Misuse of my domain.

Erik Jakobsen eja at URBAKKEN.DK
Sun Nov 9 11:57:44 GMT 2003


Hi Peter. Here is the header from the culprit:

 From - Sun Nov  9 10:04:43 2003
X-UIDL: H>*#!]Bd"!:4K!!bf4!!
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Received: from localhost [127.0.0.1] by lajka2
        with SpamAssassin (2.55 1.174.2.19-2003-05-19-exp);
        Sun, 09 Nov 2003 10:04:06 +0100
From: john at urbakken.dk
To: Erik <erik at urbakken.dk>
Date: Sun,  9 Nov 2003 09:35:38 +0100 (CET)
Message-Id: <20031109083538.E8CEFC062 at fupA.post.tele.dk>
X-Spam-Flag: YES
X-Spam-Status: Yes, hits=5.2 required=5.0
        tests=AWL,BAYES_90,NO_REAL_NAME
        version=2.55
X-Spam-Level: *****
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_3FAE0306.3C6CC969"
X-UIDL: H>*#!]Bd"!:4K!!bf4!!

This is a multi-part message in MIME format.

------------=_3FAE0306.3C6CC969
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

This mail is probably spam.  The original message has been attached
along with this report, so you can recognize or block similar unwanted
mail in future.  See http://spamassassin.org/tag/ for more details.

Content preview:  [...]

Content analysis details:   (5.20 points, 5 required)
NO_REAL_NAME       (1.1 points)  From: does not include a real name
BAYES_90           (4.0 points)  BODY: Bayesian classifier says spam
probability is 90 to 99%
                    [score: 0.9897]
AWL                (0.1 points)  AWL: Auto-whitelist adjustment



------------=_3FAE0306.3C6CC969
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Return-Path: <john at urbakken.dk>
X-Original-To: erik at localhost
Delivered-To: erik at localhost.lajka2.local
Received: from localhost (localhost [127.0.0.1])
        by lajka2.local (Postfix) with ESMTP id 34954480F5
        for <erik at localhost>; Sun,  9 Nov 2003 10:03:47 +0100 (CET)
Delivered-To: erik at urbakken.dk
Received: from urbakken.dk [192.168.1.1]
        by localhost with POP3 (fetchmail-6.2.1)
        for erik at localhost (single-drop); Sun, 09 Nov 2003 10:03:47 +0100 (CET)
Received: from fupA.post.tele.dk (fupA.post.tele.dk [195.41.53.68])
        by gateway.urbakken.dk (Postfix) with ESMTP id 160D1AAB39
        for <erik at urbakken.dk>; Sun,  9 Nov 2003 03:35:48 -0500 (EST)
Received: from localhost (D40A6EA5.rev.stofanet.dk [212.10.110.165])
        by fupA.post.tele.dk (Postfix) with SMTP id E8CEFC062
        for <erik at urbakken.dk>; Sun,  9 Nov 2003 09:35:38 +0100 (CET)
From: john at urbakken.dk
To: Erik <erik at urbakken.dk>
Reply-To: john at urbakken.dk
Message-Id: <20031109083538.E8CEFC062 at fupA.post.tele.dk>
Date: Sun,  9 Nov 2003 09:35:38 +0100 (CET)
X-yoursite-MailScanner-Information: Please contact the ISP for more
        information
X-yoursite-MailScanner: Found to be clean



------------=_3FAE0306.3C6CC969--


Peter Bonivart wrote:
> Erik Jakobsen wrote:
>
>> This is what I see, but I haven't seen the whole headers. What is the
>> "envelope from address"?
>
>
> Compare it to regular mail: you can write what you want on the paper
> inside the envelope; it will still be delivered to the address on the
> envelope. You can find the envelope information in your server logs.
>
> This is from a fresh spam of mine (some info edited out with x):
>
> Nov  9 12:17:28 kleenex sendmail[23204]: [ID 801593 mail.info]
> hA9BHR7u023204: from=<bounce-fsd-459798 at blast1.myfree.com>, size=7298,
> class=0, nrcpts=1,
> msgid=<LYRIS-459798-1269238-2003.11.09-02.20.05--x at blast1.myfree.com>,
> bodytype=8BITMIME, proto=ESMTP, daemon=MTA-v4, relay=x.x.x [x.x.x.x]
>
> Nov  9 12:17:29 kleenex MailScanner[15265]: Message hA9BHR7u023204 from
> x.x.x.x (bounce-fsd-459798 at blast1.myfree.com) to x.x is spam,
> SpamAssassin (score=10.901, required 5, BAYES_99 5.40, CLICK_BELOW 0.10,
> HTML_60_70 0.11, HTML_FONTCOLOR_BLUE 0.10, HTML_FONTCOLOR_UNKNOWN 0.10,
> HTML_FONTCOLOR_UNSAFE 0.10, HTML_FONT_BIG 0.27, HTML_IMAGE_ONLY_10 0.02,
> HTML_IMAGE_RATIO_08 0.36, HTML_LINK_CLICK_HERE 0.10, HTML_MESSAGE 0.10,
> MIME_HTML_ONLY 0.32, NO_COST 1.67, NO_REAL_NAME 0.16, SUB_FREE_OFFER
> 1.66, SUPPLIES_LIMITED 0.33)
>
> Look at the first line from Sendmail: it says it's from
> bounce... at blast1.myfree.com. That's the envelope address and the one you
> should block; note on the second line that MS logs that address too. Now
> look at this:
>
> H??From: <MyFreeStuffDaily at MyFree.com>
>
> It's taken from my quarantine and is the header file (qf) for the same
> message; that's what they want me to see in my mail client. It will not
> help to block that address, since it can be anything and has nothing to
> do with the actual delivery of the message; it's common for spammers to
> use the same for from and to.
>
> I hope that helps.
>
> /Peter Bonivart
>
> --Unix lovers do it in the Sun
>
> Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.23-11,
> SpamAssassin 2.60 + DCC 1.2.9, ClamAV 20030829
>
>


--
Med venlig hilsen - Best regards.
Erik Jakobsen - eja at urbakken.dk.
Licensed radioamateur with the callsign OZ4KK.
SuSE Linux 8.2 Proff.
Registered as user #319488 with the Linux Counter, http://counter.li.org.
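As an added illustration of the distinction Peter draws (not code from either poster or from MailScanner), the script below pulls the two pieces of evidence apart: the envelope sender (the `Return-Path:` the final MTA recorded, or the `from=<...>` field in a sendmail log line) versus the `From:` header, and the `Received:` chain split into the lines written by the recipient's own hosts, which can be trusted to name the relay that actually connected, and the older lines written by other parties, which may say anything. The sample message is constructed from the original-message headers quoted above with the archive's " at " obfuscation written back as "@"; the sendmail line is Peter's, likewise restored. `OUR_DOMAIN` and `OUR_HOSTS` are assumptions read off that header chain.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Assumptions taken from the header chain in the post: the domain being
# claimed in From:, and the hosts whose Received: lines we wrote ourselves.
OUR_DOMAIN = "urbakken.dk"
OUR_HOSTS = {"lajka2.local", "localhost", "gateway.urbakken.dk"}

# Constructed sample: the original message's headers as quoted above,
# with "@" restored. Newest Received: line is on top, as always.
RAW_MESSAGE = """\
Return-Path: <john@urbakken.dk>
X-Original-To: erik@localhost
Delivered-To: erik@localhost.lajka2.local
Received: from localhost (localhost [127.0.0.1])
        by lajka2.local (Postfix) with ESMTP id 34954480F5
        for <erik@localhost>; Sun,  9 Nov 2003 10:03:47 +0100 (CET)
Delivered-To: erik@urbakken.dk
Received: from urbakken.dk [192.168.1.1]
        by localhost with POP3 (fetchmail-6.2.1)
        for erik@localhost (single-drop); Sun, 09 Nov 2003 10:03:47 +0100 (CET)
Received: from fupA.post.tele.dk (fupA.post.tele.dk [195.41.53.68])
        by gateway.urbakken.dk (Postfix) with ESMTP id 160D1AAB39
        for <erik@urbakken.dk>; Sun,  9 Nov 2003 03:35:48 -0500 (EST)
Received: from localhost (D40A6EA5.rev.stofanet.dk [212.10.110.165])
        by fupA.post.tele.dk (Postfix) with SMTP id E8CEFC062
        for <erik@urbakken.dk>; Sun,  9 Nov 2003 09:35:38 +0100 (CET)
From: john@urbakken.dk
To: Erik <erik@urbakken.dk>
Reply-To: john@urbakken.dk
Message-Id: <20031109083538.E8CEFC062@fupA.post.tele.dk>
Date: Sun,  9 Nov 2003 09:35:38 +0100 (CET)

(body omitted)
"""

# Constructed sample: Peter's sendmail log line with "@" restored.
SENDMAIL_LOG_LINE = (
    "Nov  9 12:17:28 kleenex sendmail[23204]: [ID 801593 mail.info] "
    "hA9BHR7u023204: from=<bounce-fsd-459798@blast1.myfree.com>, size=7298, "
    "class=0, nrcpts=1, "
    "msgid=<LYRIS-459798-1269238-2003.11.09-02.20.05--x@blast1.myfree.com>, "
    "bodytype=8BITMIME, proto=ESMTP, daemon=MTA-v4, relay=x.x.x [x.x.x.x]"
)

# "from HELO (rdns [ip]) by host" or "from HELO [ip] by host"
RECEIVED_RE = re.compile(r"from (\S+)(?: \(([^)]*)\))?(?: \[([\d.]+)\])? by (\S+)")


def parse_received(value):
    """Split one (unfolded) Received: value into helo, comment, ip and by."""
    flat = re.sub(r"\s+", " ", value)
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    helo, comment, ip, by = m.groups()
    if ip is None and comment:  # address sits inside the rDNS comment
        ipm = re.search(r"\[([\d.]+)\]", comment)
        ip = ipm.group(1) if ipm else None
    return {"helo": helo, "comment": comment, "ip": ip, "by": by}


def envelope_vs_header(raw):
    """Envelope sender (Return-Path, written at final delivery) vs From: header."""
    msg = message_from_string(raw, policy=default)
    envelope = parseaddr(str(msg.get("Return-Path", "")))[1]
    header_from = parseaddr(str(msg.get("From", "")))[1]
    return {
        "envelope_sender": envelope,
        "header_from": header_from,
        "claims_our_domain": header_from.endswith("@" + OUR_DOMAIN),
    }


def received_chain(raw):
    """All Received: hops, newest first, as parsed dicts."""
    msg = message_from_string(raw, policy=default)
    return [h for h in (parse_received(str(v)) for v in msg.get_all("Received", [])) if h]


def locate_handoff(hops):
    """Walk newest to oldest while the 'by' host is ours. The last such hop is
    the boundary: its 'from' IP really connected to us. Everything older was
    written by other parties, so the earliest 'from' is only a claimed origin."""
    boundary = None
    for i, hop in enumerate(hops):
        if hop["by"] not in OUR_HOSTS:
            break
        boundary = i
    if boundary is None:
        return None
    untrusted = hops[boundary + 1:]
    return {
        "handoff_ip": hops[boundary]["ip"],
        "handoff_helo": hops[boundary]["helo"],
        "claimed_origin_ip": untrusted[-1]["ip"] if untrusted else None,
        "untrusted_hops": len(untrusted),
    }


def envelope_sender_from_sendmail_log(line):
    """The from=<...> field is the envelope sender the MTA actually received."""
    m = re.search(r"\bfrom=<([^>]*)>", line)
    return m.group(1) if m else None


if __name__ == "__main__":
    print(envelope_vs_header(RAW_MESSAGE))
    print(locate_handoff(received_chain(RAW_MESSAGE)))
    print(envelope_sender_from_sendmail_log(SENDMAIL_LOG_LINE))
```

Run against the sample, the envelope sender and the From: header agree and both claim the recipient's own domain, so neither is a useful thing to block on its own; the trustworthy fact is that the message was handed to gateway.urbakken.dk by 195.41.53.68, and the 212.10.110.165 origin is only what the tele.dk relay's own Received: line claims.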


