For the past several week, I have been getting a lot of spam with .hotmail.com return addresses. I don't know how to configure SpamAssassin to stop it. I have many email addresses and domains blacklisted in SpamAssassin (for example, *@domain.com and *.*@domain.com), and that usually stops spam from domains I don't want to receive email from. But it doesn't stop THESE, even though I have blacklisted *@hotmail.com and *.*@hotmail.com! Obviously these emails are not really coming from hotmail.
Here are two examples of the raw headers from these spam emails (I changed the name of my domain to "mysite.com" for this posting). I included the full headers so that you guys can look them over and perhaps find some commonality that would enable me to configure SpamAssassin to stop this. I would really appreciate some suggestions. Please remember that I am a novice at this, so if you have suggestions, please give me detailed instructions. Thank you so much!!!
Example 1:
Example 2:
Here are two examples of the raw headers from these spam emails (I changed the name of my domain to "mysite.com" for this posting). I included the full headers so that you guys can look them over and perhaps find some commonality that would enable me to configure SpamAssassin to stop this. I would really appreciate some suggestions. Please remember that I am a novice at this, so if you have suggestions, please give me detailed instructions. Thank you so much!!!
Example 1:
Code:
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from brian.securedserverspace.com
by brian.securedserverspace.com with LMTP
id iNjmK2mTrV4rrSsAFzcLkA
(envelope-from <[email protected]>)
for <[email protected]>; Sat, 02 May 2020 10:36:09 -0500
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Sat, 02 May 2020 10:36:09 -0500
Received: from mail-oln040092253030.outbound.protection.outlook.com ([40.92.253.30]:37576 helo=APC01-SG2-obe.outbound.protection.outlook.com)
by brian.securedserverspace.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
(Exim 4.93)
(envelope-from <[email protected]>)
id 1jUuBU-00C3NC-JR
for [email protected]; Sat, 02 May 2020 10:36:09 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=gy3TAzKhVtDYPM091f+ImDb5QcVxACjoyN82WqlMYKdgjvXpF5asTQYMR9r5juZUKLjZpxZk6bcvNgjp12Npbu5/3+uVPGR/Yusj74+f8iIbaOcaObgwji3zrS8YcOvhjbI6AIOgPderp9+lql2RoAkBIq3RhQjRqlGRew4qwePdL1w57RECPpGjeCu24MGpCqlLsnwjyoE5v5+SADgvOwStZTUSk/Y4C0CSKqqe/uUM7pw+2DroV6evbXbpfA6Ig1Gbrzc3EbPs8yIV6UnvH0vleN8TNax07xwoO6xpuAVgHz0AWQfhM0NO/wVs8CVMQv0Qbp6JJNKDACTkWt8x4w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=qMhwqDi0A9Hu7+5Fs95Tq/Am06XOrQsZhDqq13gG0X4=;
