Recurring Spammer

Hi folks.

I got this spammer in China that’s sending me stuff that SS isn’t picking up after asking it to analyze and save in the Blocklist. So I went in to see if I could specifically set something in the corpus.

Return-Path: <house@pints.com>
Delivered-To: house@electra.pints.com
Received: from localhost (localhost [127.0.0.1])
	by electra.pints.com (Postfix) with ESMTP id 87E161C054AB
	for <house@pints.com>; Fri,  8 Jan 2016 07:10:50 -0500 (EST)
X-Virus-Scanned: amavisd-new at pints.com
X-Amavis-Alert: BAD HEADER SECTION, MIME error: error: part did not end with
	expected boundary; ; error: unexpected end of parts before epilogue
X-Spam-Flag: NO
X-Spam-Score: 5.804
X-Spam-Level: *****
X-Spam-Status: No, score=5.804 tagged_above=2 required=19
	tests=[BAYES_05=-0.5, DRUGS_ERECTILE=1.994, DRUGS_ERECTILE_OBFU=1.109,
	HTML_MESSAGE=0.001, INVALID_DATE=1.096, RCVD_IN_RP_RNBL=1.31,
	RDNS_NONE=0.793, SPF_HELO_FAIL=0.001] autolearn=no
Received: from electra.pints.com ([127.0.0.1])
	by localhost (electra.pints.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id AF6iJXfslXOy for <house@pints.com>;
	Fri,  8 Jan 2016 07:10:50 -0500 (EST)
Received: from sex.com (unknown [197.49.3.91])
	by electra.pints.com (Postfix) with ESMTP id 471741C0549A
	for <house@pints.com>; Fri,  8 Jan 2016 07:10:47 -0500 (EST)
Received: by mx.sex.com (Postfix, from uid 2)
        id 513EF4AB41D; Fri, Jan  8 2016 11:55:17 +0000 (UTC)
To: house@pints.com
From: house@pints.com
Subject: Dyna : succcess story
MIME-Version: 1.0
Message-Id: <1452254117.513EF4AB41D@mx.sex.com>
Content-Type: multipart/alternative; boundary="3B4F067692B-360710452"
Date: Fri, Jan  8 2016 11:55:17 +0000 (UTC)

--3B4F067692B-360710452
Content-Type: text/plain; charset="iso-8859-1"

Help me pls

Diianna Back into the youth - only with Vigara Prrooffessioonaal

Here: http://www383.House.xn--e1afdb7bg4a.xn--p1ai/

BB

Antiochus, Mithridates, Tigranes, and others.
Shorty turned on him.
UNDERWRITER. One who insures.
Assent yourself, and gain the royal will.

I’ve tried using “Received contains” with the value “sex.com”, didn’t work.

I tried “Body contains” with the value “house.xn”, didn’t work.

It’s spoofed from that part forward, so I’m not sure why this isn’t working.

Any advice as to how I can fix this?

Cheers

Both of those should work. You should check SpamSieve’s log to see what it says about these messages. It may be that the blocklist isn’t being used. For example, perhaps a SpamSieve filter with higher priority is saying that the message is good (e.g. the sender is in your Contacts). Or perhaps your mail program is not sending the message to SpamSieve for analysis at all (see this page). My guess is the latter, because this message looks so spammy that it should have been caught automatically, without needing a custom blocklist rule.

Well, the sender is spoofed to being me.

Just checked the log, and there’s nothing in there that I can find. Why it’s not in the log, I don’t know. SpamSieve is the first rule in Mail.app.

I’ve kept another delivery. Not sure where to go with this.

Cheers

Please see the How do I make SpamSieve catch spams sent from my own address? page.

Mail only applies the rules to new messages that arrive unread in the inbox.

OK, this is what it says:

How can I tell whether I need to fix the setup?
The Open Log section of the manual explains how SpamSieve keeps a log of all the messages that it filtered and why it thought they were good or spam. For each incoming message that SpamSieve thought was not spam, there is a Predicted: Good entry in the log. If it says Reason: sender <address> in address book or Reason: sender <address> in Entourage address book, that means that SpamSieve thought the message was good because it was sent from an address that’s in your address book. If the address is one of your addresses, please follow the instructions below. (If there’s no Predicted entry for the message, please see the Why is SpamSieve not catching my spam? section for instructions on checking the setup in your mail program.)

Then I said:

Just checked the log, and there’s nothing in there that I can find. Why it’s not in the log, I don’t know. SpamSieve is the first rule in Mail.app.

There is nothing in the log. Anywhere. I’ve copied it into BBEdit and checked it. SpamSieve is not seeing it. Now you can tell me to go check pages that I haven’t needed in 8 years, but all of a sudden, someone is spoofing me for the first time? The log has nothing in it. In fact I now have two messages in my inbox that didn’t make the log whatsoever. Searched by subject. I’ve found 3 instances in the log where my own email address is being used, and every time it’s added to the Corpus.

“Exclude my addresses” has been chosen for well over 5 years. I have been marked as myself for 8 years.

Something is not working.

Another spam from the same sender, no entry in the SpamSieve Log.log at all.

Quoting the page that you quoted:

If there’s no Predicted entry for the message, please see the Why is SpamSieve not catching my spam? section for instructions on checking the setup in your mail program.

There are a variety of things to check besides whether the rule is at the top. For example, do the rule’s conditions say “Every Message”?

And there is a way to test that the rule is working.

Good. That means it should work once you figure out why Mail is not applying SpamSieve to the messages.

The condition was: “Sender is not in my previous recipients” for some reason.

Just reapplied the Rules and now they are gone. I don’t know why it changed that condition. But then again, Mail does that on the smallest of changes.

Thanks for your time. It seems fixed.

Cheers
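
Added example, not part of the thread and not SpamSieve's code: a Python check that runs the two "contains" conditions from the first post against a trimmed copy of the quoted message, and flags mail that claims to be from your own address but was handed to your server by an outside host. The function names, the case-insensitive matching and the defanged URL scheme are assumptions made for this sketch.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample: trimmed from the message quoted in the first post (URL scheme defanged).
RAW = """\
Received: from localhost (localhost [127.0.0.1])
\tby electra.pints.com (Postfix) with ESMTP id 87E161C054AB
\tfor <house@pints.com>; Fri,  8 Jan 2016 07:10:50 -0500 (EST)
Received: from sex.com (unknown [197.49.3.91])
\tby electra.pints.com (Postfix) with ESMTP id 471741C0549A
\tfor <house@pints.com>; Fri,  8 Jan 2016 07:10:47 -0500 (EST)
To: house@pints.com
From: house@pints.com
Subject: Dyna : succcess story

Here: hxxp://www383.House.xn--e1afdb7bg4a.xn--p1ai/
"""

HOP = re.compile(r"from (\S+) \((\S+) \[([0-9a-fA-F.:]+)\]\) by (\S+)")

def contains(haystack, needle):
    # Assumption: substring match ignoring case; the thread does not show the real matcher.
    return needle.lower() in haystack.lower()

def evaluate(raw, own_domain="pints.com"):
    msg = email.message_from_string(raw)
    # Unfold continuation lines so each Received header is one string.
    received = [" ".join(v.split()) for v in msg.get_all("Received", [])]
    body = msg.get_payload()
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    external = []
    for hop in received:
        m = HOP.match(hop)
        # Keep hops our own server recorded from a non-loopback peer.
        if m and m.group(4).endswith(own_domain) and m.group(3) not in ("127.0.0.1", "::1"):
            external.append({"helo": m.group(1), "rdns": m.group(2), "ip": m.group(3)})
    self_addressed = sender == rcpt and sender.endswith("@" + own_domain)
    return {
        "received_rule": any(contains(h, "sex.com") for h in received),
        "body_rule": contains(body, "house.xn"),
        "self_addressed": self_addressed,
        "external_hops": external,
        "spoof_suspect": self_addressed and bool(external),
    }

if __name__ == "__main__":
    print(evaluate(RAW))
```

Both conditions match this message, which fits how the thread ended: the rules were fine, and the messages were never handed to the filter.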