Jump to content

ravenstar68

Members
  • Content Count

    5
  • Joined

  • Last visited

Community Reputation

0 Neutral

About ravenstar68

  • Rank
    Newbie
  1. What bothers me is that if I read the information right, While Spamcop does log the info on it's system, it does not actually send anything off to the Amazon reporting address. Does anyone know why this is? Tim
  2. Boothy I would also make sure that you post the WHOLE email rather than just the headers you think are correct. Spamcop's system does parse the mail and among other things will look for the blank line between the headers and body (as I discussed over on the VM forums earlier). The easiest way is to go into webmail and then highlight the mail in question and select view source. Click in the window that pops up and then press CTRL-A (select all) CTRL+C (Copy to clipboard) This will allow spamcop to parse the email body for links. Here's a working example https://www.spamcop.net/sc?id=z6595387734zd88c2c465869cb155be7423f95f19d0fz Here's the point at which Virgin Media's server picked up the email from the sender: 2: Received: from turn-girlmaybe.org ([3.112.155.93]) by mx2.tb.ukmail.iss.as9143.net with ESMTP id ZY86iqwyCemITZY8einp1f; Tue, 26 Nov 2019 11:32:09 +0100 Hostname verified: ec2-3-112-155-93.ap-northeast-1.compute.amazonaws.com blueyonder.co.uk received mail from sending system 3.112.155.93 However it continue to parse the mail and finds more received headers (In this case these particular mails have a particular feature in that the initial send headers appear to have been lifted from a comcast server) 3: Received: from dovdir1-asb-05o.email.comcast.net ([96.114.154.181]) 6d7242eb83c1e7a47de48e21c6757765 by dovback1-asb-21o.email.comcast.net with LMTP id 0ICZM+sGO13mPQAADPwQFg for <x>; Fri, 26 Jul 2019 13:58:04 +0000 Hostname verified: resimta-po-34v.sys.comcast.net Possible forgery. Supposed receiving system not associated with any of your mailhosts Will not trust this Received line. This is a peculiar feature of the way spamcop's parsing system works. However we note that it has picked up the correct sending server previously . So I wouldn't panic that it says possible forgery here. Tim
  3. Hi Petzel Just to clarify what's going on here: 212.54.57.77 isn't a spamming server. Rather it's one of the inbound servers used by Virgin Media. AS9143 is Ziggo Internet who are another Liberty Global owned company. They run email servers in the Netherlands and when Google closed their Apps for ISP service, rather than going with one of the other big mail providers, Virgin Media effectively went in house and shifted their email provision over to Ziggo between July and December 2015. (shudders at the memory) Boothy hadn't trained Spamcop to recognise the inbound server chain by using the MailHosts tab and adding his ntlworld.com email address. He's not the only one by all means and as we can see by the thread he has corrected this.
  4. The problem is Virgin have multiple servers at each hop. So to get a full picture of the internal mail hosts, I dread to think how many mails you'd need to send
  5. Hi I came across your reporting tool yesterday, as I help out on the Virgin Media e-mail forum and one user wanted to block as9143, as your reporting tool identified it as a spammer. For the record as9143 is the Autonomous Service number of Ziggo internet, and Virgin Media actually host their email platform there as both companies are owned by Liberty Global. I've tried the reporting tool myself today with an unmodified mail source. There appears to be a problem. Looking at the header information only here: Return-Path: <julie_mendoza@android-mediacenter.com> Delivered-To: x Received: from md13.tb.ukmail.iss.local ([212.54.57.73]) by mc8.tb.ukmail.iss.local (Dovecot) with LMTP id FbnPMLTb5VcnGAAAVqD7fw for <x>; Sat, 24 Sep 2016 03:50:16 +0200 Received: from mx6.tb.ukmail.iss.as9143.net ([212.54.57.73]) by md13.tb.ukmail.iss.local (Dovecot) with LMTP id oPwyBoDWlFbNQQAAqJN26w ; Sat, 24 Sep 2016 03:50:16 +0200 Received: from android-mediacenter.com ([37.252.122.91]) by mx6.tb.ukmail.iss.as9143.net with bizsmtp id nDpu1t0041yRVcd01Dpv6m; Sat, 24 Sep 2016 03:49:56 +0200 X-spam-Action: folder spam X-SourceIP: 37.252.122.91 X-CNFS-Analysis: v=2.2 cv=TJoHcBta c=1 sm=1 tr=0 p=XV3dVy5JtiUA:10 a=XRFXrBVhVSsQnPq5ts7Q4Q==:117 a=XRFXrBVhVSsQnPq5ts7Q4Q==:17 a=2sMxTpsZAAAA:8 a=-5zWNhNOLqyU-mziGwwA:9 a=CjuIK1q_8ugA:10 a=9igu4sHJnlQA:10 a=A4GxgP0Wf4sA:10 a=qcKvcIRw2B-Flh6p21IA:9 a=_W_S_7VecoQA:10 a=tpYBpqdMaEUA:10 a=o6gHy28TGYCxXgbS0hxg:22 Date: Sat, 24 Sep 2016 01:49:52 +0000 To: x From: Julie Mendoza <julie_mendoza@android-mediacenter.com> Subject: We're Perfect Match Message-ID: <7ad1________________________45d9@android-mediacenter.com> X-Priority: 3 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="b1_7ad1978f4b2ef435299465152bba45d9" Content-Transfer-Encoding: 8bit Your system reports the possible spammer as being Received: from md13.tb.ukmail.iss.local ([212.54.57.73]) by mc8.tb.ukmail.iss.local (Dovecot) with LMTP id FbnPMLTb5VcnGAAAVqD7fw for <x>; Sat, 24 Sep 2016 03:50:16 +0200 host 212.54.57.73 = mx6.tb.ukmail.iss.as9143.net (cached) mx6.tb.ukmail.iss.as9143.net is 212.54.57.73 Possible spammer: 212.54.57.73 Received line accepted However as Received: lines should be read from the bottom up this is actually the last link in the delivery chain, which is one of Ziggo's internal servers delivering to the final server which stores the message in the users inbox. The actual spammers address is given in the bottom most Received line: Received: from android-mediacenter.com ([37.252.122.91]) by mx6.tb.ukmail.iss.as9143.net with bizsmtp id nDpu1t0041yRVcd01Dpv6m; Sat, 24 Sep 2016 03:49:56 +0200 Could you please take a look. Virgin Media's email system did correctly identify this message as spam BTW Thanks Ravenstar68 Edit I think I understand what's happening here. The reporting system relies on the fact that most email providers use private addresses e.g. 10.x.x.x in their internal systems. Because Ziggo uses public addresses on it's internal hops, this is confusing your reporting tool.
×