Forum Discussion
Tenant Allow/Block Lists Versus Anti-spam List
Thank you for your message. Although I have a corporate account, I am the sole tenant. I want my blocks to apply to me and anyone else that I decide to add to my corporate account. I find the Tenant Block/Allow List easier to input data than Anti-Spam policy lists. So that is what I will use going forward.
Regarding your question as to whether I have checked to see if spammy (a) has a consistent sending IP address range that (b) is not shared with many more legitimate senders:
I am not sure how to do that. I have enclosed four screenshots from two different spam emails from the same sender. 1-A and 1-B are two screenshots from Message Header Analyzer for one spam email. The same applies to my screenshots 2-A and 2-B.
The IP addresses differ slightly, but they are probably from the same range. Are they shared with legitimate senders? I do not know.
I found it interesting that both spam emails passed SPF and DKIM but not DMARC.
If these screenshots are exposing sensitive information, please let me know. I can either delete this post entirely or delete the attachments.
So your problem sender is Amazon Simple Email Services. You are looking at a major mailing bureau with a very wide selection of customers varying from those sending notifications you definitely want down to those who have managed to steal or otherwise rip off an SES account to send malware phishing. Whilst it is possible to isolate some major SES customers by IP, you are not going to be able to tackle most SES problems that way.
I do see a List-Unsubscribe header, and it appears to have a consistent value. I won't post that as it might prompt the sender to change the value, but it seems a mail flow rule predicate with the value "'List-Unsubscribe' header matches the following patterns: unsubscribe\.nuisance\.com" might catch your morphing pest. Remember not to use an irrevocable mail flow action until you know the rule is reliable.
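
An added example (not part of either post) of the mail flow rule suggested above, built in Exchange Online PowerShell so it starts in audit mode and only later applies a reversible action. It assumes the ExchangeOnlineManagement module and an existing Connect-ExchangeOnline session; the rule name and the sample header values are constructed, and the pattern is the placeholder from the reply.

```powershell
# Added example. Requires an Exchange Online admin session (Connect-ExchangeOnline).
# The pattern is the placeholder from the reply above, not a real sender value.
$pattern  = 'unsubscribe\.nuisance\.com'
$ruleName = 'Nuisance sender - List-Unsubscribe match'   # hypothetical rule name

# 1. Sanity-check the regex locally against constructed header values.
#    PowerShell's -match only approximates the transport rule regex engine,
#    so treat this as a first check, not proof.
$samples = @(
    '<https://unsubscribe.nuisance.com/u/abc123>',           # expected: True
    '<mailto:leave@unsubscribe.nuisance.com?subject=stop>',  # expected: True
    '<https://unsubscribe-nuisance.com.example.org/u/1>',    # expected: False
    '<https://lists.example.org/unsubscribe>'                # expected: False
)
foreach ($value in $samples) {
    '{0,-5} {1}' -f ($value -match $pattern), $value
}

# 2. Create the rule in audit mode: matches are recorded, the action is not applied.
New-TransportRule -Name $ruleName `
    -HeaderMatchesMessageHeader 'List-Unsubscribe' `
    -HeaderMatchesPatterns $pattern `
    -Quarantine $true `
    -SetAuditSeverity Low `
    -Mode Audit

# 3. Once the recorded matches show only the unwanted sender, enforce the rule.
#    Quarantine is reversible: a wrongly caught message can still be released.
Set-TransportRule -Identity $ruleName -Mode Enforce
```

Leaving the rule in audit mode for a while and reviewing its matches in message trace is what establishes that the predicate is reliable before any action takes effect.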