Misuse of my domain.

Erik Jakobsen eja at URBAKKEN.DK
Sun Nov 9 11:57:44 GMT 2003

Hi Peter. Here is the header from the culprit:

 From - Sun Nov  9 10:04:43 2003
X-UIDL: H>*#!]Bd"!:4K!!bf4!!
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Received: from localhost [] by lajka2
        with SpamAssassin (2.55;
        Sun, 09 Nov 2003 10:04:06 +0100
From: john at urbakken.dk
To: Erik <erik at urbakken.dk>
Date: Sun,  9 Nov 2003 09:35:38 +0100 (CET)
Message-Id: <20031109083538.E8CEFC062 at fupA.post.tele.dk>
X-Spam-Flag: YES
X-Spam-Status: Yes, hits=5.2 required=5.0
X-Spam-Level: *****
X-Spam-Checker-Version: SpamAssassin 2.55 (
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_3FAE0306.3C6CC969"
X-UIDL: H>*#!]Bd"!:4K!!bf4!!

This is a multi-part message in MIME format.

Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

This mail is probably spam.  The original message has been attached
along with this report, so you can recognize or block similar unwanted
mail in future.  See http://spamassassin.org/tag/ for more details.

Content preview:  [...]

Content analysis details:   (5.20 points, 5 required)
NO_REAL_NAME       (1.1 points)  From: does not include a real name
BAYES_90           (4.0 points)  BODY: Bayesian classifier says spam
probability is 90 to 99%
                    [score: 0.9897]
AWL                (0.1 points)  AWL: Auto-whitelist adjustment

Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Return-Path: <john at urbakken.dk>
X-Original-To: erik at localhost
Delivered-To: erik at localhost.lajka2.local
Received: from localhost (localhost [])
        by lajka2.local (Postfix) with ESMTP id 34954480F5
        for <erik at localhost>; Sun,  9 Nov 2003 10:03:47 +0100 (CET)
Delivered-To: erik at urbakken.dk
Received: from urbakken.dk []
        by localhost with POP3 (fetchmail-6.2.1)
        for erik at localhost (single-drop); Sun, 09 Nov 2003 10:03:47 +0100 (CET)
Received: from fupA.post.tele.dk (fupA.post.tele.dk [])
        by gateway.urbakken.dk (Postfix) with ESMTP id 160D1AAB39
        for <erik at urbakken.dk>; Sun,  9 Nov 2003 03:35:48 -0500 (EST)
Received: from localhost (D40A6EA5.rev.stofanet.dk [])
        by fupA.post.tele.dk (Postfix) with SMTP id E8CEFC062
        for <erik at urbakken.dk>; Sun,  9 Nov 2003 09:35:38 +0100 (CET)
From: john at urbakken.dk
To: Erik <erik at urbakken.dk>
Reply-To: john at urbakken.dk
Message-Id: <20031109083538.E8CEFC062 at fupA.post.tele.dk>
Date: Sun,  9 Nov 2003 09:35:38 +0100 (CET)
X-yoursite-MailScanner-Information: Please contact the ISP for more
X-yoursite-MailScanner: Found to be clean


Peter Bonivart wrote:
> Erik Jakobsen wrote:
>> This is what I see, but I haven't seen the whole headers. What is the
>> "envelope from address"?
> Compare it to regular mail, you can write what you want on the paper
> inside the envelope, it will still be delivered to the address on the
> envelope. You can find the envelope information in your server logs.
> This is from a fresh spam of mine (some info edited out with x):
>
> Nov  9 12:17:28 kleenex sendmail[23204]: [ID 801593 mail.info]
> hA9BHR7u023204: from=<bounce-fsd-459798 at blast1.myfree.com>, size=7298,
> class=0, nrcpts=1,
> msgid=<LYRIS-459798-1269238-2003.11.09-02.20.05--x at blast1.myfree.com>,
> bodytype=8BITMIME, proto=ESMTP, daemon=MTA-v4, relay=x.x.x [x.x.x.x]
> Nov  9 12:17:29 kleenex MailScanner[15265]: Message hA9BHR7u023204 from
> x.x.x.x (bounce-fsd-459798 at blast1.myfree.com) to x.x is spam,
> SpamAssassin (score=10.901, required 5, BAYES_99 5.40, CLICK_BELOW 0.10,
> 1.66, SUPPLIES_LIMITED 0.33)
>
> Look at the first line from Sendmail, it says it's from
> bounce... at blast1.myfree.com, that's the envelope address and the one you
> should block, note on the second line that MS logs that address too. Now
> look at this:
>
> H??From: <MyFreeStuffDaily at MyFree.com>
>
> It's taken from my quarantine and is the header file (qf) for the same
> message, that's what they want me to see in my mail client. It will not
> help to block that address since it can be anything and has nothing to
> do with the actual delivery of the message, it's common for spammers to
> use the same for from and to.
>
> I hope that helps.
>
> /Peter Bonivart
> --Unix lovers do it in the Sun
> Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.23-11,
> SpamAssassin 2.60 + DCC 1.2.9, ClamAV 20030829

Med venlig hilsen - Best regards.
Erik Jakobsen - eja at urbakken.dk.
Licensed radioamateur with the callsign OZ4KK.
SuSE Linux 8.2 Proff.
Registered as user #319488 with the Linux Counter, http://counter.li.org.
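
Added example, not part of the original messages: a Python sketch that reads a message like the one pasted above, compares the envelope sender recorded in Return-Path with the header From, and walks the Received chain to show which host handed the mail to the local gateway. The sample message, the example.org/example.net names, the queue ids and the IPs are constructed placeholders, and `analyse` is a hypothetical helper name.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers in the post. Domains, host
# names, queue ids and IPs are placeholders (example.* / documentation ranges).
RAW = """\
Return-Path: <john@example.org>
Received: from relay.isp.example.net (relay.isp.example.net [192.0.2.10])
        by gateway.example.org (Postfix) with ESMTP id AAAA000001
        for <erik@example.org>; Sun,  9 Nov 2003 03:35:48 -0500 (EST)
Received: from localhost (dialup-17.pool.example.net [198.51.100.17])
        by relay.isp.example.net (Postfix) with SMTP id BBBB000002
        for <erik@example.org>; Sun,  9 Nov 2003 09:35:38 +0100 (CET)
From: john@example.org
To: Erik <erik@example.org>

constructed body
"""

# "from HELO (rdns [ip]) by receiver"; the IP may be empty, as in the post.
HOP = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([^\]]*)\]\)\s+by\s+(\S+)")

def domain(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def in_domain(host, dom):
    host = host.lower()
    return host == dom or host.endswith("." + dom)

def analyse(raw, local_domain):
    msg = message_from_string(raw)
    # Oldest hop first. Only hops written by your own servers can be
    # trusted; anything older was supplied by the sending side.
    chain = [m.groups() for h in reversed(msg.get_all("Received", []))
             if (m := HOP.search(h))]
    env = domain(msg.get("Return-Path", ""))  # envelope sender at delivery
    hdr = domain(msg.get("From", ""))         # what the mail client shows
    # First hop received by one of our hosts: its peer handed us the mail.
    entry = next((h for h in chain if in_domain(h[3], local_domain)), None)
    return {
        "envelope_domain": env,
        "header_domain": hdr,
        "claims_local": local_domain in (env, hdr),
        "entered_from": entry[1] if entry else None,
        "entered_external": bool(entry) and not in_domain(entry[1], local_domain),
        "origin": chain[0][1:3] if chain else None,
    }

if __name__ == "__main__":
    print(analyse(RAW, "example.org"))
```

When `claims_local` and `entered_external` are both true, the message uses the local domain as sender but was handed to the gateway by an outside relay, which is the situation the pasted headers show.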
