Increased Spam Passing through since 8.51 Enterprise update

[Ruffs]

Hi All,


Was just wondering if anyone else had noticed an increase in spam slipping through in recent weeks since the 8.51 update was applied to any of your servers?

Have noticed a lot more coming through, and it's seemingly to do with including the receiving email addresses domain being included with an =<domainname> before the @ symbol.

For example:

MAIL+FROM:<KidsLiveSafe-scott=mydomain.com@swmdco.com>

This would allow any email through where the email being sent to the recipient was, in appearance, containing the sending email address still.

Any other people noticed this issue?


Kind regards,


S

[rfwilliams777]

Nope, but I am using MXScan to do the majority of the filtering.

[Ruffs]

Thank you Robert, but this has literally only started since the 8.51 update was applied. Prior to that we weren't receiving these levels of spam sneaking through.

The primary reason I brought it up, or wanted to bring it to attention here, was that I'm concerned that it is somehow taking advantage of a possible fault in ME's current acceptance checking, perhaps the validation of the MAIL FROM command is simply doing a Contains check in the string for the domain name and the users mailbox to validate against the recipient, and if the MAIL FROM contains the recipients primary information (domain and mailbox) then it's letting it through without the usual spam checks.

All the emails getting through seem to be using the same technique, of adding the users email address but with an = instead of an @ in the mailbox side of the stated MAIL FROM, but as the domain side matches the server from which the message is coming from, it seems to be passing the PTR back check tests as well.

I'm not sure if there is a means to submit possible technical/security issues to the team for review?

[rfwilliams777]

I would recommend sending to them; however, my point of mentioning MXScan is the fact I don't rely on ME being my frontline spam filter. It serves secondary after all the filtering MXScan does because ME's filtering is not great if you host various companies and/or accounts that have been out there for years.

[MarkM]

I agree with rfwilliams777. We are using MXScan and when we switched to b8.51 we monitored the spam for several days. No real noticeable increase in SPAM at all. The fact that ME was not filtering out enough even with SpamAssissan configured lead up to start using MXScan. Well worth the investment and not that hard to configure once you understand what is is trying to do.

Mark M.

[Ehenzel1978]

I also noticed a major uptick in the levels of spam coming through with the 8.51 upgrade. That's when I went to MXscan. Since installing and tweaking it, our spam levels are lower than ever. Although, it took about 3 weeks to get it tweaked right. I had major problems with the country blacklist overriding everything else. We have factories in China, and MXscan did not like seeing email from them. We even have a few people over there that are on our email domain, and even those were getting rejected. Once it all got sorted out though, it has been great.

[Ruffs]

Well, glad to hear I wasn't the only one that noticed the increase.

Thank you for the suggestions folks, may have to look at additional options.