10 Replies. Latest reply: Aug 6, 2014 12:24 PM by frankm

    Dealing with ConstantContact Service Users....

    jlockie

      Ok, I have a problem I'm not quite sure how to deal with.

       

      One of our senior level management people keeps receiving spam from an organization.  He has tried to unsubscribe without success.  They send him multiple emails a day, and so he added their domain to his denied senders list (McAfee SaaS).

       

      But email kept coming from them.  So he asked me to look into it.  I used the message tracking feature to find the emails.  I discovered that the emails are coming to McAfee as from "a6cqgv6+vt1gx892vdybjaq==_1112375229771_e815ul7oeeo/mdsuunvx6g==@in.constantcontact.com".  I am assuming that this is a totally random address generated by ConstantContact.  For obvious reasons I cannot block their domain (in.constantcontact.com) because they send a lot of legitimate email.  At least I discovered why the denied sender list is not helping (there's no match!). 

       

      McAfee appears to trust ConstantContact, so I have no way to straight up block someone who might be using ConstantContact. 

       

      Or do I?

       

      I am thinking maybe using SPF enforcement, but I think the check would be made against ConstantContact not their customer.

        • 1. Re: Dealing with ConstantContact Service Users....
          jlockie

          Doing a little more research, I think that the email address ConstantContact uses contains a unique 13 digit account number that is specific to the domain they are sending emails for.  In my case it's 1112375229771.

           

          I added *1112375229771*@in.constantcontact.com to the denied sender list.  That should work I think.....?

          • 2. Re: Dealing with ConstantContact Service Users....
            kwidhalm

            Hello jlockie,

             

            If that 13 digit number is constant on all emails from this sender, your deny list entry should work.  However, as the unsubscribe requests are not being honored, I would like to encourage you to report these emails as spam.  You can open a request with your support team and provide message examples (full messages including all attachments and full internet headers) or you can send the examples directly to our Messaging Security team at SaaS_spam@mcafeesubmissions.com.

             

            Best regards,

             

            Karen Widhalm

            System Support Specialist

            SaaS Email and Web Security

            McAfee. Part of Intel Security.

            • 3. Re: Dealing with ConstantContact Service Users....
              jlockie

              How is this acceptable?

               

              The fact that we cannot block an organization from sending us email because they hide behind a service like constant contact is baffling to me.

               

              We all know that organizations abuse the subscribe/unsubscribe model by using multiple "list" types and resubscribing you to "new" lists.  As soon as you unsubscribe from one, they magically create a new list and place you on it.  Once an organization has your email they often abuse it.  The easiest way to control this spam is to block senders on our end, rather than "asking" them to remove us.  This is the entire point of using a front end service like McAfee (besides virus protection).  So if I cannot block an organization's domain, flat out, then this service is questionable....

               

              It's confusing to our staff that the "from" shows one thing, but in actuality it's from constant contact.  As I begin to ask staff, I am finding that many of them have tried to add senders to their deny list, only to find they keep getting email.  They are no longer trusting McAfee service, and complaining why we moved off our old one.

              • 4. Re: Dealing with ConstantContact Service Users....
                frankm

                It has nothing to do with McAfee or CC. If your requests to unsubscribe are not being honored, I would suggest contacting the sender directly and even CC. McAfee allows for domain blocking; I'm not sure why you say the service is questionable, and it is not a fair statement in my opinion.

                 

                If you look at the CC header, the From: will list the sender and that can be blocked, without blocking the whole domain. CC does use DKIM; however, the FQDN in.constantcontact.com does not have a published SPF.

                • 5. Re: Dealing with ConstantContact Service Users....
                  jlockie

                  I think it's quite a fair statement, and let me defend it from the way I see it with the information I have currently.....

                   

                  1. User receives spam from "sales@annoyingbusiness.com".
                  2. User logs in to their McAfee portal and adds sales@annoyingbusiness.com to their blocked senders list.
                  3. User continues to receive emails from sales@annoyingbusiness.com and cannot figure out why.
                  4. I discover that the emails are not blocked, because McAfee sees it as an email from garbage@constantcontact.com and therefore it does not match blocked senders list.

                   

                  Think about how this feels from the user's perspective (the people IT is supporting).

                   

                  The way I see it McAfee is not doing its job in this scenario.  If a user receives email in their inbox from address #1, they should be able to block address #1 and be done with it.  Instead, there's some sketchy business going on with constant contact hiding the true sender, or McAfee misunderstanding header information and failing to recognize the correct sender.  Either way, it's frustrating.

                   

                  Using SPF is useless in this scenario as I have investigated the cause of this problem.

                  • 6. Re: Dealing with ConstantContact Service Users....
                    jlockie

                    Here's a detailed example.....hopefully someone can explain to me why this happens, and address this.  Because as far as I am concerned in the below example, I should only need to add *@*.ipswitch.com to my denied sender list and be on my merry way.  Unfortunately, that's not the case.

                     

                    I receive this spam message:

                    capture2.JPG

                     

                    So I add the sender to my denied sender list (in this example, nm_education@ipswitch.com).  I choose not to "unsubscribe" because frankly I'd rather not let them know I'm receiving their stupid emails I never signed up for to begin with.

                     

                    I still receive spam after adding them to blocked senders!!!!

                     

                    I look at email header and search McAfee and find the following:

                    Return-path: <307-tto-181.0.5051.0.0.7384.7.1928281@em-sj-77.mktomail.com>
                    Received: from p01c12m063.mxlogic.net ([::ffff:208.65.145.247])
                      by <removed> with ESMTP; Sat, 02 Aug 2014 04:04:04 -0700
                    Authentication-Results: p01c12m063.mxlogic.net; spf=pass
                    Received: from unknown [199.15.215.147] (EHLO elephantseal.mktdns.com)
                      by p01c12m063.mxlogic.net(mxl_mta-8.0.0-3)
                      with ESMTP id 4a5ccd35.0.1580337.00-2267.2283453.p01c12m063.mxlogic.net (envelope-from <307-tto-181.0.5051.0.0.7384.7.1928281@em-sj-77.mktomail.com>);
                      Sat, 02 Aug 2014 05:04:04 -0600 (MDT)
                    Return-Path: <nm_education@ipswitch.com>
                    DKIM-Signature: v=1; a=rsa-sha256; d=ipswitch.com; s=m1; c=relaxed/relaxed;
                      q=dns/txt; i=@ipswitch.com; t=1406977444;
                      h=From:Subject:Date:To:MIME-Version:Content-Type;
                      bh=OVqbcjhjeIQGcA4hJYZzWeA+973Dpbz56isLB9LGc94=;
                      b=uLDkIzMvhUcaGFlm4SrvBzuHuyzvgCkqR/ogL/6OIfmAuQlmcT7guEiezoRT6VDZ
                      +0F69bTysQaTddFn/cGO7aCdELp+i5oH2tlOJhOzgAxFHTG2S/S8uolos4qo9ewd
                      7bCwmblK45Z5vro8K+DrpLgPMv2lY/DUMUFo+yGbwQk=;
                    X-MSFBL: amxvY2tpZUBjZWZjdS5vcmdAZHZwLTE5OS0xNS0yMTUtMTQ3QGJnLXNqZC01MkAz
                      MDctVFRPLTE4MTozMjkyNjo1MDUxOjE2MDQ0OjA6NzM4NDo3OjE5MjgyODE=
                    Received: from [10.0.12.42] ([10.0.12.42:44113] helo=sjmas01.marketo.org)
                      by sjmta04.marketo.org (envelope-from <nm_education@ipswitch.com>)
                      (ecelerity 3.5.0.35861 r(Momo-dev:tip)) with ESMTP
                      id E6/B8-26004-3A5CCD35; Sat, 02 Aug 2014 06:04:03 -0500
                    Date: Sat, 2 Aug 2014 06:04:03 -0500 (CDT)
                    From: Ipswitch WhatsUp Gold <nm_education@ipswitch.com>
                    Reply-To: nm_education@ipswitch.com

                    Capture.JPG

                    So what's up with this? 

                     

                    While I added *@*.mktomail.com to my denied sender list, I cannot do it for the entire organization or expect our Sr. Executive team to accept that. 

                    • 7. Re: Dealing with ConstantContact Service Users....
                      kwidhalm

                      Good afternoon,

                       

                      In your example:

                      1. User receives spam from "sales@annoyingbusiness.com".
                      2. User logs in to their McAfee portal and adds sales@annoyingbusiness.com to their blocked senders list.
                      3. User continues to receive emails from sales@annoyingbusiness.com and cannot figure out why.
                      4. I discover that the emails are not blocked, because McAfee sees it as an email from garbage@constantcontact.com and therefore it does not match blocked senders list.

                       

                      Adding the address sales@annoyingbusiness.com to your user level or policy level deny list should block the messages from being delivered.  If that is not happening, please contact your support team so the issue can be further investigated!

                       

                      Karen Widhalm

                      System Support Specialist

                      SaaS Email and Web Security

                      McAfee. Part of Intel Security.

                       

                       

                      Edited to correct: deny list (was allow list)

                      • 8. Re: Dealing with ConstantContact Service Users....
                        kwidhalm

                        Regarding your detailed example: when adding *@*.ipswitch.com to the deny list, this entry is looking specifically for information after the '@' but before '.ipswitch.com' and therefore will only block email coming from an address that is from a subdomain of ipswitch.com. For example, usera@email.ipswitch.com would be blocked, but userb@ipswitch.com would not.

                         

                        Adding the entry in any of the following formats would block the message example provided:

                        1. *@ipswitch.com

                        2. ipswitch.com

                        3. nm_education@ipswitch.com

                         

                        I hope this information helps!

                         

                        Karen Widhalm

                        System Support Specialist

                        SaaS Email and Web Security

                        McAfee. Part of Intel Security.
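
Added example (not written by any participant in this thread, and not McAfee's matching code): the message quoted in reply 6 carries two sender identities, the envelope sender in the outermost Return-path and the address in the From: header, and a deny-list entry only helps if it matches the identity the filter actually compares. The matcher `entry_matches` is a hypothetical implementation of the wildcard behaviour described in reply 8; treating a bare domain as `*@domain` is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Abridged from the headers quoted in reply 6 (Received, DKIM and X-MSFBL lines omitted).
RAW_HEADERS = (
    "Return-path: <307-tto-181.0.5051.0.0.7384.7.1928281@em-sj-77.mktomail.com>\n"
    "Return-Path: <nm_education@ipswitch.com>\n"
    "From: Ipswitch WhatsUp Gold <nm_education@ipswitch.com>\n"
    "Reply-To: nm_education@ipswitch.com\n"
    "\n"
)

def sender_identities(raw):
    """Return the envelope sender and the header From address, lowercased."""
    msg = message_from_string(raw)
    # The first (outermost) Return-Path was stamped by the last hop and
    # records the envelope sender that hop saw.
    envelope = parseaddr(msg.get_all("Return-Path")[0])[1].lower()
    header_from = parseaddr(msg["From"])[1].lower()
    return {"envelope": envelope, "header_from": header_from}

def entry_matches(entry, address):
    """Hypothetical matcher: '*' is a wildcard, a bare domain means *@domain."""
    if "@" not in entry:
        entry = "*@" + entry
    # Escape the literal parts and join them with '.*' in place of each '*'.
    regex = ".*".join(re.escape(part) for part in entry.lower().split("*"))
    return re.fullmatch(regex, address.lower()) is not None

def evaluate(entries, raw=RAW_HEADERS):
    """Map each deny-list entry to whether it hits each sender identity."""
    ids = sender_identities(raw)
    return {e: {k: entry_matches(e, v) for k, v in ids.items()} for e in entries}

if __name__ == "__main__":
    entries = ["*@*.ipswitch.com", "*@ipswitch.com", "ipswitch.com",
               "nm_education@ipswitch.com", "*@*.mktomail.com"]
    for entry, hits in evaluate(entries).items():
        print(f"{entry:28} envelope={hits['envelope']!s:5} "
              f"header_from={hits['header_from']}")
```

The output shows `*@*.ipswitch.com` matching neither identity, the three entries from reply 8 matching only the From: header, and `*@*.mktomail.com` matching only the envelope sender.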

                        • 9. Re: Dealing with ConstantContact Service Users....
                          jlockie

                          Karen Widhalm wrote:

                           

                          Adding the address sales@annoyingbusiness.com to your user level or policy level deny list should block the messages from being delivered.  If that is not happening, please contact your support team so the issue can be further investigated!

                           

                           

                          I am going to have to do that then.  On the whole, I see this across the board regardless of user, and for other services besides Constant Contact.

                           

                          Regarding the syntax tip, thanks.  I misunderstood the help file.  We did add the domain using the other 2 methods too.....cause this has always been fuzzy with me, and so we throw a wide net by adding multiple types of entries. =/
