Jump to content

Parsing errors


danmoran

Recommended Posts

Besides the on-going issue of the spam source going undetected because the parser has erroneously identified it as a forgery, I'm now finding that the abuse-reporting addresses of certain subnets are also being mis-identified.

For example, the email address amabusemail4[at]gmail.com, is dismissed and replaced with abuse[at]gmail.com.

I'm sorry that I can't provide the actual report, but SC wrongly identified both the source and the reporting address for the spamvertised URL, so I canceled the report.

Link to comment
Share on other sites

Okay, that abuse address seems to belong to a Romanian outfit that is currently being used/abused to send malware:

(ripe.net)

inetnum: 89.114.9.0 - 89.114.9.255

netname: ENTER-NET-TEAM

role: Power Host

address: Bucharest, Sector.3 Romania

e-mail: amabusemail4[at]gmail.com

We had another case (similar) a while back - which I think Don was able to fix. Hopefully he can do the same with this one too, or there may a reason the thing is devnulled. SC currently says like:

Removing old cache entries.

Tracking details

Display data:

"whois 89.114.9.33[at]whois.ripe.net" (Getting contact from whois.ripe.net)

pph7-ripe = amabusemail4[at]gmail.com

Lookup bc1743-ripe[at]whois.ripe.net

Display data:

"whois bc1743-ripe[at]whois.ripe.net" (Getting contact from whois.ripe.net)

bc1743-ripe = ttnnet[at]yahoo.com

Lookup vrs2-ripe[at]whois.ripe.net

Display data:

"whois vrs2-ripe[at]whois.ripe.net" (Getting contact from whois.ripe.net)

vrs2-ripe =

whois.ripe.net 89.114.9.33 = amabusemail4[at]gmail.com, ttnnet[at]yahoo.com

whois: 89.114.9.0 - 89.114.9.255 = amabusemail4[at]gmail.com, ttnnet[at]yahoo.com

Routing details for 89.114.9.33

Using abuse net on amabusemail4[at]gmail.com

abuse net gmail.com = gmail-abuse[at]google.com

Using abuse net on ttnnet[at]yahoo.com

abuse net yahoo.com = abuse[at]yahoo.com

Using best contacts abuse[at]yahoo.com gmail-abuse[at]google.com

abuse[at]yahoo.com redirects to network-abuse[at]cc.yahoo-inc.com

network-abuse[at]cc.yahoo-inc.com redirects to spamcop[at]mailservices.yahoo.com

Reports disabled for gmail-abuse[at]google.com

Using gmail-abuse#google.com[at]devnull.spamcop.net for statistical tracking.

Now the supposed misidentified spam sources is far more significant from SC's point of view. If you click on the report ID of the cancelled report (from the Past Reports tab on your member's page) you can pull up the detail of any report sent or cancelled for the past 90 days. You then need to click on the Parse link to get the tacking URL from near the top of the parse page. If you can get that there can be some more discussion of your problems.

Link to comment
Share on other sites

Now the supposed misidentified spam sources is far more significant from SC's point of view. If you click on the report ID of the cancelled report (from the Past Reports tab on your member's page) you can pull up the detail of any report sent or cancelled for the past 90 days. You then need to click on the Parse link to get the tacking URL from near the top of the parse page. If you can get that there can be some more discussion of your problems.

Okay, the tracking URL is:

http://www.spamcop.net/sc?id=z4908666257zd...fa17b911b273ffz

Taking a look at the header:

X-Apparently-To: x via 76.13.11.67; Sat, 26 Feb 2011 23:13:00 -0800

Return-Path: <kenjimadoka8[at]aim.com>

X-YahooFilteredBulk: 195.4.92.98

Received-SPF: pass (mta1253.mail.mud.yahoo.com: domain of kenjimadoka8[at]aim.com designates 195.4.92.98 as permitted sender)

