How to block this Amazon AWS spam, what can I key off of?


So since just before Christmas, we've been receiving a HUGE amount of spam advertising counterfeit high-end brand products (Tiffany, Coach, Pandora, etc.)

Each SMTP envelope-from address is obviously different each time, but it's a new and legit domain each time, which even has a valid SPF record allowing the Amazon AWS servers to send from that domain.

The body is completely base64, so I can't key off of any image sources, body text or anything.

There are two X headers that are always the same:
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.3.9600.18538

I've contacted Amazon AWS support () and they said to forward samples with headers. So I did, 180 of them by hand, individually. Each one generated a new support ticket, which was promptly closed as "We've determined that an amazon EC2 instance was running at the IP address you provided in your report...we'll investigate..."

But nothing changes, the spam keeps coming in. I don't think amazonaws support cares, because someone's paying for the ability to send this spam.

I'm half tempted to just block all of amazonaws, and if any legit sender complains I'll tell them to contact amazonaws support... but that's just a grudge and won't really solve it.

So what can I do?

original headers of one sample:

Received: from ( by ( with Microsoft SMTP Server id
14.3.319.2; Wed, 18 Jan 2017 15:16:19 -0500
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key;;
h=Message-ID:From:To:Subject:Date:Mime-Version:Content-Type; i=;
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=key;;
Received: from lxacepcu ( by id hfv6h80e97ge for
; Wed, 18 Jan 2017 13:26:01 -0500 (envelope-from
From: "TIFFANY&Co. Online"
Subject: Be the first to shop the RESORT 2017 collection.
Date: Wed, 18 Jan 2017 19:25:50 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.3.9600.18538
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-SenderIdResult: Pass
Received-SPF: Pass ( domain of
designates as permitted sender); client-ip=;;
X-MS-Exchange-Organization-SCL: 4
X-MS-Exchange-Organization-PCL: 2
X-EsetId: 37303A290704736A647463

MIME-Version: 1.0

Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64


Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64

...and on and on with base64...

by Bryon 1 year ago

Hello Bryon,

According to a quick DNSBL query (, the source IP is listed on the ProtectedSky and Truncate DNS Blacklists, so one approach would be making sure that ORF is checking the incoming emails against these two DNS blacklists as well. The Truncate blacklist is part of the DNSBL definition file which can be downloaded (and imported into ORF) from:

ProtectedSky's DNS Blacklist (, on the other hand, should be added manually:

1. Start the ORF Administration Tool, navigate to the Blacklists > DNS Blacklists page and click New.

2. On the 'General' tab enter a shorthand identifier that should be displayed in the logs (e.g. PSKY), and the full name for the DNSBL entry (e.g. ProtectedSky).

3. On the 'Lookup' tab, enter '' for the lookup domain and mark the 'Reverse the IP address for lookups' checkbox enabled.

4. On the 'Blacklist Web' tab, enter the URL "" into the first field. The second should be left blank (there is no lookup URL for this DNSBL)

5. On the 'SMTP Actions' tab add the IP and to the list with an appropriate SMTP response (default: "5.7.1 Mailbox unavailable. Your IP address {IP} is blacklisted using {BLACKLISTNAME}. Details: {TXTDATAORWEBLOOKUP}.")

6. Click OK, mark the new DNSBL enabled and save the ORF configuration (Ctrl + S)

In addition to the above, make sure that you have all of the recommended DNS Blacklists enabled as well:

- Spamhaus ZEN
- Hostkarma (JMF) Blacklist
- Weighted Private Block List
- Passive Spam Block List
- Mailspike Combined List
- Barracuda Reputation Block List

Please, let me know if this has helped.

by Daniel Novak (Vamsoft) 1 year ago

@Daniel Novak (Vamsoft): Thanks for the reply

Will this by definition block amazonaws itself? We do get a number of legit emails from their servers - I guess they're pretty popular as a host. This is the first time we've received spam from their stuff, but it's an insane amount.

If this will block amazonaws completely, I'd really like to find a way to filter just this junk while not blocking them as a whole... but on the other hand, if their own support department can't do anything about it, maybe there's just no choice but to block them as a company.

by Bryon 1 year ago
(in reply to this post)


@Bryon: Hi Bryon,

In addition to the RBLs, here is another technique to consider, depending on your risk tolerance for false positives.

In your header I noticed Outlook Express as the sending agent. Some time ago I had a similar problem with emails from Outlook Express to Undisclosed recipients, so the regex below helped me. In your header there is no recipient declared, only "To:", so you would need to adapt the regex for that (seeking a new line character like [\r\n]). I have had no trouble with my regex, but monitor this to be sure it does what you expect.

Good luck,

Keyword Filter, Header, RegEx
(?!.*exceptthisdomain)(?=.*((To\: Undisclosed recipients\:\;|X\-Mailer\: Microsoft Outlook Express (4|5|6)).*){2,})

by Sam Russo 1 year ago
(in reply to this post)


@Sam Russo: I like that, I didn't know how to check headers in an ORF rule.

My tolerance says anyone using Outlook Express can be blocked on principle.

Since all of these spam emails have the exact same OE version, I'm going to try this:

keyword black, header, regex:
.*X\-Mailer\: Microsoft Outlook Express 6\.00\.2900\.5512.*

In fact i might just make that an exchange transport rule and anything that matches, automatically redirect to
(assuming it only catches Amazon junk over the next few days)

Did a quick search of our entire email archive and didn't see any legit emails with that header, so I think we're going to be golden on this.

by Bryon 1 year ago
(in reply to this post)


@Bryon: ProtectedSky certainly won't block the entire amazonaws IP range. I would be surprised if Truncate would. I suggest you enable both DNSBLs and monitor the ORF logs for a while to see if any legitimate emails are blocked.

by Daniel Novak (Vamsoft) 1 year ago
(in reply to this post)
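An added example, not code from this thread or from ORF: a small Python script that applies the two checks discussed above to a constructed header sample, namely the X-Mailer header rules from Sam Russo's and Bryon's posts, and the reversed-IP DNSBL lookup that Daniel's step 3 ("Reverse the IP address for lookups") configures. The IP 198.51.100.7, the zone dnsbl.example and the stub resolver are placeholders; pass a real DNSBL zone and omit the resolver argument to do a live query.

```python
import re
import socket
import ipaddress
from typing import Optional

# Exact build from Bryon's rule, and the broader Outlook Express match from Sam Russo's rule.
EXACT_OE = re.compile(r"^X-Mailer: Microsoft Outlook Express 6\.00\.2900\.5512$", re.M)
ANY_OE = re.compile(r"^X-Mailer: Microsoft Outlook Express (4|5|6)", re.M)

def header_verdict(raw_message: str) -> str:
    """Decide from the header block only (the body is base64 and gives nothing to key on)."""
    headers = raw_message.split("\n\n", 1)[0]
    if EXACT_OE.search(headers):
        return "block"       # the exact OE build seen in every spam sample
    if ANY_OE.search(headers):
        return "suspect"     # any OE 4/5/6: log and watch for false positives
    return "pass"

def client_ip(raw_message: str) -> Optional[str]:
    """Take the connecting host from Received-SPF client-ip=, not from the From: header.
    Note a Pass here only proves the domain authorised AWS to send; it says nothing about spam."""
    m = re.search(r"^Received-SPF:.*?client-ip=([\d.]+)", raw_message, re.M | re.S)
    return m.group(1) if m else None

def dnsbl_name(ip: str, zone: str) -> str:
    """Build the lookup name by reversing the octets, as ORF's reverse-lookup option does."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def dnsbl_listed(ip: str, zone: str, resolve=socket.gethostbyname) -> bool:
    """A DNSBL answers with a 127.0.0.0/8 A record when listed and NXDOMAIN when not."""
    try:
        answer = resolve(dnsbl_name(ip, zone))
    except OSError:          # socket.gaierror on NXDOMAIN
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")

# Constructed sample, modelled on the headers quoted in the first post.
SAMPLE = """Received-SPF: Pass (mx.example.test: domain of sender.example
 designates 198.51.100.7 as permitted sender); client-ip=198.51.100.7;
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.3.9600.18538

base64 body would follow here
"""

def fake_resolve(name: str) -> str:
    """Constructed stand-in for DNS: lists only 198.51.100.7 on the placeholder zone."""
    if name == "7.100.51.198.dnsbl.example":
        return "127.0.0.2"
    raise socket.gaierror("NXDOMAIN")

if __name__ == "__main__":
    ip = client_ip(SAMPLE)
    print(header_verdict(SAMPLE), ip, dnsbl_listed(ip, "dnsbl.example", fake_resolve))
```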


@Daniel Novak (Vamsoft): Perfect chance to update my DNS blacklists and SURBL definitions. Just re-set them up as per the suggestions in the KB.

by Bryon 1 year ago
(in reply to this post)


After 6 hours, PSKY is blocking every single one of them... fantastic!

by Bryon 1 year ago

@Bryon: Nice!!

by Karen 3 months ago
(in reply to this post)


@Karen: Note that PSKY seems to pirate data from other well-known DNSBLs, so we do not recommend actually using it. For more on this, see:

by Daniel Novak (Vamsoft) 3 months ago
(in reply to this post)
