Greetings,
I have a piece of SPAM with an obviously spoofed (obvious to me,
that is) from address ... but didn't get flagged as SPAM.
The message claims to originate from borland.com
borland.com has IP 63.175.76.152
The message actually originates from napfehfu 86.60.37.183
borland.com is listed in my whitelist.
My questions ...
(1) Shouldn't this message have been flagged as SPAM?
(2) Is the DomainKey-Signature also spoofed or fake?
(3) Which headers (types of from addresses) are compared to my whitelist?
Some of the significant header lines (I reversed the sequence)
> DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=south.disappoint;
d=borland.com;
>
b=GfpMxmdJQIBAeYlLWrgcDOJbZZJXiYVEpoeUbVUmwMrmrQbfMFvNqqczKSjQWxIoppVlOJSHMQiZhlik;
> From: "Abbey Delisa" <[EMAIL PROTECTED]>
> Received: from unknown (HELO napfehfu) (86.60.37.183)
> by rbl-mx.nac.net with SMTP; 1 May 2007 16:42:53 -0000
> Received: from 86.60.37.183 by mx2.oct.nac.net (envelope-from <[EMAIL
PROTECTED]>, uid 0) with qmail-scanner-1.25
> (clamdscan: 0.88.3/2095. f-prot: 4.6.6/3.16.14. spamassassin: 3.1.0.
> Clear:RC:0(86.60.37.183):.
Here are all of the headers ...
===============================
X-UIDL: 1178037793.M276441P78860.mx2.oct.nac.net
X-Mozilla-Status: 0000
X-Mozilla-Status2: 00000000
Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on spamd1.oct
X-Spam-Level:
X-Spam-PrefsFile: nac.net/mdiehl
X-Spam-Status: No, score=-77.8 required=4.7 tests=HTML_FONT_BIG=0.256,
HTML_MESSAGE=0.001,MIME_HTML_ONLY=0.001,RAZOR2_CF_RANGE_51_100=0.5,
RAZOR2_CF_RANGE_E4_51_100=1.5,RAZOR2_CF_RANGE_E8_51_100=1.5,
RAZOR2_CHECK=0.5,RCVD_IN_SORBS_DUL=1.988,TW_ZW=0.077,
URIBL_AB_SURBL=3.306,URIBL_BLACK=3,URIBL_JP_SURBL=3.36,
URIBL_OB_SURBL=2.617,URIBL_SC_SURBL=3.6,USER_IN_WHITELIST=-100
autolearn=disabled version=3.1.7
Received: (qmail 78558 invoked by uid 0); 1 May 2007 16:42:54 -0000
Received: from 86.60.37.183 by mx2.oct.nac.net (envelope-from <[EMAIL PROTECTED]>, uid 0) with qmail-scanner-1.25
(clamdscan: 0.88.3/2095. f-prot: 4.6.6/3.16.14. spamassassin: 3.1.0.
Clear:RC:0(86.60.37.183):.
Processed in 0.524071 secs); 01 May 2007 16:42:54 -0000
X-Qmail-Scanner-Mail-From: [EMAIL PROTECTED] via mx2.oct.nac.net
X-Qmail-Scanner-Rcpt-To: [EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED]
X-Qmail-Scanner: 1.25 (Clear:RC:0(86.60.37.183):. Processed in 0.524071 secs)
X-Qmail-Scanner-NAC-Block-Zips: 1
X-Qmail-Scanner-NAC-Redirect-This: 0
X-Qmail-Scanner-NAC-Redirect-To:
X-Qmail-Scanner-NAC-Scanners-Run: clamdscan_scanner fprot_scanner
Received: from unknown (HELO napfehfu) (86.60.37.183)
by rbl-mx.nac.net with SMTP; 1 May 2007 16:42:53 -0000
To: <[EMAIL PROTECTED]>
Date: Tue, 01 May 2007 09:42:45 -0800
From: "Abbey Delisa" <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=south.disappoint;
d=borland.com;
b=GfpMxmdJQIBAeYlLWrgcDOJbZZJXiYVEpoeUbVUmwMrmrQbfMFvNqqczKSjQWxIoppVlOJSHMQiZhlik;
User-Agent: Mozilla Thunderbird 1.5 (Windows/20060111)
X-Accept-Language: en-us, en
MIME-Version: 1.0
Subject: SPECIAL PHARMACY DISCOUNT, you pay & we ship, no question asked,
established by reputable Canadian Doctor qizwx
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
===============================
Thanks for any and all comments, help, or advice.
--
MGD
