Spamcop address spam getting through


elind

I am getting regular spam from one particular spammer "VIAGRA r Official Site", which appears to be addressed to my spamcop email and is then forwarded to my other address. I get lots of spam addressed to me at Spamcop.net, but that is always caught and held in my held mail for reporting. This sender gets through always. Typically they send 5 or 6 spams at the same time, each one the same except that they offer varying discounts in the 70% range.

Why do these get through spamcop filtering? Source follows:

Thanks

X-IronPort: hrndva-mx02.mail.rr.com 161250344

X-RR-Connecting-IP: 216.154.195.49

Received: from c60.cesmail.net ([216.154.195.49])

by hrndva-mxlb.mail.rr.com with ESMTP; 27 Oct 2007 14:36:37 +0000

Received: from unknown (HELO blade1.cesmail.net) ([192.168.1.211])

by c60.cesmail.net with SMTP; 27 Oct 2007 10:36:37 -0400

Received: (qmail 23419 invoked by uid 1010); 27 Oct 2007 14:36:37 -0000

Date: 27 Oct 2007 14:36:37 -0000

Delivered-To: spamcop-net-elind[at]spamcop.net

Received: (qmail 23412 invoked from network); 27 Oct 2007 14:36:37 -0000

X-spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on blade1

X-spam-Level: *****************

X-spam-Status: hits=17.7 tests=HELO_DYNAMIC_DHCP,HTML_MESSAGE,

HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,MISSING_DATE,RDNS_DYNAMIC,

SARE_FROM_DRUGS,UNPARSEABLE_RELAY,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,

URIBL_SC_SURBL,URIBL_WS_SURBL version=3.2.3

Received: from unknown (192.168.1.107)

by blade1.cesmail.net with QMQP; 27 Oct 2007 14:36:37 -0000

Received: from adsl-dyn145.91-127-243.t-com.sk (91.127.243.145)

by mx70.cesmail.net with SMTP; 27 Oct 2007 14:36:36 -0000

Received: from Alberto Winter (10.16.17.14) by adsl-dyn145.91-127-243.t-com.sk (PowerMTA v3.2r4) id hfp20o83d11j09 for <elind[at]spamcop.net>; Sat, 27 Oct 2007 04:36:39 +0100

Message-Id: <20071027053639.8556.qmail[at]adsl-dyn145.91-127-243.t-com.sk>

To: <elind[at]spamcop.net>

Subject: October 76% OFF

From: VIAGRA "®" Official Site <elind[at]spamcop.net>

MIME-Version: 1.0

Content-Type: text/html; charset="iso-8859-1"

Content-Transfer-Encoding: 8bit

X-SpamCop-Checked:

X-SpamCop-Disposition: Blocked SpamAssassin=17

X-SpamCop-Whitelisted: spamcop.net

<style>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

</head>

<body>

<table width="600" border="0" cellpadding="0" cellspacing="0">

<tr>

<td>

<!-- Notice: If this text is displayed, your email client cannot display properly the format we've sent you. You may want to consider upgrading to a more recent version of your email client. If you would like to receive only plain text messages, please reply to this message and put "Change to text" in the subject.-->

</HEAD>

<BODY>

<TABLE border="0" align="center" width="610" cellPadding="0" cellSpacing="0">

<TBODY>

<TR>

<td width="610" height="39" valign="top">

<div align="right">

<img src="http://kanaweb.lhux.com/notifications/events/ccs_epay/images/bkqh_e-mail_header_610x51.gif" width="610" height="51" border="0"></div>

</td>

</TR>

<tr>

<td height="1"><img src="http://kanaweb.skrl.com/notifications/events/ccs_epay/images/blue.gif" width="610" height="1"></td>

</tr>

<TR>

<td width="135"> </td>

</TR>

<TR>

<TD>

<FONT size="2" face="Arial, Helvetica, sans-serif">

Dear Mauricio Bowles,<br>

<br>

Thank you for scheduling your recent credit card payment online. Your payment will post to your account on 01/05/2007.

<BR>

<BR>

Now that you're making your payment online, are you aware of all the convenient ways you can manage your account online?

<BR>

<BR>

Just log in to www.wyec.com today. Using the "I'd like to..." links for your credit card account, you can access more than a dozen features, including links to:

<UL>

<LI>

<B>See Statements</B> - View your statement and choose to stop receiving paper statements.</LI>

</style>

<center>

<a href="http://www.masterfigure.com"><img src="http://www.sharphere.com/1.gif">

<style>

<LI>

<B>Manage automatic payments</B> - Set up monthly payments to be made automatically.</LI>

<LI>

<B>Transfer a balance</B> - Transfer a balance to your credit card account.</LI>

<LI>

<B>Go to Free Alerts</B> - Schedule alerts to be reminded of key account activity.</LI>

</UL>

You can also view past payments you have made online by logging on to www.pzfq.com and clicking "See payment history" under "I'd like to ..." .

<BR>

<BR>

If you have any problems or questions, please call the Customer Service number on the back of your credit card. <BR>

<BR>

Thanks again for using online payments.

<br>

<br>

Sincerely,

<br>

Cardmember Services

</FONT>

</TD>

</TR>

</TBODY>

</TABLE>

<TABLE border="0" align="center" width="610" cellPadding="0" cellSpacing="0">

<tr>

<td height="1"><img src="http://kanaweb.zyhv.com/notifications/events/ccs_epay/images/blue.gif" width="610" height="1"></td>

</tr>

<TR>

<TD>

<br>

<FONT size="1" face="Arial, Helvetica, sans-serif">

This email was sent to: elind[at]spamcop.net<br>

</style>

X-SpamCop-Whitelisted: spamcop.net

Remove spamcop.net from your whitelist.

Sorry, I don't understand, but the spam doesn't originate with spamcop. Surely it is the sender that needs to be whitelisted, or not, and spam is detected not only by the sender? I get plenty of other spam addressed to me at spamcop but 99+% of it is held correctly as spam.

I removed the first few lines in the source identifying where spamcop forwarded this email to my other main account, so as to not leave that email address visible. I didn't think it would be relevant?

This is what was removed, with the email it was forwarded to by spamcop blanked out.

X-McAfeeVS-TimeoutProtection: 0

Return-Path: <elindse[at]uiuc.edu>

Received: from hrndva-mxlb.mail.rr.com ([71.74.56.243])

by hrndva-imta02.mail.rr.com with ESMTP

id <20071027152938.KCYI25847.hrndva-imta02.mail.rr.com[at]hrndva-mxlb.mail.rr.com>

for <********************>; Sat, 27 Oct 2007 15:29:38 +0000

X-IronPort: hrndva-mx14.mail.rr.com 35204424

Here are the headers for another different spam but one which was held by spamcop in the held mail folder.

I can't see the differences, but there must be something.

Thanks again

X-McAfeeVS-TimeoutProtection: 0

Return-Path: <dfgrgcoyivsg[at]boddy-ryerson.com>

Received: from hrndva-mxlb.mail.rr.com ([71.74.56.243])

by hrndva-imta11.mail.rr.com with ESMTP

id <20071027160002.SFJS25600.hrndva-imta11.mail.rr.com[at]hrndva-mxlb.mail.rr.com>

for <*****************>; Sat, 27 Oct 2007 16:00:02 +0000

X-IronPort: hrndva-mx11.mail.rr.com 35263511

X-RR-Connecting-IP: 216.154.195.49

Received: from c60.cesmail.net ([216.154.195.49])

by hrndva-mxlb.mail.rr.com with ESMTP; 27 Oct 2007 16:00:01 +0000

Received: from unknown (HELO beta.cesmail.net) ([192.168.1.150])

by c60.cesmail.net with SMTP; 27 Oct 2007 12:00:01 -0400

Received: (qmail 27371 invoked by uid 0); 27 Oct 2007 16:00:01 -0000

Delivered-To: spamcop-net-elind[at]spamcop.net

Received: (qmail 22105 invoked from network); 27 Oct 2007 15:49:38 -0000

X-spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on filter8

X-spam-Level: *********************************

X-spam-Status: hits=33.8 tests=DC_GIF_UNO_LARGO,DC_IMAGE_SPAM_HTML,

DC_IMAGE_SPAM_TEXT,DYN_RDNS_AND_INLINE_IMAGE,DYN_RDNS_SHORT_HELO_HTML,

DYN_RDNS_SHORT_HELO_IMAGE,EXTRA_MPART_TYPE,HTML_IMAGE_ONLY_08,HTML_MESSAGE,

HTML_SHORT_LINK_IMG_1,MIME_HTML_MOSTLY,MPART_ALT_DIFF,MY_CID_AND_STYLE,

PART_CID_STOCK,RDNS_DYNAMIC,SHORT_HELO_AND_INLINE_IMAGE,SPAMMY_XMAILER,

T_TVD_FW_GRAPHIC_ID1,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,

URIBL_RHS_DOB,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL,

XMAILER_MIMEOLE_OL_91287 version=3.2.3

Received: from unknown (192.168.1.108)

by filter8.cesmail.net with QMQP; 27 Oct 2007 15:49:38 -0000

Received: from pppoe-43.7.110.89-adsl.spbnit.ru (HELO tanya) (89.110.7.43)

by mx71.cesmail.net with SMTP; 27 Oct 2007 15:49:33 -0000

Received: from [89.110.7.43] by mxmta.bellnet.ca; Sat, 27 Oct 2007 18:51:08 +0300

Message-ID: <01c818ca$55d56d10$2b076e59[at]dfgrgcoyivsg>

From: "Bonnie Hearn" <dfgrgcoyivsg[at]boddy-ryerson.com>

To: <elind[at]spamcop.net>

Subject: To: elind

Date: Sat, 27 Oct 2007 18:51:08 +0300

MIME-Version: 1.0

Content-Type: multipart/related;

type="multipart/alternative";

boundary="----=_NextPart_000_0006_01C818CA.55D56D10"

X-Priority: 3

X-MSMail-Priority: Normal

X-Mailer: Microsoft Outlook Express 5.50.4807.2300

X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.2300

X-SpamCop-Checked:

X-SpamCop-Disposition: Blocked SpamAssassin=33

Sorry, I don't understand, but the spam doesn't originate with spamcop. Surely it is the sender that needs to be whitelisted, or not, and spam is detected not only by the sender? I get plenty of other spam addressed to me at spamcop but 99+% of it is held correctly as spam.

As I left in the original quote, while the message did not originate from spamcop, the from address was FORGED to be from there:

From: VIAGRA "®" Official Site <elind[at]spamcop.net>

Spamcop checks From, Reply-to, and Return-Path headers for this match.

As I left in the original quote, while the message did not originate from spamcop, the from address was FORGED to be from there:

From: VIAGRA "®" Official Site <elind[at]spamcop.net>

Spamcop checks From, Reply-to, and Return-Path headers for this match.

OK. I see, but if I remove spamcop from my whitelist, what will happen to legitimate mail? Will I then have to vet it in the held mail list? That's not much different from what I do now anyway.

I take it there is no way to detect forged addresses like that? How do you know, for example, without verifying against everything that was legitimately sent?

OK. I see, but if I remove spamcop from my whitelist, what will happen to legitimate mail?

Legitimate mail should pass right through to your inbox, unless your settings (such as your SpamAssassin threshold) are too severe, in which case you should whitelist individual senders, but *not* your own address, because then, any spam messages coming in with your address spoofed into the From will get through.

DT

OK. I see, but if I remove spamcop from my whitelist, what will happen to legitimate mail? Will I then have to vet it in the held mail list? That's not much different from what I do now anyway.

I take it there is no way to detect forged addresses like that? How do you know, for example, without verifying against everything that was legitimately sent?

How many valid messages from spamcop.net have you had sent to your Held Mail?

You could minimize these false positives by whitelisting specific addresses instead.

My whitelist has: deputies[at]admin.spamcop.net, devnull.spamcop.net, mhconf.<secret_address>[at]cmds.spamcop.net, news[at]news.spamcop.net, underwood+reports[at]spamcop.net

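The two points made in this thread (the whitelist is matched against From, Reply-To and Return-Path, and a domain-wide entry for your own domain lets a forged From skip the SpamAssassin verdict, while entries for specific addresses do not) can be modelled in a few lines. This is an added illustration written for this page, not SpamCop's own code: the matching rule is an assumption, the sample messages are constructed from the headers quoted above with the addresses de-obfuscated, and the Return-Path values are placeholders.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample modelled on the spam quoted in the thread; Return-Path is a placeholder.
FORGED_SPAM = """\
Return-Path: <bounce@dyn-host.example.invalid>
Received: from adsl-dyn145.91-127-243.t-com.sk (91.127.243.145)
From: VIAGRA Official Site <elind@spamcop.net>
To: <elind@spamcop.net>
Subject: October 76% OFF
X-spam-Status: hits=17.7 tests=HELO_DYNAMIC_DHCP,SARE_FROM_DRUGS,URIBL_BLACK version=3.2.3

"""

# Constructed legitimate message from one of the specific addresses suggested above.
LEGIT_MAIL = """\
Return-Path: <deputies@admin.spamcop.net>
From: SpamCop Deputies <deputies@admin.spamcop.net>
To: <elind@spamcop.net>
Subject: Re: your report
X-spam-Status: hits=0.3 tests=NONE version=3.2.3

"""

def sender_addresses(raw):
    """Lowercased addresses from the three headers the thread says are compared."""
    msg = message_from_string(raw)
    hdrs = []
    for name in ("From", "Reply-To", "Return-Path"):
        hdrs.extend(msg.get_all(name, []))
    return {addr.lower() for _, addr in getaddresses(hdrs) if addr}

def whitelist_hit(raw, whitelist):
    """Assumed rule: an entry with '@' must equal the address; a bare domain matches that domain or any subdomain."""
    for addr in sender_addresses(raw):
        domain = addr.rpartition("@")[2]
        for entry in (e.lower() for e in whitelist):
            if "@" in entry and addr == entry:
                return entry
            if "@" not in entry and (domain == entry or domain.endswith("." + entry)):
                return entry
    return None

def spam_hits(raw):
    m = re.search(r"hits=([\d.]+)", message_from_string(raw).get("X-spam-Status", ""))
    return float(m.group(1)) if m else 0.0

def disposition(raw, whitelist, threshold=5.0):
    """The whitelist is consulted before the score, so a forged From bypasses the filter."""
    if whitelist_hit(raw, whitelist):
        return "inbox (whitelisted)"
    return "held" if spam_hits(raw) >= threshold else "inbox"
```

With "spamcop.net" on the whitelist the forged message is delivered despite scoring 17.7; with only specific addresses listed it is held, and the legitimate deputies message still reaches the inbox.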
How many valid messages from spamcop.net have you had sent to your Held Mail?

You could minimize these false positives by whitelisting specific addresses instead.

My whitelist has: deputies[at]admin.spamcop.net, devnull.spamcop.net, mhconf.<secret_address>[at]cmds.spamcop.net, news[at]news.spamcop.net, underwood+reports[at]spamcop.net

I think I've been dense. I've been mentally confusing what I receive at my regular mail to that received at spamcop. I should not be receiving any email at spamcop FROM spamcop, right?

If these spammers are so smart, why do they think it works to send multiple messages of the same type at the same time to the same recipient???

OK. I'll try that.
