Hi,

> >>> I'm curious what people think of this:
> >>>
> >>> https://pastebin.com/1XjwaCY1
> >>>
> >>> It's unsolicited, so that makes it spam to me, but is it dangerous?
> >>> yesinsights.com appears to be a legitimate company, but the sender,
> >>> e...@hrteamerus.com, is a registered domain but has no DNS record.
> >>>
> >>> Is it just a lame attempt to confirm email addresses?
> >>>
> >>> Outlook just seems to be a non-stop source of spam. I'd report it to
> >>> yesinsights, but it appears it's being used exactly as the service
> >>> intended?
> >>>
> >>> Any idea on tips to block it, other than bayes?
> >>>
> >>
> >> Is that the entire email in the pastebin link above? I ran it through
> >> my SA platform and it's missing a few headers.
> >>
> >> DKIM_INVALID,DKIM_SIGNED,ENA_NO_TO_CC,MISSING_DATE,MISSING_FROM,
> >> MISSING_HEADERS,MISSING_MID,MISSING_SUBJECT
> >
> > Yes, it's the complete email - those missing headers are in the
> > pastebin. It also passed DKIM. Send me a message if you want the
> > original.
> >
> >> Since it doesn't have a valid opt-out, I would report it to SpamCop,
> >> report it to yesinsights.com's abuse if SpamCop doesn't already, and add
> >> a blacklist_from *@hrteamerus.com entry.
> >
> > Yes, we've seen an increase in these types of emails. We've reported
> > it to SpamCop, but there doesn't appear to be a way to communicate
> > abuse to yesinsights.
> >
>
> I checked the yesinsights.com site and they don't have a way to contact them
> or report abuse. They do have a free week trial so you could set up a
> trial to get in touch with someone and tell them they need to have an
> abuse contact set up with SpamCop or they will eventually be listed on
> RBLs if they have enough shady customers sending to recipients that
> haven't opted into these emails.
They have a Twitter :-)

SurveyGizmo was also similarly used in a fraud attempt to our users. We're also contacting them using this method because they also have no abuse contact, or really any direct support contact, on their site without registering.

> If I received complaints from my customers about spam from yesinsights,
> I would put a REJECT line in my Postfix config with a detailed
> explanation as to why they were being blocked to give them feedback in
> their logs in case they actually check them.

That's a great idea, and we've added body rules for these specific patterns.

> Another option you have if you see repeating characteristics is to
> create a local meta rule that combines URLs with yesinsights.com with
> the envelope-from domain of hrteamerus.com or other things you see over
> and over to add some points.

I've created a meta that combines yesinsights with our 'invoice' rules.

> This email came via Office 365 which is a major problem for sorting out
> spam. They are so large that you can't block them outright so I have
> created a set of meta rules that amplify some spammy scores for O365 and
> add a point or two for all O365 email then put known good O365 senders
> to an exception list. It has worked pretty well for the past year.
> Takes a little work up front to start the list but I haven't had to do
> much lately. I mainly had to exclude senders that send odd attachments
> or invoices that trigger suspicious phishing-type rules.

Can they be rolled into mass-checks or the regular rules or shared here, or perhaps just more details so we can build customization locally?

>
> --
> David Jones
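A local.cf fragment, added here as an illustration and not posted by anyone in this thread, that implements the two meta-rule approaches quoted above: the yesinsights.com URI combined with the hrteamerus.com envelope sender, and an Office 365 bump that is amplified by other header-based hits and exempts a local known-good list. The rule names, the scores, the use of the outbound.protection.outlook.com relay hostname to recognise O365 traffic, and the placeholder exception domains (partner-a.example, partner-b.example) are all assumptions to tune for your own traffic.

```spamassassin
# Sub-rules (double-underscore prefix: no score of their own, only used inside metas)

# URI in the body pointing at yesinsights.com or any subdomain
uri     __LOCAL_URI_YESINSIGHTS    /^https?:\/\/(?:[\w-]+\.)*yesinsights\.com(?:[\/?#]|$)/i

# Envelope sender (MAIL FROM) in the hrteamerus.com domain
header  __LOCAL_ENVFROM_HRTEAMERUS EnvelopeFrom =~ /\@hrteamerus\.com$/i

# Both traits together: the pattern seen in the thread
meta     LOCAL_YESINSIGHTS_HRTEAMERUS (__LOCAL_URI_YESINSIGHTS && __LOCAL_ENVFROM_HRTEAMERUS)
describe LOCAL_YESINSIGHTS_HRTEAMERUS yesinsights.com survey link sent with an hrteamerus.com envelope sender
score    LOCAL_YESINSIGHTS_HRTEAMERUS 3.0

# Office 365 handling: relayed through an O365 outbound host
header  __LOCAL_VIA_O365 Received =~ /\.outbound\.protection\.outlook\.com\b/i

# Exception list: replace the placeholder domains with your own known-good O365 senders
header  __LOCAL_O365_KNOWN_GOOD From:addr =~ /\@(?:partner-a\.example|partner-b\.example)$/i

# A point for every O365 message from a sender not on the exception list
meta     LOCAL_O365_UNKNOWN (__LOCAL_VIA_O365 && !__LOCAL_O365_KNOWN_GOOD)
describe LOCAL_O365_UNKNOWN Relayed via Office 365 from a sender not on the local exception list
score    LOCAL_O365_UNKNOWN 1.0

# Amplify: unknown O365 sender plus stock spammy header hits (rule names from the thread)
meta     LOCAL_O365_SUSPECT (LOCAL_O365_UNKNOWN && (DKIM_INVALID || MISSING_DATE || MISSING_MID))
describe LOCAL_O365_SUSPECT Unknown Office 365 sender combined with spammy header traits
score    LOCAL_O365_SUSPECT 2.0
```

Run `spamassassin --lint` after adding the fragment, then `spamassassin -t < sample.eml` on a saved copy of the message to confirm which of the LOCAL_ rules fire before the scores go live.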