SPAM & Phish Messages from the Club List

Hi FTH, 

We seem to be getting a few SPAM and PHISH messages which look like they're from Members sent around to other Members advertising numerous items such with external links.

I won't post anything here but let me know what you require to analyse or let us know the best way to fix. 

It's coming from members-26@toastmastersclubs.org as well as an individual Members email. 

Cheers,

Toastmaster Stephan Barrie
Member - Croydon Yarra Valley Toastmasters Club 26
District 73

Nothing can original from @toastmastersclub.org as there is no email server here. FTH only forwards those club address email aliases to a members personal address. Anyone in the world (including spammers) can send to a public address (the officer addresses, site admin, contact-##@, etc)

FTH provides tools for each club to manage this;

support.toastmastersclubs.org/doc/item/reducing-spam

However, members-26@toastmastersclubs.org is a private address. Only club members can sent to it from their personal address that is listed in the club site.

If the spam came through this address then it originated from a member's email. The member can check their sent folder to see if they accidentally sent it. Otherwise, they may have a larger security issue with their system or email service.

In our case, it's email spoofing then sending to the list.
I understand password changes would be the most effective in this instance, do you agree?

SB.

All good, after header analysis , I now sort of see the point of origin , so who sent it actually.

I can try to block on this end.

Thanks for your help.

SB.

Id you post the full headers we can block the server farm IP from FTH

Sure, here's the message with full headers as follows -

Original Message
Message ID <202512042336.5B4NZwH2005826@toastmastersclubs.org>
Created at: Fri, Dec 5, 2025 at 10:35 AM (Delivered after 53 seconds)
From: Marlene via Toastmasters Club 26 <server@toastmastersclubs.org> Using Microsoft Outlook 16.0
To: "members-26@toastmastersclubs.org"
Subject: CroydonTM If you buy ham at Christmas!
SPF: PASS with IP 50.19.253.65 Learn more
DKIM: 'PASS' with domain toastmastersclubs.org Learn more
DMARC: 'PASS' Learn more


