
Spam messages from blocked IP range still get through

Hello,

We have blocked single IP addresses and also IP ranges (SMTP Network Blacklist). However, we noticed that spam messages are still getting through or being quarantined. Those phishing messages are usually sent from the IP network clodoserver.ru or other Russian spam networks. It looks like they are abusing good sender domains for their phishing attacks.

How can we completely block ALL spam activity from 62.76.184.0/21? Why do spammers still bypass Sophos UTM Antispam, although the IP range 62.76.184.0/21 has been blocked? Blocking various IPs is working, however it is always being ignored for 62.76.184.0/21. I have attached the mail header.

I highly appreciate any help.

Received: from mail.finsky.de.fr ([5.199.133.228]:52182)
  by ********************* with esmtp (***)
  (envelope-from <ihxujvc@finsky.de.fr>)
  id 1odck0-0005i9-08
  for *********************
  Wed, 28 Sep 2022 21:29:08 +0200
Received: from finsky.de.fr (229004-4.vm.clodoserver.ru [62.76.188.243])
  by mail.finsky.de.fr (Postfix) with ESMTPA id 4E70A8073AA6;
  Wed, 28 Sep 2022 22:11:44 +0300 (EEST)
X-SASI-Hits: BODYTEXTH_SIZE_10000_LESS 0.000000,
  BODYTEXTP_SIZE_3000_LESS 0.000000, BODY_SIZE_10000_PLUS 0.000000,
  BODY_SIZE_100K_PLUS 0.000000, BODY_SIZE_25K_PLUS 0.000000,
  BODY_SIZE_500K_PLUS 0.000000, BODY_SIZE_50K_PLUS 0.000000,
  BODY_SIZE_75K_PLUS 0.000000, CS_SUSP_TLD_BODY 0.000000, CYOU_TLD 0.100000,
  DKIM_ALIGNS 0.000000, DKIM_SIGNATURE 0.000000, DOMAINKEY_SIG 0.000000,
  FROM_NAME_ONE_WORD 0.050000, HREF_LABEL_TEXT_NO_URI 0.000000,
  HREF_LABEL_TEXT_ONLY 0.000000, JPG_COMMON_HEADER_ORDER 0.000000,
  JPG_SPAMMY_SEGMENT 0.000000, JPG_SPAMMY_Y_RESOLUTION 0.000000,
  KNOWN_MSGID 0.000000, KNOWN_OTHER_CAMPAIGN 8.000000, SENDER_NO_AUTH 0.000000,
  SINGLE_HREF_URI_IN_BODY 0.000000, SINGLE_IMG_ATTACH 0.000000,
  URI_WITH_PATH_ONLY 0.000000, __ANY_URI 0.000000,
  __ATTACH_CTE_BASE64 0.000000, __BODY_NO_MAILTO 0.000000,
  __BODY_TEXT_X4 0.000000, __CT 0.000000, __CTYPE_HAS_BOUNDARY 0.000000,
  __CTYPE_MULTIPART 0.000000, __CTYPE_MULTIPART_ALT 0.000000,
  __DKIM_ALIGNS_1 0.000000, __DKIM_ALIGNS_2 0.000000, __EMBEDDED_IMG 0.000000,
  __EXTRA_MPART_TYPE_1 0.000000, __EXTRA_MPART_TYPE_N1 0.000000,
  __FRAUD_MONEY_BIG_COIN 0.000000, __FRAUD_MONEY_BIG_COIN_DIG 0.000000,
  __FROM_DOMAIN_NOT_IN_BODY 0.000000, __FROM_NAME_NOT_IN_ADDR 0.000000,
  __FUR_HEADER 0.000000, __HAS_ATTACHMENT 0.000000, __HAS_ATTACHMENT1 0.000000,
  __HAS_ATTACHMENT2 0.000000, __HAS_FROM 0.000000, __HAS_HTML 0.000000,
  __HAS_MSGID 0.000000, __HREF_LABEL_TEXT 0.000000, __HTML_AHREF_TAG 0.000000,
  __HTML_FONT_BLUE 0.000000, __HTML_FONT_RED 0.000000,
  __HTML_TAG_CENTER 0.000000, __HTML_TAG_DIV 0.000000,
  __HTML_TAG_TABLE 0.000000, __HTTPS_URI 0.000000, __IMG_ATTACHED 0.000000,
  __IMS_MSGID 0.000000, __JPG_HEIGHT_100 0.000000,
  __JPG_SPAMMY_SEGMENT_2 0.000000, __JPG_SPAMMY_Y_RESOLUTION_3 0.000000,
  __JPG_WIDTH_100 0.000000, __LOCALE_CYRILLIC_CP1251_MIME 0.000000,
  __MIME_HTML 0.000000, __MIME_TEXT_H 0.000000, __MIME_TEXT_H1 0.000000,
  __MIME_TEXT_H2 0.000000, __MIME_TEXT_P 0.000000, __MIME_TEXT_P1 0.000000,
  __MIME_TEXT_P2 0.000000, __MIME_VERSION 0.000000,
  __MSGID_DIGITS_32_64 0.000000, __MSGID_SAMEAS_FROM_DOMAIN 0.000000,
  __RCVD_FROM_DOMAIN 0.000000, __SANE_MSGID 0.000000,
  __SEXTORTION_MALWARE 0.000000, __SUBJ_HIGHBIT 0.000000,
  __TAG_EXISTS_HTML 0.000000, __TO_MALFORMED_2 0.000000, __TO_NO_NAME 0.000000,
  __URI_ENDS_IN_SLASH 0.000000, __URI_IN_BODY 0.000000, __URI_NOT_IMG 0.000000,
  __URI_NO_MAILTO 0.000000, __URI_NO_WWW 0.000000, __URI_WITH_PATH 0.000000,
  __UTF8_SUBJ 0.000000
X-SASI-Probability: 82%
X-SASI-RCODE: 200
X-SASI-Version: Antispam-Engine: 4.1.4, AntispamData: 2022.9.28.185120
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=finsky.de.fr;
  s=key2; h=DomainKey-Signature:Message-ID:From:To:Subject:Date:
  MIME-Version:Content-Type; bh=4yHjYb3RMHhUIVgSx+aX3WAsSf+mXXTCyj
  fvp685YjM=; b=Fn7g5UUB4CkDgW47CxLuAblH/zmav+qssKXq7HzDHJy2ujmFoc
  nCYnMET1mP0wpJRfoLRJKyTwtB+7X65Qya4eMlslvQ3kcCMO6vX9Bg+Gv0HkIqeV
  lriTgtegq9QF2I+aJDAgxdPHtbj9ufiw/34CY76eI0p3GqdtLgWxUUfk4=
DomainKey-Signature: a=rsa-sha1; q=dns; c=simple;
  s=key1; d=finsky.de.fr;
  h=Message-ID:From:To:Subject:Date:MIME-Version:Content-Type;
  b=FYuDdHeSopA0I+yrGgGDPrIdErq4HVSlDSm0qZXaf9Fs9sMG1ltvj9UmeZPXWcY72L65CeSUZXmm6MmplcAXtolyFwmzlSLziLdfav8kRyqrdSkFogpH7JhogOVWY28U4NHe0eEmF/koJOWTiK4I8s0JwRMwoz7EIwqPODG+RIg=;
Message-ID: <1204667055650384750862225826478214523203@finsky.de.fr>
From: "Vermixin" <ihxujvc@finsky.de.fr>
To: <kastner@theater-chemnitz.de>
Subject: =?utf-8?B?VmVybWl4aW4g4oCUIEVpbiBpbm5vdmF0aXZlcyBBbnRoZWxtaW50aGlrdW0ga2FubiBTaWUgdm9yIGRlbSBWaXJ1cyBiZXdhaHJlbiE=?=
Date: Wed, 28 Sep 2022 20:12:12 +0200
MIME-Version: 1.0
Content-Type: multipart/related;
  type="multipart/alternative";
  boundary="----=_NextPart_000_0006_01D8D376.2B90EF30"
X-Spam-Result: Spam

This is a multi-part message in MIME format.



This thread was automatically locked due to age.
  • I have attached another spam example. 91.215.170.152 has been blocked, but still gets quarantined.

    Received: from mail.nodabilke.hz.cz ([37.157.255.62]:35750)
      by ********************* with esmtp (*******)
      (envelope-from <uxjenjf@nodabilke.hz.cz>)
      id 1ofod4-0003rY-2V
      for *********************;
      Tue, 04 Oct 2022 22:35:03 +0200
    Received: from nodabilke.hz.cz (dubl.rosihe.quest [91.215.170.152])
      by mail.nodabilke.hz.cz (Postfix) with ESMTPA id 4581D80CBF87;
      Tue,  4 Oct 2022 23:34:32 +0300 (EEST)
    X-SASI-Hits: BODYTEXTH_SIZE_10000_LESS 0.000000,
      BODYTEXTP_SIZE_3000_LESS 0.000000, BODY_SIZE_10000_PLUS 0.000000,
      BODY_SIZE_25K_PLUS 0.000000, BODY_SIZE_50K_PLUS 0.000000,
      BODY_SIZE_75K_PLUS 0.000000, DKIM_ALIGNS 0.000000, DKIM_SIGNATURE 0.000000,
      DOMAINKEY_SIG 0.000000, FROM_NAME_ONE_WORD 0.050000,
      HREF_LABEL_TEXT_NO_URI 0.000000, HREF_LABEL_TEXT_ONLY 0.000000,
      HTML_50_70 0.100000, JPG_COMMON_HEADER_ORDER 0.000000,
      JPG_SPAMMY_SEGMENT 0.000000, JPG_SPAMMY_Y_RESOLUTION 0.000000,
      KNOWN_MSGID 0.000000, KNOWN_OTHER_CAMPAIGN 8.000000, SENDER_NO_AUTH 0.000000,
      SINGLE_HREF_URI_IN_BODY 0.000000, SINGLE_IMG_ATTACH 0.000000,
      URI_WITH_PATH_ONLY 0.000000, UTF8_SUBJ_OBFU 0.100000, __ANY_URI 0.000000,
      __ATTACH_CTE_BASE64 0.000000, __BODY_NO_MAILTO 0.000000,
      __BODY_TEXT_X4 0.000000, __CT 0.000000, __CTYPE_HAS_BOUNDARY 0.000000,
      __CTYPE_MULTIPART 0.000000, __CTYPE_MULTIPART_ALT 0.000000,
      __DKIM_ALIGNS_1 0.000000, __DKIM_ALIGNS_2 0.000000, __EMBEDDED_IMG 0.000000,
      __EXTRA_MPART_TYPE_1 0.000000, __EXTRA_MPART_TYPE_N1 0.000000,
      __FRAUD_MONEY_BIG_COIN 0.000000, __FRAUD_MONEY_BIG_COIN_DIG 0.000000,
      __FROM_DOMAIN_NOT_IN_BODY 0.000000, __FROM_NAME_NOT_IN_ADDR 0.000000,
      __FUR_HEADER 0.000000, __HAS_ATTACHMENT 0.000000, __HAS_ATTACHMENT1 0.000000,
      __HAS_ATTACHMENT2 0.000000, __HAS_FROM 0.000000, __HAS_HTML 0.000000,
      __HAS_MSGID 0.000000, __HREF_LABEL_TEXT 0.000000, __HTML_AHREF_TAG 0.000000,
      __HTML_FONT_BLUE 0.000000, __HTML_TAG_CENTER 0.000000,
      __HTML_TAG_DIV 0.000000, __HTML_TAG_TABLE 0.000000, __HTTPS_URI 0.000000,
      __IMG_ATTACHED 0.000000, __IMS_MSGID 0.000000, __JPG_HEIGHT_100 0.000000,
      __JPG_SPAMMY_SEGMENT_2 0.000000, __JPG_SPAMMY_Y_RESOLUTION_3 0.000000,
      __JPG_WIDTH_100 0.000000, __LOCALE_CYRILLIC_CP1251_MIME 0.000000,
      __MIME_HTML 0.000000, __MIME_TEXT_H 0.000000, __MIME_TEXT_H1 0.000000,
      __MIME_TEXT_H2 0.000000, __MIME_TEXT_P 0.000000, __MIME_TEXT_P1 0.000000,
      __MIME_TEXT_P2 0.000000, __MIME_VERSION 0.000000,
      __MSGID_DIGITS_32_64 0.000000, __MSGID_SAMEAS_FROM_DOMAIN 0.000000,
      __RCVD_FROM_DOMAIN 0.000000, __SANE_MSGID 0.000000,
      __SUBJ_ALPHA_END 0.000000, __SUBJ_ALPHA_END2 0.000000,
      __SUBJ_HIGHBIT 0.000000, __TAG_EXISTS_HTML 0.000000,
      __TO_MALFORMED_2 0.000000, __TO_NO_NAME 0.000000,
      __URI_ENDS_IN_SLASH 0.000000, __URI_IN_BODY 0.000000, __URI_NOT_IMG 0.000000,
      __URI_NO_MAILTO 0.000000, __URI_NO_WWW 0.000000, __URI_WITH_PATH 0.000000,
      __UTF8_SUBJ 0.000000
    X-SASI-Probability: 83%
    X-SASI-RCODE: 200
    X-SASI-Version: Antispam-Engine: 4.1.4, AntispamData: 2022.10.4.200920
    DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=nodabilke.hz.cz;
      s=key2; h=DomainKey-Signature:Message-ID:From:To:Subject:Date:
      MIME-Version:Content-Type; bh=nqDIebK0tAHFz9e4SEa3OZefpxye1FwcIb
      r60//L0Ls=; b=AJQ5oNrU3mJcItFuJaMyElZ7VlvG9NV0n/bImknBRXRVv0/1Z4
      /unWqaMieiRbe+exGxHCEdZ3NhX5pbcSKUWYr4PIGcupVwoBnlE50T13lZKgk3B1
      wvdcTucj9PUHMuVrngtDUfMdwvnShUlYbHxz31WBADs0MeXbmyarZ3E1c=
    DomainKey-Signature: a=rsa-sha1; q=dns; c=simple;
      s=key1; d=nodabilke.hz.cz;
      h=Message-ID:From:To:Subject:Date:MIME-Version:Content-Type;
      b=FymoAhItnoD0Xu/DkVUQsH5XYfTF8zixtDyrUH/vcqlqcesipL+LgT9dK1yyk6fsOLmhvf/UZx/jZkwHiONQMwptEUv6GEGLNuTJdOPDnLt2+TIB5kyb1EMPLT1IXJizZUMefsc4XXvG7kGMoHtwr/OYnxHxGYvTbKL4R8rARog=;
    Message-ID: <3266285880528867535068785671508650482031@nodabilke.hz.cz>
    From: "Cannabisvital" <uxjenjf@nodabilke.hz.cz>
    To: <antrag@weltwaerts.de>
    Subject: =?utf-8?B?SG9jaGtvbnplbnRyaWVydGVzIENhbm5hYmlzw7ZsIENBTk5BQklTVklUQUwgT0lM?=
    Date: Tue, 04 Oct 2022 21:35:12 +0200
    MIME-Version: 1.0
    Content-Type: multipart/related;
      type="multipart/alternative";
      boundary="----=_NextPart_000_0006_01D8D837.57B23F90"
    X-Spam-Result: Spam
    
    This is a multi-part message in MIME format.
    
    ------=_NextPart_000_0006_01D8D837.57B23F90
    Content-Type: multipart/alternative;
      boundary="----=_NextPart_000_0007_01D8D837.57B23F90"
    
    ------=_NextPart_000_0007_01D8D837.57B23F90
    Content-Type: text/plain;
      charset="windows-1251"
    Content-Transfer-Encoding: quoted-printable
    
    =0D=0A=0D=0A=0D=0A=0D=0A=0D=0A=0D=0A  =0D=0A  =0D=0A    =0D=0A  =20=
       CANNABISVITAL

  • As you already noticed, "they" use other (innocent) mailservers to relay mail to you. So "blocking" IP addresses does not help against SMTP senders you don't like. This is because of the envelope that mail gets there.

    Please show us (screenshots) how you "block" those IP addresses.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.
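
The point made in the reply above, as an added example that is not part of the original thread: it takes the `Received:` lines from the two posted headers and checks each hop against the blocked ranges. It assumes the SMTP Network Blacklist is matched only against the connecting peer (the address in the topmost `Received:` line); `gateway` stands in for the masked receiving host, and the function names are made up for this sketch.

```python
import ipaddress
import re

# Received lines copied from the two headers in this thread, topmost first.
# "gateway" is a placeholder for the receiving host masked in the original.
SAMPLES = {
    "finsky.de.fr": [
        "from mail.finsky.de.fr ([5.199.133.228]:52182) by gateway with esmtp",
        "from finsky.de.fr (229004-4.vm.clodoserver.ru [62.76.188.243]) "
        "by mail.finsky.de.fr (Postfix) with ESMTPA id 4E70A8073AA6",
    ],
    "nodabilke.hz.cz": [
        "from mail.nodabilke.hz.cz ([37.157.255.62]:35750) by gateway with esmtp",
        "from nodabilke.hz.cz (dubl.rosihe.quest [91.215.170.152]) "
        "by mail.nodabilke.hz.cz (Postfix) with ESMTPA id 4581D80CBF87",
    ],
}

# The range and the single address the original poster says are blocked.
BLOCKED = [ipaddress.ip_network(n) for n in ("62.76.184.0/21", "91.215.170.152/32")]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def hop_ips(received_lines):
    """Return the bracketed IPv4 address of each Received line, topmost first."""
    found = (IP_RE.search(line) for line in received_lines)
    return [ipaddress.ip_address(m.group(1)) for m in found if m]


def is_blocked(ip):
    return any(ip in net for net in BLOCKED)


def analyse(received_lines):
    """Split hops into the connecting peer and the upstream hops behind it."""
    ips = hop_ips(received_lines)
    peer, upstream = ips[0], ips[1:]
    return {
        "peer": str(peer),                      # what a connection-level block sees
        "peer_blocked": is_blocked(peer),
        "upstream_blocked": [str(ip) for ip in upstream if is_blocked(ip)],
    }


if __name__ == "__main__":
    for name, lines in SAMPLES.items():
        print(name, analyse(lines))
```

In both samples the blocked address appears only one hop upstream, so a connection-level block never sees it. Lines below the topmost `Received:` are written by the sending side and can be forged, so matching on them is a content rule rather than a network block.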

  • Thanks for your reply. IPs are added to a separate group in Email Protection > SMTP > Network Blacklist (see screenshot below). It's working for most spammers, but does not work for this spammer pattern from above. I have reported spam messages to is-spam@labs.sophos.com multiple times to no avail. What else can I do? Expression Filters will decrease performance and will require constant adjustments.

  • As said, IP blocking does not help here.

    An expression filter would do, despite the performance impact you see.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner


  • Thank you. I will stick with Expression filters.

  • You are welcome!

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner
