
spam before, no spam after setup



I have setup up our mailserver in the Mailhostlist and pasted the email that I received.

Strangely a spammail that we receive got marked as a spammail before I included the mailserver and after I included it the spammail isn't even being picked up for processing.

Is this some sort of bug or did I screw up somewhere?

(edit: before I totally forget to mention this spammail was received on a different address on the same server which forwards this to my email on that same server. Would that be it?)

Before:

SpamCop v 1.456 © Ironport Systems Inc., 1998-2005 , All rights reserved.

Here is your TRACKING URL - it may be saved for future reference:

http://www.spamcop.net/sc?id=z769630484z53...

Skip to Reports

Return-Path: <axisymmetricassembleconsanguineous[at]arcor.de>

Delivered-To: x

Received: (qmail 7654 invoked by uid 89); 31 May 2005 02:17:47 +0200

Delivered-To: src.nl-x

Received: (qmail 7644 invoked by uid 780); 31 May 2005 02:17:47 +0200

Received: from axisymmetricassembleconsanguineous[at]arcor.de by src.nl by uid 401 with qmail-scanner-1.20rc3

(clamscan: 0.60. spamassassin: 2.60-rc2.  Clear:RC:0:SA:0(4.2/5.0):.

Processed in 50.446987 secs); 31 May 2005 00:17:47 -0000

Received: from 82-33-127-89.cable.ubr05.azte.blueyonder.co.uk (82.33.127.89)

  by 10.2.1.101 with SMTP; 31 May 2005 02:16:56 +0200

Message-ID: <4769______________________________7utx[at]webmail.com.tw>

From: "Eliseo Edmonds" <axisymmetricassembleconsanguineous[at]arcor.de>

Reply-To: "Eliseo Edmonds" <axisymmetricassembleconsanguineous[at]arcor.de>

To: x, x

Subject: Never go online without the latest anti-virus protection. $15

Date: Mon, 30 May 2005 20:08:39 -0500

MIME-Version: 1.0

Content-Type: multipart/alternative;

boundary="PART_2_22803670277919154842"

X-spam-DCC: WEiAPG: w3.src.nl 1072; Body=1 Fuz1=1 Fuz2=1

X-spam-Checker-Version: SpamAssassin 2.60-rc2 (1.198-2003-08-22-exp) on w3.src.nl

X-spam-Level: ****

X-spam-Status: No, hits=4.2 required=5.0 tests=HTML_30_40,HTML_COMMENT_8BITS,

HTML_FONTCOLOR_RED,HTML_FONTCOLOR_UNKNOWN,HTML_FONTCOLOR_UNSAFE,

HTML_FONT_BIG,HTML_MESSAGE,HTML_SHOUTING5,HTML_TAG_BALANCE_BODY,

HTML_TAG_BALANCE_TABLE autolearn=no version=2.60-rc2

View entire message

Parsing header:

Received: (qmail 7654 invoked by uid 89); 31 May 2005 02:17:47 +0200

Removed 'by' from uid

Received: (qmail 7654 invoked (uid 89)); 31 May 2005 02:17:47 +0200

no from

Ignored

Received: (qmail 7644 invoked by uid 780); 31 May 2005 02:17:47 +0200

Removed 'by' from uid

Received: (qmail 7644 invoked (uid 780)); 31 May 2005 02:17:47 +0200

no from

Ignored

Received: from axisymmetricassembleconsanguineous[at]arcor.de by src.nl by uid 401 with qmail-scanner-1.20rc3 (clamscan: 0.60. spamassassin: 2.60-rc2. Clear:RC:0:SA:0(4.2/5.0):. Processed in 50.446987 secs); 31 May 2005 00:17:47 -0000

Removed 'by' from uid

Received: from axisymmetricassembleconsanguineous[at]arcor.de by src.nl (uid 401) with qmail-scanner-1.20rc3 (clamscan: 0.60. spamassassin: 2.60-rc2. Clear:RC:0:SA:0(4.2/5.0):. Processed in 50.446987 secs); 31 May 2005 00:17:47 -0000

Ignored

Received: from 82-33-127-89.cable.ubr05.azte.blueyonder.co.uk (82.33.127.89) by 10.2.1.101 with SMTP; 31 May 2005 02:16:56 +0200

82.33.127.89 found

host 82.33.127.89 = 82-33-127-89.cable.ubr05.azte.blueyonder.co.uk. (cached)

82-33-127-89.cable.ubr05.azte.blueyonder.co.uk. is 82.33.127.89

Possible spammer: 82.33.127.89

Received line accepted

Tracking message source: 82.33.127.89:

Routing details for 82.33.127.89

[refresh/show] Cached whois for 82.33.127.89 : abuse[at]blueyonder.co.uk

Using abuse net on abuse[at]blueyonder.co.uk

abuse net blueyonder.co.uk = abuse[at]blueyonder.co.uk

Using best contacts abuse[at]blueyonder.co.uk

Message is 7 hours old

82.33.127.89 not listed in dnsbl.njabl.org

82.33.127.89 not listed in dnsbl.njabl.org

82.33.127.89 listed in cbl.abuseat.org ( 127.0.0.2 )

82.33.127.89 is an open proxy

82.33.127.89 not listed in accredit.habeas.com

82.33.127.89 not listed in plus.bondedsender.org

82.33.127.89 not listed in iadb.isipp.com

Finding links in message body

Recurse multipart:

Parsing text part

Recurse multipart:

Parsing HTML part

Ignored image/gif part

Ignored image/gif part

Ignored image/gif part

Ignored image/gif part

Ignored image/gif part

Resolving link obfuscation

http://biceps3a.bobztz.info/fghphp

http://biceps3a.bobztz.info/fgh.php

http://3abiceps.bobztz.info/?ca28827fe0f7e...

Please make sure this email IS spam:

From: "Eliseo Edmonds" <axisymmetricassembleconsanguineous[at]arcor.de> (Never go online without the latest anti-virus protection. $15)

This is a multi-part message in MIME format.

--PART_2_22803670277919154842

View full message

    

Report spam to:

Re: 82.33.127.89 (Administrator of network where email originates)

    To: abuse[at]blueyonder.co.uk (Notes)

Re: 82.33.127.89 (Third party interested in email source)

    To: Cyveillance spam collection (Notes)

After

SpamCop v 1.456 © Ironport Systems Inc., 1998-2005 , All rights reserved.

Here is your TRACKING URL - it may be saved for future reference:

http://www.spamcop.net/sc?id=z769646322zbb...

Skip to Reports

Return-Path: <axisymmetricassembleconsanguineous[at]arcor.de>

Delivered-To: x

Received: (qmail 7654 invoked by uid 89); 31 May 2005 02:17:47 +0200

Delivered-To: src.nl-x

Received: (qmail 7644 invoked by uid 780); 31 May 2005 02:17:47 +0200

Received: from axisymmetricassembleconsanguineous[at]arcor.de by src.nl by uid 401 with qmail-scanner-1.20rc3

(clamscan: 0.60. spamassassin: 2.60-rc2.  Clear:RC:0:SA:0(4.2/5.0):.

Processed in 50.446987 secs); 31 May 2005 00:17:47 -0000

Received: from 82-33-127-89.cable.ubr05.azte.blueyonder.co.uk (82.33.127.89)

  by 10.2.1.101 with SMTP; 31 May 2005 02:16:56 +0200

Message-ID: <4769______________________________7utx[at]webmail.com.tw>

From: "Eliseo Edmonds" <axisymmetricassembleconsanguineous[at]arcor.de>

Reply-To: "Eliseo Edmonds" <axisymmetricassembleconsanguineous[at]arcor.de>

To: x, x

Subject: Never go online without the latest anti-virus protection. $15

Date: Mon, 30 May 2005 20:08:39 -0500

MIME-Version: 1.0

Content-Type: multipart/alternative;

boundary="PART_2_22803670277919154842"

X-spam-DCC: WEiAPG: w3.src.nl 1072; Body=1 Fuz1=1 Fuz2=1

X-spam-Checker-Version: SpamAssassin 2.60-rc2 (1.198-2003-08-22-exp) on w3.src.nl

X-spam-Level: ****

X-spam-Status: No, hits=4.2 required=5.0 tests=HTML_30_40,HTML_COMMENT_8BITS,

HTML_FONTCOLOR_RED,HTML_FONTCOLOR_UNKNOWN,HTML_FONTCOLOR_UNSAFE,

HTML_FONT_BIG,HTML_MESSAGE,HTML_SHOUTING5,HTML_TAG_BALANCE_BODY,

HTML_TAG_BALANCE_TABLE autolearn=no version=2.60-rc2

View entire message

Parsing header:

0: Received: from 82-33-127-89.cable.ubr05.azte.blueyonder.co.uk (82.33.127.89) by 10.2.1.101 with SMTP; 31 May 2005 02:16:56 +0200

Hostname verified: 82-33-127-89.cable.ubr05.azte.blueyonder.co.uk

Possible forgery. Supposed receiving system not associated with any of your mailhosts

Will not trust anything beyond this header

No source IP address found, cannot proceed.

Add/edit your mailhost configuration

Finding full email headers

Submitting spam via email (may work better)

Example: What spam headers should look like

Nothing to do.

Link to comment
Share on other sites

I have setup up our mailserver in the Mailhostlist and pasted the email that I received.

Strangely a spammail that we receive got marked as a spammail before I included the mailserver and after I included it the spammail isn't even being picked up for processing.

The MailHost Configuration of (your) reporting account has to do with the "reporting" of your spam. There is no connection to incoming e-mail, filtering lists, etc ...

(edit: before I totally forget to mention this spammail was received on a different address on the same server which forwards this to my email on that same server. Would that be it?)

Had you not destroyed the Tracking URLs, perhaps something could be looked at, possibly analyzed. The stuff you posted is so screwed up (mostly by this application's handling of white space, but your cut/copy/paste methodology messed things up really bad) that I'm just not going to try to reconstruct something out of the jumble.

You say "I have setup up our mailserver"

Then you say "spammail was received on a different address on the same server which forwards this to my email on that same server."

Both of your samples only contain a single IP address in the headers .. just where else might you think that the parser is supposed to try to come up with some other address to suggest as the source of the e-mail?

No idea what your MailHost configuration must look like, but if one is to believe the "forwarded" activity, then the servers you are using are totally hosed as far as tracking the actual source. If you are going to try again, please post "only" the Tracking URLs involved.

Link to comment
Share on other sites

From the mail without mailhostconfig

Here is your TRACKING URL - it may be saved for future reference:

http://www.spamcop.net/sc?id=z769630484z53...5f229b96df0b99z

From the mail with mailhostconfig

Here is your TRACKING URL - it may be saved for future reference:

http://www.spamcop.net/sc?id=z769646322zbb...8510d4cf0d8130z

The tagging as spammail is done on our server by the spamassassin plugin for qmail.

:( Just noticed that this one wasn't marked as spam by it.

The interpretation of "forwarding" is probably different between us.

I meant that the email arrives on our server on mailaddress1 and gets routed to a number of mailaddresses on that server including mine (mailaddress2).

Making:

Internet -> mailserver -> mailaddress1 -> mailaddress2

I hope this will make more sense.

Link to comment
Share on other sites

The Parser is tripping on the mailserver name 10.2.1.101. Why does your mailserver insist on calling itself unrouteable IP Address 10.2.1.101 rather than w3.src.nl or some other appropriate FQDN? Thanks!

Link to comment
Share on other sites
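The stop described in the reply above, as an added example that is not part of the thread and not SpamCop's own parser: a simplified model of walking the Received lines newest-first and refusing to trust a hop whose receiving system is not a configured Mailhost. The `MAILHOSTS` entry, its relay IP, `find_source` and `FIXED` are hypothetical names and values chosen for illustration.

```python
import re

# Received lines from the headers posted in this thread, top (newest) first,
# with folded continuation lines joined.
RECEIVED = [
    "(qmail 7654 invoked by uid 89); 31 May 2005 02:17:47 +0200",
    "(qmail 7644 invoked by uid 780); 31 May 2005 02:17:47 +0200",
    "from axisymmetricassembleconsanguineous[at]arcor.de by src.nl by uid 401 "
    "with qmail-scanner-1.20rc3 (clamscan: 0.60. spamassassin: 2.60-rc2. "
    "Clear:RC:0:SA:0(4.2/5.0):. Processed in 50.446987 secs); "
    "31 May 2005 00:17:47 -0000",
    "from 82-33-127-89.cable.ubr05.azte.blueyonder.co.uk (82.33.127.89) "
    "by 10.2.1.101 with SMTP; 31 May 2005 02:16:56 +0200",
]

# Hypothetical Mailhost entry: the host names appear in the thread, the relay
# IP is a constructed documentation address.
MAILHOSTS = {"hosts": {"w3.src.nl", "src.nl"}, "relays": {"192.0.2.10"}}

# A network hop has the shape "from <name> (<ip>) by <receiver>".
HOP = re.compile(r"^from\s+\S+\s+\((\d{1,3}(?:\.\d{1,3}){3})\)\s+by\s+(\S+)")

def find_source(received, mailhosts=None):
    """Walk Received lines newest-first; return (source_ip, reason).

    mailhosts=None models an account with no Mailhost configuration.
    """
    for line in received:
        hop = HOP.match(line)
        if hop is None:
            continue  # local qmail hand-off without a sending IP: ignored
        sender_ip, receiver = hop.group(1), hop.group(2).lower()
        if mailhosts is not None:
            if receiver not in mailhosts["hosts"]:
                # Receiver is not ours, so the line may be forged: stop here.
                return None, f"receiving system {receiver} not in mailhosts"
            if sender_ip in mailhosts["relays"]:
                continue  # hand-off between our own servers, keep walking
        return sender_ip, f"handed to {receiver}"
    return None, "no usable Received line"

# Same hop, had the server stamped its FQDN instead of its private address.
FIXED = [line.replace("by 10.2.1.101", "by w3.src.nl") for line in RECEIVED]

if __name__ == "__main__":
    for label, args in [("before", (RECEIVED,)), ("after", (RECEIVED, MAILHOSTS)),
                        ("fqdn", (FIXED, MAILHOSTS))]:
        print(label, find_source(*args))
```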

This stuff is so over my head. I use Webmail, what is Mailhost? In fact, I usually just read the Email accnt forum.

Do we really need to become such time consumed tech wizards in order to thwart spam? You are alone compared to everyone I live with. They could never spend the time to understand this technique you mention. I myself am reading forums just to get up to speed. But it does take lots of time away from life.

Link to comment
Share on other sites

The Parser is tripping on the mailserver name 10.2.1.101.  Why does your mailserver insist on calling itself unrouteable IP Address 10.2.1.101 rather than w3.src.nl or some other appropriate FQDN?  Thanks!

28702[/snapback]

This is where it gets ugly.

I didn't set up the server initially, but only maintain it via webmin (webbrowser based).

And until I find a decent (=newbie understandable) book/pdf/whatever on qmail I will be stuck with it.

The prev. admin of the server insisted on being as secure as possible (?) and seeing it as his own playground server.

Making that this something I would have to live with then because I really don't know what I would have to change in order to get this properly.

Should you find this to be a waste of time, then I am sorry for it.

Link to comment
Share on other sites

This is where it gets ugly.

I didn't set up the server initially, but only maintain it via webmin (webbrowser based).

And until I find a decent (=newbie understandable) book/pdf/whatever on qmail I will be stuck with it.

Start here : http://www.qmail.org/top.html#userdoc

The prev. admin of the server insisted on being as secure as possible (?) and seeing it as his own playground server.

Making that this something I would have to live with then because I really don't know what I would have to change in order to get this properly.

Internet -> mailserver -> mailaddress1 -> mailaddress2

If you look at the headers provided, absolutely none of this hand-off stuff is actually documented within those headers. There is a bit of a 'process' list, but it simply "starts" wrong then gets worse. Being all 'internal' perhaps not that critical, but ... as the very first entry is 'wrong' ...

Should you find this to be a waste of time, then I am sorry for it.

28706[/snapback]

It's to everyone's advantage to get things resolved.

Link to comment
Share on other sites

the process is easy. Simply click the Add/Change link below and follow the instructions.

28704[/snapback]

You might confuse less if there really was a LINK. Is there *NOT* one if reading within SC webmail maybe?

I'm a smart guy, and am already feeling intimidated. :( Why are SPAMMERS smarter than everyone else, well, normal people?

Link to comment
Share on other sites

You might confuse less if there really was a LINK.  Is there *NOT* one if reading within SC webmail maybe?

28716[/snapback]

Sorry, I was quoting Julian's language on http://www.spamcop.net/mcgi?action=mhedit directly. Silly me. For first-time users, the link is named "Add first hosts" and points to http://www.spamcop.net/mcgi?action=mhconf&...6charANcodeNMBR or http://members.spamcop.net/mcgi?action=mhc...6charANcodeNMBR or http://mailsc.spamcop.net/mcgi?action=mhco...6charANcodeNMBR (depending on which site you use, where, as Mike Easter would write, "16charANcodeNMBR is a 'secret' and unique 16 character alphanumeric [case respected] which is 'attached' to your email addres[sic]."). On subsequent uses, after the instructions for at least one submission have been followed and the resulting email has been accepted, the page shows the following for each Mailhost, an "Add new hosts" link pointing to the same URL as "Add first hosts" above, a "Delete host" capability for each listed Mailhost, and a link to this Mailhosts System help forum with accompanying text "If you are having problems specifically related to the new Mailhosts verification system, post here."

  • Mailhost name: [Name used by the first person to enumerate that set of Mailhosts]
  • Email address: [The email address you had the test message sent to]
  • Hosts/Domains: [All of the FQDNs of the Mailservers associated with the Mailhost name above]
  • Relaying IPs: [All the IP Addresses of the Hosts/Domains listed above]

Please also see MailHosts System Beta Test Invitation, New Parsing Tool. Thanks!

Edit: Added "subsequent uses".

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