Delivered-To: stephan.barrie@gmail.com
Received: by 2002:a05:7300:cc0e:b0:2a4:5c6e:ec64 with SMTP id na14csp975256dyb;
Thu, 4 Dec 2025 15:36:46 -0800 (PST)
X-Google-Smtp-Source: AGHT+IHzEF218T5B6heqYLF1QzXzHDkALChLl7hnJ3vDPBt9cNOx7qqr1Mqj8nFxpnKzj+6Kvdup
X-Received: by 2002:a05:620a:1909:b0:89f:1204:504a with SMTP id af79cd13be357-8b5e6c851c8mr1120791285a.57.1764891406130;
Thu, 04 Dec 2025 15:36:46 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1764891406; cv=none;
d=google.com; s=arc-20240605;
b=f+WMdzEnRWoiLSriLwgUW86aKS0U2cszFDJYKYoAL1yTgNIOd7n6ZOl4biop6Jrys8
M9qKzJMOmCAcJv8pD13QQsyIGWwwXGzSrU50BhIWC/Zsh2l8WDjZpc01hoyAVUPflIaQ
muw2rxEA/y4QveTB7e8koO15DISduGRmMgx49ABkOpAxmBH9LdF8PuOwPWtCGRQoukxJ
9vznQXEAUpXBXbFWtcpP/MKdl+a7tg7f6yYOk5yOwhLL1ktCa48/BC6lQL5X9oF1sHZq
iLHpFNZ+4SMkWt6zSonq3RsriQLIrUeIpwasrGiiOwRZslY5pKtIJMPTD+STiuHnsj43
R6Zw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
h=dkim-signature:to:content-transfer-encoding:reply-to:errors-to
:sender:from:content-language:thread-index:mime-version:date:subject
:in-reply-to:references:message-id;
bh=BLTRHIb/B+kybIHk01LBBcb2NTpkbvdMECB0Rguqq/4=;
fh=4ZhQ9+Fbua8xm3OkozI9QOdUTZ0TNgcsg0yV2psGZtQ=;
b=EE8nta5uXcyPvTA0c1KhXLc1mUOqqv4nlmsxduqmxWXnz0ffRMQuLz+vk+d8+WCpC9
8Uq3xkvQiYOTW2q/UAHgXrIYQyZry9LvVQve/xva2jR0Rkn2L590/kVVuhuSNCrXFUxD
q6T62zLGidO0GQPzGDUbLZ4XoyzGIBPlVpds+Z65IF5LvHMC4pTj6yj7BLuF71I8ErJ3
UOBo0yDOVTVeVTlUTJdSJIoYTkv2ShjRJII+/X7e4hnh/Dr85TB2p2qmyt7aIjqOqXnM
zGhNhJoYCty7sHYd3kGRKIbMvuRtkDanjKq//EWyPh27Lo1TBZirVH2C5uzt01O4ELO/
XXjw==;
dara=google.com
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@toastmastersclubs.org header.s=default header.b=I8ZXNoyO;
spf=pass (google.com: domain of server@toastmastersclubs.org designates 50.19.253.65 as permitted sender) smtp.mailfrom=server@toastmastersclubs.org;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=toastmastersclubs.org
Return-Path: <server@toastmastersclubs.org>
Received: from toastmastersclubs.org (toastmastersclubs.org. [50.19.253.65])
by mx.google.com with ESMTPS id af79cd13be357-8b627a8829esi91631785a.887.2025.12.04.15.36.46
for <stephan.barrie@gmail.com>
(version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
Thu, 04 Dec 2025 15:36:46 -0800 (PST)
Received-SPF: pass (google.com: domain of server@toastmastersclubs.org designates 50.19.253.65 as permitted sender) client-ip=50.19.253.65;
Authentication-Results: mx.google.com;
dkim=pass header.i=@toastmastersclubs.org header.s=default header.b=I8ZXNoyO;
spf=pass (google.com: domain of server@toastmastersclubs.org designates 50.19.253.65 as permitted sender) smtp.mailfrom=server@toastmastersclubs.org;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=toastmastersclubs.org
Received: from localhost.localdomain (toastmastersclubs.org [127.0.0.1]) by toastmastersclubs.org (8.14.4/8.14.4) with ESMTP id 5B4NZwH2005826 for <stephan.barrie@gmail.com>; Thu, 4 Dec 2025 23:36:45 GMT
Message-Id: <202512042336.5B4NZwH2005826@toastmastersclubs.org>
Received: from clamta04.bpe.bigpond.com (clamta04.bpe.bigpond.com [203.42.22.20]) by toastmastersclubs.org (8.14.4/8.14.4) with ESMTP id 5B4NZswB005776 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 4 Dec 2025 23:35:56 GMT
Received: from claprdcmr11
by claprdomr04 with esmtp
(envelope-from <marlenes.smallfish@bigpond.com>)
id 1vRIrZ-0001q8-2w
for ; Fri, 05 Dec 2025 10:35:53 +1100
Received: from [1.145.163.27] (helo=MARLENEPC21)
by claprdcmr11 with esmtpa (envelope-from <marlenes.smallfish@bigpond.com>) id 1vRIrZ-0003lQ-2K; Fri, 05 Dec 2025 10:35:53 +1100
References: <CABSXbWN+8868GsqohJAHBsUvivhfr2kSTM5A7w43Q_Fn3SPiPA@mail.gmail.com>
