At our company I've written a plugin for Outlook that allows our employees to blacklist the 'from' address of any email in their inbox they deem to be spam.
Recently, one employee let me know that 3 times she had blacklisted an email, but they were still coming through to her inbox. I have here the logfile, and email header from the email detailing what is going on. This spammer has a methodology I haven't personally run into before, and I'm wondering if anyone else has encountered similar emails, and if there is any way to block them aside from adding root@www.insurancehotline.com to the blacklist, and will that even stop it? The address romanov@insurancehotline.com was the one that was in our blacklist while these were still coming through.
Here is the SF log:
08/31/06 13:37:32:088 -- (82924) Connection from: 66.96.28.45 - Originating country : Canada
08/31/06 13:37:32:528 -- (82924) Resolving 66.96.28.45 - mx2.insurancehotline.com
08/31/06 13:37:32:809 -- (82924) found SPF record for www.insurancehotline.com : v=spf1 ip4:24.215.7.112/28 a mx ptr -all
08/31/06 13:37:32:899 -- (82924) SPF query result: pass
08/31/06 13:37:32:899 -- (82924) - SPF analysis for www.insurancehotline.com done: - pass
08/31/06 13:37:32:899 -- (82924) Mail from: root@www.insurancehotline.com
08/31/06 13:37:37:776 -- (82932) Connection from: 12.1.226.99 - Originating country : United States
08/31/06 13:37:38:176 -- (82924) - MAPS search done...
08/31/06 13:37:38:176 -- (82924) RCPT TO: soandso@someplace.com accepted
08/31/06 13:37:38:316 -- (82924) EMail from root@www.insurancehotline.com to soandso@someplace.com passes Bayesian filter - 0% spam (20ms)
08/31/06 13:37:44:685 -- (82924) EMail from root@www.insurancehotline.com to soandso@someplace.com was queued. Size: 1 KB, 1024 bytes
08/31/06 13:37:44:705 -- (82932) Sending email from romanov@insurancehotline.com to soandso@someplace.com
08/31/06 13:37:44:795 -- (82924) Disconnect
Here is the header info from the email:
Microsoft Mail Internet Headers Version 2.0
Received: from ourserver ([0.0.0.0]) by ourmailserver@here.com with Microsoft SMTPSVC(5.0.2195.6713); Thu, 3 Aug 2006 01:30:49 -0400
Received: from 0.0.0.0 by here.com (LogSat Software SMTP Server) Thu, 3 Aug 2006 01:30:40 -0400
Received: by www.insurancehotline.com (Postfix, from userid 0) id 7E3EADD2A9; Thu, 3 Aug 2006 01:28:01 -0400 (EDT)
To: soandso@someplace.com
From: romanov@insurancehotline.com (Lee Romanov)
Subject: Romanov Report - Is out-RATE-geous
Content-type: text/plain
Message-Id: <20060803052801.7E3EADD2A9@www.insurancehotline.com>
Date: Thu, 3 Aug 2006 01:28:01 -0400 (EDT)
X-Server: LogSat Software SMTP Server
X-SF-RX-Return-Path: <root@www.insurancehotline.com>
X-SF-HELO-Domain: www.insurancehotline.com
Return-Path: root@www.insurancehotline.com
X-OriginalArrivalTime: 03 Aug 2006 05:30:49.0671 (UTC) FILETIME=[FAA32D70:01C6B6BD]