b=JJiivwFj3WiWwvZD8+quAF4SWmosaYlj3dLAHOWlEhMwpNvufxkXJSnn76rRpl2BPHb7HpJWDXBVBZNe+3LHiqwQbC7/byo/QvClGMGkLsvSZKtIwoINulfRHhIqb8Z8CVJQO6zwFpPxBNg3vFvjI9DZqUCgi1nDZMrTAv+5SMftCJk2LiKXpoHfBYXyJbDnN9Z1k3ciQceE/BhYJXa0QfWI0Pf8v6Jc+9YuwZ90I4c+OqJ99Zf3Nc6Rn+44Kx94JkgkH060zfKMd75Uxj+1jb1LvBe5Z4Ny3NKHUZl/XAvSeuSf7CtuRVEjF6YAE+8Ma78Q279Uexeq+I70bsUa6Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none;
dkim=none; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hotmail.com;
s=selector1;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=qMhwqDi0A9Hu7+5Fs95Tq/Am06XOrQsZhDqq13gG0X4=;
b=F8A+EMIe+CdADkjVJsy/AKyupeMPi7Ntt5qCbUqsQflJaggkPxCmTSqIUtTXoMaGO6haJYubDwDuMfmuKaGIlDyOmvuRDeDS9+2bDZUC2SyFMwQYsJ8yH0Gu1H0Jxiz+g0kYwrm6VtSpAVzXBoMNewWGdjeAiziM4BFSByikgevXkMg7PnE4a1PMXBAQILGReyIkE4QS1V16SvfU2TIaqEiDdRQJmv0HlJkV6DlYUNbE+QC93WnvB1OLVWjmQYFxybhEhxLbF7DvdJGmQxWfQtTQ/Vyz9nZ/tGBD8IuPgJuvo8Hd5qXuUEF2cSWPL1TRz0vbOcb+zz9fLcsjqxSIGQ==
Received: from PU1APC01FT055.eop-APC01.prod.protection.outlook.com
(2a01:111:e400:7ebe::49) by
PU1APC01HT087.eop-APC01.prod.protection.outlook.com (2a01:111:e400:7ebe::376)
with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2958.19; Sat, 2 May
2020 15:34:00 +0000
Received: from HK0PR01MB2897.apcprd01.prod.exchangelabs.com
(2a01:111:e400:7ebe::47) by PU1APC01FT055.mail.protection.outlook.com
(2a01:111:e400:7ebe::362) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2958.19 via Frontend
Transport; Sat, 2 May 2020 15:34:00 +0000
Received: from HK0PR01MB2897.apcprd01.prod.exchangelabs.com
([fe80::4dae:72e3:41c3:f0ff]) by HK0PR01MB2897.apcprd01.prod.exchangelabs.com
([fe80::4dae:72e3:41c3:f0ff%6]) with mapi id 15.20.2937.037; Sat, 2 May 2020
15:33:59 +0000
From: Jasmine Dumbleton <[email protected]>
To: (a large bunch of email addresses here)
Subject: 8 Tiens W appelez-moi Eleanor
Thread-Topic: 8 Tiens W appelez-moi Eleanor
Thread-Index: AQHWIJcXSkh07NrdPUi1t2krrXYYXg==
Date: Sat, 2 May 2020 15:33:59 +0000
Message-ID:
<[email protected]od.exchangelabs.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-incomingtopheadermarker:
OriginalChecksum:73B6740F1FE9CC8CA94D1D24085E5E70B3321B7D2AAEBCADF750D02D26B62FE4;UpperCasedChecksum:CC83FDB515A534EDB8FB0F6ED99E5E5466787FC47F51D22B1C0850E97F243D59;SizeAsReceived:32605;Count:42
x-tmn: [5jR5TRqDXBow1iI4ATZnohGg0OJt7ElX]
x-ms-publictraffictype: Email
x-incomingheadercount: 42
x-eopattributedmessage: 0
x-ms-office365-filtering-correlation-id: d7f66242-b14a-4639-adce-08d7eeae3bfc
x-ms-exchange-slblob-mailprops:
