When your email has been processed by SpamPal, it will have additional header(s), which can provide very useful information about how SpamPal (or its plugins) processed your message.
1. Viewing SpamPal Headers
1.1 Normal SpamPal Headers: PASS
1.2 Normal SpamPal Headers: Blacklisted by a DNSBL
1.3 Normal SpamPal Headers:
1.4 Normal SpamPal Headers: Whitelisted
2. Normal SpamPal Plugin headers
3. Other Header information
3.1. Using Headers to treat spam that gets through
3.2. Fake Headers
3.3. Reporting Spam to SpamCop
3.4. Useful DNSBL/IP Checker links

In most cases, seeing the X-SpamPal header in your email means that SpamPal is correctly processing your emails. The other two possible reasons for the lack of this header are that you are using IMAP4 with the Add X-SpamPal: Header option disabled, or that you are filtering mails using SMTP when the apply standard SpamPal filters option isn't enabled.
To see the X-SpamPal: header, open in your mail program an email you've received since you started using SpamPal and bring up the Full Message Headers.
How to do this will differ between mail programs; however, the table below should give you a quick guide to how to do this. For more detailed information, take a look at SpamCop FAQ: Viewing the Full, Unmodified Email.

Select the message, click on File, click on Properties, click on Details tab
Select the message, right click, click on Options
Select the message, click on File, click on Properties, click on Internet tab
Select the message, press Ctrl-H
Select the message, click on View, click on RFC-822 headers
Open Message, click on File, click on Properties, click on Details tab
Open Message, click on View, click on Headers, click on All
Select the message, hit Alt+Enter to view headers
Select the message, select View, tick the View Header Option
Select the message, hit Ctrl-I
Select the message, hit the H key to toggle header view
Open Message, click on "Blah Blah Blah" button

The Full Message Headers are a bit like the address and postmark on a piece of postal mail; they give the source and destination of the email, the systems it passed through on the way, the date, the subject, and other bits and pieces.
They are usually placed at the top of the email message, separated from the body by a blank line.
The X-SpamPal: header should be one of the last message headers in the list.
The X-SpamPal: header has the following format:
X-SpamPal: SPAM <list code> <I.P. address>
The list code is a five-letter code identifying which DNSBL list caused this message to be tagged as spam. You can find which list has which code using the DNSBL lists pane of the Options dialog.
Next to it will be the I.P. address which was found in that DNSBL list; usually you will be able to find this I.P. address in one of the Received lines of the message header.

From: my_mate@youisp.co.uk
To: yourname@yourisp.co.uk
Subject: holiday
Date: Tue, 24 Jun 2003 13:30:40 +0100
X-SpamPal: PASS

This header indicates that the email wasn't marked as spam. If you think that the email really should have been marked as spam, then read this page on what to expect from SpamPal.

From: anyone@isp.com
To: yourname@yourisp.co.uk
Subject: free
Date: Tue, 24 Jun 2003 13:30:40 +0100
X-SpamPal: PASS TIME-OUT 29

When SpamPal looks up an IP number to see if it is blacklisted, it does this by sending a request to a service called a DNSBL. These services run on remote computers so sometimes they will time out, just like websites and email servers do. That could be because the server is especially busy at the time, or because your connection is sluggish at the time, or because the route from your PC to the remote server is especially long and tortuous.
The error message TIME-OUT 29 means that 29 DNSBL queries timed out, which may indicate the need to reduce the number of DNSBLs you are using.
Generally you only need three or four to get really good results with SpamPal. Try cutting back to, say, SpamCop, Easynet Blackholes and NJABL.
Also, make sure you are caching positive (Spam) results for, say, 3 days to ensure you are not making unnecessary queries on the DNSBLs.

X-Apparently-To: amadeup@yahoo.com via 216.136.173.71; Mon, 13 Oct 2003 18:17:41 -0700
X-YahooFilteredBulk: 207.178.207.210
Return-Path: <info@ebatts.com>
Received: from 207.178.207.210 (HELO TEST1) (207.178.207.210)
 by mta125.mail.sc5.yahoo.com with SMTP; Mon, 13 Oct 2003 18:17:41 -0700
From: "eBatts.com" <Info@eBatts.com>
To: <amadeup@yahoo.com>
Subject: eBatts.com Fall Savings
Mime-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Date: Mon, 13 Oct 2003 18:17:40
X-SpamPal: PASS YAHOO 216.136.173.71

This header looks like the email wasn't marked as spam. However, the PASS YAHOO means that you are using the old Yahoo Whitelister plugin. You should therefore remove this plugin, in order for the email to be correctly identified.

From: i_am_a@spammer.co.uk
To: yourname@yourisp.co.uk
Subject: **SPAM** FREE $ FOR YOU !!!
Date: Tue, 24 Jun 2003 13:30:40 +0100
X-SpamPal: SPAM CHI-KOR 211.115.216.226

This header indicates that the email was marked as spam, due to it being from a blacklisted country that has been enabled.

From: i_am_a@spammer.co.uk
To: yourname@yourisp.co.uk
Subject: **SPAM** FREE $ FOR YOU !!!
Date: Tue, 24 Jun 2003 13:30:40 +0100
X-SpamPal: SPAM SPCOP 216.74.167.134

This header indicates that the SPAMCOP DNSBL marked the email as spam on IP address 216.74.167.134

From: i_am_a@spammer.co.uk
To: yourname@yourisp.co.uk
Subject: **SPAM** FREE $ FOR YOU !!!
Date: Tue, 24 Jun 2003 13:30:40 +0100
X-SpamPal: SPAM NJABL 64.119.218.150

This header indicates that the NJABL DNSBL marked the email as spam on IP address 64.119.218.150

From: i_am_a@spammer.co.uk
To: yourname@yourisp.co.uk
Subject: **SPAM** FREE $ FOR YOU !!!
Date: Tue, 24 Jun 2003 13:30:40 +0100
X-SpamPal: SPAM IPWHOIS 64.119.218.150

This header indicates that the IPWHOIS (ipwhois.rfc-ignorant.org) DNSBL marked the email as spam on IP address 64.119.218.150

From: test_spam@aol.com
To: yourname@yourisp.co.uk
Subject: **SPAM** FREE $ FOR YOU !!!
Date: Tue, 24 Jun 2003 13:30:40 +0100
X-SpamPal: SPAM BLIST EMAIL
X-Blist-Pattern: test_spam@aol.com

This header indicates that the email was blacklisted, using the address test_spam@aol.com

From: test_spam@aol.com
To: yourname@yourisp.co.uk
Subject: **SPAM** FREE $ FOR YOU !!!
Date: Tue, 24 Jun 2003 13:30:40 +0100
X-SpamPal: SPAM BLIST 200.149.176.3
X-Blist-Pattern: 200.149.176.0 - 200.149.176.255

This header indicates that the email was blacklisted (using IP Address 200.149.176.3) as it was in the blacklisted IP range 200.149.176.0 - 200.149.176.255

From: my_mate@aol.com
To: yourname@yourisp.co.uk
Subject: holiday again
Date: Tue, 24 Jun 2003 13:30:40 +0100
X-SpamPal: PASS WLIST EMAIL
X-Wlist-Pattern: my_mate@aol.com

This header indicates that the email was whitelisted, using the address my_mate@aol.com

From: my_mate@aol.com
To: yourname@yourisp.co.uk
Subject: holidays
Date: Tue, 24 Jun 2003 13:31:40 +0100
X-SpamPal: PASS A_WLIST EMAIL
X-Wlist-Pattern: my_mate@aol.com

This header indicates that the email was auto-whitelisted, using the address my_mate@aol.com

These examples show the effect various SpamPal plugins have on email headers:

From: i_am_a@spammer.co.uk
To: yourname@yourisp.co.uk
Subject: **SPAM** FREE $ FOR YOU !!!
Date: Tue, 24 Jun 2003 13:30:40 +0100
X-SpamPal: SPAM REGEX ID#177202125-01

This header indicates that the RegEx plugin has marked an email as spam. In order to find out which RegEx rule matched, look up the ID# in the RegEx log file. (See this FAQ entry for more details)

From: i_am_a@spammer.co.uk
To: yourname@yourisp.co.uk
Subject: **SPAM** FREE $ FOR YOU !!!
Date: Tue, 24 Jun 2003 13:30:40 +0100
X-SpamPal: SPAM BAYESIAN_PLUGIN BODY

This header indicates that the Bayesian plugin has marked an email as spam.

From: i_am_a@spammer.co.uk
To: yourname@yourisp.co.uk
Subject: **SPAM** FREE $ FOR YOU !!!
Date: Tue, 24 Jun 2003 13:30:40 +0100
X-SpamPal: SPAM HTMLM webbug(s) BODY

This header indicates that the HTMLModify plugin has marked an email as spam.

From: i_am_a@spammer.co.uk
To: yourname@yourisp.co.uk
Subject: **SPAM** FREE $ FOR YOU !!!
Date: Tue, 24 Jun 2003 13:30:40 +0100
X-SpamPal: SPAM UCSPCOP 69.24.239.34

This header indicates that the UnCached plugin has marked an email as spam.

From: i_am_a@spammer.co.uk
To: yourname@yourisp.co.uk
Subject: **SPAM** FREE $ FOR YOU !!!
Date: Tue, 24 Jun 2003 13:30:40 +0100
X-SpamPal: SPAM OSIRU 202.54.195.203 BODY

This header indicates that the URLBody plugin has marked an email as spam, using the OSIRU DNSBL on IP address 202.54.195.203

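The header variants shown in the examples above (PASS, TIME-OUT, DNSBL codes, BLIST/WLIST with their pattern headers, plugin codes) can be decoded mechanically. The following Python parser is an added example, not part of SpamPal or its manual; the function name parse_spampal, the dictionary keys and the reading of a trailing BODY token as a flag are assumptions made for illustration.

```python
import ipaddress
from email import message_from_string

def parse_spampal(raw_headers):
    """Decode the X-SpamPal header of one message; None if it is absent."""
    msg = message_from_string(raw_headers)
    values = msg.get_all("X-SpamPal")
    if not values or not values[-1].split():
        return None                      # not tagged by SpamPal
    # SpamPal's header should be one of the last in the list, so read the
    # last occurrence if the message carries more than one.
    tokens = values[-1].split()
    info = {"verdict": tokens[0], "code": None, "ip": None, "detail": None,
            "timeouts": 0, "body": False}
    rest = tokens[1:]
    if rest and rest[-1] == "BODY":      # assumption: trailing BODY is a flag
        info["body"], rest = True, rest[:-1]
    if rest:
        info["code"], rest = rest[0], rest[1:]
    for tok in rest:
        if info["code"] == "TIME-OUT" and tok.isdigit():
            info["timeouts"] = int(tok)  # number of DNSBL queries that timed out
            continue
        try:
            info["ip"] = str(ipaddress.ip_address(tok))
        except ValueError:
            info["detail"] = tok         # e.g. EMAIL, ID#..., webbug(s)
    # Blacklist/whitelist matches carry the matched pattern in a second header.
    info["pattern"] = msg.get("X-Blist-Pattern") or msg.get("X-Wlist-Pattern")
    return info

# Header values copied from the examples on this page.
SAMPLES = {
    "dnsbl": "Subject: **SPAM** FREE\nX-SpamPal: SPAM SPCOP 216.74.167.134\n",
    "timeout": "Subject: free\nX-SpamPal: PASS TIME-OUT 29\n",
    "range": ("X-SpamPal: SPAM BLIST 200.149.176.3\n"
              "X-Blist-Pattern: 200.149.176.0 - 200.149.176.255\n"),
    "urlbody": "X-SpamPal: SPAM OSIRU 202.54.195.203 BODY\n",
    "regex": "X-SpamPal: SPAM REGEX ID#177202125-01\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, parse_spampal(raw))
```
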
This section shows other header information which may be useful:
The whitelist function only looks for email addresses in certain headers of your email.
These headers are currently: From:, Reply-To:, Sender:, Mailing-List: and Return-Path:

Obviously SpamPal won't get 100% of all your spam, so perhaps reading this page on what to expect from SpamPal will be a good place to look at first.
When you have an email which is clearly spam to you but has slipped through SpamPal, you can use the following procedure to see if there are other DNSBLs which would have caught this spam.
Get the full mail headers from your mail. How you do that varies from email program to email program, but see this section for more detail about viewing full mail headers.
The full mail headers means you need to be able to view the Received: from lines, e.g.
Return-Path: <Pamela5J@hotmail.com>
Received: from sender244 (clarksville-24-159-56-139.midtn.chartertn.net [24.159.56.139])
 by xxx.xxxxx.co.uk (8.11.6/8.11.6) with ESMTP id h6888HN06418
 for <xxxxx@xxxxx.co.uk>; Tue, 8 Jul 2003 09:08:18 +0100
Message-Id: <200307080808.h6888HN06418@xxxxx.xx.xx>
Now, go to http://openrbl.org/ and do a lookup on the IP address (24.159.56.139).
Wait for your address to be processed and look out for the following line:
Results: Positive=9, Negative=23
If you look for the DNSBLs in Red you could add one of those to SpamPal's current list of DNSBLs in order to try to improve performance of the DNSBL checks.
If none are Positive then adding more DNSBLs to the list in SpamPal... isn't likely to have caught the spam as it wasn't listed in the major DNSBLs at the time you checked your mail.
You can further investigate an IP number by going to this section of the manual.

A lot of spammers use false email addresses to send their emails (that's one reason why programs that bounce back messages are mainly a waste of time and bandwidth).
Here is an extract of the email headers from two emails that look like they both came from a Yahoo user:
The first example has been sent from Yahoo... the second example wasn't sent from Yahoo

From: a_user@yahoo.com
Received: from smtp014. (smtp014.mail.yahoo.com [xxxx])

From: a_user@yahoo.com
Received: from host192-24.pool50205. (unknown [xxxx])

Using SpamCop is quite easy.
Go to this url and sign up for a free reporting account by entering your email address into the Verify Email Address box. SpamCop will then send you a confirmation mail with an authorisation code and a link in it.
Once you have done that you will be able to use the reporting system to paste in the headers and message source, and SpamCop will analyse it and pick out the places to send reports to.
Only use it to report genuine spam, and don't abuse the service.

If you need to check which DNSBLs may help in marking an email as spam, or you just want to investigate more about the IP address that is sending a message to you, the following links may help.
Example email:
Return-Path: <Pamelaxxxx5J@hotmail.com>
Received: from sender244 (clarksville-24-159-56-139.midtn.chartertn.net [24.159.56.139])
 by xxx.xxxxx.co.uk (8.11.6/8.11.6) with ESMTP id h6888HN06418
 for <xxxxx@xxxxx.co.uk>; Tue, 8 Jul 2003 09:08:18 +0100
Message-Id: <200307080808.h6888HN06418@xxxxx.xx.xx>
Here are a few useful IP checker/info sites (using the IP address, e.g. 24.159.56.139):
http://senderbase.com/search
http://www.dnsstuff.com/
http://openrbl.org/
http://moensted.dk/spam/
This site also looks at a lot of DNSBL (Public Blacklists) to see how they compare
Other information for tracing spam can be found here
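The manual checks described in sections 3.1, 3.2 and 3.4 (pull the IP address out of a Received: line, look it up in a DNSBL, compare the relay's name with the From: domain) can be scripted. This Python code is an added example, not part of SpamPal; it goes beyond the page by showing the DNS query a DNSBL lookup uses (reversed IPv4 octets plus the list's zone), and the function names, the placeholder zone dnsbl.example.org and the fake resolver are assumptions made so that it runs offline.

```python
import re
import socket

# Matches the "from HELO (rdns-name [ip])" form used in the page's example.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)\s*"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)")

def parse_received(value):
    """Return (helo, rdns, ip) from one Received: value, or None."""
    m = RECEIVED_RE.search(" ".join(value.split()))  # unfold wrapped lines
    return (m["helo"], m["rdns"], m["ip"]) if m else None

def dnsbl_query_name(ip, zone):
    """A DNSBL is queried by reversing the IPv4 octets and appending its zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def is_listed(ip, zone, resolve=socket.gethostbyname):
    """True if the zone answers with a 127.x.x.x address for this IP."""
    try:
        return resolve(dnsbl_query_name(ip, zone)).startswith("127.")
    except OSError:  # no such name (not listed), or the query timed out
        return False

def relay_matches_sender(from_addr, rdns):
    """Fake-header hint: is the relay's name inside the From: domain?"""
    domain = from_addr.rsplit("@", 1)[-1].strip("<> ").lower()
    host = rdns.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

# Received: value copied from the page's example.
SAMPLE_RECEIVED = """from sender244 (clarksville-24-159-56-139.midtn.chartertn.net
 [24.159.56.139])
 by xxx.xxxxx.co.uk (8.11.6/8.11.6) with ESMTP id h6888HN06418
 for <xxxxx@xxxxx.co.uk>; Tue, 8 Jul 2003 09:08:18 +0100"""
ZONE = "dnsbl.example.org"   # placeholder zone, not a real DNSBL

def fake_resolver(name):     # constructed stand-in so this runs offline
    if name == "139.56.159.24." + ZONE:
        return "127.0.0.2"
    raise socket.gaierror("name not found")

if __name__ == "__main__":
    helo, rdns, ip = parse_received(SAMPLE_RECEIVED)
    print(dnsbl_query_name(ip, ZONE), is_listed(ip, ZONE, fake_resolver))
    print(relay_matches_sender("Pamela5J@hotmail.com", rdns))
```

Only the Received: line written by your own mail server is reliable, since lines below it arrive with the message. A name mismatch is a hint rather than proof, because legitimate mail is often relayed through third-party hosts.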