Some sort of trusted sender bug? Spammers getting spam through suddenly.
Question asked by W. Troy Leaver - September 21, 2015 at 11:08 AM
In the past few days I've noticed a bunch of spam suddenly slipping through the filters. The common denominator is that they're all being sent to my feedback loop address which is fbl@<mydomain>.com (SLD removed for privacy).
All of the spam slipping through contains this header:
X-Rcpt-To: <fbl@<mydomain>.com>
Similar spam without that header is filtered.
(How they got that email address is beyond me--it has only been used when signing up for an AOL feedback loop and maybe Microsoft's JMRP.)
Additionally SmarterMail is deeming this a trusted sender issue:
X-SmarterMail-TotalSpamWeight: 0 (Trusted Sender - User)
fbl@<mydomain>.com is an alias, not a mailbox. fbl@<mydomain>.com is NOT listed in my trusted sender list. Nor is any email address throughout the header. (Including which is what SmarterMail is seeing as the sender.)
I'm at a loss to understand how this is happening. It just started late last week.
Here is the header and detail from the SMTP/delivery logs:
Return-Path: <>
Received: from ( []) by mail.<mydomain>.com with SMTP;
   Mon, 21 Sep 2015 12:45:39 -0500
Received: from BAY0-XMR-025.phx.gbl ([]) by with Microsoft SMTPSVC(7.5.7601.23008);
     Mon, 21 Sep 2015 10:45:48 -0700
Received: from mail pickup service by BAY0-XMR-025.phx.gbl with Microsoft SMTPSVC;
     Mon, 21 Sep 2015 10:45:48 -0700
X-Message-Guid: 8aac505b-6085-11e5-9144-6c3be5a7db75
x-store-info: qAUQJzZ73IJCLUJ+0n7ZQ5yN3wd9gk1Jrrlyy6foO00=
Authentication-Results:; spf=pass (sender IP is; dkim=none; dkim=permerror; x-hmca=pass
X-SID-Result: PASS
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MztHRD0zO1NDTD03
X-Message-Info: v3e34AVpXcVyWCi2vud6It4sW74ZFGnnZzFUfaxms6e1h4WsOvSZZt20Mzc69zZwmsaN3vLfjTs4yDXBqa6MN9K3e/QYRAys0NkKjH6KynWfMSSEmD06nim0OpXikk8/TM7356wrN/133yJ0Kohc5HkWaQYg8aZEVWRVVCkhgfnsYCV6xnTji6nwKueVYpZhFor2gg2n6B2CUcT+lH7F5xw6YLeCqjHdeFnXJifj8r0=
Received: from ([]) by with Microsoft SMTPSVC(7.5.7601.23143);
     Mon, 21 Sep 2015 10:24:04 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=SELECTOR1;;
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=SELECTOR1;;
Received: from localhost ( by id h00uj416lt0n for <>; Mon, 21 Sep 2015 13:24:01 -0400 (envelope-from <>)
Subject: flavia1894: =?UTF-8?B?R2V0IHRoZSBmYWN0cyBhYm91dCBzZWxsaW5nIHlvdXIgVGltZXNoYXJlLg==?=
From: =?UTF-8?B?SGVscCBTZWxsIE15IFRpbWVzaGFyZQ==?= <>
List-Unsubscribe: <>
Sender: "flavia1894"  <>
Content-Type: text/html
Message-ID: <>
X-SG-EID: cKpNRtVuzoy5iSQmZs0sHFAykSKGT77AKaNgk3O0i2Uu6DPR2oyOD5FjkVMksJi3slSQ4Mq8KahzSz
X-SG-ID: SolyLoj4M+6t0KZQOavh+EhAg7mxK0+8s5Pxt8+oPW2ehcXKfVsMPwsv7au/gjffgQkNDl8m5u5rep
X-OriginalArrivalTime: 21 Sep 2015 17:24:04.0413 (UTC) FILETIME=[505896D0:01D0F492]
Date: 21 Sep 2015 10:24:04 -0700
X-MessageSniffer-Identifier: e:\SmarterMail\Spool\proc\work\81457577.eml
X-GBUdb-Analysis: 0,, Ugly c=0.071429 p=0 Source Normal
X-MessageSniffer-Scan-Result: 62
X-MessageSniffer-Rules: 62-7272267-4414-4462-m
X-RBL-Warning: WEIGHT10: Weight of 33 reaches or exceeds the limit of 10.
X-RBL-Warning: WEIGHT14: Weight of 33 reaches or exceeds the limit of 14.
X-RBL-Warning: WEIGHT20: Weight of 33 reaches or exceeds the limit of 20.
X-RBL-Warning: WEIGHT30: Weight of 33 reaches or exceeds the limit of 30.
X-Declude-Sender: []
X-Declude-Spoolname: 81457577.eml
X-Declude-Note: Scanned by Declude 4.12.11
X-Declude-Scan: Incoming Score [33] at 12:45:48 on 21 Sep 2015
X-Country-Chain: UNITED STATES->destination
X-Declude-Code: e
X-Identity: | |
X-Rcpt-To: <fbl@<mydomain>.com>
X-SmarterMail-Spam: SPF_Pass, DK_None, DKIM_None, Declude: 33
X-SmarterMail-TotalSpamWeight: 0 (Trusted Sender - User)
[2015.09.21] 12:45:39 [][37508174] rsp: 220 mail.<mydomain>.com
[2015.09.21] 12:45:39 [][37508174] connected at 9/21/2015 12:45:39 PM
[2015.09.21] 12:45:39 [][37508174] cmd: EHLO
[2015.09.21] 12:45:39 [][37508174] rsp: 250-mail.<mydomain>.com Hello []250-SIZE 31457280250-AUTH LOGIN CRAM-MD5250-8BITMIME250 OK
[2015.09.21] 12:45:39 [][37508174] cmd: MAIL FROM:<> SIZE=11444
[2015.09.21] 12:45:39 [][37508174] rsp: 250 OK <> Sender ok
[2015.09.21] 12:45:39 [][37508174] cmd: RCPT TO:<fbl@<mydomain>.com>
[2015.09.21] 12:45:39 [][37508174] rsp: 250 OK <fbl@<mydomain>.com> Recipient ok
[2015.09.21] 12:45:39 [][37508174] cmd: DATA
[2015.09.21] 12:45:39 [][37508174] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
[2015.09.21] 12:45:39 [][37508174] rsp: 250 OK
[2015.09.21] 12:45:39 [][37508174] Data transfer succeeded, writing mail to 81457577.eml
[2015.09.21] 12:45:39 [][37508174] cmd: QUIT
[2015.09.21] 12:45:39 [][37508174] rsp: 221 Service closing transmission channel
[2015.09.21] 12:45:39 [][37508174] disconnected at 9/21/2015 12:45:39 PM
Delivery Log:
[2015.09.21] 12:45:50 [57577] Delivery started for at 12:45:50 PM
[2015.09.21] 12:45:57 [57577] DKIM TempFail: An error of type  occured during lookup of the domains DKIM public key. DKIM verification for this message will be skipped.
[2015.09.21] 12:45:57 [57577] Spam check results: [_SPF: Pass], [_REVERSEDNSLOOKUP: passed], [_BAYESIANFILTERING: passed], [_DK: None], [_DKIM: None]
[2015.09.21] 12:46:01 [57577] Starting local delivery to wt@<mydomain>.com
[2015.09.21] 12:46:01 [57577] Skipping spam filtering: Trusted Sender (user level)
[2015.09.21] 12:46:01 [57577] Delivery for to wt@<mydomain>.com has completed (Delivered) Filter: None
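The delivery log above shows the message accepted for the fbl@ alias, delivered locally to wt@, and exempted from filtering at user level. The following is an added example, not part of the original post: it scans delivery-log lines for those bypass events and reports the mailbox named next to each one, so the trusted-sender list to review is clear. It assumes log lines keep the shape quoted above; the sample log and its addresses are constructed.

```python
import re
from collections import Counter

# Line shape taken from the delivery log quoted above:
#   [2015.09.21] 12:46:01 [57577] <event text>
LINE = re.compile(r"^\[\d{4}\.\d{2}\.\d{2}\] \d{2}:\d{2}:\d{2} \[(\d+)\] (.*)$")
LOCAL = re.compile(r"^Starting local delivery to (\S+)$")
SKIP = re.compile(r"^Skipping spam filtering: Trusted Sender \((.+)\)$")

def trusted_sender_bypasses(lines):
    """Return (delivery_id, mailbox, level) for each delivery that skipped
    spam filtering because of a trusted-sender match."""
    mailbox = {}  # delivery id -> mailbox of the local delivery in progress
    hits = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a delivery-log line in the assumed shape
        delivery_id, event = m.groups()
        local = LOCAL.match(event)
        skip = SKIP.match(event)
        if local:
            mailbox[delivery_id] = local.group(1)
        elif skip:
            hits.append((delivery_id, mailbox.get(delivery_id), skip.group(1)))
    return hits

def bypasses_per_mailbox(lines):
    """Count bypasses per (mailbox, level) to show which list to review."""
    return Counter((box, level) for _, box, level in trusted_sender_bypasses(lines))

# Constructed sample modelled on the log above; all addresses are placeholders.
SAMPLE_LOG = """\
[2015.09.21] 12:45:50 [57577] Delivery started for sender@example.net at 12:45:50 PM
[2015.09.21] 12:46:01 [57577] Starting local delivery to wt@example.com
[2015.09.21] 12:46:01 [57577] Skipping spam filtering: Trusted Sender (user level)
[2015.09.21] 12:46:01 [57577] Delivery for sender@example.net to wt@example.com has completed (Delivered) Filter: None
[2015.09.21] 12:47:10 [57580] Delivery started for other@example.org at 12:47:10 PM
[2015.09.21] 12:47:12 [57580] Starting local delivery to sales@example.com
[2015.09.21] 12:47:12 [57580] Delivery for other@example.org to sales@example.com has completed (Delivered) Filter: None
[2015.09.21] 12:49:30 [57581] Delivery started for sender@example.net at 12:49:30 PM
[2015.09.21] 12:49:33 [57581] Starting local delivery to wt@example.com
[2015.09.21] 12:49:33 [57581] Skipping spam filtering: Trusted Sender (user level)
""".splitlines()
```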

2 Replies

Without the actual e-mail address the spam is being sent to, there's not much anyone can do to help you with the provided information.
Bruce Barnes
ChicagoNetTech Inc

Phone: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal:
Security Blog:

Web and E-Mail Hosting, E-Mail Security and Consulting
The emails you are receiving are from Hotmail's Feedback Loop. They are addressed as coming from to These are emails that have been reported by users of Hotmail as Spam, and as they are spoofing a domain whose MX Records resolve to the IP that you used when you signed up for their Feedback Loop, they are being sent to your Feedback Loop address that you provided.
They will all have text similar to the following:
This is an email abuse report for an email message received from IP on Tue, 22 Sep 2015 07:49:39 -0700.
The message below did not meet the sending domain's authentication policy.
For more information about this format please see
Each email will include an attachment with the original email.
In almost all cases these are reports of emails that are spoofed and using one of the domains that you host on your mail server. You can safely ignore these and just want to eyeball them to make sure that none report being received from your Mail Server's IP Address. (I have them moved to a folder and once a day do a search for my Mail Server's IP Address.)
The reason they are marked as Trusted Sender is because you have marked as a Trusted Sender for your fbl or wt account (Trusted Senders can also be added to the entire domain, or in your server's SECURITY > TRUSTED SENDERS list), but the log specifically says "User Level".
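A scripted form of the daily check described in the reply above, as an added example that is not part of the original thread: it reads the source IP out of each feedback-loop report and separates reports that name your own mail server from those that name another source. It assumes the report body carries the sentence quoted in the reply and that the original message is attached as message/rfc822; the IPs and addresses are constructed documentation values.

```python
import ipaddress
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Sentence shape quoted in the reply above; the IP itself is elided on the page.
REPORT_IP = re.compile(r"email message received from IP (\S+) on ")

def reported_ip(report):
    """IP the report says the complained-about message came from, or None."""
    body = report.get_body(preferencelist=("plain",))
    m = REPORT_IP.search(body.get_content()) if body else None
    try:
        return ipaddress.ip_address(m.group(1)) if m else None
    except ValueError:
        return None  # sentence present but the value is not an IP address

def original_from(report):
    """From header of the attached original message, or None."""
    for part in report.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return str(part.get_content()["From"])
    return None

def triage(reports, own_ips):
    """Bucket reports: sent by our server, sent from elsewhere, or unparsed."""
    own = {ipaddress.ip_address(ip) for ip in own_ips}
    buckets = {"own_server": [], "other_source": [], "unparsed": []}
    for report in reports:
        ip = reported_ip(report)
        key = "unparsed" if ip is None else "own_server" if ip in own else "other_source"
        buckets[key].append((None if ip is None else str(ip), original_from(report)))
    return buckets

def make_report(ip, spoofed_from):
    """Constructed sample report, parsed back from bytes like a spooled file."""
    original = EmailMessage()
    original["From"] = spoofed_from
    original.set_content("<p>constructed sample</p>", subtype="html")
    report = EmailMessage()
    report["To"] = "fbl@example.com"
    report.set_content("This is an email abuse report for an email message "
                       f"received from IP {ip} on Tue, 22 Sep 2015 07:49:39 -0700.\n")
    report.add_attachment(original)
    return message_from_bytes(report.as_bytes(), policy=policy.default)

SAMPLES = [make_report("203.0.113.9", "news@example.com"),
           make_report("192.0.2.25", "billing@example.com")]
```

Anything landing in `own_server` means a complaint about mail that left your own IP; `unparsed` reports need a manual look.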
