chrisfry35
On our wavelength
Message 11 of 199

Re: Spam Email - sysprem.com

On my desktop: W10, MailWasher and Outlook. MailWasher identifies these spammers; the problem arises when I get email on my phone or tablet, where the only filtering is at the mail server (VM/blueyonder). Hence my interest in this thread. Filtering has eliminated sysprem and premia for me, but I guess they won't be the last.

I think I can understand VM prioritising fraudulent VM emails in order to maintain trust among customers, but I hope they don't go on ignoring you. The fact is that spam is an ongoing battle for all of us and there is only so much an automatic filtering system can achieve.

chrisfry35
On our wavelength
Message 12 of 199

I guess you are saying that it takes time for the algorithms to identify new spam sources?
barnabee
Dialled in
Message 13 of 199

Getting loads of this spam over the past few days. Rather than all the customers adding the spamming domain to their individual filters, why can't Virgin Media block it at source?

coenoby
Knows their stuff
Message 14 of 199

sysprem.com is registered through Godaddy:

Domain Name: sysprem.com
Registry Domain ID: 2232455510_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2019-01-15T19:07:30Z
Creation Date: 2018-02-26T01:46:50Z
Registrar Registration Expiration Date: 2020-02-26T01:46:50Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.4806242505

So if everyone who has received emails from sysprem.com sent a complaining email to abuse@godaddy.com it might move things on.

Coenoby

*******************************
I am just another Virgin Media customer.
If someone posts a useful reply you can say thanks by clicking on the thumbs up sign in their post.
If someone posts a message that solves your problem it helps everyone if you mark their post as a Helpful Answer
coenoby
Knows their stuff
Message 15 of 199

@coenoby wrote:

So if everyone who has received emails from sysprem.com sent a complaining email to abuse@godaddy.com it might move things on.

Just to expand on that, if you want to forward an example sysprem.com spam email to Godaddy.com, you can do that by:

  1. Opening VM webmail and viewing one of the spam emails.
  2. Clicking on the 3 red horizontal bars and then clicking on 'View Source' from the drop-down menu.

[Screenshot: the 'View Source' entry in the webmail menu]

  3. A pop-up window will open displaying the full email headers and content of the email.
  4. Select the full contents of that box (you will need to scroll down because it will be a large block of text) and copy and paste it into a blank text document.
  5. Save that as a text file and then ZIP the file.
  6. Then create a new email, add your zipped document as an attachment and send it to abuse@godaddy.com.

That way Godaddy will have the full set of email headers and your email should not fall foul of the stringent spam filter that VM apply to outgoing emails.

Coenoby
HazzaTL
Joining in
Message 16 of 199

I've had these spams for the last week too. Just set up this rule; hopefully it'll stop it.

bobcat
Joining in
Message 17 of 199

Getting lots of this rubbish the last few days; some go into junk, some into the inbox. Just two links in the email, from/subject a mass of random characters. Have sent it on to Godaddy.

pf06
Tuning in
Message 18 of 199

I am getting loads of these (20 today) from sysprem, snd.dealbistro and precisionstick, to name a few. These cannot be sent to the spam folder. Adding them to the blacklist does not stop them. Making filter rules using keywords from the sender, the title, the body etc. is to no avail. Surely VM can do something about this.

Superuser
Superuser
Message 19 of 199

When it comes to spam mails, the people who need to do something about it are the administrators of the servers being used, not necessarily the administrators of the email domains.

I could, if I wanted, set up a domain in minutes, or I could look for a legitimate domain that has no brand protection in the form of DMARC/DKIM/SPF and simply spoof that domain in the From: or even the Mail-From: addresses. If they have no mail authentication mechanisms in place, then I can send mail claiming to be from them from anywhere in the world. But I need a mail server in order to do this.

Spammers often don't use their own servers; they either use compromised zombie machines, or compromised accounts on legitimate servers (which is why Virgin Media and other mail providers often work tirelessly in the background to identify such instances and lock down relevant email accounts, as well as finding other means to identify spam before it leaves their system).

Having a look at the emails sent from the sysprem.com address leads me to identify factors in common with SOME other spamming domains, most notably:

clialis.com
raysoutdoors.com.au

There may be others, but these are mails I've received too.

Let's take a look at the headers of a couple of these mails.


Return-Path: <bounce+dcb514.7ce50b-************=ntlworld.com@mg.pellpax.co.uk>
Delivered-To: **********@blueyonder.co.uk
Received: from md5.tb.ukmail.iss.local ([212.54.57.73])
	by mc8.tb.ukmail.iss.local with LMTP id iPQNApRxU1wZUgAAVqD7fw
	for <********@blueyonder.co.uk>; Thu, 31 Jan 2019 23:07:16 +0100
Received: from smtpclienthelo ([212.54.57.73])
	by md5.tb.ukmail.iss.local with LMTP id OGAMLpJxU1xuBQAAeXFZqA
	; Thu, 31 Jan 2019 23:07:16 +0100
Authentication-Results: ukmail.iss.as9143.net;
 spf=softfail (13.239.182.159;mg.pellpax.co.uk);
 dkim=none (nosigs);
 dmarc=none header.from=sysprem.com (dis=no_record);
X-Env-Mailfrom: bounce+dcb514.7ce50b-**********=ntlworld.com@mg.pellpax.co.uk
X-Env-Rcptto: **********@blueyonder.co.uk
X-SourceIP: 13.239.182.159
X-CNFS-Analysis: v=2.3 cv=cqzlbGwi c=1 sm=1 tr=0
 a=Y4exAgoTgRasy1B8CRZswQ==:117 a=Y4exAgoTgRasy1B8CRZswQ==:17
 a=t1POExtVAAAA:20 a=RYO87gC1AAAA:20 a=-K4Uq4xOAAAA:20 a=HKPMkFFrAAAA:20
 a=0aE9QUaO_QmmuWBIoxcA:9 a=L03L2QfmqWoA:10 a=bCM2JLPhg1R6AXhwjVo2:22
 a=pHzHmUro8NiASowvMSCR:22 a=xoEH_sTeL_Rfw54TyV31:22
Received: from unwhetted10.com ([13.239.182.159])
	by mx6.tb.ukmail.iss.as9143.net with ESMTP
	id pKUHgmQvjdbeKpKUMgI7zs; Thu, 31 Jan 2019 23:07:16 +0100
Message-Id: <.vONQdxWC5Ich@vONQdxWC5Ich>
MIME-Version: 1.0
Subject: Enjoy Your Safe Date with Hot Russian Ladies
From: DateCuteRussian.com <contact_@sysprem.com>
Reply-to: reply@unwhetted10.com
To: **********@blueyonder.co.uk
X-Originating-IP:172.31.12.241
Content-Type: text/html;
Content-Disposition: inline
Date: Thu, 31 Jan 2019 22:08:32 +0000
X-CMAE-Envelope: MS4wfPYsJoYUFHceJp3KHjYJfXeowU73kC5XGp/yh3Hvck0QXQqkyuM85pHi/rHpXXy4gcdCaMSZudYghh1IrVpkwOMHcQrTwf1fvddWtALUoSvuMJAyjyvQ
 nE4ONPg2deqT5TMqkK74tDT/XQmnfluaHHuRXCgD0qXMjEjHawcnd/pMn4EuPspk1fCFuXHRRKz6S1LZctbbUnfXHbMCSLGGRsY6fspzvrBRr/gZ+VHdHug2
 8+MlmhU3xbnYewTsgIiAGg==

This one's interesting for a number of reasons:


The return-receipt address appears to identify an ntlworld.com email address (I've redacted part of the address). There was a proposal made to rewrite sender addresses by a server that forwards mail in order to address issues with SPF; this server appears to be doing just that in this case.


Return-Path: <bounce+dcb514.7ce50b-************=ntlworld.com@mg.pellpax.co.uk>

I've redacted the identifying part of the address because the sender address can easily be spoofed, but I do consider it significant that this address has cropped up before.


Next I looked for the line where the mail arrives at Virgin Media's mail exchangers:


Received: from unwhetted10.com ([13.239.182.159])
	by mx6.tb.ukmail.iss.as9143.net with ESMTP
	id pKUHgmQvjdbeKpKUMgI7zs; Thu, 31 Jan 2019 23:07:16 +0100

I could give a detailed account of why Virgin Media's mail exchangers use the as9143.net domain, but suffice it to say they do. The key is to look for the mx<n> in the Received line. From that we identify the IP address of the sending server:

13.239.182.159

So let's look up the hostname with a PTR record. I'll use DIG:

C:\Users\timdu>dig ptr 159.182.239.13.in-addr.arpa

; <<>> DiG 9.10.6-P1 <<>> ptr 159.182.239.13.in-addr.arpa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46572
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;159.182.239.13.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
159.182.239.13.in-addr.arpa. 300 IN     PTR     ec2-13-239-182-159.ap-southeast-2.compute.amazonaws.com.

;; Query time: 51 msec
;; SERVER: 194.168.4.100#53(194.168.4.100)
;; WHEN: Fri Feb 01 00:40:22 GMT Standard Time 2019
;; MSG SIZE  rcvd: 125

Although you can also use nslookup on Windows to achieve the same result:

C:\Users\timdu>nslookup 13.239.182.159
Server:  cache1.service.virginmedia.net
Address:  194.168.4.100

Name:    ec2-13-239-182-159.ap-southeast-2.compute.amazonaws.com
Address:  13.239.182.159

So look at that - it's an Amazon AWS address.


This isn't the first time I've seen these email addresses crop up. The server itself isn't an open relay; it won't accept inbound connections on port 25, which is good in itself. But IT IS sending out spam - which is bad.

Let's take a look at another spam mail. I'm not going to post the full headers again:


Return-Path: <bounce+dcb514.7ce50b-**********=ntlworld.com@mg.pellpax.co.uk>
Received: from supersensuality1.net ([18.197.40.146])
	by mx7.mnd.ukmail.iss.as9143.net with ESMTP
	id pGQDgsWOjAzDvpGQEglvUO; Thu, 31 Jan 2019 18:46:42 +0100

C:\Users\timdu>dig ptr 146.40.197.18.in-addr.arpa

; <<>> DiG 9.10.6-P1 <<>> ptr 146.40.197.18.in-addr.arpa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16807
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;146.40.197.18.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
146.40.197.18.in-addr.arpa. 278 IN      PTR     ec2-18-197-40-146.eu-central-1.compute.amazonaws.com.

;; Query time: 20 msec
;; SERVER: 194.168.4.100#53(194.168.4.100)
;; WHEN: Fri Feb 01 00:52:55 GMT Standard Time 2019
;; MSG SIZE  rcvd: 121

Guess what - another Amazon AWS server!!


One more:


Return-Path: <>

Well, the Return-Path is empty on this. That's OK - it's allowed - in fact the email standards forbid rejecting empty senders, and there is a good reason for this.


Received: from userline2.info ([52.28.53.202])
	by mx8.tb.ukmail.iss.as9143.net with ESMTP
	id pAsqgvMwwgFscpAt0gByKT; Thu, 31 Jan 2019 12:52:02 +0100

C:\Users\timdu>dig ptr 202.53.28.52.in-addr.arpa

; <<>> DiG 9.10.6-P1 <<>> ptr 202.53.28.52.in-addr.arpa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33441
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;202.53.28.52.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
202.53.28.52.in-addr.arpa. 300  IN      PTR     ec2-52-28-53-202.eu-central-1.compute.amazonaws.com.

;; Query time: 58 msec
;; SERVER: 194.168.4.100#53(194.168.4.100)
;; WHEN: Fri Feb 01 00:59:18 GMT Standard Time 2019
;; MSG SIZE  rcvd: 119

Oooooh, 3 out of 3 of these servers are Amazon AWS servers. Colour me surprised.

Looking at these three mails - I do also see another common feature:

They invariably contain a <script></script> section - which to my mind has no place in any email.

I do see a point on which Virgin Media could legitimately reject these mails anyway.  I'm not going to discuss it here, but I am going to discuss it via back channels with Virgin Media themselves because quite frankly

  1. I don't want these mails in your inboxes or even your spam folders!
  2. I don't want these mails in my inbox either.

However I would urge everyone who IS getting these mails to email Amazon to complain.

Tim

________________________________________

Only use Helpful answer if your problem's been solved.
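The header walk Tim describes above (find the Received hop into the mx<n>...as9143.net exchanger, take the sending IP, read the spf/dkim/dmarc verdicts, build the in-addr.arpa name for the PTR query, and recognise Amazon's default EC2 reverse name) can be automated. This is an added example, not code from the thread or from Virgin Media; the sample headers are constructed from the redacted lines quoted in the post, and the function and regex names are my own.

```python
import re

# Constructed sample: Received/Authentication-Results lines from the post above,
# with the redacted mailbox local parts replaced by the word "redacted".
SAMPLE_HEADERS = """\
Received: from md5.tb.ukmail.iss.local ([212.54.57.73])
\tby mc8.tb.ukmail.iss.local with LMTP id iPQNApRxU1wZUgAAVqD7fw
\tfor <redacted@blueyonder.co.uk>; Thu, 31 Jan 2019 23:07:16 +0100
Authentication-Results: ukmail.iss.as9143.net;
 spf=softfail (13.239.182.159;mg.pellpax.co.uk);
 dkim=none (nosigs);
 dmarc=none header.from=sysprem.com (dis=no_record);
Received: from unwhetted10.com ([13.239.182.159])
\tby mx6.tb.ukmail.iss.as9143.net with ESMTP
\tid pKUHgmQvjdbeKpKUMgI7zs; Thu, 31 Jan 2019 23:07:16 +0100
From: DateCuteRussian.com <contact_@sysprem.com>
"""

MX_RE = re.compile(r"\bby (mx\d+\.[\w.-]*as9143\.net)\b")   # VM border MX hop
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")          # [a.b.c.d] in Received
EC2_PTR = re.compile(r"^ec2-(\d+-\d+-\d+-\d+)\.[\w-]+\.compute\.amazonaws\.com\.?$")

def headers(raw):
    """Unfold RFC 5322 continuation lines and return (name, value) pairs in order."""
    flat = re.sub(r"\r?\n[ \t]+", " ", raw)
    return [(n, v.strip()) for n, v in
            (ln.split(":", 1) for ln in flat.splitlines() if ":" in ln)]

def sending_ip(hdrs):
    """IP that handed the mail to the provider's mx<n> exchanger (the hop to check)."""
    for name, value in hdrs:
        if name.lower() == "received" and MX_RE.search(value):
            m = IP_RE.search(value)
            return m.group(1) if m else None
    return None

def auth_results(hdrs):
    """spf/dkim/dmarc verdicts from Authentication-Results, e.g. {'spf': 'softfail'}."""
    out = {}
    for name, value in hdrs:
        if name.lower() == "authentication-results":
            out.update(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value))
    return out

def ptr_name(ip):
    """Reverse-lookup name as used with 'dig ptr' above; no DNS query is made here."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def is_generic_ec2(ip, ptr):
    """True when a PTR answer is Amazon's default EC2 name and embeds the same IP."""
    m = EC2_PTR.match(ptr)
    return bool(m) and m.group(1) == ip.replace(".", "-")
```

Feed `ptr_name(sending_ip(headers(raw)))` to your resolver of choice and pass the answer to `is_generic_ec2` to flag the "generic cloud host with no real mail identity" pattern seen in all three mails above.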

Whatsisname
Dialled in
Message 20 of 199

Thanks for that Ravenstar68.

Free Mailwasher is in place and seems to work quite well, though the icon in the taskbar says mailw'r pro! It seems to work better if you don't keep your normal mail app launched, so it can capture emails unhindered; when you wash the mail it opens your mail app. A rather odd way, like a workaround, but it works well, so I am pleased to deal a blow to those pesty spammer insects.

Your explanation and the use of ptr DIG is most useful. So why does VM not use a reverse DNS lookup before accepting incoming emails, as yahoo.com and gmail.com do? Would rDNS slow down traffic with bandwidth pinch points, or would extra domains to VM like blueyonder be a way to go? I wouldn't mind paying a few bob more if the spam service was tightened up, and no, I don't want more apps to do what should be done at server level. VM do a jolly good job overall seemingly with catching our outgoing spam, so let's keep customers safe with ******INCOMING****** at which point I dive under my desk.

Regards.