Spammers are spamming using "from" addresses as random people on their spam list. This is actually more common than the first method you list, because if it doesn't reach its intended recipient, it just goes to another user on their spam list as a bounce.

-----Original Message-----
From: John Schutz [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 05, 2002 10:26 AM
To: [EMAIL PROTECTED]
Subject: [SAtalk] Spamming through returned mail

One of my users has been getting these about once a day. What it looks like is happening is that since AOL doesn't immediately report back with a 550 user unknown, the spammer can fill in a return address of my user, so the bounce ends up in his mailbox.

The other option is that they're trying to spam this aol address, and for some reason chose this guy's address to forge from...this seems less likely than the first.

I'm using 2.31, and the spam scores 1.7 (1.3 with the AWL). I'm going to write a local rule for this particular one, but I'm wondering if anyone else has seen this kind of thing?

Here's the email, his username is munged:

> Received: from omr-d10.mx.aol.com (omr-d10.mx.aol.com [205.188.156.78])
>     by sol.csr.utexas.edu (8.11.6/8.11.0) with ESMTP id gA52dnd01482
>     for <[EMAIL PROTECTED]>; Mon, 4 Nov 2002 20:39:49 -0600 (CST)
> Received: from rly-xg01.mx.aol.com (rly-xg01.mail.aol.com [172.20.115.198]) by omr-d10.mx.aol.com (v86_r1.15) with ESMTP id RELAYIN8-1104213925; Mon, 04 Nov 2002 21:39:25 -0400
> Received: from localhost (localhost)
>     by rly-xg01.mx.aol.com (8.8.8/8.8.8/AOL-5.0.0)
>     with internal id VAA06470;
>     Mon, 4 Nov 2002 21:39:04 -0500 (EST)
> Date: Mon, 4 Nov 2002 21:39:04 -0500 (EST)
> From: Mail Delivery Subsystem <[EMAIL PROTECTED]>
> Message-Id: <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> MIME-Version: 1.0
> Content-Type: multipart/report; report-type=delivery-status;
>     boundary="VAA06470.1036463944/rly-xg01.mx.aol.com"
> Subject: Returned mail: User unknown
> Auto-Submitted: auto-generated (failure)
> X-Spam-Status: No, hits=1.3 required=8.5
>     tests=PORN_11,PORN_3,AWL
>     version=2.31
> X-Spam-Level: *
> X-UIDL: /?a!!/iX"!W?f"!o(b!!
>
> The original message was received at Mon, 4 Nov 2002 21:38:48 -0500 (EST)
> from osiris.phronesys.cl [200.72.130.66]
>
>
> *** ATTENTION ***
>
> Your e-mail is being returned to you because there was a problem with its
> delivery. The address which was undeliverable is listed in the section
> labeled: "----- The following addresses had permanent fatal errors -----".
>
> The reason your mail is being returned to you is listed in the section
> labeled: "----- Transcript of Session Follows -----".
>
> The line beginning with "<<<" describes the specific reason your e-mail could
> not be delivered. The next line contains a second error message which is a
> general translation for other e-mail servers.
>
> Please direct further questions regarding this message to your e-mail
> administrator.
>
> --AOL Postmaster
>
>
>
> ----- The following addresses had permanent fatal errors -----
> <[EMAIL PROTECTED]>
>
> ----- Transcript of session follows -----
> ... while talking to air-xg04.mail.aol.com.:
> >>> RCPT To:<[EMAIL PROTECTED]>
> <<< 550 MAILBOX NOT FOUND
> 550 <[EMAIL PROTECTED]>... User unknown
> Reporting-MTA: dns; rly-xg01.mx.aol.com
> Arrival-Date: Mon, 4 Nov 2002 21:38:48 -0500 (EST)
>
> Final-Recipient: RFC822; [EMAIL PROTECTED]
> Action: failed
> Status: 5.1.1
> Remote-MTA: DNS; air-xg04.mail.aol.com
> Diagnostic-Code: SMTP; 550 MAILBOX NOT FOUND
> Last-Attempt-Date: Mon, 4 Nov 2002 21:39:04 -0500 (EST)
> Received: from csr.utexas.edu (osiris.phronesys.cl [200.72.130.66]) by rly-xg01.mx.aol.com (v89.10) with ESMTP id MAILRELAYINXG16-1104213846; Mon, 04 Nov 2002 21:38:46 1900
> Reply-To: <[EMAIL PROTECTED]>
> Message-ID: <002a51a63e6e$8754b1c3$6ae52cc5@ntfnlr>
> From: <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Adults Only 2741sKPy9-660VFfl7-17
> Date: Mon, 04 Nov 2002 19:31:34 +0700
> MiME-Version: 1.0
> Content-Type: text/plain;
>     charset="iso-8859-1"
> Content-Transfer-Encoding: 8bit
> X-Priority: 3 (Normal)
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
> Importance: Normal
>
> Hey cutie how are you its Debbie your web cam girl I wanted to let you know where you can find me now I had to move my site.
> http://www.debbieshomepage.com
> Come see what I can do for you!!
> 6273WIsO2-494UPwO8811OUrw0-l25

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
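
A check for the kind of bounce discussed in this thread, as an added example that is not part of the original messages or of SpamAssassin: it pulls the returned message out of a multipart/report bounce and looks at which host actually handed it to the bouncing site, as in the `Received: from csr.utexas.edu (osiris.phronesys.cl [200.72.130.66])` line above. The outbound network range, the sample bounce and all names in it are constructed placeholders, and the regex assumes the `from HELO (rdns [ip])` header layout seen in the thread.

```python
import email, ipaddress, re
# Assumption: the networks our own outbound relays send from (placeholder range).
OUR_OUTBOUND = [ipaddress.ip_network("192.0.2.0/24")]
# "from HELO (rdns [ip])" as written by the MTA that accepted the original mail.
HOP = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9.]+)\]\)")

def returned_message(dsn):
    """Return the original message embedded in a multipart/report DSN, or None."""
    if dsn.get_content_type() != "multipart/report":
        return None
    for part in dsn.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
        if part.get_content_type() == "text/rfc822-headers":
            return email.message_from_string(part.get_payload())
    return None

def classify_bounce(raw):
    """'backscatter' if the bounced mail never came from our relays, else 'genuine'."""
    orig = returned_message(email.message_from_string(raw))
    if orig is None:
        return "not-a-dsn"
    hops = orig.get_all("Received") or []
    m = HOP.search(hops[-1]) if hops else None  # last header = earliest hop
    if not m:
        return "unknown"
    ip = ipaddress.ip_address(m.group(3))  # the connecting IP, not the claimed HELO
    return "genuine" if any(ip in n for n in OUR_OUTBOUND) else "backscatter"

# Constructed sample shaped like the bounce above; every name is a placeholder.
SAMPLE = """\
Subject: Returned mail: User unknown
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/delivery-status

Final-Recipient: RFC822; nobody@remote.example

--B1
Content-Type: message/rfc822

Received: from example.edu (host.example.net [203.0.113.66])
 by mx.remote.example with ESMTP; Mon, 04 Nov 2002 21:38:46 -0500
From: <user@example.edu>

body
--B1--
"""
```

The HELO name is ignored on purpose: in the thread's sample it claims the victim's own domain, while the bracketed address belongs to an unrelated host.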