No unique hostname found for source

[Magna atque magnifica Oz]

Hello,

A few days ago, I started encountering spam messages which cannot be processed due to what appears to be a problem with resolving an ipv6 address.

Here is the tracking link: https://www.spamcop.net/sc?id=z6437392727zd5176b494aaf328f9c8ad3ba8a7727ebz

The error I received with this particular one was:

No unique hostname found for source: 2002:a17:902:aa4a:0:0:0:0

Possible forgery. Supposed receiving system not associated with any of your mailhosts

Will not trust this Received line.

Mailhost configuration problem, identified internal IP as source

 

The receiving account is a gmail account, and the sending IP (according to gmail) is 114.147.58.100, which belongs to ocn.ad.jp aka the ISP from Hell. There are also numerous references to ocn throughout the header, so I am confident that they are the source.

The only place that the aforementioned ipv6 address occurs in the entire header is a single X-Received: line. Every gmail message I've checked has an X-Received: line (invariably with a 10.xxx.xxx.xxx IP address), so I don't know if it's a google error, or if ocn spammers have figured out how to spoof this field, or if the problem is internal to Spamcop. I couldn't find anybody having a similar problem in the forum. I even tried going through the spamcop registration  process again, but that didn't solve the problem.

The only thing that seems consistent is that these errors only occur with spams sent from ocn.

Hopefully, somebody out there has some ideas.

 

[lisati]

When I checked the link you provided, I noticed this line:

Mailhost configuration problem, identified internal IP as source

Have you configured the mailhost(s) for your email accounts?

[Magna atque magnifica Oz]

22 hours ago, lisati said:

When I checked the link you provided, I noticed this line:

 

 

Have you configured the mailhost(s) for your email accounts?

Yes. That's what I meant when I said I went through the Spamcop registration process again. Sorry if I was unclear.

It's cropped up again with invision7.com, and ISP out of Malaysia. So, for the moment, it seems to be isolated to ISPs in east asia.

 

I am certain that the problem originates with the X-Received line that Gmail throws into its headers. The usual ipv4 10.xxx.xxx.xxx works fine, but an ipv6 address seems to give the parser indigestion. The X-Received line is the ONLY place that the ipv6 address appears in these problem emails.

While composing this message, I did some digging, and discovered that the ipv6 address that's been causing me grief ( 2002:a17:902: xxxx) is reserved for 6to4 conversion and translates, interestingly enough, back to ipv4 10.xxx.xxx.xxx. So, it's starting to look like an oversight in the parser where the 6to4 conversion is concerned.

[petzl]

1 hour ago, Magna atque magnifica Oz said:

Yes. That's what I meant when I said I went through the Spamcop registration process again. Sorry if I was unclear.

It's cropped up again with invision7.com, and ISP out of Malaysia. So, for the moment, it seems to be isolated to ISPs in east asia.

 

I am certain that the problem originates with the X-Received line that Gmail throws into its headers. The usual ipv4 10.xxx.xxx.xxx works fine, but an ipv6 address seems to give the parser indigestion. The X-Received line is the ONLY place that the ipv6 address appears in these problem emails.

While composing this message, I did some digging, and discovered that the ipv6 address that's been causing me grief ( 2002:a17:902: xxxx) is reserved for 6to4 conversion and translates, interestingly enough, back to ipv4 10.xxx.xxx.xxx. So, it's starting to look like an oversight in the parser where the 6to4 conversion is concerned.

Yes Gmail has "upgraded(downgraded)" its headers for customers?

[A.J.Mechelynck]

See also

 

[Magna atque magnifica Oz]

6 hours ago, petzl said:

Yes Gmail has "upgraded(downgraded)" its headers for customers?

Not really. I have some old Gmail messages from 2013 with the same type of X-Received field. It seems to be an unintended consequence of the transition to ipv6 which Spamcop was unprepared to deal with.

Understandable, because this IP range was designated for private use, and Spamcop would have no reason to expect to see them. 

[petzl]

8 hours ago, Magna atque magnifica Oz said:

Not really. I have some old Gmail messages from 2013 with the same type of X-Received field. It seems to be an unintended consequence of the transition to ipv6 which Spamcop was unprepared to deal with.

Understandable, because this IP range was designated for private use, and Spamcop would have no reason to expect to see them. 

OK just got one of those when it was posted here? No troubles since

[Magna atque magnifica Oz]

Update: The situation is getting worse. It started with only ISPs on the Asia/Pacific rim, and now it's cropping up in spams from ISPs in the continental U.S. Half of the spam emails I received today were unreportable  because of this.

[Cowboy Bob]

Am I to understand from this discussion that this is a rapidly escalating problem that is beyond my control, and that all I can do when I get the "nothing to report" message from SpamCop is to ignore it, and hope that sometime soon Google and/or SpamCop can figure out how to fix the problem?

 

[Cowboy Bob]

Is anyone aware of any blog posts, news articles, news releases, or any other indication that Google and/or SpamCop is aware of this new kind of spam and that they are doing anything about it (or have decided not to)?

I'm very uneasy living in a world where the evidence points to the conclusion that the bad guys are winning.

[A.J.Mechelynck]

Cowboy Bob: As described in the thread "IPv6 still unsupported?" mentioned a few posts earlier in this thread, when SpamCop fails because the spam had an "X-Received" line with an (unroutable) address in IPv6 format, just cut that line and any continuatuion (i.e. indented) line(s) following it: the parse will then succeed and you can paste the offending line(s) into the user's comment box at the bottom of the parse, perhaps with a title like "The following line had to be snipped to avoid spamcop malfunction:" or something, before you send the reports.

We can hope that someday the parser logic will be slightly modified to take care of this automagically, but AFAIK SpamCop maintenance is a low-priority business, so don't put your hopes too high.

[Cowboy Bob]

Thanks A.J.Mecheynck, That worked for me. I use Google's Inbox for Gmail, and this only adds about 2 mouse clicks and less than 5 seconds to the time it takes me to submit a spam to SpamCop. I only paste the X-Received line into the comment box; I don't type anything, and that has never raised any problems. My guess would be that deleting the X-Received line is all that matters, and that the user's comment isn't needed at all.