EmailDiscussions.com  

Go Back   EmailDiscussions.com > Email Service Provider-specific Forums > Runbox Forum
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read
Stay in touch wirelessly

Runbox Forum Everything related to Runbox should go here: suggestions, comments, complaints, questions, technical issues, etc.

Reply
 
Thread Tools
Old 10 Nov 2008, 05:44 AM   #1
Geir
The "e" in e-mail
 
Join Date: Sep 2001
Location: Oslo, Norway
Posts: 2,936

Representative of:
Runbox.com
Lightbulb Spam from your own address

Many users have discovered spam appearing to have been sent from their own address. This does not mean that anyone is using your account without your consent -- it is simply a consequence of the way the email system was designed, which lets anyone send email "from" any address. It's comparable to putting a random return address on an envelope, as it is very difficult to verify who actually sent the email/letter.

This type of email falsification is perpetrated by spammers to make the sender address of spam to appear legitimate, and to avoid receiving the error messages that are generated by non-existent recipient addresses (spammers tend to send large amounts of messages to more or less random addresses).

Additionally, spammers exploit the fact that many email users have whitelisted their own address, which means that spam being sent "from" their own address will categorically be perceived as legitimate email by their spam filter, thus being delivered to their Inbox.

We therefore recommend that you do not include your own address in the whitelist (in the Filter section) or in the Contacts section (which is automatically whitelisted).

Please see our Anti-spam Info page for more information about spam and how to prevent it.

- Geir
Geir is offline   Reply With Quote

Old 24 Jan 2010, 06:37 AM   #2
nanook
Junior Member
 
Join Date: Jun 2004
Posts: 13
Spam from your own address

Geir -
Thanks for the generic info in your post, however, this information is inadequate for resolving the issue. I do understand that spoofing the sender address is a huge problem and that ISPs do not have full control over this until the Anti-Spam Technical Alliance finishes developing standards for sender authentication, and until ISPs are willing to adopt them, which result in loss of anonymity for users.

Among other problems, this situation of spoofing causes a legitimate sender address to end up in many other spam filters, some at an ISP level. I note that some ISPs are blocking Runbox domain entirely. I've only dealt with one ISP who did this directly and which resulted in 'blocked' message indications to me (and it turned out to be an error on their part with IP address range provisioning in their servers), but I've noticed that when I try to sign up on some forums, I will receive a message that the Runbox email domain is blocked. This leads me to believe that the domain is blocked by some ISPs. And in some cases when I send messages to friends, they simply never receive the messages - although this can be due to filtering at their email client as well as direct ISP filtering.

One of the actions that might help, if only with messages that Runbox users get which appear to come from themselves, is for some filtering script which compares the 'from' field with the 'Received from' field. If these fields do not agree, the message should be filtered. I understand that sophisticated spammers will often forge even the 'Received from' field to further cover their tracks, but at the least, lack of agreement in these two fields is something that can be noted or filtered.

As an example, see the following header of a message I received today. This spammer used my own return address (farwest). The IP address is falsified (nslookup reports no domain exists) and they falsified the text domain, which is a school (Abraham Lincoln.edu) in Colombia, South America. The HTML message itself purported to be from an online Canadian pharmacy, but links embedded in the message indicate that the message came from China, and the links likely would invite a virus or worm attack if used.
-------------
Return-path: <[email protected]>
Received: from [10.9.9.162] (helo=pepper.runbox.com)
by takara.runbox.com with esmtp (Exim 4.69)
id 1NYexE-00076p-MH
for 'm_hench (@) runbox. com'; Sat, 23 Jan 2010 13:19:04 +0100
Received: from exim by pepper.runbox.com with spamfilter (Exim 4.50)
id 1NYex6-00021U-ID
for 'm_hench (@) runbox. com'; Sat, 23 Jan 2010 13:19:02 +0100
X-Spam-Status: No, score=-88.9 required=4.0 tests=HTML_IMAGE_ONLY_20,
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on bars.runbox.com
X-Spam-Level:
X-Spam-Status: No, score=-88.9 required=4.0 tests=HTML_IMAGE_ONLY_20,
HTML_MESSAGE,HTML_SHORT_LINK_IMG_3,MIME_HTML_ONLY,MISSING_DATE,MISSING_MID,
RDNS_NONE,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,USER_IN_WHITELIST
autolearn=disabled version=3.2.5
Received: from [109.96.220.219] (helo=abrahamlincoln.edu.co)
by pepper.runbox.com with smtp (Exim 4.50)
id 1NYex1-0001oD-N0
for 'farwest @ runbox. com'; Sat, 23 Jan 2010 13:18:52 +0100
To: <[email protected]>
Subject: ALM Works
From: Jean Haas <[email protected]>
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <[email protected]>
Date: Sat, 23 Jan 2010 13:18:59 +0100
----------------------------

I understand that filter comparison of 'from' and 'Received from' fields, and filtering on that basis, will only affect inbound messages, and won't solve the other problem of ISPs blocking Runbox because of massive amounts of mail with spoofed Runbox sender addresses. Isn't the Open Relay Data Base somehow involved with policing or blocking this? Perhaps that's part of the ASTA issue still to be resolved.

Lastly, I've noticed that login time on this forum expires very quickly. I've had to log back in twice while writing this post. Why?

Sorry if my email protocol ignorance shows. Your comments appreciated.


Moderator: Fixed "live" email address to avoid spambots.

Last edited by Sherry : 24 Jan 2010 at 05:23 PM.
nanook is offline   Reply With Quote
Old 24 Jan 2010, 09:30 AM   #3
LinuxRoot
Junior Member
 
Join Date: Aug 2009
Posts: 20
Most of the spammers use services listed in most DNSBL. Using an email service that utilizes DNS Blacklisting prevents receiving a good amount of spam.
LinuxRoot is offline   Reply With Quote
Old 25 Jan 2010, 08:37 AM   #4
Liz
The "e" in e-mail
 
Join Date: Jul 2001
Location: Los Angeles,CA
Posts: 4,652

Representative of:
Runbox.com
Hi,

As an aside, do you realize you have yourself whitelisted, as Geir mentioned, and thus this message was not labeled spam, despite the otherwise stratospheric spam score..?

I.e. the USER_IN_WHITELIST header.

Please note that having an address listed in your runbox Contacts also whitelists them.

Liz
Liz is offline   Reply With Quote
Reply


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Forum Jump


All times are GMT +9. The time now is 09:23 PM.

 

Copyright EmailDiscussions.com 1998-2013. All Rights Reserved. Privacy Policy