PROBLEM
A large quantity of spam emails are being received that appear to come from the ATO (Australian Taxation Office). The emails are similar to the description in the recent ATO online article, http://www.ato.gov.au/onlineservices/distributor.aspx?menuid=0&doc=/content/62347.htm&page=7#P224_10964, but can differ in content.
ENVIRONMENT
- GFI MailEssentials
- All supported environments
SOLUTION
Note: The details below are suggestions which we have found effective. Other adjustments may be equally effective.
- Open the MailEssentials Dashboard and find every message that appears to be from the ATO and matches the description here: http://www.ato.gov.au/onlineservices/distributor.aspx?menuid=0&doc=/content/62347.htm&page=7#P224_10964
- The spammers are using several spoofed ATO sender addresses. Those known so far are:
- admin@ato.gov.au
- info@ato.gov.au
- subscribe@ato.gov.au
- noreply@ato.gov.au
- donotreply@ato.gov.au
- (These are the ones we are aware of; there may be more.)
- Check whether any of the senders you found on the Dashboard match the spoofed ATO addresses listed above.
- If so, check whether those senders are whitelisted. You can tell by looking at the description of the email in the MailEssentials Dashboard.
- If they are whitelisted, navigate to GFI MailEssentials Configuration > Whitelist > Properties > Whitelist tab, and in the Search field type the spoofed ATO sender addresses you found.
- Remove the whitelist entry, if it exists. A whitelisted sender address bypasses the anti-spam filters, so a spammer only has to spoof that address to get past them.
- Navigate to GFI MailEssentials Configuration > Filter Priority > Properties and adjust the filter order using the UP and DOWN arrows. The most important filters against this kind of spam are:
- Sender Policy Framework
- SpamRazer
- Phishing
- IP DNS Blocklist
- Note that MailEssentials 2012 does not have a separate Sender Policy Framework filter; it has been rolled into the SpamRazer filter.
- Here is an example priority list for your consideration. Essentially, we suggest placing the four filters listed above (Sender Policy Framework, SpamRazer, Phishing, IP DNS Blocklist) higher in the priority list than the whitelist filters:
- Directory Harvesting
- Greylist
- SpamRazer
- Sender Policy Framework
- IP DNS Blocklist
- Phishing
- IP Whitelist
- Keyword Whitelist
- Email Blocklist
- Email\Domain\Auto Whitelist
- URI DNS Blocklist
- Bayesian Analysis
- Header Checking
- Keyword Checking
- Navigate to GFI MailEssentials Configuration > Anti-Spam Filters > SpamRazer > Properties > Updates tab and click Download updates now; a message will confirm that the update is running in the background.
- Navigate to GFI MailEssentials Configuration > Anti-Spam Filters > Phishing > Properties > Updates tab and click Download updates now; a message will report its progress and confirm when it has completed.
CAUSE
Spoofed ATO sender addresses present in the whitelist, and ineffective filter priorities.