Please help me prove that Postini is not allowing this Spam through


bkinney_usa

Feb 9, 2009, 1:25:14 PM2/9/09
to Postini Support for Policy Management and Message Recovery for Google Apps
I think they're forging headers with Postini references, otherwise
Postini has a serious leak.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Received: from psmtp.com (64.18.2.126) by mse19fe2.mse19.exchange.ms
(172.29.12.55) with Microsoft SMTP Server id 8.1.263.0; Mon, 9 Feb
2009
11:39:07 -0500
Received: from source ([200.125.125.64]) by exprod7mx168.postini.com
([64.18.6.10]) with SMTP; Mon, 09 Feb 2009 11:39:07 EST
To: <br...@playphone.com>
Subject: from admin

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

The 172.29.12.55 address is the "inside" interface to the Microsoft
SMTP server.

All of this spam has the "from" and "to" addresses identical.

The source addresses are always on the XBL.

My MSP for Exchange wants to sell me anti-spam and AV, so they're not
interested in these facts.

--brian--

FrankM - Power Poster

Feb 9, 2009, 3:51:20 PM2/9/09
to Postini Support for Policy Management and Message Recovery for Google Apps
What service are you using, Premier or one of the Google Security
services?

Postini received the message from 200.125.125.64. Your server,
172.29.12.55, received the message from Postini's 64.18.2.126.

I'll assume you are describing message domain spoofing with the same
"to" and "from". I would need to know the service you are using to
help further.


FrankM

bkinney_usa

Feb 10, 2009, 10:49:03 AM2/10/09
to Postini Support for Policy Management and Message Recovery for Google Apps
I believe it was the Google Services - $3/yr/user.

I have no trouble identifying the incoming spam visually, and even the
Outlook Junk Filter is picking them up.

Please let me know if you need more headers or original e-mails to
help confirm that Postini let them through.

On Feb 9, 12:51 pm, FrankM - Power Poster <Frank.M...@gmail.com>
wrote:
> > --brian--

FrankM - Power Poster

Feb 12, 2009, 1:15:51 AM2/12/09
to Postini Support for Policy Management and Message Recovery for Google Apps
A full header would be nice, so as to see the Postini header tags.

Cliff

Feb 12, 2009, 1:26:03 AM2/12/09
to Postini Support for Policy Management and Message Recovery for Google Apps
The full headers would be very useful. A few things to look for in
the headers:

x-pstn-addresses-from: <em...@domain.com> (user good) or (org
good)

This would indicate an approved sender at the User level (user good)
or the Org level (org good).

Another big one is for users not listed within Postini. One
indication of this is a single recipient email that doesn't have the
following Postini tag:

x-pstn-settings: <followed by a number>

Additionally, within the Admin Console (if you have access) is a link
to the Header Analyzer. Running the full internet headers through the
Header Analyzer could highlight some configuration issues that could
cause spam messages to come through.

Cliff

On Feb 12, 12:15 am, FrankM - Power Poster <Frank.M...@gmail.com>

FrankM - Power Poster

Feb 12, 2009, 10:33:06 AM2/12/09
to Postini Support for Policy Management and Message Recovery for Google Apps
Postini Header Analyzer
https://www.postini.com/support/header_analyzer.php

FrankM

bkinney_usa

Feb 12, 2009, 12:57:58 PM2/12/09
to Postini Support for Policy Management and Message Recovery for Google Apps
The first message WAS the full header. Like I said, I thought it was
forged; I was hoping to find a simple way to prove it to my MSP for
Exchange.


On Feb 11, 10:15 pm, FrankM - Power Poster <Frank.M...@gmail.com>

bkinney_usa

Feb 12, 2009, 1:03:48 PM2/12/09
to Postini Support for Policy Management and Message Recovery for Google Apps
I just took the most recent spam, which had far more bits of
information than the last ones, and it says Postini did review it, but
sent it to me anyway. This means any spammer can send e-mails to and
from the same person and whitelist it? We are getting whumped here by
these.

If you need an account which is 99% spam from this one group, let me
know.

>>>>>>>>>>>>>>> Header Begins >>>>>>>>>>>>>>>>>>>>>>>>>>>>
Received: from psmtp.com (64.18.2.84) by mse18fe2.mse18.exchange.ms
(172.29.12.55) with Microsoft SMTP Server id 8.1.263.0; Thu, 12 Feb
2009
04:55:04 -0500
Received: from source ([86.34.217.9]) by exprod7mx192.postini.com
([64.18.6.13]) with SMTP; Thu, 12 Feb 2009 01:55:03 PST
To: <br...@playphone.com>
Subject: Customer Receipt/Purchase Confirmation
From: <br...@playphone.com>
MIME-Version: 1.0
Importance: High
Content-Type: text/html
X-pstn-levels: (S: 0.00000/89.31937 CV:99.9000 FC:95.5390 LC:95.5390 R:
95.9108 P:95.9108 M:95.5423 C:98.6951 )
X-pstn-settings: 4 (1.5000:1.5000) s cv gt3 gt2 gt1 r p m c
X-pstn-addresses: from <br...@playphone.com> forward (org good)
[309/14]
Message-ID:
<e49c720a-2f1c-4327...@mse18fe2.mse18.exchange.ms>
Return-Path: br...@playphone.com
Date: Thu, 12 Feb 2009 04:55:04 -0500
X-MS-Exchange-Organization-PRD: playphone.com
X-MS-Exchange-Organization-SenderIdResult: None
Received-SPF: None (mse18fe2.mse18.exchange.ms: br...@playphone.com
does not
designate permitted sender hosts)
X-MS-Exchange-Organization-SCL: 2
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:
3.3.5705.600;SID:SenderIDStatus None;OrigIP:64.18.2.84

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Header Ends >>>>>>>>>>>>>>>>>>>>>>>>

On Feb 12, 7:33 am, FrankM - Power Poster <Frank.M...@gmail.com>
wrote:
> Postini Header Analyzer https://www.postini.com/support/header_analyzer.php

FrankM - Power Poster

Feb 12, 2009, 4:08:25 PM2/12/09
to Postini Support for Policy Management and Message Recovery for Google Apps
It sent it to you because you have the domain whitelisted:
X-pstn-addresses: from <br...@playphone.com> forward (org good) [309/14].
Not much Postini can do if you do this.
> <e49c720a-2f1c-4327-82a5-246be5fc8...@mse18fe2.mse18.exchange.ms>
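As an added illustration (not code from this thread or from Postini), the script below applies the checks Cliff and Frank describe to a raw header block: it unfolds the wrapped lines, reads the originating IP from the Postini Received hop, looks for the (user good)/(org good) approved-sender tag and for the presence of X-pstn-settings, and compares From with To and the SPF result. The header is a constructed sample modelled on the one posted above, with the addresses changed to example.com.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample modelled on the header posted in this thread (addresses
# swapped for example.com); continuation lines are folded as on the wire.
SAMPLE = """\
Received: from psmtp.com (64.18.2.84) by mse18fe2.mse18.exchange.ms
 (172.29.12.55) with Microsoft SMTP Server id 8.1.263.0; Thu, 12 Feb 2009
 04:55:04 -0500
Received: from source ([86.34.217.9]) by exprod7mx192.postini.com
 ([64.18.6.13]) with SMTP; Thu, 12 Feb 2009 01:55:03 PST
To: <brian@example.com>
From: <brian@example.com>
Subject: Customer Receipt/Purchase Confirmation
X-pstn-settings: 4 (1.5000:1.5000) s cv gt3 gt2 gt1 r p m c
X-pstn-addresses: from <brian@example.com> forward (org good) [309/14]
Received-SPF: None (mse18fe2.mse18.exchange.ms: brian@example.com does not
 designate permitted sender hosts)

"""

def postini_report(raw_headers):
    """Explain from Postini's own header tags why a message was delivered."""
    msg = message_from_string(raw_headers, policy=default)  # unfolds headers

    def addr(name):
        return msg[name].addresses[0].addr_spec.lower() if msg[name] else ""

    sender, rcpt = addr("From"), addr("To")
    # The hop Postini recorded from the real origin (the Exchange hop is ignored).
    origin = None
    for hop in msg.get_all("Received", []):
        m = re.search(r"from source \(\[([\d.]+)\]\) by \S+\.postini\.com", str(hop))
        if m:
            origin = m.group(1)
    # "(user good)" / "(org good)" marks an approved sender at that level.
    m = re.search(r"\((user|org) good\)", str(msg.get("X-pstn-addresses", "")))
    approved = m.group(1) if m else None
    spf = str(msg.get("Received-SPF", "missing")).split(None, 1)[0].lower()
    findings = []
    if approved:
        findings.append(f"approved sender at {approved} level: spam filters bypassed")
    if msg.get("X-pstn-settings") is None:
        findings.append("no X-pstn-settings: recipient is not a Postini user")
    if sender and sender == rcpt:
        findings.append("From equals To: self-addressed spoof")
    if approved and spf != "pass" and sender.split("@")[-1] == rcpt.split("@")[-1]:
        findings.append("own domain approved without SPF pass: forged From is trusted")
    return {"origin": origin, "approved": approved, "spf": spf, "findings": findings}
```

Calling `postini_report(SAMPLE)["findings"]` on the sample reports the org-level approved sender, the identical From/To, and the whitelisted own domain with no SPF pass.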

bkinney_usa

Feb 13, 2009, 11:22:30 AM2/13/09
to Postini Support for Policy Management and Message Recovery for Google Apps
Well, I've removed our own Domain from my whitelist. I will warn
those who have to route through their ISP's SMTP gateways that they
should look in the Quarantined items more closely now.

On Feb 12, 1:08 pm, FrankM - Power Poster <Frank.M...@gmail.com>

bkinney_usa

Feb 16, 2009, 2:32:48 PM2/16/09
to Postini Support for Policy Management and Message Recovery for Google Apps
Frank,

It's four days after changing the "approved senders" list (and
removing my domain), and Postini STILL ASSUMES I should be
whitelisted!

How do I get some help from Postini?!


Received: from psmtp.com (64.18.2.102) by mse18fe1.mse18.exchange.ms
(172.29.12.54) with Microsoft SMTP Server id 8.1.263.0; Mon, 16 Feb
2009
14:13:39 -0500
Received: from source ([88.254.197.192]) by exprod7mx248.postini.com
([64.18.6.11]) with SMTP; Mon, 16 Feb 2009 13:13:39 CST
To: <bri...@playphone.com>
Subject: Re: answer 9
From: <bri...@playphone.com>
MIME-Version: 1.0
Importance: High
Content-Type: text/html
X-pstn-levels: (S: 0.00000/87.74409 CV:99.9000 FC:95.5390 LC:95.5390 R:
95.9108 P:95.9108 M:95.5423 C:98.6951 )
X-pstn-settings: 4 (1.5000:1.5000) s cv gt3 gt2 gt1 r p m c
X-pstn-addresses: from <bri...@playphone.com> forward (org good)
[309/14]
Message-ID:
<229a9ff2-0715-4738...@mse18fe1.mse18.exchange.ms>
Return-Path: bri...@playphone.com
Date: Mon, 16 Feb 2009 14:13:39 -0500
X-MS-Exchange-Organization-PRD: playphone.com
X-MS-Exchange-Organization-SenderIdResult: None
Received-SPF: None (mse18fe1.mse18.exchange.ms: bri...@playphone.com
does
not designate permitted sender hosts)
X-MS-Exchange-Organization-SCL: 5
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report:
DV:3.3.5705.600;SID:SenderIDStatus None;OrigIP:64.18.2.102


On Feb 12, 1:08 pm, FrankM - Power Poster <Frank.M...@gmail.com>

FrankM - Power Poster

Feb 16, 2009, 2:47:49 PM2/16/09
to Postini Support for Policy Management and Message Recovery for Google Apps
It has to be listed somewhere. This setting is effective only on the
org's user level.


Frank



On Feb 16, 2:32 pm, bkinney_usa <bri...@playphone.com> wrote:
> Frank,
>
> It's four days after changing the "approved senders" list (and
> removing my domain), and Postini STILL ASSUMES I should be
> whitelisted!
>
> How do I get some help from Postini?!
>
> Received: from psmtp.com (64.18.2.102) by mse18fe1.mse18.exchange.ms
>  (172.29.12.54) with Microsoft SMTP Server id 8.1.263.0; Mon, 16 Feb
> 2009
>  14:13:39 -0500
> Received: from source ([88.254.197.192]) by exprod7mx248.postini.com
>  ([64.18.6.11]) with SMTP;      Mon, 16 Feb 2009 13:13:39 CST
> To: <bri...@playphone.com>
> Subject: Re: answer 9
> From: <bri...@playphone.com>
> MIME-Version: 1.0
> Importance: High
> Content-Type: text/html
> X-pstn-levels: (S: 0.00000/87.74409 CV:99.9000 FC:95.5390 LC:95.5390 R:
> 95.9108 P:95.9108 M:95.5423 C:98.6951 )
> X-pstn-settings: 4 (1.5000:1.5000) s cv gt3 gt2 gt1 r p m c
> X-pstn-addresses: from <bri...@playphone.com> forward (org good)
> [309/14]
> Message-ID:
> <229a9ff2-0715-4738-892f-08dcb50e8...@mse18fe1.mse18.exchange.ms>

bkinney_usa

Feb 23, 2009, 12:46:04 PM2/23/09
to Postini Support for Policy Management and Message Recovery for Google Apps
Thanks to your information, I believe someone officially needs to fill
out a bug report.

I had done my changes at the "E-mail Config" level, and then selected
the checkbox to push it down to all sub orgs.

I went into the "org users" level, and confirmed the domain was NOT on
the list. However, it was still letting them through as "org good."

*After I got your reply,* I went in and modified the "org users" level
approved senders list (added an item actually) and the filter tools
started working properly.

Maybe you have to "checkbox" BEFORE you remove approved senders in
order to make the push effective?

Does the checkbox have an order of preference perhaps? I used the
"back to overview" button, but that did not make a difference.

Thank you for being there to help me/us out!

Brian

On Feb 16, 11:47 am, FrankM - Power Poster <Frank.M...@gmail.com>

FrankM

Feb 23, 2009, 8:58:35 PM2/23/09
to Postini Support for Policy Management and Message Recovery for Google Apps
There is no bug IMO. Any changes done at the top level that are pushed
down will overwrite existing lists. You can also create a spreadsheet
to build a batch command template to make unique changes to an Org's
approved senders list. You can run a batch command for just one Org,
or more than one. By creating a template, you can add and delete as
needed without losing your current listings.

An example of a batch command for modifying an Org approved senders list:
modifyorg org name, approved_senders=sender

Org name = the Org to be modified and sender is the approved sender,
with additional senders separated by a comma.

By keeping a template of each Org's approved senders, the use of a
batch command makes your work easier. Just remember to update the
template when the Org's list is changed.


FrankM

bkinney_usa

Feb 24, 2009, 12:40:26 PM2/24/09
to Postini Support for Policy Management and Message Recovery for Google Apps
Frank,
I have to disagree with you on this. It's a process flow issue.

Unless you click the checkbox FIRST, then make the changes to the
approved senders list, the interface only updates the displayed lists
for each level, but does NOT update the functionality at the lowest
level.

It does not commit the changes downstream unless that checkbox is
marked before you change the approved senders list.

The checkbox does not perform a commit to the sub-orgs, only the
Add/Remove button does.

I'll let you make the call on whether it's worth reworking the
interface.

Brian

FrankM

Feb 24, 2009, 1:49:37 PM2/24/09
to Postini Support for Policy Management and Message Recovery for Google Apps
I don't disagree.