| From: | Tommy |
|---|---|
| Date: | 1/13/21 9:58 PM |
| Topic: | 【SUGGESTION】Recipient account in From header filter |
| Type: | General Discussions |
Some hackers are using thousands of hotmail.com accounts to send spam. All the emails pass SPF and DKIM, which means it is 100% sure they come from Microsoft's server. For example, if my domain is abcde.com, they are sending as below:

From: jacket <hotmail email> To: jacket@abcde.com
From: tommy <hotmail email> To: tommy@abcde.com
From: steven <hotmail email> To: steven@abcde.com

The account part before @abcde.com is used in the From header. Is it possible to add a new filter for this?
| From: | Anonymous |
|---|---|
| Date: | 1/13/21 10:01 PM |
The mail subject and content are random, only a few words. I think they are using this method to validate the email accounts of my domain.
| From: | Synametrics Support |
|---|---|
| Date: | 1/14/21 7:30 AM |
No, these emails are forged. They are not coming from Hotmail's server. I assume you're looking at the "From" header in the email message. Look at the MAIL FROM value in the SMTP envelope instead. Most likely that will not say hotmail.com. Check https://www.xeams.com/difference-envelope-header.htm to see the difference between the email header and the SMTP envelope. I can confidently say this is a forgery because the example you sent is a common method of deceiving the recipient into thinking the message came from Hotmail. In fact, Xeams has a filter that looks for such tricks and assigns a score.
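As an added example (not code from the thread or from Xeams), the following script applies the two checks discussed so far to a raw message: the pattern from the opening post (From display name equal to the recipient's local part, a random-looking local part, a near-empty probe message) and the envelope-versus-header comparison recommended in this reply. It assumes the envelope sender is available in the X-SM_EnvelopeFrom header, as quoted later in the thread; the three sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not from the thread). X-SM_EnvelopeFrom is the
# header Xeams adds with the SMTP envelope sender, as quoted later in the thread.
LEGIT = ("X-SM_EnvelopeFrom: bounce@newsletter.example\n"
         "From: Example Newsletter <news@newsletter.example>\n"
         "To: tommy@abcde.com\nSubject: Weekly digest\n\nHere is your weekly digest.\n")
PROBE = ("X-SM_EnvelopeFrom: noseslwlit@hotmail.com\n"
         "From: tommy <noseslwlit@hotmail.com>\n"
         "To: tommy@abcde.com\nSubject: hi\n\nok\n")
FORGED = ("X-SM_EnvelopeFrom: bounce@relay.example\n"
          "From: steven <qwertyuiopasd@hotmail.com>\n"
          "To: steven@abcde.com\nSubject: hi\n\nok\n")


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def analyze(raw):
    """Return the heuristics a message trips; an empty list means nothing odd."""
    msg = message_from_string(raw)
    envelope_from = msg.get("X-SM_EnvelopeFrom", "").strip().lower()
    display, header_from = parseaddr(msg.get("From", ""))
    rcpt_local = parseaddr(msg.get("To", ""))[1].partition("@")[0].lower()
    from_local = header_from.partition("@")[0]
    findings = []
    # Tommy's observation: the From display name equals the recipient's local part.
    if display and display.strip().lower() == rcpt_local:
        findings.append("display-name-matches-recipient")
    # Support's check: envelope sender domain differs from the header From domain.
    if envelope_from and domain_of(envelope_from) != domain_of(header_from):
        findings.append("envelope-header-domain-mismatch")
    # Batch-registered accounts: 10~20 random letters, approximated as all-alphabetic.
    if 10 <= len(from_local) <= 20 and from_local.isalpha():
        findings.append("random-looking-local-part")
    # Probing messages: only a couple of words across subject and body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    if len(msg.get("Subject", "").split()) + len(body.split()) <= 2:
        findings.append("near-empty-message")
    return findings


if __name__ == "__main__":
    for name, raw in (("LEGIT", LEGIT), ("PROBE", PROBE), ("FORGED", FORGED)):
        print(name, analyze(raw))
```

The all-alphabetic local-part test is a crude stand-in for "random letters" and will also flag ordinary long names, so it belongs in a scoring filter rather than a hard block; the PROBE sample shows why the envelope check alone is not enough when the sender really is a Microsoft account.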
| From: | Tommy |
|---|---|
| Date: | 1/14/21 9:17 AM |
It is 100% sure it comes from Microsoft's server. Those spammers batch-register Hotmail and Gmail accounts with 10~20 random letters. All these accounts are used to send a few emails per day, so it is hard for Microsoft to catch the spam behavior. Sometimes they only send an email with a few letters in the subject and content to validate the recipient.
| From: | Tommy |
|---|---|
| Date: | 1/14/21 9:19 AM |
X-SM_EnvelopeFrom: noseslwlit@hotmail.com
| From: | Synametrics Support |
|---|---|
| Date: | 1/14/21 9:30 AM |
Yes, this example came from Microsoft. I recommend you report this to Microsoft as mentioned on [link missing from the post]. What score did you get in Xeams? Was the message blocked?
| From: | Tommy |
|---|---|
| Date: | 1/14/21 9:45 AM |
It is about -50 when they send with only very few words in the subject and content. Bayesian thinks it is good and SPF passes. But when they are really sending ads, it is easy to catch them with the body keyword filter.
| From: | Synametrics Support |
|---|---|
| Date: | 1/14/21 10:10 AM |
I see the following line in the header that you posted earlier:

This means they are using an email client on their desktop rather than Hotmail's web interface. Look at the sender's IP address in these emails. If they are coming from a handful of IP addresses, you can create a Header filter to look for them.
| From: | Tommy |
|---|---|
| Date: | 1/14/21 9:28 AM |
I have collected about 3000 Hotmail accounts that are sending spam. The first part of the email address is random letters, such as: nesledojuub@hotmail.com
| From: | Synametrics Support |
|---|---|
| Date: | 1/14/21 10:29 AM |
One more suggestion. I see that the IP address 222.67.186.87 is blacklisted on Spamhaus XBL. You could add an XBL filter in Xeams using the following configuration:

VERY IMPORTANT: Under normal circumstances we do NOT recommend checking the "Check only first IP in the header" box. That can result in many false positives. However, since you're under attack, do this temporarily and remove it once done. You could also enable RBLServer.log in Xeams. Check https://xeams.com/xeams-log-files.htm, select the tab for Additional Logging and see RBL Servers.
| From: | Tommy |
|---|---|
| Date: | 3/24/22 3:20 AM |
Huh