How are spam e-mails filtered?
Posted by kevindqc on Super User
Published on 2010-04-10T16:38:44Z
Hello.
I'm just wondering how some e-mails get past the spam filter, and some don't? Every day I get World of Warcraft phishing emails that get past the filter...
For example, here's a phishing email (just the header) I got in my inbox, and not in my junk mail:
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtTQ0w9Ng==
X-Message-Status: n:0
X-SID-PRA: [email protected]
X-AUTH-Result: NONE
X-Message-Info: M98loaK0Lo27IVRxloyPIZmAwUHKn18nx0o/idLdvGYjK48i19NuvFOnRFYGWE+HdIrNJpi1XaYx0gaAV13cgRnkWSzgHKG1
Received: from blizzard.com ([204.45.59.37]) by SNT0-MC3-F21.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
Sat, 10 Apr 2010 06:38:24 -0700
Received: from hxeabjlh ([192.168.1.165])
(envelope-sender <[email protected]>)
by 192.168.1.111 with ESMTP
for <[email protected]>; Sat, 10 Apr 2010 08:43:24 -0500
Reply-To: <[email protected]>
Sender: [email protected]
Message-ID: <DE567AFB9E2F3DD985A2D9A8D12D2917@hxeabjlh>
From: "[email protected]" <[email protected]>
To: <[email protected]>
Subject: World of Warcraft Account Password verification
Date: Sat, 10 Apr 2010 21:38:10 +0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_04EE_0137659E.1AA23350"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
Return-Path: [email protected]
X-OriginalArrivalTime: 10 Apr 2010 13:38:24.0607 (UTC) FILETIME=[17F3A6F0:01CAD8B3]
From what I understand, when you send an email with SMTP, you can specify any hostname in the "HELO" command. Here, the spammer specified "blizzard.com". And he sent his email through Hotmail using Outlook Express.
I just don't understand how this gets past the spam filter? There's this SPF thing that seems to exist... but it doesn't seem to be used by blizzard?
I'm on Windows, and if I use nslookup to look for the TXT records of blizzard.com and worldofwarcraft.com, I don't see a thing... so blizzard is not using SPF? Why would that be?
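As an added example (my own code, not part of the question or of any Super User answer), the script below does what a receiving mail server's SPF check does with the two Received headers quoted above: it separates what the sending client claimed in HELO ("blizzard.com") from the IP address the receiver actually observed (204.45.59.37), and then evaluates an SPF policy for the envelope sender's domain. Real DNS is not queried; the TXT answers are a constructed table in which blizzard.com has no record, matching the nslookup result described in the question, while two made-up domains carry constructed "v=spf1" records so the pass/fail/softfail outcomes can be seen. The envelope sender address is a constructed stand-in for the redacted one in the headers, and only the ip4/ip6/all mechanisms of SPF are implemented.

```python
import ipaddress
import re

# The two Received headers from the question, folded lines joined (constructed
# copy of the quoted header block; the outermost hop is the one the receiver
# itself recorded and therefore the only one it can trust).
RECEIVED_HEADERS = [
    "from blizzard.com ([204.45.59.37]) by SNT0-MC3-F21.Snt0.hotmail.com "
    "with Microsoft SMTPSVC(6.0.3790.3959); Sat, 10 Apr 2010 06:38:24 -0700",
    "from hxeabjlh ([192.168.1.165]) (envelope-sender <[email protected]>) "
    "by 192.168.1.111 with ESMTP for <[email protected]>; Sat, 10 Apr 2010 08:43:24 -0500",
]

# Constructed DNS TXT answers standing in for live lookups. blizzard.com is
# deliberately absent (the question reports no TXT record was found); the
# .test domains and their records are invented for illustration only.
FAKE_TXT = {
    "strict-example.test": ["v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.7 -all"],
    "soft-example.test": ["v=spf1 ip4:198.51.100.0/24 ~all"],
}

# "from <HELO name> ([<ip>])" as written by most MTAs; HELO is client-supplied,
# the bracketed IP is what the receiver saw on the TCP connection.
RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>[0-9a-fA-F:.]+)\]?\)")


def parse_received(header):
    """Return (claimed_helo_name, connecting_ip) or None if unparseable."""
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    return m.group("helo"), m.group("ip")


def lookup_txt(domain, dns=FAKE_TXT):
    """Stand-in for a DNS TXT query (returns the constructed table's answer)."""
    return dns.get(domain.lower(), [])


def check_spf(sender_domain, connecting_ip, dns=FAKE_TXT):
    """Minimal SPF evaluation (ip4, ip6 and all mechanisms only).

    Returns 'none' when the domain publishes no policy, otherwise the result
    of the first matching mechanism: 'pass', 'fail', 'softfail' or 'neutral'.
    """
    records = [r for r in lookup_txt(sender_domain, dns) if r.startswith("v=spf1")]
    if not records:
        # No policy published: the receiver has nothing to reject against,
        # which is why a spoofed HELO alone does not get the mail blocked.
        return "none"
    ip = ipaddress.ip_address(connecting_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in qualifiers:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return qualifiers[qualifier]
        mechanism, _, argument = term.partition(":")
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            if ip in network:  # False automatically when IP versions differ
                return qualifiers[qualifier]
    # Record exhausted without an "all" term: SPF treats this as neutral.
    return "neutral"


def analyse_message(received_headers, envelope_sender, dns=FAKE_TXT):
    """Claimed HELO vs observed IP for the trusted hop, plus the SPF verdict
    for the envelope sender's domain."""
    helo, ip = parse_received(received_headers[0])
    domain = envelope_sender.rpartition("@")[2]
    return {"helo": helo, "ip": ip, "sender_domain": domain,
            "spf": check_spf(domain, ip, dns)}


if __name__ == "__main__":
    # "noreply@blizzard.com" is a constructed stand-in for the redacted sender.
    print(analyse_message(RECEIVED_HEADERS, "noreply@blizzard.com"))
    for domain in ("strict-example.test", "soft-example.test"):
        for ip in ("204.45.59.37", "198.51.100.42"):
            print(domain, ip, check_spf(domain, ip))
```

The point the output makes is the one the question circles around: the HELO name is whatever the client typed, the IP is the only thing the receiver can vouch for, and SPF is the published mapping between a domain and the IPs allowed to send for it. When the domain publishes nothing, the check returns "none" and the filter has to fall back on content heuristics rather than a policy decision.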