10-28-2013 09:36 AM
Hello
I am trying to understand the mail flow by looking at the IronPort quarantine report:
who sent this email,
where it was going, and how it ended up in the IronPort quarantine.
Particularly, I am wondering if the user's computer is infected with some malware program.
Many thanks
X-IronPort-AV: E=Sophos;i="4.93,546,1378882800"; d="scan'208";a="14548166"
Subject: [SPAM] Environmental corporation searching for representatives worldwide.
X-IronPort-Anti-Spam-Result: AmrsAE4TZlJ4inPe/2dsb2JhbACNL51bkniGZA
X-IronPort-Anti-Spam-Filtered: true
Received: from 222-115-138-120.mysipl.com ([120.138.115.222]) by smtp1.MYCOMPANY.com with ESMTP; 21 Oct 2013 23:01:02 -0700
Received: from [84.73.175.56] (account movementgsz873@gmail.com HELO crtummz.vbefoihhdphw.com) by 222-115-138-120.mysipl.com (CommuniGate Pro SMTP 5.2.3) with ESMTPA id 705398280 for cgomez@MYCOMPANY.com; Tue, 22 Oct 2013 11:40:23 +0530
Date: Tue, 22 Oct 2013 11:40:23 +0530
From: <cgomez@MYCOMPANY.com>
X-Mailer: The Bat! (v3.0) Home
X-Priority: 3 (Normal)
Message-ID: <0782249119.3UGFV5TR374889@bmolaxpvvzww.ibbtxbwxvv.net>
To: <cgomez@MYCOMPANY.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
Environmental company looking for representation
6% commission on 200K monthly income derived from promotion and sales of proprietary environmental research information
Requirements:
- Own a company
- Daily E-mail, Skype or phone link with us
- Properly paced execution of all instructions
In case of expressing interest, please indicate these data:
- Full name
- Telephone number (including country code)
- City and Country
- Age
Please answer to: Kelley@consult-googleapps.com
Best Regards,
Liaison dept
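The header block in the post above already answers the "who sent it / where was it going" part if the Received: lines are read in delivery order (bottom to top). The script below is an added example, not part of the original post or of any Cisco tool: it parses those headers with the standard library, rebuilds the hop chain, and flags the points a practitioner would check (the originating IP and the authenticated account at the first hop, the relay that handed the message to the company MX, and a From: address in the company's own domain that was never touched by a company MTA before arriving). The header text is copied from the post; the domain name MYCOMPANY.com and the field names in the result dictionary are this example's own choices.

```python
import email
import email.utils
import re

# Header block copied from the quarantined message posted above (body omitted).
# Constructed test input for the parser; the placeholder domain MYCOMPANY.com is kept.
RAW_HEADERS = """\
X-IronPort-AV: E=Sophos;i="4.93,546,1378882800"; d="scan'208";a="14548166"
Subject: [SPAM] Environmental corporation searching for representatives worldwide.
X-IronPort-Anti-Spam-Result: AmrsAE4TZlJ4inPe/2dsb2JhbACNL51bkniGZA
X-IronPort-Anti-Spam-Filtered: true
Received: from 222-115-138-120.mysipl.com ([120.138.115.222]) by smtp1.MYCOMPANY.com with ESMTP; 21 Oct 2013 23:01:02 -0700
Received: from [84.73.175.56] (account movementgsz873@gmail.com HELO crtummz.vbefoihhdphw.com) by 222-115-138-120.mysipl.com (CommuniGate Pro SMTP 5.2.3) with ESMTPA id 705398280 for cgomez@MYCOMPANY.com; Tue, 22 Oct 2013 11:40:23 +0530
Date: Tue, 22 Oct 2013 11:40:23 +0530
From: <cgomez@MYCOMPANY.com>
To: <cgomez@MYCOMPANY.com>
Message-ID: <0782249119.3UGFV5TR374889@bmolaxpvvzww.ibbtxbwxvv.net>

"""

# One Received: clause as written by the receiving MTA (RFC 5321 "from ... by ... with ... ; date").
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                       # name/address the sending peer announced
    r"(?:\s+\((?P<comment>[^)]*)\))?"             # receiving MTA's notes: real IP, account, HELO
    r"\s+by\s+(?P<by>\S+)"                        # the MTA that wrote this line
    r"(?:\s+\([^)]*\))?"                          # optional software banner
    r"\s+with\s+(?P<proto>[^\s;]+)"               # SMTP / ESMTP / ESMTPA / ESMTPS ...
    r"(?:\s+id\s+(?P<id>\S+))?"
    r"(?:\s+for\s+<?(?P<rcpt>[^>;\s]+)>?)?"
    r"\s*;\s*(?P<date>.+)$"
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
ACCOUNT_RE = re.compile(r"\baccount\s+(\S+)")


def parse_hop(value):
    """Turn one Received: header value into a dict of its parts."""
    text = " ".join(value.split())            # unfold continuation lines
    m = HOP_RE.search(text)
    if not m:
        return {"raw": text}
    hop = m.groupdict()
    hop["raw"] = text
    ip = IP_RE.search(hop["helo"] + " " + (hop["comment"] or ""))
    hop["ip"] = ip.group(1) if ip else None
    acct = ACCOUNT_RE.search(hop["comment"] or "")
    hop["account"] = acct.group(1) if acct else None
    # RFC 3848: a "with" keyword ending in A (ESMTPA, ESMTPSA) means the client
    # authenticated to that MTA, i.e. this was a submission, not an anonymous relay.
    hop["authenticated"] = hop["proto"].upper().endswith("A")
    return hop


def analyze(raw, our_domain):
    """Rebuild the delivery path and flag what matters for the spoofing question."""
    msg = email.message_from_string(raw)
    # Each MTA prepends its Received: line, so the top one is the last hop;
    # reverse to read the path in the order the message actually travelled.
    hops = [parse_hop(v) for v in reversed(msg.get_all("Received", []))]
    origin, entry = hops[0], hops[-1]
    from_addr = email.utils.parseaddr(msg.get("From", ""))[1]
    to_addr = email.utils.parseaddr(msg.get("To", ""))[1]
    from_domain = from_addr.rpartition("@")[2].lower()
    # Any MTA in our own domain handling the message *before* it reached our edge?
    internal_hops = [h for h in hops[:-1]
                     if h.get("by", "").lower().endswith(our_domain.lower())]
    return {
        "hop_count": len(hops),
        "origin_ip": origin.get("ip"),
        "origin_account": origin.get("account"),
        "origin_authenticated": bool(origin.get("authenticated")),
        "relay": entry.get("helo"),
        "relay_ip": entry.get("ip"),
        "entered_at": entry.get("by"),
        "from": from_addr,
        "to": to_addr,
        "from_claims_internal": from_domain == our_domain.lower(),
        # Internal-looking sender with no internal hop before our edge: forged header.
        "spoofed_internal_sender": from_domain == our_domain.lower() and not internal_hops,
        "antispam_filtered": msg.get("X-IronPort-Anti-Spam-Filtered", "").strip().lower() == "true",
    }


if __name__ == "__main__":
    result = analyze(RAW_HEADERS, "MYCOMPANY.com")
    for key, value in result.items():
        print(f"{key:>24}: {value}")
```

Run as-is, the summary shows the message was injected from 84.73.175.56 as an authenticated submission (ESMTPA, account movementgsz873@gmail.com) at an external CommuniGate server, which then handed it to smtp1.MYCOMPANY.com; the From: and To: are the same company address, and no company MTA appears before the edge hop, so the sender is a forged internal address rather than a trace of a machine inside the company. The headers alone cannot say whether any workstation is infected; they only show that this message did not originate from one.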
10-28-2013 09:58 AM
Yep, looks like good ol' fashioned spam to me. Domain spoofing is extremely common. I do not allow zip files in my org without looking at the message header first and for this reason.
It ended up in the quarantine because: X-IronPort-Anti-Spam-Filtered: true
10-30-2013 01:05 PM
This email is SPAM, exactly the same as one I saw yesterday which was classified as SPAM.
The header information just tells you it was scanned by the anti-spam engine if
"X-IronPort-Anti-Spam-Filtered: true" is in the subject line. This is not an indication of whether it was filtered or not. The best way to see the email flow is:
log in to your appliance via SSH and run the command "findevent". You can search by envelope from, Message ID, Subject, or envelope to.
You can also access this by the GUI if you click on "Monitor" and navigate down to "message tracking". Then search for the message in question with the input fields. You should find the email in question and click "show details"
Either way will provide you with the mail flow details of that particular email.
Also, I would recommend checking out the following article on submitting SPAM samples;
Submitting the samples is how we gather the data to continue to filter new threats.