For the last month, we have been facing a very big spam attack and we cannot take any action against it.
We get emails that pretend to be sent by our domain (masquerading as our colleagues) ... in the form of firstname.lastname@example.org@kk-sano.co.jp.
MXScan and SPF don't flag this as spam, which is strange, because this is obviously not sent by our domain.
Here are the full email properties:
Received-SPF: pass (ourdomain.com: domain of kk-sano.co.jp designates 18.104.22.168 as permitted sender) client-ip=22.214.171.124
Received: from dc56.etius.jp ([126.96.36.199]) by ourdomain.com with MailEnable ESMTP; Thu, 4 Oct 2018 06:56:49 +0300
Received: (qmail 19350 invoked by SAV 20181003.001 by uid 0); 4 Oct 2018 12:56:46 +0900
Received: from unknown (HELO 10.14.51.18) (email@example.com@188.8.131.52) by dc56.etius.jp (184.108.40.206) with ESMTPA; 4 Oct 2018 12:56:46 +0900
Date: Wed, 03 Oct 2018 23:50:35 -0400
From: Domain.com <firstname.lastname@example.org> <email@example.com>
To: firstname.lastname@example.org
Message-ID: <3745744969174119589.D4AEF1AEE7C16F93@ourdomain.com>
Subject: Sales Receipt
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_11561_3398992923.19995388301088820257"
X-Envelope-Sender: email@example.com
X-MXScan-Scan: Scanned by MxScan 220.127.116.11 for SERVERME
X-MXScan-Msgid: 03BCFE23D05A49A5B45E30427849022E_
X-MXScan-Country-Sequence: JAPAN->Destination
X-MXScan-AntiSpam: CLAM_SANE [Pass], KEYWORD [Pass], COUNTRYFILTER [Pass], URLBL [Pass], SPAMASSASSIN [1.3 (RDNS_NONE)], DCC_CHECK [Body=1 Fuz1=1 Fuz2=42 (1)], BACKSCATTER [Pass], SENDERBASE [SB_PASS]
X-MXScan-SpamScore: 2.3
X-MXScan-ProcessingTime: 1.484 sec(s)
Return-Path: <firstname.lastname@example.org>
We cannot filter them by IP or domain, because every mail is from a different IP address or domain.
The spam attack sends emails almost every night outside working hours, about 40-50 emails per day to different mailboxes and groups.
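Added example, not part of the original post: SPF authenticates the envelope sender domain (kk-sano.co.jp in the Received-SPF line above), not the From header a recipient sees, so an SPF pass says nothing about ourdomain.com. The Python below runs that alignment check over a constructed message modelled on the posted headers; the sample addresses and IPs, `LOCAL_DOMAINS` and the function names are assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample modelled on the post; addresses and IPs are placeholders.
SAMPLE = """\
Received-SPF: pass (ourdomain.com: domain of kk-sano.co.jp designates 192.0.2.10 as permitted sender) client-ip=192.0.2.10
From: "Ourdomain.com" <colleague@ourdomain.com>
To: staff@ourdomain.com
Subject: Sales Receipt
Return-Path: <sender@kk-sano.co.jp>

body
"""

LOCAL_DOMAINS = {"ourdomain.com"}  # assumption: domains hosted on this server
SPF_RE = re.compile(r"^\s*(\w+)\b.*?domain of (\S+)", re.I | re.S)


def spf_identity(msg):
    """Return (result, domain) that SPF actually evaluated, or (None, None)."""
    m = SPF_RE.match(msg.get("Received-SPF", ""))
    if not m:
        return None, None
    return m.group(1).lower(), m.group(2).lower().rsplit("@", 1)[-1]


def from_domains(msg):
    """Domains of every address found in the visible From header."""
    pairs = getaddresses(msg.get_all("From", []))
    return sorted({a.rsplit("@", 1)[-1].lower() for _, a in pairs if "@" in a})


def aligned(a, b):
    """Simplified relaxed alignment: equal, or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def check(raw):
    """Compare the SPF-authenticated domain with the From header domains."""
    msg = message_from_string(raw)
    result, spf_dom = spf_identity(msg)
    doms = from_domains(msg)
    ok = bool(doms) and result == "pass" and all(aligned(d, spf_dom) for d in doms)
    # A local domain in From that SPF did not authenticate is the spoof in the post.
    spoof = any(d in LOCAL_DOMAINS for d in doms) and not ok
    return {"spf": result, "spf_domain": spf_dom, "from_domains": doms,
            "aligned": ok, "spoofs_local": spoof}


if __name__ == "__main__":
    print(check(SAMPLE))
```

A message that reports `spoofs_local` can be quarantined at the gateway; publishing a DMARC record for the domain and enforcing it on inbound mail applies the same alignment rule.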