dutch

  1. As I stated in my previous post, there are 300+ mailhosts listed for Rackspace. On the evening of Jun 27 I processed ~7 emails that went through new mailhosts not in the recognized lists. I have a hypothesis that Rackspace is generating new mailhosts (i.e. servers to process incoming mail) dynamically in response to high volumes of incoming spam from graylisted or blacklisted hosting companies as part of their security infrastructure and spam filtering system. The reason I suspect this is that in most if not all of the cases where Spamcop detects an unregistered mailhost, Spamcop detects all of the websites as being hosted at namecheaphosting.com, and I manually looked up a few. The domains were registered within the past few days. The emails were coming from mailservers at those domains. The WHOIS records have fields like CITY and ADDRESS filled with garbage, and the person (or more likely a bot) that registered the domain names used an email address that cross references to hundreds of under 72 hour old domain names. Rackspace's spam filtering system put all of these in my junk folder. My guess is that Rackspace's spam infrastructure is dynamically spinning up new mailhosts (likely VMs) as a counter-measure to handling very large volumes of incoming mail from ISPs with a history of hosting spammers (or some other correlation method). This means that if Spamcop's mailhost registration workflow requires specific server names, it will never be effective for Rackspace, and I am pretty sure Rackspace isn't the only one doing this.
  2. There are already over 300 separate mailhosts listed for Rackspace on the my spamcop mailhosts tabs > Hosts/Domains, and I just tried to submit 7 spam emails, which failed to recognize 7 additional mailhosts. I sent emails for each of these to Don. Previously Don entered the primary domain names in the list, but spamcop fails to recognize the FQDNs for the 7 hosts within the primary domain names that are already on this list. Since the field name is labeled "Hosts/Domains" I am guessing there is supposed to be a way to enter a domain. If so, there is either a bug, or the documentation on how to do it is wrong or missing. If there isn't a way to enter a primary domain name, there should be.
  3. [at]turetzsr, I genuinely appreciate your input on this, but we have different interpretations on what the message means. We are most definitely not saying the same thing. My interpretation is it is the smtp4.gate.iad3a.rsapps.net that spamcop doesn't trust. I think if it were as you say, then spamcop would say "Possible forgery. Supposed sending system..." instead of "...Supposed receiving system". Further, what spamcop is doing is generating a report for my mail hosting provider, Rackspace, which is just plain wrong. The message didn't originate at rackspace. This, to me, is further evidence that I am correctly interpreting the spamcop message. Yes, at your suggestion and in response to Don's offer, I did contact Don. He and I have exchanged several emails. He has added the primary domain names to the LONG list of rackspace mailhosts, which I think is supposed to work, but that hasn't helped. I don't see instructions on how to enter a primary domain name, and I don't think I have any way to do it, but I wonder if it needs something like a wildcard symbol in the name. If indeed each mailhost has to be separately identified, for a large growing mail service like Rackspace, which chooses to keep adding mailhost names, it is going to be a never-ending burden for me and spamcop. I have just made a post on this here (which seems to me the right place for this topic): SpamCop Discussion → Discussions & Observations → Mailhost Configuration of your Reporting Account
  4. I host two domains and have several email accounts at rackspace. One of the two domains is aliased to the other, but I don't think that is relevant to my issue. I have registered mailhosts using the procedure which generates a test email. I get errors like this one, indicating it doesn't recognize the Rackspace mail servers:

     3: Received: from [107.182.128.11] ([107.182.128.11:43375] helo=fly.flyingnewrewardpoints.link) by smtp34.gate.iad3a.rsapps.net (envelope-from <GetFlightRewards[at]fly.flyingnewrewardpoints.link>) (ecelerity 2.2.3.49 r(42060/42061)) with ESMTP id 7C/78-19582-A796D855; Fri, 26 Jun 2015 11:02:18 -0400
     Hostname verified: 11-128-182-107-static.reverse.queryfoundry.net
     Possible forgery. Supposed receiving system not associated with any of your mailhosts
     Will not trust this Received line.

     Over the past couple of weeks I have gotten errors on these mail servers:

     smtp25.gate.iad3a.rsapps.net
     smtp13.gate.iad3a.rsapps.net
     smtp4.gate.iad3a.rsapps.net
     smtp34.gate.iad3a.rsapps.net

     I have also seen a few in the domain mlsrvr.com. Using the pulldown list of mail servers from my mailhosts page, I can see a very large list of mailhosts. The domains rsapps.net and mlsrvr.com are also listed. I thought if a primary domain name is listed, spamcop is supposed to recognize any server in the domain, but it is not. Given Rackspace's very large number of mail servers, which appears to be growing, not being able to use the primary domain name makes spamcop pretty much unusable for most of the spam I get. I have sent this to a spamcop admin, who was the one who added the primary domain names, but that hasn't helped. Does anybody have other suggestions?
  5. [at]turetzsr, Steve T, I am not an expert either, but reading the English, the diagnostic message was "Supposed receiving system not associated with any of your mailhosts". The address you cited is the *sender*, not the receiver. The receiver is smtp4.gate.iad3a.rsapps.net. This is a mailhost at Rackspace, which is where I host my mail, however it does not appear in the long list of mailhosts that have been registered by Spamcop's administrators as belonging to Rackspace, although there are other mailhosts that are listed in the domain rsapps.net. If you think I am parsing this incorrectly, please explain. dutch
  6. Spamcop is analyzing mail headers and fails to recognize a legitimate mail host at Rackspace. The host is: smtp4.gate.iad3a.rsapps.net. I went through the mailhost list on my mailhosts tab and it doesn't appear. Here is a snip from the analysis:

     3: Received: from [134.58.240.129] ([134.58.240.129:54407] helo=cavuit01.kulnet.kuleuven.be) by smtp4.gate.iad3a.rsapps.net (envelope-from <x>) (ecelerity 2.2.3.49 r(42060/42061)) with ESMTP id 0F/73-03583-136B9755; Thu, 11 Jun 2015 12:24:17 -0400
     Hostname verified: rhcavuit01.kulnet.kuleuven.be
     Possible forgery. Supposed receiving system not associated with any of your mailhosts
     Will not trust this Received line.
  7. Farelf, Thanks for the response. Your pointer to robtex is appreciated. As I am sure both you and Lking (his attempt at a bluff notwithstanding) know, finding out where servers are really located is not easy. For example, forum.spamcop.net appears to be hosted at Liquid Web, Inc., based in Michigan, and CDNs such as Akamai are popular in part because they allow businesses to hide behind them from DDoS attacks, and other things. FWIW with respect to Accretive, my question was based on more than just the ten year old announcement that pre-dates the IronPort/Cisco acquisition. There is what appears to be a current FAQ entry at spamcop.net that makes reference to a router on Accretive's network.
  8. Lking, Thanks for the info. Answering your questions in reverse order: I am definitely asking a pointed question, but it wasn't intended to be a trick question. However, if Spamcop is indeed hosted at Accretive Networks, it seems a bit odd to me that apparently Spamcop does not have an open communications channel with their own ISP to resolve spam complaints. Second, although I appreciate that with the amount of porn hosted on the Internet, finding an ISP that doesn't host porn may not be so easy, I additionally find it odd that Spamcop would choose to host its service with a company that, based on an email to me from them, asserts that the domains I cited in my email to them and listed above are legitimate businesses that they are defending, when as an industry (and specifically, the domains I listed) are so highly correlated with spam. With respect to your first question, I was asking the question about whether they *are* hosted at Accretive Networks because in 2005 Spamcop announced that it had changed hosting providers to "Accretive Technology Group", which maps to the domain name accretive-networks.net. See: https://www.spamcop.net/spamnews.shtml

     Quoting from Spamcop's post:

     SpamCop hosted by Accretive
     SpamCop has been moved to a new colocation facility, Accretive Technology Group.
  9. I have been getting spam emails advertising porn sites (I infer they are porn sites based on the claims of the emails and the suggestive names of the sites). Spamcop's analysis says the links for the sites in the emails are hosted at accretive-networks.net. The emails are sent from various addresses. Spamcop does send reports to the email senders' ISPs, but doesn't send reports to the Accretive Networks abuse address. Spamcop says the ISP does not wish to receive reports, that the domain has been appealed previously. One today is for the domain 18asianz.com. Spamcop tracker: 6270915194

     Spamcop and Accretive Networks website both show reporting address of abuse <at> accretive-networks.net, however, when I submit directly, their mail server rejects my report because of content. A week ago, I found another reporting address, noc <at> accretive-networks.net, and sent an email which elicited a response. The response said their client (meaning the porn site) is a legitimate business, which is being subjected to a "joejob" attack and I should direct my complaints to the ISP of the email sender. Further they said they are continuing to investigate and work with Spamcop to resolve this series of what they say they believe is a "joejob" attack.

     Other emails contain websites for these domains, all, according to Spamcop's analysis, are hosted at Accretive Networks: 18andabused.com, 18pov.com, facialsz.com, milfz.com, bbwtime.com, 18lesbianz.com, boobiesz.com, inchlovers.com

     Questions:
     Why would the ISP refuse reports from Spamcop?
     Is Spamcop working with Accretive Networks to resolve this situation? If so, what is the disposition?
     Is it normal for an ISP's abuse address to block reports like the ones I sent directly?
     Is Spamcop still hosted at Accretive Networks?
  10. I got 7 spam messages from IP addresses 173.232.242.194, 173.232.242.195, 173.232.242.197, 173.232.242.199, 173.232.242.198, 173.232.242.200. Spamcop reports the cached WHOIS as bestwebhostinghub.com. This is owned by bluehost.com, a hosting company in Provo UT. I contacted them via chat and email, and got to their "terms of service" tech group, who asserts these IPs are not hosted by them. Here is a snip from one of the reports; all 7, except for the 6 different IPs, look the same.

      2: Received: from gate.forward.smtp.ord1c.emailsrvr.com (108.166.43.128) by CAS06-ORD1.mex06.mlsrvr.com (172.29.0.45) with Microsoft SMTP Server (TLS) id 15.0.847.32 via Frontend Transport; Fri, 5 Sep 2014 08:40:27 -0500
      Hostname verified: gate.forward.smtp.ord1c.emailsrvr.com
      emailsrvr.com received mail from emailsrvr.com ( 108.166.43.128 )
      3: Received: from [173.232.242.195] ([173.232.242.195:47770] helo=ns5.myblueskydns.com) by smtp17.gate.ord1c.rsapps.net (envelope-from <yourbloombergbusinessweek[at]myblueskydns.com>) (ecelerity 2.2.3.49 r(42060/42061)) with ESMTP id 63/B3-28107-34DB9045; Fri, 05 Sep 2014 09:40:19 -0400
      No unique hostname found for source: 173.232.242.195
      emailsrvr.com received mail from sending system 173.232.242.195
      Tracking message source: 173.232.242.195:
      Routing details for 173.232.242.195
      Using smaller IP block (/ 8 vs. / 16 )
      Removing 1 larger (> / 8 ) route(s) from cache
      [refresh/show] Cached whois for 173.232.242.195 : support[at]bestwebhostinghub.com
      Using abuse net on support[at]bestwebhostinghub.com
      No abuse net record for bestwebhostinghub.com
      Using default postmaster contacts postmaster[at]bestwebhostinghub.com
      http://www.spamcop.net/sc?id=z5962000805z7...101d6a22124a1fz
      2/2 Message is 24 hours old
      173.232.242.195 not listed in cbl.abuseat.org
      173.232.242.195 not listed in dnsbl.sorbs.net
      173.232.242.195 not listed in accredit.habeas.com
      173.232.242.195 not listed in plus.bondedsender.org
      173.232.242.195 not listed in iadb.isipp.com
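
The posts above turn on whether a receiving host such as smtp17.gate.ord1c.rsapps.net is recognised when only its parent domain is listed. The sketch below is an added example, not SpamCop's code and not part of any post; it contrasts host-by-host matching with whole-label domain matching over a Received chain. How SpamCop actually matches list entries is not shown on this page; the Received lines are shortened from the quoted parses, and the FQDN entry in `REGISTERED` is constructed.

```python
import re

# Received lines shortened from the SpamCop parses quoted in the posts above,
# listed top-down (most recent hop first).
CHAIN = [
    "from gate.forward.smtp.ord1c.emailsrvr.com (108.166.43.128) "
    "by CAS06-ORD1.mex06.mlsrvr.com (172.29.0.45) with Microsoft SMTP Server (TLS)",
    "from [173.232.242.195] (helo=ns5.myblueskydns.com) "
    "by smtp17.gate.ord1c.rsapps.net with ESMTP id 63/B3-28107-34DB9045",
]

# The two bare domains are the ones the posts say are listed; the full host
# name is a constructed entry standing in for one of the 300+ listed hosts.
REGISTERED = {"rsapps.net", "mlsrvr.com", "smtp1.gate.iad3a.rsapps.net"}

BY_HOST = re.compile(r"\sby\s+([A-Za-z0-9.-]+)")

def receiving_host(received):
    """Return the lower-cased host named in the 'by' clause, or None."""
    m = BY_HOST.search(received)
    return m.group(1).lower().rstrip(".") if m else None

def exact_match(host, registered):
    """Host-by-host matching: only a listed FQDN is accepted."""
    return host in registered

def suffix_match(host, registered):
    """Domain matching on whole labels: return the listed entry that is the
    host itself or a parent domain of it, else None."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in registered:
            return candidate
    return None

def trusted_hops(chain, registered, matcher):
    """Walk top-down and stop at the first receiver that is not recognised;
    everything below that point could have been written by the sender."""
    hops = []
    for line in chain:
        host = receiving_host(line)
        if host is None or not matcher(host, registered):
            break
        hops.append(host)
    return hops
```

Matching on whole labels keeps a look-alike such as smtp4.evilrsapps.net from being accepted as a child of rsapps.net, which a plain string `endswith` check would allow.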