Trying to identify source of "SPAM-LOW" in Outlook e-mail subject line

Hello,

I do not use SmarterMail and my ISP says that they don't either but I get some e-mails, via Outlook and POP3, that have "SPAM-LOW" (or similar) in the subject line. Here is a sample SMTP header of such an e-mail:

Return-Path: <no-reply@alertsp.chase.com>
Received: from alertsp.chase.com (reverse.completel.net [92.103.81.210]) by dpmail21pro.doteasy.com with SMTP;
Tue, 7 Apr 2015 07:24:18 -0700
Message-ID: <5523E886.32211767@alertsp.chase.com>
Date: Tue, 07 Apr 2015 16:24:06 +0100
From: Chase Card Services <no-reply@alertsp.chase.com>
MIME-Version: 1.0
Subject: SPAM-LOW: Thank you for scheduling your online payment
To: <steve@xxxxxxx.net>
Content-Type: multipart/mixed;
boundary="=_------------050604050007090905030306"
X-SmarterMail-Spam: SPF_Fail, Custom Rules []
X-SmarterMail-TotalSpamWeight: 10

The "X-SmarterMail" tags are in this e-mail and I believe that SmarterMail modified the subject line, but I can't figure out where SmarterMail fits into the path my e-mail takes. The tags - but not the subject line modification - are in all my e-mails.

I only use Microsoft Security Essentials for system-wide security and I use SPAM-Reader in Outlook. Does anyone have any idea where the SmarterMail stuff is coming from?

Employee Replied

4/8/2015 at 10:43 AM

Employee Post

Steve, under System Admin | Antispam Administration | Filtering you can specify the different actions to take on the various spam levels. One of these actions is to prefix the message subject with the spam level.

Employee Replied

4/8/2015 at 10:56 AM

Employee Post Marked As Answer

Greetings,

Spam-Low is a common pre-fix used within SmarterMail when certain spam messages are received. What had likely occurred is this message had failed SPF record checks and was marked as Spam since it was addressed from chase.com but the address it was received from is not listed in Chase.com's SPF record...

If you review the Message Headers, you'll see that the message had originated from alertsp.chase.com (reverse.completel.net [92.103.81.210]) and received by dpmail21pro.doteasy.com, this does appear to be a SmarterMail server based on the responses I'm getting when I telnet to that host over port 25. I do not see any other server named in the header information. So it appears this may have been popped from their server ?

There could also be a chance that this server is mis-configured and was allowing relaying through it and a spammer was able to deliver a message to your account on your ISP's server. However, if this were the case you should see some header entries indicating that the message was in fact received by your ISP's mail server. This does not seem the be the case, unless you're hosted with DotEasy.

Based on the header information I only see that the message was received by dpmail21pro.doteasy.com - If this is not your server or your ISP's server there is likely an account on that system that's in place that could potentially be forwarding messages to your account with your ISP.

Unfortunately without more information from the dpmail21pro.doteasy.com server, it's hard to tell exactly what had happened, and how this message ended up in your Outlook POP account.

I hope this helps.

Steve Feldner Replied

4/11/2015 at 11:11 AM

My ISP is doteasy.com and they say that they do not change the subject line but I'm not sure that the support people would know if they used SmarterMail or not. In order to get my PC out of the mix, I went to the webmail page for my account and checked. All of the e-mail headers there have the X-SmarterMail tags in them too and I find it impossible to believe that they were in all the e-mails before they got to doteasy's mail server. Here is the header from a pretty generic e-mail. Would you say that doteasy's server(s) were running SmarterMail or maybe some subset of SmarterMail?

Return-Path: <bounces+644560-ffe3-steve=xxxxxxx.net@email.pinterest.com>
Received: from o18.email.pinterest.com (o18.email.pinterest.com [167.89.1.107]) by dpmail21pro.doteasy.com with SMTP;
   Sat, 11 Apr 2015 10:52:54 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=email.pinterest.com; 
	h=content-type:mime-version:subject:from:to:reply-to; 
	s=s20150106; bh=crKxgsDHewaffhx5bdQB88GUnUM=; b=TEI1kRJgcTcczmcl
	1tOcL+sn0yJRvFUqy+HBfEXxKxOwErPB/tFAzW32Erp/fuQPvd8cba9GaqUE4w7a
	rlLS6g5LXVYuJY4P8ikATaU2jnMxuLxipMbFSWFZ5P5t0VZztcabwuGUb556E9Qa
	5QSLVBCKJbKWuUr/0EyLMTmaxQs=
Received: by filter0326p1mdw1.sendgrid.net with SMTP id filter0326p1mdw1.18430.55295F685
        2015-04-11 17:52:42.696181049 +0000 UTC
Received: from jobs-weeklyemail-lines-413d94bd.ec2.pin220.com (ec2-54-198-230-59.compute-1.amazonaws.com [54.198.230.59])
	by ismtpd-031 (SG) with ESMTP id 14ca99cb82a.5f18.25463
	for <steve@xxxxxxx.net>; Sat, 11 Apr 2015 17:52:42 +0000 (UTC)
Content-Type: multipart/alternative;
 boundary="===============7054539919722713176=="
MIME-Version: 1.0
Subject: This week's top Pins
From: Pinterest <pinbot@pinterest.com>
To: steve@xxxxxxx.net
Date: Sat, 11 Apr 2015 17:52:42 -0000
Message-ID: <20150411175242.13185.24116@jobs-weeklyemail-lines-413d94bd.ec2.pin220.com>
Reply-To: pinbot@email.pinterest.com
X-SG-EID: ir5xlkLXWilTI8T/Q+xkuwQmmwXJj0ioehPyMZHcqRxezCvBtgVAE3HVaKW6oOmpV9VRLpsEL30y5V
 SO14zh8IzfJj1Oi68KFbfaQzVc96YVZdLYBkOM/6WsADFwRangLg4oO761I7zuHAYd4nGdmVy3u1xd
 9EYxqMiBbIzCF3E=
X-SG-ID: WMLztlB6QyiGaIjT5SJci+8qMjx6tQfaVWW86OalbwijeCwNEUQgjrD0g1/Lxhppw/U1pxSvhsmbtx
 WAwyyGNFRYJSOtpboiP/efS1SPhwUwW1XwXrQN+1nWQR1DKkJ8SzDAafkXEg14sBkDf9TaC20rju7w
 7L23cCy9neU8kNu2ZtE+TSIDjtHXb9vqUNTwvjABrsBUVViTOHUPI2fZcfQBz0gxxt1FPS+68u8DfH
 vtYXYDhjyoQEUlYT8oOJogfwaRd9THVa4ADFLLxrWs4w==
X-SmarterMail-Spam: SPF_Pass, Custom Rules []
X-SmarterMail-TotalSpamWeight: 0

3 Replies

Reply to Thread

Related Knowledge Base Articles

3 Replies

Reply to Thread

Tags

Related Knowledge Base Articles