Question: Analysing Sender IP in Mail Headers

Change Maker

Basic Pleskian
Server operating system version
Ubuntu 22.04.4 LTS
Plesk version and microupdate number
Version 18.0.60 Update #1
I'm looking to find out how to correctly analyse who is sending email spam using the Mail Headers.

I get torn between blocking the correct IP that sends this stuff that's detected on my server, and/or adding the email address to the Spam Blacklist on the Server.

I realise that Phishing is going on and that there is no point in blocking the wrong email or IP if it's used for Spoofing, so can anyone throw some light on this please?
Thanks
______________________________________________________________________________________

Spam detection software, running on the system "myserver.domain.co.uk", has identified this incoming email as possible spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details.

Content preview: CENTRAL BANK OF NIGERIA (CBN). CORPORATE HEADQUARTERS: CBN
HOUSE, TINUBU SQUARE, DATE:09/07/2024 ATTENTION:BENEFICIARY WHAT IS GOING
ON? WHY YOU ABANDON THIS YOUR MONEY WHICH WORTHY $5.6M DOLLARS,I AM CONTACTING
YOU PERSONAL TO NOTIFY YOU OF OUR OUT-COMING MEETING WITH OUR HEAD OFFICE
CONCERN YOUR CHECK WHICH ISSUED W [...]

Content analysis details:   (8.4 points, 5.2 required)

 pts rule name                   description
---- --------------------------- --------------------------------------------------
 0.0 DEAR_BENEFICIARY            BODY: Dear Beneficiary:
 0.0 MILLION_USD                 BODY: Talks about millions of dollars
 0.0 RCVD_IN_ZEN_BLOCKED_OPENDNS RBL: ADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked due to usage of an open resolver. See [209.85.218.41 listed in zen.spamhaus.org]
 0.0 RCVD_IN_MSPIKE_H3           RBL: Good reputation (+3) [209.85.218.41 listed in wl.mailspike.net]
-5.0 RCVD_IN_DNSWL_HI            RBL: Sender listed at dnswl.org – E-Mail Reputation – Protect against false positives, high trust [209.85.218.41 listed in list.dnswl.org]
 0.0 SPF_HELO_NONE               SPF: HELO does not publish an SPF Record
 0.5 SUBJ_ALL_CAPS               Subject is all capitals
 0.2 FREEMAIL_REPLYTO_END_DIGIT  Reply-To freemail username ends in digit [tonyebere238[at]yahoo.com]
-0.0 SPF_PASS                    SPF: sender matches SPF record
 0.0 FREEMAIL_FROM               Sender email is commonly abused enduser mail provider [philipezechairmanbd[at]gmail.com]
 0.0 HTML_MESSAGE                BODY: HTML included in message
-0.1 DKIM_VALID_AU               Message has a valid DKIM or DK signature from author's domain
-0.1 DKIM_VALID                  Message has at least one valid DKIM or DK signature
 0.1 DKIM_SIGNED                 Message has a DKIM or DK signature, not necessarily valid
-0.1 DKIM_VALID_EF               Message has a valid DKIM or DK signature from envelope-from domain
 0.0 RCVD_IN_MSPIKE_WL           Mailspike good senders
 1.2 UPPERCASE_75_100            message body is 75-100% uppercase
 0.0 LOTS_OF_MONEY               Huge... sums of money
 3.1 UNDISC_FREEM                Undisclosed recipients + freemail reply-to
 0.7 MONEY_FREEMAIL_REPTO        Lots of money from someone using free email?
 1.0 FREEMAIL_REPLYTO            Reply-To/From or Reply-To/body contain different freemails
 0.0 T_FILL_THIS_FORM_SHORT      Fill in a short form with personal information
 0.0 MONEY_FORM_SHORT            Lots of money if you fill out a short form
 0.0 T_FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s)
 3.0 ADVANCE_FEE_5_NEW_MONEY     Advance Fee fraud and lots of money
 1.0 UNDISC_MONEY                Undisclosed recipients + money/fraud signs
 2.9 FORM_FRAUD_5                Fill a form and many fraud phrases

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam. If you wish to view
it, it may be safer to save it to a file and open it with an editor.
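
Added example (not from the post, nor Plesk or SpamAssassin code): a Python triage of the headers behind a report like the one above, answering the "block the IP or the address?" question. It assumes the server's own MX stamped the topmost Received line (the TRUSTED_HOSTS set), treats the FREEMAIL_DOMAINS list as an assumption, and uses constructed headers modelled on the report's rule hits (relay 209.85.218.41, SPF and DKIM pass, a freemail Reply-To); it also goes beyond the report by handling the unauthenticated (likely spoofed) case.

```python
import email
import email.utils
import re

# Assumptions for this example: our own MX (whose Received stamps we trust)
# and providers whose outbound relays are shared by millions of users.
TRUSTED_HOSTS = {"myserver.domain.co.uk"}
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Constructed sample modelled on the report above (relay 209.85.218.41, SPF and
# DKIM pass, freemail Reply-To); hostnames, ids and the lower hop are invented.
RAW_MESSAGE = """\
Received: from relay.gmail.example (relay.gmail.example [209.85.218.41])
\tby myserver.domain.co.uk (Postfix) with ESMTPS id EXAMPLE1; Tue, 9 Jul 2024 10:00:00 +0000
Received: from attacker-pc.example ([198.51.100.7]) by relay.gmail.example
Authentication-Results: myserver.domain.co.uk; spf=pass smtp.mailfrom=gmail.com;
\tdkim=pass header.d=gmail.com
From: philipezechairmanbd@gmail.com
Reply-To: tonyebere238@yahoo.com
"""

def connecting_ip(raw):
    """Walk Received headers newest-first; the first hop stamped by a trusted
    host names the IP that connected to us. Lower hops may be forged."""
    for hop in email.message_from_string(raw).get_all("Received", []):
        by = re.search(r"\bby\s+([\w.-]+)", hop)
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hop)
        if by and ip and by.group(1).lower() in TRUSTED_HOSTS:
            return ip.group(1)
    return None

def auth_results(raw):
    """spf=/dkim=/dmarc= verdicts from our own Authentication-Results header."""
    header = email.message_from_string(raw).get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))

def triage(raw):
    """Decide whether the IP or only the address is the right thing to block."""
    msg = email.message_from_string(raw)
    sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    reply_to = email.utils.parseaddr(msg.get("Reply-To", ""))[1].lower()
    auth = auth_results(raw)
    if "pass" not in (auth.get("spf"), auth.get("dkim")):
        action = "From may be spoofed: act on the connecting IP, not the address"
    elif sender.rsplit("@", 1)[-1] in FREEMAIL_DOMAINS:
        action = "shared freemail relay: block the address (and Reply-To), not the IP"
    else:
        action = "authenticated sender: block the address and/or its IP"
    return {"ip": connecting_ip(raw), "from": sender, "reply_to": reply_to,
            "auth": auth, "action": action}
```

Calling triage(RAW_MESSAGE) on this sample returns the relay IP 209.85.218.41 with SPF and DKIM pass and recommends blocking the Gmail address and the Yahoo Reply-To rather than the IP, which is a shared Google relay that also carries legitimate mail.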