Old 24 Jan 2010, 06:37 AM   #2
nanook
Junior Member
Join Date: Jun 2004
Posts: 13
Spam from your own address

Geir -
Thanks for the generic info in your post, however, this information is inadequate for resolving the issue. I do understand that spoofing the sender address is a huge problem and that ISPs do not have full control over this until the Anti-Spam Technical Alliance finishes developing standards for sender authentication, and until ISPs are willing to adopt them, which result in loss of anonymity for users.

Among other problems, this situation of spoofing causes a legitimate sender address to end up in many other spam filters, some at an ISP level. I note that some ISPs are blocking the Runbox domain entirely. I've only dealt with one ISP who did this directly, which resulted in 'blocked' message indications to me (and it turned out to be an error on their part with IP address range provisioning in their servers), but I've noticed that when I try to sign up on some forums, I will receive a message that the Runbox email domain is blocked. This leads me to believe that the domain is blocked by some ISPs. And in some cases when I send messages to friends, they simply never receive the messages - although this can be due to filtering at their email client as well as direct ISP filtering.

One of the actions that might help, if only with messages that Runbox users get which appear to come from themselves, is for some filtering script which compares the 'from' field with the 'Received from' field. If these fields do not agree, the message should be filtered. I understand that sophisticated spammers will often forge even the 'Received from' field to further cover their tracks, but at the least, lack of agreement in these two fields is something that can be noted or filtered.

As an example, see the following header of a message I received today. This spammer used my own return address (farwest). The IP address is falsified (nslookup reports no domain exists) and they falsified the text domain, which is a school (Abraham Lincoln.edu) in Colombia, South America. The HTML message itself purported to be from an online Canadian pharmacy, but links embedded in the message indicate that the message came from China, and the links likely would invite a virus or worm attack if used.
-------------
Return-path: <farwest@runbox.com>
Received: from [10.9.9.162] (helo=pepper.runbox.com)
by takara.runbox.com with esmtp (Exim 4.69)
id 1NYexE-00076p-MH
for 'm_hench (@) runbox. com'; Sat, 23 Jan 2010 13:19:04 +0100
Received: from exim by pepper.runbox.com with spamfilter (Exim 4.50)
id 1NYex6-00021U-ID
for 'm_hench (@) runbox. com'; Sat, 23 Jan 2010 13:19:02 +0100
X-Spam-Status: No, score=-88.9 required=4.0 tests=HTML_IMAGE_ONLY_20,
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on bars.runbox.com
X-Spam-Level:
X-Spam-Status: No, score=-88.9 required=4.0 tests=HTML_IMAGE_ONLY_20,
HTML_MESSAGE,HTML_SHORT_LINK_IMG_3,MIME_HTML_ONLY,MISSING_DATE,MISSING_MID,
RDNS_NONE,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,USER_IN_WHITELIST
autolearn=disabled version=3.2.5
Received: from [109.96.220.219] (helo=abrahamlincoln.edu.co)
by pepper.runbox.com with smtp (Exim 4.50)
id 1NYex1-0001oD-N0
for 'farwest @ runbox. com'; Sat, 23 Jan 2010 13:18:52 +0100
To: <farwest@runbox.com>
Subject: ALM Works
From: Jean Haas <farwest@runbox.com>
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <E1NYex6-00021U-ID@pepper.runbox.com>
Date: Sat, 23 Jan 2010 13:18:59 +0100
----------------------------

I understand that filter comparison of 'from' and 'Received from' fields, and filtering on that basis, will only affect inbound messages, and won't solve the other problem of ISPs blocking Runbox because of massive amounts of mail with spoofed Runbox sender addresses. Isn't the Open Relay Data Base somehow involved with policing or blocking this? Perhaps that's part of the ASTA issue still to be resolved.

Lastly, I've noticed that login time on this forum expires very quickly. I've had to log back in twice while writing this post. Why?

Sorry if my email protocol ignorance shows. Your comments appreciated.


Moderator: Fixed "live" email address to avoid spambots.

Last edited by Sherry : 24 Jan 2010 at 05:23 PM.
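The 'From' versus 'Received' comparison proposed in the post above, worked through as an added example; this is not the poster's code and not Runbox's filter. It walks the Received: lines newest-first, stops at the first hop that one of our own servers accepted from outside our network, and ignores everything below that line, since those lines were written by outsiders and, as the post notes, can be forged. It judges "inside our network" by the connecting address our server recorded rather than by the HELO name, because the HELO name is supplied by the client. `OWN_DOMAIN` and the `OWN_NETWORKS` range are assumptions (10.0.0.0/8 is taken from the internal hop 10.9.9.162 in the quoted header); the first sample is the header quoted in the post with the moderator-edited `for` clauses left out, and the other two samples are constructed.

```python
"""From-vs-Received check: flag mail whose From: claims our own domain but
which one of our servers accepted from a host outside our network.
Added example, not Runbox's filter; the domain and network list are assumed."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

OWN_DOMAIN = "runbox.com"                            # domain whose servers write the trusted Received: lines (assumed)
OWN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed address range of our own relays (sample hop is 10.9.9.162)

# "from <host> (<comment>) by <host>" as Exim writes it; the comment carries helo=<name>.
RECEIVED_RE = re.compile(r"from\s+(?P<host>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
HELO_RE = re.compile(r"helo=(?P<helo>[^\s;)]+)", re.I)
IP_RE = re.compile(r"\[(?P<ip>[0-9.]+)\]")


def parse_received(value):
    """Return {host, ip, helo, by} for one Received: line, or None if it is not in Exim form."""
    m = RECEIVED_RE.search(" ".join(value.split()))   # unfold continuation lines first
    if not m:
        return None
    helo = HELO_RE.search(m.group("comment") or "")
    ip = IP_RE.search(m.group("host"))
    return {"host": m.group("host"), "ip": ip.group("ip") if ip else None,
            "helo": helo.group("helo").lower() if helo else None, "by": m.group("by").lower()}


def is_our_host(name):
    return name == OWN_DOMAIN or name.endswith("." + OWN_DOMAIN)


def hop_is_internal(hop):
    """Decide by the recorded source address, not the HELO name: HELO is chosen by the
    connecting client and can say anything, the address was observed by our own server."""
    if hop["ip"] is not None:
        return any(ipaddress.ip_address(hop["ip"]) in net for net in OWN_NETWORKS)
    return "." not in hop["host"]   # no address at all: a local handoff such as "from exim by pepper..."


def entry_hop(msg):
    """Walk Received: lines newest-first and return the first hop that one of our
    servers accepted from outside our network. Lines below it were written by
    outsiders and may be forged, so they are never consulted."""
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if hop and is_our_host(hop["by"]) and not hop_is_internal(hop):
            return hop
    return None   # every hop was internal: mail submitted through our own servers


def check_sender(raw_message):
    """Suspicious when From: claims OWN_DOMAIN yet the message entered from outside."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hop = entry_hop(msg)
    result = {"from_domain": from_domain, "entry_ip": hop["ip"] if hop else None,
              "entry_helo": hop["helo"] if hop else None, "suspicious": False, "reason": "ok"}
    if from_domain == OWN_DOMAIN and hop is not None:
        result["suspicious"] = True
        result["reason"] = "From: claims %s but the message entered from %s (helo=%s)" % (
            OWN_DOMAIN, hop["ip"] or hop["host"], hop["helo"])
    return result


# The header quoted in the post, with the moderator-edited "for" clauses left out.
SAMPLE_SPOOFED = """\
Return-path: <farwest@runbox.com>
Received: from [10.9.9.162] (helo=pepper.runbox.com)
    by takara.runbox.com with esmtp (Exim 4.69)
    id 1NYexE-00076p-MH; Sat, 23 Jan 2010 13:19:04 +0100
Received: from exim by pepper.runbox.com with spamfilter (Exim 4.50)
    id 1NYex6-00021U-ID; Sat, 23 Jan 2010 13:19:02 +0100
Received: from [109.96.220.219] (helo=abrahamlincoln.edu.co)
    by pepper.runbox.com with smtp (Exim 4.50)
    id 1NYex1-0001oD-N0; Sat, 23 Jan 2010 13:18:52 +0100
To: <farwest@runbox.com>
Subject: ALM Works
From: Jean Haas <farwest@runbox.com>

"""

# Constructed: a message one of our own users submitted through an internal host.
SAMPLE_LEGIT = """\
Received: from [10.9.9.40] (helo=webmail.runbox.com)
    by pepper.runbox.com with esmtp (Exim 4.50); Sat, 23 Jan 2010 14:00:00 +0100
From: Someone <someone@runbox.com>
To: <farwest@runbox.com>
Subject: constructed internal submission

"""

# Constructed: ordinary inbound mail from another domain; outside entry is expected here.
SAMPLE_EXTERNAL = """\
Received: from [192.0.2.10] (helo=mx.example.org)
    by pepper.runbox.com with esmtp (Exim 4.50); Sat, 23 Jan 2010 14:05:00 +0100
From: Bob <bob@example.org>
To: <farwest@runbox.com>
Subject: constructed external message

"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SAMPLE_SPOOFED), ("legit", SAMPLE_LEGIT), ("external", SAMPLE_EXTERNAL)):
        print(name, check_sender(raw))
```

The check only flags mail that claims our own domain; mail from other domains is left to the usual filters, and a message that never passed through one of our servers yields no entry hop, which cannot happen for mail the filter actually sees on our own server. Because the decision rests on the address our server recorded, a spammer's choice of HELO name does not change the result.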