Help with spam filtering
December 4, 2004 8:44 AM

SpamFilterFilter: Like you, I hate spam. I put together a system to deal with it by forwarding my e-mails through multiple accounts. It seemed to work, but somehow I'm getting other people's spam now. How is this possible, and how do I fix it?

Basically, all e-mail's forward through a gmail account or two, with filtering along the way. But for some reason, I'm getting mail addressed to other gmail accounts with similar addresses. Like if my final address is john@xxxxx.com, I get mail that seems to be directed to johr34@gmail.com and johns123@gmail.com. I don't get it. Help.
posted by drpynchon to Computers & Internet (10 answers total)
 
Can you please post the full headers of one of these messages? E-mail messages have two places to put the recipients' address--in the message headers (analogous to your address printed inside a snail-mail letter you receive) or in the envelope (which is equivalent to, well, the address on a snail-mail envelope). It could be that you are getting messages that have the To: header set to johr34@gmail.com, but the envelope is sent to one of your accounts. Spammers like doing this.

Can't you just get decent enough filtering on one account?
posted by grouse at 9:03 AM on December 4, 2004


The thing grouse is talking about above is what you probably already know as "Bcc". Just like you get mail sent to mailing lists even though your name isn't in the To: header, you can get spam even though your name isn't in the To: header.

The addresses listed in the To: and From: headers are informational; it's the dialogue between the sending mailserver and the receiving mailserver that really determines the recipients.

It's safe to assume, unless there's a big screwup and you're getting other people's legitimate mail too, that if it's ending up in your mailbox it's your spam, even though it might have been sent to other people too.
posted by mendel at 10:01 AM on December 4, 2004


Response by poster: I figured it was like a bcc thing, but I couldn't make sense of it in the header myself. Below is an example with my final destination address being ?????@ucla.edu, receiving forwarded mail from ?????1@gmail.com...

Return-Path: < ?????1+caf_?????=ucla.edu@gmail.com>
Received: from mail.ucla.edu (mail.ucla.edu [169.232.46.135])
by hyacinth (Cyrus v2.2.10) with LMTPA;
Sat, 04 Dec 2004 03:12:29 -0800
X-Sieve: CMU Sieve 2.2
Received: from smtp.ucla.edu (smtp.ucla.edu [169.232.48.137])
by mail.ucla.edu (8.13.1/8.13.1) with ESMTP id iB4BCTHr003364
for < ?????@ucla.edu>; Sat, 4 Dec 2004 03:12:29 -0800
Received: from rproxy.gmail.com (rproxy.gmail.com [64.233.170.201])
by smtp.ucla.edu (8.13.1/8.13.1) with ESMTP id iB4BCSb4005492
for < ?????@ucla.edu>; Sat, 4 Dec 2004 03:12:29 -0800
Received: by rproxy.gmail.com with SMTP id g11so14350rne
for < ?????@ucla.edu>; Sat, 04 Dec 2004 03:12:28 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=beta; d=gmail.com;
h=received:x-forwarded-to:x-gmail-received:delivered-to:return-path:received-spf:distribution:content-description:newsgroups:message-id:from:to:subject:date:mime-version:content-type;
b=aMJ43/vNvajbd3/EL6rD4QF8jjNu84HkJ0Z1rnvn1r/ZkXkR7F71Go2h06HB09/fT1L7prctgXeAfJI3UuVgu1+fsyaIHABqo2aoly9Wiy9kIGAaWaFMRHcuDXVf2yoXUFSsgnCaV+KbzbLm6uwGwBPiEx7YnsU7fGQmnAT6+Jo=
Received: by 10.38.22.35 with SMTP id 35mr1142229rnv;
Sat, 04 Dec 2004 03:12:28 -0800 (PST)
X-Forwarded-To: ?????@ucla.edu
X-Gmail-Received: b67bc92480917e295f9d0a28af4ce89c1096d195
Delivered-To: ?????1@gmail.com
Received: by 10.38.90.4 with SMTP id n4cs8483rnb;
Sat, 4 Dec 2004 03:12:27 -0800 (PST)
Received: by 10.54.42.5 with SMTP id p5mr271619wrp;
Sat, 04 Dec 2004 03:12:26 -0800 (PST)
Received: from 64.233.185.27 ([207.72.141.14])
by mx.gmail.com with SMTP id 35si189342wra;
Sat, 04 Dec 2004 03:12:26 -0800 (PST)
Received-SPF: neutral (gmail.com: 207.72.141.14 is neither permitted nor denied by domain of mfeg@earthlink.com)
Received: (qmail 9854 invoked by uid 6394); Sat, 04 Dec 2004 04:03:21 -0700
Distribution: World
Content-Description: pauper prevail sybarite eavesdropping cardiology shrike
Newsgroups: teletypesetting rabbit claremont atom buckley arsenide celebrate mesquite brave doctrine adsorption anastasia
Message-ID:
From: "Angelica Moser"
To: ?????13@gmail.com
Subject: ?????13 Get Vicodin here now
Date: Sat, 04 Dec 2004 17:03:21 +0600
MIME-Version: 1.0 (footstoolvitrify cyprus impregnate.7)
Content-Type: multipart/alternative;
boundary="--7669066707343426"
X-Probable-Spam: yes
X-Spam-Hits: 18.169
X-Spam-Score: ******************
X-Scanned-By: smtp.ucla.edu


----7669066707343426
Content-Type: text/html;
charset="iso-8576-6"
Content-Transfer-Encoding: quoted-printable

You need Vicodin? No need to wait any longer when you need vicodin!

Here is your opportunity to save on vicodin and other medications up to 80=
%.

It is not just about saving on vicodin. It is about boosting your health c=
lick here!.

posted by drpynchon at 10:18 AM on December 4, 2004


Gmail is putting the original envelope address in the "Delivered-To" header. It is to ?????1@gmail.com even though the To: is ?????13@gmail.com. Nothing mysterious here, just spammers trying to obfuscate.
posted by grouse at 10:34 AM on December 4, 2004


Addendum: one of the reasons spammers might try to do this is that they want to send one message to a bunch of people so as to be more efficient, but having a big list of these people in the message both wastes bandwidth/processing and probably tips off spam filters. This way, you have no way of knowing how many people received that particular message.
posted by grouse at 10:41 AM on December 4, 2004


Response by poster: Gotcha, thanks.
posted by drpynchon at 11:06 AM on December 4, 2004


Is there a good plain-English guide out there to how to read these e-mail headers? Because I'd love to try to figure out what's going on up there.
posted by Vidiot at 11:39 AM on December 4, 2004


Return-Path is where bounces should go.

Received lines are added by every mail server along the way, and identify the server, when it was received, and from where.

Headers beginning with X- are non-standard, and generally for local use.

DomainKey-Signature is part of an email authentication scheme called Yahoo DomainKeys, designed to allow recipients to verify the true sender.

Received-SPF is the status of the SPF (sender policy framework) check that gmail ran when it was received. SPF allows a domain administrator to say something like 'all email from foo.com comes from 10.5.3.14 and mail.monkeys.net'. SPF verifying recipients will then know that mail from foo.com is forged if it is not from one of those sources.

Oddly, the From and To lines displayed in the headers are NOT necessarily who the message is from, or to. During an SMTP session, the alleged sender and recipient are both specified prior to setting up the 'data' phase. This does not, however, generate the From and To headers. Those are specified by the data itself. As such, an SMTP session can look like this:

220 This server is waiting to receive your mail
EHLO spammy-server.com
250 HELO spammy-server.com OK
MAIL FROM: banana@spammy-server.com
250 Sender OK
RCPT TO: lemur@marmoset.com
250 Recipient OK
DATA
354 End data with <CR><LF>.<CR><LF>
From: MILF Hunter
To: Big Stud
Subject: SPAM SPAM SPAM SPAM SPAM
SPAM
.
250 OK
QUIT
221 GOODBYE

The result would be delivered to lemur@marmoset.com, but would show up as being to rod@twobytwelve.com. Since multiple RCPT TO lines can be used, spammers sometimes do that and end up with the message appearing to be to somebody other than the intended recipient, even though that is not the case.

posted by mosch at 11:58 AM on December 4, 2004
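One way to see the envelope/header split that grouse and mosch describe, using Python's standard email parser on a constructed header sample modelled on the one quoted above (this is an added example, not code from any poster; the addresses, host names and IPs are placeholders): it compares the envelope-derived Delivered-To / X-Forwarded-To values with the To: header and walks the Received: trace headers oldest-hop first.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: same shape as the thread's headers, placeholder values.
SAMPLE = """\
Return-Path: <forwarder+caf_=final=example.edu@gmail.example>
Received: from rproxy.gmail.example (rproxy.gmail.example [192.0.2.10])
 by smtp.example.edu (8.13.1/8.13.1) with ESMTP id iB4BCSb4005492
 for <final@example.edu>; Sat, 4 Dec 2004 03:12:29 -0800
X-Forwarded-To: final@example.edu
Delivered-To: forwarder@gmail.example
Received: from 198.51.100.7 ([203.0.113.5])
 by mx.gmail.example with SMTP id 35si189342wra;
 Sat, 04 Dec 2004 03:12:26 -0800 (PST)
From: "Angelica Moser" <someone@example.net>
To: someoneelse13@gmail.example
Subject: test

body
"""

# "from <host> ... by <host>" inside a Received: header, after unfolding.
RECV_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)


def envelope_vs_header(raw):
    """Compare who the mail system delivered to (Delivered-To / X-Forwarded-To,
    which come from the SMTP envelope) with the informational To: header."""
    msg = message_from_string(raw)
    envelope_fields = msg.get_all("Delivered-To", []) + msg.get_all("X-Forwarded-To", [])
    envelope = [addr for _, addr in getaddresses(envelope_fields)]
    header_to = [addr for _, addr in getaddresses(msg.get_all("To", []))]
    # No overlap means the To: header names someone the message never went to.
    return {"envelope": envelope, "header_to": header_to,
            "mismatch": not (set(envelope) & set(header_to))}


def received_chain(raw):
    """Return (from_host, by_host) hops, oldest first. Each server prepends its
    own Received: line, so the bottom-most header is the earliest hop."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECV_RE.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append((m.group(1), m.group(2)))
    return list(reversed(hops))
```

Only the hop that a server you trust recorded (here the last one, your own MX) is reliable; earlier Received: lines arrive inside the message and can be forged just like To:.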


"somehow I'm getting other people's spam now."

No you aren't. You're getting your very own spam with, of course, forged headers. Welcome to the world of Bcc:.
posted by majick at 4:14 PM on December 4, 2004


Hrmm. I'm getting the exact same Vicodin spam. Is that typical...or...is that a mefi thing? My addy is in my profile, altho with the usual AT and DOT...
posted by stray at 11:36 PM on December 4, 2004