dDsUU7XmuOOF6Ud+eNTYmUxNCTJ2VYogY/n4NJtAvvmdLRU0WnGUikHv61KxtKeLlPMT1abvPM23MNacVzWRsK25yfIz9nzOr6BQ3h6aYI1FE8Yzt70CY3Uuhj3w/Tkks22+vn4VlqoJzjiHWpWB6pVDdO1x21+/w5ZGgpynSnAv4+6drFuj75EYV2Wh+y4pWHGBKmeSsDYD8cV5P/58sVtC+jf+fA1PwnevyHu4uHNjXppW5ISdmG99jOxZCpmLD/DicXG06BoWpEnJE5ku3a088jbZZaDxCSNnD/7E7RYWiHAPxkALVklWkglYX+4TYicy4Xd1t9T4Qfeq5QIuJwYMxJ5/BdDEtZzASsT7FFNPmMQhsrWZPYU+fFkiMl8jfEXzfaPahYSJB1OS9E/r0g2/VMjZBn3aeevwC3kYs09S48PFKR5VaR+8BUgq6COMscE9wE2PmvnAUs9BGakR6q13rITLSf8anebghOmZ6DrQISPbsZJZC2/B1AlV6oPaEywoQkwApVr5yrlOtnX1IaRTU/NVu+QFoG6cod3Oz5c0GhGUbRw4yv2LAYeCcUpbMaXLvv/lKBytAGl9LVsPzUM2rSdLj6Dl3P7/hJ3Y3Og=
x-ms-traffictypediagnostic: PU1APC01HT087:
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info:
l7GjYFLOmvhsjNnc1ZSF4w5Rb2v8j44dIuenPot4VtZ98EfQlwxfJsBonIXylmbk5wTy+ed1wXXG4db3+YIHDxr8U4n6rCtv+uPf8VzpYl6kOV8aIKbDwMAA07gj4rEZ5KJChrv4yElOVy3ImrxAX5GAdofIyNlWJdcpM4CzN/GM+rfkmP6ZQKUtebcO16PPT7J5XOVxWT1W1h270AQIq6C5rhEDpRg5rBHKHSjD6DiHSlhDrcT/zDAUkui/atGg
x-forefront-antispam-report:
CIP:255.255.255.255;CTRY:;LANG:en;SCL:0;SRV:;IPV:NLI;SFV:NSPM;H:HK0PR01MB2897.apcprd01.prod.exchangelabs.com;PTR:;CAT:NONE;SFTY:;SFS:;DIR:OUT;SFP:1901;
x-ms-exchange-antispam-messagedata:
hKFtpHRSLvvFMIFZa2N/GchV1MQ62t8AVh0AGQYLQ+045jK6lVgMoD3UUOEIeaarTPZJYunSQ2aw5zzjd1WybuYStgyZLLtMSBtCXIOYlghD6+gVr7JwvjM49HWUHSd6zzmUoaiOGXmaoAN1Mw2jig==
x-ms-exchange-transport-forked: True
Content-Type: multipart/mixed;
boundary="_004_HK0PR01MB28970718F9E9F986E94B2C22F9A80HK0PR01MB2897apcp_"
MIME-Version: 1.0
X-OriginatorOrg: hotmail.com
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-CrossTenant-Network-Message-Id: d7f66242-b14a-4639-adce-08d7eeae3bfc
X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 May 2020 15:33:59.1321
(UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Internet
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PU1APC01HT087
--_004_HK0PR01MB28970718F9E9F986E94B2C22F9A80HK0PR01MB2897apcp_
Content-Type: multipart/alternative;
boundary="_000_HK0PR01MB28970718F9E9F986E94B2C22F9A80HK0PR01MB2897apcp_"
Code:
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from brian.securedserverspace.com
by brian.securedserverspace.com with LMTP
id xXkhEoHjq15BXSYAFzcLkA
(envelope-from <[email protected]>)
for <[email protected]>; Fri, 01 May 2020 03:53:21 -0500
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Fri, 01 May 2020 03:53:21 -0500
Received: from mail-oln040092254066.outbound.protection.outlook.com ([40.92.254.66]:25695 helo=APC01-PU1-obe.outbound.protection.outlook.com)
by brian.securedserverspace.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
(Exim 4.93)
(envelope-from <[email protected]>)
id 1jURQ8-00AXnJ-Bk
