MIAB getting inundated with SPAM e-mails with virus attached

My MIAB has been running for about 5 months now with no issues. In the last week several e-mail accounts have been receiving e-mails which should be caught by the SPAM filters or Blacklist check. I’m including the e-mail header below, and when I check the received-from IP address at Blacklist check it is listed on several Blacklist networks. Does anyone have any insight into this?

Return-Path: <uemura-hironori@farmers-factory.com>
Delivered-To: bmeade@legacycminc.com
Received: from box.legacycminc.com ([127.0.0.1])
	by box.legacycminc.com with LMTP id WLYSEUAG6F1JWQAAN/b7Og
	for <bmeade@legacycminc.com>; Wed, 04 Dec 2019 14:17:20 -0500
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on box.legacycminc.com
X-Spam-Level: 
X-Spam-Status: No, score=0.3 required=5.0 tests=MIME_BOUND_DD_DIGITS,
	SPF_HELO_NONE autolearn=no autolearn_force=no version=3.4.2
X-Spam-Report: 
	*  0.3 MIME_BOUND_DD_DIGITS Spam tool pattern in MIME boundary
	*  0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
X-Spam-Score: 0.3
X-Greylist: delayed 985 seconds by postgrey-1.36 at box.legacycminc.com; Wed, 04 Dec 2019 14:17:18 EST
Authentication-Results: box.legacycminc.com; dmarc=none (p=none dis=none) header.from=farmers-factory.com
Received: from mail26.heteml.jp (mail26.heteml.jp [157.7.188.42])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by box.legacycminc.com (Postfix) with ESMTPS id AEC8BFB1CB
	for <bmeade@legacycminc.com>; Wed,  4 Dec 2019 14:17:18 -0500 (EST)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by mail26.heteml.jp (Postfix) with QMQP id 9B9E94841062
	for <bmeade@legacycminc.com>; Thu,  5 Dec 2019 04:00:49 +0900 (JST)
Received: from unknown (HELO mail26.heteml.jp) (uemura-hironori@farmers-factory.com@127.0.0.1)
  by mail26.heteml.jp with SMTP; 5 Dec 2019 04:00:49 +0900
Received: from 27.123.136.200 (27.123.136.200)
 by mail26.heteml.jp (HETEML-Fsecure);
 Thu, 05 Dec 2019 04:00:45 +0900 (JST)
X-Virus-Status: clean(HETEML-Fsecure)
Date: Thu, 05 Dec 2019 08:00:51 +1200
From: "Peter Rendel" <uemura-hironori@farmers-factory.com>
To: "Brian Meade" <bmeade@legacycminc.com>
Subject: RE: MPS, HVAC Upgrade
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--909254750422736273102312587377243"
Message-Id: <20191204190049.9B9E94841062@mail26.heteml.jp>

----909254750422736273102312587377243
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Please see attached and thanks!

No - SpamAssassin wouldn’t block that; the X-Spam-Score is too low. You can use IPTABLES to block that email server or report them to Spamhaus.

Otherwise, check your websites - make sure users’ emails are NOT on any publicly facing web page. This doesn’t completely stop spam, but it helps a lot.

But the IP address is on a bunch of Blacklists (e.g. Spamhaus) so shouldn’t that have prevented the e-mail from being accepted?

No, this is not on Spamhaus (MIAB only uses Spamhaus) RBL - so it would not be blocked.

Okay, but we are receiving a bunch from all different IP addresses; here is a better one, 27.123.136.200, that is blocked by a whole host of services. This one is blocked by Spamhaus ZEN, is that different than RBL?

I have forwarded these e-mails to all the big e-mail service providers and they all bounced it back as flagged as SPAM. That is why I am bringing this up. It could potentially make MIAB even better.
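Added example, not part of the thread and not Mail-in-a-Box code: it walks the Received chain from the header in the first post and separates the address that connected to box.legacycminc.com, which is the one an SMTP-time DNSBL check sees, from addresses that appear only deeper in the headers, building the DNSBL query name for each. The function names and the `zen.spamhaus.org` default zone are assumptions; no DNS lookup is performed.

```python
import email
import ipaddress
import re

# Received chain copied from the header in the first post (other fields trimmed).
SAMPLE = """\
Received: from box.legacycminc.com ([127.0.0.1])
\tby box.legacycminc.com with LMTP id WLYSEUAG6F1JWQAAN/b7Og
\tfor <bmeade@legacycminc.com>; Wed, 04 Dec 2019 14:17:20 -0500
Received: from mail26.heteml.jp (mail26.heteml.jp [157.7.188.42])
\tby box.legacycminc.com (Postfix) with ESMTPS id AEC8BFB1CB
\tfor <bmeade@legacycminc.com>; Wed,  4 Dec 2019 14:17:18 -0500 (EST)
Received: from 27.123.136.200 (27.123.136.200)
 by mail26.heteml.jp (HETEML-Fsecure);
 Thu, 05 Dec 2019 04:00:45 +0900 (JST)

"""

HOP = re.compile(r"from\s+(.*?)\s+by\s+(\S+)")
ADDR = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def received_hops(raw):
    """Return (ip, by_host) for each Received header, newest first."""
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        a = ADDR.search(m.group(1)) if m else None
        if not a:
            continue
        try:
            hops.append((ipaddress.ip_address(a.group(1)), m.group(2).lower()))
        except ValueError:  # looked like an address but is not valid IPv4
            continue
    return hops

def dnsbl_name(ip, zone="zen.spamhaus.org"):  # zone is an assumption
    """DNSBL query name: IPv4 octets reversed, followed by the zone."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone

def split_chain(raw, local_host):
    """Separate the SMTP client our server saw from header-only addresses."""
    hops = [(ip, by) for ip, by in received_hops(raw) if not ip.is_loopback]
    edge = next((i for i, (_, by) in enumerate(hops) if by == local_host), None)
    if edge is None:
        return None, [dnsbl_name(ip) for ip, _ in hops]
    return dnsbl_name(hops[edge][0]), [dnsbl_name(ip) for ip, _ in hops[edge + 1:]]

if __name__ == "__main__":
    at_smtp, header_only = split_chain(SAMPLE, "box.legacycminc.com")
    print("checked at SMTP time:", at_smtp)
    print("only visible in headers:", header_only)
```

Received lines below the edge hop were written by other servers and cannot be verified by the receiving host.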