
IronPort spam Quarantine Notification


salamandir


I got this extremely strange email this morning:

http://www.spamcop.net/sc?id=z5215712483z6...43f5e492b0ffedz

-----

IronPort spam Quarantine Notification 

Hi x,

The message(s) below have been Quarantined by Mail Protect System as suspected spam.

There are 1 new messages in your Email Quarantine since you received your last Mail Protect Quarantine Notification. If the messages below are spam, you do not need to take any action. Messages will be automatically removed from the quarantine after 15 day(s).

If any of the messages below are not spam, click the Not spam link to have them sent to your Inbox. To see all quarantined messages view your email quarantine.

Quarantined Email 

From "Louis" <kanasnzc74heananji[at]msn.com...
Subject [SUSPECTED spam] Animated Movie/TV Series - Cartoon Movie/TV...
Date 06 Jan 2012
Release

View All Quarantined Messages (1) 

Note: This message has been sent by a notification only system. Please do not reply

If the above links do not work, please copy and paste the following URL into a Web browser: https://antispam5.rilinfo.net/Search?h=77915fe0914d3ac12751eace080c1e6a&email=x

-----

I didn't believe it for a minute, but the email address replaced above by an x was my actual email address, and I wasn't sure until it resolved to an email server in India...

Anybody else seeing this?


Seems like this is a new one. IronPort spam Quarantine is a real service for implementation by local mail administrators; it looks like it is being spoofed or misdirected in your case. An e-mail address is contained in the HTML Base64-encoded part of that message, by the way (but it is not a SC mail address).

Details of the real service in what looks like a typical implementation:

http://www.csueastbay.edu/its/training/spa..._Spam_Guide.pdf

Seems to be popular with educational institutions.

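The two tells mentioned in this reply (a Base64-encoded HTML part carrying an address, and a quarantine link that embeds the recipient's own address on a host unrelated to the sender) can be checked mechanically. This is an added Python example, not code from the forum or from IronPort; the message, hosts and addresses in it are constructed placeholders.

```python
import base64
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import parse_qs, urlparse

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def build_sample() -> str:
    """Constructed notification (placeholder hosts/addresses): Base64 HTML body,
    a 'Release' link carrying the recipient address, link host unrelated to From:."""
    html = ('<p>Not spam? <a href="https://antispam5.example.net/Search'
            '?h=0123abcd&email=victim@example.com">Release</a></p>'
            '<p>Questions: mailbox-admin@example.invalid</p>')
    body = base64.b64encode(html.encode("utf-8")).decode("ascii")
    return ("From: Mail Protect <noreply@example.invalid>\r\n"
            "To: victim@example.com\r\n"
            "Subject: IronPort spam Quarantine Notification\r\n"
            "MIME-Version: 1.0\r\n"
            "Content-Type: text/html; charset=utf-8\r\n"
            "Content-Transfer-Encoding: base64\r\n\r\n" + body + "\r\n")


def analyse(raw: str, recipient: str) -> dict:
    """Return the indicators a mail admin would triage on for such a notice."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    out = {"base64_html": False, "addresses": [], "link_hosts": [],
           "recipient_in_link": False, "sender_host_mismatch": False}
    for part in msg.walk():          # walk() also yields a non-multipart message itself
        if part.get_content_type() != "text/html":
            continue
        if part.get("Content-Transfer-Encoding", "").strip().lower() == "base64":
            out["base64_html"] = True
        text = part.get_payload(decode=True).decode("utf-8", "replace")
        out["addresses"] = sorted(set(EMAIL_RE.findall(text)))   # addresses hidden in the HTML
        for url in URL_RE.findall(text):
            parsed = urlparse(url)
            host = (parsed.hostname or "").lower()
            out["link_hosts"].append(host)
            # link host neither the From: domain nor a subdomain of it
            if host != sender_domain and not host.endswith("." + sender_domain):
                out["sender_host_mismatch"] = True
            # the thread's URL carried "...&email=<recipient>"; flag that too
            emails = [v.lower() for v in parse_qs(parsed.query).get("email", [])]
            if recipient.lower() in emails:
                out["recipient_in_link"] = True
    return out
```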

Details of the real service in what looks like a typical implementation:

http://www.csueastbay.edu/its/training/spa..._Spam_Guide.pdf

Well, according to that, I would suspect somebody has an installation that they have subverted, because the message looked exactly the same, but the link immediately brought up a Firefox "untrusted connection" message that said "The certificate is only valid for IronPort Appliance Demo Certificate"...


Well, according to that, I would suspect somebody has an installation that they have subverted, because the message looked exactly the same, but the link immediately brought up a Firefox "untrusted connection" message that said "The certificate is only valid for IronPort Appliance Demo Certificate"...

Well, SpamCop has recorded three spams today, 7th Jan, from 202.138.96.73 with subject "IronPort spam Quarantine Notification". So there appears to be a security issue! Keep reporting all as spam.


Well, SpamCop has recorded three spams today, 7th Jan, from 202.138.96.73 with subject "IronPort spam Quarantine Notification". So there appears to be a security issue! Keep reporting all as spam.

I got one of these as well (one of the 3 reports, likely) and forwarded to deputies. The reply I got back indicated that the IronPort devices have an option to reply to the spam which was insisted upon by engineering, but is at least turned off by default and hidden in the settings. Apparently one of their customers is using that option and it will likely get them listed.


Looks like rilinfo.net might have dedicated servers for those replies; if so, they will not be particularly concerned should they be blocked. Goodness knows what they think they are doing; I can only suppose this initiative of theirs is somewhat experimental and (hopefully) adaptive, i.e. they will stop bothering the innocent. Maybe they are actually relying on their mis-directed responses getting blocked, but I can't actually see the point of such a strategy (though I think IronPort users might be able to implement something to gracefully synchronise with such a thing; at least iiNet, an IronPort user, is able to block all misdirected responses).

Address        Hostname               Fwd/Rev DNS Match  Daily Magnitude  Monthly Magnitude  DNSBL Listings  SBRS
202.138.96.33  antispam.rilinfo.net   Y                  3.9              3.5                0               Neutral
202.138.96.34  antispam2.rilinfo.net  -                  0                0                  0               N/A
202.138.96.71  antispam3.rilinfo.net  Y                  3.5              3.3                0               Good
202.138.96.72  antispam4.rilinfo.net  Y                  3.5                3.2              0               Good
202.138.96.73  antispam5.rilinfo.net  Y                  3.3              3.1                0               Neutral

Oh - O/T but for general information I added a [ THED ] tag to implement <th> for tables in the BB Code.


1 year later...

Bizarre. I get the feeling there's a lot more activity taking place in the way of anti-spam implementation at the transport level than most of us know about, with just the occasional glitch/forgery giving some hints.


Archived

This topic is now archived and is closed to further replies.