for [email protected]; Fri, 01 May 2020 03:53:21 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=eM2aluEcK3GXdMS/PTRpFKEZGtuH49xwmlokEBaikqP3sYeY8wU+HjaR4XPvIvuEjVMFfc52mV7JivCgQrvN7PVGBX4kCXnWsepRMNN1XtkmZPwCuL/QKcdyEYJgwb4Kvg20tJ0wyek1fVgFez3jgtzqwayfVKcikJNH7aRbdmZ+D9uYWL7T/hsJfN9rKbqJZC8SdCNZqo0O3W9xa2sxFVJmmRmu2WE06r/UoFRcDnDfdSubfA4bmQQHzLpKvopql/POl23/8EeEsxw74APUfVcxYLJCcqW8c4+Hj4YhnntQKuO82z4g/54ufWNTzR7vbOmOoOW06C1DqxWE4thpiA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=BpHJOdr5I+V42UFfGoKA1/6JpY45qOgZcSZ+Pll9tBE=;
b=YSNtGr5Fr/bUPk1C5+jmYhyYG1Hqh8SHjhoBg5Kl++xq8ZIFZ6MVN9ahGKSUDxB6gI3TnEWNRgZ3vTG0ky9doEm7SHeQHcUTMiEp8d+P/jtLVIMk6Ha8rfJsA655G9cRtTk1g+YstteeXBOp0HpkSohpcxWbXUhpYkx9v80sC0+zBpni9mc9iNUoawHuVQB0TNxjN+F12q9QKQUW14fQYNqQJslZS8sEOisPTKpUILVToLYmEUyyOurA0PEYHM5cukFnViRkhrT5vlxq0rc/BozHXYQnRwkqvyPiJ4YkK4U38BW5iLO3sjMZLT7883kNZwwm3/AGiH79IHWKxLOUMQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none;
dkim=none; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hotmail.com;
s=selector1;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=BpHJOdr5I+V42UFfGoKA1/6JpY45qOgZcSZ+Pll9tBE=;
b=Q5NAXh/Xfs5XrQIjuJ+YCuyZa79mfUUkCClyHz3R9ILf83Jq3ZNQmig/PEbH6BD5b+R54ZPoUJpkmAO7a+cY5wy6NDBA/Riuk+YZEM8KvIblqK3wIO1XCL0CpeFIPYUZZzvdk+19R71AcpaCsOhfGPZstBCsTTWyCjGSx+97+rmxpvoft/xqR/4ud6SMaXu5Zh29JiOkm7TYMLWzVNhAmNDwQy7BzrEq9Xl2IC1SA5p36wX1KuhlABF6Q+4KPZzFgKe4IPMjEt0RyqbZ+smUt6yyKT5Ojr29an5xABkstbmdUPBwOHaLOtAM8r1TZ635S5sko64v0mKx6zAazTm/wg==
Received: from SG2APC01FT112.eop-APC01.prod.protection.outlook.com
(2a01:111:e400:7ebd::4e) by
SG2APC01HT073.eop-APC01.prod.protection.outlook.com (2a01:111:e400:7ebd::262)
with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2958.24; Fri, 1 May
2020 08:50:51 +0000
Received: from PS1PR0601MB3788.apcprd06.prod.outlook.com
(2a01:111:e400:7ebd::4e) by SG2APC01FT112.mail.protection.outlook.com
(2a01:111:e400:7ebd::201) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2958.19 via Frontend
Transport; Fri, 1 May 2020 08:50:50 +0000
Received: from PS1PR0601MB3788.apcprd06.prod.outlook.com
([fe80::7d06:5bf6:8df:e37e]) by PS1PR0601MB3788.apcprd06.prod.outlook.com
([fe80::7d06:5bf6:8df:e37e%4]) with mapi id 15.20.2937.028; Fri, 1 May 2020
08:50:50 +0000
From: Stella Lemm <[email protected]>
To: (large bunch of email addresses here)
Subject: =?Windows-1252?Q?F_Guten_Tag_f=FCr_Sie_00_mein_name_ist_Marian?=
Thread-Topic: =?Windows-1252?Q?F_Guten_Tag_f=FCr_Sie_00_mein_name_ist_Marian?=
Thread-Index: AQHWH5WReAgetXMdfUSaqWcDhrVvAw==
Date: Fri, 1 May 2020 08:50:50 +0000
Message-ID:
<[email protected]6.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-incomingtopheadermarker:
OriginalChecksum:E0B6BFF6F08BEBC9E821C1841B56B63210F201E573FB5DE10221CFC465EEE361;UpperCasedChecksum:DCB7A106C0A28405430AF4E5FD113877FC6AAB86BB3B0621145D7D64552BEFC6;SizeAsReceived:32018;Count:42
