How can we deal with Amazon SES?

1

Hello

We get hundreds of emails from *@amazonses.com per day. Half are legit and half are spam. Obviously Amazon hosted email solutions don't care about hosting spammers.

My problem is, I don't know how to filter the good from the bad... block all and some people are badly affected... allow all and others complain about getting spam.

The message ID closely resembles the SMTP envelope address (ORF log "sender" field), and IP addresses are shared and random, all 5.240.x.x/16.

A block of junk trying to sell discounted security cameras looks like:



(every id is slightly different)

HOWEVER... a block of legit emails looks like:




It would be easy if Amazon would stick their spammers on one subnet and keep their legit customers on another subnet, but they don't.

Any advice?

by Bryon 4 months ago
2

@Bryon: Hello Bryon,

The MXs of Amazon SES regularly end up on public DNS Blacklists due to the above-mentioned spam issue, so I really cannot fathom why anyone would rely on this service for business communications. That being said...

If you have all of the recommended DNSBLs enabled (see: https://vamsoft.com/support/docs/knowledge-base/recommended-dnsbls-surbls-agents) and a lot of this "ses-spam" is still getting through, then I think the best solution would be the following:

1) Add the IP ranges of the outbound SMTPs of amazonses.com to the IP Blacklist of ORF (Blacklists > IP Blacklist): 199.255.192.0/22; 199.127.232.0/22; 54.240.0.0/18

2) Whitelist the emails of legitimate senders that still use Amazon SES by adding the following regex pattern to the Keyword Blacklist of ORF with an “Email header (raw MIME)” search scope (Filter Properties tab):

To whitelist emails from a specific email address:
.*^From:[^\r\n]*\b[^\r\n]*EXAMPLE@DOMAIN\.TLD\b[^\r\n]*\s$

To whitelist any email from a specific domain:
.*^From:[^\r\n]*\b[^\r\n]*@DOMAIN\.TLD\b[^\r\n]*\s$

The regex above will match for the specified address in the 'From:' field of the message header. Make sure to replace the placeholder (UPPERCASE) text with the actual address you wish to whitelist, though.

3) Enable the 'SPF Test' in the Whitelist Test Exceptions dialog (Tests > Whitelist Test Exceptions | Configure) to mitigate the risk of spoofed emails getting through due to the new whitelist policy. NOTE: Tests that are enabled in the Whitelist Test Exception dialog are performed *before* any of the whitelist tests. Legitimate senders that fail the SPF test due to faulty SPF records should be added to the SPF exceptions lists (Blacklists > SPF Test > Settings > Exceptions tab).

I hope the above proves helpful to you, but let me know if you need further assistance.

by Daniel Novak (Vamsoft) 4 months ago
(in reply to this post)
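An offline model of the three-step policy in the reply above, as an added example that is not part of the original post and not ORF's own code. The sample messages, the `example.com` allowlist entry, the `spf_result` input and the use of Python's `re.MULTILINE` to stand in for ORF's regex engine are assumptions.

```python
import ipaddress
import re

# SES outbound ranges exactly as listed in step 1 of the reply.
SES_RANGES = [ipaddress.ip_network(n) for n in
              ("199.255.192.0/22", "199.127.232.0/22", "54.240.0.0/18")]

def from_pattern(domain):
    """Domain form of the reply's From: regex with the placeholder filled in."""
    return re.compile(
        r".*^From:[^\r\n]*\b[^\r\n]*@" + re.escape(domain) + r"\b[^\r\n]*\s$",
        re.MULTILINE)  # assumption: ^ and $ anchor at line boundaries in ORF

# Hypothetical legitimate sender that still uses Amazon SES.
ALLOWED = [from_pattern("example.com")]

def classify(client_ip, raw_headers, spf_result):
    """Return the outcome of the three-step policy for one message.

    spf_result is the verdict of an SPF check done elsewhere
    ("pass", "fail", "none"); computing it is out of scope here.
    """
    # Step 3 is evaluated first: whitelist test exceptions run
    # before any whitelist test, so a spoofed From: cannot bypass SPF.
    if spf_result == "fail":
        return "reject:spf"
    # Step 2: From: header whitelist over the raw MIME header.
    if any(p.search(raw_headers) for p in ALLOWED):
        return "accept:whitelisted"
    # Step 1: IP blacklist covering the SES outbound ranges.
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in SES_RANGES):
        return "reject:ses-ip"
    return "continue"  # hand over to the remaining tests

def headers(from_value):
    """Build a constructed raw header block (CRLF line endings)."""
    return ("Message-ID: <constructed@example.invalid>\r\n"
            f"From: {from_value}\r\n"
            "Subject: test\r\n\r\n")

if __name__ == "__main__":
    for ip, frm, spf in [
        ("54.240.8.10", "Shop <news@example.com>", "pass"),
        ("54.240.8.10", "Shop <news@example.com>", "fail"),
        ("199.255.193.5", "Cams <deals@camera-sale.test>", "pass"),
        ("192.0.2.7", "Bob <bob@other.test>", "none"),
    ]:
        print(ip, frm, spf, "->", classify(ip, headers(frm), spf))
```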

3

@Daniel Novak (Vamsoft): Thank you for this, it's exactly what I was hoping for.

by Bryon 4 months ago
(in reply to this post)

4

I am glad I was able to help.

by Daniel Novak (Vamsoft) 4 months ago
