Posted to users@spamassassin.apache.org by "NW7US, Tomas" <nw...@hfradio.org> on 2006/06/08 08:42:07 UTC

Another example...

Here are headers from another example of spam, that is marked STRONGLY as  
NOT being spam.  What is VERY interesting about THIS one, is that it seems  
to actually be FROM me!!!  However, it made its rounds on other servers,  
first.  Is it possible someone is spoofing my email address??  Or, is  
there a gateway e-mail hole on my server?

Here are the headers: (and, I deleted my whitelists, like the auto learn  
one, etc.)

> Return-Path: 	<nw...@hfradio.org>	
> X-Spam-Checker-Version: 	SpamAssassin 3.1.3 (2006-06-01)
>                             on helios.hfradio.org	
> X-Spam-Level: 		
> X-Spam-Status: 	No, score=-86.2 required=1.0 tests=HTML_MESSAGE,
>                 MIME_HTML_ONLY, MIME_HTML_ONLY_MULTI,
>                 MPART_ALT_DIFF,RCVD_ILLEGAL_IP,RCVD_NUMERIC_HELO, 
>                 UNPARSEABLE_RELAY,URIBL_JP_SURBL,URIBL_OB_SURBL,
>                 URIBL_SBL, URIBL_SC_SURBL,URIBL_WS_SURBL,
>                 USER_IN_WHITELIST autolearn=no version=3.1.3	
> Received: 	from 60.234.111.150 ([60.234.111.150]) by helios.hfradio.org
>                 (8.12.11/8.12.11) with ESMTP id k586UPVE019859 for
>                 <nw...@hfradio.org>; Wed, 7 Jun 2006 23:30:28 -0700	
> Envelope-to: 	nw7us@hfradio.org	
> Delivery-date: 	Thu, 08 Jun 2006 18:36:11 +1200	
> Received: 	from [242.112.30.100] (helo=86678721) by 60.234.111.150
>                 with smtp (Exim 4.60 (FreeBSD)) (envelope-from 
>                 <tn...@gallery48.freeserve.co.uk>)                id  
> W3mNJ-2xnyDQA-8Kx for nw7us@hfradio.org;                Thu, 08 Jun 2006  
> 18:36:11 +1200	
> Received: 	from gallery48.freeserve.co.uk (02055232 [17238173668])
>                 by 124.1.211.112 (Qmailv1) with ESMTP id 0FJ2Y8TBN for
>                 <nw...@hfradio.org>; Thu, 08 Jun 2006 17:36:07 +1200	
> Date: 	Thu, 08 Jun 2006 17:36:07 +1200	
> From: 	"Jon R. Pirrello Jr" <tn...@gallery48.freeserve.co.uk>	
> X-Mailer: 	The Bat! (v2.12.00) Personal	
> X-Priority: 	3	
> Message-ID: 	<25...@gallery48.freeserve.co.uk>	
> To: 	nw7us@hfradio.org	
> Subject: 	General health store	
> X-IMAPbase: 	1148015368 4545	
> Status: 	O	
> X-UID: 	4545	
> Content-Length: 	11005	
> X-Keywords: 		
> X-Antivirus: 	AVG for E-mail 7.1.394 [268.8.2/357]	
> Mime-Version: 	1.0	
> Content-Type: 	multipart=mixed;  
> b0undary="=======AVGMAIL-4487C4C83823======="

(I changed the last header, in case it might cause a problem... the message  
has an attachment that contained a virus or trojan.)


I could really use some help in figuring out how to end this sort of  
activity.

Thanks,

73 de Tomas, NW7US ( http://ic-discipleship-ministries.org/ )

: Propagation Editor for CQ, CQ VHF, Popular Communications :
: Creator; live propagation center http://prop.hfradio.org/ :
: Associate Member of Propagation Studies Committee of RSGB :
: 122.93W 47.67N / Brinnon, Washington USA CN87 CW/SSB/DIGI :
: 10x56526, FISTS 7055, FISTS NW 57, Lighthouse Society 144 :
: Technical Writer for http://entirenet.net  (Microsoft KB) :
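The scoring arithmetic behind that X-Spam-Status line, as an added example that is not part of the original post or of SpamAssassin itself. It unfolds the headers quoted above, splits the tests= list, subtracts the default SpamAssassin 3.1 score of USER_IN_WHITELIST (-100) to show what the verdict would have been without the whitelist hit, and runs two heuristic checks over each Received hop (a claimed sender address in reserved IP space, a purely numeric HELO) that approximate what RCVD_ILLEGAL_IP and RCVD_NUMERIC_HELO look at. The checks are simplifications written for this example, not SpamAssassin's rule code, and the sample header text is a copy of the message's headers with the archive's elided addresses left as they appear.

```python
"""Pull the SpamAssassin verdict apart: how much of score=-86.2 comes from
USER_IN_WHITELIST, and what does the Received chain say about the sender?"""
import re
from ipaddress import ip_address

# Default score of USER_IN_WHITELIST in SpamAssassin 3.1 (50_scores.cf).
USER_IN_WHITELIST_SCORE = -100.0

# Constructed sample: the relevant headers from the message in the thread,
# with the elided local parts left exactly as the list archive shows them.
SAMPLE_HEADERS = """\
X-Spam-Status: No, score=-86.2 required=1.0 tests=HTML_MESSAGE,
                MIME_HTML_ONLY, MIME_HTML_ONLY_MULTI,
                MPART_ALT_DIFF,RCVD_ILLEGAL_IP,RCVD_NUMERIC_HELO,
                UNPARSEABLE_RELAY,URIBL_JP_SURBL,URIBL_OB_SURBL,
                URIBL_SBL, URIBL_SC_SURBL,URIBL_WS_SURBL,
                USER_IN_WHITELIST autolearn=no version=3.1.3
Received: from 60.234.111.150 ([60.234.111.150]) by helios.hfradio.org
                (8.12.11/8.12.11) with ESMTP id k586UPVE019859 for
                <nw7us@hfradio.org>; Wed, 7 Jun 2006 23:30:28 -0700
Received: from [242.112.30.100] (helo=86678721) by 60.234.111.150
                with smtp (Exim 4.60 (FreeBSD)) (envelope-from
                <tn...@gallery48.freeserve.co.uk>) id W3mNJ-2xnyDQA-8Kx
                for nw7us@hfradio.org; Thu, 08 Jun 2006 18:36:11 +1200
"""


def unfold_headers(raw):
    """Join RFC 2822 continuation lines and return a list of (name, value)."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return headers


def parse_spam_status(value):
    """Parse 'No, score=-86.2 required=1.0 tests=A,B,C autolearn=no ...'."""
    score = float(re.search(r"score=(-?[\d.]+)", value).group(1))
    required = float(re.search(r"required=([\d.]+)", value).group(1))
    tests_text = re.search(r"tests=(.*?)\s+autolearn=", value).group(1)
    tests = [t.strip() for t in tests_text.split(",") if t.strip()]
    return {"score": score, "required": required, "tests": tests}


def parse_received(value):
    """Extract the claimed sender, HELO string and receiving host of one hop."""
    m = re.match(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", value)
    if not m:
        return None
    from_host, paren, by_host = m.group(1), m.group(2) or "", m.group(3)
    ip_match = re.search(r"\[([\d.]+)\]", from_host + " " + paren)
    helo = paren[5:] if paren.startswith("helo=") else from_host
    return {"from": from_host, "ip": ip_match.group(1) if ip_match else None,
            "helo": helo, "by": by_host}


def relay_findings(hop):
    """Heuristic checks on one hop (approximations, not SA's RCVD_* rules)."""
    findings = []
    if hop["ip"] and ip_address(hop["ip"]).is_reserved:
        findings.append("reserved/unroutable sender IP %s" % hop["ip"])
    helo = hop["helo"]
    if helo.isdigit() or re.fullmatch(r"\d+(\.\d+){3}", helo):
        findings.append("numeric HELO %r" % helo)
    return findings


def analyze(raw=SAMPLE_HEADERS):
    """Summarise the verdict and what it would be without the whitelist hit."""
    headers = unfold_headers(raw)
    status = parse_spam_status(dict(headers)["X-Spam-Status"])
    hops = [parse_received(v) for n, v in headers if n == "Received"]
    findings = {h["ip"]: relay_findings(h) for h in hops if h}
    without = status["score"]
    if "USER_IN_WHITELIST" in status["tests"]:
        without = round(status["score"] - USER_IN_WHITELIST_SCORE, 1)
    return {
        "score": status["score"],
        "tests": status["tests"],
        "score_without_whitelist": without,
        "spam_without_whitelist": without >= status["required"],
        "relay_findings": findings,
    }


if __name__ == "__main__":
    result = analyze()
    print("reported score:", result["score"])
    print("score without USER_IN_WHITELIST:", result["score_without_whitelist"])
    for ip, notes in result["relay_findings"].items():
        for note in notes:
            print("hop from", ip, "->", note)
```

Run stand-alone, it reports that without the whitelist entry the message would have scored 13.8 against a threshold of 1.0, and that the hop handed to 60.234.111.150 claims a source inside 240.0.0.0/4, address space that is not routable on the public Internet. A plain whitelist_from entry for your own address is matched against a From header anyone can write, which is why a single rule can pull a twelve-rule spam verdict down to -86.2; SpamAssassin's whitelist_from_rcvd form additionally requires the relaying host's reverse DNS to match a domain you name, which a random relay like this one cannot satisfy.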

Re: Another example...

Posted by Michael Monnerie <mi...@it-management.at>.
On Thursday, 8 June 2006 17:33 Gary V wrote:
> What's surprising is that you are surprised that someone can make
> mail appear to come from you. There is nothing stopping them.

That's not true: SPF. Of course, only if the recipient checks for SPF 
records, but lots of sites check it now (anyway still too few).

Kind regards, zmi
-- 
// Michael Monnerie, Ing.BSc    -----      http://it-management.at
// Tel: 0660/4156531                          .network.your.ideas.
// PGP Key:   "lynx -source http://zmi.at/zmi3.asc | gpg --import"
// Fingerprint: 44A3 C1EC B71E C71A B4C2  9AA6 C818 847C 55CB A4EE
// Keyserver: www.keyserver.net                 Key-ID: 0x55CBA4EE
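An offline sketch of the SPF check Michael is referring to, added here as an example; it is not code from the thread, from SpamAssassin or from any SPF library. A real check fetches the TXT record for the MAIL FROM domain over DNS; here a constructed table stands in for DNS, the record for hfradio.org is invented for the example (the page does not show the real one, and 192.0.2.25, 198.51.100.0/24, 2001:db8::/32 and _spf.example.net are documentation placeholders), and only the ip4, ip6, include and all mechanisms are implemented, so a, mx, ptr, exists and redirect= never match. What it shows is the situation in the quoted headers: the hop that reached helios.hfradio.org came from 60.234.111.150 with an envelope sender in hfradio.org, and a published -all record would let the receiving side reject or score that connection.

```python
"""Minimal offline SPF evaluation for the hop in the thread (example code)."""
from ipaddress import ip_address, ip_network

# Constructed stand-in for DNS TXT lookups. hfradio.org's real record is not
# on the page; the addresses and _spf.example.net are placeholders.
FAKE_DNS_TXT = {
    "hfradio.org": "v=spf1 ip4:192.0.2.25 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(client_ip, domain, dns=FAKE_DNS_TXT, depth=0):
    """Return pass/fail/softfail/neutral/none for client_ip sending as domain."""
    if depth > 10:              # guard against include loops (RFC 7208 caps lookups at 10)
        return "permerror"
    record = dns.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ip_network(arg, strict=False)
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            if evaluate_spf(client_ip, arg, dns, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        # a, mx, ptr, exists and modifiers such as redirect= need live DNS
        # and are treated as non-matching in this offline sketch.
    return "neutral"


def check_hop(client_ip, mail_from, dns=FAKE_DNS_TXT):
    """SPF result for one SMTP session: the connecting IP and its MAIL FROM."""
    domain = mail_from.rsplit("@", 1)[-1]
    return {"ip": client_ip, "domain": domain,
            "result": evaluate_spf(client_ip, domain, dns)}


if __name__ == "__main__":
    # The hop that reached helios.hfradio.org in the quoted headers: sending
    # IP 60.234.111.150, envelope sender in hfradio.org (only the domain
    # matters for SPF; the local part is taken from the Envelope-to header).
    for ip in ("60.234.111.150", "192.0.2.25", "198.51.100.7"):
        r = check_hop(ip, "nw7us@hfradio.org")
        print("%-16s as %-12s -> %s" % (r["ip"], r["domain"], r["result"]))
```

The first line of output is the interesting one: 60.234.111.150 is not in the (constructed) record, so the result is fail. On the SpamAssassin side, 3.1 ships an SPF plugin whose SPF_FAIL and SPF_SOFTFAIL rules add points for exactly this outcome, and an MTA can reject at SMTP time instead. Michael's caveat stands, though: the record only helps at sites that query it, and it says nothing about mail that is legitimately forwarded through a third host, which is why -all should be published only once every real outbound path is listed.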

Re: Another example...

Posted by Gary V <mr...@hotmail.com>.
>>Looks like you have nw7us@hfradio.org whitelisted somewhere.  That's 
>>probably a bad idea.  Spam usually uses a spoofed address.
>
>NW7US, Tomas wrote:
>>Here are headers from another example of spam, that is marked STRONGLY as 
>>NOT being spam.  What is VERY interesting about THIS one, is that it seems 
>>to actually be FROM me!!!  However, it made its rounds on other servers, 
>>first.  Is it possible someone is spoofing my email address??

What's surprising is that you are surprised that someone can make mail 
appear to come from you. There is nothing stopping them.

Gary V



Re: Another example...

Posted by Stuart Johnston <st...@ebby.com>.
Looks like you have nw7us@hfradio.org whitelisted somewhere.  That's 
probably a bad idea.  Spam usually uses a spoofed address.

NW7US, Tomas wrote:
> Here are headers from another example of spam, that is marked STRONGLY 
> as NOT being spam.  What is VERY interesting about THIS one, is that it 
> seems to actually be FROM me!!!  However, it made its rounds on other 
> servers, first.  Is it possible someone is spoofing my email address??  
> Or, is there a gateway e-mail hole on my server?
> 


Re: Another example...

Posted by jdow <jd...@earthlink.net>.
I'm semi-asleep at the switch. The autolearn=no means you do indeed
have Bayes turned off or completely untrained. Very seriously, a well
trained Bayes is your BEST spam fighting friend. So are the rule sets
at http://www.rulesemporium.com/.

I am still back on 3.0.6. I have not had a stock spam get by the filters
in over a year. Both Bayes and the SARE rules I run seem to nail them.
But the SINGLE most RELIABLE spam catcher is BAYES_99 set to 5.0, per
user Bayes well trained, and spoon feeding sa-learn with known cases of
missed spam that do not contain a preponderance of unique words typical
for what I consider ham.

(I have gotten Bayes to the state that it has not flagged a single ham
in the last month while it has flagged about 90.65% of all spam. Likewise
BAYES_00 has flagged about 0.04% of spam and 81.17% of ham. This is on
about 100,000 messages over 10.5 weeks.)

{^_^}   Joanne
----- Original Message ----- 
From: "NW7US, Tomas" <nw...@hfradio.org>
To: <us...@spamassassin.apache.org>
Sent: Wednesday, June 07, 2006 23:42
Subject: Another example...


> Here are headers from another example of spam, that is marked STRONGLY as  
> NOT being spam.  What is VERY interesting about THIS one, is that it seems  
> to actually be FROM me!!!  However, it made its rounds on other servers,  
> first.  Is it possible someone is spoofing my email address??  Or, is  
> there a gateway e-mail hole on my server?
> 