x-tmn: [vyQ7LNgZbp+l5egqVsT7fpHoZJKveYsn]
x-ms-publictraffictype: Email
x-incomingheadercount: 42
x-eopattributedmessage: 0
x-ms-office365-filtering-correlation-id: 9cbd6727-8858-461a-9c82-08d7edacbfcc
x-ms-exchange-slblob-mailprops:
d6LuQ8FBiBzqt8NnE9jaZIlIAY1FOZQO4YwHNX1uC6RIDlbMg5XJ7RO+DQmR2kexlLgWEUcFPW9MHJdXyrY3c0FnigxHniHnCy2vOLWAIwGd9/Fewe6SJOm+m3MzytkjSprDUxINCDOnBwfa404a/DwdBpZ71gLyeyNTBFYwhpJ4Hrrgl3v5LSzOFyAARfbKP4Z48pGrEMo9mUabHLk53ZQGeIzUSn28yMvCae5xnDPYGmDm1Y8j68hImPJwPn5qfDMhbTRQcBS+GrrviAC9Cez37q9mRCLc+++O75MfT2FtWRsbvjDR/Nk/rv59fptJoLrCjMYw0XVo/OSEmLrhphE1mOFrdwZOLaP7E5t6avJ4t6AZ5ZEPhoknBwGgwg+7Ss3e4IMp91Lw3Y+VewicYS2r9SxiyKySlkyTlkKLpS+S/CHlqXEpmjE5PjR1lSjQ93zKFuPZCkcOzCU8kB+00IAs8S0ebtHkzctxeDLbti1JLZBJKhvcyiD2+9aLHEbrvlbNm1CQPYS5Pq971BUv5fBQJGVEZGJVdmG60rYw2uZyDX7oWsrcEd9vU/zuiFjMVapTMz+fDc7FfPtS8hijIsa3U4YNmHT+4098sJjNfh2BSZVhXVMfzpOCDdsrX4kE6Baw1726ZmCVgk6ly+KRUzVUiORg+jFr0UNcsv7DlwLj5zrt8wWb2eRrd7DWLyOrCuf9zWZoE6XhoLHNIwCJdKGm38XJ3QDkTW4JId1g3Wm8YQSIlnKlLMlyOv5fZFXsKsOIJdkAY5wfx4jrMh0xtCt363i79Hk5ofPTLeASSV0q9TzFKsukgGP0iw0Kee1I
x-ms-traffictypediagnostic: SG2APC01HT073:
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info:
tXMDfzgx6Jl6u+FSqsSJd+h+858A2YpLPGSST1RIXMYXAU57AhU4plQ1aZ1TVmYdCOAloQk5ZMrEKe7Yb7M3RrnQerw8kJ6BqXDYM8tekLevwbNSxHUC5E9o7fkbbAjBmHRB1xfWThXhrpHc+Ra3CDH+ipWMtJ0qFOianKE4wReE2IxQSgHTrRo5xE7eii3hVZWi/Mh2JfcV8t3Bk6D9NlTjcoa9+Ew6jOKxl/JGw0xwpEBlqaM7pFDA6NC3QK/8
x-forefront-antispam-report:
CIP:255.255.255.255;CTRY:;LANG:en;SCL:0;SRV:;IPV:NLI;SFV:NSPM;H:PS1PR0601MB3788.apcprd06.prod.outlook.com;PTR:;CAT:NONE;SFTY:;SFS:;DIR:OUT;SFP:1901;
x-ms-exchange-antispam-messagedata:
vx4GeAslALsJF+kgjFRmquV7XlGAHSsUTCkIHRQLcVw1SQHN0Q165pvfruMBarOprGdjYs4TPJOfSwUoAXeYONJe4uqNOnzevELeX49LjLMHTtyFV5pRsrcNbLaw/+xYeBU6mcGkCUs4F2aSE6SZww==
x-ms-exchange-transport-forked: True
Content-Type: multipart/mixed;
boundary="_004_PS1PR0601MB37886D35F56CBAA483467B9EBDAB0PS1PR0601MB3788_"
MIME-Version: 1.0
X-OriginatorOrg: hotmail.com
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-CrossTenant-Network-Message-Id: 9cbd6727-8858-461a-9c82-08d7edacbfcc
X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 May 2020 08:50:50.1661
(UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Internet
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SG2APC01HT073
--_004_PS1PR0601MB37886D35F56CBAA483467B9EBDAB0PS1PR0601MB3788_
Content-Type: multipart/alternative;
boundary="_000_PS1PR0601MB37886D35F56CBAA483467B9EBDAB0PS1PR0601MB3788_"
--_000_PS1PR0601MB37886D35F56CBAA483467B9EBDAB0PS1PR0601MB3788_
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
Last edited by a moderator:
