Email Malware

hafa

Across all 130+ domains we currently host with Jodohost, the prevalence of email with malware attachments* is reaching epidemic proportions, with the majority of domains reporting that these malicious emails constitute 20-30% of all emails received.

We have anti-virus enabled globally in all domains, but it's clearly not doing its job. What is Jodohost doing to address this issue?

* The vast majority of malware loads are ransomware.
 
These aren't being detected at Gmail either; I've gotten over 18 copies of these at Gmail recently too. Something with it is changing up very frequently, making detection by the scans near impossible.
 
Same issue here. Tons of SPAM, tons of malware.
After 11 years as a JH customer, I'm starting to move to another provider. So sad for me.
But miles of tickets, and JH does not solve the issue.
JH has changed a lot this year.
 
This is not due to us, we have acted, we are not ignoring this, but there is not much we can do to improve it with the ancient software which is why we are making new software that we control and keep updated.
Your 'miles of tickets' aren't ignored, there is just limited action we can take to improve it with the limits imposed by the back end and the fact that the software won't function with hsphere if it is updated.
 
Hey, Stephen

Please take the following questions as genuine curiosity, rather than antagonism, as it would be helpful to us resellers to understand the steps being taken. I also understand that there are some things that cannot be divulged in a (semi) public forum, but any information is truly appreciated.

This is not due to us, we have acted...

Please delineate actions that have been taken to ameliorate the deluge of malware and spam.

...but there is not much we can do to improve it with the ancient software which is why we are making new software that we control and keep updated.

Is this a reference to the new ticket system, or something else? If the latter, please elaborate.

... there is just limited action we can take to improve it with the limits imposed by the back end and the fact that the software won't function with hsphere if it is updated.

Once again, please clarify if this is referring to the new ticket system, or something else. If the latter, please also elaborate.
 
I understand hafa :)

I am not saying that the emails coming through aren't an issue; we have worked extensively to upgrade the email backend Hsphere uses, but certain portions of it are just outdated and will not update to the latest versions and continue working with the control panel.

The answer to the rest: it has nothing at all to do with the ticket system. We are building a complete automation system in house and have been for quite some time, but it isn't yet ready for public consumption, and will be rolled out in phases.
 
cc9, we are testing some optional (but will not be added cost) changes to put a filtering system in front of your domains. This will block the malware from copier, scanner, xerox etc. that is coming, and maybe even initially a couple of good mails, but it does have a way for you to get those good mails and mark them as good so such doesn't happen again. It's done a good job so far on one reseller's testing domains, judging by the blocked logs, but we are awaiting feedback on it still; expect it to be a few days.
 
Stephen:

1. is it gonna be based on request? can we set it by ourselves with some kind of admin panel / hsphere?

2. mail from copier, xerox, are usually from the same domain. what about spam from external domain? with subject like: {Filename?} fixed invoice ... or Invoice ... attached

me & my clients receive spams from same & external domain every day!

3. there are a lot of emails with: Warning: This message has had one or more attachments removed (webmaster_260.zip, AT0000B49.wsf). Please read the "AntiSpam-Attachment-Warning.txt" attachment(s) for more information.

those messages are spam anyway. can't we just block the email?

4. on 1 of my domains, I always receive email from "[email protected]" where NN are random numbers.

I have set blacklist in hsphere "*@foxmail.com" ... but those emails are still coming!! what should I do?

5. can I set a block on all emails with chinese characters? 100% spam for me.

Please advise
 
1. Ticket based request, cannot do from Hsphere as of now, not sure if ever.

2. All those get blocked.

3. I haven't seen these but it should certainly block them with or without the attachment.

4. If it was not blocked by default you could train it to BAD folder 2-3 times and it would then learn and be blocked.

5. No we can't do such, but it is likely it would be blocked in the gateway in any case.
 
3. the spam email still got through to the inbox. The antispam only removes the attachment and adds that message to the email body, at the beginning of the email.

anti spam replaced the attachment with "AntiSpam-Attachment-Warning.txt", it contains:
=====
This is a message from the MailScanner E-Mail Virus Protection Service
----------------------------------------------------------------------
The original e-mail attachment "webmaster_98422.zip"
is on the list of unacceptable attachments for this site and has been
replaced by this warning message.

If you wish to receive a copy of the original attachment, please
e-mail helpdesk and include the whole of this message
in your request. Alternatively, you can call them, with
the contents of this message to hand when you call.

At Fri Jul 22 16:03:22 2016 the virus scanner said:
MailScanner: Windows Script Host files are dangerous in email (salesreport727.wsf)

Note to Help Desk: Look on the AntiSpam (smarthost4.myhsphere.biz) MailScanner in /var/spool/MailScanner/quarantine/20160722 (message 10C64B6A74.A598C).

SpamAssassin
spamassassin.apache.org
=====

how do I block the email right away?

4. how do you do / train it? is this the new filter or the one in hsphere?

As I said, I have already blacklisted the domain in antispam in HSPHERE, but all emails from that domain are still coming in!

5. nah, all spam with chinese letters still got through to the inbox -_-
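
The post above describes a gateway that strips the script attachment but still delivers the message. As an added example (not part of the thread, and not MailScanner or Jodohost code), this sketch shows the alternative policy of rejecting the whole message when any attachment, or any member of a zip attachment, has a script extension; the extension list, function names and sample addresses are assumptions, and the sample message is constructed.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed policy list of script/executable extensions to refuse outright.
BLOCKED_EXT = (".wsf", ".wsh", ".js", ".jse", ".vbs", ".vbe", ".hta", ".scr", ".exe")

def _blocked(name):
    # Windows ignores trailing dots and spaces, so strip them before matching.
    return (name or "").lower().rstrip(". ").endswith(BLOCKED_EXT)

def scan_message(raw):
    """Return ("reject", hits) if an attachment or zip member is blocked, else ("accept", [])."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if _blocked(fname):
            hits.append(fname)
            continue
        payload = part.get_payload(decode=True) or b""
        if payload[:4] == b"PK\x03\x04":  # detect zip by magic bytes, not by file name
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    hits += [f"{fname}!{m}" for m in zf.namelist() if _blocked(m)]
            except zipfile.BadZipFile:
                hits.append(f"{fname}!<unreadable zip>")  # fail closed
    # Nested archives are not unpacked here; a real gateway would recurse with a depth limit.
    return ("reject" if hits else "accept", hits)

def build_sample(member):
    """Constructed test message: a zip attachment holding one harmless text member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "constructed placeholder content")
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.org"
    m["Subject"] = "Invoice attached"
    m.set_content("See attachment.")
    m.add_attachment(buf.getvalue(), maintype="application",
                     subtype="zip", filename="webmaster_98422.zip")
    return m.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample("salesreport727.wsf")))
    print(scan_message(build_sample("report.pdf")))
```

A "reject" verdict is meant to be acted on at SMTP time or by quarantining the whole message, so nothing reaches the inbox with a warning file in place of the attachment.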
 
This is not related to hsphere at all, none of my answers are. They are all about the optional antispam gateway.
 
The anti spam gateway is working really well, do you have a ticket in about the more important domains you need for the anti malware and spam filtering? Please give a ticket reference number for us to check.
 
It seems Manoj did reply to you on the ticket, so please do hop on live chat anytime so we can do this for you.
 
OK, I got 1 domain running the new spam filter. we'll see how it goes for the next few days.

4. If it was not blocked by default you could train it to BAD folder 2-3 times and it would then learn and be blocked.

Stephen, how do I "train" it?

Gaurav Garg told me on live chat: "sorry, but you can't train the spam filter on the shared server, this is possible only if you buy your own dedicated spam filter server."
 
problem with the new anti spam:

I got 2 spam emails delivered to the quarantine account, BUT for every email, there is another email from "Scrollout F1 at ScrolloutF1.jodohost.com <[email protected]>"

can't you just NOT send that email?

1. not good for reseller. the client will ask about this.

2. it's redundant. the mails are already quarantined anyway. why do you need to send email to the quarantine account again?
 
please let me know when the above email from Scrollout has been turned off. I need to put my client's domain on the new anti spam
 