In-Reply-To: <CABSXbWN+8868GsqohJAHBsUvivhfr2kSTM5A7w43Q_Fn3SPiPA@mail.gmail.com>
Subject: CroydonTM If you buy ham at Christmas!
Date: Fri, 5 Dec 2025 10:35:53 +1100
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0010_01DC65D2.EF4AB360"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: Adxldqt8k6J4ZLSUQO+odOlruE73GA==
Content-Language: en-au
X-Antivirus: AVG (VPS 251204-8, 5/12/2025), Outbound message
X-Antivirus-Status: Clean
X-tce-id: marlenes.smallfish@bigpond.com
X-tce-ares-id: e{843e872e-fd19-4578-acca-7619f137cce0}1
X-tce-spam-action-v: no action
X-tce-spam-score-v: 0.0
X-tce-spam-report-v: Content-length: 1033
X-VR-SPAM-STATE: 0
X-VR-SPAM-SCORE: 0
X-VR-SPAM-CAUSE: gggruggvucftvghtrhhoucdtuddrgeefgedrtddtgdeikeelucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuvffgnffuvfftteenuceurghilhhouhhtmecupfdsteenucenucfjughrpefhvfhfjgfufffkgggtofhtsegrtdhgpedvtdejnecuhfhrohhmpedfofgrrhhlvghnvgcuufhinhgtlhgrihhrfdcuoehmrghrlhgvnhgvshdrshhmrghllhhfihhshhessghighhpohhnugdrtghomheqnecuggftrfgrthhtvghrnhepudeiudetffejteelgffhueejheetffeiledtgeetfffhvdffvdfgueethffhhedvnecuffhomhgrihhnpegrvhhgrdgtohhmnecukfhppedurddugeehrdduieefrddvjeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehmrghrlhgvnhgvshdrshhmrghllhhfihhshhessghighhpohhnugdrtghomhdpnhgspghrtghpthhtohepgedprhgtphhtthhopehmvghmsggvrhhsqdejudeiheeikeesthhorghsthhmrghsthgvrhhstghluhgsshdrohhrghdprhgtphhtthhopehmvghmsggvrhhsqddvieesthhorghsthhmrghsthgvrhhstghluhgsshdrohhrghdprhgtphhtthhopehmvghmsggvrhhsqdeftdduudeliedvsehtohgrshhtmhgrshhtvghrshgtlhhusghsrdhorhhgpdhrtghpthhtohepmhgvmhgsvghrshdqfeeljeelsehtohgrshhtmhgrshhtvghrshgtlhhusghsrdhorhhgpdhmohguvgepshhmthhpohhu! th
X-tce-spam-action-c: no action
X-tce-spam-score-c: 0.0
X-tce-spam-report-c: Action: no action
X-Cm-Analysis: v=2.4 cv=DIpE4DNb c=1 sm=1 tr=0 ts=69321ad9 a=/+BY8GOZUd8395/bDjx1Eg==:117 a=/+BY8GOZUd8395/bDjx1Eg==:17 a=wP3pNCr1ah4A:10 a=DAwyPP_o2Byb1YXLmDAA:9 a=oCcaPWc0AAAA:8 a=g3OatRpwgZ0gK12IJlAA:9 a=QEXdDO2ut3YA:10 a=4d2D4LtiAAAA:8 a=yMhMjlubAAAA:8 a=SSmOFEACAAAA:8 a=-_RiKv5TAVvYWHgkMA0A:9 a=gh3lvic8r1wve77I:21 a=gKO2Hq4RSVkA:10 a=UiCQ7L4-1S4A:10 a=hTZeC7Yk6K0A:10 a=frz4AuCg-hUA:10 a=lqcHg5cX4UMA:10
X-Cm-Envelope: MS4xfAiRFDdRMbHeSpZ8C2x/ypV3ymR6wCk7U5ZzPFF7KJAIefB0E6VHW1WJmXpZf2hcOafUVP16a/qjv/VJuCJ4gXYwF2GYrql2D5+yH/H6kEw/+XQOiYuZ I10P2fPT7sxLIBRQCMnlXLQlounmbtrAYmA/Dwtca6P11xWyncH9FfrTIR9gdOdBs3/aTtobBHa6BIVpHZU0ui6nslegObVvAf8=
X-Spam-Status: No, score=0.0 required=5.0 tests=FREEMAIL_FROM,HTML_MESSAGE, RCVD_IN_DNSWL_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED, RCVD_IN_VALIDITY_SAFE_BLOCKED,RCVD_IN_ZEN_BLOCKED_OPENDNS, SPF_HELO_PASS,SPF_PASS,T_REMOTE_IMAGE,URIBL_DBL_BLOCKED_OPENDNS, URIBL_ZEN_BLOCKED_OPENDNS autolearn=unavailable autolearn_force=no version=3.4.3
X-Spam-Checker-Version: SpamAssassin 3.4.3 (2019-12-06) on toastmastersclubs.org
From: Marlene via Toastmasters Club 26 <server@toastmastersclubs.org>
X-Loop: server@toastmastersclubs.org
Sender: marlenes.smallfish@bigpond.com
Errors-To: marlenes.smallfish@bigpond.com
Reply-To: marlenes.smallfish@bigpond.com
Content-Transfer-Encoding: 7bit
To: "members-26@toastmastersclubs.org"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=toastmastersclubs.org;
h=content-transfer-encoding:content-type:date:from:in-reply-to :mime-version:references:reply-to:sender:subject:to; s=default;
bh=eY3HKpB54UxyKXePm7h0m1GifAo03qoTY3fk8ppuGqM=; b=I8ZXNoyOOS8k v1npmmaYhLXFTr0MbXRiHhO75czF07cG6UG9o7axpHoiet+BeS37z/mHWQKXLcz6 Pw2h+1LbC+DAuoW7RrHtQr3/rB0aoCRtaQ2KvLJv3ewdaKcqqLL3166nn4CVD1wV CP8rinctAIQyJOuDhF8Uc9z8wLCJ2m8=

