Thursday, January 31, 2008

Email from yourself. Have you got one?

I have a customer installed with IMSS 7.0 (NRS enabled). NRS and the spam policy are working fine and catch spam emails. However, this particular spam is still coming through. It looks like it was sent by the recipient himself (sender and recipient have the same email address). When I looked at the full header, though, the originating IP address is a foreign IP. Why doesn't IMSS flag this email as spam?

Take a careful look at the full header. If you are not sure how to retrieve the full header, please refer here.

--------header starts here------------
Microsoft Mail Internet Headers Version 2.0
Received: from ns ([85.90.197.67]) by xxxx.abc.com.my with Microsoft SMTPSVC(5.0.2195.6713);
Wed, 16 Jan 2008 23:15:32 +0800
Content-Return: allowed
X-Mailer: CME-V6.5.4.3; MSN
Return-Path: communications_msn_cs_enus@cimail15.msn.com
Received: (qmail 24413 by uid 417); Wed, 16 Jan 2008 05:16:32 +0200
Message-Id: <20080116071632.24415.qmail@ns>
To:
Subject: SALE 73% OFF on Pfizer
From: admin@Viagra.com < myself @abc.com.my>
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 16 Jan 2008 15:15:33.0406 (UTC) FILETIME=[A3858BE0:01C85852]
Date: 16 Jan 2008 23:15:33 +0800
--------------header ends here--------

This kind of spam may really be delivered by IMSS to the recipient, since the sender appears to be an internal address.

Recommendation:
This can be prevented by enabling Reverse DNS Lookup. RDNS performs a reverse query on the sender's IP address. If the IP address has no reverse record, or the record does not match the domain name registered on the Internet, IMSS will block the mail. That IP address is certainly not registered on the Internet under your domain name.

To enable RDNS on IMSS:

- Login to IMSS console
- Click Administration > IMSS Configuration > SMTP Routing
- Click Message Rule tab
- Enable Reverse DNS Lookup
- Click Save

This did not solve the problem, because the customer had already enabled RDNS a long time ago. :D

Anyway, I rechecked the header of the sample spam mail and noticed that there is no sign in the header that IMSS scanned or processed the mail.

IMSS adds an "x-imss" header after processing a mail.

It's possible that there's a mail server in your network that is open for relay. Can you check the relay settings of your mail servers? Indeed, there was one Exchange server that turned out to be the culprit.
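As an added example (not from the post, and not Trend Micro's own code), here is a small Python check that applies the two observations above to a header like the one quoted: it flags a mail whose From address is in the customer's own domain but whose connecting host does not reverse-resolve into that domain (the RDNS mismatch the recommendation targets), and it flags a mail that carries no "x-imss" header at all, meaning the mail never passed through the gateway. The internal domain abc.com.my and the IP 85.90.197.67 are taken from the anonymised header in the post; the header name X-IMSS-Scan-Details in the control sample and the PTR table are constructed so the example runs offline.

```python
import re
import socket
from email import message_from_string

INTERNAL_DOMAIN = "abc.com.my"  # the customer's own domain, anonymised as in the post

# Constructed sample, modelled on the header quoted in the post. The addresses are
# the anonymised ones from the post; 85.90.197.67 is the connecting IP shown there.
SPOOFED_SELF_MAIL = """\
Received: from ns ([85.90.197.67]) by mx.abc.com.my with Microsoft SMTPSVC(5.0.2195.6713);
\tWed, 16 Jan 2008 23:15:32 +0800
Return-Path: communications_msn_cs_enus@cimail15.msn.com
Received: (qmail 24413 by uid 417); Wed, 16 Jan 2008 05:16:32 +0200
Message-Id: <20080116071632.24415.qmail@ns>
To: myself@abc.com.my
Subject: SALE 73% OFF on Pfizer
From: admin@Viagra.com <myself@abc.com.my>
MIME-Version: 1.0

(body omitted)
"""

# Constructed control sample: an external sender delivered through the gateway,
# which stamped an X-IMSS-* header (the exact header name is assumed, the post
# only says IMSS adds "x-imss").
SCANNED_MAIL = """\
Received: from mail.example.net ([192.0.2.10]) by mx.abc.com.my with Microsoft SMTPSVC(5.0.2195.6713);
\tWed, 16 Jan 2008 23:15:32 +0800
X-IMSS-Scan-Details: constructed placeholder value
From: someone@example.net
To: myself@abc.com.my
Subject: hello

(body omitted)
"""

# Constructed PTR table so the check runs offline; pass live_ptr for real lookups.
FAKE_PTR = {"192.0.2.10": "mail.example.net"}


def fake_ptr(ip):
    return FAKE_PTR.get(ip)


def live_ptr(ip):
    """Real reverse lookup via socket.gethostbyaddr; None when the IP has no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_ANGLE_RE = re.compile(r"<([^>]+)>")


def connecting_ip(msg):
    """IP of the host that connected to our own server: the topmost Received line."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = _IP_RE.search(received[0])
    return m.group(1) if m else None


def from_address(msg):
    """The address part of From: the angle-bracket address if present, else the bare value."""
    value = msg.get("From", "")
    m = _ANGLE_RE.search(value)
    return (m.group(1) if m else value).strip().lower()


def analyse(raw, internal_domain=INTERNAL_DOMAIN, ptr=fake_ptr):
    msg = message_from_string(raw)
    findings = []

    # 1. From claims to be internal, but the connecting host does not
    #    reverse-resolve into our domain: the RDNS mismatch the post recommends blocking on.
    from_domain = from_address(msg).rpartition("@")[2]
    ip = connecting_ip(msg)
    if from_domain == internal_domain and ip:
        host = (ptr(ip) or "").lower()
        if host != internal_domain and not host.endswith("." + internal_domain):
            findings.append(("rdns-mismatch", ip, host or "no PTR"))

    # 2. No x-imss header at all: the mail never passed through the gateway,
    #    which is what pointed the post at an open relay inside the network.
    if not any(name.lower().startswith("x-imss") for name in msg.keys()):
        findings.append(("no-imss-scan-header", ip, None))

    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed self mail", SPOOFED_SELF_MAIL), ("scanned mail", SCANNED_MAIL)):
        print(label, "->", analyse(raw) or "clean")
```

The second check is the one that actually resolved the case: an RDNS rule on the gateway cannot act on mail that bypasses the gateway, so a missing scan header on an inbound external mail points at a relay path that skips IMSS rather than at the spam policy itself.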

Case closed.
