Justin42

"Possible Forgery"?


I am having similar problems as posted before. I've registered all of my accounts with mailhost, and one of the accounts ([at]ucla.edu) is reporting EVERY spam as a forgery. It appears there are mail servers that Spamcop doesn't pick up to test, but which are used a lot in receiving other emails.

Here's the link to an example report: spamcop at ucla

EVERY spam I have received into that account since activating mailhosts has been showing as having forged headers, so something's definitely up.

I also have another email address that even when I try to add it to Mailhosts, and get the "Success!" email, never shows up in the list of addresses (when you click the "Mailhosts" link). Who can I send that info to?

Thanks for any help...


I have a number of Email servers registered with the mailhost system. Mostly they seem to have registered OK and mail arrives and is then reported where needed without trouble.

I have one address, ***[at]icmc.org. The domain is registered and in my list of mailhosts. Any spam arriving at this address, whether forwarded for reporting as an Email attachment or even pasted into the web form, is not reported. The system reports that:

Possible forgery. Supposed receiving system not associated with any of your mailhosts

Will not trust anything beyond this header

No source IP address found, cannot proceed.

This happens with all mail arriving at this address. A typical set of headers follows in case there is a bug to fix :-)

Andrew

Received: from spooler by mercury.eelholme.hopto.org (Mercury/32 v4.01a); 1 Apr 2004 12:58:18 +0100

X-Envelope-To: icmc

Received: from qmail1.zwallet.com [216.66.64.4] by mail.icmc.org

(SMTPD32-8.03) id A3B315803F8; Thu, 01 Apr 2004 06:57:39 -0500

Received: from web1.zwallet.com

by qmail1.zwallet.com with SMTP; 1 Apr 2004 12:14:42 -0000

From: yasmine d dasir <yasminedasir[at]zwallet.com>

X-Originating-IP: [216.250.204.76]

To: donbally[at]hotmail.com

Subject: TOP URGENT.

Date: Thu, 01 Apr 2004 06:59:57 -0500

Message-Id: <1080820797.961165.60738.zmail[at]web1.zwallet.com>

X-IMAIL-spam-DNSBL: (SpamCop,22545400,127.0.0.2)

X-RCPT-TO: <***[at]icmc.org>

Status: U

X-UIDL: 380046212

X-PMFLAGS: 35668096 0 1 YX57Z1QK.CNM

Edited by agsteele


I'm confused about how the AT&T/Comcast merger last year affects Mailhosts. Last year, when Comcast took over the AT&T mail accounts, it decided to forward any mail sent to an AT&T account for a specified period of time. (I think for a year, but possibly longer.) I still receive spam messages that were sent to my AT&T account, because Comcast automatically forwards them to my new Comcast account. However, I can no longer send mail from my AT&T account. The Comcast domain is comcast.net, and the AT&T one was attbi.com.

I tried to report spam sent to my old attbi.com account and forwarded to my comcast.net account. The top of the report said:

Received: from 25.65.250.204 by 63.240.76.6; Sat, 10 Apr 2004 22:54:53 -0400

Possible forgery. Supposed receiving system not associated with any of your mailhosts

Will not trust anything beyond this header

Trivial forgery

But the bottom of the report seemed OK--it identified someone from admcablemas.com.mx as the administrator of the network where the e-mail originated.

Should I be concerned about the "possible forgery" and "trivial forgery" notes at the top of the report? Do they mean that I can't report spam sent to my old AT&T account? I configured both comcast.net and attbi.com as mailhost hosts. However, for some reason, after I configured attbi.com, comcast.net no longer showed up when I view my mailhost page.

Cheryl


After successfully adding my mailhost, I've submitted several spam emails (as attachments, via email).

On most (but not all) of the reports, I am getting a message like the following, when I log in to the web site to Report them (masking IP addresses):

1: Received: from x.x.x.x ([x.x.x.x]) by mxsf20.cluster1.charter.net (8.12.11/8.12.11) with SMTP id i3HCWul8057868; Sat, 17 Apr 2004 08:33:01 -0400 (EDT)

Possible forgery. Supposed receiving system not associated with any of your mailhosts

Will not trust anything beyond this header

No source IP address found, cannot proceed.

Nothing to do.

I think that it is odd that this is only happening on some mails, but not others (this is happening on "most", perhaps 75-80% of them).

Any suggestions?

I'm quite new at this, so it's very possible that my ignorance is to blame. :blink:

That you chose not to read and follow Ellen's last Pinned item at http://forum.spamcop.net/forums/index.php?showtopic=1096 says that you are asking for anyone's help.  And in that case, only providing a single line and then munging that line doesn't allow for anyone else to even take a guess as to what may be going on ... sorry.

Ooookay. Do you always make it a point to be rude to new people? :angry: Nothing in your post was actually "helpful" to me.

How about specifically requesting the information that you need? As I openly said, I am new to this and I am not sure what I need to include and what I don't. :ph34r:

I DID read her pinned post. Just because someone has a question, please don't assume that they didn't LOOK for an answer first. Did it occur to you that I am posting because I DIDN'T understand her post? And her post did say to post any questions... which is what I did. <_<

I have seen several people "munging" their posts (I am assuming that that means masking or removing personal data). I'm not sure if that is "the usual" when posting, so I erred on the cautious side and removed mine as well.

As I said, if you need more info ASK for it instead of making a jab at someone new at this.

The only thing that I can tell that I "didn't" do was to include the tracking URL thing. Because I wanted to remove the personal data, I left that out as well, thinking that someone else may have a reason for this without having to provide my data.

If this is requested of me, I will post it. But until then, is there someone else who has anything helpful to suggest beyond "read the other posts"?

Thank you.


Don't worry about his rudeness; he says he is on pain medication. Occasionally he has a marginally useful insight, but rarely does he give a direct answer... such is life, you can't expect compassion and empathy from everyone... <_<

Edited by dra007


Dana

You may or may not be aware that SpamCop actually has four different "sections" (not sure if sections is actually the best term or not):

1) free account - spam reporting only

2) paid account - spam reporting only

3) paid e-mail account - spam filtering and reporting

4) advanced services for domain administrators

It is helpful to indicate which of those "sections" you are using as there are some differences between them.

If I am guessing correctly I would say that you are using the free reporting service.

If your goal is to reduce the amount of spam that you receive I would strongly suggest that you register for the e-mail account services ([at] $30.00/year it is a great bargain and you do not have to change your e-mail address, only make minor changes in how you access your mail).

But back to your original question

Forgeries have gotten so good lately (and so numerous) that reporting e-mail (spam) based on the headers alone has created a bad situation in that the innocent get reported as being spammers. To avoid this the mail host system has been set up to try to identify the actual source (path) of the spam while ignoring all possible forgeries. Unfortunately the result is that at times the source cannot be identified, with the result being the message you received:

Will not trust anything beyond this header

No source IP address found, cannot proceed.

Nothing to do.

I hope this helps a bit.

Forgeries have gotten so good lately (and so numerous) that reporting e-mail (spam) based on the headers alone has created a bad situation in that the innocent get reported as being spammers. To avoid this the mail host system has been set up to try to identify the actual source (path) of the spam while ignoring all possible forgeries. Unfortunately the result is that at times the source cannot be identified, with the result being the message you received.

Dbiel,

I'm not entirely sure which "section" I am using, but I think it is #2. :unsure: I have paid for "fuel" (about 15MB), which has slowly diminished over time as I have been submitting spam to be reported.

So do you think that what I am experiencing is on the "normal" side? I am going to remove my mailhost and re-try, in case something was messed up (I think I registered my mailhost before they moved to the "web form" that Ellen mentioned in her Sticky post).

The mail that I received after adding my mailhost was not very helpful ("Mailhost successfully added" or something similar), so perhaps my re-doing the registration will provide a better explanation, if they have made some changes.

And yes, thank you Dbiel, if I'm understanding your post right, that was helpful. :D


I would not remove your mail host.

The last thing that you want to do is to report yourself as a spammer which can easily happen due to forgeries if your mail hosts are not registered.

It would appear that your mail hosts are set up correctly, and the result you are getting is normal.


You will have to excuse Wazoo. He has a toothache. He also tends not to put 'pretty words' or emoticons in his posts - techie types tend to be blunt and to the point.

It sounds to me as though you have not registered all your email addresses that you report spam from (actually it is the servers that get registered, but if you are new, it is probably easier to explain it that way).

It sounds to me as though you are a paid reporting only reporter.

If you have registered (gone through the registration process) for all the email addresses you report spam from, then it is a problem that cannot be solved in the web forum.

Ellen:

However other than very general responses I will need you to write to deputies <at> spamcop.net with "mailhosts" in the subject line.

That quote comes from the second from the top pinned response. The pinned response also includes all the information that you will need if you email her. If you are not sure where to find the information she asks for, post here.

It is not a good idea to post personal information in the forum. Certain problems cannot be solved without it so have to be handled by the deputies.

Miss Betsy

You will have to excuse Wazoo.  He has a toothache. He also tends not to put 'pretty words' or emoticons in his posts - techie types tend to be blunt and to the point.

Thank you, Miss Betsy.

lol I'm a "techie type" myself, just not on this subject, but I also don't take kindly to posts like his and won't "excuse" him in the future (but I'm not one to openly attack, so don't worry).

I am a little confused, though. While I have several web-based email accounts, I only report email from my home address and my work address. Since adding my home mailhost, I have not reported any mail from my work (and since it's the weekend, I'm not AT work, and I refused to check work email from home - they don't pay me enough).

Since I am only receiving my home ISP's email in Outlook, I should only have to register that one host (until I get to work on Monday)... is that correct?

And IF that is correct and I am still getting those forgery messages, there's nothing I can do about that... right? :blink:


There is not much help that can be provided with what you started with. The tracking URL is needed in order to fully figure out what is going on. That URL should munge your personal email address, and unless your IP is your own and your username is similar to your ID here, it will be very difficult to cause you problems from divulging that information. If you are still uncomfortable, then the only resource is to email the deputies.

Is charter.net your ISP? If it is, then there is probably a problem that not all of the servers you use are listed in your mailhost configuration, and you should contact the deputies to report this. I have charter myself, but have never used it and only get an infrequent dictionary attack message on it, so I have not seen this error myself.

I use webmail to collect and report my spam, so almost all of my spam starts with parse 0 being an internal spamcop relay. Parse 1 is usually my forwarder servers sending to spamcop. Parse 3 is the source sending to my forwarder servers and the one that gets reported. The next line, if present, always starts the same as your error message.

Do you always make it a point to be rude to new people?

but rearly does he give a direct answer

Thank you both for the humor injected into the day. Appreciate the effort. The "no direct answer" definitely brought a bit of a chuckle, seeing as I read this just after offering up an e-mail address to look at "virus-laden spam" to/for that poster ...

I DID read her pinned post.

and my comment was "read and follow" ... a bit of a difference there

making a jab at someone new at this

???? you're entitled to your own opinion and perspective .... you go on to make note that you "looked" at other posts, noticed the munging of some data, but I don't see how that translates to me pointing out that the munging of 50% of any tech data in a single line vice a more complete set of headers (that you have now admitted to seeing) can be construed as a "jab"

Rather than going on and ticking you off even further ... what "focus" I can muster right now is trying to break up the approximately 300 post long Topic first opened up for this mail-host thing ... so that someone can figure out what's been handled, what's still open, and oh yeah, perhaps someone can find "their" situation already addressed in what was just too massive and intertwined for most folks to deal with. And actually, the situation you bring up is in fact in there from several others, some have answers, some are still floating in the wind ... so actually, here in a bit (or probably later than that) the Topic you started may actually be "merged" into one someone started within the last month or so ... as it covers some same ground.


Glad I could help put some humour in your day. :rolleyes: I don't care to go back and forth with you, Wazoo, unless you can help me with my predicament, so I'll ignore the parts of your post that would tick me off. Life's too short to go tit-for-tat if it really doesn't matter.

In reading your last two paragraphs I realize that I am more confused than I thought, since I understood maybe half of it. But then again, it is Saturday and I have no brain on the weekends.

Is there a post or spot where I can look up what all of the jargon means?

If I notice that the Mailhost isn't recognizing legitimate IP addresses for Charter (and yes, that is my ISP) I'll report it to the deputies.


What Wazoo is dealing with is trying to separate the original thread into 'logical' groupings of questions and answers - and apparently, there might be an answer to your question in that tangled skein.

I am a little confused, though. While I have several web-based email accounts, I only report email from my home address and my work address. Since adding my home mailhost, I have not reported any mail from my work (and since it's the weekend, I'm not AT work, and I refused to check work email from home - they don't pay me enough).

If you have several web-based email accounts, then you need to register them all - no matter where you access them from - if I understand your confusion correctly.

IOW, I have 3 hotmail accounts, a home account, and two work accounts. I can access all 3 of the hotmail accounts from home and 2 of the hotmail accounts from work. When I registered, I registered my hotmail account that gets spam and the account from work that gets spam and my home account (which doesn't get spam but sometimes I like to look up viruses). Then I added the second work account which started getting spam. (that's another story - I told them how to put email addresses on a web site, but they didn't listen).

I am not sure whether I have to add my other two hotmail accounts or not, but since they don't get spam, I can't really test it. The reason I wouldn't have to register the email addresses is because I have already registered the hotmail servers, IIUC.

It didn't seem to matter that I registered them from home and work (although the confirmation email address went to home address which I can't see from work; the hotmail registration went to hotmail - at any rate Ellen's second post was that there won't be a need for confirmation emails any longer so it is a moot point).

HTH

Miss Betsy


not sure of what you consider jargon ... so looking at the words I used;

mung = mung until no good ... ancient recursive phrase to make something unrecognizable

header = email consists of two major "sections" .. that which you normally see in your e-mail reader and the part normally "hidden" that shows all the traffic, format, other specific data that shows how the e-mail made its travels, how your e-mail app should "handle" displaying the "body part" etc ... it's this section that also causes the most heartbreak ... between the "how to get it", "how to show it", "how screwed up is it", and as in your concern .. "how much data should I 'mung' so that no personal stuff is revealed" as balanced against "munging so much that it's not usable" ...

Topic - in the case, this web-based board has been divided up into a (too small) set of "Forums" .... under each Forum, one can "start a new" or "add to an existing" Topic ... a specific point of issue ... to which others can add to .. In this case, you started a Topic, and this continuing dialog is "under" the item you started. The "work" I was referencing is the single Topic originally started by Julian under the Help Forum ... and he asked that "all" dialog take place "there" .... which meant that everybody's issues were lumped into that one long chain, and any responses were also mixed in ... I'm trying to extract each "conversation" and put it under this New Forum as a separate Topic ... again, so somebody can figure out if each issue is resolved, open, or even been touched by anyone with a response at all ...

don't see any other words that stand out as other than conversational English .. sorry if I missed any

That said, you've had plenty of suggestions that would seem to require you to go take a look at, see if things have been taken care of yet ... if not, then we're back to - if it's a "general" problem, usually "we" can help ... but if it's a "specific" issue with your ISP, your set-up, your configuration, then at present it's the note to Deputies with sufficient detail that they can readily see what's up.

If I notice that the Mailhost isn't recognizing legitimate IP addresses for Charter

Keep in mind that the only IP addresses that will be listed are the relay IP addresses used by the mail servers, not yours or anybody's individual IP addresses, or for that matter not even the IP address of the mail server itself, as it is only listed by name.

As a result, even additional domains will not be listed if they use the same mail servers as hosts

I also use Charter as one of my providers; the following is the host listing from my account. You will note that Charter indicates only 2 relay IP addresses. Earthlink (which is listed as Mindspring) uses a lot of relay IP addresses.

Also keep in mind that if you have several e-mail address (using the same or different domain names) that use the same mailhost name, only the last e-mail name processed will be retained in the mailhost list

Example

Address one: tom[at]earthlink.net

Address two: tom[at]toms-personal-domain.com (domain hosted by earthlink and uses earthlink's mail servers)

If you register tom[at]earthlink.net first, the e-mail address tom[at]earthlink.net will appear in the mailhost listing. As soon as you register tom[at]toms-personal-domain.com the e-mail address tom[at]earthlink.net will be replaced with tom[at]toms-personal-domain.com

Mailhost name: SpamCop

Email address: xxxxxxxx[at]spamcop.net

Hosts/Domains: mx2.cesmail.net blade3.cesmail.net blade4.cesmail.net blade6.cesmail.net blade1.cesmail.net cesmail.net mailgate.cesmail.net spamcop.net c60.cesmail.net main.ermann.org bulkmx2.spamcop.net mx.cesmail.net

Relaying IPs: 216.154.195.50 206.14.107.118 216.154.195.44 216.154.195.36 216.154.195.49

Mailhost name: Mindspring

Email address: xxxxxxx[at]uffdaxxxx.com

Hosts/Domains: peoplepc.com severus.mspring.net bunting.earthlink.net mx8.earthlink.net netcom.com penguin.earthlink.net sten.org new.mail.atl.earthlink.net summerfield.mail.atl.earthlink.net killdeer.earthlink.net pas.earthlink.net onemain-mx.earthlink.net mx00.pipeline.com cockatoo.earthlink.net mail.mindspring.net mx00.peoplepc.com mx9.earthlink.net mx1.earthlink.net fowl.mail.pas.earthlink.net hazard.mail.atl.earthlink.net mxb.earthlink.net earthlink.net pop16.earthlink.net merlin.earthlink.net dove.earthlink.net degraw.mail.atl.earthlink.net montgomery.mail.atl.earthlink.net albert.mail.atl.earthlink.net watson.mail.atl.earthlink.net mspring.net kingbird.earthlink.net mamo.earthlink.net pipeline.com samuel.mail.atl.earthlink.net gideon.mail.atl.earthlink.net mxd.earthlink.net kite.earthlink.net ix.netcom.com mail.pas.earthlink.net mx01.peoplepc.com robin.earthlink.net condor.earthlink.net mx04.netcom.com mx06.netcom.com toucan.earthlink.net mail.atl.earthlink.net obrien.mail.atl.earthlink.net atl.earthlink.net mindspring.com waxbill.mail.pas.earthlink.net mindspring.net mx6.earthlink.net mx5.earthlink.net mxc.earthlink.net mx12.netcom.com vespasian.mspring.net timothy.mail.atl.earthlink.net carus.mspring.net crow.earthlink.net vulture.earthlink.net mxe.earthlink.net mx4.earthlink.net mail03.peoplepc.com numerianus.mspring.net hubert.mail.atl.earthlink.net mx12.mindspring.com cave.mail.atl.earthlink.net tanager.earthlink.net sparrow.earthlink.net mx7.earthlink.net mxa.earthlink.net mx3.earthlink.net eagle.earthlink.net james.mail.atl.earthlink.net urbanus.mspring.net blackbird.mail.pas.earthlink.net mx2.earthlink.net tern.earthlink.net wanamaker.mail.atl.earthlink.net skylark.earthlink.net aaron.mail.atl.earthlink.net mx00.mindspring.com kestrel.earthlink.net

Relaying IPs: 207.69.231.92 207.217.121.50 207.69.200.161 207.217.125.18 207.69.200.152 207.69.200.186 207.69.200.133 198.185.2.71 207.217.125.17 207.217.120.66 207.217.125.21 207.217.120.41 198.185.2.84 207.69.200.159 207.217.125.24 207.217.125.26 207.69.200.154 207.69.200.198 207.217.125.22 207.69.200.65 207.217.125.16 207.217.121.224 207.217.120.102 207.69.231.78 207.217.125.28 207.217.125.20 207.69.200.66 207.69.200.17 198.185.2.85 198.185.2.70 198.185.2.67 207.69.200.106 207.69.200.93 207.69.200.31 207.69.231.74 207.217.120.51 207.217.125.25 207.69.200.80 207.217.125.19 207.69.200.45 207.217.125.27 207.217.120.57 207.217.120.183 207.217.125.29 207.69.231.93 207.69.200.165 207.217.125.23 207.217.121.215

Mailhost name: Charter

Email address: xxxxxx[at]charter.net

Hosts/Domains: mxsf09.cluster1.charter.net mxsf25.cluster1.charter.net mtai03.charter.net mtao03.charter.net mxsf28.cluster1.charter.net mxsf21.cluster1.charter.net mxsf16.cluster1.charter.net mxsf02.cluster1.charter.net mtai01.charter.net mxsf20.cluster1.charter.net mtao02.charter.net cluster1.charter.net mtai05.charter.net mxsf22.cluster1.charter.net

Relaying IPs: 209.225.8.224 209.225.8.77


Thanks for that post dbiel ... you just answered a post I'd put into an "no answers yet" Topic ... I can clear that one up with a reference to this post of yours ..

hmmmm, maybe not .... "what a mail-host listing looked like" was only one of the questions that poster asked ... dang it ...

Edited by Wazoo

Glad I could help put some humour in your day.  :rolleyes: I don't care to go back and forth with you, Wazoo, unless you can help me with my predicament, so I'll ignore the parts of your post that would tick me off. Life's too short to go tit-for-tat if it really doesn't matter.

In reading your last two paragraphs I realize that I am more confused than I thought, since I understood maybe half of it. But then again, it is Saturday and I have no brain on the weekends.

Is there a post or spot where I can look up what all of the jargon means?

If I notice that the Mailhost isn't recognizing legitimate IP addresses for Charter (and yes, that is my ISP) I'll report it to the deputies.

Ok I am not quite sure where we are in this discussion ... if you are seeing parses that look odd or where the comment lines make no sense send an email to deputies <at> spamcop.net with your registered SC email address, the tracking url(s) of the problem parses, any comments -- please include mailhosts somewhere in the subject line. Thanks


Look at http://www.spamcop.net/sc?id=z4264...ac21z.

  • At the first line, it's Internal Handoff at Spamcop, yes, good.
  • Second line, it's my provider's received line, registered on my mailhost list, yes, good.
  • Third line, it's a forgery line added by the spammer, it should not be trusted by spamcop, yes, the analyzed line shows "forgery detected", good, but...

BUT, why "Tracking message source: 115.254.244.248"? It's wrong. It's coming from the last line, which was detected as a forgery.

This trouble began about 24hrs ago, maybe. but not solved today, so I'm reporting here. I had to cancel almost all spam reports because spamcop would send report to wrong target... :(


I see the following which looks correct to me. Looking at the last lines I pasted below, perhaps a deputy has already dealt with this error:

0: Internal handoff at SpamCop

1: SpamCop received mail from rimnet ( 202.247.191.99 ) <your ISP I assume>

2: rimnet received mail from 200.141.75.106

3: Possible forgery. Supposed receiving system not associated with any of your mailhosts

Will not trust anything beyond this header

Tracking message source: 200.141.75.106: <current answer I see>

Reports regarding this spam have already been sent:

Re: 115.254.244.248 (Administrator of network where email originates)

Reportid: 916283207 To: bad_tracking[at]admin.spamcop.net

Look at http://www.spamcop.net/sc?id=z4264...ac21z.
  • At the first line, it's Internal Handoff at Spamcop, yes, good.
  • Second line, it's my provider's received line, registered on my mailhost list, yes, good.
  • Third line, it's a forgery line added by the spammer, it should not be trusted by spamcop, yes, the analyzed line shows "forgery detected", good, but...

BUT, why "Tracking message source: 115.254.244.248"? It's wrong. It's coming from the last line, which was detected as a forgery.

This trouble began about 24hrs ago, maybe, but not solved today, so I'm reporting here. I had to cancel almost all spam reports because spamcop would send the report to the wrong target... :(

We found and fixed a bug this morning where the parser was extending trust too far down the header chain.

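The mechanism discussed throughout this thread can be shown with one small header walker: Dbiel's explanation that the mailhost system follows the Received chain only through your registered servers and gives up with "No source IP address found" when that chain breaks, the "Hosts/Domains" and "Relaying IPs" listing he posted, Wazoo's parse 0/1/2 walk-through, and Ellen's note about trust being extended too far down the header chain. The following is an added example written for this page; it is not SpamCop's parser, and the thread does not describe SpamCop's actual matching rules. The MAILHOSTS registry is constructed (the Charter names and relay IPs are taken from the listing above, the SpamCop entry is trimmed, and the ICMC entry is an assumption that deliberately leaves out the local Mercury/32 spooler host from Andrew's headers); the two sample header sets are constructed, with documentation addresses (198.51.100.23, 203.0.113.9) standing in for the outside senders; and matching a "by" host by parent domain is this example's choice, not a documented rule.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed registry shaped like the "Hosts/Domains" / "Relaying IPs" listing in this thread.
# Charter entries come from that listing; SpamCop is trimmed; ICMC is an assumption that
# deliberately omits the local Mercury/32 spooler host seen in the posted headers.
MAILHOSTS = {
    "SpamCop": {"hosts": {"mx.cesmail.net", "cesmail.net", "spamcop.net"},
                "relays": {"216.154.195.50", "216.154.195.44"}},
    "Charter": {"hosts": {"mxsf20.cluster1.charter.net", "cluster1.charter.net", "charter.net"},
                "relays": {"209.225.8.224", "209.225.8.77"}},
    "ICMC": {"hosts": {"mail.icmc.org", "icmc.org"}, "relays": set()},
}
RECEIVED_RE = re.compile(r"^Received:\s*from\s+(?P<from>\S+)(?P<rest>.*?)\s+by\s+(?P<by>[^\s;(]+)", re.I)
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


@dataclass
class Hop:
    from_host: str          # name (or literal IP) the sender announced
    from_ip: Optional[str]  # IP the receiving server recorded for that sender, if any
    by_host: str            # system that claims to have received the message


def unfold(headers: str) -> list[str]:
    """Join continuation lines (leading whitespace) onto the header line they belong to."""
    lines: list[str] = []
    for raw in (ln for ln in headers.splitlines() if ln.strip()):
        if raw[0] in " \t" and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.rstrip())
    return lines


def parse_received(headers: str) -> list[Hop]:
    """Received: chain, most recent hop first, the order SpamCop numbers its parse lines in."""
    hops = []
    for m in filter(None, map(RECEIVED_RE.match, unfold(headers))):
        ip = IP_RE.search(m.group("from") + m.group("rest"))
        hops.append(Hop(m.group("from").lower(), ip.group(1) if ip else None, m.group("by").lower()))
    return hops


def is_registered(name: str) -> bool:
    """True for a registered host, a relay IP, or a host under a registered parent domain
    (parent-domain matching is this example's assumption, not a documented SpamCop rule)."""
    name = name.lower().strip("[]")
    parts = name.split(".")
    for rec in MAILHOSTS.values():
        if name in rec["hosts"] or name in rec["relays"]:
            return True
        if any(".".join(parts[i:]) in rec["hosts"] for i in range(1, len(parts) - 1)):
            return True
    return False


def trace_source(headers: str, stop_at_source: bool = True) -> tuple[Optional[str], list[str]]:
    """Walk hops top-down, trusting a line only while its receiving ("by") system is one of your
    mailhosts. The first trusted line whose sender is NOT your own system is the hand-off from the
    outside world; its recorded IP is the source. stop_at_source=False keeps trusting lower lines
    that merely claim a registered "by" name, i.e. trust extended too far down the chain."""
    notes, source, trusted = [], None, True
    for i, hop in enumerate(parse_received(headers)):
        if not trusted:
            notes.append(f"{i}: below the identified source, not trusted (claims receipt by {hop.by_host})")
        elif not is_registered(hop.by_host):
            notes.append(f"{i}: Possible forgery. Supposed receiving system ({hop.by_host}) "
                         "not associated with any of your mailhosts")
        else:
            notes.append(f"{i}: {hop.by_host} received mail from {hop.from_ip or hop.from_host}")
            if is_registered(hop.from_host) or (hop.from_ip and is_registered(hop.from_ip)):
                continue  # relay between your own servers, keep walking down
            if hop.from_ip is not None:
                source = hop.from_ip
                trusted = not stop_at_source
                continue
        notes.append("Will not trust anything beyond this header")
        break
    notes.append(f"Tracking message source: {source}" if source
                 else "No source IP address found, cannot proceed.")
    return source, notes


# Constructed sample modelled on Andrew's posted headers: the top line was stamped by a local
# spooler that is not in the registry, so the walker cannot trust anything below it.
LOCAL_SPOOLER_HEADERS = """\
Received: from spooler by mercury.eelholme.hopto.org (Mercury/32 v4.01a); 1 Apr 2004 12:58:18 +0100
Received: from qmail1.zwallet.com [216.66.64.4] by mail.icmc.org
  (SMTPD32-8.03) id A3B315803F8; Thu, 01 Apr 2004 06:57:39 -0500
"""

# Constructed sample for a Charter account forwarded into SpamCop. Hop 1 is the real outside
# hand-off (198.51.100.23); hop 2 is a forged line naming a registered Charter receiver.
CHARTER_HEADERS = """\
Received: from mtai03.charter.net ([209.225.8.224]) by mx.cesmail.net with SMTP; Sat, 17 Apr 2004 08:33:05 -0400
Received: from 198.51.100.23 ([198.51.100.23]) by mxsf20.cluster1.charter.net (8.12.11/8.12.11)
    with SMTP id CONSTRUCTED01; Sat, 17 Apr 2004 08:33:01 -0400 (EDT)
Received: from 203.0.113.9 by mxsf09.cluster1.charter.net with SMTP; Sat, 17 Apr 2004 08:32:58 -0400
"""

if __name__ == "__main__":
    for hdrs in (LOCAL_SPOOLER_HEADERS, CHARTER_HEADERS):
        print("\n".join(trace_source(hdrs)[1]), end="\n\n")
    print("trust extended too far ->", trace_source(CHARTER_HEADERS, stop_at_source=False)[0])
```

Running it prints the parse notes for both samples. For the spooler case the walker stops at line 0 with the same "Possible forgery" / "No source IP address found" pair quoted in the thread, because the first receiving system is not one of the registered hosts. For the Charter case the fixed walker reports 198.51.100.23 and marks the forged third line as untrusted; with stop_at_source=False it keeps honouring that line because it claims a registered receiver, so the reported source becomes 203.0.113.9, which is one way a parser that extends trust too far ends up sending a report to the wrong target.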
