated by customer complaints about spam coming into their inbox. Is anyone else seeing this? Has anyone else moved to having a 3rd party anti-spam filter setup? Now that Google Apps is no longer free, we aren't able to simply move our smaller customers over there where the filter is a lot better than SpamAssassin that's here (Sorry JH, I realize SA is a decent product, but it's just not cutting it, and the fact that all it does is mark the message as spam instead of putting it into a spam folder (not another mailbox, that's not practical) doesn't really help normal users).

I'd sure appreciate any help if anyone else has run into this and how they've approached the issue.
 
We are working on a solution on our end as well to tackle this spam issue, which we have seen increase in the last couple of weeks. People keep finding new ways to spam others, and this is kind of an out-and-out battle between us and them. As for SpamAssassin, there are settings which you can enable so that it will not just mark mail as spam but can reject or delete it as well. You can find those settings at http://hsphere.parallels.com/docs/3.6.1/user/html/16664.htm
 
Having it reject or delete is just not an option in the real world. What if there is a false positive? That's why every hosted solution puts spam into a spam folder specific to that user.
 
Gmail is still free, and you can use any email address as the sender without paying for Google Apps. I forward most incoming mail directly there now, and send through Google SMTP. You can access it from any mail client.
 
I suppose that would be an option, to set up a Gmail account, then set up an additional mail address on that account, and lastly forward all mail to the Gmail account from the JH servers. Quite a bit of a workaround, but may be a good option to stop the daily calls from our frustrated customers. Thank you!
 
Don't forward, that causes more issues. Instead, have Gmail remote check if you go that route!
 
Do you mean because Gmail might identify the forwarding server as the spammer? I don't think that's the case. All the headers I look at in Gmail show the original sender in the headers and give that as the return path.
If Gmail is just picking up mail from POP I don't know if their spam filters kick in at all. Have you ever specifically tested it out?
 
Do you mean because Gmail might identify the forwarding server as the spammer? I don't think that's the case. All the headers I look at in Gmail show the original sender in the headers and give that as the return path.
If Gmail is just picking up mail from POP I don't know if their spam filters kick in at all. Have you ever specifically tested it out?
Such headers can be faked, which is why the sender IP is penalized in most cases.
 
I suppose that would be an option, to set up a Gmail account, then set up an additional mail address on that account, and lastly forward all mail to the Gmail account from the JH servers. Quite a bit of a workaround, but may be a good option to stop the daily calls from our frustrated customers. Thank you!
Is the spam situation any better these days?
 
Is the spam situation any better these days?
A lot of the spam has been reduced to virus messages in recent days, though I'm still getting plenty of mail from lonely Russian ladies who'd like to be my friend. The filtering by ClamAV is a little too enthusiastic, though, and producing false positives... For example, I just got a virus message "Virus SecuriteInfo.com.Spammer.list-manage.com.UNOFFICIAL found in attached mail by ClamAV" on an Asus newsletter that I'm subscribed to, sent by Mailchimp with an SPF Pass, and DomainKey and DKIM signatures intact. See the redacted headers below.

I've also had a couple of complaints from clients of legitimate mail not received in recent days, or rejected as infected. Is whitelisting through the CP enough to bypass the virus checker?

From - Tue Apr 23 10:32:57 2013
X-Account-Key: account2
X-UIDL: 1366727369.775.mail3.myhsphere.biz,S=2655
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path: <signup-mc.us1_1843761.222493-XXXXXX=[email protected]>
Delivered-To: [email protected]
Received: (qmail 772 invoked by uid 399); 23 Apr 2013 14:29:29 -0000
Delivered-To: XXXXXXXXXXXXXXX
Received: (qmail 754 invoked by uid 399); 23 Apr 2013 14:29:29 -0000
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on mail3.myhsphere.biz
X-Spam-Level: **
X-Spam-Status: No, score=2.5 required=5.0 tests=AWL,HEADER_COUNT_SUBJECT
autolearn=disabled version=3.2.5
X-Virus-Scan: Scanned by ClamAV 0.97.6 (SecuriteInfo.com.Spammer.list-manage.com.UNOFFICIAL);
Tue, 23 Apr 2013 09:29:29 -0500
Received: from mail2.mcsignup.com (72.26.195.73)
by mail3.myhsphere.biz with ESMTP; 23 Apr 2013 14:29:29 -0000
Received-SPF: pass (mail3.myhsphere.biz: SPF record at mail2.mcsignup.com designates 72.26.195.73 as permitted sender)
identity=mailfrom; client-ip=72.26.195.73;
envelope-from=<signup-mc.us1_1843761.222493-XXXXXX=[email protected]>;
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1; d=mail2.mcsignup.com;
Subject: Virus SecuriteInfo.com.Spammer.list-manage.com.UNOFFICIAL found in attached mail by ClamAV.
bh=sKCVfTkmD9h0N1+jyeeVNzBeC+M=;
b=fVYI3x7FknOHnPs5P4oSMYT0NwxvoTVqgYsUJg0tjcBpg8Ud2RUkEKgFDufHXnY4/9kliBRAUm1G
kOfAHs8oZyp39l3Zl3WL+Svn32nZblLycND+ynWFoD3oZMLURuDQT8bFr5HiPWwg0ksQITIQ9cPp
72GmfhF4QcckWKIHA6w=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=k1; d=mail2.mcsignup.com;
b=Ppzr5GWmPr/J/uQMw+V20zSMpDtG2a1ZU/f/7V8TxRKCpo9yjwBCezNDNId+jUDwJvMCmnxYQVPh
ifAO9roPh6VMNT/Zbbtshhhd7t8CCjcdi0za6bFmyQy9fsD3e6SWFWDh6/XwQ89MwGRwN6p4ug19
zAikeQ48QNmmv9hEULE=;
Received: by mail2.mcsignup.com (PowerMTA(TM) v3.5r16) id heqdci0ik18p for <[email protected]>; Tue, 23 Apr 2013 14:29:28 +0000 (envelope-from <signup-mc.us1_1843761.222493-XXXXXX=[email protected]>)
Sender: signup-mc.us1_1843761.222493-XXXXXX=[email protected]
From: =?utf-8?Q?ASUS?= <[email protected]>
To: [email protected]
Subject: Virus SecuriteInfo.com.Spammer.list-manage.com.UNOFFICIAL found in attached mail by ClamAV.
Date: Tue, 23 Apr 2013 14:29:28 +0000
Content-Type: multipart/mixed;
boundary="=_5d03d3ca2e6fc60fd8e51286921abfef"
MIME-Version: 1.0
Message-ID: <[email protected]>



ClamAV anti-virus scanner has intercepted and deleted a message.

The following is a summary of the infected message:

Virus name: SecuriteInfo.com.Spammer.list-manage.com.UNOFFICIAL

Please be aware that a virus spread by email normally forges the
address of the sender. There is a good chance that the infected message
was not received from the sender listed above.
 
According to Google, the forwarding IP is not penalized as long as the forwarded mail is not modified.
https://support.google.com/mail/answer/175365?hl=en
Where they employ Postini, from my past experiences, it did not care about email being forwarded. That may not be the case with Gmail's anti-spam. I haven't seen this article in the past, and said that based on my experience with most providers. I think I 'have' seen Gmail penalizing sender IP in the distant past.
Thanks for the link!
 
A lot of the spam has been reduced to virus messages in recent days,
I hope that's not a problem?

though I'm still getting plenty of mail from lonely Russian ladies who'd like to be my friend

Can you send headers of one such mail? I would like to see if there is some basic check that failed.
The filtering by ClamAV is a little too enthusiastic, though, and producing false positives... For example, I just got a virus message "Virus SecuriteInfo.com.Spammer.list-manage.com.UNOFFICIAL found in attached mail by ClamAV" on an Asus newsletter that I'm subscribed to, sent by Mailchimp with an SPF Pass, and DomainKey and DKIM signatures intact. See the redacted headers below.

I've also had a couple of complaints from clients of legitimate mail not received in recent days, or rejected as infected. Is whitelisting through the CP enough to bypass the virus checker?

We are aware ClamAV is being aggressive. We are working on isolating the signatures causing most problems.
 
We have disabled the virus signatures which are causing problems and will continue to disable problematic signatures. Please check now and update us via ticket if you still have a problem with mail being rejected due to ClamAV anti-virus.
 
I hope that's not a problem?
No, better than spam itself, but because of the occasional false positive I still need to go through the senders' names and that takes just as long as spotting spam... also, some people get upset when they're told they're sending 'infected' mail.

Can you send headers of one such mail? I would like to see if there is some basic check that failed.
There's not much to latch on to... most of the spams are pretty innocuous. Programmatically, I guess it's difficult to tell the difference between them and a normal email, except for the .ru domain names in the text which is how I dump them using a local filter. Not so helpful for people in Russia.

From - Tue Apr 23 02:37:26 2013
X-Account-Key: account2
X-UIDL: 1366698871.25596.mail3.myhsphere.biz,S=1921
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path: <[email protected]>
Delivered-To: XXXXXXXXXXX
Received: (qmail 25589 invoked by uid 399); 23 Apr 2013 06:34:31 -0000
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on mail3.myhsphere.biz
X-Spam-Level: **
X-Spam-Status: No, score=2.1 required=5.0 tests=URIBL_WS_SURBL
autolearn=disabled version=3.2.5
X-Virus-Scan: Scanned by ClamAV 0.97.6 (no viruses);
Tue, 23 Apr 2013 01:34:31 -0500
Received: from mail6.myhsphere.biz (173.0.129.11)
by mail3.myhsphere.biz with ESMTP; 23 Apr 2013 06:34:31 -0000
Received-SPF: neutral (mail3.myhsphere.biz: 173.0.129.11 is neither permitted nor denied by SPF record at 7citieshvac.com)
identity=mailfrom; client-ip=173.0.129.11;
envelope-from=<[email protected]>;
Received: (qmail 3130 invoked by uid 399); 23 Apr 2013 06:34:30 -0000
Delivered-To: [email protected]
X-RCPT-TO: [email protected]
Received: (qmail 3118 invoked by uid 399); 23 Apr 2013 06:34:30 -0000
X-Virus-Scan: Scanned by ClamAV 0.97.6 (no viruses);
Tue, 23 Apr 2013 01:34:30 -0500
Received: from unknown (HELO ?37.242.47.163?) (37.242.47.163)
by mail6.myhsphere.biz with ESMTP; 23 Apr 2013 06:34:29 -0000
Received-SPF: neutral (mail6.myhsphere.biz: 37.242.47.163 is neither permitted nor denied by SPF record at 7citieshvac.com)
identity=mailfrom; client-ip=37.242.47.163;
envelope-from=<[email protected]>;
Subject: Yo yo oy
From: Gail Ingram <[email protected]>
Content-Type: text/plain;
charset=us-ascii
X-Mailer: iPhone Mail (10B329)
Message-Id: <640F0978-AED3-18B5-70DE-1D105FC95672@FATMA>
Date: Tue, 23 Apr 2013 09:34:25 +0300
To: "[email protected]" <[email protected]>
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (1.0)

Yo do-not-reply,

I sent you a message. Click to read
http://www.datingfise.ru/?555CE6B=00AE5D0746BD091FB

I'm waiting for you :) xoxo

Sent from my iPhone
 
Do you really mean that I have to ask every client to report every false positive? For a service that was happily working with these same emails until a short period ago?

I am fairly sure that most of them will want to vote with their feet.

Neil C.
 
No, better than spam itself, but because of the occasional false positive I still need to go through the senders' names and that takes just as long as spotting spam... also, some people get upset when they're told they're sending 'infected' mail.

We made more changes today. Please let us know if accuracy is any better now?


There's not much to latch on to... most of the spams are pretty innocuous. Programmatically, I guess it's difficult to tell the difference between them and a normal email, except for the .ru domain names in the text which is how I dump them using a local filter. Not so helpful for people in Russia.

If you notice, the spam score is 2.1, so a very aggressive setting would have marked this email as spam. Going into this further, the spam check that added the score of 2.1 is a network-based check, where updates to detect such spam are frequent and possible. Also, such spam has a small lifetime in terms of its content, the URL, and the sender IP. So by the time such spam becomes known enough to get a score more than 2.1, it's gone.
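Added example, not part of any post in the thread: a short Python triage over the scanner headers from the two messages quoted above (samples trimmed and constructed from them; the function names and disposition labels are assumptions). It reads the SpamAssassin score and threshold, the ClamAV signature and the SPF result, and holds third-party (`.UNOFFICIAL`) signature hits on SPF-passing mail for review instead of deleting them.

```python
import email
import re

# Constructed samples: scanner headers trimmed from the two messages quoted in the thread.
NEWSLETTER = """\
X-Spam-Status: No, score=2.5 required=5.0 tests=AWL,HEADER_COUNT_SUBJECT
\tautolearn=disabled version=3.2.5
X-Virus-Scan: Scanned by ClamAV 0.97.6 (SecuriteInfo.com.Spammer.list-manage.com.UNOFFICIAL);
Received-SPF: pass (mail3.myhsphere.biz: SPF record at mail2.mcsignup.com designates 72.26.195.73 as permitted sender)

"""
DATING_SPAM = """\
X-Spam-Status: No, score=2.1 required=5.0 tests=URIBL_WS_SURBL
\tautolearn=disabled version=3.2.5
X-Virus-Scan: Scanned by ClamAV 0.97.6 (no viruses);
Received-SPF: neutral (mail3.myhsphere.biz: 173.0.129.11 is neither permitted nor denied by SPF record at 7citieshvac.com)

"""

def verdicts(raw):
    """Pull the SpamAssassin, ClamAV and SPF verdicts out of a raw header block."""
    msg = email.message_from_string(raw)
    # Unfold continuation lines so each header is a single space-separated string.
    flat = lambda name: " ".join((msg.get(name) or "").split())
    sa = re.search(r"score=(-?[\d.]+) required=(-?[\d.]+) tests=(\S+)", flat("X-Spam-Status"))
    if sa is None:
        raise ValueError("no parsable X-Spam-Status header")
    av = re.search(r"\(([^)]*)\)", flat("X-Virus-Scan"))
    signature = av.group(1) if av else "no viruses"
    return {
        "score": float(sa.group(1)),
        "required": float(sa.group(2)),
        "tests": sa.group(3).split(","),
        "spf": flat("Received-SPF").split(" ", 1)[0],
        "signature": None if signature == "no viruses" else signature,
    }

def triage(v, threshold=None):
    """Suggest a disposition; threshold overrides the server's required score."""
    threshold = v["required"] if threshold is None else threshold
    is_spam = v["score"] >= threshold
    sig = v["signature"]
    # ClamAV appends .UNOFFICIAL to names from third-party signature databases.
    if sig and sig.endswith(".UNOFFICIAL") and v["spf"] == "pass" and not is_spam:
        return "review"  # likely false positive: hold for a human, do not delete
    if sig:
        return "quarantine"
    return "spam folder" if is_spam else "deliver"
```

Calling `triage(verdicts(DATING_SPAM), threshold=2.0)` moves the 2.1-scored spam to the spam folder, but the legitimate newsletter scored 2.5, so the same threshold would count it as spam too.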
 
I have a solution for spam that people have started paying me for. It is outside the box. Most techs are not receptive to it. Sometimes we ignore the obvious solutions, trying to come up with a complicated solution to a simple problem.

My solution GUARANTEES zero spam, and ZERO false positives, and no spammer can crack it. Yes... Big talker :)

The H-Sphere mail manager works with this solution, but it could be slightly more user friendly.

It is simple: whitelist-only email. It uses the SMTP layer whitelist. In many cases, spam will not even leave the spammer's "outbox" when addressed to a whitelist-only account, reducing the traffic load across the entire internet, and confounding the spammer. The SMTP layer blacklist uses one entry. The regular expression *@*.*

It does require the end user to get into the habit of adding authorized senders to their whitelist. ... like adding someone to their contacts.
But that's not a bad thing, is it? After all, end users who reply to spam are the reason for its existence.

It is necessary to use a website contact form to facilitate initial contact between a new customer and the end-user.
But we do this already anyway. Exposing email addresses on websites is certainly not best practice.

The solution will certainly not work for every single email account. Some accounts absolutely must allow previously unknown senders.
But it works very well for many end users, and they love the exclusivity of it. People whose email accounts have been rendered useless due to hundreds of spam messages daily suddenly find their inbox empty, except for messages from those they wish to communicate with.

The burden on the end user is fairly minimal. How often do you add a new contact to your address book?
 
Interesting idea, I know it would work for some people like my grandparents that get sick of loads of mail when they only want it from a few people in their social groups in person and family.
 