That's what I am trying to figure out. I have never whitelisted our domain or any individual account. So if it is whitelisting now I have a problem somewhere.
Kyle -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Friday, May 26, 2006 12:42 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Spam says it was whitelisted Well, there you go: Skipping4 E-mail from [EMAIL PROTECTED] ; whitelisted [EMAIL PROTECTED] ]. It appears that you are whitelisting your own domain or username as a sender! This particular spam was spoofing your own address. Whitelisting based on the MAILFROM addresses is a bad idea, as you've just seen. It's too easily and frequently abused. Andrew 8) > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Kyle Fisher > Sent: Friday, May 26, 2006 10:31 AM > To: Declude.JunkMail@declude.com > Subject: RE: [Declude.JunkMail] Spam says it was whitelisted > > Here is the Declude log > > 05/26/2006 00:16:57.630 q8f41090e0000cd10.smd BADHEADERS:5 > INV-URIBL:15 . > Total weight = 20. > 05/26/2006 00:16:57.630 q8f41090e0000cd10.smd Tests failed > [weight=20]: > BADHEADERS=IGNORE[5] IPNOTINMX=IGNORE[0] > NOLEGITCONTENT=IGNORE[0] INV-URIBL=IGNORE[15] > WEIGHT10=IGNORE[10] WEIGHT20=IGNORE[20] CATCHALLMAILS=IGNORE[0] > 05/26/2006 00:16:57.630 q8f41090e0000cd10.smd R1 Message OK > 05/26/2006 00:16:57.630 q8f41090e0000cd10.smd Subject: We > cure any desease! > 05/26/2006 00:16:57.630 q8f41090e0000cd10.smd From: > [EMAIL PROTECTED] To: > IP: 68.250.139.149 ID: M3Q3-r2OV5CP-oX > > 05/26/2006 00:16:57.630 q8f41090e0000cd10.smd Action(s) taken > for [copyall_account] = IGNORE [LAST ACTION=IGNORE] > 05/26/2006 00:16:57.630 q8f41090e0000cd10.smd Skipping4 E-mail from > [EMAIL PROTECTED] ; whitelisted [EMAIL PROTECTED] ]. > 05/26/2006 00:16:57.630 q8f41090e0000cd10.smd Tests failed [weight=0]: > CATCHALLMAILS=IGNORE[0] > 05/26/2006 00:16:57.630 q8f41090e0000cd10.smd L2 Message OK > 05/26/2006 00:16:57.630 q8f41090e0000cd10.smd Subject: We > cure any desease! > 05/26/2006 00:16:57.630 q8f41090e0000cd10.smd From: > [EMAIL PROTECTED] To: > [EMAIL PROTECTED] IP: 68.250.139.149 ID: M3Q3-r2OV5CP-oX > > 05/26/2006 00:16:57.630 q8f41090e0000cd10.smd Action(s) taken > for [EMAIL PROTECTED] = WHITELISTED [LAST ACTION=WHITELISTED] > 05/26/2006 00:16:57.630 q8f41090e0000cd10.smd Cumulative > action(s) taken on this email = IGNORE [LAST ACTION=IGNORE] > > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > Colbeck, Andrew > Sent: Friday, May 26, 2006 11:28 AM > To: Declude.JunkMail@declude.com > Subject: RE: [Declude.JunkMail] Spam says it was whitelisted > > And what does the Declude log show if you do a: > > > Find /I "8f41090e0000cd10" dec0526.log > > > Andrew 8) > > > > > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of Kyle Fisher > > Sent: Friday, May 26, 2006 9:07 AM > > To: Declude.JunkMail@declude.com > > Subject: RE: [Declude.JunkMail] Spam says it was whitelisted > > > > Here is one I received. I not seeing the AUTH in the log > so I don't > > think they used my account. > > > > > > 05:26 00:16 SMTPD(8f41090e0000cd10) [208.191.89.12] connect > > 68.250.139.149 port 1835 > > 05:26 00:16 SMTPD(8f41090e0000cd10) [68.250.139.149] EHLO > > 68-250-139-149.ded.ameritech.net > > 05:26 00:16 SMTPD(8f41090e0000cd10) [68.250.139.149] MAIL > > FROM:<[EMAIL PROTECTED]> > > 05:26 00:16 SMTPD(8f41090e0000cd10) [68.250.139.149] RCPT > > TO:<[EMAIL PROTECTED]> > > 05:26 00:16 SMTPD(8f41090e0000cd10) [68.250.139.149] DATA > > > > 05:26 00:16 SMTPD(8f41090e0000cd10) [68.250.139.149] > > D:\IMail\spool\D8f41090e0000cd10.SMD 8585 > > > > 05:26 00:16 SMTPD(8f41090e0000cd10) performing antispam checks > > > > 05:26 00:16 SMTP-(8f41090e0000cd10) processing > > D:\IMail\spool\q8f41090e0000cd10.smd > > > > 05:26 00:16 SMTP-(8f41090e0000cd10) ldeliver esc5.net > kfisher-main (1) > > [EMAIL PROTECTED] 9099 > > > > > > > > Received: from 68-250-139-149.ded.ameritech.net [68.250.139.149] by > > esc5.net with ESMTP > > (SMTPD-8.22) id AF4233E8; Fri, 26 May 2006 00:16:50 -0500 > > Return-path: <[EMAIL PROTECTED]> > > Envelope-to: [EMAIL PROTECTED] > > Delivery-date: Fri, 26 May 2006 00:16:34 -0600 > > Received: from [54.202.40.178] (helo=67403648) > > by 68-250-139-149.ded.ameritech.net with smtp (Exim 4.60 > > (FreeBSD)) > > (envelope-from <[EMAIL PROTECTED]>) > > id M3Q3-r2OV5CP-oX > > for [EMAIL PROTECTED]; Fri, 26 May 2006 00:16:34 -0600 > > Received: from muzieknummeriek.nl (27477441257 [8355651465]) > > by 82.165.167.174 (Qmailv1) with ESMTP id 1I6HR1W6 > > for <[EMAIL PROTECTED]>; Fri, 