---

=_NextPart_000_0010_01DC65D2.EF4AB360
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hi Guys,

=20

Buying a ham?

=20

The Age had taste tested 12 hams, and a Woolworths ham came in 3rd.

Well, even better news!

Choice has reviewed Christmas hams and has placed Coles Christmas hams at t=
he top of the list

=20

=20

Coles Christmas Beechwood smoked half leg ham! Da best!

=20

=20

Cheers

Marlene=20



--=20
This email has been checked for viruses by AVG antivirus software.
www.avg.com

---

=_NextPart_000_0010_01DC65D2.EF4AB360
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-micr=
osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D" schemas.microsoft.com/office/2004/12/omml " xmlns=3D"http:=
//www.w3.org/TR/REC-html40"> =3D"text/html; charset=3Dutf-8"><meta name=3DGenerator content=3D"Microsoft=
Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
=09{font-family:"Cambria Math";
=09panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
=09{font-family:Calibri;
=09panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
=09{font-family:Aptos;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
=09{margin:0cm;
=09font-size:12.0pt;
=09font-family:"Aptos",sans-serif;}
span.EmailStyle19
=09{mso-style-type:personal-reply;
=09font-family:"Calibri",sans-serif;
=09color:windowtext;}
.MsoChpDefault
=09{mso-style-type:export-only;
=09font-size:11.0pt;
=09mso-fareast-language:EN-US;}
@page WordSection1
=09{size:612.0pt 792.0pt;
=09margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
=09{page:WordSection1;}
--></style></head><body lang=3DEN-AU link=3Dblue vlink=3Dpurple style=3D'wo=
rd-wrap:break-word'><div class=3DWordSection1><p class=3DMsoNormal>Hi Guys,=
</p><p class=3DMsoNormal><span style=3D'font-size:11.0pt;font-family:"Calib=
ri",sans-serif'><o:p> </o:p></span></p><p class=3DMsoNormal><span styl=
e=3D'font-size:11.0pt;font-family:"Calibri",sans-serif'> Buying a ham?<o:p>=
</o:p></span></p><p class=3DMsoNormal><span style=3D'font-size:11.0pt;font-=
family:"Calibri",sans-serif'><o:p> </o:p></span></p><div><div><p class=
=3DMsoNormal>The Age had taste tested 12 hams, and a Woolworths ham came in=
3rd.<o:p></o:p></p><div><p class=3DMsoNormal>Well, even better news!<o:p><=
/o:p></p></div><div><p class=3DMsoNormal>Choice has reviewed Christmas hams=
and has placed Coles Christmas hams at the top of the list<o:p></o:p></p><=
/div><div><p class=3DMsoNormal><o:p> </o:p></p><p class=3DMsoNormal><s=
pan style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> =
</o:p></span></p><p class=3DMsoNormal>Coles Christmas Beechwood smoked half=
leg ham!=C2=A0=C2=A0 Da best!<o:p></o:p></p></div><div><p class=3DMsoNorma=
l><o:p> </o:p></p><p class=3DMsoNormal><span style=3D'font-size:11.0pt=
;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=3DM=
soNormal><span style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif'>=
Cheers<o:p></o:p></span></p><p class=3DMsoNormal><span style=3D'font-size:=
11.0pt;font-family:"Calibri",sans-serif'> Marlene <o:p></o:p></span></p></d=
iv></div></div></div><div id=3D"DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2"><br /=
><table style=3D"border-top: 1px solid #D3D4DE;"><tr><td style=3D"width: 55=
px; padding-top: 13px;"><a href=3D" www.avg.com/email-signature?utm_m=
edium=3Demail&utm_source=3Dlink&utm_campaign=3Dsig-email&utm_content=3Demai=
lclient" target=3D"_blank"><img src=3D" s-install.avcdn.net/ipm/prev=
iew/icons/icon-envelope-tick-green-avg-v1.png" alt=3D"" width=3D"46" height=
=3D"29" style=3D"width: 46px; height: 29px;"/></a></td><td style=3D"width: =
470px; padding-top: 12px; color: #41424e; font-size: 13px; font-family: Ari=
al, Helvetica, sans-serif; line-height: 18px;">Virus-free.<a href=3D"http:/=
/www.avg.com/email-signature?utm_medium=3Demail&utm_source=3Dlink&utm_campa=
ign=3Dsig-email&utm_content=3Demailclient" target=3D"_blank" style=3D"color=
: #4453ea;"> www.avg.com -A1B8-4E2AA1F9FDF2" width=3D"1" height=3D"1"> </a></div></body></html>

---

=_NextPart_000_0010_01DC65D2.EF4AB360--