How to simulate spam mail?

Let’s start with the most obvious question – why should I try to simulate spam mail?
And the answer is – to test our existing mail security infrastructure.

In a modern mail environment, a "security mechanism" that protects our mail infrastructure from spam mail and other threats is considered a mandatory requirement.

Given that we have implemented a mail security gateway, the big question is: how do we know that our mail security gateway is functioning, and how does it "react" to the event of spam mail?

For example, we may have defined a particular rule under which, when our mail security gateway recognizes spam mail, a notification is sent to a designated recipient, and so on.

The good news is that it is possible to create an E-mail message that will be identified as "spam mail" by design, and simulating a "spam mail" scenario is quite simple.

All we need to do is create an E-mail message that includes a predefined text string and send it to a destination recipient who is "protected" by our mail security gateway.

This trick is implemented via a standard procedure defined by the Apache SpamAssassin project.

This is the GTUBE, the Generic Test for Unsolicited Bulk Email.

If your spam filter supports it, the GTUBE provides a test by which you can verify that the filter is installed correctly and is detecting incoming spam, in a similar fashion to the EICAR anti-virus test file.

Spam filter developers should add a rule, where possible, to recognize the following 68-byte string in the message body, and trigger on it:

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

Note that this should be reproduced in one line, without whitespace or line breaks. A suitable mail message in RFC-822 format can be downloaded here.

This string and mail can be reproduced freely, without attribution; they are hereby placed in the public domain.

[Source of information – GTUBE]

Simulate spam mail

In the following section, we will simulate a scenario in which recipient A sends a spam E-mail message to recipient B.

simulate spam mail | Scenario description

In our scenario, Justin (Justin@thankyouforsharing.org) will send "spam mail" to a recipient in another organization named Bob (bob@o365pilot.com).

Bob is a user whose mailbox is hosted in Office 365 (Exchange Online).

Note: to simulate the spam mail scenario, the "sender" and the "recipient" need to belong to different organizations. For example, we cannot test the spam mail scenario when the sender and the destination recipient belong to the same Office 365 tenant, because in that case the message is treated as internal (intra-organization) mail and the EOP spam verification check is not applied to it.

Sending the spam mail

In the mail body, we will add the following text string:

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

And send the E-mail message.
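The same step as a script, as an added example that is not part of the original article: it builds the GTUBE test message with Python's standard library and, optionally, sends it through an SMTP relay. The relay host and port, and the helper names, are assumptions; the sender and recipient addresses are the ones used in this article's scenario.

```python
"""Build (and optionally send) a GTUBE spam-filter test message.

Added example, not code from the original article. The SMTP relay used by
send_gtube() is an assumption; point it at a relay that is allowed to send
to the protected recipient.
"""
import smtplib
from email import policy
from email.message import EmailMessage

# The 68-byte GTUBE string, reproduced on one line with no whitespace.
GTUBE = "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"


def build_gtube_message(sender: str, recipient: str,
                        subject: str = "GTUBE spam filter test") -> EmailMessage:
    """Return an RFC 5322 message whose body contains the GTUBE string.

    The string is placed on a line of its own so that no mail client or
    transfer encoding has a reason to wrap it; a wrapped GTUBE string is
    not recognised by filters.
    """
    msg = EmailMessage(policy=policy.SMTP)
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    body = (
        "This is a test message for the mail security gateway.\n"
        "The GTUBE string follows on its own line:\n\n"
        f"{GTUBE}\n\n"
        "If this message reaches the Inbox, the gateway did not detect GTUBE.\n"
    )
    msg.set_content(body)  # ASCII and short lines, so it stays 7bit, unwrapped
    return msg


def gtube_is_intact(raw: bytes) -> bool:
    """Check that a serialised message still carries GTUBE on one unbroken line.

    Cheap guard against a client or library that quoted-printable-wrapped
    or folded the body before the message left the sender.
    """
    return any(line.strip() == GTUBE.encode() for line in raw.splitlines())


def send_gtube(sender: str, recipient: str, smtp_host: str, smtp_port: int = 25) -> None:
    """Send the test message over SMTP (unauthenticated; adapt to your relay)."""
    msg = build_gtube_message(sender, recipient)
    raw = msg.as_bytes()
    if not gtube_is_intact(raw):
        raise ValueError("GTUBE string was wrapped; the test would be invalid")
    with smtplib.SMTP(smtp_host, smtp_port) as smtp:
        smtp.send_message(msg)


if __name__ == "__main__":
    # Addresses from the article's scenario; no message is actually sent here.
    message = build_gtube_message("Justin@thankyouforsharing.org", "bob@o365pilot.com")
    print(message.as_bytes().decode())
```

Send it from an external mailbox or relay, not from a mailbox in the same tenant as the recipient, for the reason given in the note above.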

How to simulate spam mail -01

Receiving the spam mail

In the following screenshot, we can see the E-mail message that was sent to Bob.

As we can see, the E-mail message was delivered to the Junk Email folder.

The reason is that, in an Office 365 based environment, the component that serves as the mail security gateway is EOP (Exchange Online Protection).

Each E-mail message sent to an Office 365 recipient is examined and checked by EOP.

EOP recognizes the GTUBE text string in the E-mail message and classifies the message as "spam mail" by setting the value of the SCL (spam confidence level) to "9", the highest level.
When the E-mail message reaches the recipient mailbox, the high SCL value causes the message to be moved to the Junk Email folder.

How to simulate spam mail -02

Viewing and analyzing the content of the E-mail message by using E-mail header

In this section, I would like to demonstrate the "behind the scenes" of the spam E-mail message, so we can better understand the way the Office 365 EOP server "stamps" a specific E-mail message as "spam mail."

In an Exchange based environment, an E-mail message is classified as "spam mail" by setting a particular value in the SCL header.
In our specific scenario, Exchange Online sets the SCL value to "9".

Viewing the information of the mail header.

To see the information included in the E-mail message header, we will use the OWA mail client and "fetch" the header of the spam mail that was sent to Bob.

Open the specific E-mail message and select the small arrow that appears in the right part of the E-mail message (next to the Reply all option).

How to simulate spam mail – view E-mail message header - 01

  • Select the menu – View message details.

How to simulate spam mail – view E-mail message header - 02

In the following screenshot, we can see the content of the specific E-mail message header.

How to simulate spam mail – view E-mail message header - 03

  • Select the content of the mail header (CTRL + A)
  • Copy the content by using a right mouse click and the menu Copy (or CTRL + C)

How to simulate spam mail – view E-mail message header - 04

Using the Microsoft Remote Connectivity Analyzer | Message analyzer

In the following section, we will demonstrate how to use a very useful web-based tool named Microsoft Remote Connectivity Analyzer to analyze the mail header content.

Technically speaking, there are a couple of free web-based tools that we can use for analyzing a mail header. The Microsoft Remote Connectivity Analyzer tool is just my personal preference.

Access the Microsoft Remote Connectivity Analyzer by using the following URL address: https://testconnectivity.microsoft.com/

  • Select the Message Analyzer tab
  • Right click on the “white space” and choose – Paste.

How to simulate spam mail – analyze E-mail header – using Microsoft Remote Connectivity Analyzer - 01

  • Select the button – Analyze headers

How to simulate spam mail – analyze E-mail header – using Microsoft Remote Connectivity Analyzer - 02

In the following screenshot, we can see the various mail fields included in the mail header.

The specific mail field that we are looking for is named X-Forefront-Antispam-Report-Untrusted.

In this field, we can see that the SCL value of the E-mail message is "9", meaning the E-mail message was stamped as spam mail by the EOP server.
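The same check can be done without the web tool. The following is an added example, not code from the original article: it parses the raw header text as copied from OWA and reports the SCL value, the SFV verdict code and the CAT category from X-Forefront-Antispam-Report (or its -Untrusted variant, which is the field shown in the screenshot above), falling back to X-MS-Exchange-Organization-SCL. The two sample headers are constructed for illustration (IP addresses and SFS rule ids are made up); the helper names are assumptions, and the intra-organization sample with SCL -1 is included to show the case described in the note earlier in the article.

```python
"""Extract the EOP spam verdict (SCL and related fields) from a message header.

Added example, not code from the original article. Both raw messages below
are constructed samples: the IPs, hostnames and SFS rule ids are made up,
but the header names and the SCL/SFV/CAT fields are the ones EOP stamps.
"""
from email import policy
from email.parser import BytesParser

# EOP writes its report into one of these two headers.
REPORT_HEADERS = ("X-Forefront-Antispam-Report", "X-Forefront-Antispam-Report-Untrusted")

# SFV (spam filter verdict) codes that appear in the report.
SFV_MEANING = {
    "SPM": "marked as spam by the content filter",
    "NSPM": "marked as not spam by the content filter",
    "SKI": "filtering skipped (intra-organization or trusted source)",
    "SKN": "marked as not spam before content filtering (e.g. safe sender)",
    "BLK": "blocked because the sender is on a blocked senders list",
}

# Constructed sample: an inbound GTUBE message from another organization.
SAMPLE_EXTERNAL = b"""\
X-Forefront-Antispam-Report-Untrusted: CIP:203.0.113.10;CTRY:US;LANG:en;SCL:9;SRV:;IPV:NLI;SFV:SPM;H:mail.thankyouforsharing.org;PTR:mail.thankyouforsharing.org;CAT:SPM;SFS:(1001)(1002);DIR:INB;
X-MS-Exchange-Organization-SCL: 9
From: Justin@thankyouforsharing.org
To: bob@o365pilot.com
Subject: GTUBE test

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
"""

# Constructed sample: the same body sent between two mailboxes of one tenant.
SAMPLE_INTRA_ORG = b"""\
X-Forefront-Antispam-Report: CIP:198.51.100.7;CTRY:;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:SKI;DIR:INT;
X-MS-Exchange-Organization-SCL: -1
From: alice@o365pilot.com
To: bob@o365pilot.com
Subject: GTUBE test

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
"""


def parse_forefront_report(value: str) -> dict:
    """Turn 'CIP:...;SCL:9;SFV:SPM;...' into a dict keyed by field name."""
    fields = {}
    for item in value.split(";"):
        key, sep, val = item.strip().partition(":")
        if sep:  # skips the empty item after the trailing ';'
            fields[key.strip().upper()] = val.strip()
    return fields


def scl_meaning(scl) -> str:
    """Map an SCL value to the verdict EOP attaches to it."""
    if scl is None:
        return "no SCL stamped"
    if scl == -1:
        return "filtering skipped (intra-organization, safe sender or bypass rule)"
    if scl <= 4:
        return "not spam"  # EOP stamps 0 or 1 here; 2-4 are not used
    if scl <= 6:
        return "spam"
    return "high confidence spam"  # 7, 8 or 9; GTUBE yields 9


def spam_verdict(raw: bytes) -> dict:
    """Parse a raw message header and summarize how EOP classified it."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    report = {}
    for name in REPORT_HEADERS:
        for value in msg.get_all(name, []):  # the parser unfolds wrapped header lines
            report.update(parse_forefront_report(str(value)))
    scl = None
    if "SCL" in report:
        scl = int(report["SCL"])
    elif msg["X-MS-Exchange-Organization-SCL"] is not None:
        scl = int(msg["X-MS-Exchange-Organization-SCL"])
    sfv = report.get("SFV")
    return {
        "scl": scl,
        "verdict": scl_meaning(scl),
        "sfv": sfv,
        "sfv_meaning": SFV_MEANING.get(sfv, "unknown code"),
        "category": report.get("CAT"),
        "source_ip": report.get("CIP"),
    }


if __name__ == "__main__":
    for label, raw in (("external", SAMPLE_EXTERNAL), ("intra-org", SAMPLE_INTRA_ORG)):
        print(label, spam_verdict(raw))
```

Paste the header copied from OWA into a file and pass its bytes to spam_verdict(); an SCL of 9 with SFV:SPM confirms that EOP detected the GTUBE string, while SCL -1 with SFV:SKI means the message was not filtered at all and the test was not meaningful.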

How to simulate spam mail – analyze E-mail header – using Microsoft Remote Connectivity Analyzer - 03

Author: Eyal Doron, o365info.com