How to Use Full Email Headers to Block Spam - olympus.net
The purpose of this document is to show how to block spam arriving at your @olympus.net address.
Usually spam recipients block the From email address which doesn't work because the From address is forged.
It takes three steps to block spam.
1. Display the email's full headers.
2. Using the full headers, identify the sender.
3. Enter an appropriately formatted address in Webmail's Settings/Spam Settings/Blocked Senders.
Our spam example's full headers are shown in black below.
Looking only at the From field in the inbox, an email appears to be from Marine Technology.
Looking at the full headers below, notice that the first entry in the full headers is: Return-Path: firstname.lastname@example.org
Usually the real sender of an email is revealed in the Return-Path which is typically the first entry in the full headers. This is what should be entered in the Blocked Senders list, not the From address.
The format to add to your Blocked Senders list:
The "wildcard" (asterisk) is used to block any sender of spam from the domain maritimeglobalnews.com such as email@example.com or firstname.lastname@example.org.
Spam may continue to arrive from Marine Technology after blocking the Return-Path address. Open the full headers once again and check the Return-Path. It may be that Marine Technology uses other domains from which to send spam. If the domain is different, add the new one to the block list using the same format as above.
If spam continues to arrive, find the top Received: entry. In this case, that's mail.marinenewsworld.com. To your Blocked Senders list add *@*.marinenewsworld.com
You've learned how to block spam. Allowed Senders entries are derived the same way. Legitimate senders don't forge their headers, but they may alter it. In other words, apply what you've learned about blocking spam to ensuring delivery of legitimate email.
Example of Full Headers:
X-Spam: Spam detected
Authentication-Results: auth.b.hostedemail.com; dkim=none
reason="no signature"; dkim-adsp=none (insecure policy);
X-Spam-Summary: 95,0,0,,d41d8cd98f00b204,email@example.com,:,RULES_HIT,0,RBL:220.127.116.11:@maritimeglobalnews.com:.lbl8.mailshell.net-18.104.22.168 22.214.171.124,CacheIP:none,Bayesian:0.5,0.5,0.5,Netcheck:none,DomainCache:0,MSF:not bulk,SPF:fs,MSBL:0,DNSBL:neutral,Custom_rules:0:0:0
Received: from mail.marinenewsworld.com (mail.marinenewsworld.com [126.96.36.199])
by imf12.b.hostedemail.com (Postfix) with ESMTP
for <firstname.lastname@example.org>; Tue, 21 Jul 2015 23:26:15 +0000 (UTC)
Received: from win08vworker ([188.8.131.52]) by mail.marinenewsworld.com with Microsoft SMTPSVC(6.0.3790.4675);
Tue, 21 Jul 2015 11:23:51 -0400
From: "Maritime Global News" <email@example.com>
Date: 21 Jul 2015 11:24:06 -0400
Subject: Tagged-as-spam Intracoastal Waterway Reopened After Barge Collision
Content-Type: text/html; charset=utf-8
X-OriginalArrivalTime: 21 Jul 2015 15:23:51.0390 (UTC) FILETIME=[3F701FE0:01D0C3C9]