26 May 2006 00:16:19 -0600 > > Date: Fri, 26 May 2006 00:16:19 -0600 > > From: "Jay T Malloy" <[EMAIL PROTECTED]> > > X-Mailer: The Bat! (v2.00.4) Personal > > X-Priority: 3 > > Message-ID: <[EMAIL PROTECTED]> > > Subject: We cure any desease! > > MIME-Version: 1.0 > > Content-Type: multipart/alternative; > > boundary="----------SIC3WNR0DUSQYT6" > > X-Declude-Sender: [EMAIL PROTECTED] [68.250.139.149] > > X-Declude-Spoolname: D8f41090e0000cd10.smd > > X-Note: This E-mail was scanned by Region 5 ESC using > Declude JunkMail > > for spam. > > X-Country-Chain: UNITED STATES->destination > > X-Note: Total spam weight of this E-mail is 0 > > X-Note: Spam tests: Whitelisted > > X-Note: Reverse DNS: 68-250-139-149.ded.ameritech.net > > ([68.250.139.149]) > > X-Note: HELO/EHLO Received: 68-250-139-149.ded.ameritech.net > > X-Note: Header code: 8400000a > > X-Note: Queue name: D8f41090e0000cd10.smd > > X-RCPT-TO: <[EMAIL PROTECTED]> > > Status: U > > X-UIDL: 448590122 > > X-IMail-ThreadID: 8f41090e0000cd10 > > > > > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of Darrell > > ([EMAIL PROTECTED]) > > Sent: Friday, May 26, 2006 8:59 AM > > To: Declude.JunkMail@declude.com > > Subject: Re: [Declude.JunkMail] Spam says it was whitelisted > > > > Kyle, > > > > What do the logs say? WHITELIST AUTH? Whitelisted due to a users > > address book? Only the logs will say for sure. > > > > Darrell > > ------------------------------------------- > > Quickly and easily review false positives with fpReview. > > http://www.invariantsystems.com > > > > Kyle Fisher writes: > > > > > I am checking over this header and trying to determine > how it could > > > have been whitelisted. One thing I don't understand is > > that I delete > > everything > > > from Vietnam. But if it shows its whitelisted I'm sure all other > > > tests stop. > > > > > > > > > > > > Thanks > > > > > > > > > > > > Kyle > > > > > > > > > > > > > > > > > > Received: from localhost [203.210.153.25] by esc5.net with ESMTP > > > > > > (SMTPD-8.22) id AB1435B4; Thu, 25 May 2006 20:34:12 -0500 > > > > > > Return-path: <[EMAIL PROTECTED]> > > > > > > Envelope-to: [EMAIL PROTECTED] > > > > > > Delivery-date: Fri, 26 May 2006 20:35:40 +0700 > > > > > > Received: from [112.61.205.8] (helo=23216878) > > > > > > by localhost with smtp (Exim 4.60 (FreeBSD)) > > > > > > (envelope-from <[EMAIL PROTECTED]>) > > > > > > id 8alMf-61wVc1-A2 > > > > > > for [EMAIL PROTECTED]; Fri, 26 May 2006 20:35:40 +0700 > > > > > > Received: from 888teleman.com (12611570 [238713367]) > > > > > > by 127.38.184.174 (Qmailv1) with ESMTP id BGSV3NCW > > > > > > for <[EMAIL PROTECTED]>; Fri, 26 May 2006 19:35:25 +0700 > > > > > > Date: Fri, 26 May 2006 19:35:25 +0700 > > > > > > From: "Marvin B. Vasquez" <[EMAIL PROTECTED]> > > > > > > X-Mailer: The Bat! (v2.00.4) Personal > > > > > > X-Priority: 3 > > > > > > Message-ID: <[EMAIL PROTECTED]> > > > > > > Subject: Full of health. > > > > > > MIME-Version: 1.0 > > > > > > Content-Type: multipart/alternative; > > > > > > boundary="----------FQW2ETB3DIRHR11GCT0" > > > > > > X-Declude-Sender: [EMAIL PROTECTED] [203.210.153.25] > > > > > > X-Declude-Spoolname: D5b130a170000b677.smd > > > > > > X-Note: This E-mail was scanned by Region 5 ESC using > > Declude JunkMail > > > for spam. > > > > > > X-Country-Chain: [IANA Reserved]->VIET NAM->destination > > > > > > X-Note: Total spam weight of this E-mail is 0 > > > > > > X-Note: Spam tests: Whitelisted > > > > > > X-Note: Reverse DNS: adsl.hnpt.com.vn ([203.210.153.25]) > > > > > > X-Note: HELO/EHLO Received: localhost > > > > > > X-Note: Header code: a400010b > > > > > > X-Note: Queue name: D5b130a170000b677.smd > > > > > > X-RCPT-TO: <[EMAIL PROTECTED]> > > > > > > Status: U > > > > > > X-UIDL: 448590113 > > > > > > X-IMail-ThreadID: 5b130a170000b677 > > > > > --- > > This E-mail came from the Declude.JunkMail mailing list. To > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type > > "unsubscribe Declude.JunkMail". The archives can be found at > > http://www.mail-archive.com. > > > > --- > > This E-mail came from the Declude.JunkMail mailing list. To > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type > > "unsubscribe Declude.JunkMail". The archives can be found at > > http://www.mail-archive.com. > > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be > found at http://www.mail-archive.com. > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be > found at http://www.mail-archive.com. > --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
