Spam Filter ISP Support Forum


Question about blacklist

superbug73
Posted: 31 August 2006 at 2:49pm

At our company I've written a plugin for Outlook that allows our employees to blacklist the 'from' address of any email in their inbox they deem to be spam.

Recently, one employee let me know that 3 times she had blacklisted an email, but they were still coming through to her inbox. I have here the logfile, and email header from the email detailing what is going on. This spammer has a methodology I haven't personally run into before, and I'm wondering if anyone else has encountered similar emails, and if there is any way to block them aside from adding root@www.insurancehotline.com to the blacklist, and will that even stop it? The address romanov@insurancehotline.com was the one that was in our blacklist while these were still coming through.

Here is the SF log:

08/31/06 13:37:32:088 -- (82924) Connection from: 66.96.28.45  -  Originating country : Canada
08/31/06 13:37:32:528 -- (82924) Resolving 66.96.28.45 - mx2.insurancehotline.com
08/31/06 13:37:32:809 -- (82924) found SPF record for www.insurancehotline.com: v=spf1 ip4:24.215.7.112/28 a mx ptr -all
08/31/06 13:37:32:899 -- (82924) SPF query result: pass
08/31/06 13:37:32:899 -- (82924) - SPF analysis for www.insurancehotline.com done: - pass
08/31/06 13:37:32:899 -- (82924) Mail from: root@www.insurancehotline.com
08/31/06 13:37:37:776 -- (82932) Connection from: 12.1.226.99  -  Originating country : United States
08/31/06 13:37:38:176 -- (82924) - MAPS search done...
08/31/06 13:37:38:176 -- (82924) RCPT TO: soandso@someplace.com accepted
08/31/06 13:37:38:316 -- (82924) EMail from root@www.insurancehotline.com to soandso@someplace.com passes Bayesian filter - 0% spam  (20ms)
08/31/06 13:37:44:685 -- (82924) EMail from root@www.insurancehotline.com to soandso@someplace.com was queued. Size: 1 KB, 1024 bytes
08/31/06 13:37:44:705 -- (82932) Sending email from romanov@insurancehotline.com to soandso@someplace.com
08/31/06 13:37:44:795 -- (82924) Disconnect


Here is the header info from the email:

Microsoft Mail Internet Headers Version 2.0
Received: from ourserver ([0.0.0.0]) by ourmailserver@here.com with Microsoft SMTPSVC(5.0.2195.6713);
  Thu, 3 Aug 2006 01:30:49 -0400
Received: from 0.0.0.0 by here.com (LogSat Software SMTP Server) Thu, 3 Aug 2006 01:30:40 -0400
Received: by www.insurancehotline.com (Postfix, from userid 0)
 id 7E3EADD2A9; Thu,  3 Aug 2006 01:28:01 -0400 (EDT)
To: soandso@someplace.com
From: romanov@insurancehotline.com (Lee Romanov)
Subject: Romanov Report - Is out-RATE-geous
Content-type: text/plain
Message-Id: <20060803052801.7E3EADD2A9@www.insurancehotline.com>
Date: Thu,  3 Aug 2006 01:28:01 -0400 (EDT)
X-Server: LogSat Software SMTP Server
X-SF-RX-Return-Path: <root@www.insurancehotline.com>
X-SF-HELO-Domain: www.insurancehotline.com
Return-Path: root@www.insurancehotline.com
X-OriginalArrivalTime: 03 Aug 2006 05:30:49.0671 (UTC) FILETIME=[FAA32D70:01C6B6BD]

LogSat
Posted: 31 August 2006 at 3:55pm
The address "root@www.insurancehotline.com" is what was provided by the sender in the MAIL FROM command. The address "romanov@insurancehotline.com" is what was specified in the "From:" headers in the logs. This latter one is not used by mail servers as it's only used by email clients to display the address the sender wants to see displayed. Depending on how the Outlook plugin was programmed, it could be working on either one of the two.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
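
The distinction described in the reply above, as an added example (not part of the original thread, and not LogSat's or the plugin author's code): Python that extracts the envelope sender and the "From:" header address from the headers posted above and reports which of the two a blacklist entry matches. The function names are hypothetical, and it assumes the receiving server recorded the MAIL FROM address in Return-Path / X-SF-RX-Return-Path, as the posted headers show.

```python
from email import message_from_string
from email.utils import getaddresses

# Sender-related headers copied from the message posted in this thread.
SAMPLE = """\
Received: by www.insurancehotline.com (Postfix, from userid 0)
 id 7E3EADD2A9; Thu,  3 Aug 2006 01:28:01 -0400 (EDT)
To: soandso@someplace.com
From: romanov@insurancehotline.com (Lee Romanov)
Subject: Romanov Report - Is out-RATE-geous
X-SF-RX-Return-Path: <root@www.insurancehotline.com>
Return-Path: root@www.insurancehotline.com

"""

# Headers in which the receiving server recorded the MAIL FROM address.
ENVELOPE_FIELDS = ("Return-Path", "X-SF-RX-Return-Path")


def _addresses(msg, fields):
    """Collect the bare, lower-cased addresses found in the given headers."""
    values = []
    for field in fields:
        values.extend(msg.get_all(field, []))
    return {addr.lower() for _name, addr in getaddresses(values) if addr}


def sender_identities(raw_headers):
    """Return the envelope sender(s) and the displayed From: address(es)."""
    msg = message_from_string(raw_headers)
    return {
        "envelope": _addresses(msg, ENVELOPE_FIELDS),
        "header": _addresses(msg, ("From",)),
    }


def blacklist_matches(raw_headers, blacklist):
    """Map each identity kind to the blacklist entries it matches exactly."""
    wanted = {entry.lower() for entry in blacklist}
    identities = sender_identities(raw_headers)
    return {kind: sorted(addrs & wanted) for kind, addrs in identities.items()}


if __name__ == "__main__":
    print(sender_identities(SAMPLE))
    # The entry from the original post matches only the From: header.
    print(blacklist_matches(SAMPLE, ["romanov@insurancehotline.com"]))
```

A plugin that records the displayed "From:" address and a filter that compares against the envelope sender will never agree on this message; recording both values from the selected message avoids the mismatch.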