Jump to content
ravenstar68

Reporting - Wrong Received line identified as spammer

Recommended Posts

Hi

I came across your reporting tool yesterday, as I help out on the Virgin Media e-mail forum and one user wanted to block as9143, as your reporting tool identified it as a spammer.

For the record as9143 is the Autonomous Service number of Ziggo internet, and Virgin Media actually host their email platform there as both companies are owned by Liberty Global.

I've tried the reporting tool myself today with an unmodified mail source.  There appears to be a problem.  Looking at the header information only here:

Return-Path: <julie_mendoza@android-mediacenter.com>
Delivered-To: x
Received: from md13.tb.ukmail.iss.local ([212.54.57.73])
	by mc8.tb.ukmail.iss.local (Dovecot) with LMTP id FbnPMLTb5VcnGAAAVqD7fw
	for <x>; Sat, 24 Sep 2016 03:50:16 +0200
Received: from mx6.tb.ukmail.iss.as9143.net ([212.54.57.73])
	by md13.tb.ukmail.iss.local (Dovecot) with LMTP id oPwyBoDWlFbNQQAAqJN26w
	; Sat, 24 Sep 2016 03:50:16 +0200
Received: from android-mediacenter.com ([37.252.122.91])
	by mx6.tb.ukmail.iss.as9143.net with bizsmtp
	id nDpu1t0041yRVcd01Dpv6m; Sat, 24 Sep 2016 03:49:56 +0200
X-spam-Action: folder spam
X-SourceIP: 37.252.122.91
X-CNFS-Analysis: v=2.2 cv=TJoHcBta c=1 sm=1 tr=0 p=XV3dVy5JtiUA:10
 a=XRFXrBVhVSsQnPq5ts7Q4Q==:117 a=XRFXrBVhVSsQnPq5ts7Q4Q==:17 a=2sMxTpsZAAAA:8
 a=-5zWNhNOLqyU-mziGwwA:9 a=CjuIK1q_8ugA:10 a=9igu4sHJnlQA:10
 a=A4GxgP0Wf4sA:10 a=qcKvcIRw2B-Flh6p21IA:9 a=_W_S_7VecoQA:10
 a=tpYBpqdMaEUA:10 a=o6gHy28TGYCxXgbS0hxg:22
Date: Sat, 24 Sep 2016 01:49:52 +0000
To: x
From: Julie Mendoza <julie_mendoza@android-mediacenter.com>
Subject: We're Perfect Match
Message-ID: <7ad1________________________45d9@android-mediacenter.com>
X-Priority: 3
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="b1_7ad1978f4b2ef435299465152bba45d9"
Content-Transfer-Encoding: 8bit

Your system reports the possible spammer as being 

Received:  from md13.tb.ukmail.iss.local ([212.54.57.73]) by mc8.tb.ukmail.iss.local (Dovecot) with LMTP id FbnPMLTb5VcnGAAAVqD7fw for <x>; Sat, 24 Sep 2016 03:50:16 +0200
host 212.54.57.73 = mx6.tb.ukmail.iss.as9143.net (cached)
mx6.tb.ukmail.iss.as9143.net is 212.54.57.73
Possible spammer: 212.54.57.73
Received line accepted

However as Received: lines should be read from the bottom up this is actually the last link in the delivery chain, which is one of Ziggo's internal servers delivering to the final server which stores the message in the users inbox.

The actual spammers address is given in the bottom most Received line:

 

Received: from android-mediacenter.com ([37.252.122.91])
	by mx6.tb.ukmail.iss.as9143.net with bizsmtp
	id nDpu1t0041yRVcd01Dpv6m; Sat, 24 Sep 2016 03:49:56 +0200

Could you please take a look.

Virgin Media's email system did correctly identify this message as spam BTW

Thanks

Ravenstar68

Edit

I think I understand what's happening here.

The reporting system relies on the fact that most email providers use private addresses e.g. 10.x.x.x in their internal systems.  Because Ziggo uses public addresses on it's internal hops, this is confusing your reporting tool.

Edited by ravenstar68

Share this post


Link to post
Share on other sites

Hi, and welcome.

The short answer is, to get SpamCop to correctly identify the actual sending mail server (rather than identifying servers within the Virgin Media mail system as the sender, or indeed from going too far down a chain of 'Received' headers and getting an earlier hop on the sender's side rather than the server that actually handed the message off from them to you) you should set up 'Mailhosts' in your SpamCop account, as described at https://www.spamcop.net/fom-serve/cache/397.html - basically, you tell it the email address(es) of yours, and it sends you a few 'probe' emails to allow it to trace how your incoming mail is routed.

Share this post


Link to post
Share on other sites

The problem is Virgin have multiple servers at each hop.  So to get a full picture of the internal mail hosts, I dread to think how many mails you'd need to send

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×