On 8/17/2012 1:44 AM, Colin wrote:
> You're not the only one.
>
> As of the last day or two we've seen a number of fake efax.com messages
> getting through.
>
> Does anyone have a legitimate subscription to efax.com so that we can
> compare headers and see if there is an obvious regex for this?
>
> I first spotted this because a client was running a dnsbl using abuseat
> on their Exchange box and that blocked the messages, but we have had
> problems with abuseat blocking legitimate mail so we don't use it. All
> suspect messages seem to have the subject "Corporate eFax message X
> pages", so I'll add the first three words as a regex and see how it goes.
>
This is what a "real" efax looks like.

Return-Path: <mess...@inbound.efax.com>
Delivered-To: <f...@amfes.com>
Received: from mail.amfes.com by bubba.amfeslan.local (Dovecot) with LMTP id PVD+KpR8LVAqFAAA4TDHRA
    for <f...@amfes.com>; Thu, 16 Aug 2012 16:04:52 -0700
Received: from mail.amfes.com (lax2.efax.com [66.52.2.3])
    (using TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by Postfix-ASSP.amfeslan.local (Postfix) with ESMTPS id 60BFD404065E
    for <faxrecei...@amfes.com>; Thu, 16 Aug 2012 16:04:52 -0700 (PDT)
Received: from lax2.efax.com ([66.52.2.3] helo=lax2.efax.com)
    by mail.amfes.com with SMTP (2.2.2); 16 Aug 2012 16:04:52 -0700
Received: from media4.lax2.colo.j2noc.com (media4.lax2.colo.j2noc.com [10.11.50.107])
    by lax2.efax.com (Postfix) with ESMTP id EC48D10422
    for <dmil...@amfes.com>; Thu, 16 Aug 2012 23:04:51 +0000 (GMT)
Received: by media4.lax2.colo.j2noc.com (Postfix, from userid 0)
    id DB8ED1370F2; Thu, 16 Aug 2012 23:04:51 +0000 (GMT)
MIME-Version: 1.0
Date: Thu, 16 Aug 2012 23:04:37 +0000
To: dmil...@amfes.com
CC:
From: "eFax Corporate" <mess...@inbound.efax.com>
Subject: =?utf-8?Q?=20Corporate=20eFax=20message=20from=20"unknown"=20-=201=20page(s)?=
Message-ID: <lax2_did14-1345158243-7023125279-29-18865.1345158...@media4.lax2.colo.j2noc.com>
Content-Type: Multipart/Mixed;boundary="Boundary-00=_T7P340MWKGMMYJ0CCJD0"
X-J2-Header-Version: 1.0
X-J2-Phone-Number: 17023125279
X-J2-Customerkey: 42193434
X-J2-Servicekey: 76679357
X-J2-Message-Type: FAX
X-J2-Caller-Id:
X-J2-Message-Duration: 32
X-J2-Message-Size: 23442
X-J2-Message-Format: pdf
X-J2-Message-Date: 08/16/2012 23:04:37 GMT
X-J2-Accounttype: Regular
X-J2-Fax-Pages: 1
X-J2-Fax-Mode: ECM
X-J2-Fax-Csid-Remote: unknown
X-J2-Fax-Bps: 14400
X-Assp-Version: 2.2.2(12228) on mail.amfes.com
X-Assp-Server-TLS: yes
X-Assp-Re-NoProcessingDomain: efax.com
X-Assp-Recipient: recipient dmil...@amfes.com replaced with faxrecei...@amfes.com
X-Assp-NoProcessing: YES - (noProcessingDomain 'efax.com')
X-Assp-ID: mail.amfes.com 58292-03712
X-Assp-Original-Subject: =?utf-8?Q?=20Corporate=20eFax=20message=20from=20"unknown"=20-=201=20page(s)?=

--Boundary-00=_T7P340MWKGMMYJ0CCJD0
Content-Type: Multipart/Alternative;boundary="Boundary-00=_Z7P340MWKGMMYJ0CCJD0"

--Boundary-00=_Z7P340MWKGMMYJ0CCJD0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

You have received a 1 page fax at 2012-08-16 16:04:37 PDT.=0D=0A=0D=0A* T=
he reference number for this fax is lax2_did14-1345158243-7023125279-29.=0D=0A=
=0D=0APlease visi

--
Daniel

_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
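An added example of the header comparison Colin asks for; this is not code from the thread or from ASSP. Two things in Daniel's sample matter for a filter. First, the Subject is RFC 2047 encoded, so a regex has to run on the decoded text; decoded, the genuine subject reads `Corporate eFax message from "unknown" - 1 page(s)`, which means a regex on the first three words alone also matches genuine notifications, whereas the full shape (`from "<csid>" - N page(s)`) does not match the `Corporate eFax message X pages` subjects Colin describes. Second, From, Return-Path and the X-J2-* headers are all set by the sender and can be copied into a fake, so the script takes the peer address from the first Received line stamped by the site's own border MTA instead. The border host name (mail.amfes.com) and the relay address 66.52.2.3 are taken from the headers above; treating that one address as the trusted set is an assumption made for the example, and in practice the set should be built from several of your own legitimate messages. The lookalike message is constructed for illustration and is not a real sample.

```python
import email
import re
from email.header import decode_header, make_header

# Decoded subject of the genuine notification posted above:
#   Corporate eFax message from "unknown" - 1 page(s)
STRICT_SUBJECT = re.compile(r'^Corporate eFax message from "[^"]*" - \d+ page\(s\)$')
# The three-word prefix proposed in the thread; matches genuine and lookalike alike.
LOOSE_SUBJECT = re.compile(r'^Corporate eFax message')
IP_RE = re.compile(r'\[(\d{1,3}(?:\.\d{1,3}){3})\]')

BORDER_HOST = 'mail.amfes.com'    # the site's own MX, taken from the posted headers
TRUSTED_EFAX_IPS = {'66.52.2.3'}  # assumption: seeded from the single genuine sample

def decode_subject(raw):
    """Decode RFC 2047 encoded-words so the regex sees the real text."""
    if raw is None:
        return ''
    return str(make_header(decode_header(raw))).strip()

def border_received(msg, border_host):
    """First Received line stamped 'by <border_host>', unfolded.
    Our MTA prepends its line, so a top-down scan finds the genuine one
    before any Received line a sender forged further down."""
    pattern = re.compile(r'\bby %s\b' % re.escape(border_host))
    for line in msg.get_all('Received', []):
        flat = ' '.join(line.split())
        if pattern.search(flat):
            return flat
    return None

def client_ip(received_line):
    """Bracketed peer address the MTA recorded in that Received line."""
    m = IP_RE.search(received_line or '')
    return m.group(1) if m else None

def triage(raw_message, border_host=BORDER_HOST, trusted_ips=TRUSTED_EFAX_IPS):
    msg = email.message_from_string(raw_message)
    subject = decode_subject(msg.get('Subject'))
    ip = client_ip(border_received(msg, border_host))
    result = {
        'subject': subject,
        'loose_match': bool(LOOSE_SUBJECT.match(subject)),
        'strict_match': bool(STRICT_SUBJECT.match(subject)),
        'client_ip': ip,
        'ip_trusted': ip in trusted_ips,
        # X-J2-* headers are trivially forgeable; only their absence is informative
        'x_j2_headers': sum(1 for h in msg.keys() if h.lower().startswith('x-j2-')),
    }
    if result['ip_trusted'] and result['strict_match']:
        result['verdict'] = 'genuine'
    elif result['loose_match']:
        result['verdict'] = 'suspect-lookalike'
    else:
        result['verdict'] = 'not-efax'
    return result

# Headers copied (abridged) from the genuine message posted above.
REAL_SAMPLE = """\
Received: from mail.amfes.com by bubba.amfeslan.local (Dovecot) with LMTP
 id PVD+KpR8LVAqFAAA4TDHRA; Thu, 16 Aug 2012 16:04:52 -0700
Received: from mail.amfes.com (lax2.efax.com [66.52.2.3])
 by Postfix-ASSP.amfeslan.local (Postfix) with ESMTPS id 60BFD404065E;
 Thu, 16 Aug 2012 16:04:52 -0700 (PDT)
Received: from lax2.efax.com ([66.52.2.3] helo=lax2.efax.com)
 by mail.amfes.com with SMTP (2.2.2); 16 Aug 2012 16:04:52 -0700
Received: from media4.lax2.colo.j2noc.com (media4.lax2.colo.j2noc.com [10.11.50.107])
 by lax2.efax.com (Postfix) with ESMTP id EC48D10422;
 Thu, 16 Aug 2012 23:04:51 +0000 (GMT)
Subject: =?utf-8?Q?=20Corporate=20eFax=20message=20from=20"unknown"=20-=201=20page(s)?=
X-J2-Header-Version: 1.0
X-J2-Message-Type: FAX
X-J2-Fax-Pages: 1

You have received a 1 page fax at 2012-08-16 16:04:37 PDT.
"""

# Constructed lookalike (not a real message): same three-word prefix, different
# subject shape, no X-J2 headers, a forged 'by mail.amfes.com' line below the real one.
FAKE_SAMPLE = """\
Received: from mail.amfes.com by bubba.amfeslan.local (Dovecot) with LMTP
 id Abc123; Fri, 17 Aug 2012 01:30:00 -0700
Received: from mail.example.net ([192.0.2.10] helo=mail.example.net)
 by mail.amfes.com with SMTP (2.2.2); 17 Aug 2012 01:30:00 -0700
Received: from efax.com (localhost [127.0.0.1])
 by mail.amfes.com with ESMTP id 1; Fri, 17 Aug 2012 08:29:00 +0000
Subject: Corporate eFax message 3 pages

You have received a 3 page fax. Open the attachment to view it.
"""

if __name__ == '__main__':
    for name, raw in (('real', REAL_SAMPLE), ('fake', FAKE_SAMPLE)):
        print(name, triage(raw))
```

Run it and the genuine sample comes back `genuine` (peer 66.52.2.3, strict subject match, three X-J2 headers), while the constructed one comes back `suspect-lookalike`: the loose three-word prefix fires, the strict pattern does not, the peer is 192.0.2.10 rather than a known eFax relay, and the forged `by mail.amfes.com` line lower in the chain is ignored because the MTA's own line sits above it. The same decode-then-match step applies to whatever regex is finally put into ASSP, since the encoded form of the genuine subject never contains the literal words.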