dvv

misattribution


I hope I'm posting this in the right place.

 

The source of the following message is identified as 11.1.0.1 instead of the correct 69.85.64.2. Of course, 11.1.0.1 is not even an IP address here, and it's got nothing to do with the DoD Network Information Center.

Received: from mail.gvii.net (mail.gvii.net [69.85.64.2]) by some-hostname (8.15.2/8.15.2) with ESMTPS id w9AB6TEw000831 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256 bits) verified NO) for <some-address>; Wed, 10 Oct 2018 07:06:32 -0400 (EDT)
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.2.7 (some-host [192.168.1.9]); Wed, 10 Oct 2018 07:06:32 -0400 (EDT)
Received: from port174.gvii.net
        by mail.gvii.net (IceWarp 11.1.0.1 x64) with SMTP id 201810091625223366
        for <some-address>; Tue, 09 Oct 2018 16:25:22 -0600
Received: from [113.149.138.213] by m1.gns.snv.thisdomainl.com with ASMTP; Tue, 09 Oct 2018 14:14:31 -0700
Received: from m1.gns.snv.thisdomainl.com ([Tue, 09 Oct 2018 14:02:44 -0700]) by snmp.otwaloow.com with SMTP; Tue, 09 Oct 2018 14:02:44 -0700
Received: from unknown (HELO mail.webhostings4u.com) (Tue, 09 Oct 2018 13:58:32 -0700) by public.micromail.com.au with ESMTP; Tue, 09 Oct 2018 13:58:32 -0700
Message-ID: <59DD4C5C.0B7404D2@gvii.net>
Date: Tue, 09 Oct 2018 13:58:32 -0700
From: "\"Ирина\" <Erikvoaer@gvii.net>"
User-Agent: Mozilla/5.0 (Macintosh; U; PPC; en-US; rv:1.3.1) Gecko/20030701
X-Accept-Language: en-us
MIME-Version: 1.0
To: "Агния" <some-address>
Subject: Стройная жена - залог семейного счастья
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64

If you would provide a Tracking URL it would provide the rest of us more information to answer your implied question. The Tracking URL will also let us see how the parser reached the answer(s) it did.

9 hours ago, dvv said:

11.1.0.1 Needs to go to "disa.columbus.ns.mbx.arin-registrations [at] mail [dot] mil"

postmaster [ at] mail [dot]mil is a default address when SpamCop can't find one

 

Russian spam? using a compromised email server 69.85.64.2 analyst [at] gvii [dot] net

4 hours ago, petzl said:

11.1.0.1 Needs to go to "disa.columbus.ns.mbx.arin-registrations [at] mail [dot] mil"

postmaster [ at] mail [dot]mil is a default address when SpamCop can't find one

 

Russian spam? using a compromised email server 69.85.64.2 analyst [at] gvii [dot] net

The 11.1.0.1 is not an IP address! It is the version number of the “IceWarp” system used by mail.gvii.net. SpamCop thinks that it’s an IP address because it is commented (in parentheses) after the host name... unfortunate misattribution...
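
The misattribution discussed in this thread, as an added example that is not part of any post and is not SpamCop's parser: `naive_ip` is an assumed stand-in for loose matching that takes the first dotted quad anywhere in a `Received` line, while `relay_ip` accepts only a bracketed address literal inside the `from` clause, so a version string in the `by` comment is ignored. The function names are hypothetical; the header strings come from the message above, unfolded and abridged.

```python
import ipaddress
import re

# Received values from the message in this thread, unfolded and abridged.
HOP_RECIPIENT = ("from mail.gvii.net (mail.gvii.net [69.85.64.2]) by some-hostname "
                 "(8.15.2/8.15.2) with ESMTPS id w9AB6TEw000831; "
                 "Wed, 10 Oct 2018 07:06:32 -0400 (EDT)")
HOP_ICEWARP = ("from port174.gvii.net by mail.gvii.net (IceWarp 11.1.0.1 x64) "
               "with SMTP id 201810091625223366; Tue, 09 Oct 2018 16:25:22 -0600")
HOP_FORGED = ("from m1.gns.snv.thisdomainl.com ([Tue, 09 Oct 2018 14:02:44 -0700]) "
              "by snmp.otwaloow.com with SMTP; Tue, 09 Oct 2018 14:02:44 -0700")

DOTTED_QUAD = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")
ADDRESS_LITERAL = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def naive_ip(received):
    """Assumed loose matcher: first dotted quad anywhere in the header."""
    m = DOTTED_QUAD.search(received)
    return m.group(0) if m else None


def from_clause(received):
    """Text from 'from' up to the first 'by' that is outside a (comment)."""
    depth, tokens = 0, []
    for tok in received.split():
        if depth == 0 and tokens and tok.lower() == "by":
            break
        depth += tok.count("(") - tok.count(")")
        tokens.append(tok)
    return " ".join(tokens) if tokens and tokens[0].lower() == "from" else ""


def relay_ip(received):
    """Only a valid bracketed address literal in the from clause counts."""
    for cand in ADDRESS_LITERAL.findall(from_clause(received)):
        try:
            return str(ipaddress.ip_address(cand))
        except ValueError:
            continue  # bracketed text that is not a real address
    return None


if __name__ == "__main__":
    for hop in (HOP_RECIPIENT, HOP_ICEWARP, HOP_FORGED):
        print(f"naive={naive_ip(hop)!s:<12} clause-aware={relay_ip(hop)}")
```
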
