Are receiving considerably more SPAM than normal

Support forum for MailWasher Enterprise Server
Antoniusfm
Student Sheep
Posts: 15
Joined: Wed Jan 13, 2010 2:21 pm

Are receiving considerably more SPAM than normal

Postby Antoniusfm Thu Jun 23, 2011 3:08 pm

Hi there,

We seem to have hit a snag, since a week or so we are receiving an awful lot of SPAM, which isn't filtered by the Mailwasher ?
The emails vary quiet a bit so there isn't a common denominator.
What can we do to make the Mailwasher filter out the recent SPAM's better than it does at the moment ?

Thanks in advance,

Ton.
cliff
Evil Firetrust Employee
Posts: 31
Joined: Tue Jul 28, 2009 3:50 pm

Re: Are receiving considerably more SPAM than normal

Postby cliff Sun Jul 03, 2011 10:04 am

Hi Ton,

Sincere apologies on the delay in responding, I havent seen your post untill now.

Every time a message is passed through MWES, it is tagged with the reason why is was passed, or blocked.
Look at the headers of the email (View Source in Outlook) and look for the header starting with: X-MWES-{name here}.
In particular, the 'Reason' is often helpfull.

Make sure you also have the latest version of MWES, as the engine is often updated to prevent spam more effeciently.
Antoniusfm
Student Sheep
Posts: 15
Joined: Wed Jan 13, 2010 2:21 pm

Re: Are receiving considerably more SPAM than normal

Postby Antoniusfm Tue Jul 05, 2011 11:47 am

Cliff thanks for your response,

I am running the latest version as i am aware of ( 2.8 ). Furthermore i checked the source from a few of the SPAM emails, but i couldn't find the header you were referring to (i will attach an example below).
Is there anything i do wrong ? Also how do i check this if it concerns a plain text email (no html) ?

<span id=z>
<xhtml>
<head><title>Western Union</title></head>
<style
type="text/css">#obmessage .dummy {}
#z BODY,
#z TD {font-family: verdana,arial,helvetica,sans-serif;
font-size:12px;color: #000000;}
</style>

<table width=680 align=center>
<tr><td><A target="_blank"href="#"><IMG

src="http://hostinga.imagecross.com/image-hosting-03/722image-3414_4DFF4982-1-.jpg" alt=Western Union
border=0></A></td></tr>
</table>

<table width="100%" cellpadding=0>
<tr><td background=
"http://images.paypal.com/images/bg_clk.gif"

width=100%></td></tr>
</table>
<br>
<table align=center>
<tr>

<td width=400>
<table>

<tr><td><b>Dear Western Union Member:<br><br>Attention! Your
Western Union account
has been limited!</b><br><br>As part of our security
measures, we regularly screen activity in the
Western Union system.We recently
contacted you after noticing an issue on your
account.We requested information
from you for the following reason:<br><br>Our system detected unusual login attempts to your account.<br><br>
<b>Reference Number:
WU-882-024-774</b><br><br>
This is the Last reminder to login to your account as soon
as possible.<br><br>


Once you log in, you will be provided with steps to

restore your account access. We appreciate your understanding as we work to
ensure
account safety.<br><br>
<table width="80%" cellspacing=0 border=0 bgcolor="#FFE65C"
align=left>

<tr><td>
<table width="100%" cellpadding=4 bgcolor="#FFFECD" align=center>


<tr><td class="pp_sansserif" align=center>
<a target="_blank" href="http://host81-137-193-223.in-addr.btopenworld.com/westernunion.com.au/WUCOMWEB/account/Login/">Click
here to activate your account</a></td></tr>
</table>
</td></tr>
</table>
<br><br><BR>We thank you for your prompt attention to this matter. Please
understand that this is a security measure intended to help protect you and your
account. We apologise for any inconvenience..
<br><br>Sincerely,<br>Western Union Account Review Department
</td></tr>
<tr><td><hr class=dotted></td></tr>
<tr><td>
<tr><td class="pp_footer">Copyright (C) 2001-2011 Western Union. All rights reserved. Western Union Ltd.
Western Union FSA Register
Number: 8023405.<br></td></tr><tr><td><img
src="http://images.paypal.com/en_US/i/scr/pixel.gif" height=10 width=1
border=0></td></tr>
</td></tr>
<tr><td>Western Union Email ID WU-73892</td></tr>
</table>
</td>
<td width=190 valign=top>
<table cellspacing=0 cellpadding=1 bgcolor="#cccccc">
<td>
<table cellspacing=0 cellpadding=0 bgcolor="#ffffff">
<tr><td>
<table width="100%" cellpadding=5 bgcolor="#eeeeee">
<tr><td align=center>Protect Your Account Info</td></tr>
</table>
<table cellpadding=5>
<tr><td>* Confirm your account security info.<br><br>* Allow up to 24 hours to update.<br><br>* Enjoy Western Union services<br></td></tr>
</table></td></tr>
<tr><td>
<table width="100%" cellpadding=5 bgcolor="#eeeeee">
<tr><td align=center>E-mail: australiacustomer@westernunion.com.au</td></tr>
</table>

</td></tr>
</table>

</td></tr>
</table>
</td></tr>
</table>
</xhtml></span>
cliff
Evil Firetrust Employee
Posts: 31
Joined: Tue Jul 28, 2009 3:50 pm

Re: Are receiving considerably more SPAM than normal

Postby cliff Tue Jul 05, 2011 8:33 pm

Hi Ton,

Depending on your mail client, the view source may show different aspects.

