C-Command Software Forum

Why is the most basic spoofing not identified?

When I switched email software, SpamSieve was the only junk filtering offered. I have been training it for some months now. Still, the most basic and high-volume spam gets through undetected. Below are two very crude phishing emails. If you take the Metro Bank one, there are a dozen or more things wrong with the header. The ‘NatWest’ one is easily detected by the email host's spam software; however, that is not convenient for me to use for blocking. After all the similar ones sent before, I cannot understand why they are not automatically detected. Can you explain?


Received: from smtp-in-106.livemail.co.uk (213.171.216.202) by
exch2-ht02.email2.local (10.44.216.67) with Microsoft SMTP Server id
14.2.347.0; Thu, 18 Sep 2014 12:40:09 +0100
Received: from virus-25.livemail.co.uk (virus-cluster.livemail.co.uk
[213.171.216.10]) by smtp-in-106.livemail.co.uk (Postfix) with ESMTP id
D8EFFAE0282 for <andy@andymillerphoto.com>; Thu, 18 Sep 2014 12:40:08 +0100
(BST)
Received: from Postfix-filter-42a77884ce2a0a03efc6bb50a6dcdb21
(localhost.localdomain [127.0.0.1]) by virus-25.livemail.co.uk (Postfix) with
SMTP id A6CE51B8021 for <andy@andymillerphoto.com>; Thu, 18 Sep 2014 12:40:08
+0100 (BST)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
spam_199.livemail.co.uk
X-Spam-Level: *
X-Spam-Status: No, score=1.0 required=5.0 tests=HTML_MESSAGE,URI_WPADMIN
shortcircuit=no autolearn=disabled version=3.3.1
Received: from smtp-in-85.livemail.co.uk (smtp-in-123.livemail.co.uk
[213.171.216.123]) by smtp-in-80.livemail.co.uk (Postfix) with ESMTP id
5764BD8237 for <andy@andymillerphoto.com>; Thu, 18 Sep 2014 12:40:08 +0100
(BST)
Received: from Postfix-filter-42a77884ce2a0a03efc6bb50a6dcdb21
(localhost.localdomain [127.0.0.1]) by smtp-in-85.livemail.co.uk (Postfix)
with SMTP id 32659D8157 for <andym@andymillerphoto.com>; Thu, 18 Sep 2014
12:40:08 +0100 (BST)
Received: from mail.jeep-owners-club.co.uk (mail.jeep-owners-club.co.uk
[78.129.148.37]) by smtp-in-85.livemail.co.uk (Postfix) with ESMTP id
22A5CD81DC for <andym@andymillerphoto.com>; Thu, 18 Sep 2014 12:40:08 +0100
(BST)
X-No-Relay: not in my network
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=default; d=dash2-privatehire.co.uk;
b=KYPzv/ekqRajwDSSFBeSqb/kKZCEv48OXrOBKcbyeVsfZ5kakSK2xRTEOtRuWGNWo0x1sMS9eIvn9+47vkV4odOovvsmjD8xQhFokor+uri0K+k9Hd3SgNN9J+QGQxfUqeur7u15zix8NkBNONdPYtKvi1l9MGGAiYuz/rHniKA=;
h=X-No-Relay:X-No-Relay:X-No-Relay:X-No-Relay:X-No-Relay:X-No-Relay:X-No-Relay:X-No-Relay:X-No-Relay:X-No-Relay:X-No-Relay:X-No-Relay:X-No-Relay:X-No-Relay:X-No-Relay:X-No-Relay:X-No-Relay:X-No-Relay:X-No-Relay:Received:Content-Type:MIME-Version:Subject:To:From:Date;
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
Received: from pathtrak.cgr.cgocable.ca (39-048.rl.cgocable.ca
[205.237.39.48]) by mail.jeep-owners-club.co.uk (Postfix) with ESMTPA id
A193DC513D2; Thu, 18 Sep 2014 11:42:25 +0100 (BST)
Content-Type: multipart/alternative; boundary="===============0922850219=="
Subject: Account Error :
To: Recipients <trevor@dash2-privatehire.co.uk>
From: Metro Bank Online <trevor@dash2-privatehire.co.uk>
Date: Thu, 18 Sep 2014 06:36:33 -0400
Message-ID: <20140918114008.22A5CD81DC@smtp-in-85.livemail.co.uk>
X-Original-To: andym@andymillerphoto.com
X-Virus-Scanned: ClamAV using ClamSMTP
Return-Path: trevor@dash2-privatehire.co.uk
X-MS-Exchange-Organization-AuthSource: exch2-ht02.email2.local
X-MS-Exchange-Organization-AuthAs: Anonymous
MIME-Version: 1.0

--===============0922850219==
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Description: Mail message body

Dear Valued Customer ,

We detected irregular activity on your Metro Bank Online Card.
For your protection, You are required to verify your account as the primar=
y owner before you can continue using your card.

We will review the activity on your account and remove any restrictions pl=
aced on your account

Please kindly review your account by following the reference link below :

Review My Account

Please do not reply to this message. For questions, We will contact you as=
soon as possible.

We hope you find our Card services easy and convenient to use.
Yours sincerely

Metro Bank PLC.

--===============0922850219==
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Description: Mail message body

<html><head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Diso-8859-=
1"></head><p><font face=3D"Segoe UI" size=3D"2">Dear Valued Customer ,<br>
<br>
We detected irregular activity on your <b>Metro Bank Online</b> Card.<br>
For your protection, You are required to verify your account as the primary
owner before you can continue using your card.<br>
<br>
We will review the activity on your account and remove any restrictions pla=
ced
on your account<br>
<br>
Please kindly review your account by following the reference link below :<b=
r>
<br>
<b><a href=3D"http://www.rhsaludable.com/wp-admin/user/metrobank/">Review M=
y Account</a></b><br>
<br>
Please do not reply to this message. For questions, We will contact you as =
soon
as possible.<br>
<br>
We hope you find our Card services easy and convenient to use.<br>
Yours sincerely<br>
<br>
Metro Bank PLC.</font></p></html>=

--===============0922850219==--

Return-Path: <lva@bnscorp.com>
Received: from rastaban.cybrhost.com ([67.99.207.75] verified)
by cybrhost.net (CommuniGate Pro SMTP 5.4.11)
with ESMTP id 548875624 for gen@sigbiz.com; Thu, 18 Sep 2014 07:31:51 -0400
X-ASG-Debug-ID: 1411039910-06b4d910d2fe5560001-rFLzmP
Received: from onlystrategic.com (onlystrategic.com [212.110.187.89]) by rastaban.cybrhost.com with ESMTP id swjAhbj4OvHQCL8g for <gen@sigbiz.com>; Thu, 18 Sep 2014 07:31:50 -0400 (EDT)
X-Barracuda-Envelope-From: lva@bnscorp.com
X-Barracuda-Apparent-Source-IP: 212.110.187.89
Received: from 77-253-238-117.static.ip.netia.com.pl (77-253-238-117.static.ip.netia.com.pl [77.253.238.117])
by onlystrategic.com (Postfix) with ESMTP id 2AB6E6A008
for <gen@onlystrategic.com>; Thu, 18 Sep 2014 12:31:50 +0100 (BST)
Message-ID: <CICBIRZG.1990939@bnscorp.com>
Date: Thu, 18 Sep 2014 13:23:05 +0100
From: "NatWest" <secure.message@natwest.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: <gen@onlystrategic.com>
Subject: You have a new Secure Message - file-1253
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
X-ASG-Orig-Subj: You have a new Secure Message - file-1253
Content-Transfer-Encoding: 7bit
X-Barracuda-Connect: onlystrategic.com[212.110.187.89]
X-Barracuda-Start-Time: 1411039910
X-Barracuda-URL: http://spamfirewall1.cybrhost.com:8000/cgi-mod/mark.cgi
X-Virus-Scanned: by bsmtpd at cybrhost.com
X-Barracuda-BRTS-Status: 1
X-Barracuda-Spam-Score: 2.60
X-Barracuda-Spam-Status: No, SCORE=2.60 using per-user scores of TAG_LEVEL=4.0 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=9.0 tests=BSF_SC0_MISMATCH_TO, BSF_SC7_SA578_TXT, BSF_SC7_SA578b
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.3.9611
Rule breakdown below
pts rule name description
---- ---------------------- --------------------------------------------------
0.00 BSF_SC0_MISMATCH_TO Envelope rcpt doesn't match header
0.50 BSF_SC7_SA578_TXT Custom Rule SA578_TXT
2.10 BSF_SC7_SA578b Custom Rule SA578b

You have received a encrypted message from NatWest Customer Support
In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus )

Please download your ecnrypted message at:

http://fleabuster.com/dkklteqsrx/wlodznqmfc.html

(Google Disk Drive is a file hosting service operated by Google, Inc.)

If you have concerns about the validity of this message, please contact the sender directly.
For questions please contact the NatWest Bank Secure Email Help Desk at 0131 556 9602.
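The header faults the poster alludes to can be checked mechanically. The Python below is an added example, not SpamSieve's code or anything from C-Command: it re-parses constructed excerpts of the two quoted header sets (folded lines joined, unused headers dropped) and reports which spoofing indicators fire for each. The brand-word heuristic and the 30-minute Date skew threshold are assumptions chosen for illustration.

```python
"""Header-level spoofing indicators run over the two quoted phishing messages (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed excerpts of the headers quoted in the post, one header per line.
METRO_BANK = """\
Received: from mail.jeep-owners-club.co.uk (mail.jeep-owners-club.co.uk [78.129.148.37]) by smtp-in-85.livemail.co.uk (Postfix) with ESMTP id 22A5CD81DC for <andym@andymillerphoto.com>; Thu, 18 Sep 2014 12:40:08 +0100 (BST)
Received: from pathtrak.cgr.cgocable.ca (39-048.rl.cgocable.ca [205.237.39.48]) by mail.jeep-owners-club.co.uk (Postfix) with ESMTPA id A193DC513D2; Thu, 18 Sep 2014 11:42:25 +0100 (BST)
To: Recipients <trevor@dash2-privatehire.co.uk>
From: Metro Bank Online <trevor@dash2-privatehire.co.uk>
Date: Thu, 18 Sep 2014 06:36:33 -0400
Return-Path: trevor@dash2-privatehire.co.uk
"""
NATWEST = """\
Return-Path: <lva@bnscorp.com>
Received: from rastaban.cybrhost.com ([67.99.207.75] verified) by cybrhost.net (CommuniGate Pro SMTP 5.4.11) with ESMTP id 548875624 for gen@sigbiz.com; Thu, 18 Sep 2014 07:31:51 -0400
Received: from 77-253-238-117.static.ip.netia.com.pl (77-253-238-117.static.ip.netia.com.pl [77.253.238.117]) by onlystrategic.com (Postfix) with ESMTP id 2AB6E6A008 for <gen@onlystrategic.com>; Thu, 18 Sep 2014 12:31:50 +0100 (BST)
Date: Thu, 18 Sep 2014 13:23:05 +0100
From: "NatWest" <secure.message@natwest.com>
To: <gen@onlystrategic.com>
"""

def domain(addr):
    return addr.rpartition("@")[2].lower()

def spoof_indicators(raw):
    """Return the names of the indicators that fire for one raw message."""
    msg = message_from_string(raw)
    name, sender = parseaddr(msg.get("From", ""))
    hits = []
    # 1. Display name claims a brand that the From domain does not carry (crude heuristic).
    words = [w for w in re.findall(r"[a-z]+", name.lower()) if len(w) >= 4]
    if words and not any(w in domain(sender) for w in words):
        hits.append("brand_not_in_from_domain")
    # 2. Envelope sender (Return-Path) domain differs from the From domain.
    env_from = parseaddr(msg.get("Return-Path", ""))[1]
    if env_from and domain(env_from) != domain(sender):
        hits.append("return_path_mismatch")
    # 3. Envelope recipient (newest Received "for" clause) is absent from To.
    received = msg.get_all("Received", [])
    m = re.search(r"\bfor\s+<?([^\s<>;]+)>?", received[0]) if received else None
    if m and m.group(1).lower() not in msg.get("To", "").lower():
        hits.append("envelope_rcpt_mismatch")
    # 4. Date header far from the first relay's timestamp (oldest Received); 30 min is assumed.
    if received and msg.get("Date"):
        stamped = parsedate_to_datetime(received[-1].rsplit(";", 1)[1].strip())
        skew_min = (parsedate_to_datetime(msg["Date"]) - stamped).total_seconds() / 60
        if abs(skew_min) > 30:
            hits.append("date_skew")
    return hits
```

The Metro Bank message signs correctly for dash2-privatehire.co.uk, so only the brand and recipient checks fire on it, while the NatWest message fails the envelope-sender, recipient and Date checks.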

Typically, if obvious spam messages are getting through, something isn’t set up properly. Please see the “Why is SpamSieve not catching my spam” page to check for possible causes, and feel free to e-mail in the requested information so that I can look into what happened in your case.

Thanks for sending the log file. The setup on your Mac seems fine from what I can see. It looks like SpamSieve is currently about 98.5% accurate for you over the last month. That’s a bit lower than normal, but SpamSieve has only been trained with 537 messages, which is also a bit lower than normal. I think the accuracy will continue to improve with time, especially since the messages that you mentioned were on the borderline of almost being caught as spam.