Successful Defeat of SpamGourmet?

Postby firepower » Wed Jan 27, 2010 11:03 pm

I'm a long-time SpamGourmet user and love the great results I get with it. Recently, though, I started getting a bunch of spam emails via one of my SpamGourmet emails that doesn't make sense. Since this forum apparently doesn't allow attachments, you may want to go download this small file which will have the examples I'll refer to: http://www.paulbrandon.org/temp/SpamGourmet.zip. The .zip file contains the following:

* <long name>.eml file - The actual email I received
* Email.txt - The email with headers as a text file
* MS_Configuration.jpg - Configuration of my Myspace Spamgourmet email address
* DWW_Configuration.jpg - Configuration of my DestinyWorldWide Spamgourmet email address

For SpamGourmet addresses I generally use a "word" value that relates to the domain I'm using it for (so "Myspace.20.firepower@spamgourmet.com" would be used for Myspace). In the example email, you'll see a "To" value of "destinyworldwide.20.firepower@spamgourmet.com" which sounded to me like an address I don't maintain. Sure enough, the SpamGourmet configuration for that address as attached shows 0 "Remaining" and no exclusive sender. Interestingly though, the Subject of the email includes "(trusted: myspace.com)" which normally would mean that the email is From "myspace.com" where up until yesterday I had my SpamGourmet address of "myspace.20.firepower@spamgourmet.com" set up with "myspace.com" as a "trusted sender". Yesterday though for that address I set the "Remaining" value to 0 and removed "myspace.com" as a "trusted sender" and I still received similar spam messages today.

I think that it may have something to do with the way the "from" and "envelope-from" values are constructed but I'm pretty rusty on that stuff at this point. Also, since BOTH addresses have been effectively disabled in SpamGourmet (i.e. "remaining" is set to 0) I'm not sure how they're getting around that....

Anyway, the URL above has the complete email & headers but I'll include what looks like the relevant piece here as a quote too:

Received: from gourmet7.spamgourmet.com ([216.75.62.102]) by mail.paulbrandon.org with Microsoft SMTPSVC(6.0.3790.3959);
    Wed, 27 Jan 2010 03:14:16 -0600
Received: from spamgourmet by gourmet7.spamgourmet.com with local (Exim 4.63)
    (envelope-from <+destinyworldwide+firepower+011d022010.noreply#message.myspace.com@spamgourmet.com>)
    id 1Na42y-0000Xe-VK
    for [realemail]; Wed, 27 Jan 2010 09:18:48 +0000
Received: from [122.52.169.84] (helo=122.52.169.84.pldt.net)
    by gourmet7.spamgourmet.com with smtp (Exim 4.63)
    (envelope-from <noreply@message.myspace.com>)
    id 1Na42y-0000Vz-Bf
    for destinyworldwide.20.firepower@spamgourmet.com; Wed, 27 Jan 2010 09:18:48 +0000
From: +destinyworldwide+firepower+011d022010. ... ourmet.com
To: <destinyworldwide.20.firepower@spamgourmet.com>
Subject: Elite World Casino: Bonus 3500$ USA Player Welcome!!! (trusted: myspace.com)
Date: Wed, 27 Jan 2010 16:58:59 +0800
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <E1Na42y-0000Xe-VK@gourmet7.spamgourmet.com>
Return-Path: +destinyworldwide+firepower+011d022010. ... ourmet.com
X-OriginalArrivalTime: 27 Jan 2010 09:14:16.0953 (UTC) FILETIME=[19DBCE90:01CA9F31]


Any ideas? At first glance it looks like maybe they're circumventing Spamgourmet somehow but I'll be interested to know if there's anything I (or you) can do to stop it. I've gotten pretty used to not getting Spam for a long time now so this is kind of a new experience again lol. :shock: Thanks.

Paul.
firepower
 
Posts: 4
Joined: Wed Jan 27, 2010 10:30 pm

Postby josh » Thu Jan 28, 2010 5:15 pm

Do you have myspace.com as a trusted sender? It looks like the message was originally "from" the address

011d022010.noreply@message.myspace.com

- the way the trusted and exclusive sender matching logic works is that it just looks at what's in the "from" address - and you may know that a sender can put anything there, so maybe that's what's going on.
josh
 
Posts: 1371
Joined: Fri Aug 29, 2003 2:28 pm
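
An added example, not part of the original thread and not SpamGourmet's code: it parses the Received hop quoted in the first post and contrasts a trusted-sender check that looks only at the claimed sender address, as described above, with one that also requires the connecting host's name to fall under the trusted domain. The function names are hypothetical, and the HELO comparison is a triage heuristic only (HELO is supplied by the client too); a production check would rely on SPF, DKIM or verified reverse DNS.

```python
import re

# Hop copied from the headers in the first post (where gourmet7 accepted the message).
RECEIVED = (
    "from [122.52.169.84] (helo=122.52.169.84.pldt.net) "
    "by gourmet7.spamgourmet.com with smtp (Exim 4.63) "
    "(envelope-from <noreply@message.myspace.com>) "
    "id 1Na42y-0000Vz-Bf "
    "for destinyworldwide.20.firepower@spamgourmet.com; "
    "Wed, 27 Jan 2010 09:18:48 +0000"
)

# Matches the Exim layout seen on the page: [ip] (helo=name) ... (envelope-from <addr>)
HOP_RE = re.compile(
    r"from \[(?P<ip>[0-9a-fA-F.:]+)\]\s+\(helo=(?P<helo>[^)\s]+)\).*?"
    r"\(envelope-from <(?P<sender>[^>]*)>\)",
    re.S,
)

def parse_hop(received):
    """Return the connecting IP, HELO name and envelope sender of one hop."""
    m = HOP_RE.search(received)
    if m is None:
        raise ValueError("Received header not in the expected Exim layout")
    return m.groupdict()

def domain_matches(host, trusted):
    """True if host is the trusted domain or one of its subdomains."""
    host, trusted = host.lower().rstrip("."), trusted.lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)

def trusted_by_address_only(hop, trusted):
    """The check as described in the thread: only the claimed sender counts."""
    return domain_matches(hop["sender"].rpartition("@")[2], trusted)

def trusted_with_host_check(hop, trusted):
    """Hypothetical stricter variant: the connecting host must align as well."""
    return trusted_by_address_only(hop, trusted) and domain_matches(hop["helo"], trusted)

if __name__ == "__main__":
    hop = parse_hop(RECEIVED)
    print(hop)
    print("address-only check:", trusted_by_address_only(hop, "myspace.com"))
    print("with host check:   ", trusted_with_host_check(hop, "myspace.com"))
```
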

Postby firepower » Thu Jan 28, 2010 7:12 pm

I currently do not (that was one of the screenshot .jpg files). Originally I did, however, I removed it to rule that out as the possible source. I'm still getting emails sent that way even though "myspace.com" has been removed as a trusted sender....
firepower
 
Posts: 4
Joined: Wed Jan 27, 2010 10:30 pm

Postby firepower » Thu Jan 28, 2010 7:18 pm

Interesting follow-up. I was correct that I removed "myspace.com" as a trusted sender from that address BUT I noticed on the main "Advanced" page that it still was showing up there? Maybe when you delete it at the individual address level it's still keeping it someplace (i.e. maybe that's a bug)? Regardless, I removed it there as well. I'll let you know in a day or two if that stops the spam messages.
firepower
 
Posts: 4
Joined: Wed Jan 27, 2010 10:30 pm