I reported myself?


JayEdgar

I got the following message in an email today (with my domain cleaned out):

Hello

We just received 26 spam complaints from spamcop.net regarding the server where your domain [myserver.com] is on, as being reported as the source of spam when it's actually not. (Please see below). Please be careful not to report the server where your domain is on as the source, as this is not at all good for our network, we do work hard to keep a clean spam free reputation. Continual false complaints could result in access problems from our server to other servers, and it is time consuming for us and the network to weed through, so please do be careful.

Thank you, and if you have any questions, please don't hesitate to ask.

Note: the email below is from

Received: from host162219.arnet.net.ar (host162219.arnet.net.ar  for your domain

The server  mercia.host4u.net ([xxx.xxx.xxx.xxx]) received the email for you.

regards

spam control at axxs.net

From: "Jay Edgar" <711636910[at]reports.spamcop.net>

To: abuse[at]axxs.net

Subject: [spamCop (216.71.64.117) id:711636910]C L E_A_R - D_R U_G Z_-_1_. 3 3_$_-_P_E R_-_D_O_S_E 61903

Date: 24 Feb 2004 03:41:48 -0000

X-SpamCop-sourceip:

X-Mailer: http://www.spamcop.net/ v1.3.4

[ SpamCop V1.3.4 ]

This message is brief for your comfort.  Please use links below for details.

Email from 216.71.64.117 / 24 Feb 2004 03:41:48 -0000

http://www.spamcop.net/w3m?i=z711636910zac...76635b797a3d48z

[ Offending message ]

Return-Path: <GNCUDUTDQJMUPOTOJBTMHYYHDBX[at]fiddlersgreenorlando.com>

Delivered-To: x

Received: (qmail 7201 invoked from network); 24 Feb 2004 03:41:49 -0000

Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101)

  by blade6.cesmail.net with SMTP; 24 Feb 2004 03:41:49 -0000

Received: (qmail 9238 invoked from network); 24 Feb 2004 03:41:48 -0000

Received: from mercia.host4u.net (216.71.64.117)

  by mailgate.cesmail.net with SMTP; 24 Feb 2004 03:41:48 -0000

Received: from host162219.arnet.net.ar (host162219.arnet.net.ar [200.45.162.219] (may be forged))

        by mercia.host4u.net (8.11.6/8.11.6) with SMTP id i1O3fir18988

        for <x>; Mon, 23 Feb 2004 21:41:45 -0600

Received: from 80.195.216.195 by web941.mail.yahoo.com; Mon, 23 Feb 2004 21:32:42 -0600

Message-ID: <JPDN_________________ACZG[at]hyenafilms.net>

From: "Abe Beard" <GNCUDUTDQJMUPOTOJBTMHYYHDBX[at]fiddlersgreenorlando.com>

Reply-To: "Abe Beard" <GNCUDUTDQJMUPOTOJBTMHYYHDBX[at]fiddlersgreenorlando.com>

To: x

Subject: C L E_A_R - D_R U_G Z_-_1_. 3 3_$_-_P_E R_-_D_O_S_E 61903

Date: Tue, 24 Feb 2004 09:36:42 +0600

MIME-Version: 1.0

Content-Type: multipart/alternative;

        boundary="--52961433036076025839"

X-CS-IP: 98.128.91.11

X-spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on blade6

X-spam-Level: *****

X-spam-Status: hits=5.8 tests=BIZ_TLD,GAPPY_SUBJECT,HTML_60_70,HTML_FONT_BIG,

        HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,LINES_OF_YELLING,MIME_HTML_ONLY,

        MIME_HTML_ONLY_MULTI,SUBJ_ALL_CAPS version=2.60

X-SpamCop-Checked: 192.168.1.101 216.71.64.117

X-SpamCop-Disposition: Blocked bl.spamcop.net

I'm pretty sure I remember reporting this spam, but I certainly didn't create the spam itself. Am I confused? Are they? Is there an error in how I reported it to spamcop? Did spamcop make a mistake? What do I do next?

I'm confused by this, and don't really know how to figure it out. I figured some of you smart folks could direct me.

Thanks.

Jay

Link to comment
Share on other sites

The critical part of the SpamCop parser output is;

Chain error web941.mail.yahoo.com not equal to last sender received line discarded

200.45.162.219 discarded as a forgery, using 216.71.64.117

The critical part of the SpamCop Reporting code is;

Report spam to:

Re: 216.71.64.117 (Administrator of IP block - statistics only)

To: postmaster[at]axxs.net (Notes)

To: abuse[at]axxs.net (Notes)

You are the one that should have caught this "problem" before clicking on the Send Reports Now button.

These are the lines that caused the problem;

Received: from mercia.host4u.net (216.71.64.117)

by mailgate.cesmail.net with SMTP; 24 Feb 2004 03:41:48 -0000

Received: from host162219.arnet.net.ar (host162219.arnet.net.ar [200.45.162.219] (may be forged))

by mercia.host4u.net (8.11.6/8.11.6) with SMTP id i1O3fir18988

for <x>; Mon, 23 Feb 2004 21:41:45 -0600

You need to make apologies at least, make special note to look at the addresses you're sending complaints to and make sure you're not reporting yourself. Others may chime in later about the probabilities of some configuration problems with the host4u servers .....

Link to comment
Share on other sites

Wazoo and Steve:

Thanks for your responses. I think I'm beginning to understand, but I'm not there yet. Are you saying that the line you pointed out:

These are the lines that caused the problem;

Received: from mercia.host4u.net (216.71.64.117)

indicates my server, and that's what I reported?

If so, how did the email originate from me? I have up to date virus software and use adaware, spybot and spyware guard, so I don't think I've been infected and sent out emails.

Please have a bit more patience with me and lead me by the hand with this.

Thanks much,

Jay

Link to comment
Share on other sites

Hi, Jay,

Wazoo and Steve:

Thanks for your responses. I think I'm beginning to understand, but I'm not there yet. Are you saying that the line you pointed out:

These are the lines that caused the problem;

Received: from mercia.host4u.net (216.71.64.117)

indicates my server, and that's what I reported?

If so, how did the email originate from me? I have up to date virus software and use adaware, spybot and spyware guard, so I don't think I've been infected and sent out emails.

Please have a bit more patience with me and lead me by the hand with this.

Thanks much,

Jay

...Yep, it's easy to get confused -- no need to apologize, IMHO. :)

...Here's the deal, as I understand it:

  • You received an e-mail that you considered to be spam
  • You (logged in as 711636910 <at> reports.spamcop.net) reported it via SpamCop
  • The SpamCop parser became confused due to an odd line (as referenced by Wazoo) and sent the spam report to the abuse desk of your e-mail provider (abuse[at]axxs.net)

...Does that help?

Link to comment
Share on other sites

If so, how did the email originate from me?

No, we never said that the e-mail came from you. The SpamCop parser tries to perform a "chain test", i.e., follow the handling of the e-mail from one server to another. It made it all the way down to your ISP ...

Received: from mercia.host4u.net (216.71.64.117)

by mailgate.cesmail.net with SMTP; 24 Feb 2004 03:41:48 -0000

Then it hit these lines;

Received: from host162219.arnet.net.ar (host162219.arnet.net.ar [200.45.162.219] (may be forged))

by mercia.host4u.net (8.11.6/8.11.6) with SMTP id i1O3fir18988

for <x>; Mon, 23 Feb 2004 21:41:45 -0600

Received: from 80.195.216.195 by web941.mail.yahoo.com; Mon, 23 Feb 2004 21:32:42 -0600

Resulting in the error condition of;

Chain error web941.mail.yahoo.com not equal to last sender received line discarded

200.45.162.219 discarded as a forgery, using 216.71.64.117

There is no handoff from the (forged) yahoo.com server to the net.ar server, and this particular bogus line construction has been seen often of late .... that host 200.45.162.219 = host162219.arnet.net.ar is probably a more likely candidate for the injection point, the parser didn't like this line, so it dropped back to the last "good" line, which unfortunately, is your ISP's server.

At this point, I would have recommended that you cancel the SpamCop complaint and send one manually, guessing to abuso[at]arnet.com.ar, but only after doing some more digging on these folks ... Guessing that you'd not be comfortable going manual, then I'd suggest that the next time you see your ISP as the complaint target, at least uncheck those boxes before hitting the Send button.

Here's hoping I explained it a bit better ...??

Link to comment
Share on other sites
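The chain walk described in the post above, as an added example that is not part of the original thread and is not SpamCop's actual parser: a simplified model in which a Received line is believed only when a trusted host wrote it, followed by the "am I reporting myself?" check. The header lines are the ones quoted in the thread; the function names and the trusted-host sets are assumptions.

```python
import re

# Received lines copied from the spam quoted in this thread, newest first,
# each folded header joined onto one line.
RECEIVED = [
    "from unknown (HELO mailgate.cesmail.net) (192.168.1.101) by blade6.cesmail.net with SMTP; 24 Feb 2004 03:41:49 -0000",
    "(qmail 9238 invoked from network); 24 Feb 2004 03:41:48 -0000",
    "from mercia.host4u.net (216.71.64.117) by mailgate.cesmail.net with SMTP; 24 Feb 2004 03:41:48 -0000",
    "from host162219.arnet.net.ar (host162219.arnet.net.ar [200.45.162.219] (may be forged)) by mercia.host4u.net (8.11.6/8.11.6) with SMTP id i1O3fir18988 for <x>; Mon, 23 Feb 2004 21:41:45 -0600",
    "from 80.195.216.195 by web941.mail.yahoo.com; Mon, 23 Feb 2004 21:32:42 -0600",
]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse_hop(line):
    """Split one Received line into claimed sender, sender IP and recording host."""
    m = re.match(r"from (\S+)(.*?) by (\S+)", line)
    if not m:
        return None  # local hand-off lines such as qmail's describe no hop
    ip = IPV4.search(m.group(1) + m.group(2))
    return {"from": m.group(1), "ip": ip.group(0) if ip else None,
            "by": m.group(3).rstrip(";")}

def find_source(received, trusted_hosts, trusted_ips):
    """Return (source_ip, chain_error), walking newest to oldest (simplified model)."""
    hops = [h for h in map(parse_hop, received) if h]
    source = None
    for i, hop in enumerate(hops):
        if hop["by"] not in trusted_hosts:
            break  # written by a host we cannot vouch for: stop believing
        source = hop["ip"]
        if source in trusted_ips:
            continue  # a relay we trust: keep following the chain
        older = hops[i + 1] if i + 1 < len(hops) else None
        if older and older["by"] != hop["from"]:
            return source, older["by"]  # no hand-off between the two lines
        break
    return source, None

def review_report(received, trusted_hosts, trusted_ips, own_ips):
    """Pre-send check: never file a report against your own mail server."""
    source, chain_error = find_source(received, trusted_hosts, trusted_ips)
    if source is None:
        return "HOLD: no Received line written by a trusted host"
    if source in own_ips:
        return f"HOLD {source}: your own provider's server"
    note = f" (discarded forged line by {chain_error})" if chain_error else ""
    return f"REPORT {source}{note}"

# Assumed trust sets: the poster's provider IP and the cesmail.net hosts seen above.
OWN = {"216.71.64.117"}
CES_HOSTS = {"blade6.cesmail.net", "mailgate.cesmail.net"}
CES_IPS = {"192.168.1.101"}
```

With only the cesmail.net hosts trusted, the walk stops at 216.71.64.117 and the check holds the report. Once mercia.host4u.net and its IP are added to the trusted sets, it reaches 200.45.162.219 and drops the yahoo.com line.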

Those are both great explanations, and thanks to the both of you. The piece I'm still stuck on is that axxs.net isn't my ISP, OLM is. Unless axxs.net is another domain with them or something. I think I have enough to dig into now.

Apparently someone has been pretty successfully spoofing my email address or something, as I'm getting a lot of failure emails bouncing back to me of the same type. Any suggestions as to what to do about that?

Thanks again. Help is much appreciated.

Jay

Link to comment
Share on other sites

Hi, Jay,

Those are both great explanations, and thanks to the both of you.

...Happy to try to help!

Apparently someone has been pretty successfully spoofing my email address or something, as I'm getting a lot of failure emails bouncing back to me of the same type. Any suggestions as to what to do about that?

...Perhaps Pinned: FAQ Entry: Why am I getting all these bounces?

Link to comment
Share on other sites

I'm lost ... axxs.net I can only find as manual.axxs.net, which doesn't say squat as far as hosting anything, www.host4u.net gets me a 403 error, and OLM ... oh yeah, the folks that advertise with the guy that's happy with 56k and he's never had a question that they couldn't answer ... I sure struck out in trying to find the / your connection ....

Link to comment
Share on other sites

Yeah, I found the same data, but then I tried hitting the web sites associated with the e-mail addresses ... and then trying to sort out the connection to "OLM is my host" but axxs is the one that handled the spam complaints ... there's what I couldn't come up with ... at best, maybe something along the lines of a re-seller in there somewhere, but that connection to marry all these "hosts" together is what I was trying to resolve

Link to comment
Share on other sites

Yes, you were reporting yourself, although the parser is now parsing past your header, so I am not entirely sure what the problem was. You should know your own IP and not report yourself; however, I have also added a flag to the system to say that your IP is a valid mailserver. The headers I looked at are:

Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101)

by blade6.cesmail.net with SMTP; 24 Feb 2004 03:41:49 -0000

Received: (qmail 9238 invoked from network); 24 Feb 2004 03:41:48 -0000

Received: from mercia.host4u.net (216.71.64.117)

by mailgate.cesmail.net with SMTP; 24 Feb 2004 03:41:48 -0000

Received: from host162219.arnet.net.ar (host162219.arnet.net.ar [200.45.162.219] (may be forged))

by mercia.host4u.net (8.11.6/8.11.6) with SMTP id i1O3fir18988

for <x>; Mon, 23 Feb 2004 21:41:45 -0600

Received: from 80.195.216.195 by web941.mail.yahoo.com; Mon, 23 Feb 2004 21:32:42 -0600

Message-ID: <JPDN_________________ACZG[at]hyenafilms.net>

From: "Abe Beard" <GNCUDUTDQJMUPOTOJBTMHYYHDBX[at]fiddlersgreenorlando.com>

Reply-To: "Abe Beard" <GNCUDUTDQJMUPOTOJBTMHYYHDBX[at]fiddlersgreenorlando.com>

To: x

Subject: C L E_A_R - D_R U_G Z_-_1_. 3 3_$_-_P_E R_-_D_O_S_E 61903

Date: Tue, 24 Feb 2004 09:36:42 +0600

The injection is host162219.arnet.net.ar (host162219.arnet.net.ar [200.45.162.219]) and the bottom received header with yahoo in it is forged ...

Keep an eye on your reports but they should be parsing ok now

Link to comment
Share on other sites

Wow. My post has led to so much activity and effort on others' parts!

OK, so I reported my own address somehow. Could that have happened using the 'quick report and immediately trash' option on the held email page? To be honest, I spend plenty of time reporting the email that gets through to my inbox (which is rather painful with Outlook...); I have little interest in going through each submittal manually and ensuring my IP isn't in there. Perhaps that makes me a bad little spamcopper. I do my best to be conscientious, but I have to get enough hours in at work so I can pay my mortgage. :)

Am I to understand that what Ellen did takes care of this concern?

Deep thanks to everyone who's been so helpful. You all are great.

Jay

Link to comment
Share on other sites

Am I to understand that what Ellen did takes care of this concern?

Just a small note on this .. Yes, Ellen put the "fix" in on "this" one ... It doesn't mean that you still run blindly trusting everything, 'cause there may be something else that could go wrong tomorrow ... there are a number of folks that suggest not using the Quick Report at all, balanced against so many others that don't run into issues.

Link to comment
Share on other sites

If you do use Quick Reporting, be sure to look at the reports you get back just in case the parser hiccups so you can correct any errors.

I went for months without ever having a problem. Then two weeks before Quick Reporting started, the parser timed out and named my ISP. It never happened again, but if it happened once, it could happen again. Also sometimes ISPs change things that cause the parser to stop and you are unaware of it until you see your ISP checked (or if using Quick Reporting, reported).

I found reading the reports as tedious as reporting each spam so I would go with just reporting what you have time for (the newest first).

Miss Betsy

Link to comment
Share on other sites

If you do use Quick Reporting, be sure to look at the reports you get back just in case the parser hiccups so you can correct any errors.

I went for months without ever having a problem. Then two weeks before Quick Reporting started, the parser timed out and named my ISP. It never happened again, but if it happened once, it could happen again. Also sometimes ISPs change things that cause the parser to stop and you are unaware of it until you see your ISP checked (or if using Quick Reporting, reported).

I found reading the reports as tedious as reporting each spam so I would go with just reporting what you have time for (the newest first).

Miss Betsy

...Great post, Miss Betsy!

...Moderators: another candidate for a FAQ.

Link to comment
Share on other sites

If you do use Quick Reporting, be sure to look at the reports you get back just in case the parser hiccups so you can correct any errors.

I went for months without ever having a problem. Then two weeks before Quick Reporting started, the parser timed out and named my ISP. It never happened again, but if it happened once, it could happen again. Also sometimes ISPs change things that cause the parser to stop and you are unaware of it until you see your ISP checked (or if using Quick Reporting, reported).

I found reading the reports as tedious as reporting each spam so I would go with just reporting what you have time for (the newest first).

Miss Betsy

...Great post, Miss Betsy!

...Moderators: another candidate for a FAQ.

I agree. I added it to http://forum.spamcop.net/forums/index.php?showtopic=88 as Step 16.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
