Dilbertic

Reported spam says I set it Red Flags!!!


I reported my held mail as normal last night before bed and when I checked my mail today the message was flagged in my mailbox as if I was the spammer and sent the message. So I have an email from my abuse desk asking what's going on.

See message below:

Return-Path: <NXBLFKYD[at]saini.com>

Delivered-To: x

Received: (qmail 5084 invoked from network); 20 Aug 2004 21:06:41 -0000

Received: from unknown (192.168.1.101)

by blade1.cesmail.net with QMQP; 20 Aug 2004 21:06:41 -0000

Received: from emailwest.com (64.62.213.111)

by mailgate.cesmail.net with SMTP; 20 Aug 2004 21:06:40 -0000

Received: from HOST ([218.14.185.67]) by emailwest.com for <x>; Fri, 20 Aug 2004 14:06:32 -0700

X-Message-Info: 1thwpwuk7sbF/wsRlwHChfrOAvbI714Jlf

Received: from bloch (46.19.109.48)

by mrm20.argentina.phenylalanine.childbear.knowhere.ch

(InterMail vY.9.70.78.02 25-6-2-89-395-88340132) with ESMTP

id <43811.AAYHN8349.cf46-mail.brevet.pa.net.cable.rogers.com[at]maximilian>

for <x>; Sat, 21 Aug 2004 10:57:13 -0200

Message-ID: <0361________________________________s999[at]agricola>

Reply-To: "Harley Rowland" <NXBLFKYD[at]saini.com>

From: "Harley Rowland" <NXBLFKYD[at]saini.com>

To: <x>

Subject: Shipped Right To You

Date: Sat, 21 Aug 2004 07:00:13 -0600

MIME-Version: 1.0

Edited by Dilbertic


And another one from my ISP abuse desk. SpamCop traced it to my machine, it says, and it's pretty locked down, so the spammers must have found a way to fool SpamCop or SpamCop is not tracing the headers right:

Return-Path: <j_christian_ni[at]terena.nl>

Delivered-To: x

Received: (qmail 26484 invoked from network); 21 Aug 2004 03:20:33 -0000

Received: from unknown (192.168.1.101)

by blade2.cesmail.net with QMQP; 21 Aug 2004 03:20:33 -0000

Received: from emailwest.com (64.62.213.111)

by mailgate.cesmail.net with SMTP; 21 Aug 2004 03:20:33 -0000

Received: from star-ag.ch ([202.82.193.105]) by emailwest.com for <x>; Fri, 20 Aug 2004 20:20:24 -0700

Received: from 241.181.190.181 by smtp.terena.nl;

Sat, 21 Aug 2004 03:02:06 +0000

Message-ID: <e133______________________0e97[at]star-ag.ch>

From: "Jaclyn M. Christian" <j_christian_ni[at]terena.nl>

To: x

Subject: Buy cheap Pharmaceuticals through us!

Date: Sat, 21 Aug 2004 07:01:42 +0400

MIME-Version: 1.0

Edited by Dilbertic


1. Are these messages that YOU have reported?

2. If so, do you have Mailhosts configuration complete?

Posting the spam here is not needed or wanted. We would need to see the tracking URL from the results report for the messages to see why it is reporting your IP address. This is another case where all reports should be at least looked at for accuracy.

Edited by StevenUnderwood


I have no idea if I reported it or not, I might have... I have gotten abuse emails with a link to SpamCop, and if I respond to the SpamCop message it comes into my mailbox, so I am guessing I reported it.....

This is the SpamCop logic...

No idea what is needed so I copied and pasted it...

Thanks, Owen

Parsing header:

0: Received: from unknown (192.168.1.101) by blade2.cesmail.net with QMQP; 21 Aug 2004 03:20:33 -0000

Internal handoff at SpamCop

1: Received: from emailwest.com (64.62.213.111) by mailgate.cesmail.net with SMTP; 21 Aug 2004 03:20:33 -0000

Hostname verified: emailwest.com

SpamCop received mail from sending system 64.62.213.111

2: Received: from star-ag.ch ([202.82.193.105]) by emailwest.com for <x>; Fri, 20 Aug 2004 20:20:24 -0700

No unique hostname found for source: 202.82.193.105

Possible forgery. Supposed receiving system not associated with any of your mailhosts

Will not trust anything beyond this header

Tracking message source: 64.62.213.111:

Routing details for 64.62.213.111

[refresh/show] Cached whois for 64.62.213.111 : hostmaster[at]he.net

Using best contacts abuse[at]he.net

Message is 17 hours old

64.62.213.111 not listed in dnsbl.njabl.org

64.62.213.111 not listed in dnsbl.njabl.org

64.62.213.111 not listed in cbl.abuseat.org

64.62.213.111 not listed in dnsbl.sorbs.net

64.62.213.111 not listed in relays.ordb.org.

64.62.213.111 not listed in query.bondedsender.org

64.62.213.111 not listed in iadb.isipp.com

Finding links in message body

Parsing HTML part

Resolving link obfuscation

Tracking link: http://edited

[report history]

Cannot resolve http://www.worldwidemedstoday.com/?wid=000023

Reports regarding this spam have already been sent:

Re: 64.62.213.111 (Administrator of network where email originates)

Reportid: 1186940734 To: abuse[at]he.net

If reported today, reports would be sent to:

Re: 64.62.213.111 (Administrator of network where email originates)

abuse[at]he.net

Re: 64.62.213.111 (Third party interested in email source)

Edited by Dilbertic


I'm guessing that you might have a "Mailhosts" problem. Did you configure a "Mailhost"? If so, then the parsing problems are probably due to a problem there and you'll want to take this issue up in the Mailhosts forum.

dt


To take DavidT's query one more level ... did you configure MailHost for "this account" I think is the issue. .. or for some reason, this account was never completed .. .. but, need to point out that you were the one that "allowed / directed" these spam reports to go out to your own ISP.


I haven't changed a thing for some time now with my mail setup. I completed my mailhost setup months ago!! I guess I can run it again and see what happens.

As for reporting it as spam, I get about 100 to 400 spams a day and I look down the held mail list for mistakes and then report the spam.

Owen


I don't read "looked down the held mail list" as "checked the parsing results and target complaint address" ... the result of which would be quite different.

As for reporting it as spam, I get about 100 to 400 spams a day and I look down the held mail list for mistakes and then report the spam.

Unless your crystal ball works 1000 times better than mine, I have no idea how you can identify a forgery or predict exactly how the parser is going to handle all the headers and links in each message by simply looking down the held mail list for mistakes.

That approach works great for finding false positives, but that's about all.


Just a bit of update .... Dilbertic did re-do the mail-host configuration and per the Tracking URL provided in the Topic opened up in the Mail-Host Forum, this immediate issue is now resolved.
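
A simplified model of the trust walk in the parser output quoted earlier in the thread, as an added example (not SpamCop's code and not part of the original posts): the Received chain is read newest first, and tracing stops at the first header whose receiving system is not a trusted host. The names `trace_source`, `is_trusted` and the trusted-domain sets are hypothetical, and treating emailwest.com as the host that the redone Mailhosts setup registers is an assumption.

```python
import ipaddress
import re

# Received lines of the second reported message, newest first (from the thread).
RECEIVED = [
    "from unknown (192.168.1.101) by blade2.cesmail.net with QMQP; 21 Aug 2004 03:20:33 -0000",
    "from emailwest.com (64.62.213.111) by mailgate.cesmail.net with SMTP; 21 Aug 2004 03:20:33 -0000",
    "from star-ag.ch ([202.82.193.105]) by emailwest.com for <x>; Fri, 20 Aug 2004 20:20:24 -0700",
    "from 241.181.190.181 by smtp.terena.nl; Sat, 21 Aug 2004 03:02:06 +0000",
]

# "from <name> [(ip)] by <receiver>"; the parenthesised IP is optional.
HOP = re.compile(r"from\s+(\S+)(?:\s+\(\[?([\d.]+)\]?\))?\s+by\s+([^\s;]+)")


def is_trusted(receiver, trusted_domains):
    """True if the receiving host is one of the trusted domains or a subdomain."""
    receiver = receiver.lower()
    return any(receiver == d or receiver.endswith("." + d) for d in trusted_domains)


def trace_source(received, trusted_domains):
    """Return the last sender IP recorded by a trusted receiver, or None."""
    source = None
    for line in received:
        hop = HOP.search(line)
        if hop is None:
            break  # unparseable header: stop rather than guess
        name, ip_text, receiver = hop.groups()
        if not is_trusted(receiver, trusted_domains):
            break  # possible forgery: trust nothing beyond this header
        try:
            ip = ipaddress.ip_address(ip_text or name)
        except ValueError:
            break  # no usable sender IP on this hop
        if ip.is_private:
            continue  # internal handoff between the receiver's own machines
        source = str(ip)
    return source


if __name__ == "__main__":
    # Only SpamCop's receiving systems trusted: the reporter's own forwarder is blamed.
    print(trace_source(RECEIVED, {"cesmail.net"}))
    # Assumption: the redone Mailhosts setup adds emailwest.com to the trusted set.
    print(trace_source(RECEIVED, {"cesmail.net", "emailwest.com"}))
```

With only cesmail.net trusted, the walk ends at 64.62.213.111, the address the quoted report went out against; with the forwarding host trusted as well, it ends one hop further back.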
