Hi there
My wife is getting a number of emails from what appears to be my son (the 'friendly name') but where the actual email address is not correct. The friendly name (my son's name) remains the same each time but the actual email address varies.
The emails just have a single-line hyperlink in them, so I'm a bit surprised they aren't blocked by SpamAssassin - have submitted some examples to SpamAssassin but no joy yet, albeit only did it last night and more came today.
Have also turned on DKIM and SPF...
Here's a sample:
Return-path: <irwincarroll@yahoo.com>
Envelope-to: wife@mydomain.co.uk
Delivery-date: Tue, 22 Jan 2013 15:11:54 +0000
Received: from sun ([127.0.0.1]:58145 helo=sun.solardns.com)
by sun.solardns.com with esmtp (Exim 4.80)
(envelope-from <irwincarroll@yahoo.com>)
id 1TxfVw-0000h4-TP
for wife@mydomain.co.uk; Tue, 22 Jan 2013 15:11:54 +0000
Received: from nm34-vm7.bullet.mail.bf1.yahoo.com ([72.30.239.79]
helo=nm34-vm7.bullet.mail.bf1.yahoo.com) by sun.solardns.com with ESMTP
(ASSP 1.9); 22 Jan 2013 15:11:49 +0000
Received: from [98.139.212.148] by nm34.bullet.mail.bf1.yahoo.com with NNFMP; 22 Jan 2013 15:11:43 -0000
Received: from [98.139.211.202] by tm5.bullet.mail.bf1.yahoo.com with NNFMP; 22 Jan 2013 15:11:43 -0000
Received: from [127.0.0.1] by smtp211.mail.bf1.yahoo.com with NNFMP; 22 Jan 2013 15:11:43 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1358867503; bh=9Gr7WJD0BJVKO7OzKnbQLSs7o64Qx5q87Lhx93PIvU4=; h=X-Yahoo-Newman-Id:Message-ID:X-Yahoo-Newman-Property:X-YMail-OSG:X-Yahoo-SMTP:Received:Date:Subject:To:From; b=ZozOQxTrh3XTom+b5JnyCtKYhSepxwZxJR++UQfM+o9GHo6/mUqVQZMcFHogdvDEyjnv+wF5SsbixM4ayTayF7fjDvHZfxjh0tVJGqsQPW6qjOTv0VJthJKJykOrca0eio/N1Op3NR/TCbawPkZ0n1GjP+OI/YN/uN8uZNDEAYk=
X-Yahoo-Newman-Id:
827411.90990.bm@smtp211.mail.bf1.yahoo.com
Message-ID: <827411.90990.bm@smtp211.mail.bf1.yahoo.com>
X-Yahoo-Newman-Property: ymail-5
X-YMail-OSG: dO.eP_sVM1m9efp8GVJU5u68K.1rWe2vz.2XdpVFLHV4E7x
eaPDOwwlwYHmMx7v590_gRnDvldgNjQ6s7BUL_rVPqzl6GZeEZ7mxGuNVwWE
kKQMTu66cJzqAJoBiYOdTNqO85cP6yrzJQExR5LPQyKqT4LirSGxIBdDht.t
ZySFb.T9P66olkQdIC2rjdd0Z8A0weIiv2HuUSCgDzV5oG4jGmcmAT3XdMnu
ogpNso.Swrm7cXmlQr_0yeRiJAGbcueeOE.3yUoEdMNzfSITtue1pZ6ipsuZ
d.aEgvq1EI_dhkuNrYR.GwqLhk6zpwsWsEB871_2AcDWrEGVf4p_U.KoY1Y2
6O_N8jYRix9cmYrfHiEN2IwWbIbO_NDTN_AY0zF_FHgBVGqoMkFqeLMgCU8x
MHGKu09.JL1VVxPnPLzepV__9IKtnFBvQU36ApBUCK5Xt0nYnrwN1VJ9LS5o
qxX2vu9gHuyzSiJtqUzlPIsdOrm2zMjNkoU9ZWa6rkKQI10VkvFnGe3rpNw.
yp5K55t90mWDZBFSdqSr_WKTCI7wCXAdA.dCwZS1jrAhSIkmkZZdOSKltXiD
nbqY-
X-Yahoo-SMTP: bNlakheswBAqDyG6Q2FghU3pboHm_3qYkg--
Received: from localhost (
irwincarroll@31.176.194.229 with login)
by smtp211.mail.bf1.yahoo.com with SMTP; 22 Jan 2013 07:11:43 -0800 PST
Date: Tue, 22 Jan 2013 06:30:41 -0700 (PDT)
Subject: look at this
To: "wife@mydomain.co.uk" <wife@mydomain.co.uk>
From: Son_firstname Son_lastname <irwincarroll@yahoo.com>
X-Assp-Delay: wife@mydomain.co.uk not delayed (spamlover); 22 Jan 2013
15:11:52 +0000
X-Assp-Score: 28 (Bayesian Probability: 0.9369)
X-Assp-Spam-Level: *****
X-Assp-Envelope-From:
irwincarroll@yahoo.com
X-Assp-Intended-For: wife@mydomain.co.uk
X-Assp-ID: sun.solardns.com (id-35886-66768)
X-Assp-Version: 1.9.1.8(1.1.02)
http://focalpointcp.com/employeecommandcraigjames/
The spam score seems quite high? (I don't know what the threshold is). I wondered if I had accidentally whitelisted my son's friendly name, but as I understand it there's no way you can see the whitelist - correct?
Also I think if it had been whitelisted it would show in the thread above....?
I guess I need to make a filter/rule of some sort? Just wondering because this must be a very common spoof.
I guess I'll need to say IF {son's_friendly_name in header} AND NOT {his email1 or email2 etc} then reject. Downside of this is that if he ever gets a new email address it'll be blocked...
Anyway, any thoughts appreciated - mostly because I'm surprised SpamAssassin doesn't reject it.
Thanks
Max
PS Just to be clear:
irwincarroll@yahoo.com is not my son's email!
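The rule sketched in the post (friendly name matches a known contact, address is not one of theirs), as an added example that is not part of the original post. The `PROTECTED` table, its placeholder addresses and the verdict strings are assumptions; the sample message is constructed from the To, From and Subject lines quoted above.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import getaddresses

# Assumed configuration: protected friendly name -> that person's real
# addresses (constructed placeholders, not taken from the post).
PROTECTED = {
    "son_firstname son_lastname": {"son@example.org", "son.work@example.net"},
}

# Constructed sample using header lines from the message quoted in the post.
SAMPLE = (
    'To: "wife@mydomain.co.uk" <wife@mydomain.co.uk>\n'
    "From: Son_firstname Son_lastname <irwincarroll@yahoo.com>\n"
    "Subject: look at this\n"
    "\n"
    "(body omitted)\n"
)

def _norm(name):
    """Decode RFC 2047 encoded words, strip quotes, collapse spaces, lowercase."""
    name = str(make_header(decode_header(name)))
    return re.sub(r"\s+", " ", name.strip().strip("\"'")).lower()

def check_from(raw_message):
    """Classify the From header of a raw message as a (verdict, detail) pair."""
    msg = message_from_string(raw_message)
    senders = getaddresses(msg.get_all("From", []))
    if not senders:
        return ("no-from", "")
    verdict = ("unprotected-name", senders[0][1].lower())
    for display, addr in senders:
        allowed = PROTECTED.get(_norm(display))
        if allowed is None:
            continue  # friendly name is not one we protect
        if addr.lower() not in allowed:
            # Tag or quarantine rather than reject, so a genuine new
            # address can be released and added to PROTECTED.
            return ("display-name-spoof", f"{display!r} used by {addr}")
        verdict = ("known-sender", addr.lower())
    return verdict

if __name__ == "__main__":
    print(check_from(SAMPLE))
```

The name is normalised before the lookup so that case changes, extra spaces or an RFC 2047 encoded form of the same friendly name still match the protected entry.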