
how to stop facebook spam emails

  • motty cruz
    Hello, users in my domain are getting lots of spam emails from facebook such as this update+zj4o40c2_aay@facebookmail.com here is the header: Return-Path:
    Message 1 of 7 , Jul 29, 2013
      Hello, users in my domain are getting lots of spam emails from facebook such as this update+zj4o40c2_aay@...

      here is the header: 
      Return-Path: <no-reply@...>
      X-Original-To: user@...
      Delivered-To: user@domain
      Received: from spamfilter.domain.com (spamfilter.domain.com [xx.xx.xx.xx])
      by mail.domain.com (Postfix) with ESMTP id 4B11A8A03E;
      Mon, 29 Jul 2013 08:25:27 -0700 (PDT)
      Received: from spamfilter.domain.com (localhost [127.0.0.1])
      by spamfilter.domain.com (Postfix) with ESMTP id 493644562FC;
      Mon, 29 Jul 2013 08:25:35 -0700 (PDT)
      X-Virus-Scanned: amavisd-new at domain.com
      X-Spam-Flag: NO
      X-Spam-Score: -89.515
      X-Spam-Level:
      X-Spam-Status: No, score=-89.515 tagged_above=-999 required=5.3
      tests=[BAYES_99=4.5, DKIM_ADSP_ALL=0.8, HTML_MESSAGE=0.001,
      RCVD_IN_BL_SPAMCOP_NET=1.347, RCVD_IN_BRBL_LASTEXT=1.449,
      RCVD_IN_XBL=0.375, RDNS_NONE=2.013, USER_IN_WHITELIST=-100]
      autolearn=no
      Received: from spamfilter.domain.com ([127.0.0.1])
      by spamfilter.domain.com ( [127.0.0.1]) (amavisd-new, port 10024)
      with ESMTP id HYefbh5IrXzZ; Mon, 29 Jul 2013 08:25:33 -0700 (PDT)
      Received: from facebook.com (unknown [173.200.156.65])
      by spamfilter.domain.com (Postfix) with ESMTP id CBE9B4562E5;
      Mon, 29 Jul 2013 08:25:32 -0700 (PDT)
      Received: from obpabqbbaahjoeoaocj (192.168.1.61) by obpabqbbaahjoeoaocj. (173.200.156.65) with Microsoft SMTP Server id 8.0.685.24; Mon, 29 Jul 2013 10:25:46 -0500
      Message-ID: <51F67C1D.203050@...>
      Date: Mon, 29 Jul 2013 10:25:46 -0500
      From: "Facebook" <update+zj4o40c2_aay@...>
      User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.9) Gecko/20101112 Thunderbird/3.1.4
      MIME-Version: 1.0
      To: <user@...>,
      Subject: Sara Queen wants to be friends with you on Facebook.
      Content-Type: multipart/alternative;
       boundary="------------07010800404040908030205"


      Thanks in advance, 

    • Simon B
      Message 2 of 7 , Jul 29, 2013


        On 29 Jul 2013 18:38, "motty cruz" <motty.cruz@...> wrote:
        >
        > Hello, users in my domain are getting lots of spam emails from facebook such as this update+zj4o40c2_aay@...
        >
        > here is the header: 
        > Return-Path: <no-reply@...>
        > X-Original-To: user@...
        > Delivered-To: user@domain
        > Received: from spamfilter.domain.com (spamfilter.domain.com [xx.xx.xx.xx])
        > by mail.domain.com (Postfix) with ESMTP id 4B11A8A03E;
        > Mon, 29 Jul 2013 08:25:27 -0700 (PDT)
        > Received: from spamfilter.domain.com (localhost [127.0.0.1])
        > by spamfilter.domain.com (Postfix) with ESMTP id 493644562FC;
        > Mon, 29 Jul 2013 08:25:35 -0700 (PDT)
        > X-Virus-Scanned: amavisd-new at domain.com
        > X-Spam-Flag: NO
        > X-Spam-Score: -89.515
        > X-Spam-Level:
        > X-Spam-Status: No, score=-89.515 tagged_above=-999 required=5.3
        > tests=[BAYES_99=4.5, DKIM_ADSP_ALL=0.8, HTML_MESSAGE=0.001,
        > RCVD_IN_BL_SPAMCOP_NET=1.347, RCVD_IN_BRBL_LASTEXT=1.449,
        > RCVD_IN_XBL=0.375, RDNS_NONE=2.013, USER_IN_WHITELIST=-100]

        This is an amavis question, not a postfix one.  If you didn't have
        USER_IN_WHITELIST=-100
        In your config this mail would be trapped, or at least marked.

        The postfix solution would be to use the spamcop rbl (since these mails get logged pretty quickly). YMMV.

        Simon

        > autolearn=no
        > Received: from spamfilter.domain.com ([127.0.0.1])
        > by spamfilter.domain.com ( [127.0.0.1]) (amavisd-new, port 10024)
        > with ESMTP id HYefbh5IrXzZ; Mon, 29 Jul 2013 08:25:33 -0700 (PDT)
        > Received: from facebook.com (unknown [173.200.156.65])
        > by spamfilter.domain.com (Postfix) with ESMTP id CBE9B4562E5;
        > Mon, 29 Jul 2013 08:25:32 -0700 (PDT)
        > Received: from obpabqbbaahjoeoaocj (192.168.1.61) by obpabqbbaahjoeoaocj. (173.200.156.65) with Microsoft SMTP Server id 8.0.685.24; Mon, 29 Jul 2013 10:25:46 -0500
        > Message-ID: <51F67C1D.203050@...>
        > Date: Mon, 29 Jul 2013 10:25:46 -0500
        > From: "Facebook" <update+zj4o40c2_aay@...>
        > User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.9) Gecko/20101112 Thunderbird/3.1.4
        > MIME-Version: 1.0
        > To: <user@...>,
        > <user@...>
        > Subject: Sara Queen wants to be friends with you on Facebook.
        > Content-Type: multipart/alternative;
        >  boundary="------------07010800404040908030205"
        >
        >
        > Thanks in advance, 
        >
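Added example, not part of the original thread: Simon's point checked against the X-Spam-Status header from the first post. It recomputes the score with the whitelist rules left out; the function names and the WHITELIST_RULES set are assumptions of this example.

```python
import re

# X-Spam-Status value from the original post, folded lines joined.
HEADER = ("No, score=-89.515 tagged_above=-999 required=5.3 "
          "tests=[BAYES_99=4.5, DKIM_ADSP_ALL=0.8, HTML_MESSAGE=0.001, "
          "RCVD_IN_BL_SPAMCOP_NET=1.347, RCVD_IN_BRBL_LASTEXT=1.449, "
          "RCVD_IN_XBL=0.375, RDNS_NONE=2.013, USER_IN_WHITELIST=-100] "
          "autolearn=no")

# Assumption: SpamAssassin rule names treated as whitelist overrides here.
WHITELIST_RULES = {"USER_IN_WHITELIST", "USER_IN_DEF_WHITELIST",
                   "USER_IN_WELCOMELIST"}


def parse_spam_status(value):
    """Return (required, {rule: score}) from an amavisd-style header value."""
    req = re.search(r"required=(-?[\d.]+)", value)
    tests = re.search(r"tests=\[(.*?)\]", value, re.S)
    if not req or not tests:
        raise ValueError("no required= or tests=[...] field found")
    rules = {}
    for item in tests.group(1).split(","):
        name, _, score = item.strip().partition("=")
        if name and score:  # skip rule names listed without a score
            rules[name] = float(score)
    return float(req.group(1)), rules


def audit(value):
    """Report whether a whitelist hit is the only reason the mail passed."""
    required, rules = parse_spam_status(value)
    total = sum(rules.values())
    unmasked = sum(s for n, s in rules.items() if n not in WHITELIST_RULES)
    return {
        "score": round(total, 3),
        "unmasked": round(unmasked, 3),
        "required": required,
        # Passed as ham, but would have crossed the threshold on its own.
        "masked_spam": total < required <= unmasked,
    }


if __name__ == "__main__":
    print(audit(HEADER))
```

Run over delivered mail, this flags messages whose sender whitelist entry is broad enough to cover forged senders.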

      • motty cruz
        Message 3 of 7 , Jul 29, 2013
          I apologize for the wrong list posting and thank you for your suggestion. 

          -motty


          On Mon, Jul 29, 2013 at 9:47 AM, Simon B <simon.buongiorno@...> wrote:


          On 29 Jul 2013 18:38, "motty cruz" <motty.cruz@...> wrote:
          >
          > Hello, users in my domain are getting lots of spam emails from facebook such as this update+zj4o40c2_aay@...
          >
          > here is the header: 
          > Return-Path: <no-reply@...>
          > X-Original-To: user@...
          > Delivered-To: user@domain
          > Received: from spamfilter.domain.com (spamfilter.domain.com [xx.xx.xx.xx])
          > by mail.domain.com (Postfix) with ESMTP id 4B11A8A03E;
          > Mon, 29 Jul 2013 08:25:27 -0700 (PDT)
          > Received: from spamfilter.domain.com (localhost [127.0.0.1])
          > by spamfilter.domain.com (Postfix) with ESMTP id 493644562FC;
          > Mon, 29 Jul 2013 08:25:35 -0700 (PDT)
          > X-Virus-Scanned: amavisd-new at domain.com
          > X-Spam-Flag: NO
          > X-Spam-Score: -89.515
          > X-Spam-Level:
          > X-Spam-Status: No, score=-89.515 tagged_above=-999 required=5.3
          > tests=[BAYES_99=4.5, DKIM_ADSP_ALL=0.8, HTML_MESSAGE=0.001,
          > RCVD_IN_BL_SPAMCOP_NET=1.347, RCVD_IN_BRBL_LASTEXT=1.449,
          > RCVD_IN_XBL=0.375, RDNS_NONE=2.013, USER_IN_WHITELIST=-100]

          This is an amavis question, not a postfix one.  If you didn't have
          USER_IN_WHITELIST=-100
          In your config this mail would be trapped, or at least marked.

          The postfix solution would be to use the spamcop rbl (since these mails get logged pretty quickly). YMMV.

          Simon

          > autolearn=no
          > Received: from spamfilter.domain.com ([127.0.0.1])
          > by spamfilter.domain.com ( [127.0.0.1]) (amavisd-new, port 10024)
          > with ESMTP id HYefbh5IrXzZ; Mon, 29 Jul 2013 08:25:33 -0700 (PDT)
          > Received: from facebook.com (unknown [173.200.156.65])
          > by spamfilter.domain.com (Postfix) with ESMTP id CBE9B4562E5;
          > Mon, 29 Jul 2013 08:25:32 -0700 (PDT)
          > Received: from obpabqbbaahjoeoaocj (192.168.1.61) by obpabqbbaahjoeoaocj. (173.200.156.65) with Microsoft SMTP Server id 8.0.685.24; Mon, 29 Jul 2013 10:25:46 -0500
          > Message-ID: <51F67C1D.203050@...>
          > Date: Mon, 29 Jul 2013 10:25:46 -0500
          > From: "Facebook" <update+zj4o40c2_aay@...>
          > User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.9) Gecko/20101112 Thunderbird/3.1.4
          > MIME-Version: 1.0
          > To: <user@...>,
          > <user@...>
          > Subject: Sara Queen wants to be friends with you on Facebook.
          > Content-Type: multipart/alternative;
          >  boundary="------------07010800404040908030205"
          >
          >
          > Thanks in advance, 
          >


        • Viktor Dukhovni
          Message 4 of 7 , Jul 29, 2013
            On Mon, Jul 29, 2013 at 09:37:19AM -0700, motty cruz wrote:

            > Hello, users in my domain are getting lots of spam emails from facebook
            > such as this update+zj4o40c2_aay@...
            >
            > Received: from facebook.com (unknown [173.200.156.65])
            > by spamfilter.domain.com (Postfix) with ESMTP id CBE9B4562E5;
            > Mon, 29 Jul 2013 08:25:32 -0700 (PDT)

            Note, this is not actually from facebook, the mail is a forgery
            and may be a phishing scam.

            %rwhois V-1.5:003eff:00 rwhois.cbeyond.net (by Network Solutions, Inc. V-1.5.9.5)
            network:Class-Name:network
            network:ID:NET-173-200-0-0-1
            network:Auth-Area:173.200.0.0
            network:Network-Name:CBEY-173.200.156.64
            network:IP-Network:173.200.156.64/30
            network:IP-Network-Block:173.200.156.64 - 173.200.156.67
            network:Org-Name:American Building Restoration Inc
            network:Street-Address:7371 Lockport Place Suite K
            network:City:Lorton
            network:State:VA
            network:Postal-Code:22079
            network:Country-Code:US
            network:Tech-Contact;I:ip-admin@...
            network:Admin-Contact;I:ip-admin@...
            network:Abuse-Contact;I:abuse@...
            network:Created:09/15/2009
            network:Updated:20130726
            network:Updated-By:ip-admin@...

            If none of the RBLs list this and lots of similar sources, you need
            a spam content filter or milter that does.

            --
            Viktor.
          • Wietse Venema
            Message 5 of 7 , Jul 29, 2013
              Viktor Dukhovni:
              > On Mon, Jul 29, 2013 at 09:37:19AM -0700, motty cruz wrote:
              >
              > > Hello, users in my domain are getting lots of spam emails from facebook
              > > such as this update+zj4o40c2_aay@...
              > >
              > > Received: from facebook.com (unknown [173.200.156.65])
              > > by spamfilter.domain.com (Postfix) with ESMTP id CBE9B4562E5;
              > > Mon, 29 Jul 2013 08:25:32 -0700 (PDT)
              >
              > Note, this is not actually from facebook, the mail is a forgery
              > and may be a phishing scam.
              ...
              > If none of the RBLs list this and lots of similar sources, you need
              > a spam content filter or milter that does.

              The IP address is listed at zen.spamhaus.org, bl.spamcop.net, and
              b.barracudacentral.org, and perhaps more.

              Wietse
            • motty cruz
              Message 6 of 7 , Jul 29, 2013
                Thank you Mr. Wietse,
                I added spamcop to my rbl since to be holding the line for now. 

                Thank you very much!


                On Mon, Jul 29, 2013 at 12:04 PM, Wietse Venema <wietse@...> wrote:
                Viktor Dukhovni:
                > On Mon, Jul 29, 2013 at 09:37:19AM -0700, motty cruz wrote:
                >
                > > Hello, users in my domain are getting lots of spam emails from facebook
                > > such as this update+zj4o40c2_aay@...
                > >
                > > Received: from facebook.com (unknown [173.200.156.65])
                > >   by spamfilter.domain.com (Postfix) with ESMTP id CBE9B4562E5;
                > >   Mon, 29 Jul 2013 08:25:32 -0700 (PDT)
                >
                > Note, this is not actually from facebook, the mail is a forgery
                > and may be a phishing scam.
                ...
                > If none of the RBLs list this and lots of similar sources, you need
                > a spam content filter or milter that does.

                The IP address is listed at zen.spamhaus.org, bl.spamcop.net, and
                b.barracudacentral.org, and perhaps more.

                        Wietse

              • Stan Hoeppner
                Message 7 of 7 , Jul 29, 2013
                  On 7/29/2013 2:16 PM, motty cruz wrote:
                  > Thank you Mr. Wietse,
                  > I added spamcop to my rbl since to be holding the line for now.

                  Motty, note that using bl.spamcop.net for direct rejection is
                  discouraged by the Spamcop team. The chance of FPs is pretty high with
                  this DNSBL. It is recommended that you use bl.spamcop.net only in a
                  scoring system such as SA and with a relatively low score. SA in fact
                  does this with spamcop in the default configuration.

                  Using Postscreen w/Zen and BRBL, along with client/sender/helo rhsbl
                  checks against dbl.spamhaus.org, should REJECT 90-95% of your inbound
                  spam connections including all bot spam. Then all you have to worry
                  about is snowshoe. For that you'll need a good content filter, and/or
                  much manual work building CIDR tables of revealed snowshoe networks.
                  There exist both public and private mailing lists that specialize in
                  publishing such snowshoe spammer CIDR ranges.

                  > On Mon, Jul 29, 2013 at 12:04 PM, Wietse Venema <wietse@...> wrote:

                  >> The IP address is listed at zen.spamhaus.org, bl.spamcop.net, and
                  >> b.barracudacentral.org, and perhaps more.

                  Just a few. ;) I omitted the APEWS listing, for obvious reasons.

                  173.200.156.65 abuse.ch combined zone Listed
                  173.200.156.65 abuse.ch spam blacklist Listed
                  173.200.156.65 Barracuda Reputation Block List Listed
                  173.200.156.65 CBL Listed
                  173.200.156.65 Mailspike Blacklist Listed
                  173.200.156.65 McAfee RBL Listed
                  173.200.156.65 nsZones.com SBL Listed
                  173.200.156.65 nsZones.com SBL+Dyn Listed
                  173.200.156.65 Project Honey Pot (http:BL) Listed
                  173.200.156.65 SORBS Aggregate zone (problems) Listed
                  173.200.156.65 SORBS Spamhost (any time) Listed
                  173.200.156.65 SORBS Spamhost (last 28 days) Listed
                  173.200.156.65 SORBS Spamhost (last year) Listed
                  173.200.156.65 SpamCop Blocking List Listed
                  173.200.156.65 Spamhaus SBL-XBL Combined Block List Listed
                  173.200.156.65 Spamhaus XBL Exploits Block List Listed
                  173.200.156.65 Spamhaus ZEN Combined Block List Listed
                  173.200.156.65 Unsubscribe Blacklist UBL Listed
                  173.200.156.65 V4BL/DDNSBL Listed
                  173.200.156.65 Hostkarma Listed
                  173.200.156.65 Mailspike Reputation Listed
                  173.200.156.65 Quorum.to Listed

                  The fact that just about everyone in the DNSBL world is listing this IP,
                  and you accepted mail from it, would suggest that you are fairly new to
                  using DNSBLs, and anti-spam controls in general. It may prove valuable
                  to search the list archives for "DNSBL" and/or "spam".

                  --
                  Stan
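Added example, not part of the original thread: a model of the weighted DNSBL scoring Stan describes, where bl.spamcop.net contributes a low score and cannot cause a rejection on its own. The zones and the client address come from the thread; the weights, threshold, function names and the 192.0.2.10 entry are assumptions constructed for this example.

```python
import ipaddress
import socket

# Assumed weights: SpamCop alone stays below the rejection threshold.
WEIGHTS = {"zen.spamhaus.org": 3, "b.barracudacentral.org": 2,
           "bl.spamcop.net": 1}
THRESHOLD = 3

# Constructed offline zone data: the thread's client is listed on all three
# zones (per Wietse); 192.0.2.10 is a made-up SpamCop-only listing.
SAMPLE_LISTED = {
    "65.156.200.173.zen.spamhaus.org",
    "65.156.200.173.b.barracudacentral.org",
    "65.156.200.173.bl.spamcop.net",
    "10.2.0.192.bl.spamcop.net",
}


def sample_listed(name):
    return name in SAMPLE_LISTED


def dnsbl_name(ip, zone):
    """Build the DNSBL query name: reversed IPv4 octets plus the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dns_listed(name):
    """Live lookup: listed if the name resolves inside 127.0.0.0/8."""
    try:
        addr = socket.gethostbyname(name)
    except OSError:  # NXDOMAIN or resolver failure: treat as not listed
        return False
    # 127.255.255.x answers are DNSBL error codes (e.g. blocked resolver),
    # not listings; counting them would reject legitimate mail.
    return addr.startswith("127.") and not addr.startswith("127.255.255.")


def score(ip, listed=dns_listed):
    """Sum the weights of the zones listing ip and compare to THRESHOLD."""
    hits = [z for z in WEIGHTS if listed(dnsbl_name(ip, z))]
    total = sum(WEIGHTS[z] for z in hits)
    return {"hits": hits, "score": total, "reject": total >= THRESHOLD}


if __name__ == "__main__":
    for ip in ("173.200.156.65", "192.0.2.10"):
        print(ip, score(ip, sample_listed))
```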