Having trouble blocking certain emails - ORF Forums


1

One of our users is getting a lot of the same type of spam, but I can't see any real consistency that can be used for filtering it, nor are any of our current settings doing the job.

If anyone can give me some pointers, that would be great. I apologize if this has already been covered. I did a quick search, but not a thorough one. I'm juggling a lot right now so I'm reaching out! Thanks. -Steven, IT Manager

Here are three examples of emails he gets:

---------------------------------------------------------

From: "" <>
Date: December 17, 2013 at 3:42:11 AM PST
To: Nick Koranda <>
Subject: New Pick Coming! But First I need your help, details inside
This Stock Getting Close To Breaking Out!!! A Huge Campaign Is Starting
On...

Date: December 17th
Company: Registered Express, Corp.
Stock: RG_T X
Now: .014

This Stock Getting Close To Breaking Out!!! A Huge Campaign Is Starting
On...

-----------------------------------------------------------

From: "" <>
Date: January 22, 2014 at 12:12:53 PM PST
To: Nick Koranda <>
Subject: Have a bright pleasure in bed
The greatest method to please your lover
http://coronary.tabletsmedshealth.ru/

--------------------------------------------------------------------------------------

From: "" <>
Date: January 20, 2014 at 12:26:04 AM PST
To: Nick Koranda <>
Subject: Keep your girl pleased at night
http://late.tabletsmedshealth.ru/ You will excite her easierA great way to
be best for her

by calvarycch more than 10 years ago
2

Quick note: I've followed all of the Best Practices on this site (as of a month ago), as well as some things that were suggested if Best Practices weren't getting the job done. This user has yet been experiencing the same emails for the past four months or so.

by calvarycch more than 10 years ago
3

@calvarycch: The domain in the URL of your second and third example is blacklisted by Spamhaus DBL, SURBL: Combined, and uribl.com (though it is possible it was not when the email arrived and ORF looked it up). What does the log indicate for these emails (http://vamsoft.com/support/docs/knowledge-base/using-the-log-viewer): were they whitelisted or simply passed checks? Do you see any errors logged (e.g., DNS lookups failing)?

Please send us the following files:

• Your current configuration file called orfent.ini (located in Program Files (x86)\ORF Fusion by default)
• Your recent log files from the past few days (e.g., orfee-2014-01-23.log, orfee-2014-01-22.log, etc. located in Program Files (x86)\ORF Fusion by default). Please send raw .log files, Log Viewer CSV exports are not suitable.
• A few spam samples which made it through filtering, which consist of the original emails in EML or MSG format (EML preferred) and the original MIME header in a separate TXT file. (Forwarded emails are not suitable). The MIME header can be retrieved by opening the email in Outlook and selecting View | Options... (or Message options) from the menu. If you use another email client and do not know how to retrieve the email headers, please visit http://www.spamcop.net/fom-serve/cache/19.html for instructions.

We will take a look.

by Krisztián Fekete (Vamsoft) more than 10 years ago
(in reply to this post)
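
Added example, not part of the thread and not ORF's own code: a sketch of the URL-domain blocklist lookup the reply above refers to, separating "listed", "not listed" and "lookup error" so that a failed DNS query is not mistaken for a clean result. The resolver interface (`resolve`, `NotFound`) and the constructed answers are assumptions for illustration, not real lookup results.

```python
import re

# Query zones of the lists named in the reply; a domain is checked with an
# A-record lookup of "<domain>.<zone>".
ZONES = {
    "Spamhaus DBL": "dbl.spamhaus.org",
    "SURBL": "multi.surbl.org",
    "URIBL": "multi.uribl.com",
}
URL_HOST = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)

class NotFound(Exception):
    """Hypothetical resolver signal for NXDOMAIN (name is not on the list)."""

def url_domains(body):
    """Domains to query: last two labels of each URL host (simplification;
    real code needs the Public Suffix List for names like example.co.uk)."""
    hosts = (h.lower().strip(".") for h in URL_HOST.findall(body))
    return sorted({".".join(h.split(".")[-2:]) for h in hosts})

def check(domain, zone, resolve):
    """Classify one lookup as 'listed', 'not listed' or 'error'."""
    try:
        answers = resolve(f"{domain}.{zone}")
    except NotFound:
        return "not listed"
    except OSError:  # timeout, refused connection, other resolver failure
        return "error"
    # Spamhaus answers 127.255.255.x for refused or malformed queries (for
    # example ones sent through a public resolver); that is not a listing.
    if any(a.startswith("127.255.255.") for a in answers):
        return "error"
    return "listed" if answers else "not listed"

def scan(body, resolve):
    """Map (domain, list name) -> verdict for every URL domain in the body."""
    return {(d, name): check(d, zone, resolve)
            for d in url_domains(body) for name, zone in ZONES.items()}

# Constructed resolver standing in for DNS so the example runs offline.
def fake_resolve(qname):
    if qname == "tabletsmedshealth.ru.dbl.spamhaus.org":
        return ["127.0.1.2"]  # DBL return code for a spam domain
    if qname.endswith(".multi.surbl.org"):
        raise TimeoutError("constructed DNS timeout")
    raise NotFound(qname)

# Body of the second sample message quoted in the first post.
SAMPLE = "The greatest method to please your lover\nhttp://coronary.tabletsmedshealth.ru/"
```

Calling `scan(SAMPLE, fake_resolve)` yields one verdict per list; an "error" verdict corresponds to the kind of DNS failure the reply asks about in the logs.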

4

@Krisztián Fekete (Vamsoft): Thank you very much for your response.

It looks like some were whitelisted, as they had blank senders, and some were marked "Warning" with DNS errors and such.

I just emailed the user to get the last two parts you asked for.

I'm sorry but how do I send you these files?

by calvarycch more than 10 years ago
(in reply to this post)

5

I sent them to

by calvarycch more than 10 years ago
6

@calvarycch: Oops, I forgot to include our email address in my reply, sorry. I will get back to you in email with my suggestions.

by Krisztián Fekete (Vamsoft) more than 10 years ago
(in reply to this post)
