showker Posted December 28, 2009

Can someone help me understand how 'spam' got into my subject line?

I was shocked to see this subject line in my Monday morning newsletter:

> [iNFO] ***spam*** InfoManager for Monday,

YES, I've listed the list in SpamCop's "Mailhost Configuration".

I've mailed this newsletter every Monday morning since 1994. It's never been listed as "spam".

How do I read the header to find out
* how the listing got there
* Why X-SpamCop-Disposition: Blocked SpamAssassin=8 ... when just under it SpamCop lists it as "Whitelisted"
* and how to remedy the situation

My email address "showker[at]spamcop.net" shows up as the SENDER in dozens of Viagra spams -- is there any way to end that??? Very upsetting. :-(

I've included the header below

---------------------------------------------------
Return-Path: <infomanager-bounces[at]mac-pro.net>
Delivered-To: spamcop-net-showker[at]spamcop.net
Received: (qmail 11048 invoked from network); 28 Dec 2009 04:10:23 -0000
X-spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on filter7
X-spam-Level: ********
X-spam-Status: hits=8.5 tests=RDNS_NONE,URIBL_BLACK,URIBL_RHS_DOB,URIBL_SBL version=3.2.4
Received: from unknown (192.168.1.108) by filter7.cesmail.net with QMQP; 28 Dec 2009 04:10:23 -0000
Received: from unknown (HELO fetchmail.cesmail.net) (64.88.168.84) by mx71.cesmail.net with SMTP; 28 Dec 2009 04:10:23 -0000
Received: from 66.34.51.24 [66.34.51.24] by fetchmail.cesmail.net with POP3 (fetchmail-6.2.1) for showker[at]spamcop.net (single-drop); Sun, 27 Dec 2009 22:55:18 -0500 (EST)
Received: from host10.emwd.com (host10.emwd.com [72.52.172.32]) by catdig22.propagation.net (8.13.6/8.13.6) with ESMTP id nBS3us5s001885; Sun, 27 Dec 2009 21:56:54 -0600
Received: from localhost ([127.0.0.1] helo=host10.emwd.com) by host10.emwd.com with esmtp (Exim 4.69) (envelope-from <infomanager-bounces[at]mac-pro.net>) id 1NP6hT-0007um-9R; Sun, 27 Dec 2009 22:55:19 -0500
Received: from c60.cesmail.net ([216.154.195.49]) by host10.emwd.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.69) (envelope-from <showker[at]spamcop.net>) id 1NP6hM-0007tU-39 for infomanager[at]mac-pro.net; Sun, 27 Dec 2009 22:55:17 -0500
Received: from unknown (HELO webmail2) ([192.168.1.183]) by c60.cesmail.net with ESMTP; 27 Dec 2009 22:55:05 -0500
Received: from pool-72-66-254-61.ronkva.east.verizon.net (pool-72-66-254-61.ronkva.east.verizon.net [72.66.254.61]) by webmail.spamcop.net (Horde MIME library) with HTTP; Sun, 27 Dec 2009 22:55:03 -0500
Message-ID: <20091227225503.m2jzxiyy8skkssoc-fubjxre[at]webmail.spamcop.net>
Date: Sun, 27 Dec 2009 22:55:03 -0500
From: showker[at]spamcop.net
To: infomanager[at]mac-pro.net
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: Internet Messaging Program (IMP) H3 (4.1.4)
Subject: [iNFO] ***spam*** InfoManager for Monday, December 28, 2009
X-BeenThere: infomanager[at]mac-pro.net
X-Mailman-Version: 2.1.12.cp3
Precedence: list
List-Id: UGN InfoManager weekly news for computer users since 1994 <infomanager_mac-pro.net.mac-pro.net>
List-Unsubscribe: <http://mac-pro.net/mailman/options/infomanager_mac-pro.net>, <mailto:infomanager-request[at]mac-pro.net?subject=unsubscribe>
List-Help: <mailto:infomanager-request[at]mac-pro.net?subject=help>
List-Subscribe: <http://mac-pro.net/mailman/listinfo/infomanager_mac-pro.net>, <mailto:infomanager-request[at]mac-pro.net?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"; DelSp="Yes"
Sender: infomanager-bounces[at]mac-pro.net
Errors-To: infomanager-bounces[at]mac-pro.net
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - host10.emwd.com
X-AntiAbuse: Original Domain - user-groups.net
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - mac-pro.net
X-SpamCop-Checked:
X-SpamCop-Disposition: Blocked SpamAssassin=8
X-SpamCop-Whitelisted: showker[at]spamcop.net

agsteele Posted December 28, 2009

> Can someone help me understand how 'spam' got into my subject line?

This almost certainly happened because a receiving Email system looked at the message and determined it to be 'spam'. Not that it is spam but a computer decided it probably is and amended the subject for the recipient.

> X-spam-Status: hits=8.5 tests=RDNS_NONE,URIBL_BLACK,URIBL_RHS_DOB,URIBL_SBL

That said, I see that SpamAssassin has awarded the message a score of 8.5. That is pretty much guaranteed to flag the mail as spam. A neutral score is typically considered to be around about 5. There appears to be a reverse DNS issue plus a number of URIBL hits that give the sending IP a poor score. However, I cannot see that any of the IPs in the headers are currently listed in the URIBL so perhaps there is some out of date data in use. Anyone else see which IP may be the issue?

> YES, I've listed the list in SpamCop's "Mailhost Configuration"

This isn't relevant to this issue. That mailhost is designed to stop you reporting yourself rather than give you a clean bill of health to the outside world.

> * Why X-SpamCop-Disposition: Blocked SpamAssassin=8 ... when just under it SpamCop lists it as "Whitelisted"

Without the whitelist entry (presumably you've whitelisted this list in your SC Email) it would have been held in your held folder (assuming you have your SpamAssassin set to the default 5).

> * and how to remedy the situation

I think this may be a one off, short term issue. You may need to wait until next Monday to see if the problem persists.

> My email address "showker[at]spamcop.net" shows up as the SENDER in dozens of Viagra spams -- is there any way to end that???

As you know legitimate Email addresses often get pirated by spammers. But that isn't a problem which has caused this issue.

Andrew

Farelf Posted December 28, 2009

> Can someone help me understand how 'spam' got into my subject line? ...

Fred, are you being bounced by the infomanager service of your own mac-pro.net site? Good Lord, I've never heard of the like. I have no idea why that might happen (your domain/site, theoretically your rules), I'm not sure I understand what is going on, but I guess the SpamAssassin results for the bounce (if that is what it is) from your SC mail account headers might give some clues.

> ...How do I read the header to find out * how the listing got there...

The reasons it is tagged as spam are given in the headers:

X-spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on filter7
X-spam-Level: ********
X-spam-Status: hits=8.5 tests=RDNS_NONE,URIBL_BLACK,URIBL_RHS_DOB,URIBL_SBL version=3.2.4

That is apparently objecting to some routing/source for which there is no rDNS and one or more web addresses (which are listed in the URIBL). The rDNS thing might be a red herring - maybe only applying to some aspect of the infomanager-bounces disposition - 66.34.51.24 (a CI Host address) would be my guess. But is there anything (mention of a site) in the body of the newsletter which is listed in URIBL.com? - https://admin.uribl.com/?section=lookup

General advice on avoiding spam tagging of newsgroups by SpamAssassin is given at the SA site - http://wiki.apache.org/spamassassin/AvoidingFpsForSenders

> ...* Why X-SpamCop-Disposition: Blocked SpamAssassin=8 ... when just under it SpamCop lists it as "Whitelisted" * and how to remedy the situation...

Well, if you have your SC address whitelisted, that is going to over-ride the filter and deliver the mail no matter what the filter rules say.

> ......my email address "showker[at]spamcop.net" shows up as the SENDER in dozens of Viagra spams -- is there any way to end that??? Very upsetting. :-(

Fred, if you have whitelisted your address you are always going to get backscatter/bounced spam with your address spoofed delivered through your spam filters. The general advice is "never whitelist your own address" for that reason. The address is on multiple 'lists' now, there is nothing you can do about that, it will be targeted for spam and all spam targets take their turn at being the spoofed From: and Reply-to: addresses. One of the main reasons it is on those lists is because it is out there 'in clear'. This is compounded by the fact that an [at]spamcop.net is like a red rag to a bull for some in the spam 'business'. One place the address is very publicly displayed is the registrant detail for MAC-PRO.NET in the who-is record.
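
Added example (not written by any poster in this thread): a short Python reading of the header fields discussed above, separating the SpamAssassin rules that fired on body URLs from those that fired on the relay path. The function name is hypothetical, the threshold of 5 is the default mentioned in the replies, and the whitelist-overrides-filter logic follows the replies here rather than SpamCop documentation.

```python
from email.parser import HeaderParser

# Excerpt of the header posted in the thread (address obfuscated as on the page).
SAMPLE = (
    "X-spam-Level: ********\n"
    "X-spam-Status: hits=8.5 tests=RDNS_NONE,URIBL_BLACK,URIBL_RHS_DOB,URIBL_SBL\n"
    "\tversion=3.2.4\n"
    "Subject: [iNFO] ***spam*** InfoManager for Monday, December 28, 2009\n"
    "X-SpamCop-Disposition: Blocked SpamAssassin=8\n"
    "X-SpamCop-Whitelisted: showker[at]spamcop.net\n"
    "\n"
)

def explain_headers(raw, threshold=5.0):
    """Summarise why a message was tagged and why it was still delivered."""
    msg = HeaderParser().parsestr(raw)  # header names match case-insensitively
    # Unfold the status header, then read its key=value pairs.
    status = " ".join((msg.get("X-Spam-Status") or "").split())
    fields = dict(kv.split("=", 1) for kv in status.split() if "=" in kv)
    # This filter writes "hits="; other SpamAssassin setups write "score=".
    score = float(fields.get("hits") or fields.get("score") or "nan")
    tests = [t for t in fields.get("tests", "").split(",") if t]
    # URIBL_* rules fire on URLs found in the body; RDNS_* on the relay path.
    url_rules = [t for t in tests if t.startswith("URIBL_")]
    relay_rules = [t for t in tests if t.startswith("RDNS_")]
    whitelisted = (msg.get("X-SpamCop-Whitelisted") or "").strip()
    over = score >= threshold
    # Assumption taken from the replies: a whitelist entry overrides the filter.
    if over and whitelisted:
        outcome = "delivered (whitelist overrode filter)"
    elif over:
        outcome = "held"
    else:
        outcome = "delivered"
    return {
        "score": score, "url_rules": url_rules, "relay_rules": relay_rules,
        "subject_tagged": "***spam***" in (msg.get("Subject") or "").lower(),
        "disposition": (msg.get("X-SpamCop-Disposition") or "").strip(),
        "outcome": outcome,
    }

if __name__ == "__main__":
    for key, value in explain_headers(SAMPLE).items():
        print(f"{key}: {value}")
```

Three of the four rules that fired are URIBL rules, so the place to look is the links in the newsletter body rather than the IP addresses in the Received lines.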

showker Posted January 2, 2010

As a follow up to this thread, I believe now that the newsletter was flagged as spam because of one article about spam contained in the newsletter.

However, as for email address spoofing -- I've started getting bounces and "vacation" replies from people I never mailed to. So, what worries me is that the email hijackers are using my address for spam to other people as well -- tagging ME as a spammer.

Legal tells me there is sufficient "damage" to me and our business to mount a civil suit. Problem is *who* to sue. They say "sue up the food chain until you find someone in charge" ... registrant, registrar, ISP, ISP Provider, ultimately ICANN. They're all jointly and severally responsible.

Hmmmmm.

Farelf Posted January 2, 2010

> As a follow up to this thread, I believe now that the newsletter was flagged as spam because of one article about spam contained in the newsletter. ...

Makes sense, thanks for letting us know.

> ...However, as for email address spoofing -- I've started getting bounces and "vacation" replies from people I never mailed to. So, what worries me is that the email hijackers are using my address for spam to other people as well -- tagging ME as a spammer. ...

Fred, just about everyone who gets spammed gets their turn at being spoofed as the "From:" and "Reply-to" address. Nobody will believe it is actually "you" or if they do you can rub their noses in the headers which prove it wasn't.

> ...Legal tells me there is sufficient "damage" to me and our business to mount a civil suit. Problem is *who* to sue. They say "sue up the food chain until you find someone in charge" ... registrant, registrar, ISP, ISP Provider, ultimately ICANN. They're all jointly and severally responsible. ...

Yeah, sure - sounds like a profitable chase for some legal beagle, I'm sure they'd just love to take it on. Just ascertain the track record of delivered results in similar litigation of anyone you might engage before giving them any money and make sure you do it properly. Only people harder to sue than spammers are lawyers.

rconner Posted January 3, 2010

> However, as for email address spoofing -- I've started getting bounces and "vacation" replies from people I never mailed to. So, what worries me is that the email hijackers are using my address for spam to other people as well -- tagging ME as a spammer.

Welcome to the club. If anyone complains to you directly about this, you may refer them to this page: http://www.rickconner.net/spamweb/notmyaddress.html

-- rick
Archived
This topic is now archived and is closed to further replies.