Spam using a legitimate sg address is not decrementing count

Postby rpao » Sat Feb 02, 2008 3:25 pm

I have spam coming into an established SG address (ebay-com.e.sguser@sgdomain.tld) with an exclusive sender set to "ebay.com".

How is spam coming from somewhere without "ebay.com" anywhere in its name getting through SG without decrementing the remaining counter (initially 5, manually reset to 20, and now staying at 20 even after many spam messages like the following)? Even the subject line is forged to say "exclusive" (the formatting of "exclusive" does not match my other legitimate messages).

Please, can someone parse out the following mail header and explain to me how they got through without decrementing the remaining counter? Please?

Redacted Notes:
sguser would be my login here at SG.
realhost.realdomain.tld would be the FQDN of my real e-mail address.
XX and x's added just in case.

Redacted Spam:

Return-Path: <+ebay-com+sguser+f80befab3a.terrycrosswhite#argosyinvestments.com@spamgourmet.com>
X-Original-To: sguser-spamgourmet.com@realdomain.tld
Delivered-To: sguser-spamgourmet.com@realdomain.tld
Received: from gourmet.spamgourmet.com (gourmet.spamgourmet.com [216.75.35.164])
by realhost.realdomain.tld (Postfix) with ESMTP id 47AEA17C098E
for <sguser-spamgourmet.com@realdomain.tld>; Fri, 1 Feb 2008 21:36:58 -0800 (PST)
Received: from gourmet.spamgourmet.com (localhost.localdomain [127.0.0.1])
by gourmet.spamgourmet.com (8.13.8/8.13.7) with ESMTP id m125Zvu4030705
for <sguser-spamgourmet.com@realdomain.tld>; Sat, 2 Feb 2008 05:35:57 GMT
Received: (from jqh1@localhost)
by gourmet.spamgourmet.com (8.13.8/8.13.8/Submit) id m125ZuR5030676
for sguser-spamgourmet.com@realdomain.tld; Sat, 2 Feb 2008 05:35:56 GMT
Received: from dsl-del-static-029.165.145.203.airtelbroadband.in (dsl-del-static-029.165.145.203.airtelbroadband.in [203.145.165.29] (may be forged))
by gourmet.spamgourmet.com (8.13.8/8.13.7) with SMTP id m125ZsRS030601
for <ebay-com.e.sguser@xoxy.net>; Sat, 2 Feb 2008 05:35:55 GMT
Received: from dob ([145.125.119.224])
by dsl-del-static-029.165.145.203.airtelbroadband.in (8.13.3/8.13.3) with SMTP id m125gnaa023654;
Sat, 2 Feb 2008 11:12:49 +0530
Message-ID: <47A40210.7080500@argosyinvestments.com>
Date: Sat, 2 Feb 2008 11:09:28 +0530
From: "terrycrosswhite@argosyinvestments.com" <+ebay-com+sguser+f80befab3a.terrycrosswhite#argosyinvestments.com@spamgourmet.com>
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: ebay-com.e.sguser@xoxy.net
Subject: what Doctor recommend! (ebay-com: to exclusive)
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Looking for the best pricein medz? hXXp://x76.x119.x136.x66/jmon/

Postby SysKoll » Sat Feb 02, 2008 4:36 pm

The key is in the return path:

+ebay-com+sguser+f80befab3a.terrycrossw ... ourmet.com>

This is addressed to the ebay-com disposable of user sguser, from a (probably faked) sender terrycrosswhite /at/ argosyinvestments.com. Parsing this disposable explains your counter being decremented.
-- SysKoll

Postby rpao » Mon Feb 04, 2008 4:33 am

The From address does NOT have ebay.com in it. The counter is NOT being decremented (as I expected it to be).

Postby SysKoll » Mon Feb 04, 2008 1:08 pm

Hummm. Josh, would it be possible that the ebay.com string in the exclusive sender field matches ebay-com? Is the exclusive seen as a regular expression?
-- SysKoll

Postby Bart » Thu Mar 13, 2008 3:26 pm

Hello,

I have a very similar problem. I modified the following header using cut and paste as follows:
- my real email address has been changed to realadress@example.com
- my username at sg has been changed to sg_user_example
- the first part of the sg mailbox name has been changed to longdomainname5678901_example
- the exclusive sender at sg is longdomainname5678901.example, where .example is a valid TLD instead

Return-Path: <+longdomainname567890+sg_user_example+eb211a6771._every#aismail.wustl.edu@spamgourmet.com>
Received: from TZMXS01.htp-tel.de (TZ-cyrus [172.17.50.70])
by TZMXS01 (Cyrus v2.2.12) with LMTPA;
Mon, 10 Mar 2008 08:30:02 +0100
X-Sieve: CMU Sieve 2.2
Received: from tzspa02.htp.net (tzspa02 [172.17.50.40])
by TZMXS01.htp-tel.de with ESMTP id m2A7U2FI005017
for <realadress@example.com>; Mon, 10 Mar 2008 08:30:02 +0100 (MET)
Received: from TZMXR02.htp-tel.de (TZMXR02 [81.14.243.18])
by tzspa02.htp.net with ESMTP id m2A7TuYQ017732
for <realadress@example.com>; Mon, 10 Mar 2008 08:29:56 +0100
Received: from gourmet.spamgourmet.com (gourmet.spamgourmet.com [216.75.35.164])
by TZMXR02.htp-tel.de with ESMTP id m2A7TsSi024059
for <realadress@example.com>; Mon, 10 Mar 2008 08:29:55 +0100 (CET)
Received: from gourmet.spamgourmet.com (localhost.localdomain [127.0.0.1])
by gourmet.spamgourmet.com (8.13.8/8.13.7) with ESMTP id m2A7TrTK022216
for <realadress@example.com>; Mon, 10 Mar 2008 07:29:53 GMT
Received: (from jqh1@localhost)
by gourmet.spamgourmet.com (8.13.8/8.13.8/Submit) id m2A7TqbK022178
for realadress@example.com; Mon, 10 Mar 2008 07:29:52 GMT
Received: from host154-237-static.187-82-b.business.telecomitalia.it (host154-237-static.187-82-b.business.telecomitalia.it [82.187.237.154])
by gourmet.spamgourmet.com (8.13.8/8.13.7) with ESMTP id m2A7TpK6022104
for <longdomainname5678901_example.10.sg_user_example@spamgourmet.com>; Mon, 10 Mar 2008 07:29:51 GMT
Message-ID: <000a01c88280$05e1b550$8289aeb1@xawak>
From: +longdomainname567890+sg_user_example+e ... ourmet.com
To: <longdomainname5678901_example.10.sg_user_example@spamgourmet.com>
Subject: Cyalis, Vyagra and Levytra at Bargain Prices - We Have It All! longdomainname5678901_example.10.sg_user_example's discount. (longdomainname567890: to exclusive)
Date: Mon, 10 Mar 2008 05:44:49 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0007_01C88280.05E1133A"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
I think sg will not check for the exclusive sender as we (rpao and me) expect.
Because of the part "(longdomainname567890: to exclusive)" in the subject, I think sg incorrectly detected the spam as ham from the exclusive sender. In my case the string in the exclusive sender field is longer than the part of it in the Return-Path header field. There is no exact match. The same goes for the From header field. Maybe sg only uses the first 20 characters of the exclusive sender string. In that case the user interface should only accept up to 20 characters, and only those that can occur in an email address and can be handled by sg. I can't guess the maximum length of such a string and would expect an error message instead of it saving one that is too long. Otherwise sg may search the whole header, including the subject line, for a match. That is not expected, because a subject is no regular place for sender information.
In both cases, in my example every mail, spam and ham, can pass sg without decreasing the counter. That result is surely not what we expect.
It would be nice if sg only checked the relevant header lines _after_ decoding them to the original format. In my example it should first convert "From: +longdomainname567890+sg_user_example+e ... ourmet.com" to "From: _every@aismail.wustl.edu" and check that against the string defining the exclusive sender. I would suggest the same for the other relevant header fields, like Return-Path, Sender (if it exists) and so on. Comparing parts of the sg mailbox name, like "longdomainname5678901_example", or parts of the sg username with the exclusive sender string is imho no good idea, because there might always be a match...
... and an average sg user doesn't know enough about the internal handling of these strings...

Can that be changed? Thank you.
Greetings
Bart
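An added example, not code from spamgourmet or from anyone in this thread, that puts the two hypotheses raised above side by side on the two redacted headers quoted in the thread: SysKoll's (the exclusive sender string "ebay.com" treated as an unanchored regular expression, so the unescaped dot matches the hyphen in "ebay-com") and Bart's (decode the masked reply address back to the original sender first, then compare only that). The masked-address layout `+word+user+hex.localpart#domain@spamgourmet.com` is inferred from the two Return-Path lines posted above and is an assumption, as are the function names; the sample messages are trimmed copies of the posted headers, with Bart's truncated From line left out.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Layout of the masked reply address, inferred from the two Return-Path
# headers in this thread (an assumption, not a documented spamgourmet spec):
#   +<disposable word>+<sg user>+<hex tag>.<orig localpart>#<orig domain>@spamgourmet.com
MASKED_RE = re.compile(
    r"^\+(?P<word>[^+]+)\+(?P<user>[^+]+)\+(?P<tag>[0-9a-f]+)\."
    r"(?P<local>.+)#(?P<domain>[^@#]+)@spamgourmet\.com$"
)

# Trimmed copies of the headers quoted above (Bart's From line is truncated
# on the page, so only his Return-Path is used).
RPAO_MSG = """\
Return-Path: <+ebay-com+sguser+f80befab3a.terrycrosswhite#argosyinvestments.com@spamgourmet.com>
From: "terrycrosswhite@argosyinvestments.com" <+ebay-com+sguser+f80befab3a.terrycrosswhite#argosyinvestments.com@spamgourmet.com>
To: ebay-com.e.sguser@xoxy.net
Subject: what Doctor recommend! (ebay-com: to exclusive)

Looking for the best pricein medz?
"""

BART_MSG = """\
Return-Path: <+longdomainname567890+sg_user_example+eb211a6771._every#aismail.wustl.edu@spamgourmet.com>
To: <longdomainname5678901_example.10.sg_user_example@spamgourmet.com>
Subject: Cyalis, Vyagra and Levytra at Bargain Prices - We Have It All! longdomainname5678901_example.10.sg_user_example's discount. (longdomainname567890: to exclusive)

(body omitted)
"""


def unmask(addr):
    """Decode a masked reply address to (original_sender, word, user); None if not masked."""
    m = MASKED_RE.match(addr)
    if not m:
        return None
    return (f"{m['local']}@{m['domain']}", m["word"], m["user"])


def naive_regex_match(exclusive, text):
    """SysKoll's hypothesis: the exclusive string is used as an unanchored regex
    over the raw headers, so the '.' in 'ebay.com' also matches 'ebay-com'."""
    return re.search(exclusive, text) is not None


def literal_sender_match(exclusive, sender):
    """Bart's proposal: compare the decoded sender literally. An exclusive string
    with '@' must equal the address; otherwise it must equal the sender's domain
    or be a parent domain of it."""
    sender, exclusive = sender.lower(), exclusive.lower()
    if "@" in exclusive:
        return sender == exclusive
    domain = sender.rsplit("@", 1)[-1]
    return domain == exclusive or domain.endswith("." + exclusive)


def check(raw, exclusive):
    """Run all three comparison strategies on one raw message."""
    msg = message_from_string(raw)
    return_path = parseaddr(msg["Return-Path"] or "")[1]
    decoded = unmask(return_path)
    sender = decoded[0] if decoded else return_path
    return {
        "decoded_sender": sender,
        "disposable_word": decoded[1] if decoded else None,
        # matches because '.' is a regex wildcard hitting 'ebay-com' / '_example'
        "naive_regex_over_headers": naive_regex_match(exclusive, raw),
        # plain substring search over the raw headers (no wildcard)
        "literal_substring_over_headers": exclusive.lower() in raw.lower(),
        # the comparison Bart asks for: decoded original sender only
        "literal_on_decoded_sender": literal_sender_match(exclusive, sender),
    }


if __name__ == "__main__":
    for label, raw, exclusive in (("rpao", RPAO_MSG, "ebay.com"),
                                  ("Bart", BART_MSG, "longdomainname5678901.example")):
        print(label, check(raw, exclusive))
```

On both messages the unanchored-regex strategy reports a match (the wildcard dot swallows the "-" in "ebay-com" and the "_" in "longdomainname5678901_example", both of which appear in the disposable address and the forged subject), while comparing the decoded original sender against the exclusive string rejects both, which is the behaviour the two posters expected.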

