Postby Bunchan » Sun Mar 27, 2016 7:45 pm

Increasing quantities of spam have recently appeared in my inbox (via my ISP – Time Warner – to Microsoft Outlook [Office 365 edition] running on Windows 7). All of this spam appears to be from, to, or associated with

My first thought was that spamgourmet is broken or has been hacked. That seems unlikely but not impossible. It’s also possible my PC has malware that is somehow harvesting my spamgourmet addresses. Or I might simply be using spamgourmet in a nonoptimal way that unnecessarily allows some spam to get through. Can someone help me analyze the symptoms and suggest which of these scenarios (if any) is most likely?

In Outlook, the From and To fields for the spam consistently show the same spamgourmet disposable address. Different messages use different addresses, but each individual message shows the same address in the To and From fields. I think these fields can be faked, so I do not assume the displayed values are accurate. (If I knew more about tracing e-mail routing, I would try to do that, but I don’t have that expertise; my impression is that it’s difficult even for experts.)

Based on the Outlook To and From fields, all the recent spam appears to be from senders who are not on my trusted senders list and to disposable addresses that (for a long time) have been configured to allow 0 messages to be forwarded. Again I think these apparent “facts” could be misleading. When I send e-mail myself to the relevant disposable addresses, spamgourmet correctly eats the messages.

I saved a few of the most recent spam messages. The three messages I saved appear to be addressed to two of my most abused disposable addresses. By “most abused”, I mean that I zeroed allowed messages for those addresses years ago due to the flood of spam coming through those addresses. The count of eaten messages for both addresses is currently close to 500.

Here's what Outlook displays in the From, To, Subject, and Received [date] fields for these messages in its index. I’ve replaced the business names I used in my disposable addresses with CorruptBusiness1 and CorruptBusiness2 (to indicate the businesses that leaked, sold, or otherwise abused my address). MySGName represents my spamgourmet account name, to which I add prefixes to create disposable addresses. The spam notifications from Norton and Outlook are included.

From: Modesto Mcneil –
To: CorruptBusiness1.MySGName
Subject: [Norton AntiSpam]FW: Invoice Copy (trusted:
Received: Fri 3/25/2016 5:28 AM

From: Freddy Noble –
To: CorruptBusiness2.MySGName
Subject: [Norton AntiSpam]SPAM: FW: Invoice Copy (trusted:
Received: Fri 3/25/2016 8:21 AM

Subject: SPAM: 100% FREE (trusted:
Received: Sun 3/27/2016 5:27 AM

The first and second messages, received within 3 hours of each other, have the same Subject (except for the “SPAM” tag) and the same contents (identified as JS.Downloader by Norton). I suspect (but am not certain) these two messages came from the same spammer.

All three of these messages show “trusted:” in the Subject field. I do have in my trusted senders list, which may be a mistake. (I think I added to that list when I signed up on the Spamgourmet BBS, hoping to make sure I received all relevant e-mail from the BBS.)

Questions and conjectures:

Is it a bad idea to have in my trusted senders list?

I’m guessing that one or more spammers who know one or more of my disposable addresses surmised that I might also have on my trusted senders list and faked the origin of the spam to show as the sender. Is this possible and, if so, is it likely to explain how the recent spam penetrates and gets to my inbox? Or is it possible that is actually generating and sending spam? Is it likely I can solve the problem by removing from the trusted senders list?

Assuming did not generate the recent spam, it’s not clear to me how one of the spammers would have access to multiple disposable addresses. As noted above, the Subject and contents of messages 1 and 2 described above are the same, indicating they might come from the same source. But they are addressed to two different disposable addresses, which makes me wonder whether the spammer has access to my list of disposable addresses. My best guess (which could be way off base) is that even though I gave only one address to each corrupt business, both of the addresses were so widely abused and disseminated that they might have both fallen into the hands of the same spammer. Is this the most likely explanation for the symptoms I see? If not, what explanation do you think is better?

In general, I haven’t paid close attention to the Subject lines in messages routed through spamgourmet, except for the “trusted” tag or count of allowed messages for the relevant address. Two of the three messages described above include “FW” (forwarded?) in the Subject; one does not. Is the presence or absence of “FW” meaningful and important in some way? If the “FW” messages were forwarded, I don’t know who they were forwarded by, or why the third, “unforwarded”, message was handled differently.

Thanks for any help and clarification you can offer.
Re: Spam from

Postby End User » Tue Mar 29, 2016 6:42 pm

Hello Bunchan

It is true that some of the addresses we have have been compromised. The question is how were they compromised? Was it 1) SpamGourmet was compromised? or 2) one or more of our addressees' computers were compromised (they could have Trojan(s) reaping email addresses and other information and sending it home)? or 3) several ISPs have employees that have sought to enrich their income by selling information gathered by the ISP? or 4) was our Wifi intercepted for example with a Man-In-The-Middle Attack? or 5) our own computers are compromised? There are several possibilities as to how the situation that you describe could be happening to you, us and the myriads of other SpamGourmet users like us.

It is guaranteed that this computer (which is the only one used to access our email) is not compromised since it was gone over and secured by an above-average computer security professional who advises other computer service people on advanced security methods. No tool or scanner used to find any malware has found any kind of malware at all for many, many years on this or our prior computers since the security professional started securing our computers. (Just for the computer security-conscious people out there...some of the tools used were going to be listed here but if you care to know send a PM and we can steer you to the information you may need.)

For anyone interested a good start is to download and run Malwarebytes Anti-Malware. Use the free version and it will get you going. In order to get your computer fully checked FOR FREE go to the following website. ... t-do-i-do/ They are specialists at cleaning computers and do their work via the forum there giving instructions step by step and asking the one being helped to post logs they will help you to get so they can verify things are clean. The site is called BleepingComputer. For a list of several good sites for cleaning help please see this page: there any thing SpamGourmet can do to enhance security? Yes of course. How about starting out by using https on this forum's login page?

Some food for thought.

Best Regards
End User
Re: Spam from

Postby josh » Wed Mar 30, 2016 4:32 pm

It is a bad idea to have as a trusted sender -- a lot of spam (and phishing, etc.) email messages use a fake sender, and many of those choose the recipient address as the sender. For that reason, there will be matches against any of the spamgourmet domains that they're using.

As to the state of the server, I am looking into it, but don't see anything unusual at this point.

The plan of compromising the spamgourmet server and then sending bad messages to the disposable addresses in the database has never made sense to me - why not just send directly to the real addresses in the database? We maintain a few accounts as tests that should never receive email to use as an indicator that perhaps the real address list has been compromised - if I ever see this happen, I'll flip out, but of course at that point it will be too late to do much. It hasn't happened, by the way.

On the other hand, I could see some trivial value in examining spamgourmet addresses which have been harvested on the internet, and writing a script to perturb them to come up with new spamgourmet addresses which haven't expired. In fact I am sure this has happened before. Someone can do this without compromising the spamgourmet server, of course. Our strategy to defeat this type of attack was to implement Watchwords, which probably most people (including me) don't use.

As to the security of this BBS - there isn't any - it's on a different server hosted by a different company and doesn't share any of the data with the main spamgourmet server. At one point, I ran the bbs on the same server (always separate from the data), but PHP vulnerabilities kept cropping up and so I moved it off.
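An added illustration, not part of the original posts and not spamgourmet's code: a simplified model of why a domain-wide trusted-sender entry lets a message with a forged, self-addressed From header past an address whose counter is at 0. The domain disposable.example, the entry formats and the decide() policy are assumptions made for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed message: the header From is forged to equal the recipient.
SPOOFED = """\
From: Modesto Mcneil <shop1.user@disposable.example>
To: shop1.user@disposable.example
Subject: FW: Invoice Copy

(body omitted)
"""

def addresses(raw):
    """Return (from_addr, to_addr) from the headers, lower-cased."""
    msg = message_from_string(raw)
    return tuple(parseaddr(msg.get(h, ""))[1].lower() for h in ("From", "To"))

def sender_is_trusted(from_addr, trusted):
    """A trusted entry is a full address or a bare domain (any address in it)."""
    domain = from_addr.rpartition("@")[2]
    return any(entry.lower() in (from_addr, domain) for entry in trusted)

def decide(raw, remaining, trusted):
    """Assumed policy: trusted senders bypass the per-address counter."""
    from_addr, _ = addresses(raw)
    if sender_is_trusted(from_addr, trusted):
        return "forward (trusted)"   # decided on a header the sender controls
    return "forward" if remaining > 0 else "eat"

def self_addressed(raw):
    """Detection heuristic: header From identical to header To."""
    from_addr, to_addr = addresses(raw)
    return bool(from_addr) and from_addr == to_addr

if __name__ == "__main__":
    # Same message, counter at 0, with and without the domain-wide entry.
    for trusted in (["disposable.example"], ["news@shop.example"]):
        print(trusted, "->", decide(SPOOFED, 0, trusted),
              "| self-addressed:", self_addressed(SPOOFED))
```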
Re: Spam from

Postby josh » Wed Mar 30, 2016 4:43 pm

On further analysis, I think I know what changed.

I was receiving a lot of complaints that the spamgourmet server was too strict on incoming mail servers in that I had a rule in place which rejected the connection if the sending server didn't have matching forward and reverse DNS records in place - this filtered out huge botnet armies of cable-connected computers that don't have the full DNS record set.

It also filtered out the occasional legit mail server, including some at Amazon apparently. A few weeks ago, after years of pushing back against the complaints, I removed the rule.

Since then, the server is way busier, and yes, it probably explains these extra messages we're seeing - ones that never could get through before because of their dodgy places of origin.

I just put back the rule - let's see what happens.
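An added illustration, not part of the original posts and not the server's actual rule: the matching forward and reverse DNS check described above, written with pluggable resolvers so it can be run offline. The addresses, hostnames and the FAKE_PTR/FAKE_A tables are constructed for the example.

```python
import socket

def system_ptr(ip):
    """Reverse lookup via the system resolver; empty list when no PTR exists."""
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except OSError:
        return []

def system_forward(name):
    """Forward lookup via the system resolver; empty set on failure."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def fcrdns(ip, ptr=system_ptr, forward=system_forward):
    """Return (accepted, reason): the PTR name must resolve back to ip."""
    names = ptr(ip)
    if not names:
        return False, "no PTR record"
    for name in names:
        if ip in forward(name):
            return True, f"{ip} -> {name} -> {ip}"
    return False, f"PTR {names[0]} does not resolve back to {ip}"

# Constructed DNS data (documentation address ranges).
FAKE_PTR = {
    "192.0.2.25": ["mail.sender.example"],       # properly configured server
    "198.51.100.40": ["smtp-out.cloud.example"], # legit server, incomplete DNS
}                                                # 203.0.113.77: cable host, no PTR
FAKE_A = {
    "mail.sender.example": {"192.0.2.25"},
    "smtp-out.cloud.example": {"198.51.100.99"}, # A record points elsewhere
}

def fake_ptr(ip):
    return FAKE_PTR.get(ip, [])

def fake_forward(name):
    return FAKE_A.get(name, set())

if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.40", "203.0.113.77"):
        print(ip, fcrdns(ip, fake_ptr, fake_forward))
```

The second constructed host shows the false positive mentioned in the post: a legitimate server whose DNS records are incomplete is rejected along with the botnet hosts.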
Re: Spam from

Postby ace604ace » Wed Mar 30, 2016 9:29 pm

Anything else change recently?

I started getting long delays on various SG emails from different sources (e.g. craigslist, internet forum notifications).

Today at 12:15pm Pacific I received an email from the craigslist-anonymous-remailer that was several days old. The headers show no delay on any hops, so it's as if they were attempting to send and re-send in the background for several days until it finally worked today?

Other examples include delays in the header, and I can see the delay is between another entity, like and
All the hops before that have near-zero delays, and all the hops after that are also near-zero delays, but that authsmtp -> spamgourmet hop has 2-4 hours delays.

Just heavy server loads??

Or something else going on?
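An added illustration, not part of the original posts: measuring per-hop delay from the Received headers, as the post above does by eye. The message, hostnames and timestamps are constructed; each timestamp comes from the stamping server's own clock, so small gaps can be clock skew.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample. Received headers are prepended, so the newest is on top.
SAMPLE = """\
Received: from mx.disposable.example (mx.disposable.example [192.0.2.25])
    by inbound.isp.example with ESMTP id C3; Wed, 30 Mar 2016 12:15:09 -0700
Received: from outbound.relay.example (outbound.relay.example [198.51.100.7])
    by mx.disposable.example with ESMTP id B2; Wed, 30 Mar 2016 12:15:02 -0700
Received: from app.sender.example (app.sender.example [203.0.113.9])
    by outbound.relay.example with ESMTP id A1; Wed, 30 Mar 2016 09:02:40 -0700
Date: Wed, 30 Mar 2016 09:02:31 -0700
From: notifier@sender.example
To: shop1.user@disposable.example
Subject: constructed sample

body
"""

def hops(raw):
    """Return [(receiving_host, datetime)] in delivery order (oldest first)."""
    msg = message_from_string(raw)
    out = []
    for value in reversed(msg.get_all("Received", [])):
        stamp = value.rsplit(";", 1)[-1].strip()   # date follows the last ';'
        by = re.search(r"\bby\s+(\S+)", value)
        out.append((by.group(1) if by else "?", parsedate_to_datetime(stamp)))
    return out

def hop_delays(raw):
    """Return [(from_host, to_host, seconds)] for each consecutive pair."""
    h = hops(raw)
    return [(a[0], b[0], (b[1] - a[1]).total_seconds()) for a, b in zip(h, h[1:])]

def origin_lag(raw):
    """Seconds between the Date header and the first recorded hop."""
    msg = message_from_string(raw)
    return (hops(raw)[0][1] - parsedate_to_datetime(msg["Date"])).total_seconds()

if __name__ == "__main__":
    for src, dst, secs in hop_delays(SAMPLE):
        print(f"{src} -> {dst}: {secs:.0f}s")
    print("Date header to first hop:", origin_lag(SAMPLE), "s")
```

A large origin_lag with near-zero hop delays means the time was spent before the first recorded hop, which the Received chain alone does not show.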
Re: Spam from

Postby josh » Thu Mar 31, 2016 12:00 am

Well yeah something changed - I put back the reverse lookup check, which reduced the server load a lot. Perhaps that explains some delayed messages getting through after the change.
