caquino

Error in spamcop block


Hi, your system is blocking the wrong IP address when the mail servers are configured to work in a cluster.

Looking at this header you can see:

The message comes from 200.189.61.5 [the real spammer] and enters my mail cluster at the machine bloco-05.gmail.comdominio.com.br; this machine forwards the mail to bloco-02.gmail.comdominio.com.br because the mailbox of this user lives there.

Your system is blocking bloco-02.gmail.comdominio.com.br instead of xena.persistelecom.com.br.

I can't remove the headers because the cluster needs them to prevent message loops.

What can I do to remove my mail server from the listing?

Is this bug going to be corrected, or do I need to find some way to remove the header?

From - Thu Aug 19 16:30:39 2004
X-UIDL: 1092943759.M208492P30741V0000000000000808I00009DC8_0.bloco-05,S=21309
X-Mozilla-Status: 0000
X-Mozilla-Status2: 00000000
Received: (qmail 30739 invoked from network); 19 Aug 2004 19:29:19 -0000
Received: from sp.200_155_11_195.datacenter1.com.br ([200.155.11.195])
          by bloco-05.gmail.comdominio.com.br (qmail-ldap-1.03) with compressed QMQP; 19 Aug 2004 19:29:19 -0000
Delivered-To: CLUSTERHOST bloco-02.gmail.comdominio.com.br agnew <at> supernet <dot> com <dot> br
Received: (qmail 25168 invoked from network); 19 Aug 2004 19:36:07 -0000
Received: from xena.persistelecom.com.br ([200.189.61.5])
          (envelope-sender <abdif[at]frizz.com.br>)
          by bloco-02.gmail.comdominio.com.br (qmail-ldap-1.03) with SMTP
          for <x>; 19 Aug 2004 19:36:05 -0000
Received: (qmail 13994 invoked by uid 111); 19 Aug 2004 19:21:11 -0000
Received: from unknown (HELO windowsukstyaw) (debora.clivati[at]londrina.net[at]200.189.60.222)
  by xena.persistelecom.com.br with SMTP; 19 Aug 2004 19:21:11 -0000
Message-ID: <01e1______________________1d0a[at]windowsukstyaw>
From: "ABDIF" <abdif[at]frizz.com.br>
To: <Undisclosed-Recipient:;>
Subject: =?iso-8859-1?Q?NS_-_A/C_Depto_Financeiro_-_Quita=E7=E3o_de_D=EDvidas_Tr?=
        =?iso-8859-1?Q?ibut=E1rias_2?=
Date: Thu, 19 Aug 2004 15:38:29 -0300
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_00A5_01C48602.93852690"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1437
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
X-Faxineiro: Talvez, spamlevel=0.520000, version=0.92.4

This is a multi-part message in MIME format.

------=_NextPart_000_00A5_01C48602.93852690
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

            ABDIF - Associa=E7=E3o Brasileira de Defesa de

Edited by caquino


This will be an interesting discussion and I will follow it closely :)

I personally get a lot of spam from .br spammers.

Good luck with your efforts :)

> This will be an interesting discussion and I will follow it closely :)
>
> I personally get a lot of spam from .br spammers.
>
> Good luck with your efforts :)

We are a Brazilian hosting company and we are trying to stop spam from/to our users. We have an internal RBL and various anti-spam policies. We know that it is impossible to stop it, but we will try! hehehe

That's why we are bothered that one of our servers is listed in SpamCop.


If you are in control of 200.128/9 then you are nothing but spam supporters. "_MANY_" of the world's worst spammers are hosted within this range.

200.128/9 will be in many personal blocklists for a lifetime.

If you are only a portion of this range then what portion?


Hey, I have friends and business connections in .br

Let's not throw the baby out with the bath water, nor let us heap all .br domains into one big trash heap.

I'm giving this poster the benefit of the doubt for now. Let's be trusting until the facts are in :)

Edited by flagginator

> If you are in control of 200.128/9 then you are nothing but spam supporters. "_MANY_" of the world's worst spammers are hosted within this range.
>
> 200.128/9 will be in many personal blocklists for a lifetime.
>
> If you are only a portion of this range then what portion?

I'm not in 200.128/9.

You have blocked 200.155.11.195, which is not the spammer. This is one of our cluster machines!

When a message comes into the cluster it is forwarded to the machine where the mailbox of the user resides, and the last hop in the header is the CLUSTER machine and not the SPAMMER.


The SpamCop parsing engine works the headers from the top down. If all you say is correct, then you should follow the flow from bottom to top and see if you can fix the "reporting/identification" of all these internal handoffs. In your example, a specific example would be (some editing done):

Received: from sp.200_155_11_195.datacenter1.com.br ([200.155.11.195])
         by bloco-05.gmail.comdominio.com.br (qmail-ldap-1.03) with compressed QMQP; 19 Aug 2004 19:29:19 -0000
Delivered-To: CLUSTERHOST bloco-02.gmail.comdominio.com.br
Received: (qmail 25168 invoked from network); 19 Aug 2004 19:36:07 -0000
Received: from xena.persistelecom.com.br ([200.189.61.5])
         by bloco-02.gmail.comdominio.com.br

There is no direct chain from the bloco-2 server to the sp.200_155 server (again, looking at it from the parser trying to do a chain test, walking from one server to the next) ... the sp.200_155 server just seems to appear out of nowhere.

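The chain test described above, as an added example (not SpamCop's code and not from anyone in the thread): it walks the Received: lines top-down, pairs each hop's "from" host with the next hop's "by" host, and shows that the walk stops at 200.155.11.195 in the posted headers, whereas a constructed variant in which bloco-05 names bloco-02 as the sending host (with a made-up 200.155.11.2 address) lets the walk reach xena at 200.189.61.5.

```python
import re
# Received: lines as posted in the thread (folded lines kept as they appeared).
ORIGINAL = """\
Received: (qmail 30739 invoked from network); 19 Aug 2004 19:29:19 -0000
Received: from sp.200_155_11_195.datacenter1.com.br ([200.155.11.195])
          by bloco-05.gmail.comdominio.com.br (qmail-ldap-1.03) with compressed QMQP; 19 Aug 2004 19:29:19 -0000
Delivered-To: CLUSTERHOST bloco-02.gmail.comdominio.com.br x
Received: (qmail 25168 invoked from network); 19 Aug 2004 19:36:07 -0000
Received: from xena.persistelecom.com.br ([200.189.61.5])
          (envelope-sender <abdif[at]frizz.com.br>)
          by bloco-02.gmail.comdominio.com.br (qmail-ldap-1.03) with SMTP
          for <x>; 19 Aug 2004 19:36:05 -0000
Received: (qmail 13994 invoked by uid 111); 19 Aug 2004 19:21:11 -0000
Received: from unknown (HELO windowsukstyaw) (debora.clivati[at]londrina.net[at]200.189.60.222)
  by xena.persistelecom.com.br with SMTP; 19 Aug 2004 19:21:11 -0000
"""
# Constructed variant: bloco-05 names bloco-02 as the host it received from
# (200.155.11.2 is a made-up placeholder inside the poster's 200.155.11/24 range).
REPAIRED = ORIGINAL.replace(
    "from sp.200_155_11_195.datacenter1.com.br ([200.155.11.195])",
    "from bloco-02.gmail.comdominio.com.br ([200.155.11.2])")

HOP_RE = re.compile(r"^Received: from (\S+)(.*?) by (\S+)")   # qmail "invoked" lines don't match
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def parse_hops(headers):
    """Top-down list of (from_host, from_ip, by_host) after unfolding continuation lines."""
    hops = []
    for line in re.sub(r"\n[ \t]+", " ", headers).splitlines():
        m = HOP_RE.match(line)
        if m:
            ip = IP_RE.search(m.group(1) + m.group(2))
            hops.append((m.group(1), ip.group(0) if ip else None, m.group(3)))
    return hops

def first_break(hops):
    """Index i where hop i's 'from' host is not hop i+1's 'by' host; None if the chain is intact."""
    for i in range(len(hops) - 1):
        if hops[i][0] != hops[i + 1][2]:
            return i
    return None

def attribute_source(headers, my_suffix):
    """Sending IP of the last hop received by one of our servers with the chain still intact."""
    hops = parse_hops(headers)
    brk = first_break(hops)
    last = None
    for i, (_, ip, by_host) in enumerate(hops):
        if not by_host.endswith(my_suffix):
            break            # handed into a server that is not ours: stop trusting here
        last = ip
        if brk == i:
            break            # the hop below never says it handed to this server
    return last

if __name__ == "__main__":
    print(first_break(parse_hops(ORIGINAL)))                       # 0: bloco-05 -> bloco-02 missing
    print(attribute_source(ORIGINAL, ".gmail.comdominio.com.br"))  # 200.155.11.195, a cluster node
    print(attribute_source(REPAIRED, ".gmail.comdominio.com.br"))  # 200.189.61.5, xena
```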
> I'm not in 200.128/9.
>
> You have blocked 200.155.11.195, which is not the spammer. This is one of our cluster machines!
>
> When a message comes into the cluster it is forwarded to the machine where the mailbox of the user resides, and the last hop in the header is the CLUSTER machine and not the SPAMMER.

So you are saying the cluster machine relayed the spam? If it did then it deserves to be listed.

I am just a SpamCop user who administers email servers. I believe 200.155.11.195 falls within 200.128/9, but in any event what range is yours? If I find no spammers within your range I will remove it from the blocklists of the servers I control.

> The SpamCop parsing engine works the headers from the top down. If all you say is correct, then you should follow the flow from bottom to top and see if you can fix the "reporting/identification" of all these internal handoffs. In your example, a specific example would be (some editing done):
>
> There is no direct chain from the bloco-2 server to the sp.200_155 server (again, looking at it from the parser trying to do a chain test, walking from one server to the next) ... the sp.200_155 server just seems to appear out of nowhere.

I'm using a qmail-ldap system here. For example:

A message comes from the internet and the load balancer puts the connection on bloco-05.gmail.comdominio.com.br. The message comes in if the user exists, but the user account is on bloco-02.gmail.comdominio.com.br, so the machine bloco-05 forwards the mail via QMTP to the machine bloco-02 and bloco-02 injects it into the user's mailbox.

The problem I have is that one of my machines is blocked but the spam does not come from it. The machine just forwards the mail to the user's mailbox machine. This machine is not a multi-hop relay; it is working in a cluster environment.

> So you are saying the cluster machine relayed the spam? If it did then it deserves to be listed.
>
> I am just a SpamCop user who administers email servers. I believe 200.155.11.195 falls within 200.128/9, but in any event what range is yours? If I find no spammers within your range I will remove it from the blocklists of the servers I control.

We have the entire 200.155/16 block,

but for my mail servers (because we have some co-located servers) it is 200.155.11/24.

Edited by caquino


If you look at the header, the message is Delivered-To CLUSTERHOST bloco-02.gmail.comdominio.com.br for the user agnew <at> supernet <dot> com <dot> br, which is a local mail account!

The problem is when one of my users reports spam to SpamCop:

Received: (qmail 30739 invoked from network); 19 Aug 2004 19:29:19 -0000
Received: from sp.200_155_11_195.datacenter1.com.br ([200.155.11.195])
          by bloco-05.gmail.comdominio.com.br (qmail-ldap-1.03) with compressed QMQP; 19 Aug 2004 19:29:19 -0000
Delivered-To: CLUSTERHOST bloco-02.gmail.comdominio.com.br agnew <at> supernet <dot> com <dot> br
Received: (qmail 25168 invoked from network); 19 Aug 2004 19:36:07 -0000
Received: from xena.persistelecom.com.br ([200.189.61.5])
          (envelope-sender <abdif[at]frizz.com.br>)
          by bloco-02.gmail.comdominio.com.br (qmail-ldap-1.03) with SMTP
          for <x>; 19 Aug 2004 19:36:05 -0000
Received: (qmail 13994 invoked by uid 111); 19 Aug 2004 19:21:11 -0000
Received: from unknown (HELO windowsukstyaw) (debora.clivati[at]londrina.net[at]200.189.60.222)
  by xena.persistelecom.com.br with SMTP; 19 Aug 2004 19:21:11 -0000

Edited by caquino


Good morning, caquino,

> If you look at the header, the message is Delivered-To CLUSTERHOST bloco-02.gmail.comdominio.com.br for the user agnew[at]supernet.com.br, which is a local mail account!
>
> The problem is when one of my users reports spam to SpamCop.

...Your user should send a copy of this spam to a SpamCop deputy (e-mail deputies <at> spamcop <dot> net) and explain what has happened. The user should also consider going through the SpamCop "Mailhosts" configuration. There may also be steps you can take to avoid this situation -- a deputy (and perhaps one of the other participants in this forum) can explain.

Edited by turetzsr

> Good morning, caquino,
>
> ...Regarding the code that you inserted in your first post -- is that an e-mail that you believe was submitted to SpamCop as a spam report? If so, do you know who submitted it -- was it one of your e-mail users? If that is the case, then it is not a bug in SpamCop but there are several actions that user can take to correct the problem. I (or one of my fellow SpamCop users) shall provide more details if you tell us that this is what is happening.

That's an email reported as spam. agnew <at> supernet <dot> com <dot> br is the reporter, who is one of your local users.

Edited by caquino

> Good morning, caquino,
>
> ...Regarding the code that you inserted in your first post -- is that an e-mail that you believe was submitted to SpamCop as a spam report? If so, do you know who submitted it -- was it one of your e-mail users? If that is the case, then it is not a bug in SpamCop but there are several actions that user can take to correct the problem. I (or one of my fellow SpamCop users) shall provide more details if you tell us that this is what is happening.
>
> That's an email reported as spam. agnew <at> supernet <dot> com <dot> br is the reporter, who is one of your local users.

...Understood.

...Did you do as I suggested and ask your user agnew <at> supernet <dot> com <dot> br to contact the SpamCop deputies and to try the SpamCop "Mailhosts" configuration process?

...You should Edit your posts here that include the user's e-mail address to make it more difficult for worms to harvest the address.


You've explained your setup well, you even admit seeing the problem, as you attempted to explain it again .... but you're missing the point. The SpamCop parser is an automated tool to perform this analysis, and as such, doesn't make these judgment calls, or make decisions on things that might "look" OK to you, me, or anyone else. The parser just tries to follow the flow of the spew from one server to the next .. and what I'm pointing out to you is that this "chain" is broken in your example. Instead of each server reporting where it got the e-mail from, your sample shows that it came in here, ducked into a hole there, and popped out on the other side, and arrived in the user's InBox. The SpamCop parser doesn't do "holes" .....

> You've explained your setup well, you even admit seeing the problem, as you attempted to explain it again .... but you're missing the point. The SpamCop parser is an automated tool to perform this analysis, and as such, doesn't make these judgment calls, or make decisions on things that might "look" OK to you, me, or anyone else. The parser just tries to follow the flow of the spew from one server to the next .. and what I'm pointing out to you is that this "chain" is broken in your example. Instead of each server reporting where it got the e-mail from, your sample shows that it came in here, ducked into a hole there, and popped out on the other side, and arrived in the user's InBox. The SpamCop parser doesn't do "holes" .....

Well, and the other users that use qmail-ldap in cluster mode? What do we have to do? Stop using qmail-ldap because the SpamCop parser does not understand what a cluster mail system is?

There is no hole.

The message comes in to bloco-05, which forwards it to bloco-02.

Where's the hole?

Edited by caquino


I haven't run that setup, so no, I can't tell you anything about that. I'm just pointing out the failure mode/point, which is what I thought you were asking about originally. That part of this "may" be resolved by this user going through the mail-host configuration may solve this one person's report issues, it doesn't solve the next user that decided to try to use SpamCop to report his/her spam.

That there's a "2" and a "5" server involved in your sample suggests that there are even more servers involved, so there's also a question as to how much work that this user might have to go through to ensure that "all" servers are identified .. again, if the chain between servers wasn't broken ....

> I haven't run that setup, so no, I can't tell you anything about that. I'm just pointing out the failure mode/point, which is what I thought you were asking about originally. That part of this "may" be resolved by this user going through the mail-host configuration may solve this one person's report issues, it doesn't solve the next user that decided to try to use SpamCop to report his/her spam.
>
> That there's a "2" and a "5" server involved in your sample suggests that there are even more servers involved, so there's also a question as to how much work that this user might have to go through to ensure that "all" servers are identified .. again, if the chain between servers wasn't broken ....

The 5 is the server where the mailbox resides; the 2 is the mail server where the mail comes in.

The message can come in from 1 to 5 and server N will redirect it to 5 because the user's mailbox resides on 5. I can't see any hole.

internet -> bloco-02 -> bloco-05

> The 5 is the server where the mailbox resides; the 2 is the mail server where the mail comes in.
>
> The message can come in from 1 to 5 and server N will redirect it to 5 because the user's mailbox resides on 5. I can't see any hole.
>
> internet -> bloco-02 -> bloco-05

Please try looking again at my first posting in here. Again, you know the machines, even I can "see" it ... but the headers don't "show" this ....

internet --> bloco-2

CLUSTERHOST

bloco-5 --> sp.200_155.....

Notice that the above doesn't match your above mentioned flow. ... There is no "direct" connection between bloco-2, CLUSTERHOST, bloco-5, or the end user's InBox as far as the parser is concerned ... it just sees separate systems inserted into the header, just like all the other spammy forged headers used to try to redirect any and all spam reporters.

> Please try looking again at my first posting in here. Again, you know the machines, even I can "see" it ... but the headers don't "show" this ....

Let me show what the header SHOWS.

Start from the bottom:

Received: (qmail 30739 invoked from network); 19 Aug 2004 19:29:19 -0000
Received: from sp.200_155_11_195.datacenter1.com.br ([200.155.11.195])
         by bloco-05.gmail.comdominio.com.br (qmail-ldap-1.03) with compressed QMQP; 19 Aug 2004 19:29:19 -0000 -> THE CLUSTER MACHINE THAT HAS THE USER MAILBOX, BLOCO-05
Delivered-To: CLUSTERHOST bloco-02.gmail.comdominio.com.br agnew <at> supernet <dot> com <dot> br -> BLOCO-02 DELIVERING TO THE OTHER CLUSTER MACHINE
Received: (qmail 25168 invoked from network); 19 Aug 2004 19:36:07 -0000
Received: from xena.persistelecom.com.br ([200.189.61.5])
         (envelope-sender <abdif[at]frizz.com.br>)
         by bloco-02.gmail.comdominio.com.br (qmail-ldap-1.03) with SMTP
         for <x>; 19 Aug 2004 19:36:05 -0000 -> BLOCO-02 HEADER
Received: (qmail 13994 invoked by uid 111); 19 Aug 2004 19:21:11 -0000
Received: from unknown (HELO windowsukstyaw) (debora.clivati[at]londrina.net[at]200.189.60.222)
         by xena.persistelecom.com.br with SMTP; 19 Aug 2004 19:21:11 -0000 -> THE USER CONNECTS TO BLOCO-02

I can see everything in the headers... I don't need to know the machines.


Perhaps looking at some of the other discussions in here that have folks offering up a Tracking URL to look at their spam submittal might help .. compare a few of those spam headers and look at the flow of e-mail from one server to another ... notice that IP addresses and fully qualified domain names are part of that flow .... from one machine to the next ... as stated before, your sample headers show e-mail here, then over there, then over here

> Perhaps looking at some of the other discussions in here that have folks offering up a Tracking URL to look at their spam submittal might help .. compare a few of those spam headers and look at the flow of e-mail from one server to another ... notice that IP addresses and fully qualified domain names are part of that flow .... from one machine to the next ... as stated before, your sample headers show e-mail here, then over there, then over here

The message goes through this way.

In this case: internet -> bloco-02 -> bloco-05 -> user mailbox

internet -> load balanced machines -> machine that has the user mailbox

This is the way the message comes in. There's nothing "hidden" in the headers.

> OK, I'm done trying to explain.

Well ... what can I do to prevent such a problem? I'm blocked but I'm not a spammer.

> OK, I'm done trying to explain.
>
> Well ... what can I do to prevent such a problem? I'm blocked but I'm not a spammer.

...Have you done what I suggested in my reply in this thread?