X-YMailISG: G9FM5XccZApSJLD.UqUyRyWHVcpWHK0PE8JqyvGkjLzEp2.v vFHVSrsAkApidHKnZqHDRCMp7MuKWtYkOv2nDmjpDQEzp7RKfutAC._rs2ed Jwm6uWd7WJv_gCCHs_WcmAqJyoap6GsoMmmUtKOce6qTRcY9NcigUe10aqvg 51F3oEB8ly7aCRrDgcKhLFZZuN2n4._43_ZJSh0YXYGxPWmxtKTOy5Lpbk78 baEdNev3hsXZI1CM.laLKlldoerY2xAa2cFCAskTNBVGlvu6VpVqFdYIsl69 R8qyoiuaMf5L1LIL8BoHl_80CaYGoJ9B04xQypfgrGcBnbhP37LAt6djuBsi 3xsaFLPVXRRsqte.aPcWu94NixbrxjClnDzeg24lJSQFmq2P.mZq4ts4MHjv YWK6A4cpNCzpH16xbl76R_2CtpSrHSyUXwmGx.Xox7Ns8rnAFa.7gZ4Mm5H3 r_bTk7dUehlhEGLoD9m890YY9FRmOqucv1btfCKBNu0QaD4LO1RNt._TbBeO A.dOy4pqEFlHV.CKPKXUAIGVD8VvwDd7lonFr4mZp8CJC6Vz8Dczr9oQALP7 7RqfdBYnrVWDHp5Et3xwFfJfSJpHk0iMXmCsvbto0aK75nVIDUhbqQLzCx22 YDSqasUuspMs49ETJ.oSznCc8CbbidDzCwAlMFIdMYh85mNZNSgPm1yBJF_Z 2vQ_pAMrmy1TY4.omLHGqmEEohwqN0ui7T4a7L7SUK5zNSbCfFjdVZkIa_kR hqXLYnm07qZR_EKAAYb2I0SmULae2P5HKRscmMARmslrCg7lxNARgNeSdN30 pcFlzBZ_PfLSyHTXcg9rJw3fYcYLTZ.9vjnVbBpf0siahKKj8zlSL2lrDN8v RsYGrvNBtHcjFYAO5qFYDNk7OWOkWzGWtxqOB65ASx4tUqt_gzOuhikH9rqN C8JIsQ9kkF3N2qAiJox.9_dTtP0ebS1t1m.pOerWeTtF6Hpmr3N2IiiFJAnB rC4eB4W6vJ.JUMWurhRI_mqWrlHTacsZN1kMBamph5WrtN.rIXf.DROg4L95 XvmvR6o3IjFgg5Cuy5WFJQtEZyWXzaJXZL8grZJ5F8SWRpw7KoDWND8_CayP 6hsBCGGapHheEs.zSFditiXT8D_WV_phKAxAo_Ew7Xhq9BnGir00nRy0

X-Originating-IP: [195.4.92.98]

Authentication-Results: mta1253.mail.mud.yahoo.com from=aim.com; domainkeys=neutral (no sig); from=aim.com; dkim=neutral (no sig)

Received: from 127.0.0.1 (EHLO mout8.freenet.de) (195.4.92.98) by mta1253.mail.mud.yahoo.com with SMTP; Sat, 26 Feb 2011 23:12:54 -0800

Received: from [195.4.92.23] (helo=13.mx.freenet.de) by mout8.freenet.de with esmtpa (ID webmaster[at]donationformulagmbh01.de) (port 25) (Exim 4.72 #3) id 1PtaoF-00047K-6G; Sun, 27 Feb 2011 08:12:51 +0100

Received: from [74.63.125.204] (port=2798 helo=User) by 13.mx.freenet.de with esmtpa (ID webmaster[at]donationformulagmbh01.de) (port 587) (Exim 4.72 #3) id 1PtaoE-0002ZC-LL; Sun, 27 Feb 2011 08:12:51 +0100

Reply-To: <kenjimadoka2[at]yahoo.co.jp>

From: "Kenji Madoka"<kenjimadoka8[at]aim.com> Add sender to Contacts

Subject: LOST LOTTERY TICKET.

Date: Sun, 27 Feb 2011 01:12:36 -0800

MIME-Version: 1.0

X-Content-Type: multipart/mixed; boundary="----=_NextPart_000_00C0_01C2A9A6.65DE4AF6"

X-Priority: 3

X-MSMail-Priority: Normal

X-Mailer: Microsoft Outlook Express 6.00.2600.0000

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

Message-ID: <1Pta________C-LL[at]13.mx.freenet.de>

Content-Length: 5217

Content-Type: text/plain

X-SpamCop-note: Converted to text/plain by SpamCop (outlook/eudora hack)

The source is 74.63.125.204, which is listed in the CBL as running SendSafe malware, which fits in with this 419 spam.

But SC:

1: Received: from [195.4.92.23] (helo=13.mx.freenet.de) by mout8.freenet.de with esmtpa (ID webmaster[at]donationformulagmbh01.de) (port 25) (Exim 4.72 #3) id 1PtaoF-00047K-6G; Sun, 27 Feb 2011 08:12:51 +0100

Hostname verified: 13.mx.freenet.de

Possible forgery. Supposed receiving system not associated with any of your mailhosts

Will not trust anything beyond this header

Link to comment
Share on other sites

Okay, the tracking URL is:

http://www.spamcop.net/sc?id=z4908666257zd...fa17b911b273ffz

...

