On 10/11/18 7:00 PM, Alex wrote:
> Hi,
>
> On Thu, Oct 11, 2018 at 5:15 PM David Jones <djo...@ena.com> wrote:
>>
>> On 10/11/18 3:30 PM, Alex wrote:
>>> Hi,
>>>
>>> I'm curious what people think of this:
>>>
>>> https://pastebin.com/1XjwaCY1
>>>
>>> It's unsolicited, so that makes it spam to me, but is it dangerous?
>>> yesinsights.com appears to be a legitimate company, but the sender,
>>> e...@hrteamerus.com, is a registered domain but has no DNS record.
>>>
>>> Is it just a lame attempt to confirm email addresses?
>>>
>>> Outlook just seems to be a non-stop source of spam. I'd report it to
>>> yesinsights, but it appears it's being used exactly as the service
>>> intended?
>>>
>>> Any idea on tips to block it, other than bayes?
>>>
>>
>> Is that the entire email in the pastebin link above? I ran it through
>> my SA platform and it's missing a few headers.
>>
>> DKIM_INVALID,DKIM_SIGNED,ENA_NO_TO_CC,MISSING_DATE,MISSING_FROM,
>> MISSING_HEADERS,MISSING_MID,MISSING_SUBJECT
>
> Yes, it's the complete email - those missing headers are in the
> pastebin. It also passed DKIM. Send me a message if you want the
> original.
>
>> Since it doesn't have a valid opt-out, I would report it to SpamCop,
>> report it to yesinsights.com's abuse if SpamCop doesn't already, and add
>> a blacklist_from *@hrteamerus.com entry.
>
> Yes, we've seen an increase in these types of emails. We've reported
> it to spamcop, but there doesn't appear to be a way to communicate
> abuse to yesinsights.
>
I checked the yesinsights.com site and they don't have a way to contact them or report abuse. They do have a free week trial, so you could set up a trial to get in touch with someone and tell them they need to have an abuse contact set up with SpamCop or they will eventually be listed on RBLs if they have enough shady customers sending to recipients that haven't opted into these emails.

If I received complaints from my customers about spam from yesinsights, I would put a REJECT line in my Postfix config with a detailed explanation as to why they were being blocked, to give them feedback in their logs in case they actually check them.

Another option you have, if you see repeating characteristics, is to create a local meta rule that combines URLs with yesinsights.com with the envelope-from domain of hrteamerus.com, or other things you see over and over, to add some points.

This email came via Office 365, which is a major problem for sorting out spam. They are so large that you can't block them outright, so I have created a set of meta rules that amplify some spammy scores for O365 and add a point or two for all O365 email, then put known good O365 senders on an exception list. It has worked pretty well for the past year. It takes a little work up front to start the list, but I haven't had to do much lately. I mainly had to exclude senders that send odd attachments or invoices that trigger suspicious phishing-type rules.

-- 
David Jones
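
The local meta rule approach described in the reply above, sketched as an added SpamAssassin `local.cf` example (not part of the original thread and not David Jones's own rules). The rule names, the scores, the Office 365 relay pattern in `Received` and the `example.com` exception entry are assumptions to adapt locally.

```conf
# --- Added example: local.cf sketch, all LOCAL_* names and scores are assumptions ---

# Sub-rule: message body links to yesinsights.com (any subdomain).
uri      __LOCAL_URI_YESINSIGHTS   /^https?:\/\/(?:[^\/]+\.)?yesinsights\.com(?:[\/:?\#]|$)/i

# Sub-rule: envelope sender (MAIL FROM) is in hrteamerus.com.
# Requires the MTA to record the envelope sender so SpamAssassin
# can expose it as the EnvelopeFrom pseudo-header.
header   __LOCAL_ENVFROM_HRTEAM    EnvelopeFrom =~ /\@hrteamerus\.com$/i

# Meta rule: only the combination scores, so ordinary yesinsights.com
# survey mail from other senders is not penalised by this rule.
meta     LOCAL_YESINSIGHTS_HRTEAM  (__LOCAL_URI_YESINSIGHTS && __LOCAL_ENVFROM_HRTEAM)
describe LOCAL_YESINSIGHTS_HRTEAM  yesinsights.com URL with hrteamerus.com envelope sender
score    LOCAL_YESINSIGHTS_HRTEAM  2.5

# Sub-rule: message was relayed by Office 365 outbound infrastructure
# (assumed hostname pattern; verify against Received headers you actually see).
header   __LOCAL_RCVD_O365         Received =~ /\.outbound\.protection\.outlook\.com\b/i

# Exception list: known good O365 senders (constructed placeholder domain).
header   __LOCAL_O365_KNOWN_GOOD   From:addr =~ /\@(?:example\.com)$/i

# Meta rule: add a point to O365 mail unless the sender is on the exception list.
meta     LOCAL_O365_UNLISTED       (__LOCAL_RCVD_O365 && !__LOCAL_O365_KNOWN_GOOD)
describe LOCAL_O365_UNLISTED       Relayed via Office 365, sender not on local exception list
score    LOCAL_O365_UNLISTED       1.0
```

Run `spamassassin --lint` after editing `local.cf` to catch syntax errors before reloading the scanner.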