Inundated with Amazon Spam

by bobrk » Sat Oct 02, 2021 12:05 pm
I seem to be getting these Amazon spams continuously now. The Spam score is -81! Is there a way to fix this?

I think the issue is in this area of the spam scoring:
[Screenshot: Screen Shot 2021-10-02 at 12.02.12.png]
Here is the general appearance of the email:
[Screenshot: Screen Shot 2021-10-02 at 12.03.31.png]
And here is the header source:

Return-Path: <MAILER-DAEMON>
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on e.spam.sonic.net
X-Spam-Level:
X-Spam-Status: No, score=-81.3 required=2.0 tests=DCC_CHECK,DKIM_ADSP_ALL,
FSL_BULK_SIG,GOOG_STO_NOIMG_HTML,HTML_MESSAGE,KHOP_HELO_FCRDNS,
MIME_HTML_ONLY,NORMAL_HTTP_TO_IP,NUMERIC_HTTP_ADDR,RCVD_IN_SBL,
RCVD_IN_SBL_CSS,SNF4SA,SONIC_BX_A2,SPF_HELO_NONE,USER_IN_WELCOMELIST,
USER_IN_WHITELIST shortcircuit=no autolearn=disabled version=3.4.6
X-Spam-SNF-Result: 53 (Scam Patterns)
X-Spam-MessageSniffer-Scan-Result:
X-Spam-MessageSniffer-Rules:
53-57022-104-1350-m
53-57022-0-10479-f
X-Spam-GBUdb-Analysis: 0, 157.131.224.146, Ugly c=1 p=-0.740514 Source Normal
Received: from a.mx.sonic.net (b.spam-proxy.sonic.net [157.131.224.146])
by b.local-delivery (8.14.7/8.14.7) with ESMTP id 192GMUTW024120
(version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT)
for <bobrk@lds.sonic.net>; Sat, 2 Oct 2021 09:22:30 -0700
Received: from idm.telekom.com (faiytfix.com [109.237.96.204] (may be forged))
by a.mx.sonic.net (8.14.7/8.14.7) with ESMTP id 192GMLcQ143451
for <bob@bobrk.com>; Sat, 2 Oct 2021 09:22:28 -0700
From: Amazon <account-update@amazon.com>
Subject: Are my customers actually satisfied?|
Date: Sat, 02 Oct 2021 16:31:29 +0200
To: [to]@a.mx.sonic.net
Reply-To: "Adobe Creative Cloud" <mail@mail.adobe.com>
MIME-Version: 1.0
X-mailer: nlserver, Build 6.7.0
Message-ID: <UXCfmAadobein_mid_prod9@mail.adobe.com>
X-250ok-CID: P26341-121020
TenantHeader: 1d0e6311-6f98-4c5b-8b0e-8df80d5b7739
Affinity: prod.default
X-cust_MessageID: 1938757681
X-cust_DeliveryID: 350826
X-cust_InstanceName: aci_prod
MessageMaxRetry: 2
MessageRetryPeriod: 3600
MessageWebValidityDuration: 2592000
MessageValidityDuration: 432000
X-cust_IMSOrgID:
Content-Transfer-Encoding: 7bit
Content-Type: text/html; charset="UTF-8"
X-Orthrus: tar=1 grey=no co=RU os=Linux/3.11 and newer/16 spf=skip dkim=none
by virtualmike » Sat Oct 02, 2021 8:33 pm
The "USER_IN_WELCOMELIST" suggests to me that you have part or all of "account-update@amazon.com" in your mailbox's white list.

Even though the "From:" shows amazon.com, the email actually came from another source. This was not sent by Amazon. A further clue is that the "Reply-To:" was set to Adobe... Amazon certainly wouldn't want people replying to Adobe... usually Amazon's emails expect responses to go to "no-replay@amazon.com" (or a variation of that).

This appears to be a spammer who figures that with sufficient volume, you'll give up and click the OK button. Since it's a screen shot, I can't tell, but I bet the OK button doesn't go to an Amazon web site or a well-known survey site.
by bobrk » Sat Oct 02, 2021 8:43 pm
Yeah there is an Amazon wildcard in my white list. I have my spam pretty locked down so my whitelist is very long. Still seems like this is not valid email from them so should be filterable.
by virtualmike » Sat Oct 02, 2021 10:09 pm
It's filtering on the "From:" address the sender puts into the email, which is not authenticated in any way.

If you have another email address, I think there's a way for you to create a workaround by using that address to receive Amazon mail, forwarding it to your primary mailbox.
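
Added example, not part of the original posts: a Python sketch of why a whitelist keyed on the unauthenticated "From:" header trusts this message, and which header inconsistencies it never looks at. The sample is constructed from a subset of the headers quoted in the first post; the function names and the stricter relay check (similar in spirit to SpamAssassin's whitelist_from_rcvd) are assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a subset of the headers quoted in the thread, folded with tabs.
SAMPLE = """\
X-Spam-Status: No, score=-81.3 required=2.0 tests=DCC_CHECK,RCVD_IN_SBL,
\tRCVD_IN_SBL_CSS,USER_IN_WELCOMELIST,USER_IN_WHITELIST
Received: from idm.telekom.com (faiytfix.com [109.237.96.204] (may be forged))
\tby a.mx.sonic.net (8.14.7/8.14.7) with ESMTP id 192GMLcQ143451
From: Amazon <account-update@amazon.com>
Reply-To: "Adobe Creative Cloud" <mail@mail.adobe.com>
Message-ID: <UXCfmAadobein_mid_prod9@mail.adobe.com>

"""

def org_domain(header_value):
    """Last two labels of the address domain (naive: ignores suffixes like co.uk)."""
    domain = parseaddr(header_value or "")[1].rpartition("@")[2].lower()
    return ".".join(domain.split(".")[-2:])

def relay_rdns(msg):
    """Reverse-DNS name the receiving MX logged in a sendmail-style Received line."""
    m = re.search(r"from\s+\S+\s+\((\S+)\s+\[[^\]]+\]", msg.get("Received", ""))
    return m.group(1).lower() if m else ""

def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def from_only_whitelist(raw, domain):
    """What the thread describes: trust decided by the From: header alone."""
    return org_domain(message_from_string(raw)["From"]) == domain

def relay_checked_whitelist(raw, domain):
    """Hypothetical stricter rule: the sending relay must also be in the domain."""
    return from_only_whitelist(raw, domain) and in_domain(
        relay_rdns(message_from_string(raw)), domain)

def findings(raw):
    """Header inconsistencies a From-only whitelist never looks at."""
    msg = message_from_string(raw)
    from_dom = org_domain(msg["From"])
    tests = set(re.findall(r"[A-Z][A-Z0-9_]+",
                           (msg["X-Spam-Status"] or "").partition("tests=")[2]))
    checks = [
        ("reply-to-mismatch", org_domain(msg["Reply-To"]) not in ("", from_dom)),
        ("message-id-mismatch", org_domain(msg["Message-ID"]) not in ("", from_dom)),
        ("relay-outside-from-domain", not in_domain(relay_rdns(msg), from_dom)),
        ("no-dkim-signature", msg["DKIM-Signature"] is None),
        ("whitelisted-despite-sbl-hit", "USER_IN_WHITELIST" in tests
            and any(t.startswith("RCVD_IN_SBL") for t in tests)),
    ]
    return [name for name, hit in checks if hit]
```
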
by bobrk » Mon Oct 04, 2021 1:27 pm
It took a few clicks but I was able to train my mail reader to recognize them as spam. Too bad I can't do the same thing at the server level.
by virtualmike » Mon Oct 04, 2021 9:36 pm
That's probably the most efficient way to filter, though the messages still need to be downloaded to your device to be filtered.
by bobrk » Tue Oct 05, 2021 10:29 am
I'd prefer that the server side software be at least as competent as my mail client. I receive mail on at least 3 different devices, so would love to have this stuff done server side.
by virtualmike » Tue Oct 05, 2021 8:23 pm
I guess I should have been clearer... that's the most efficient way with the current tools, at the moment. I'd also prefer that spam gets caught at the servers.
by bobrk » Fri Oct 22, 2021 8:35 am
Just as a followup, I'm seeing these emails getting caught in greymail now, not sure what butterfly caused it.
by virtualmike » Fri Oct 22, 2021 9:59 pm
The report will tell you which rule is catching them now.