The source is 74.63.125.204, which is listed in the CBL as running SendSafe malware, which fits in with this 419 spam.

But SC:

1: Received: from [195.4.92.23] (helo=13.mx.freenet.de) by mout8.freenet.de with esmtpa (ID webmaster[at]donationformulagmbh01.de) (port 25) (Exim 4.72 #3) id 1PtaoF-00047K-6G; Sun, 27 Feb 2011 08:12:51 +0100

Hostname verified: 13.mx.freenet.de

Possible forgery. Supposed receiving system not associated with any of your mailhosts

Will not trust anything beyond this header

Thanks for the tracking URL. I agree the source appears to be 74.63.125.204 - and in fact a parse without mailhosts set gets through to that:

http://www.spamcop.net/sc?id=z4909579427z0...850043f93418b2z

The reason mailhosting was brought in was over concerns that spammers were using some pretty smart forgeries to divert SC and others. I'm afraid it is a bit beyond me to analyse these headers to tell with confidence whether or not there might be forgery in this case. Others will have a far better idea than I, hopefully, and I look forward to their comment.

Link to comment
Share on other sites

Besides the on-going issue of the spam source going undetected because the parser has erroneously identified it as a forgery,

Thanks fhe Tracking URL. The initial (perhaps too easy) guess is that freenet.de has changed/added to their e-mail server farm. This in turn has caused your current MailHost Configuration of your Reporting Account invalid. You can try to add this MailHost in once again .. or it may take a hands-on action by Don/Deputies to get (in this case 13.mx.freenet.de) added to your (and actually anyone else connected as the database is shared) MailHost Configuration.

Link to comment
Share on other sites

You can try to add this MailHost in once again .. or it may take a hands-on action by Don/Deputies to get (in this case 13.mx.freenet.de) added to your (and actually anyone else connected as the database is shared) MailHost Configuration.

Freenet.de is not one of my mailhosts, but this issue often happens when spam is relayed through freenet.de.

Link to comment
Share on other sites

Freenet.de is not one of my mailhosts, but this issue often happens when spam is relayed through freenet.de.
...As no one here seems to be in a position to help on this, my recommendation would be for you to send an inquiry about this directly to the SpamCop Deputies (deputies[at]admin.spamcop.net).
Link to comment
Share on other sites

http://www.spamcop.net/sc?id=z4908666257zd...fa17b911b273ffz

0: Received: from 127.0.0.1 (EHLO mout8.freenet.de) (195.4.92.98) by mta1253.mail.mud.yahoo.com with SMTP; Sat, 26 Feb 2011 23:12:54 -0800

Hostname verified: mout8.freenet.de

YahooMain received mail from sending system 195.4.92.98

SpamCop correctly identifies the source as 195.4.92.98

1: Received: from [195.4.92.23] (helo=13.mx.freenet.de) by mout8.freenet.de with esmtpa (ID webmaster[at]donationformulagmbh01.de) (port 25) (Exim 4.72 #3) id 1PtaoF-00047K-6G; Sun, 27 Feb 2011 08:12:51 +0100

Hostname verified: 13.mx.freenet.de

Possible forgery. Supposed receiving system not associated with any of your mailhosts

Will not trust anything beyond this header

That is SpamCop telling you that it looked at that "Received" line, and recognized that the alleged receiving system is not registered as one of your Mailhosts, and so it will not trust that information.

If you look below that parse line, you will see where SpamCop specifically identifies the source it is reporting.

Tracking message source: 195.4.92.98:

>- For example, the email address amabusemail4[at]gmail.com,

>- is dismissed and replaced with abuse[at]gmail.com.

That's a problem we have to fix.

When SpamCop gets a reporting address that it identifies as a personal address rather than a standard abuse type address, we go to Abuse.net to get a better reporting address for the domain in the personal address.

SpamCop asks about gmail.com, and we get the Gmail abuse address, which is not correct in this case.

- Don D'Minion - SpamCop Admin -

- service[at]admin.spamcop.net -

Link to comment
Share on other sites

That is SpamCop telling you that it looked at that "Received" line, and recognized that the alleged receiving system is not registered as one of your Mailhosts, and so it will not trust that information.

If you look below that parse line, you will see where SpamCop specifically identifies the source it is reporting.

Tracking message source: 195.4.92.98:

So if I no Mailhosts are specified, then the correct source is identified, otherwise SC limits the "source" to one hop?

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...