If you are using Outlook, Right click on the message and select "Message options" to view the headers.
Antoniusfm
Student Sheep
Posts: 15
Joined: Wed Jan 13, 2010 2:21 pm

Re: Are receiving considerably more SPAM than normal

Postby Antoniusfm Mon Jul 11, 2011 11:25 am

Thanks Cliff, this way I could find it.
Below is the header of a Spam email i received today (one of many), it says it's clean and is a "Grey listed friend" ?
I am not sure what that exactly means, but the sender is definitely not an known identity to us, so how can we make the MailWasher more strict, can we train it or something like that ? Would it be a good idea to block the IP address ?

Received: from host.seconde-dns4.com (127.0.0.1) by EA-DC02.elanoraau.local
(127.0.0.1) with Microsoft SMTP Server id 8.1.240.5; Fri, 8 Jul 2011 23:52:13
+1000
Received: from nobody by host.seconde-dns4.com with local (Exim 4.69)
(envelope-from <nobody@host.seconde-dns4.com>) id 1QfBTJ-0003bb-IA for
XXXX@XXXXXX.XXX; Fri, 08 Jul 2011 15:51:57 +0200
To: <XXXX@XXXXXX.XXX>
Subject: votre carte bancaire est suspendue
Date: Fri, 8 Jul 2011 15:51:57 +0200
From: Verified By Visa <service@vbv.fr>
Reply-To:
Message-ID: <c613c55e55f8bc2db9b98418b0679487@www.japanautosperformances.fr>
X-Priority: 5
X-Mailer: PHPMailer (phpmailer.sourceforge.net) [version ]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/html; charset="iso-8859-1"
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - host.seconde-dns4.com
X-AntiAbuse: Original Domain - elanora.biz
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain - host.seconde-dns4.com
X-MWES-scanned: Checked by MailWasher Enterprise Server 2.8 {W}(2011-07-08 23:52:08)
X-MWES-status: Clean
X-MWES-reason: Grey Listed Friend
X-MWES-sourceip: 94.23.203.198
X-MWES-smtp-from: <nobody@host.seconde-dns4.com>
Return-Path: nobody@host.seconde-dns4.com
Last edited by Antoniusfm on Mon Jul 18, 2011 6:57 pm, edited 1 time in total.
Antoniusfm
Student Sheep
Posts: 15
Joined: Wed Jan 13, 2010 2:21 pm

Re: Are receiving considerably more SPAM than normal

Postby Antoniusfm Mon Jul 18, 2011 6:52 pm

Any update ??
cliff
Evil Firetrust Employee
Posts: 31
Joined: Tue Jul 28, 2009 3:50 pm

Re: Are receiving considerably more SPAM than normal

Postby cliff Mon Jul 18, 2011 7:13 pm

Hi Ton,

Sorry - I missed your response.

Firstly, can you upgrade to the latest version of MWES - you're a version behind.
The upgrade process is installable over-the-top, and a simple restart of the MWES service. (doesnt hurt to stop the service initially as well)

Secondly, it looks like the spammers got through a 'real' mail server - hence the 'Greylisted friend'.
Clear the Greylist friend cache - (Settings -> Action -> Clear all grey listed friends) to purge them from the list.

If the spam is coming from a common IP, I'd block that too :)

~C
Antoniusfm
Student Sheep
Posts: 15
Joined: Wed Jan 13, 2010 2:21 pm

Re: Are receiving considerably more SPAM than normal

Postby Antoniusfm Mon Jul 25, 2011 1:41 pm

Hi Cliff, i am using 2.8, and i can't find any newer version on your website, not sure what to upgrade too ?
Also i am confused what you mean by clearing the Greylist friend cache, I can't find the option you are referring too, do you want me to disable the "Grey listing" ?
Attachments
MWES_settings.jpg
MWES_settings.jpg (103.78 KiB) Viewed 10747 times
cliff
Evil Firetrust Employee
Posts: 31
Joined: Tue Jul 28, 2009 3:50 pm

Re: Are receiving considerably more SPAM than normal

Postby cliff Mon Jul 25, 2011 1:50 pm

There was a subtle change in 2.8, not enough to create a new version - the difference was less than a day.

2.8 = First release
2.8.0.0 = Current release.
Antoniusfm
Student Sheep
Posts: 15
Joined: Wed Jan 13, 2010 2:21 pm

Re: Are receiving considerably more SPAM than normal

Postby Antoniusfm Mon Jul 25, 2011 1:53 pm

OK i will upgrade, if you think it will make a difference, what about the grey listing ?
Antoniusfm
Student Sheep
Posts: 15
Joined: Wed Jan 13, 2010 2:21 pm

Re: Are receiving considerably more SPAM than normal

Postby Antoniusfm Tue Aug 02, 2011 1:26 pm

Cliff, I still don't know how to clear the "greylist friend cache", can you please respond ?
User avatar
nick.bolton
The Big Cheese
Posts: 1707
Joined: Thu Aug 28, 2008 4:02 pm

Re: Are receiving considerably more SPAM than normal

Postby nick.bolton Tue Sep 11, 2012 7:44 pm

Sorry about the late reply, we haven't been getting notifications of new posts.

Go to Settings>>Action and click the link 'Clear all grey listing friends'

Return to “MailWasher Enterprise Server”

Who is online

Users browsing this forum: No registered users and 1 guest