How do I manage spam that claims to come from my own spamcop webmail account?

[jfaughnan]

I've had a paid spamcop webmail account (jfaughnan[at]spamcop.net) for many years. For the past two years it's been redirected to my gmail account.

For several weeks I've been getting spam that claims to be originating from my spamcop account. That account has a fairly strong password and I presume it hasn't been hacked.

The problem is that since the email is coming from my spamcop account, and that account redirects non-spam email, it's messing up gmail's spam filtering algorithms. It's "poisoning" those filters, in fact the confirmation email from this forum was treated by gmail as spam.

I've included the mail header below. Note the return path of "jev[at]spamcop.net".

My questions are:

1. Is there any way to deal with the "poisoning" gmail spam filter problem?

2. Do I need to stop redirecting from spamcop (practically speaking this would mean discontinuing my piad spamcop account).

3. Is there any chance my spamcop account really has been hacked?

Thanks!

John Faughnan

jfaughnan[at]spamcop.net

Delivered-To: [redacted][at]gmail.com

Received: by 10.151.116.3 with SMTP id t3cs169734ybm;

Sat, 29 Nov 2008 07:55:40 -0800 (PST)

Received: by 10.150.201.17 with SMTP id y17mr17865205ybf.134.1227974139337;

Sat, 29 Nov 2008 07:55:39 -0800 (PST)

Return-Path: <jev[at]spamcop.net>

Received: from c60.cesmail.net (c60.cesmail.net [216.154.195.49])

by mx.google.com with ESMTP id 11si6445475gxk.94.2008.11.29.07.55.39;

Sat, 29 Nov 2008 07:55:39 -0800 (PST)

Received-SPF: pass (google.com: domain of jev[at]spamcop.net designates 216.154.195.49 as permitted sender) client-ip=216.154.195.49;

Authentication-Results: mx.google.com; spf=pass (google.com: domain of jev[at]spamcop.net designates 216.154.195.49 as permitted sender) smtp.mail=jev[at]spamcop.net

Received: from unknown (HELO filter7.cesmail.net) ([192.168.1.217])

by c60.cesmail.net with SMTP; 29 Nov 2008 10:55:38 -0500

Received: (qmail 24079 invoked by uid 1010); 29 Nov 2008 15:55:38 -0000

Date: 29 Nov 2008 15:55:38 -0000

Message-ID: <20081129155538.24078.qmail[at]filter7.cesmail.net>

Delivered-To: spamcop-net-jfaughnan[at]spamcop.net

Received: (qmail 24070 invoked from network); 29 Nov 2008 15:55:38 -0000

X-spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on filter7

X-spam-Level: **********************

X-spam-Status: hits=22.2 tests=HTML_EXTRA_CLOSE,HTML_IMAGE_ONLY_16,

HTML_MESSAGE,HTML_SHORT_LINK_IMG_2,JM_SOUGHT_3,MIME_HTML_ONLY,MISSING_DATE,

MISSING_MID,RDNS_NONE,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,

URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL version=3.2.4

Received: from unknown (192.168.1.86)

by filter7.cesmail.net with QMQP; 29 Nov 2008 15:55:38 -0000

Received: from unknown (HELO aennepress.it) (213.133.8.219)

by mxin2.cesmail.net with SMTP; 29 Nov 2008 15:52:06 -0000

To: <jfaughnan[at]spamcop.net>

Subject: no recurring smiles gibe in bathhouse

From: <jfaughnan[at]spamcop.net>

MIME-Version: 1.0

Importance: High

Content-Type: text/html

X-SpamCop-Checked:

X-SpamCop-Disposition: Blocked SpamAssassin=22

X-SpamCop-Whitelisted: jfaughnan[at]spamcop.net

[StevenUnderwood]

Received: from unknown (HELO aennepress.it) (213.133.8.219)

by mxin2.cesmail.net with SMTP; 29 Nov 2008 15:52:06 -0000

To: <jfaughnan[at]spamcop.net>

Subject: no recurring smiles gibe in bathhouse

From: <jfaughnan[at]spamcop.net>

This message was forged with your email address as the sender. The sending machine is 213.133.8.219. If gmail is really using the (usually forged) sender address, that is not a very useful method.

[SpamCopAdmin]

Maybe you could stop forwarding your SpamCop account to your Gmail account and collect your mail directly from the SpamCop account. Or read the mail online with the SpamCop web interface.

- Don -

.

[DavidT]

I think I see a simple and obvious solution--remove the "jfaughnan" address from your SpamCop personal whitelist settings. The message had a SA score of over 20, so it would have been caught in your SC Held mail, but I see from the headers that you've got your own address whitelisted, which is generally considered a bad idea. Remove that, and this kind of message should be forwarded to your GMail account, IIUC.

Also, you've sure been "living dangerously" in terms of spam exposure of your SC address. A Google search returns almost 1000 hits on your address, meaning that it's published (mostly on forums) all over the web. Spambots harvest email addresses posted in the open like that, so I always advise people against having their email addresses show up in search engine results. Most forum software is capable of protecting your actual email address, offering contact options through "private messages," which is much less likely to result in abuse and spam.

During the Google search, I stumbled upon this page of yours:

http://www.faughnan.com/spam.html

DT

[DavidT]

Hmmm....it seems that the OP read my latest post....he was here after I posted and edited it, but I wonder why he didn't respond? Curious....

DT

[DavidT]

Well, no matter if Mr. Faughnan ever comes back and interacts with us here (I hope he saw my solution, posted above), apropos to this topic is an announcement on the SC webmail login page today:

Dec 5, 2008

[16:01 EST] Lots of users have their own email address in their personal whitelist. This is a problem because spammers often send you spam that is forged with your own email address as the return address. Please make sure that you don't have your own email address on your personal whitelist because if it is, this spam will be whitelisted and delivered to your inbox.

...which is what appears to have been the problem in this case....but we may never know.

DT