Spam delivered thru SG not from exclusive sender


Postby codex24 » Fri Feb 05, 2010 12:46 am

I've been an SG user since 2003, and love it and recommended it to everyone who will listen.

However, just recently I've started getting spam delivered to my protected address from SG, which SG apparently believes originated from the exclusive sender for that word. I have contacted the sysadmin of the domain that is the exclusive sender, assuming that this meant that they sold their address list or had been penetrated, and they assure me that is not the case. I will include an example, but it appears the spam originates from an address that is not the exclusive sender, using a spoofed 'from:' value that also is not the exclusive sender, and never goes through the exclusive sender. So how does SG determine the address of origin so as to accept it from the exclusive sender?

Example (my real protected ISP is replaced with 'protected-isp') :
X-Apparently-To: codex24@protected-isp.com via 68.142.200.150; Thu, 04 Feb 2010 15:15:20 -0800
Return-Path: <+ableammo+codex24+49d092604e.notification#facebookmail.com@spamgourmet.com>
X-protected-ispFilteredBulk: 216.75.62.102
X-YMailISG: (a really long random alphanumeric string)
X-Originating-IP: [216.75.62.102]
Authentication-Results: mta1087.mail.sp2.protected-isp.com from=spamgourmet.com; domainkeys=neutral (no sig); from=spamgourmet.com; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO gourmet7.spamgourmet.com) (216.75.62.102) by mta1087.mail.sp2.protected-isp.com with SMTP; Thu, 04 Feb 2010 15:15:20 -0800
Received: from spamgourmet by gourmet7.spamgourmet.com with local (Exim 4.63) (envelope-from <+ableammo+codex24+49d092604e.notification#facebookmail.com@spamgourmet.com>) id 1NdB14-0002qd-JD for codex24@protected-isp.com; Thu, 04 Feb 2010 23:21:42 +0000
Received: from 185-168-223-201.adsl.terra.cl ([201.223.168.185]) by gourmet7.spamgourmet.com with smtp (Exim 4.63) (envelope-from <notification@facebookmail.com>) id 1NdB13-0002p0-Tt for ableammo.com.codex24@spamgourmet.com; Thu, 04 Feb 2010 23:21:42 +0000
Received: from localhost (127.0.0.1) by 185-168-223-201.adsl.terra.cl (201.223.168.185) with Microsoft SMTP Server id 8.0.685.25; Thu, 4 Feb 2010 20:15:19 -0300
From: "notification@facebookmail.com" <+ableammo+codex24+49d092604e.notification#facebookmail.com@spamgourmet.com>
To: ableammo.com.codex24@spamgourmet.com
Subject: I want to come to you from Russia, you do not mind? (ableammo: to exclusive)
Date: Thu, 4 Feb 2010 20:15:19 -0300
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Message-Id: <E1NdB14-0002qd-JD@gourmet7.spamgourmet.com>
Content-Length: 137
We were talking on the forum, remember me? I am Maria from Russia!
My Dating Site
codex24
 
Posts: 16
Joined: Fri Feb 05, 2010 12:09 am
Location: Austin TX US
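
An added example, not part of the original thread and not spamgourmet's code: it reads the four Received headers posted above and reports which host actually handed the message to the forwarding service and what envelope sender it claimed. The function names, the `service` and `exclusive` parameters, and the regular expressions are assumptions made for this illustration; nothing here asserts how spamgourmet itself matches an exclusive sender.

```python
import re
from email import message_from_string

# The four Received headers from the post above, newest first, as posted.
RAW = (
    "Received: from 127.0.0.1 (EHLO gourmet7.spamgourmet.com) (216.75.62.102) by mta1087.mail.sp2.protected-isp.com with SMTP; Thu, 04 Feb 2010 15:15:20 -0800\n"
    "Received: from spamgourmet by gourmet7.spamgourmet.com with local (Exim 4.63) (envelope-from <+ableammo+codex24+49d092604e.notification#facebookmail.com@spamgourmet.com>) id 1NdB14-0002qd-JD for codex24@protected-isp.com; Thu, 04 Feb 2010 23:21:42 +0000\n"
    "Received: from 185-168-223-201.adsl.terra.cl ([201.223.168.185]) by gourmet7.spamgourmet.com with smtp (Exim 4.63) (envelope-from <notification@facebookmail.com>) id 1NdB13-0002p0-Tt for ableammo.com.codex24@spamgourmet.com; Thu, 04 Feb 2010 23:21:42 +0000\n"
    "Received: from localhost (127.0.0.1) by 185-168-223-201.adsl.terra.cl (201.223.168.185) with Microsoft SMTP Server id 8.0.685.25; Thu, 4 Feb 2010 20:15:19 -0300\n"
    "\n"
)

def parse_hop(value):
    """Pull the fields of interest out of one Received header value."""
    def grab(pattern):
        m = re.search(pattern, value)
        return m.group(1) if m else None
    return {
        "from_host": grab(r"^from\s+(\S+)"),
        "ip": grab(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]"),
        "by_host": grab(r"\bby\s+(\S+)"),
        "envelope_from": grab(r"envelope-from <([^>]*)>"),
    }

def assess(raw, service="spamgourmet.com", exclusive="ableammo.com"):
    """Describe the hop at which the message first entered `service`."""
    values = message_from_string(raw).get_all("Received", [])
    hops = [parse_hop(v.strip()) for v in values]
    # Headers are prepended in transit, so the last hop stamped by the service
    # is where the message entered it; lines below that are sender-controlled.
    stamped = [h for h in hops if (h["by_host"] or "").endswith(service)]
    if not stamped:
        raise ValueError("no Received header written by " + service)
    entry = stamped[-1]
    env_domain = (entry["envelope_from"] or "").rpartition("@")[2].lower()
    host = (entry["from_host"] or "").lower()
    return {
        "connecting_host": host,
        "connecting_ip": entry["ip"],
        "envelope_from": entry["envelope_from"],
        "envelope_is_exclusive": env_domain == exclusive or env_domain.endswith("." + exclusive),
        "host_under_envelope_domain": host == env_domain or host.endswith("." + env_domain),
    }

if __name__ == "__main__":
    for key, val in assess(RAW).items():
        print(f"{key}: {val}")
```

A connecting host outside the envelope domain is a signal rather than proof, since legitimate senders also relay through third-party hosts.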

Postby lwc » Fri Feb 05, 2010 8:02 pm

The message itself is just one part of the equation. You'll also have to copy and paste your exclusive sender's field in here (although try not to use "@" because you'll expose them to spam).
lwc
 
Posts: 455
Joined: Sat Aug 28, 2004 9:09 am

Postby warrenn » Sun Feb 07, 2010 1:46 am

Is facebookmail.com one of your exclusive senders? I believe SG just looks at the "From:" header in the mail. Spammers often put legitimate domains in the From field (yahoo.com, myspace.com, etc). If they just happen to get lucky and match one of your exclusive senders in the From field, the mail gets through.
warrenn
 
Posts: 12
Joined: Tue Sep 04, 2007 12:58 am

Postby codex24 » Mon Feb 08, 2010 7:21 am

The disposable address is "ableammo<dot>com<dot>codex24<at>spamgourmet<dot>com"
The exclusive sender for this address is "ableammo<dot>com".
"facebookmail.com" is not an exclusive or trusted sender.
My advanced settings:
You have 0 trusted sender(s) You have 0 watchword(s)

watchword enforcement: disabled
reply address masking: enabled
eaten message log: enabled
don't log for hidden addresses: disabled
hide subject tagline: disabled
hide tagline for trusted/exclusive only: disabled


Since I first wrote, I have gotten several dozen more spams to this address, and most seem to specify "facebookmail.com" as the spoofed origin.

If I can't figure out what's happening here, I will pull the plug on this address: change the address at the sending account, blacklisting it in my mail client and removing the exclusive sender. An inconvenience to me, but this smells like a potential SG defeat.
codex24
 
Posts: 16
Joined: Fri Feb 05, 2010 12:09 am
Location: Austin TX US

Postby lwc » Mon Feb 08, 2010 12:12 pm

warrenn wrote:I believe SG just looks at the "From:" header in the mail.

No, it also looks in the "To:" header.

As for the details, what's your remaining messages' # for this address? And are you sure the exclusive sender is just what you said, no other dots, brackets or anything?
lwc
 
Posts: 455
Joined: Sat Aug 28, 2004 9:09 am

Postby codex24 » Tue Feb 09, 2010 2:39 am

lwc wrote:As for the details, what's your remaining messages' # for this address? And are you sure the exclusive sender is just what you said, no other dots, brackets or anything?


My advanced mode address detail (from the XML dump) for that address:
 <DisposableAddress>
  <ID>4167171</ID>
  <Word>ableammo</Word>
  <MaxCount>8</MaxCount>
  <CountRemaining>8</CountRemaining>
  <NumForwarded>47</NumForwarded>
  <NumDeleted>0</NumDeleted>
  <Created>2009-04-28 05:03</Created>
  <FullAddress>ableammo.com.codex24@spamgourmet.com</FullAddress>
  <ExclusiveSender>ableammo.com</ExclusiveSender>
  <Hidden>0</Hidden>
  <Note></Note>
 </DisposableAddress>

codex24
 
Posts: 16
Joined: Fri Feb 05, 2010 12:09 am
Location: Austin TX US

Postby lwc » Tue Feb 09, 2010 4:21 pm

Can you provide a screenshot? Because
codex24 wrote: <CountRemaining>8</CountRemaining>

this means anyone can send you 8 messages, thus cancelling this entire topic. Then again, your header contained the word "exclusive" instead of count.
lwc
 
Posts: 455
Joined: Sat Aug 28, 2004 9:09 am

Postby codex24 » Fri Feb 12, 2010 4:20 pm

lwc wrote:Can you provide a screenshot? Because
codex24 wrote: <CountRemaining>8</CountRemaining>

this means anyone can send you 8 messages, thus cancelling this entire topic. Then again, your header contained the word "exclusive" instead of count.


That is my point. The 8 remaining count for forwarding non-exclusive senders has not changed since this issue has started, and I've received over 2 dozen spams to this address. The spams all contain "(ableammo: to exclusive)" in the subject, as if they are recognized as coming from the exclusive sender, when they are not. I have removed the exclusive sender now, to see if the counter changes when new spam arrives.

What can I provide you a screen shot of?
codex24
 
Posts: 16
Joined: Fri Feb 05, 2010 12:09 am
Location: Austin TX US

Postby lwc » Fri Feb 12, 2010 10:25 pm

codex24 wrote:What can I provide you a screen shot of?

The screen that has the exclusive sender (assuming you really do have 0 trusted senders).
lwc
 
Posts: 455
Joined: Sat Aug 28, 2004 9:09 am

Postby codex24 » Sat Feb 13, 2010 5:13 am

lwc wrote:
codex24 wrote:What can I provide you a screen shot of?

The screen that has the exclusive sender (assuming you really do have 0 trusted senders).


Here are the screen shots: http://drop.io/danom2a
While I had the exclusive sender removed, a legitimate email from the exclusive sender happened to arrive with "(ableammo: message 1 of 8)" appended to the subject line, and the counter decremented.

(edited off the new spam, it arrived before I removed the exclusive)
codex24
 
Posts: 16
Joined: Fri Feb 05, 2010 12:09 am
Location: Austin TX US

Postby lwc » Sat Feb 13, 2010 9:45 am

You made the screenshots unreadable. If that site is the one who caused this, then it's no good for screenshots. Also, please supply the one once clicking inside that account.
lwc
 
Posts: 455
Joined: Sat Aug 28, 2004 9:09 am

Postby codex24 » Mon Feb 15, 2010 4:53 am

lwc wrote:You made the screenshots unreadable. If that site is the one who caused this, then it's no good for screenshots.

Couldn't you see the files? I didn't make them read-only for me, that drop is public, I just tested it from another machine and account.

lwc wrote:Also, please supply the one once clicking inside that account.

I don't understand. PM me if you can't get the files.
codex24
 
Posts: 16
Joined: Fri Feb 05, 2010 12:09 am
Location: Austin TX US

Postby lwc » Mon Feb 15, 2010 6:39 am

I said unreadable as in too small a resolution to actually see the text in them.

I'd like to get a screenshot of the screen you get when you click that individual account inside the account list.
lwc
 
Posts: 455
Joined: Sat Aug 28, 2004 9:09 am

Postby codex24 » Mon Feb 15, 2010 11:55 pm

lwc wrote:I said unreadable as in too small a resolution to actually see the text in them.

I think you are referring to the previews. When you first view the drop.io page in media view, you will see thumbnails of any image files. If you click on them, you see a preview at about half-size resolution. Beneath that, or from the pull-down you get when you hover over the thumbnail, select the "Download" option. You will then get the browser-specific dialog (open, save as.., etc.) to view the image files in full size resolution.

lwc wrote:I'd like to get a screenshot of the screen you get when you click that individual account inside the account list.

I assume you mean the list of all my disposable addresses that you get by clicking on "Advanced Mode">"Search Addresses" with no search value in the text box. When I do this, I get several pages worth of screen, more than will fit in a screen shot, so I have updated the drop at http://drop.io/danom2a to include a PDF of page prints from the Advanced Mode and Search Addresses pages. Again, when you click, you will see a low-res preview, just select "Download" to obtain full-res version.
codex24
 
Posts: 16
Joined: Fri Feb 05, 2010 12:09 am
Location: Austin TX US

Postby lwc » Tue Feb 16, 2010 9:24 am

No, the "full size" is still too small.

No, I meant when within that list you click the relevant account, then take a screenshot.
lwc
 
Posts: 455
Joined: Sat Aug 28, 2004 9:09 am
