Jump to content

Valid Host discarded as forgery...


zweers

Recommended Posts

In the past we have gotten very useful reports from spamcop when a user spams. We have tried to react to the customers very quickly.

However, recently something appears to have changed (if I'm wrong about this, I'm sure I'll be corrected).

http://www.spamcop.net/sc?id=z280296275z84...7f5a52b72f0de9z

This is the "logic" behind this report being generated.

Specifically...

Received: from mshweihat (ppp120.f1.56k.execulink.com [209.239.31.120]) by gouda.execulink.net (8.11.6/8.11.6) with SMTP id i11MKbw15574; Sun, 1 Feb 2004 17:20:37 -0500

host 209.239.31.120 = ppp120.f1.56k.execulink.com (cached)

host ppp120.f1.56k.execulink.com (checking ip) = 209.239.31.120

199.166.6.56 not listed in dnsbl.njabl.org

199.166.6.56 not listed in cbl.abuseat.org

199.166.6.56 not listed in dnsbl.sorbs.net

199.166.6.56 is not an MX for nas.net

199.166.6.56 is not an MX for gouda.execulink.net

199.166.6.56 is not an MX for gouda.execulink.net

199.166.6.56 is not an MX for nas.net

199.166.6.56 not listed in dnsbl.njabl.org

Possible spammer: 209.239.31.120

209.239.31.120 is not an MX for ppp120.f1.56k.execulink.com

host ppp120.f1.56k.execulink.com (checking ip) = 209.239.31.120

host gouda.execulink.net (checking ip) = 199.166.6.56

199.166.6.56 not listed in dnsbl.njabl.org

199.166.6.56 not listed in cbl.abuseat.org

199.166.6.56 not listed in dnsbl.sorbs.net

199.166.6.56 is not an MX for nas.net

199.166.6.56 is not an MX for gouda.execulink.net

199.166.6.56 is not an MX for gouda.execulink.net

199.166.6.56 is not an MX for nas.net

199.166.6.56 not listed in dnsbl.njabl.org

Possible spammer: 209.239.31.120

209.239.31.120 is not an MX for ppp120.f1.56k.execulink.com

host ppp120.f1.56k.execulink.com (checking ip) = 209.239.31.120

host gouda.execulink.net (checking ip) = 199.166.6.56

199.166.6.56 not listed in dnsbl.njabl.org

199.166.6.56 not listed in cbl.abuseat.org

199.166.6.56 not listed in dnsbl.sorbs.net

Chain test:gouda.execulink.net =? gouda.execulink.net

gouda.execulink.net and gouda.execulink.net have same hostname - chain verified

Possible relay: 199.166.6.56

199.166.6.56 not listed in relays.ordb.org.

199.166.6.56 has already been sent to relay testers

Received line accepted

209.239.31.120 discarded as a forgery, using 199.166.6.56

In fact, this message did originate from this IP, relayed through our mail server as is the norm (I assume it is still prefered that users relay mail through their local ISP rather then direct.)

I'm not sure how this decision was made, but it has resulted in our server being listed (quite annoying).

Is there something that I'm missing here or has something changed that caused this IP address to be discarded as a forgery?

Link to comment
Share on other sites

Received: by nas.net (CommuniGate Pro PIPE 4.1.8)

  with PIPE id 18659775; Sun, 01 Feb 2004 17:35:13 -0500

Received: from [199.166.6.56] (HELO gouda.execulink.net)

  by nas.net (CommuniGate Pro SMTP 4.1.8)

  with ESMTP id 18659780; Sun, 01 Feb 2004 17:35:08 -0500

Received: from mshweihat (ppp120.f1.56k.execulink.com [209.239.31.120])

by gouda.execulink.net (8.11.6/8.11.6) with SMTP id i11MKbw15574;

Sun, 1 Feb 2004 17:20:37 -0500

Looks like the chain is being broken...

If you can fix that it would help. You might want to send an email to deputies at spamcop dot net. (It *could* be a problem with nas.net not properly adding headers)

Link to comment
Share on other sites

I believe a deputy should check it as there does seem to be a parsing problem.

