how to stop facebook spam emails


how to stop facebook spam emails

motty.cruz
Hello, users in my domain are getting lots of spam emails from facebook such as this [hidden email]

here is the header: 
Return-Path: <[hidden email]>
X-Original-To: [hidden email]
Delivered-To: user@domain
Received: from spamfilter.domain.com (spamfilter.domain.com [xx.xx.xx.xx])
by mail.domain.com (Postfix) with ESMTP id 4B11A8A03E;
Mon, 29 Jul 2013 08:25:27 -0700 (PDT)
Received: from spamfilter.domain.com (localhost [127.0.0.1])
by spamfilter.domain.com (Postfix) with ESMTP id 493644562FC;
Mon, 29 Jul 2013 08:25:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at domain.com
X-Spam-Flag: NO
X-Spam-Score: -89.515
X-Spam-Level:
X-Spam-Status: No, score=-89.515 tagged_above=-999 required=5.3
tests=[BAYES_99=4.5, DKIM_ADSP_ALL=0.8, HTML_MESSAGE=0.001,
RCVD_IN_BL_SPAMCOP_NET=1.347, RCVD_IN_BRBL_LASTEXT=1.449,
RCVD_IN_XBL=0.375, RDNS_NONE=2.013, USER_IN_WHITELIST=-100]
autolearn=no
Received: from spamfilter.domain.com ([127.0.0.1])
by spamfilter.domain.com ( [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id HYefbh5IrXzZ; Mon, 29 Jul 2013 08:25:33 -0700 (PDT)
Received: from facebook.com (unknown [173.200.156.65])
by spamfilter.domain.com (Postfix) with ESMTP id CBE9B4562E5;
Mon, 29 Jul 2013 08:25:32 -0700 (PDT)
Received: from obpabqbbaahjoeoaocj (192.168.1.61) by obpabqbbaahjoeoaocj. (173.200.156.65) with Microsoft SMTP Server id 8.0.685.24; Mon, 29 Jul 2013 10:25:46 -0500
Message-ID: <[hidden email]>
Date: Mon, 29 Jul 2013 10:25:46 -0500
From: "Facebook" <[hidden email]>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.9) Gecko/20101112 Thunderbird/3.1.4
MIME-Version: 1.0
Subject: Sara Queen wants to be friends with you on Facebook.
Content-Type: multipart/alternative;
 boundary="------------07010800404040908030205"


Thanks in advance, 


Re: how to stop facebook spam emails

Simon Brereton-3


On 29 Jul 2013 18:38, "motty cruz" <[hidden email]> wrote:
>
> Hello, users in my domain are getting lots of spam emails from facebook such as this [hidden email]
>
> here is the header: 
> Return-Path: <[hidden email]>
> X-Original-To: [hidden email]
> Delivered-To: user@domain
> Received: from spamfilter.domain.com (spamfilter.domain.com [xx.xx.xx.xx])
> by mail.domain.com (Postfix) with ESMTP id 4B11A8A03E;
> Mon, 29 Jul 2013 08:25:27 -0700 (PDT)
> Received: from spamfilter.domain.com (localhost [127.0.0.1])
> by spamfilter.domain.com (Postfix) with ESMTP id 493644562FC;
> Mon, 29 Jul 2013 08:25:35 -0700 (PDT)
> X-Virus-Scanned: amavisd-new at domain.com
> X-Spam-Flag: NO
> X-Spam-Score: -89.515
> X-Spam-Level:
> X-Spam-Status: No, score=-89.515 tagged_above=-999 required=5.3
> tests=[BAYES_99=4.5, DKIM_ADSP_ALL=0.8, HTML_MESSAGE=0.001,
> RCVD_IN_BL_SPAMCOP_NET=1.347, RCVD_IN_BRBL_LASTEXT=1.449,
> RCVD_IN_XBL=0.375, RDNS_NONE=2.013, USER_IN_WHITELIST=-100]

This is an amavis question, not a postfix one.  If you didn't have
USER_IN_WHITELIST=-100
in your config this mail would be trapped, or at least marked.

The postfix solution would be to use the spamcop rbl (since these mails get logged pretty quick). YMMV.

Simon

> autolearn=no
> Received: from spamfilter.domain.com ([127.0.0.1])
> by spamfilter.domain.com ( [127.0.0.1]) (amavisd-new, port 10024)
> with ESMTP id HYefbh5IrXzZ; Mon, 29 Jul 2013 08:25:33 -0700 (PDT)
> Received: from facebook.com (unknown [173.200.156.65])
> by spamfilter.domain.com (Postfix) with ESMTP id CBE9B4562E5;
> Mon, 29 Jul 2013 08:25:32 -0700 (PDT)
> Received: from obpabqbbaahjoeoaocj (192.168.1.61) by obpabqbbaahjoeoaocj. (173.200.156.65) with Microsoft SMTP Server id 8.0.685.24; Mon, 29 Jul 2013 10:25:46 -0500
> Message-ID: <[hidden email]>
> Date: Mon, 29 Jul 2013 10:25:46 -0500
> From: "Facebook" <[hidden email]>
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.9) Gecko/20101112 Thunderbird/3.1.4
> MIME-Version: 1.0
> To: <[hidden email]>,
> <[hidden email]>
> Subject: Sara Queen wants to be friends with you on Facebook.
> Content-Type: multipart/alternative;
>  boundary="------------07010800404040908030205"
>
>
> Thanks in advance, 
>
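Added example, not part of the thread: it parses the X-Spam-Status header posted above and recomputes the score with the USER_IN_WHITELIST rule removed, which is the check Simon is describing. The header value is copied from the post with its folded lines joined.

```python
import re

# Constructed copy of the X-Spam-Status value from the thread (folded lines joined).
SPAM_STATUS = (
    "No, score=-89.515 tagged_above=-999 required=5.3 "
    "tests=[BAYES_99=4.5, DKIM_ADSP_ALL=0.8, HTML_MESSAGE=0.001, "
    "RCVD_IN_BL_SPAMCOP_NET=1.347, RCVD_IN_BRBL_LASTEXT=1.449, "
    "RCVD_IN_XBL=0.375, RDNS_NONE=2.013, USER_IN_WHITELIST=-100] autolearn=no"
)


def parse_spam_status(value):
    """Return (required, {rule: score}) from an amavisd-new/SpamAssassin X-Spam-Status value."""
    required = float(re.search(r"required=(-?[\d.]+)", value).group(1))
    tests_blob = re.search(r"tests=\[([^\]]*)\]", value).group(1)
    tests = {}
    for item in tests_blob.split(","):
        name, _, score = item.strip().partition("=")
        tests[name] = float(score)
    return required, tests


def score_without(tests, ignored=("USER_IN_WHITELIST",)):
    """Total score with the named rules (default: the whitelist override) left out."""
    return round(sum(s for n, s in tests.items() if n not in ignored), 3)


def dnsbl_hits(tests):
    """Rules that fired because the sending IP was found on a DNSBL (RCVD_IN_* family)."""
    return sorted(n for n in tests if n.startswith("RCVD_IN_"))


def would_be_flagged(value):
    """True if the message would have reached 'required' without the whitelist entry."""
    required, tests = parse_spam_status(value)
    return score_without(tests) >= required
```

For the posted header the whitelist is the only negative rule: without it the message scores 10.485 against a required 5.3, and three of the rules that fired are DNSBL hits.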


Re: how to stop facebook spam emails

motty.cruz
I apologize for the wrong list posting and thank you for your suggestion. 

-motty


On Mon, Jul 29, 2013 at 9:47 AM, Simon B <[hidden email]> wrote:


On 29 Jul 2013 18:38, "motty cruz" <[hidden email]> wrote:
>
> Hello, users in my domain are getting lots of spam emails from facebook such as this [hidden email]
>
> here is the header: 
> Return-Path: <[hidden email]>
> X-Original-To: [hidden email]
> Delivered-To: user@domain
> Received: from spamfilter.domain.com (spamfilter.domain.com [xx.xx.xx.xx])
> by mail.domain.com (Postfix) with ESMTP id 4B11A8A03E;
> Mon, 29 Jul 2013 08:25:27 -0700 (PDT)
> Received: from spamfilter.domain.com (localhost [127.0.0.1])
> by spamfilter.domain.com (Postfix) with ESMTP id 493644562FC;
> Mon, 29 Jul 2013 08:25:35 -0700 (PDT)
> X-Virus-Scanned: amavisd-new at domain.com
> X-Spam-Flag: NO
> X-Spam-Score: -89.515
> X-Spam-Level:
> X-Spam-Status: No, score=-89.515 tagged_above=-999 required=5.3
> tests=[BAYES_99=4.5, DKIM_ADSP_ALL=0.8, HTML_MESSAGE=0.001,
> RCVD_IN_BL_SPAMCOP_NET=1.347, RCVD_IN_BRBL_LASTEXT=1.449,
> RCVD_IN_XBL=0.375, RDNS_NONE=2.013, USER_IN_WHITELIST=-100]

This is an amavis question, not a postfix one.  If you didn't have
USER_IN_WHITELIST=-100
in your config this mail would be trapped, or at least marked.

The postfix solution would be to use the spamcop rbl (since these mails get logged pretty quick). YMMV.

Simon

> autolearn=no
> Received: from spamfilter.domain.com ([127.0.0.1])
> by spamfilter.domain.com ( [127.0.0.1]) (amavisd-new, port 10024)
> with ESMTP id HYefbh5IrXzZ; Mon, 29 Jul 2013 08:25:33 -0700 (PDT)
> Received: from facebook.com (unknown [173.200.156.65])
> by spamfilter.domain.com (Postfix) with ESMTP id CBE9B4562E5;
> Mon, 29 Jul 2013 08:25:32 -0700 (PDT)
> Received: from obpabqbbaahjoeoaocj (192.168.1.61) by obpabqbbaahjoeoaocj. (173.200.156.65) with Microsoft SMTP Server id 8.0.685.24; Mon, 29 Jul 2013 10:25:46 -0500
> Message-ID: <[hidden email]>
> Date: Mon, 29 Jul 2013 10:25:46 -0500
> From: "Facebook" <[hidden email]>
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.9) Gecko/20101112 Thunderbird/3.1.4
> MIME-Version: 1.0
> To: <[hidden email]>,
> <[hidden email]>
> Subject: Sara Queen wants to be friends with you on Facebook.
> Content-Type: multipart/alternative;
>  boundary="------------07010800404040908030205"
>
>
> Thanks in advance, 
>



Re: how to stop facebook spam emails

Viktor Dukhovni
In reply to this post by motty.cruz
On Mon, Jul 29, 2013 at 09:37:19AM -0700, motty cruz wrote:

> Hello, users in my domain are getting lots of spam emails from facebook
> such as this [hidden email]
>
> Received: from facebook.com (unknown [173.200.156.65])
>   by spamfilter.domain.com (Postfix) with ESMTP id CBE9B4562E5;
>   Mon, 29 Jul 2013 08:25:32 -0700 (PDT)

Note, this is not actually from facebook, the mail is a forgery
and may be a phishing scam.

    %rwhois V-1.5:003eff:00 rwhois.cbeyond.net (by Network Solutions, Inc. V-1.5.9.5)
    network:Class-Name:network
    network:ID:NET-173-200-0-0-1
    network:Auth-Area:173.200.0.0
    network:Network-Name:CBEY-173.200.156.64
    network:IP-Network:173.200.156.64/30
    network:IP-Network-Block:173.200.156.64 - 173.200.156.67
    network:Org-Name:American Building Restoration Inc
    network:Street-Address:7371 Lockport Place Suite K
    network:City:Lorton
    network:State:VA
    network:Postal-Code:22079
    network:Country-Code:US
    network:Tech-Contact;I:[hidden email]
    network:Admin-Contact;I:[hidden email]
    network:Abuse-Contact;I:[hidden email]
    network:Created:09/15/2009
    network:Updated:20130726
    network:Updated-By:[hidden email]

If none of the RBLs list this and lots of similar sources, you need
a spam content filter or milter that does.

--
        Viktor.
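Added example, not from the thread: a small Received-chain check that finds the border hop (the first client that is not one of your own relays) and reports the mismatch Viktor spotted, a HELO name of facebook.com on a client with no reverse DNS. The Received lines are reconstructed from the posted header; TRUSTED and the hop-parsing regex are my assumptions about a Postfix-written header.

```python
import re

# Constructed from the Received lines in the thread (folded lines joined, most recent first).
RECEIVED = [
    "from spamfilter.domain.com (spamfilter.domain.com [xx.xx.xx.xx]) by mail.domain.com (Postfix) with ESMTP id 4B11A8A03E",
    "from spamfilter.domain.com (localhost [127.0.0.1]) by spamfilter.domain.com (Postfix) with ESMTP id 493644562FC",
    "from spamfilter.domain.com ([127.0.0.1]) by spamfilter.domain.com ( [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HYefbh5IrXzZ",
    "from facebook.com (unknown [173.200.156.65]) by spamfilter.domain.com (Postfix) with ESMTP id CBE9B4562E5",
    "from obpabqbbaahjoeoaocj (192.168.1.61) by obpabqbbaahjoeoaocj. (173.200.156.65) with Microsoft SMTP Server id 8.0.685.24",
]
# Assumed: the hosts that make up our own mail path.
TRUSTED = {"mail.domain.com", "spamfilter.domain.com"}

# Postfix writes hops as: from HELO (rDNS [ip]) by HOST ...; rDNS is "unknown" when the
# PTR lookup fails and may be absent entirely on loopback hops.
POSTFIX_HOP = re.compile(r"^from (\S+) \((\S*) ?\[([^\]]+)\]\) by (\S+)")


def parse_hop(line):
    m = POSTFIX_HOP.match(line)
    if not m:
        return None
    helo, rdns, ip, by = m.groups()
    return {"helo": helo, "rdns": rdns, "ip": ip, "by": by}


def first_untrusted_hop(received, trusted=TRUSTED):
    """Walk the chain top-down and return the first hop handed to us by an outside client."""
    for line in received:
        hop = parse_hop(line)
        if hop is None or hop["by"] not in trusted:
            continue
        if hop["rdns"] in trusted or hop["ip"].startswith("127."):
            continue  # internal relay or loopback (content filter) hop
        return hop
    return None


def forgery_indicators(hop):
    """Cheap header-only signals that the HELO name does not describe the client."""
    signs = []
    if hop["rdns"] == "unknown":
        signs.append("client has no reverse DNS")
    if hop["rdns"] != hop["helo"] and not hop["rdns"].endswith("." + hop["helo"]):
        signs.append("HELO %s does not match rDNS %r" % (hop["helo"], hop["rdns"]))
    return signs
```

Header checks like this are evidence, not proof; the thread's answer is still to let the DNSBLs reject the client before the message is accepted.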

Re: how to stop facebook spam emails

Wietse Venema
Viktor Dukhovni:

> On Mon, Jul 29, 2013 at 09:37:19AM -0700, motty cruz wrote:
>
> > Hello, users in my domain are getting lots of spam emails from facebook
> > such as this [hidden email]
> >
> > Received: from facebook.com (unknown [173.200.156.65])
> >   by spamfilter.domain.com (Postfix) with ESMTP id CBE9B4562E5;
> >   Mon, 29 Jul 2013 08:25:32 -0700 (PDT)
>
> Note, this is not actually from facebook, the mail is a forgery
> and may be a phishing scam.
...
> If none of the RBLs list this and lots of similar sources, you need
> a spam content filter or milter that does.

The IP address is listed at zen.spamhaus.org, bl.spamcop.net, and
b.barracudacentral.org, and perhaps more.

        Wietse

Re: how to stop facebook spam emails

motty.cruz
Thank you Mr. Wietse,
I added spamcop to my rbl; it seems to be holding the line for now. 

Thank you very much!


On Mon, Jul 29, 2013 at 12:04 PM, Wietse Venema <[hidden email]> wrote:
Viktor Dukhovni:
> On Mon, Jul 29, 2013 at 09:37:19AM -0700, motty cruz wrote:
>
> > Hello, users in my domain are getting lots of spam emails from facebook
> > such as this [hidden email]
> >
> > Received: from facebook.com (unknown [173.200.156.65])
> >   by spamfilter.domain.com (Postfix) with ESMTP id CBE9B4562E5;
> >   Mon, 29 Jul 2013 08:25:32 -0700 (PDT)
>
> Note, this is not actually from facebook, the mail is a forgery
> and may be a phishing scam.
...
> If none of the RBLs list this and lots of similar sources, you need
> a spam content filter or milter that does.

The IP address is listed at zen.spamhaus.org, bl.spamcop.net, and
b.barracudacentral.org, and perhaps more.

        Wietse


Re: how to stop facebook spam emails

Stan Hoeppner
On 7/29/2013 2:16 PM, motty cruz wrote:
> Thank you Mr. Wietse,
> I added spamcop to my rbl; it seems to be holding the line for now.

Motty, note that using bl.spamcop.net for direct rejection is
discouraged by the Spamcop team.  The chance of FPs is pretty high with
this DNSBL.  It is recommended that you use bl.spamcop.net only in a
scoring system such as SA and with a relatively low score.  SA in fact
does this with spamcop in the default configuration.

Using Postscreen w/Zen and BRBL, along with client/sender/helo rhsbl
checks against dbl.spamhaus.org, should REJECT 90-95% of your inbound
spam connections including all bot spam.  Then all you have to worry
about is snowshoe.  For that you'll need a good content filter, and/or
much manual work building CIDR tables of revealed snowshoe networks.
There exist both public and private mailing lists that specialize in
publishing such snowshoe spammer CIDR ranges.

> On Mon, Jul 29, 2013 at 12:04 PM, Wietse Venema <[hidden email]> wrote:

>> The IP address is listed at zen.spamhaus.org, bl.spamcop.net, and
>> b.barracudacentral.org, and perhaps more.

Just a few. ;)  I omitted the APEWS listing, for obvious reasons.

173.200.156.65 abuse.ch combined zone Listed
173.200.156.65 abuse.ch spam blacklist Listed
173.200.156.65 Barracuda Reputation Block List Listed
173.200.156.65 CBL Listed
173.200.156.65 Mailspike Blacklist Listed
173.200.156.65 McAfee RBL Listed
173.200.156.65 nsZones.com SBL Listed
173.200.156.65 nsZones.com SBL+Dyn Listed
173.200.156.65 Project Honey Pot (http:BL) Listed
173.200.156.65 SORBS Aggregate zone (problems) Listed
173.200.156.65 SORBS Spamhost (any time) Listed
173.200.156.65 SORBS Spamhost (last 28 days) Listed
173.200.156.65 SORBS Spamhost (last year) Listed
173.200.156.65 SpamCop Blocking List Listed
173.200.156.65 Spamhaus SBL-XBL Combined Block List Listed
173.200.156.65 Spamhaus XBL Exploits Block List Listed
173.200.156.65 Spamhaus ZEN Combined Block List Listed
173.200.156.65 Unsubscribe Blacklist UBL Listed
173.200.156.65 V4BL/DDNSBL Listed
173.200.156.65 Hostkarma Listed
173.200.156.65 Mailspike Reputation Listed
173.200.156.65 Quorum.to Listed

The fact that just about everyone in the DNSBL world is listing this IP,
and you accepted mail from it, would suggest that you are fairly new to
using DNSBLs, and anti-spam controls in general.  It may prove valuable
to search the list archives for "DNSBL" and/or "spam".

--
Stan
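Added example, not from the thread: a model of the weighted postscreen DNSBL scoring Stan recommends, with Zen and BRBL carrying most of the weight and bl.spamcop.net given a weight too low to reject on its own. The DNS answers are constructed stand-ins for a live lookup of the thread's 173.200.156.65; the weights and threshold are my assumptions, written as the main.cf lines they correspond to.

```python
import ipaddress

# Equivalent main.cf (assumed values, not the list's):
#   postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2 bl.spamcop.net*1
#   postscreen_dnsbl_threshold = 3
DNSBL_SITES = [("zen.spamhaus.org", 3), ("b.barracudacentral.org", 2), ("bl.spamcop.net", 1)]
THRESHOLD = 3

# Constructed answers standing in for DNS: the thread's IP is listed at all three zones.
# Zen's 127.0.0.4 return code denotes an XBL (exploited host) listing.
FAKE_DNS = {
    "65.156.200.173.zen.spamhaus.org": "127.0.0.4",
    "65.156.200.173.b.barracudacentral.org": "127.0.0.2",
    "65.156.200.173.bl.spamcop.net": "127.0.0.2",
}


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone: 65.156.200.173.zen.spamhaus.org."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def zen_sublist(code):
    """Map a Zen A-record answer to the Spamhaus list that produced it."""
    last = int(code.rsplit(".", 1)[1])
    if 2 <= last <= 3:
        return "SBL"
    if 4 <= last <= 7:
        return "XBL"
    if 10 <= last <= 11:
        return "PBL"
    return "unknown"


def postscreen_score(ip, resolver=FAKE_DNS.get, sites=DNSBL_SITES):
    """Sum the weights of every zone that answers with a 127.x listing for this client."""
    score, hits = 0, []
    for zone, weight in sites:
        answer = resolver(dnsbl_query_name(ip, zone))
        if answer and answer.startswith("127."):
            score += weight
            hits.append(zone)
    return score, hits


def should_reject(ip, resolver=FAKE_DNS.get, threshold=THRESHOLD):
    score, _ = postscreen_score(ip, resolver)
    return score >= threshold
```

A client listed only at spamcop scores 1 and is let through to the content filter, which is the behaviour Stan argues for; the thread's IP scores 6 and is rejected at the postscreen stage.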