dutch

Mailhosts Issues With Rackspace


Spamcop is analyzing mail headers and fails to recognize a legitimate mail host at Rackspace. The host is: smtp4.gate.iad3a.rsapps.net

I went through the mailhost list on my mailhosts tab and it doesn't appear.

Here is a snip from the analysis:

3: Received: from [134.58.240.129] ([134.58.240.129:54407] helo=cavuit01.kulnet.kuleuven.be) by smtp4.gate.iad3a.rsapps.net (envelope-from <x>) (ecelerity 2.2.3.49 r(42060/42061)) with ESMTP id 0F/73-03583-136B9755; Thu, 11 Jun 2015 12:24:17 -0400
Hostname verified: rhcavuit01.kulnet.kuleuven.be
Possible forgery. Supposed receiving system not associated with any of your mailhosts
Will not trust this Received line.


No expert I but as I read this, it isn't smtp4.gate.iad3a.rsapps.net about which the SpamCop Parser is complaining but, rather, rhcavuit01.kulnet.kuleuven.be. However, your best bet with any suspected issue with MailHosts and/or the Parser is to contact the SpamCop Deputies at e-mail address deputies[at]admin.spamcop.net.


[at]turetzsr,

Steve T,

I am not an expert either, but reading the English, the diagnostic message was "Supposed receiving system not associated with any of your mailhosts". The address you cited is the *sender*, not the receiver. The receiver is smtp4.gate.iad3a.rsapps.net. This is a mailhost at Rackspace, which is where I host my mail, however it does not appear in the long list of mailhosts that have been registered by Spamcop's administrators as belonging to Rackspace, although there are other mailhosts that are listed in the domain rsapps.net.

If you think I am parsing this incorrectly, please explain.

dutch


Yes, I agree completely with what you are saying -- it's what I'm saying, as well.

  • "Received: from [134.58.240.129] ([134.58.240.129:54407] helo=cavuit01.kulnet.kuleuven.be)" -- the sending host is avuit01.kulnet.kuleuven.be.
  • "by smtp4.gate.iad3a.rsapps.net" -- the receiving host is smtp4.gate.iad3a.rsapps.net.
  • "Hostname verified: rhcavuit01.kulnet.kuleuven.be" "Possible forgery. Supposed receiving system not associated with any of your mailhosts" -- rhcavuit01.kulnet.kuleuven.be is not trusted.

It seems to me that the SpamCop parser is saying that it suspects this sending host of misrepresentation and/or, at minimum, is not in your list of mail hosts and therefore is a candidate as being the source of the spam.

Did you attempt to contact Don 92456 or the SC Deputies, yet?


I host two domains and have several email accounts at Rackspace. One of the two domains is aliased to the other, but I don't think that is relevant to my issue. I have registered mailhosts using the procedure which generates a test email. I get errors like this one, indicating it doesn't recognize the Rackspace mail servers:

3: Received: from [107.182.128.11] ([107.182.128.11:43375] helo=fly.flyingnewrewardpoints.link) by smtp34.gate.iad3a.rsapps.net (envelope-from <GetFlightRewards[at]fly.flyingnewrewardpoints.link>) (ecelerity 2.2.3.49 r(42060/42061)) with ESMTP id 7C/78-19582-A796D855; Fri, 26 Jun 2015 11:02:18 -0400

Hostname verified: 11-128-182-107-static.reverse.queryfoundry.net

Possible forgery. Supposed receiving system not associated with any of your mailhosts

Will not trust this Received line.

Over the past couple of weeks I have gotten errors on these mail servers:

smtp25.gate.iad3a.rsapps.net

smtp13.gate.iad3a.rsapps.net

smtp4.gate.iad3a.rsapps.net

smtp34.gate.iad3a.rsapps.net

I have also seen a few in the domain mlsrvr.com

Using the pulldown list of mail servers from my mailhosts page, I can see a very large list of mailhosts. The domains rsapps.net and mlsrvr.com are also listed. I thought if a primary domain name is listed, spamcop is supposed to recognize any server in the domain, but it is not.

Given Rackspace's very large number of mail servers, which appears to be growing, not being able to use the primary domain name makes spamcop pretty much unusable for most of the spam I get.

I have sent this to a spamcop admin, who was the one who added the primary domain names, but that hasn't helped.

Does anybody have other suggestions?


[at]turetzsr,

I genuinely appreciate your input on this, but we have different interpretations on what the message means.

We are most definitely not saying the same thing. My interpretation is it is the smtp4.gate.iad3a.rsapps.net that spamcop doesn't trust. I think if it were as you say, then spamcop would say "Possible forgery. Supposed sending system..." instead of "...Supposed receiving system".

Further, what spamcop is doing is generating a report for my mail hosting provider, Rackspace, which is just plain wrong. The message didn't originate at rackspace. This, to me, is further evidence that I am correctly interpreting the spamcop message.

Yes, at your suggestion and in response to Don's offer, I did contact Don. He and I have exchanged several emails. He has added the primary domain names to the LONG list of Rackspace mailhosts, which I think is supposed to work, but that hasn't helped. I don't see instructions on how to enter a primary domain name, and I don't think I have any way to do it, but I wonder if it needs something like a wildcard symbol in the name.

If indeed each mailhost has to be separately identified, then for a large, growing mail service like Rackspace, which chooses to keep adding mailhost names, this is going to be a never-ending burden for me and spamcop.

I have just made a post on this here (which seems to me the right place for this topic) SpamCop Discussion → Discussions & Observations → Mailhost Configuration of your Reporting Account


<snip>

I genuinely appreciate your input on this, but we have different interpretations on what the message means.

We are most definitely not saying the same thing. My interpretation is it is the smtp4.gate.iad3a.rsapps.net that spamcop doesn't trust. I think if it were as you say, then spamcop would say "Possible forgery. Supposed sending system..." instead of "...Supposed receiving system".

<snip>

Gasp! I missed that little detail -- thanks!

Yes, at your suggestion and in response to Don's offer, I did contact Don. He and I have exchanged several emails. He has added the primary domain names to the LONG list of Rackspace mailhosts, which I think is supposed to work, but that hasn't helped.

<snip>

Then you'll have to go back to Don, unfortunately; nothing else that you will be able to do about this!

If indeed each mailhost has to be separately identified, then for a large, growing mail service like Rackspace, which chooses to keep adding mailhost names, this is going to be a never-ending burden for me and spamcop.

True that but there's really no other alternative other than to just uncheck the box referring to Rackspace when you submit the parse to send the reports or just to cancel the reports in such cases.

I have just made a post on this here (which seems to me the right place for this topic) SpamCop Discussion → Discussions & Observations → Mailhost Configuration of your Reporting Account

Thanks! And, being (what I believe to be) the better place for all of this discussion, I have merged your Topic "Rackspace SMTP Server Not Recognized As Host" into this one! :) <g>


There are already over 300 separate mailhosts listed for Rackspace on the my spamcop mailhosts tabs > Hosts/Domains, and I just tried to submit 7 spam emails, which failed to recognize 7 additional mailhosts. I sent emails for each of these to Don.

Previously Don entered the primary domain names in the list, but spamcop fails to recognize the FQDNs for the 7 hosts within the primary domain names that are already on this list.

Since the field name is labeled "Hosts/Domains" I am guessing there is supposed to be a way to enter a domain. If so, there is either a bug, or the documentation on how to do it is wrong or missing.

If there isn't a way to enter a primary domain name, there should be.


As I stated in my previous post, there are 300+ mailhosts listed for Rackspace. On the evening of Jun 27 I processed ~7 emails that went through new mailhosts not in the recognized lists. I have a hypothesis that Rackspace is generating new mailhosts (i.e. servers to process incoming mail) dynamically in response to high volumes of incoming spam from graylisted or blacklisted hosting companies as part of their security infrastructure and spam filtering system.

The reason I suspect this is that in most if not all of the cases where Spamcop detects an unregistered mailhost, Spamcop detects all of the websites as being hosted at namecheaphosting.com, and I manually looked up a few. The domains were registered within the past few days. The emails were coming from mailservers at those domains. The WHOIS records have fields like CITY and ADDRESS filled with garbage, and the person (or more likely a bot) that registered the domain names used an email address that cross references to hundreds of under 72 hour old domain names.

Rackspace's spam filtering system put all of these in my junk folder. My guess is that Rackspace's spam infrastructure is dynamically spinning up new mailhosts (likely VMs) as a counter-measure to handling very large volumes of incoming mail from ISPs with a history of hosting spammers (or some other correlation method).

This means that if Spamcop's mailhost registration workflow requires specific server names, it will never be effective for Rackspace, and I am pretty sure Rackspace isn't the only one doing this.

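The check this thread is arguing about, as an added example that is not part of any post and is not SpamCop's parser: it pulls the sender and the receiving ("by") host out of a Received line in the layout quoted above, then compares the receiving host with a registered list by exact FQDN and by parent domain. The function names and the per-host list entry are assumptions made for illustration.

```python
import re

# Layout of the Received lines quoted in this thread (ecelerity style).
RECEIVED_RE = re.compile(
    r"Received:\s+from\s+\[(?P<ip>[0-9A-Fa-f.:]+)\]"   # connecting IP
    r".*?helo=(?P<helo>[^\s)]+)\)"                      # name the sender claimed
    r"\s+by\s+(?P<by>[^\s;()]+)"                        # receiving host
)

def parse_received(line):
    """Split one Received line into sender IP, HELO name and receiving host."""
    m = RECEIVED_RE.search(line)
    if m is None:
        raise ValueError("unrecognised Received line")
    return {k: v.lower().rstrip(".") for k, v in m.groupdict().items()}

def receiver_status(by_host, registered):
    """Return 'exact', 'domain' or 'unknown' for the receiving host."""
    host = by_host.lower().rstrip(".")
    entries = {e.lower().rstrip(".") for e in registered}
    if host in entries:
        return "exact"
    labels = host.split(".")
    # Walk parent domains on label boundaries, stopping before the bare TLD,
    # so "rsapps.net" covers smtp4.gate.iad3a.rsapps.net but not evilrsapps.net.
    for i in range(1, len(labels) - 1):
        if ".".join(labels[i:]) in entries:
            return "domain"
    return "unknown"

# Received line as quoted in the first post.
SAMPLE = ("Received: from [134.58.240.129] ([134.58.240.129:54407] "
          "helo=cavuit01.kulnet.kuleuven.be) by smtp4.gate.iad3a.rsapps.net "
          "(envelope-from <x>) (ecelerity 2.2.3.49 r(42060/42061)) with ESMTP "
          "id 0F/73-03583-136B9755; Thu, 11 Jun 2015 12:24:17 -0400")

# Constructed registrations: one per-host entry (made up) and the two
# domains the thread says are on the list.
PER_HOST_ONLY = ["smtp1.gate.iad3a.rsapps.net"]
WITH_DOMAINS = PER_HOST_ONLY + ["rsapps.net", "mlsrvr.com"]

if __name__ == "__main__":
    hop = parse_received(SAMPLE)
    print(hop["by"], receiver_status(hop["by"], PER_HOST_ONLY))
    print(hop["by"], receiver_status(hop["by"], WITH_DOMAINS))
```

With per-host matching only, every newly named gateway falls through to "unknown"; a label-boundary parent-domain match covers new hosts without also accepting look-alike domains.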
