Misuse of my domain.

Peter Bonivart peter at UCGBOOK.COM
Sun Nov 9 11:47:23 GMT 2003


Erik Jakobsen wrote:
> This is what I see, but I haven't seen the whole headers. What is the
> "envelope from address"?

Compare it to regular mail: you can write what you want on the paper
inside the envelope; it will still be delivered to the address on the
envelope. You can find the envelope information in your server logs.

This is from a fresh spam of mine (some info edited out with x):

Nov  9 12:17:28 kleenex sendmail[23204]: [ID 801593 mail.info]
hA9BHR7u023204: from=<bounce-fsd-459798 at blast1.myfree.com>, size=7298,
class=0, nrcpts=1,
msgid=<LYRIS-459798-1269238-2003.11.09-02.20.05--x at blast1.myfree.com>,
bodytype=8BITMIME, proto=ESMTP, daemon=MTA-v4, relay=x.x.x [x.x.x.x]

Nov  9 12:17:29 kleenex MailScanner[15265]: Message hA9BHR7u023204 from
x.x.x.x (bounce-fsd-459798 at blast1.myfree.com) to x.x is spam,
SpamAssassin (score=10.901, required 5, BAYES_99 5.40, CLICK_BELOW 0.10,
HTML_60_70 0.11, HTML_FONTCOLOR_BLUE 0.10, HTML_FONTCOLOR_UNKNOWN 0.10,
HTML_FONTCOLOR_UNSAFE 0.10, HTML_FONT_BIG 0.27, HTML_IMAGE_ONLY_10 0.02,
HTML_IMAGE_RATIO_08 0.36, HTML_LINK_CLICK_HERE 0.10, HTML_MESSAGE 0.10,
MIME_HTML_ONLY 0.32, NO_COST 1.67, NO_REAL_NAME 0.16, SUB_FREE_OFFER
1.66, SUPPLIES_LIMITED 0.33)

Look at the first line from Sendmail: it says it's from
bounce... at blast1.myfree.com. That's the envelope address and the one you
should block. Note on the second line that MS logs that address too. Now
look at this:

H??From: <MyFreeStuffDaily at MyFree.com>

It's taken from my quarantine and is the header file (qf) for the same
message; that's what they want me to see in my mail client. It will not
help to block that address since it can be anything and has nothing to
do with the actual delivery of the message. It's common for spammers to
use the same for from and to.

I hope that helps.

/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.23-11,
SpamAssassin 2.60 + DCC 1.2.9, ClamAV 20030829
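
As an added example (not part of the original post), the comparison described above can be scripted: the Python below pulls the envelope sender from sendmail `from=` log lines and the From: header from the matching qf file, then lists the envelope senders of flagged messages. The log lines, qf contents, addresses and function names are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed sample data in the same formats as the excerpts above (not real traffic).
MAILLOG = """\
Nov  9 12:17:28 mx sendmail[23204]: [ID 801593 mail.info] hA9BHR7u023204: from=<bounce-123@bulk.example.net>, size=7298, class=0, nrcpts=1, proto=ESMTP, daemon=MTA-v4, relay=out.example.net [192.0.2.10]
Nov  9 12:19:02 mx sendmail[23230]: [ID 801593 mail.info] hA9BJ1aa023230: from=<alice@example.org>, size=1204, class=0, nrcpts=1, proto=ESMTP, daemon=MTA-v4, relay=mail.example.org [198.51.100.7]
"""
QF_FILES = {  # queue id -> header lines as stored in the qf file
    "hA9BHR7u023204": "H??From: <DailyOffers@shop.example.com>\nH??Subject: Free stuff\n",
    "hA9BJ1aa023230": "H??From: Alice <alice@example.org>\nH??Subject: Lunch\n",
}

# Queue id and envelope sender from a sendmail "from=" log line.
LOG_RE = re.compile(r"sendmail\[\d+\]: (?:\[ID [^\]]*\] )?(\w+): from=<?([^>,\s]*)>?,")
# From: header line in a qf file; the optional ?flags? field may be empty.
QF_FROM_RE = re.compile(r"^H(?:\?[^?]*\?)?From:\s*(.*)$", re.I | re.M)

def envelope_senders(maillog):
    """Map queue id -> envelope sender as logged by sendmail (lowercased)."""
    return {qid: addr.lower() for qid, addr in LOG_RE.findall(maillog)}

def header_from(qf_text):
    """Return the address in the qf file's From: header, or '' if absent."""
    m = QF_FROM_RE.search(qf_text)
    return parseaddr(m.group(1))[1].lower() if m else ""

def compare(maillog, qf_files):
    """List (queue id, envelope sender, header From, differ?) per message."""
    rows = []
    for qid, env in envelope_senders(maillog).items():
        hdr = header_from(qf_files.get(qid, ""))
        rows.append((qid, env, hdr, env != hdr))
    return rows

def block_candidates(maillog, spam_ids):
    """Envelope senders of flagged messages; empty (null) senders are skipped."""
    senders = envelope_senders(maillog)
    return sorted({senders[q] for q in spam_ids if senders.get(q)})

if __name__ == "__main__":
    for row in compare(MAILLOG, QF_FILES):
        print(row)
    print(block_candidates(MAILLOG, ["hA9BHR7u023204"]))
```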
