Process on Message-ID header contents?

Lew Wolfgang wolfgang at sweet-haven.com
Tue Sep 28 20:26:15 IST 2010


  On 09/28/2010 05:20 AM, Hugo van der Kooij wrote:
> On Fri, 24 Sep 2010 14:01:56 -0700, Lew Wolfgang
> <wolfgang at sweet-haven.com>
> wrote:
>> Hi Folks,
>>
>> I've been getting blasted with porn-spam from hotmail.com for the past
> few
>> weeks.
>> The spam has been getting past my (rather old) MailScanner installation.
>> It would be
>> nice to just block everything from hotmail, but that won't work due to
>> much
>> legitimate traffic from there.
> Please pastebin a sample somewhere so we can inspect all headers.
>
> Also tell us which MTA you are using so suggestions may include MTA
> specific solutions.

Hi Hugo,

I've included a paste of a recent spam below.

The "phx.gbl" in the Message-ID header is common in all these spams, as are the two addresses on the To: line. The live.com accounts don't exist. There's also some Bayes spoilage in each message. The last relay has always been in the hotmail.com domain, but different actual servers show up. MTA is sendmail.

Regards,
Lew

Received: from snt0-omc4-s32.snt0.hotmail.com (snt0-omc4-s32.snt0.hotmail.com [65.55.90.235])
	by sanrail.com (8.12.11.20060308/8.12.10/SuSE Linux 0.7) with ESMTP id o8SG74a7013200
	for<wolfgang at sweet-haven.com>; Tue, 28 Sep 2010 09:07:10 -0700
Received: from SNT135-W16 ([65.55.90.200]) by snt0-omc4-s32.snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
	 Tue, 28 Sep 2010 09:07:02 -0700
Message-ID:<SNT135-w1638B60BE98D980FE8A971DF660 at phx.gbl>
Content-Type: multipart/alternative;
	boundary="_8336028d-e177-48a9-8f40-59061affa14e_"
X-Originating-IP: [77.203.214.143]
From: Avis Ludwig<avilliigle at hotmail.com>
To:<wolfgang79 at live.com>,<wolfgang at sweet-haven.com>
Subject: Check Hot Russians Absiolutely Free Photos
Date: Tue, 28 Sep 2010 16:07:01 +0000
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 28 Sep 2010 16:07:02.0483 (UTC) FILETIME=[300ECA30:01CB5F27]
X-Sanrail-MailScanner-Information: Please contact postmaster at sanrail.com for more information
X-Sanrail-MailScanner: Found to be clean
X-Sanrail-MailScanner-SpamCheck: not spam, SpamAssassin (score=-2.102,
	required 3.2, autolearn=not spam, BAYES_00 -2.60, HTML_40_50 0.50,
	HTML_MESSAGE 0.00)
X-Sanrail-MailScanner-From: avilliigle at hotmail.com

--_8336028d-e177-48a9-8f40-59061affa14e_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable


Check Hot Russians Absiolutely Free Photos
dog down?The top dog in this kennel=2C whom I am sure you will be meeting s=
oon=2C Was the explosion an accident? If it wasnt-who caused it? There aret=
here with us=2C singing the song. You could see that? The difference is obv=
ious I suppose=2C to someonethe note in my palm when I read it. On the seve=
nth day we did not rest. After a final round of rehearsal 		 	   		  =

--_8336028d-e177-48a9-8f40-59061affa14e_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<html>
<head>
<style><!--
.hmmessage P
{
margin:0px=3B
padding:0px
}
body.hmmessage
{
font-size: 10pt=3B
font-family:Tahoma
}
--></style>
</head>
<body class=3D'hmmessage'>
<FONT size=3D5 face=3DArial><A href=3D"http://tiddlyurl.com/m5ujq3">Check H=
ot Russians Absiolutely Free Photos</A></FONT>

<DIV>dog down?The top dog in this kennel=2C whom I am sure you will be meet=
ing soon=2C Was the explosion an accident? If it wasnt-who caused it? There=
  arethere with us=2C singing the song. You could see that? The difference i=
s obvious I suppose=2C to someonethe note in my palm when I read it. On the=
  seventh day we did not rest. After a final round of rehearsal</DIV>  		 	=
  		</body>
</html>=

--_8336028d-e177-48a9-8f40-59061affa14e_--
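
The post asks whether a filter can act on Message-ID header contents, and the sample above shows the three indicators that recur: the "phx.gbl" Message-ID domain, a lookalike recipient at live.com beside the real local address, and a last relay inside hotmail.com. The script below is an added example, not code from the original post or from the MailScanner or SpamAssassin projects; it parses the thread's own header set (with the list archive's "at" obfuscation undone and the body dropped) and scores those indicators SpamAssassin-style against the 3.2 threshold visible in the sample's X-Sanrail-MailScanner-SpamCheck header. The rule names, their scores, the "lookalike local part" heuristic for the To: line, and the benign control message are all assumptions constructed for the example.

```python
"""Score a raw message on the header indicators discussed in the thread.

Added example, not part of the original post or of MailScanner/SpamAssassin.
Rule names, scores and the lookalike heuristic are assumptions for illustration.
"""
import email
import re
from email import policy
from email.utils import getaddresses

# Constructed from the headers pasted in the thread ("at" restored to "@", body omitted).
SPAM_SAMPLE = """\
Received: from snt0-omc4-s32.snt0.hotmail.com (snt0-omc4-s32.snt0.hotmail.com [65.55.90.235])
\tby sanrail.com (8.12.11.20060308/8.12.10/SuSE Linux 0.7) with ESMTP id o8SG74a7013200
\tfor <wolfgang@sweet-haven.com>; Tue, 28 Sep 2010 09:07:10 -0700
Received: from SNT135-W16 ([65.55.90.200]) by snt0-omc4-s32.snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
\t Tue, 28 Sep 2010 09:07:02 -0700
Message-ID: <SNT135-w1638B60BE98D980FE8A971DF660@phx.gbl>
From: Avis Ludwig <avilliigle@hotmail.com>
To: <wolfgang79@live.com>, <wolfgang@sweet-haven.com>
Subject: Check Hot Russians Absiolutely Free Photos
Date: Tue, 28 Sep 2010 16:07:01 +0000
MIME-Version: 1.0

(body omitted)
"""

# Constructed control: same provider and Message-ID domain, but no lookalike recipient.
HAM_SAMPLE = """\
Received: from snt0-omc4-s32.snt0.hotmail.com (snt0-omc4-s32.snt0.hotmail.com [65.55.90.235])
\tby sanrail.com (8.12.11.20060308/8.12.10/SuSE Linux 0.7) with ESMTP id o8SG74a7013201
\tfor <wolfgang@sweet-haven.com>; Tue, 28 Sep 2010 09:10:00 -0700
Message-ID: <SNT135-w0000000000000000000000000000@phx.gbl>
From: A Friend <friend@hotmail.com>
To: <wolfgang@sweet-haven.com>
Subject: Lunch on Friday?
Date: Tue, 28 Sep 2010 16:09:58 +0000
MIME-Version: 1.0

(body omitted)
"""

LOCAL_DOMAIN = "sweet-haven.com"      # the receiving domain in the thread
REQUIRED = 3.2                        # "required 3.2" from the sample's SpamCheck header
RULE_SCORES = {                       # assumed scores, chosen so only the combination trips the threshold
    "MSGID_PHX_GBL": 1.5,
    "LAST_RELAY_HOTMAIL": 0.5,
    "TO_LIVE_LOOKALIKE": 2.0,
}


def message_id_domain(msg):
    """Right-hand side of the Message-ID, lower-cased ('' if absent)."""
    mid = str(msg.get("Message-ID", "")).strip().strip("<>")
    return mid.rpartition("@")[2].lower()


def last_relay(msg):
    """Host named in the topmost Received: header, i.e. the relay that handed us the mail."""
    received = msg.get_all("Received") or []
    if not received:
        return ""
    m = re.match(r"\s*from\s+([^\s(\[;]+)", str(received[0]))
    return m.group(1).lower() if m else ""


def recipients(msg):
    """All To: addresses, lower-cased."""
    raw = [str(h) for h in (msg.get_all("To") or [])]
    return [addr.lower() for _, addr in getaddresses(raw) if addr]


def lookalike_live_recipient(msg):
    """A live.com recipient whose local part is derived from a local recipient's (assumed heuristic)."""
    rcpts = recipients(msg)
    local_users = {a.split("@")[0] for a in rcpts if a.endswith("@" + LOCAL_DOMAIN)}
    for a in rcpts:
        user, _, domain = a.partition("@")
        if domain == "live.com" and any(user.startswith(u) for u in local_users):
            return a
    return None


def score(raw_message):
    """Return (total_score, rules_hit, is_spam) for one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    if message_id_domain(msg).endswith("phx.gbl"):
        hits.append("MSGID_PHX_GBL")
    if last_relay(msg).endswith("hotmail.com"):
        hits.append("LAST_RELAY_HOTMAIL")
    if lookalike_live_recipient(msg):
        hits.append("TO_LIVE_LOOKALIKE")
    total = sum(RULE_SCORES[h] for h in hits)
    return total, hits, total >= REQUIRED


if __name__ == "__main__":
    for label, sample in (("spam sample", SPAM_SAMPLE), ("control", HAM_SAMPLE)):
        total, hits, is_spam = score(sample)
        print(f"{label}: score={total} hits={hits} spam={is_spam}")
```

The same Message-ID check expressed as a SpamAssassin local rule (rule name assumed) would be `header LOCAL_MSGID_PHX_GBL Message-ID =~ /\@phx\.gbl>/i` with a modest score, which MailScanner picks up through SpamAssassin's local.cf. The Message-ID domain is stamped by the provider's own software rather than by the sender, so on its own it is likely to match legitimate mail from the same provider as well; the control message shows why it is worth scoring it as one signal among several instead of blocking on it outright.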
