Some e-mails not being scanned? {Scanned}

SW wppiphoto at wppi.com
Sun Feb 22 09:31:52 GMT 2004


Julian,

Sorry, I didn't see your reply until tonight. Oops! In regards to your reply,
these e-mails that bypass MS/SA in no way come from any place which I
have whitelisted. We use openwebmail but I'm not sure how this spammer is
using that to bypass MS/SA.

The strange thing is that only e-mails with the 'X-AntiAbuse' header seem to
bypass MS/SA. Can anyone see a pattern and possibilities of how this spammer
is bypassing MS/SA? Here is some more header info from some recent e-mails,
all from the same spammer:

Return-Path: <shelhaxr at tamil.com>
Received: from 1stbulkemail.com (pD9504F54.dip.t-dialin.net [217.80.79.84])
 by wppi.com (8.10.2/8.10.2) with SMTP id i1M7FWf10235
 for <sales at wppi.com>; Sun, 22 Feb 2004 02:15:33 -0500
Received: (from www at localhost)
    by 1stbulkemail.com (8.11.6p2/8.11.3) with ESMTP id J87Gz028030521
    for <sales at wppi.com>; Sun, 22 Feb 2004 07:15:07 +0000 (GMT)
    (envelope-from www)
Message-ID: <697663289192.4DuK9L6i87y3H4 at localhost>
From: "Shara Montoya" <shelhaxr at tamil.com>
To: sales at wppi.com
Subject: Design Your Logo {Scanned}
Date: Sun, 22 Feb 2004 07:15:07 +0000 (GMT)
X-AntiAbuse: This header was added to track abuse, please include it with
any abuse report
X-AntiAbuse: Primary Hostname - 1stbulkemail.com
X-AntiAbuse: Original Domain - 1stbulkemail.com
X-AntiAbuse: Originator/Caller UID/GID - [80 80] / [80 80]
X-AntiAbuse: Sender Address Domain -
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_0222_01C3C64F.FBD71A00"

--------------------------------------------------------------------------------

Return-Path: <hahgjkcr at gundamfan.com>
Received: from eofficemail.com ([218.157.147.241])
 by wash-photo.com (8.10.2/8.10.2) with SMTP id i1M13of25927
 for <sales at wash-photo.com>; Sat, 21 Feb 2004 20:03:51 -0500
Received: (from www at localhost)
    by eofficemail.com (Vircom SMTPRS 2.1.258) with ESMTP id J87Gz030585292
    for <sales at wash-photo.com>; Sat, 21 Feb 2004 20:04:42 -0500 (EST)
    (envelope-from www)
Message-ID: <380117213434.PbtrkS09esY7Q8 at localhost>
From: "Laquita Ewing" <hahgjkcr at gundamfan.com>
To: sales at wash-photo.com
Subject: Custom Logo Creation {Scanned}
Date: Sat, 21 Feb 2004 20:04:42 -0500 (EST)
X-AntiAbuse: This header was added to track abuse, please include it with
any abuse report
X-AntiAbuse: Primary Hostname - eofficemail.com
X-AntiAbuse: Original Domain - eofficemail.com
X-AntiAbuse: Originator/Caller UID/GID - [80 80] / [80 80]
X-AntiAbuse: Sender Address Domain -
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_0222_01C3C64F.FBD71A00"



--------------------------------------------------------------------------------

Return-Path: <zpmdewwg at netsiam.com>
Received: from emailphonebook.net
(lsanca2-ar32-4-33-033-229.lsanca2.dsl-verizon.net [4.33.33.229])
 by ultraphotos.com (8.10.2/8.10.2) with SMTP id i1LKDLf12864
 for <sales at ultraphotos.com>; Sat, 21 Feb 2004 15:13:21 -0500
Received: (from www at localhost)
    by emailphonebook.net (8.12.8/8.10.0) with ESMTP id J87Gz028821499
    for <sales at ultraphotos.com>; Sat, 21 Feb 2004 20:07:22 +0000 (GMT)
    (envelope-from www)
Message-ID: <548455242357.f8H0iBG31vW05g at localhost>
From: "Sade Rowe" <zpmdewwg at netsiam.com>
To: sales at ultraphotos.com
Subject: Flash Logo Animation {Scanned}
Date: Sat, 21 Feb 2004 20:07:22 +0000 (GMT)
X-AntiAbuse: This header was added to track abuse, please include it with
any abuse report
X-AntiAbuse: Primary Hostname - emailphonebook.net
X-AntiAbuse: Original Domain - emailphonebook.net
X-AntiAbuse: Originator/Caller UID/GID - [80 80] / [80 80]
X-AntiAbuse: Sender Address Domain -
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_0222_01C3C64F.FBD71A00"

----- Original Message -----
From: "Julian Field" <mailscanner at ECS.SOTON.AC.UK>
To: <MAILSCANNER at JISCMAIL.AC.UK>
Sent: Sunday, February 15, 2004 1:08 PM
Subject: Re: Some e-mails not being scanned? {Scanned}


> I suspect from the headers that you have an email-generating app (a webmail
> system perhaps?) that is sending mail by directly invoking the sendmail
> binary. You need to get this app to send mail by talking SMTP to localhost
> instead.
> Either that or you have bypassed the MS host in some way for this mail. As
> you don't say which of the systems involved is the MS host, it is
> impossible to say for definite.
>
> At 15:42 15/02/2004, you wrote:
> >Can someone tell me why some e-mails don't get scanned by MS/SA? I know they
> >are not being scanned because they are missing the mailscanner header info.
> >The only thing I can think of is that there is something in mailscanner
> >which ignores e-mails that contain in the header 'X-AntiAbuse' and flags
> >them as non-spam. Not sure if I'm right but hopefully someone here can help.
> >
> >Here is a sample e-mail header which does not get scanned by mailscanner:
> >
> >Return-Path: <txcqkkkg at boardermail.com>
> >Received: from free-web-hosting-and-free-email.com
> >(pcp07722622pcs.nrockv01.md.comcast.net [69.138.239.114])
> >  by wppi.net (8.10.2/8.10.2) with SMTP id i1BMkQA01925
> >  for <sales at wppi.net>; Wed, 11 Feb 2004 17:46:30 -0500
> >Received: (from www at localhost)
> >     by free-web-hosting-and-free-email.com (SMTPD32-7.00) with ESMTP id
> >J87Gz037587771
> >     for <sales at wppi.net>; Wed, 11 Feb 2004 17:44:37 -0500 (EST)
> >     (envelope-from www)
> >Message-ID: <823244444119.yyr36h3MgwRq8N at localhost>
> >From: "Ruthie Nixon" <txcqkkkg at boardermail.com>
> >To: sales at wppi.net
> >Subject: Website Intros and Animated Logos {Scanned}
> >Date: Wed, 11 Feb 2004 17:44:37 -0500 (EST)
> >X-AntiAbuse: This header was added to track abuse, please include it with
> >any abuse report
> >X-AntiAbuse: Primary Hostname - free-web-hosting-and-free-email.com
> >X-AntiAbuse: Original Domain - free-web-hosting-and-free-email.com
> >X-AntiAbuse: Originator/Caller UID/GID - [80 80] / [80 80]
> >X-AntiAbuse: Sender Address Domain -
> >MIME-Version: 1.0
> >Content-Type: multipart/alternative;
> >         boundary="----=_NextPart_000_0222_01C3C64F.FBD71A00"
> >
> >
> >Thanks,
> >
> >SW
> >
> >
> >
> >-------------------------------------------------
> >         WPPi.com        |        WPPi.Net
> >-------------------------------------------------
> >   http://www.wppi.com   |  http://www.wppi.net
> >-------------------------------------------------
> >WPPi.com & WPPi.Net MailScanner Signature
> >This message has been scanned for viruses
> >and dangerous content by WPPi MailScanner,
> >and has been found to be clean.
> >-------------------------------------------------
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
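
An added example (not from the original thread and not MailScanner's own code): a header triage that separates the two cases raised in the quoted reply, local submission through the sendmail binary versus mail that arrived over SMTP on the receiving host without passing the scanner. The scanner header pattern, the `triage` function and the example.com hosts are assumptions; the sample messages are constructed.

```python
import re
from email import message_from_string

# Assumption: the scanner header name is site-configurable; adjust the pattern.
SCANNER_HDR = re.compile(r"^X-(?:.+-)?MailScanner", re.I)
LOCAL_HOP = re.compile(r"^\(from \S+@localhost\) by (\S+)", re.I)
SMTP_HOP = re.compile(r"^from \S+ .*?\bby (\S+)", re.I)

def triage(raw, our_hosts):
    """Classify one message by how it reached us and whether it was scanned."""
    msg = message_from_string(raw)
    if any(SCANNER_HDR.match(name) for name in msg.keys()):
        return "scanned"
    hops = []  # topmost Received first, i.e. the hop closest to delivery
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        for kind, rx in (("local", LOCAL_HOP), ("smtp", SMTP_HOP)):
            m = rx.match(flat)
            if m:
                hops.append((kind, m.group(1).lower()))
                break
    # Only hops stamped by our own hosts are trustworthy; anything below
    # them was supplied by the sender and can be forged.
    ours = [(kind, host) for kind, host in hops if host in our_hosts]
    if any(kind == "local" for kind, _ in ours):
        return "local-submission"   # an app on our host ran the sendmail binary
    if ours and ours[0][0] == "smtp":
        return "smtp-unscanned"     # accepted over SMTP, delivery skipped the scanner
    return "unknown"

# Constructed samples; hosts and addresses are reserved example values.
VIA_SMTP = """\
Received: from bulk.example.net (host.example.org [192.0.2.10])
 by mx.example.com (8.10.2/8.10.2) with SMTP id a1; Sun, 22 Feb 2004 02:15:33 -0500
Received: (from www@localhost)
    by bulk.example.net (8.11.6/8.11.3) with ESMTP id b2; Sun, 22 Feb 2004 07:15:07 +0000
Subject: constructed sample
"""
VIA_BINARY = """\
Received: (from www@localhost)
    by mx.example.com (8.10.2/8.10.2) id c3; Sun, 22 Feb 2004 02:20:00 -0500
Subject: constructed sample
"""
SCANNED = "X-MailScanner: Found to be clean\n" + VIA_SMTP
OUR_HOSTS = {"mx.example.com"}
print([triage(m, OUR_HOSTS) for m in (VIA_SMTP, VIA_BINARY, SCANNED)])
```

A `(from www@localhost)` line stamped by a host outside `OUR_HOSTS` is sender-supplied, so it is ignored when deciding which path the message took.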