There is also a user problem as people should be checking what they report before they press the submit button. It also looks like this person is reporting virus email which is not allowed.

A sample sent sometime during the 24 hours beginning Saturday, January 31, 2004 7:00:00 PM -0500:

Received: from [199.166.6.56] (- -.-.net)-

by -.net (- - SMTP -.-.-)-

with - id -6- Sun, - Feb 2004 - -

Subject: hello

From: in.. at ..er.ca

hello in the subject looks like MyDoom.

Yes the deputy should check to see why the chain breaks this is a possible misconfiguration and also to see if someone is reporting virus email.

Link to comment
Share on other sites

I'm not sure how the chain is being broken.

Our customer on 209.239.31.120 is sending to 199.166.6.56 (our server, gouda), and it is sending it on to a mcmaster.ca mail server.

I'm confused with the nas.net name in the next hop, but since its not my server (left at gouda) I'm not sure what I could do with that.

Link to comment
Share on other sites

Whats the timeframe I should or could expect some type of response and is anyone else noticing this problem. I've heard from a couple of other local companies that they have found themselves black listed as well. Since I don't see the spam reports on their systems I can't see if this is in fact the same thing though.

Link to comment
Share on other sites

Yes, sorry, I didn't give the listing for the second server (though I did forward that message to deputies)

http://www.spamcop.net/w3m?action=checkblock&ip=199.166.6.57

I've shut down this server completely, but I'm very concerned that the problem may get repeated and we have both servers listed.

http://www.spamcop.net/sc?id=z279994384zfd...c9021a7e78ebefz

Link to comment
Share on other sites

Yes, sorry, I didn't give the listing for the second server (though I did forward that message to deputies)

http://www.spamcop.net/w3m?action=checkblock&ip=199.166.6.57

I've shut down this server completely, but I'm very concerned that the problem may get repeated and we have both servers listed.

http://www.spamcop.net/sc?id=z279994384zfd...c9021a7e78ebefz

The deputies will be able to help you with this when they respond. It's not always instant, but it should be within 24 hours.

For now, I have delisted that second server.

JT

Link to comment
Share on other sites

Yes, sorry, I didn't give the listing for the second server (though I did forward that message to deputies)

http://www.spamcop.net/w3m?action=checkblock&ip=199.166.6.57

I've shut down this server completely, but I'm very concerned that the problem may get repeated and we have both servers listed.

http://www.spamcop.net/sc?id=z279994384zfd...c9021a7e78ebefz

Looks like you've got a compromised machine on your networks...

I would assume that your company would not be sending mail entitled "untold beast sex"

Unfortunately I think it's going to take a deputy to provide any additional details.

Oh, does your server(s) send out virus notifications?

Link to comment
Share on other sites

The deputies will be able to help you with this when they respond. It's not always instant, but it should be within 24 hours.

For now, I have delisted that second server.

JT

The rules for mail relays are pretty tight right now. Those hosts were getting flagged because they're not really MX's for themselves or the execulink.net domain. They've been marked as trusted relays now, though.

If spam actually originates on them, they'll still get listed. However, they won't get kicked out as forgeries any more. You can test the original parsing URLs posted above and verify that.

JT

Link to comment
Share on other sites

OK, great, thanks.

I'm a bit confused about the MX issue. I know that I can add MX's too all our dialup IP addresses. We haven't done it in the past since we don't really want these hosts to receive mail. (I realize servers will simply attempted direct delivery then).

We have several thousand IP's used for dialup, DSL, cable etc etc. I'm not sure what I need to do to prevent any activites done on these from generating a hit against the server they communicate through.

Not having an MX doesn't seem too me to be a reason for it to be considered a forgery, but I can add them. The biggest problem would be setting up our mail servers to accept mail for them. I'm wondering if/when having an MX pointing to a server that rejects all mail would be effective? We run a system that requires a match in LDAP before it will accept mail.

I just want to make sure that I know what is expected here before I do it.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...