6 Replies Latest reply on Sep 30, 2010 12:28 PM by runcmd

    Stopping fake domain or trademark warning messages

    bwemailsupport1

      Other than relying on Trusted Source, do you have any suggestions on how to stop e-mail that purports to be from another country's domain-registrar or trademark office?

       

      We receive messages such as these [see below].  The recipients believe the messages are legitimate so they usually get forwarded up the chain of command.

       

      Sample message:  (The real message includes one of our registered domain names.  I edited this one for posting to be 'mycompanydomain'.)

      ---------------------------

      (If you are not the person who is in charge of this, please forward to your CEO, as this is urgent, thank you.)

      Dear CEO,


      We are the department of registration service in China. We have something need to confirm with you. We formally received an application on September 6, 2010, one company which called "TEKpower trading co, ltd" is applying to register "mycompanydomain" as brand name and domain names as below :
      mycompanydomain.asia
      mycompanydomain.com.hk
      mycompanydomain.com.tw
      mycompanydomain.hk
      mycompanydomain.tw

      After our initial checking, we found the brand name and these domain names being applied are as same as your company's, so we need to get the confirmation from your company. If the aforesaid company is your business partner or your subsidiary company, please don't reply us, we will approve the application automatically. If you have no any relationship with this company, please contact us within 5 workdays. If out of the deadline, we will approve the application submitted by "TEKpower trading co, ltd" unconditionally.

      Best Regards,

       

      John Tsai
      Senior Consultant

      2010-09-07

       

      ---------------------------

        • 1. Re: Stopping fake domain or trademark warning messages
          ijahnke

          By far the most effective way to prevent spam like this would be to send these examples to Trusted Source. If you have the message ID then you can search the summary log for the TS signature that is needed. Once you have the signature you can send the example to our trusted source team. The most surefire way for this to be delivered would be to go to:

          http://www.trustedsource.org/ -> Click or hover over "About" in the top right -> Click on "FAQ's" -> scroll down until you see "Who can I contact if I think the reputation assigned to an IP should be changed?" -> Click the link "TrustedSource"

           

          You can also send an email to ts-feedback@mcafee.com

           

          To find the Trusted Source signature:

           

          show log summary | grep <msg id>

           

          show log summary | grep 41409208

          09132010 18:03:29|21|41409208|0|100|Message received. Received IP <('192.168.0.201', 4079)> From <bleh@yahoo.com> To <['blah@mydom.com']> Route Domain <mydom.com> Route Host = <10.10.130.22>|[]
          09132010 18:03:29|21|41409208|2|102|Socket communication failed with client. Connection dropped|[]
          09132010 18:03:30|230|41409208|0|100|Message ripped successfully.|[]
          09132010 18:03:30|260|41409208|1|108|Quarantined by Anti-Spam (Enterprise Spam Profiler) ESP Score:95 Values:['SHA:<0> ', 'SHA_FLAGS:<0> ', 'UHA:<10> ', 'ISC:<0> ', 'BAYES:<27> ', 'SenderID:<0> ', 'DKIM:<0> ', 'TS:<58> ', 'SIG:<gHcABoAUAAITVFMyMC0xN0w1LTJPVTQtUFNES4AEAAEAAl+mgAIABQACgAgA BAdCM1IyOEoxgBkABxhNZGJQNE5GcTZURzNQRm5YNE1DSndBPT2ADQAIDDIu MC4zLjAyLTk1M4AEAAkDSU0ggAcACgY2LjcuMiAAAAAAgI0ACYABAA8CgAgA BxnOI9psdtd9gAQAAtUVONuACAATUM0amhg3WAOACAAJUM0amhg3WAOACAAK o0gWVO7u0/+ACQALWoFHrRsrhmkAgAgACCkRYDPpr5rkgAQADAAAACGADAAD AAAAAY3VaDlaQS89gBcABAAVaHR0cDovL2dyYXRlYWdyZWUucnUAAAAAAA==> ', 'DSC:<0> ', 'TRU_watch_spam: <0>', 'TRU_legal_spam: <0>', 'TRU_marketing_spam: <0>', 'TRU_playsites: <0>', 'Profanity - LSN Custom List: <0>', 'TRU_ru_spamsubj: <0>', 'TRU_freehosting: <0>'', 'TRU_adult_spam: <0>', 'TRU_lotto_spam: <0>', 'TRU_embedded_image_spam: <0>', 'URL Real-Time Signatures: <0>', 'TRU_stock_spam: <0>', 'TRU_misc_spam: <0>', 'TRU_urllinks: <0>', 'TRU_html_image_spam: <0>', 'TRU_spam1: <0>', 'TRU_phish_spam: <0>', 'TRU_spam2: <0>', 'TRU_scam_spam: <0>', 'TRU_profanity_spam: <0>', 'TRU_money_spam: <0>', 'TRU_medical_spam: <0>']|[]
          09132010 18:03:30|210|41409208|0|100|No action|[]
          09132010 18:03:30|220|41409208|0|100|No action|[]

          For simplicity you can just copy and paste the signature in the email.

           

          Trusted Source may take some time to update, so it is possible to begin blocking by other means. Here are a couple of the simplest ways:

           

          1. Create an Envelope Analysis rule under Compliance -> Content Filtering -> Envelope Analysis:
            • Here you can create a drop\quarantine rule based on From Address, Domain, Rcpt To, Subject, or Size
          2. Create Dictionary rules based on content in the email under Compliance -> Content Filtering -> Content Analysis:
            • An example would be to add points to the ESP based on content in the email.
              • Here you could add something like 10 points for the phrase "department of registration service in China"
              • Add points for "If you are not the person who is in charge of this, please forward to your CEO"
          3. There are other ways to detect spam by using things like system defined header analysis and user defined header analysis, however with the information provided there isn't much more we can go with.
          1 of 1 people found this helpful
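As an added example (not part of the thread and not IronMail's own code), the following Python script does in one place what the reply above describes doing by hand: it parses `show log summary` lines for a given message ID to pull out the sender, ESP score, TS score and the TS signature (joining the line-wrapped signature back into one token so it can be pasted into the Trusted Source submission as-is), and it implements the dictionary-scoring idea from step 2 as a phrase-to-points table applied to a message body. The log lines and the message body are constructed from the samples quoted in this thread, with a shortened signature; the field layout of the summary log is assumed from the quoted output, and `DICTIONARY_RULE`, its point values and the helper names are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of "show log summary" output, modelled on the lines quoted
# in the thread (assumed layout: date time|component|msgid|severity|code|text|[]).
# The SIG value is shortened and line-wrapped on purpose to show the re-joining.
SAMPLE_SUMMARY_LOG = """\
09132010 18:03:29|21|41409208|0|100|Message received. Received IP <('192.168.0.201', 4079)> From <bleh@yahoo.com> To <['blah@mydom.com']> Route Domain <mydom.com> Route Host = <10.10.130.22>|[]
09132010 18:03:30|230|41409208|0|100|Message ripped successfully.|[]
09132010 18:03:30|260|41409208|1|108|Quarantined by Anti-Spam (Enterprise Spam Profiler) ESP Score:95 Values:['SHA:<0> ', 'BAYES:<27> ', 'TS:<58> ', 'SIG:<gHcABoAUAAITVFMy MC0xN0w1LTJPVTQt UFNES4AEAAEAAl+m> ', 'DSC:<0> ']|[]
09132010 18:03:30|210|41409208|0|100|No action|[]
09132010 18:04:11|21|41409309|0|100|Message received. Received IP <('192.168.0.202', 4101)> From <friend@example.net> To <['blah@mydom.com']> Route Domain <mydom.com> Route Host = <10.10.130.22>|[]
09132010 18:04:12|210|41409309|0|100|No action|[]
"""

# Constructed message body, taken from the sample spam quoted in the question.
SAMPLE_BODY = """(If you are not the person who is in charge of this, please forward to your CEO, as this is urgent, thank you.)

Dear CEO,

We are the department of registration service in China. We have something need to confirm with you."""

FROM_RE = re.compile(r"From <([^>]*)>")
ESP_RE = re.compile(r"ESP Score:(\d+)")
TS_RE = re.compile(r"'TS:<(\d+)>")
SIG_RE = re.compile(r"'SIG:<([^>]*)>")


@dataclass
class TrustedSourceReport:
    """What you need for a Trusted Source submission, pulled from the summary log."""
    msg_id: str
    sender: Optional[str] = None
    esp_score: Optional[int] = None
    ts_score: Optional[int] = None
    signature: Optional[str] = None


def parse_summary_line(line: str) -> Optional[dict]:
    """Split one pipe-delimited summary log line into its fields (assumed layout)."""
    parts = line.rstrip("\n").split("|", 5)
    if len(parts) < 6:
        return None
    text = parts[5]
    if text.endswith("|[]"):          # trailing empty list field, as in the quoted output
        text = text[:-3]
    return {"timestamp": parts[0], "component": parts[1], "msg_id": parts[2],
            "severity": parts[3], "code": parts[4], "text": text}


def extract_ts_report(log_text: str, msg_id: str) -> Optional[TrustedSourceReport]:
    """Equivalent of 'show log summary | grep <msg id>' plus picking out the fields."""
    report = TrustedSourceReport(msg_id=msg_id)
    found = False
    for line in log_text.splitlines():
        rec = parse_summary_line(line)
        if rec is None or rec["msg_id"] != msg_id:
            continue
        found = True
        text = rec["text"]
        if (m := FROM_RE.search(text)):
            report.sender = m.group(1)
        if (m := ESP_RE.search(text)):
            report.esp_score = int(m.group(1))
        if (m := TS_RE.search(text)):
            report.ts_score = int(m.group(1))
        if (m := SIG_RE.search(text)):
            # The signature is base64 that the console wraps with spaces; rejoin it.
            report.signature = "".join(m.group(1).split())
    return report if found else None


# Hypothetical dictionary rule, like the Content Analysis rule described in the reply:
# phrase -> points added to the ESP score when the phrase appears in the body.
DICTIONARY_RULE = {
    "department of registration service in china": 10,
    "if you are not the person who is in charge of this, please forward to your ceo": 10,
}


def dictionary_points(body: str, rule: dict = DICTIONARY_RULE) -> int:
    """Sum the points of every rule phrase found in the body (case and whitespace folded)."""
    normalized = " ".join(body.lower().split())
    return sum(points for phrase, points in rule.items() if phrase in normalized)


if __name__ == "__main__":
    r = extract_ts_report(SAMPLE_SUMMARY_LOG, "41409208")
    print(f"{r.msg_id}: from={r.sender} ESP={r.esp_score} TS={r.ts_score}")
    print(f"signature to submit: {r.signature}")
    print(f"dictionary points for sample body: {dictionary_points(SAMPLE_BODY)}")
```

The signature is the piece Trusted Source needs; the sender and scores are there so the same record can be kept as a local note of what was submitted and when. A message that was never scored by the spam profiler (the second ID in the sample) yields a report with no signature, which is the case where only the envelope or dictionary rules can help until the reputation update lands.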
          • 2. Re: Stopping fake domain or trademark warning messages
            mac

            Ivan,

             

            Quick follow-up question for you.  Does the ts-feedback@mcafee.com address replace all of the old spam reporting addresses? (fp@, phishing@, etc.)

             

            Thanks.

            • 3. Re: Stopping fake domain or trademark warning messages
              ijahnke

              No, all the old accounts are still active as far as I know.

              • 4. Re: Stopping fake domain or trademark warning messages
                bwemailsupport1

                Since you asked about the "reporting addresses"...

                 


                I received two different responses from two different teams within McAfee regarding the "correct" addresses for reporting spam, etc.:

                 


                ________


                From: Eric Peterson  [McAfee.com]
                Subject: RE: Trusted Source

                Hi Robert,

                Your best avenue for reporting any spam issue is through trusign-feedback@mcafee.com. I can confirm that you will reach a person by submitting to that address. I (and the team of Researchers) am not subscribed to the other two email distribution lists, so I can neither confirm or deny if submissions to them will find human eyes. Hope this helps.


                ....


                Robert,

                Please submit spam (including phishing) samples to trusign-feedback@mcafee.com. Submissions to Ts-feedback@mcafee.com will not reach a Spam Researcher.


                Kindest Regards,

                Eric Peterson
                Team Lead, Threat Operations Center
                Englewood, CO 80112

                ________

                ____

                 

                spamreport@mcafee.com is for reporting spam.

                Ts-feedback@mcafee.com is for Trustedsource mail reputation issues.

                Trusign-feedback@mcafee.com is for comments about the configuration and other specific issues.


                Thank you.

                David Lu
                Trusted Source Web Database
                Customer Response Team - North America
                McAfee, Inc.

                • 5. Re: Stopping fake domain or trademark warning messages
                  bwemailsupport1

                  So I understand your recommendation, that Trusted Source reporting really is the best way to stop the "trademark" or "domain" spam messages.

                  The problem is that I don't always have a copy of the messages that are coming in this way.  The person sending in the sample often doesn't know how to forward the message as an attachment. (Or they cannot do this, on a mobile device.)

                   

                  So is there a manageable way for me to "grab" a copy of every message going through Ironmail, so that I can have access to the message for perhaps 24-hours?  (Something like: allow the message for delivery, and keep one copy of the Ironmail.)    That way if I found a message that needs to be submitted to TrustedSource I could have a copy of it without going back to the end-user's mailbox.

                  • 6. Re: Stopping fake domain or trademark warning messages
                    runcmd

                    bwemailsupport1 wrote:

                     

                    So is there a manageable way for me to "grab" a copy of every message going through Ironmail, so that I can have access to the message for perhaps 24-hours?  (Something like: allow the message for delivery, and keep one copy of the Ironmail.)    That way if I found a message that needs to be submitted to TrustedSource I could have a copy of it without going back to the end-user's mailbox.


                    That sounds like it could potentially use up a lot of disk space on an appliance.  If you have the Trusted Source signature and then submit that through the web form that is available through the FAQ, as Ivan referenced, do you still need to provide the original email?