Firefly

Sub-Domain issues

The new Mailhosts thing is working fine for mail that is sent to my personal accounts, all of which forward to Spamcop. But I also have been reporting mail I receive at work, which gets to me through an ever-changing variety of corporate internal relays.

The Mailhost setup doesn't seem to be able to deal with this. No matter how many test messages I send and process, a limited number (3) of the internal relays get on the list and just about every spam I report ends up wanting to complain to my corporate admins.

How do I deal with this? Or should I just give up on reporting my work spam?

Link to post

I too am having problems with the new Mailhost system. I think they're similar to the problems Firefly describes, but this is not a corporate account - it's a university account. Setting things up appeared to go well - I got the test e-mail, replied, and got a "success" response. I now have the following mailhost set up:

Hosts/Domains: utoronto.ca, bureau15.ns.utoronto.ca, smtp2.ns.utoronto.ca, bureau22.ns.utoronto.ca, bureau18.ns.utoronto.ca

Relaying IPs: 128.100.132.43, 128.100.132.51

The problem is this: there are several "bureau##.ns.utoronto.ca" hosts listed above, but the list is not exhaustive. Other common ones are bureau23, bureau24, etc. I tried sending an additional test message, and it said that I got another "success" response that said it had been "combined with my existing mailhost configuration", but it lied! The configuration above did not change. In particular, the second test message went through bureau23 instead of bureau22, but I still only see bureau22 above. As a result, I can't report any e-mail that does not just happen to go through bureau22, or it will report .utoronto.ca as the source, which is incorrect.

Please help?

Thanks,

Alexander

Link to post

FYI...

I just registered a MailHost using a tomclegg.net email address. It lost the Mailhost name which I gave it ("KICS") and ended up with something else instead ("IslandTech"). It also acquired two entries in its "hosts/domains" list which shouldn't be there ("mailhost.islandtech.bc.ca" and "bc.ca").

The configuration message which I returned to spamcop said this:

X-SpamCop-Mx: hira.mx.tomclegg.net.
X-SpamCop-Mx-Ip: 204.244.102.66
X-SpamCop-Mh-Name: KICS

That looks fine.

However, when I looked at my MailHosts page, I got this:

Mailhost name: IslandTech
Email address: (removed)
Hosts/Domains: tomclegg.net, duo.kics.bc.ca, mailhost.islandtech.bc.ca, red.tomclegg.net, hira.mx.tomclegg.net, bc.ca
Relaying IPs: 204.244.102.66 
Forwards into:

duo.kics.bc.ca (204.244.102.66) and red.tomclegg.net (204.244.102.57) really did relay the message.

I can guess where "bc.ca" came from. It probably shouldn't be there.

I don't know where the IslandTech stuff came from. My relevant forward/reverse DNS entries are all at least a year old, and IslandTech is nowhere near my network, so I don't think it's a DNS problem. As far as I can tell, the only thing I have in common with IslandTech is ".bc.ca"...

Here are the "Received" headers from the original configuration message.

Received: (qmail 8635 invoked from network); 22 Mar 2004 05:41:31 -0000
Received: from duo.kics.bc.ca (204.244.102.66)
  by red.tomclegg.net with SMTP; 22 Mar 2004 05:41:31 -0000
Received: (qmail 74751 invoked from network); 22 Mar 2004 05:41:27 -0000
Received: from victor2.ironport.com (HELO spamcop.net) (206.14.107.103)
  by duo.kics.bc.ca with SMTP; 22 Mar 2004 05:41:27 -0000

Link to post
Received: from unknown (192.168.1.101) by blade4.cesmail.net with QMQP; 22 Mar 2004 14:05:49 -0000

Internal handoff at SpamCop

Received: from mta133.mail.dcn.yahoo.com (216.155.197.33) by mailgate.cesmail.net with SMTP; 22 Mar 2004 14:05:48 -0000

SpamCop received mail from 216.155.197.33

Hostname verified: mta133.mail.dcn.yahoo.com

Received: from 207.178.13.25 (HELO opmweb2) (207.178.13.25) by mta133.mail.dcn.yahoo.com with SMTP; Mon, 22 Mar 2004 06:00:49 -0800

Possible forgery. Supposed receiving system not associated with any of your mailhosts

Please ensure that yahoo.com is not your own service provider.

Will not trust anything beyond this header

Forgery detected, or mailhost configuration incomplete. Please verify source IP identified.

I am still trying to understand this new mailhost system and must admit that I am struggling a bit. I use my spamcop address as my address and forward mail from three different alias accounts. I sent and confirmed configuration emails from all the accounts. When I look at the parsing above, it appears that Spamcop verifies the mailhost server mta133.mail.dcn.yahoo.com. Then in the next block it stops and says that it is a possible forgery because the receiving system (which I assume is mta133.mail.dcn.yahoo.com) is _not_ a verified mailhost. Yahoo is one of my mailhosts. Will I be reporting them if I proceed with the submission? This happens with every spam that I have submitted from yahoo so far. I am a little unsure exactly what is occurring.

Thank you for any help.

Link to post

I attempted on Monday to register my corporate e-mail servers. I was unable to get both servers added, no matter what I did.

During the registration process, the form presented the two MX records:

b.mx.rowman.com

a.mx.rowman.com

(only the first was selected by default). I checked the other record and did receive two e-mails with instructions. Both e-mails had the same mhconf.xxxxx address (which is probably the problem). I forwarded both e-mails per the instructions, but only the a.mx.rowman.com addresses/hostnames were added. I reran the configuration using strictly the b.mx.rowman.com address (again the same mhconf.xxxxx address as before), but that server was not added.

While I was in this partial state, I attempted to report some messages. The a.mx received message worked fine; the b.mx received messages did not. I have since deleted all records (so I could go back to reporting spam).

HTH

John

Link to post

The following has cropped up in my mailhosts config - it is patently wrong and it wasn't put there by me... I set this up as ETO and there was no mention of IEE in there at all. The org.uk TLD entry is particularly worrying! The address 193.130.181.12 is bogus (not one of my servers), and I am the one and only teleworkforum-owner...

Mailhost name: IEE

Email address: teleworkforum-owner[at]eto.org.uk

Hosts/Domains: org.uk, eto.org.uk, babcom.eto.org.uk, mailgate.eto.org.uk, henry.iee.org.uk

Relaying IPs: 193.130.181.12, 213.208.124.41

Link to post

Further to my earlier message, I deleted the IEE mailhost and restarted the process with teleworkforum-owner[at]eto.org.uk giving it a common name of ETO. The eto.org.uk mailserver has an IP address of 213.208.124.41 and the confirmation email had the correct info. The mailhost entry is exactly as before:

Mailhost name: IEE

Email address: teleworkforum-owner[at]eto.org.uk

Hosts/Domains: org.uk, eto.org.uk, babcom.eto.org.uk, mailgate.eto.org.uk, henry.iee.org.uk

Relaying IPs: 193.130.181.12, 213.208.124.41

The IP address 193.130.181.12 is nothing to do with me and is in a different RIPE block altogether. I do not administer the org.uk domain either! IEE is not one of my customers and does not use any of my facilities.

Link to post
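
A simplified model of the Received-chain trust walk that the parser output earlier in this thread reflects ("Will not trust anything beyond this header"), and of why a bare suffix such as org.uk or bc.ca in a Hosts/Domains list matters. This is an added example, not part of any post and not SpamCop's code; the headers, the hostnames outside eto.org.uk, all IP addresses and the small suffix set are constructed.

```python
import re

# Pulls the sending IP (in parentheses) and the receiving "by" host out of one
# Received header. Lines without both (e.g. qmail "invoked" lines) do not match.
RECEIVED_RE = re.compile(
    r"from\s+\S+.*?\((\d{1,3}(?:\.\d{1,3}){3})\)\s+by\s+(\S+)", re.S)

# Tiny stand-in for the Public Suffix List (constructed, not exhaustive).
PUBLIC_SUFFIXES = {"uk", "org.uk", "co.uk", "ca", "bc.ca", "com", "net", "org"}


def is_mailhost(host, domains):
    """True if host equals a configured domain or is a subdomain of one."""
    host = host.lower().rstrip(".;")
    return any(host == d or host.endswith("." + d) for d in domains)


def find_source(received_headers, domains):
    """Walk headers newest-first and return the IP to treat as the source.

    A header is believed only if the host that wrote it (the "by" host) is a
    configured mailhost. The walk stops at the first header written by anyone
    else, because everything below it could be forged.
    """
    source = None
    for header in received_headers:
        match = RECEIVED_RE.search(header)
        if not match:
            continue  # local hand-off line, nothing to evaluate
        ip, by_host = match.groups()
        if not is_mailhost(by_host, domains):
            break
        source = ip
    return source


def overbroad_entries(domains):
    """Configured entries that are public suffixes, not one organisation."""
    return [d for d in domains if d.lower() in PUBLIC_SUFFIXES]


# Constructed headers, newest first. The last one is a forged line naming a
# receiving host that merely ends in .org.uk.
HEADERS = [
    "Received: from mailgate.eto.org.uk (192.0.2.10)\n"
    "  by babcom.eto.org.uk with SMTP; 22 Mar 2004 14:05:49 -0000",
    "Received: (qmail 1234 invoked from network); 22 Mar 2004 14:05:48 -0000",
    "Received: from sender.example.net (198.51.100.77)\n"
    "  by mailgate.eto.org.uk with SMTP; 22 Mar 2004 14:05:48 -0000",
    "Received: from dialup.example.com (203.0.113.9)\n"
    "  by relay.unrelated.org.uk with SMTP; 22 Mar 2004 14:05:40 -0000",
]

# Only the organisation's own names.
NARROW = ["eto.org.uk", "babcom.eto.org.uk", "mailgate.eto.org.uk"]
# The Hosts/Domains list as it appeared in the posts above.
AS_LISTED = ["org.uk", "eto.org.uk", "babcom.eto.org.uk",
             "mailgate.eto.org.uk", "henry.iee.org.uk"]

if __name__ == "__main__":
    print("narrow list    ->", find_source(HEADERS, NARROW))
    print("list as posted ->", find_source(HEADERS, AS_LISTED))
    print("over-broad     ->", overbroad_entries(AS_LISTED))
```

With the narrow list the walk stops at the forged line and the report names the host that really handed the message to mailgate.eto.org.uk; with org.uk in the list the forged line is believed and the report is sent to the wrong network.
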
One thing to understand about this system (if you care) is that these mailhost configurations are *shared*.  So that once I adapt mailhost X to use strange domains a b and c, anyone else on mailhost X should be recognized without anyone having to do anything special.

One question about the shared hosts: wouldn't this permit a clever spammer to infect the database? Could a spammer sign up for a SpamCop account, get his mailhost trusted, and then continue to forge headers?

Link to post
One thing to understand about this system (if you care) is that these mailhost configurations are *shared*.  So that once I adapt mailhost X to use strange domains a b and c, anyone else on mailhost X should be recognized without anyone having to do anything special.

One question about the shared hosts: wouldn't this permit a clever spammer to infect the database? Could a spammer sign up for a SpamCop account, get his mailhost trusted, and then continue to forge headers?

They aren't shared and trusted quite like that. If you set up yahoo and I set up yahoo, then there is a shared yahoo mailhost. If a new machine gets added to the global "yahoo" mailhost then it gets added to both our accounts.

However, you and I (and others who explicitly set it up) are the only ones marked as using Yahoo. If someone else who never set up Yahoo gets a spam from Yahoo, then the Yahoo server will be marked as the source.

JT

Link to post
One thing to understand about this system (if you care) is that these mailhost configurations are *shared*.  So that once I adapt mailhost X to use strange domains a b and c, anyone else on mailhost X should be recognized without anyone having to do anything special.

One question about the shared hosts: wouldn't this permit a clever spammer to infect the database? Could a spammer sign up for a SpamCop account, get his mailhost trusted, and then continue to forge headers?

They aren't shared and trusted quite like that. If you set up yahoo and I set up yahoo, then there is a shared yahoo mailhost. If a new machine gets added to the global "yahoo" mailhost then it gets added to both our accounts.

However, you and I (and others who explicitly set it up) are the only ones marked as using Yahoo. If someone else who never set up Yahoo gets a spam from Yahoo, then the Yahoo server will be marked as the source.

JT

If that's the intent, then it isn't working quite right. I reported above that SC thinks that Yahoo is one of my mailhosts but I have not configured it yet. It isn't, so of course I haven't. It does look like SC trusts the Yahoo mailhost because other users have registered it. But I have not registered it, and as far as I am concerned it is the source of the spam I attempted to report.

Again, the message I got from the parser was:

3: Received: from [212.199.254.2] by web41702.mail.yahoo.com via HTTP; Wed, 24 Mar 2004 18:46:11 PST

mail.yahoo.com flagged as trusted, but not configured

It appears you have not configured your own mailhost:

Mailhost: web41702.mail.yahoo.com

Please correct this situation - register every email address where you receive spam

I do not receive email from mailhost web41702.mail.yahoo.com, yet it connected to my SMTP server and fed it spam. It's not one of my mailhosts, even though it might be a mailhost for one or more other SpamCop users.

So it looks to me like the "trustedness" has leaked through in the way you said is not supposed to happen.

And then the parser decided that the report should go to abuse -at- 012.net.il since 212.199.254.2 is 212.199.254.2.forward.012.net.il and not web41702.mail.yahoo.com after all!

Tracker: http://www.spamcop.net/sc?id=z369289928z5b...86067f35c696d8z

Edited by eric

Link to post

I've been gradually getting to grips with the Mailhost functions and think I now have everything set up. I find it astonishing to see how many different hosts I have to include - do I really use that many different Email addresses/servers :-) ??

Anyway, I see that the list of hosts provides the domain names and relating ip addresses for all my domains except one. This one shows just the name and no relating IP address.

When the confirmation file is submitted it includes an IP number but this isn't appearing on the configuration listing.

I'm not sure if this is a problem but since, Julian, you asked for feedback I'm letting you know what I've found.

The domain in question is my primary Email domain so receives much of my junk :-(

cnet.org - ip 66.219.163.80

Andrew

Link to post
When the confirmation file is submitted it includes an IP number but this isn't appearing on the configuration listing.

OK, I've woken up a bit more this morning ;-)

I deleted the whole entry for this domain and then resubmitted it and all is well now.

Andrew

Link to post

Hello SpamCop user,

Thank you for registering your mailhost. This submission has been combined with your existing mailhost configuration:

Nuclearzone

I have two domains at the same box. But at the mailhost page I only see one of the domains.

I have trench dot no and trench dot org

Rather strange that the system combines the two of them.

mariuz

a very happy spamcop user.

Link to post

Have just taken the plunge with this mailhost system and have registered my main account as well as spamcop of course.

Question

All my sites (several different domains) are hosted with the same people on the same webserver. I tend to forward from all these other domains to my main domain before forwarding on to spamcop. Having just registered my main domain do I still have to register each separate domain or will just the first one do.

Look forward to hearing from you

Cheers

-

Brian

Edited by bstock

Link to post
do I still have to register each separate domain or will just the first one do

I'll admit my ignorance ... on one hand, thinking that eventually you'll have forwarded from them all and "perhaps" all that will eventually get "mapped" ...

I tend to forward from all these other domains to my main domain

However, the word "tend" in there kind of clouds that issue. I'd say that if there's the chance that you might actually report "driectly" from one of these other domains, then it'd seem to me you'd want to get them all "registered" .... but again, that's just my take on it, and I know othing about this mail-host thing short of what I've read here and over in the newsgroups.

Link to post

What happens is I forward from several domains to one which automatically forwards everything it receives to Spamcop - so I presume I'm OK with just the main one being registered.

Am I correct?

By the way thanks yet again Wazoo

Link to post

Geeze, why do all those typing mistakes look so clear now, but not so visible just before I hit the "Add Reply" button? <g> Another try, I know nothing about this mail-host thing short of what I've read here and over in the newsgroups. And based on that, my fear would be that your "registered" host will start out with mail from 'there' comes from Host-B, which gets its traffic from Host-C, which gets its stuff from wherever. So there might be a day when you send a spam from Host-F that's going to be seen as "not in your Registered 'chain of servers'" and Host-F is going to be flagged as a bad-boy.

But again, I'm pulling this out of the air <g> .. just based on some of the issues I've already seen mentioned.

Link to post

I goofed up, and I haven't even gotten far enough to be confused yet :huh:

In entering my first email address, I put the wrong IP name in the second box by mistake. Now I have a confirmation email. Should I just delete the confirmation email and go back and start over, or do I have to undo my error somehow?

Also, I am assuming when it comes to the order of email addresses being entered, it is the SMTP address that counts?

I am currently on my home computer using my home DSL account with Verizon, but checking my email from my work account with Capitalcomputers using Mailwasher and forwarding spam to SpamCop via my work SMTP (since it will forward my home spam, but my home address won't forward my work spam).

All my mail, regardless of the address it comes TO, goes to SpamCop via the same SMTP. So that means I register the work account first, then the others in no particular order (though they don't forward to my work account, just because that's the SMTP server I'm using to send to SpamCop)?

Link to post
I goofed up, and I haven't even gotten far enough to be confused yet  :huh:

In entering my first email address, I put the wrong IP name in the second box by mistake.  Now I have a confirmation email.  Should I just delete the confirmation email and go back and start over, or do I have to undo my error somehow?

I think that you haven't got far enough yet to have anything to undo, but I'm not sure about that -- let's hear what (if anything) the people "in the know" are going to say.

Also, I am assuming when it comes to the order of email addresses being entered, it is the SMTP address that counts?

The way I understand it, you have to configure all (or none :) ) of the "email addresses" (i.e. username -at- domain.tld) where you receive spam which you submit to SpamCop. Addresses which differ only before the at-sign are not considered "different". If you use mail forwarding (including SpamCop mail filtering) they have to be defined (IIUC) in the opposite sequence to the flow of mail (i.e. if server A forwards mail to server B, then define B first, and A after B has "succeeded"). The SMTP server to which you send your outgoing mail (maybe something as "relay.example.net") has no [at] in its name and is not an "email address". Anyway, your outgoing mail isn't spam, is it?

I am currently on my home computer using my home DSL account with Verizon, but checking my email from my work account with Capitalcomputers using Mailwasher and forwarding spam to SpamCop via my work SMTP (since it will forward my home spam, but my home address won't forward my work spam). 

All my mail, regardless of the address it comes TO, goes to SpamCop via the same SMTP.  So that means I register the work account first, then the others in no particular order (though they don't forward to my work account, just because that's the SMTP server I'm using to send to SpamCop)?

How do you send spam from your other accounts to your work account? IIUC, if you send it by forward-as-attachment, then it's less important to define your work email first, because the received-lines on the spam email will be "frozen" in the state they were in when you received it at whatever other account got it. The idea is to define first the servers which write the Received-lines appearing at top in the headers of your spam (as seen by SpamCop) then the servers for the Received-lines which appear lower down. I think (correct me, somebody, if I'm wrong) that the Received-lines on the "cover-email" (the email from you to SC, TO which spam is added "as attachment") is immaterial.

OTOH, if the servers for your work account add received-lines on top of those for your home account, then SC mail adds its own Received-lines on top of that, then they have to be configured in the following sequence:

1) SpamCop, cesmail.net, etc. (this is done automatically).

2) your work account

3) your other accounts.

Link to post
The way I understand it, you have to configure all (or none  ) of the "email addresses" (i.e. username -at- domain.tld) where you receive spam which you submit to SpamCop. Addresses which differ only before the at-sign are not considered "different".
Ah! that puts a different light on my query, although the other accounts (domains) are on the same server I think I'll register them anyway - just in case.

If I am doing anything wrong I'd be grateful if someone could let me know

Thanks

Link to post

Still going round in circles

Hope it's OK now, although I registered all my domains and they were accepted only two hosts are showing up on my account so it would seem to indicate that I needn't have bothered registering all the other domains hosted on the same server.

Please tell me I'm correct

Link to post

As I report spam for hundreds of mail boxes for our company (they all come to the same MX servers, but end up at 7 different internal mail servers) does the new mailhost configuration mean I have to identify every mail account in our company? If so, it's never going to happen and I doubt I'm alone. There has to be a way for an abuse dept at a company to report for the entire company and not just one or two mail boxes. When an abuse report reaches my desk I pull the raw message from the mail server logs and post it to Spamcop. How am I supposed to setup each of the hundreds of mail boxes for this or am I just misunderstanding something?

One final thing, this forum is VERY hard to read compared to the NNTP news.spamcop.net. Threads don't follow (you have to skip around to find replies) and you can't save posts for easy future reference. Julian, please move this back to a real NNTP reader and dump this or get an NNTP reader like others have that allow both WWW posting/reading and NNTP posting/reading. I read through the posts and didn't see any like this but who knows if I missed one with all the HTML garbage here. Thanks....

Brian Bergin

ComCept Solutions, LLC

Link to post

Hi, Brian!

<snip>

One final thing, this forum is VERY hard to read compared to the NNTP news.spamcop.net. Threads don't follow (you have to skip around to find replies) and you can't save posts for easy future reference. Julian, please move this back to a real NNTP reader and dump this or get an NNTP reader like others have that allow both WWW posting/reading and NNTP posting/reading.

<snip>

...Are you confusing this *post* ("Replying to Mailhost system beta testing") and its replies with the *forum*? I don't have a problem with following threads in the forum. On the other hand, this post and its replies don't flow and NNTP might be a little better (if people post to sub-threads in an "appropriate" way). All in all, though, I prefer the web-based forum because my employer (where I do all my spam reporting) network folk will not permit access via NNTP to SpamCop.net.

Link to post
Hi, Brian!

<snip>

One final thing, this forum is VERY hard to read compared to the NNTP news.spamcop.net. Threads don't follow (you have to skip around to find replies) and you can't save posts for easy future reference. Julian, please move this back to a real NNTP reader and dump this or get an NNTP reader like others have that allow both WWW posting/reading and NNTP posting/reading.

<snip>

...Are you confusing this *post* ("Replying to Mailhost system beta testing") and its replies with the *forum*? I don't have a problem with following threads in the forum. On the other hand, this post and its replies don't flow and NNTP might be a little better (if people post to sub-threads in an "appropriate" way). All in all, though, I prefer the web-based forum because my employer (where I do all my spam reporting) network folk will not permit access via NNTP to SpamCop.net.

I think that he grumbles about the fact that these forums ("SpamCop Discussion") don't support sub-threading, which makes it difficult to relate a post (such as yours, "Mailhost system beta testing" by turetzsr, Apr 7 2004, 00:28 GMT) to its parent post when it does not immediately precede it (though in this case it does), especially in long branching threads like this one ("Mailhost system beta testing", started by julian).

I prefer these HTML forums, even with their flaws, because my mail/news client crashed Windows 4 times in an hour the last time I used its "news" function. (Its mail function is slow but at least it doesn't crash Windows, so I can report queued spam while I wait for a mail to open ;) ). Yet this new media was hard for me on the first day or two; but I'm starting to become used to it.

Link to post
enter "pop.access.net.au"  ( not work) tried... "mail.satlink.com.au" (not work)

then tried  "mail.optusnet.com.au" (no go)  then  "pop.dodo.com.au"

then the fail message was does not look like a valid email address. which in my case are valid email address  then we tried the Mail IP numbers for above and that did not work !

You should enter your full email addresses, not only the part after the [at], even if, if you have addresses that differ from each other only before the [at], you need enter only one of them. Thus:

not

mail.satlink.com.au

but (for instance)

cyberblob[at]satlink.com.au

Link to post
