A couple of things could have caused this. If you are using whitelist auth and they guess the password of the account. Also, the user could have their own email address in their address book which would cause it to be whitelisted as long as that option is enabled. Also, is it possible you may have the domain whitelisted somehow?
Darrell ------------------------------------------- Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. ----- Original Message ----- From: "Kim Premuda" <[EMAIL PROTECTED]> To: "Declude JunkMail Forum" <[email protected]> Sent: Saturday, January 29, 2005 6:25 PM Subject: [Declude.JunkMail] 'X-Declude-Sender:' Question > Our IMail server trapped a spam message that was whitelisted by Declude JunkMail. The header of the message is shown below: > > Received: from fastwave.net [210.221.79.126] by ns3.fastwave.net > (SMTPD32-8.05) id AB32D5301D8; Sat, 29 Jan 2005 > 10:51:30 -0800 > Message-ID: <[EMAIL PROTECTED]> > Return-Path: [EMAIL PROTECTED] > From: "Kevin John" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Subject: I got XP and Office Xp cheap. > Date: Sun, 30 Jan 2005 03:52:40 +0900 > X-Mailer: Version 1.32 > Content-Type: text/html; charset="ISO-8859-1" > MIME-Version: 1.0 > X-Priority: 1 > X-Declude-Sender: [EMAIL PROTECTED] [210.221.79.126] > X-Declude-Spoolname: Ddb320d5301d8d507.SMD > X-Note: -------------------------------------------------------------------- ------------ > X-Note: Scanned by Declude JunkMail, Version 1.82 > X-Spam-Tests-Failed: Whitelisted TOTAL [0] > X-Note: This E-mail was sent from [No Reverse DNS] ([210.221.79.126]). > X-Note: -------------------------------------------------------------------- ------------ > From: [EMAIL PROTECTED] > X-RCPT-TO: <[EMAIL PROTECTED]> > Status: R > X-UIDL: 397015868 > > > Note that the 'X-Declude-Sender:' line contains a valid e-mail address (altered for this list) on our IMail server, yet the originating IP address [210.221.79.126]is located in Korea. We are not whitelisting the [210.221.79.126] IP address. Is this an indication that our customer's e-mail account has been compromised and is being used to propagate spam into our network? Or, is there some other explanation? > > TIA > > > -- > Kim W. Premuda > FastWave Internet Services > San Diego, CA > > -- > --- > [This E-mail scanned for viruses by Declude Virus] > > --- > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
