salamandir Posted January 6, 2012

I got this extremely strange email this morning: http://www.spamcop.net/sc?id=z5215712483z6...43f5e492b0ffedz

-----
IronPort spam Quarantine Notification

Hi x,

The message(s) below have been Quarantined by Mail Protect System as suspected spam. There are 1 new messages in your Email Quarantine since you received your last Mail Protect Quarantine Notification.

If the messages below are spam, you do not need to take any action. Messages will be automatically removed from the quarantine after 15 day(s). If any of the messages below are not spam, click the Not spam link to have them sent to your Inbox. To see all quarantined messages view your email quarantine.

Quarantined Email
From: "Louis" <kanasnzc74heananji[at]msn.com...
Subject: [SUSPECTED spam] Animated Movie/TV Series - Cartoon Movie/TV...
Date: 06 Jan 2012
Release | View All Quarantined Messages (1)

Note: This message has been sent by a notification only system. Please do not reply

If the above links do not work, please copy and paste the following URL into a Web browser: https://antispam5.rilinfo.net/Search?h=77915fe0914d3ac12751eace080c1e6a&email=x
-----

I didn't believe it for a minute, but the email address replaced above by an x was my actual email address, and I wasn't sure until it resolved to an email server in India... Anybody else seeing this?
Farelf Posted January 7, 2012

Seems like this is a new one. IronPort spam Quarantine is a real service for implementation by local mail administrators; looks like it is being spoofed or misdirected in your case. An e-mail address is contained in the HTML Base64-encoded part of that message, by the way (but it is not an SC mail address).

Details of the real service in what looks like a typical implementation: http://www.csueastbay.edu/its/training/spa..._Spam_Guide.pdf

Seems to be popular with educational institutions.
salamandir (Author) Posted January 7, 2012

> Details of the real service in what looks like a typical implementation: http://www.csueastbay.edu/its/training/spa..._Spam_Guide.pdf

Well, according to that, I would suspect somebody has an installation that they have subverted, because the message looked exactly the same, but the link immediately brought up a Firefox "untrusted connection" message that said "The certificate is only valid for IronPort Appliance Demo Certificate"...
petzl Posted January 7, 2012

> Well, according to that, I would suspect somebody has an installation that they have subverted, because the message looked exactly the same, but the link immediately brought up a Firefox "untrusted connection" message that said "The certificate is only valid for IronPort Appliance Demo Certificate"...

Well, SpamCop has recorded three spams today, 7th Jan, from 202.138.96.73 with subject "IronPort spam Quarantine Notification". So there appears to be a security issue! Keep reporting all as spam.
StevenUnderwood Posted January 10, 2012

> Well, SpamCop has recorded three spams today, 7th Jan, from 202.138.96.73 with subject "IronPort spam Quarantine Notification". So there appears to be a security issue! Keep reporting all as spam.

I got one of these as well (one of the 3 reports, likely) and forwarded it to deputies. The reply I got back indicated that the IronPort devices have an option to reply to the spam, which was insisted upon by engineering but is at least turned off by default and hidden in the settings. Apparently one of their customers is using that option, and it will likely get them listed.
Farelf Posted January 10, 2012

Looks like rilinfo.net might have dedicated servers for those replies; if so, they will not be particularly concerned should they be blocked. Goodness knows what they think they are doing; can only suppose this initiative of theirs is somewhat experimental and (hopefully) adaptive, i.e. they will stop bothering the innocent. Maybe they are actually relying on their misdirected responses getting blocked, but I can't actually see the point of such a strategy (though I think IronPort users might be able to implement something to gracefully synchronise with such a thing; at least iiNet, an IronPort user, is able to block all misdirected responses).

Address         Hostname                Fwd/Rev DNS Match   Daily Magnitude   Monthly Magnitude   DNSBL Listings   SBRS
202.138.96.33   antispam.rilinfo.net    Y                   3.9               3.5                 0                Neutral
202.138.96.34   antispam2.rilinfo.net   -                   0                 0                   0                N/A
202.138.96.71   antispam3.rilinfo.net   Y                   3.5               3.3                 0                Good
202.138.96.72   antispam4.rilinfo.net   Y                   3.5               3.2                 0                Good
202.138.96.73   antispam5.rilinfo.net   Y                   3.3               3.1                 0                Neutral

Oh, O/T but for general information: I added a [ THED ] tag to implement <th> for tables in the BB Code.
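The two posts above give the mechanism (an IronPort appliance option that sends a quarantine notice back to the spam's sender address, which is of course forged) and the rilinfo.net hosts the notices arrive from. As an added example, not code from this thread, from Cisco/IronPort or from rilinfo.net, the Python below applies the checks the thread works through by hand to a raw message: it takes the connecting IP from the topmost Received header (the one your own MX wrote), collects the hosts of every link in the body, and flags the notice as misdirected when neither the sender domain nor the link hosts belong to a quarantine host you actually use. The trusted-domain set, the Received headers, the example.edu recipient and the second "legitimate" sample are constructed assumptions; the rilinfo.net hostname, the IP 202.138.96.73 and the Search URL are the ones named in the thread.

```python
"""Triage a suspected quarantine-notification backscatter message.

Added example. Assumption: your organisation's quarantine appliance only mails
you from hosts under TRUSTED_QUARANTINE_DOMAINS; anything else claiming to be
"your" quarantine was sent to a forged sender address or is an outright forgery.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from typing import Dict, List, Optional

# Assumption: domains whose quarantine appliance may legitimately mail you.
TRUSTED_QUARANTINE_DOMAINS = {"example.edu"}

# Constructed sample: Received header, recipient and From header are invented;
# the host, the IP and the Search URL are the ones reported in the thread.
SAMPLE_NOTICE = """\
Received: from antispam5.rilinfo.net (antispam5.rilinfo.net [202.138.96.73])
\tby mx.example.edu with ESMTP id abc123; Fri, 6 Jan 2012 03:12:44 -0800
From: Mail Protect System <quarantine@antispam5.rilinfo.net>
To: x@example.edu
Subject: IronPort spam Quarantine Notification
Content-Type: text/plain

Hi x,
The message(s) below have been Quarantined by Mail Protect System as suspected spam.
If the above links do not work, please copy and paste the following URL:
https://antispam5.rilinfo.net/Search?h=77915fe0914d3ac12751eace080c1e6a&email=x
"""

# Constructed sample of a notice that really does come from your own appliance.
LEGIT_NOTICE = """\
Received: from quarantine.example.edu (quarantine.example.edu [192.0.2.10])
\tby mx.example.edu with ESMTP id def456; Fri, 6 Jan 2012 04:00:00 -0800
From: Spam Quarantine <quarantine@example.edu>
To: x@example.edu
Subject: IronPort spam Quarantine Notification
Content-Type: text/plain

Hi x,
View All Quarantined Messages: https://quarantine.example.edu/Search?email=x
"""

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
BRACKETED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Adequate for the domains used here; a real
    deployment would consult the public suffix list (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def connecting_ip(msg) -> Optional[str]:
    """Bracketed IP in the topmost Received header. Our own MX wrote that header,
    so this is the address that actually handed us the notice (the value SpamCop
    reports on), not anything the sender could forge further down the chain."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = BRACKETED_IP_RE.search(str(received[0]))
    return m.group(1) if m else None


def link_hosts(msg) -> List[str]:
    """Hostnames of every http(s) URL in the text body, deduplicated and sorted."""
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    return sorted({m.group(1).lower() for m in URL_RE.finditer(body)})


def triage(raw: str, trusted=TRUSTED_QUARANTINE_DOMAINS) -> Dict[str, object]:
    """Return the facts a reporter wants plus a verdict: can this notice have come
    from a quarantine you actually use?"""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = registrable_domain(parseaddr(msg.get("From", ""))[1].split("@")[-1])
    hosts = link_hosts(msg)
    foreign = [h for h in hosts if registrable_domain(h) not in trusted]
    reasons = []
    if from_domain not in trusted:
        reasons.append(f"sender domain {from_domain} is not a quarantine you use")
    if foreign:
        reasons.append("links point at " + ", ".join(foreign))
    return {
        "connecting_ip": connecting_ip(msg),  # what goes into the spam report
        "from_domain": from_domain,
        "link_hosts": hosts,
        "misdirected": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for name, raw in (("rilinfo sample", SAMPLE_NOTICE), ("legit sample", LEGIT_NOTICE)):
        print(name, triage(raw))
```

The verdict only says that the notice cannot be from a quarantine you use; it does not distinguish a real appliance misfiring (as the deputies' reply in the thread indicates) from a lookalike, which is why the connecting IP is kept separately: that is the value to report, and it is the same 202.138.96.73 that appears in petzl's reports above.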
SpamCop 98 Posted February 6, 2013

I had never seen one of these before, but got one today.
Farelf Posted February 7, 2013

Bizarre. I get the feeling there's a lot more activity taking place in the way of anti-spam implementation at the transport level than most of us know about, just the occasional glitch/forgery giving some hints.