Posted to users@spamassassin.apache.org by Jason Staudenmayer <ja...@adventureaquarium.com> on 2006/06/09 14:56:42 UTC

Gmail spam

Is anyone else getting spam from gmail? The ones I'm getting are very
lengthy but don't look like bayes poison.

<headers>
Microsoft Mail Internet Headers Version 2.0
Received: from mail2.adventureaquarium.com ([10.0.0.205]) by
MAIL-I.adventureaquarium.com with Microsoft SMTPSVC(5.0.2195.6713);
	 Thu, 8 Jun 2006 08:05:21 -0400
Received: (qmail 31386 invoked from network); 8 Jun 2006 12:05:21 -0000
Received: from pulse_diffeomorphism@gmail.com by
mail2.adventureaquarium.com by uid 503 with qmail-scanner-1.20 
 (clamdscan: 0.88.2/1467. spamassassin: 3.1.1.
Clear:RC:0(66.148.73.132):SA:0(2.2/7.5):. 
 Processed in 0.48126 secs); 08 Jun 2006 12:05:21 -0000
X-Spam-Status: No, hits=2.2 required=7.5
X-Qmail-Scanner-Mail-From: pulse_diffeomorphism@gmail.com via
mail2.adventureaquarium.com
X-Qmail-Scanner: 1.20 (Clear:RC:0(66.148.73.132):SA:0(2.2/7.5):.
Processed in 0.48126 secs)
Received: from unknown (HELO 192.168.0.4) (66.148.73.132)
  by mail2.adventureaquarium.com with SMTP; 8 Jun 2006 12:05:21 -0000
Received: from crysholgh.com (9.13.1/9.13.1) id XAA37462; Thu, 08 Jun
2006 05:05:20 -0800
Message-Id: <13...@gmail.com>
From: "Marcelino Crews" <pu...@gmail.com>
To: xxxxx@adventureaquarium.com
Subject: this weeks stock pick KMAG - build a strong position now 
X-Mailer: Opera/6.05 (Windows 2000; U) [fi]
Date: Thu, 08 Jun 2006 05:05:20 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary="Boundary-00=_9HReE4jIy7jpiF0"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
To: xxxxx@adventureaquarium.com
Subject: this weeks stock pick KMAG - build a strong position now 
</headers>

Maybe gmail has an open relay? Or does this look like something else?

Jason

Re: Gmail spam

Posted by jdow <jd...@earthlink.net>.
Offhand you could not convince me that this message ever got near
gmail servers.

{^_^}
----- Original Message ----- 
From: "Jason Staudenmayer" <ja...@adventureaquarium.com>


Is anyone else getting spam from gmail? The ones I'm getting are very
lengthy but don't look like bayes poison.

<headers>
Microsoft Mail Internet Headers Version 2.0
Received: from mail2.adventureaquarium.com ([10.0.0.205]) by
MAIL-I.adventureaquarium.com with Microsoft SMTPSVC(5.0.2195.6713);
Thu, 8 Jun 2006 08:05:21 -0400
Received: (qmail 31386 invoked from network); 8 Jun 2006 12:05:21 -0000
Received: from pulse_diffeomorphism@gmail.com by
mail2.adventureaquarium.com by uid 503 with qmail-scanner-1.20 
 (clamdscan: 0.88.2/1467. spamassassin: 3.1.1.
Clear:RC:0(66.148.73.132):SA:0(2.2/7.5):. 
 Processed in 0.48126 secs); 08 Jun 2006 12:05:21 -0000
X-Spam-Status: No, hits=2.2 required=7.5
X-Qmail-Scanner-Mail-From: pulse_diffeomorphism@gmail.com via
mail2.adventureaquarium.com
X-Qmail-Scanner: 1.20 (Clear:RC:0(66.148.73.132):SA:0(2.2/7.5):.
Processed in 0.48126 secs)
Received: from unknown (HELO 192.168.0.4) (66.148.73.132)
  by mail2.adventureaquarium.com with SMTP; 8 Jun 2006 12:05:21 -0000
Received: from crysholgh.com (9.13.1/9.13.1) id XAA37462; Thu, 08 Jun
2006 05:05:20 -0800
Message-Id: <13...@gmail.com>
From: "Marcelino Crews" <pu...@gmail.com>
To: xxxxx@adventureaquarium.com
Subject: this weeks stock pick KMAG - build a strong position now 
X-Mailer: Opera/6.05 (Windows 2000; U) [fi]
Date: Thu, 08 Jun 2006 05:05:20 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary="Boundary-00=_9HReE4jIy7jpiF0"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
To: xxxxx@adventureaquarium.com
Subject: this weeks stock pick KMAG - build a strong position now 
</headers>

Maybe gmail has an open relay? Or does this look like something else?

Jason

Re: Gmail spam

Posted by Alejandro Lengua <al...@gmail.com>.
BTW,
email coming from Gmail servers (including valid ones) is already being blocked
by several real-time blacklists (RBLs).

On 6/9/06, Jason Staudenmayer <ja...@adventureaquarium.com> wrote:
> Is anyone else getting spam from gmail? The ones I'm getting are very
> lengthy but don't look like bayes poison.
>


-- 
Atentamente / Kind regards

Alejandro Lengua,
Virtual Orbis eBusiness Services

www.virtualorbis.com, www.vohosting.com

Re: Gmail spam

Posted by Rick Macdougall <ri...@ummm-beer.com>.
Jason Staudenmayer wrote:
> Is anyone else getting spam from gmail? The ones I'm getting are very
> lengthy but don't look like bayes poison.
> 
> <headers>
> Microsoft Mail Internet Headers Version 2.0
> Received: from mail2.adventureaquarium.com ([10.0.0.205]) by
> MAIL-I.adventureaquarium.com with Microsoft SMTPSVC(5.0.2195.6713);
> 	 Thu, 8 Jun 2006 08:05:21 -0400
> Received: (qmail 31386 invoked from network); 8 Jun 2006 12:05:21 -0000
> Received: from pulse_diffeomorphism@gmail.com by
> mail2.adventureaquarium.com by uid 503 with qmail-scanner-1.20 
>  (clamdscan: 0.88.2/1467. spamassassin: 3.1.1.
> Clear:RC:0(66.148.73.132):SA:0(2.2/7.5):. 
>  Processed in 0.48126 secs); 08 Jun 2006 12:05:21 -0000
> X-Spam-Status: No, hits=2.2 required=7.5
> X-Qmail-Scanner-Mail-From: pulse_diffeomorphism@gmail.com via
> mail2.adventureaquarium.com
> X-Qmail-Scanner: 1.20 (Clear:RC:0(66.148.73.132):SA:0(2.2/7.5):.
> Processed in 0.48126 secs)
> Received: from unknown (HELO 192.168.0.4) (66.148.73.132)
>   by mail2.adventureaquarium.com with SMTP; 8 Jun 2006 12:05:21 -0000

Hi,

What makes you think it came from gmail? I see no signs of it
originating from there.

Regards,

Rick

Re: Gmail spam

Posted by "Jamie L. Penman-Smithson" <li...@silverdream.org>.
On 9 Jun 2006, at 13:56, Jason Staudenmayer wrote:
> Is anyone else getting spam from gmail? The ones I'm getting are very
> lengthy but don't look like bayes poison.

It's _not from_ GMail.

<snip>
> Received: from unknown (HELO 192.168.0.4) (66.148.73.132)
>   by mail2.adventureaquarium.com with SMTP; 8 Jun 2006 12:05:21 -0000
> Received: from crysholgh.com (9.13.1/9.13.1) id XAA37462; Thu, 08 Jun
> 2006 05:05:20 -0800
> Message-Id: <13...@gmail.com>
> From: "Marcelino Crews" <pu...@gmail.com>
> To: xxxxx@adventureaquarium.com
> Subject: this weeks stock pick KMAG - build a strong position now
<snip>
>
> Maybe gmail has an open relay? Or does this look like something else?

No, you should be looking at this header:

> Received: from unknown (HELO 192.168.0.4) (66.148.73.132)
>   by mail2.adventureaquarium.com with SMTP; 8 Jun 2006 12:05:21 -0000

This message was received from [66.148.73.132] with no rDNS and using  
a private non-routable IP in HELO.

The IP in question is owned by HopOne:

NetRange:   66.148.64.0 - 66.148.127.255
CIDR:       66.148.64.0/18
OrgName:    HopOne Internet Corporation
OrgID:      HOPO
Address:    1010 Wisconsin Avenue N.W.
City:       Washington
StateProv:  DC
PostalCode: 20007-3603
Country:    US

It doesn't match the SPF record for gmail.com either:

_spf.google.com.        300     IN      TXT     "v=spf1  
ip4:216.239.56.0/23 ip4:64.233.160.0/19 ip4:66.249.80.0/20  
ip4:72.14.192.0/18 ?all"

The sender address is forged, as is common.

IOW it should have been rejected outright before it even got to SA,  
either because it has no rDNS, or because it used an invalid address  
literal (1.2.3.4 instead of [1.2.3.4]), or because it used a private  
non-routable IP in HELO.

-j
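
The checks described in the reply above, as an added example that is not part of the original thread: it parses the one Received header written by the receiving server and tests the HELO argument, the rDNS field and the SPF ip4 ranges quoted in the message. The function names are hypothetical, the regex assumes the qmail trace format shown in the thread, and treating "unknown" as "no rDNS" follows the reply's own reading.

```python
import ipaddress
import re

# qmail-style trace line as quoted in the thread:
#   from <rdns> (HELO <helo>) (<connecting ip>)
QMAIL_RECEIVED = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(HELO\s+(?P<helo>[^)]+)\)\s+\((?P<ip>[0-9.]+)\)")

# ip4 mechanisms copied from the _spf.google.com record quoted in the thread (2006 data).
GMAIL_SPF_2006 = ["216.239.56.0/23", "64.233.160.0/19",
                  "66.249.80.0/20", "72.14.192.0/18"]


def parse_ip(text):
    """Return an address object, or None if text is not an IP address."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def analyse_received(header, spf_ranges):
    """Return (connecting IP, findings) for one folded Received header."""
    m = QMAIL_RECEIVED.search(" ".join(header.split()))  # unfold, then match
    if not m:
        raise ValueError("not a qmail-style Received header")
    ip = ipaddress.ip_address(m["ip"])
    helo = m["helo"].strip()
    findings = []
    if m["rdns"] == "unknown":  # assumption: qmail writes "unknown" without rDNS
        findings.append("no rDNS")
    literal = parse_ip(helo)
    if literal is not None:  # 1.2.3.4 instead of [1.2.3.4]
        findings.append("HELO is a bare address literal")
    elif helo.startswith("[") and helo.endswith("]"):
        literal = parse_ip(helo[1:-1])
    if literal is not None and literal.is_private:
        findings.append("HELO is a private address")
    if not any(ip in ipaddress.ip_network(net) for net in spf_ranges):
        findings.append("connecting IP outside SPF ip4 ranges")
    return ip, findings


# The header from the thread, folded as it was posted.
SAMPLE = """Received: from unknown (HELO 192.168.0.4) (66.148.73.132)
  by mail2.adventureaquarium.com with SMTP; 8 Jun 2006 12:05:21 -0000"""

if __name__ == "__main__":
    print(analyse_received(SAMPLE, GMAIL_SPF_2006))
```

Because the quoted SPF record ends in `?all`, an address outside the listed ranges evaluates to neutral rather than fail, so the SPF finding is supporting evidence here, while the rDNS and HELO findings are the ones an MTA can reject on at SMTP time.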