[Resolved] No Source IP address problem

[rjenkins]

Hi,

I've been using Spamcop for some time with no real problems.

Recently, every spam I try to submit returns "No source IP address found, cannot proceed."

(I'm submitting via the web form exactly as before).

I notice that a private IP (192.168.x.x) now appears in all headers on the incoming email & I wonder if this is somehow messing things up?

(Spamcop used to list an 'internal handoff' but it's not doing that any more.)

This is a typical failure report:-

Return-Path: <noreply[at]biterespond.co.uk>
Delivered-To: x
Received: (qmail 50890 invoked by uid 1024); 22 Sep 2005 10:26:02 -0000
Received: from noreply[at]biterespond.co.uk by server35.donhost.co.uk by uid 1002 with qmail-scanner-1.22 
 ( Clear:RC:0(217.174.252.50):. 
 Processed in 7.528566 secs); 22 Sep 2005 10:26:02 -0000
Received: from unknown (HELO biterespond.co.uk) (217.174.252.50)
  by 192.168.147.25 with SMTP; 22 Sep 2005 10:25:55 -0000
Message-ID: <267F________E27E[at]biterespond.co.uk>
Date: Thu, 22 Sep 2005 20:20:44 +0900
From: "Bite Size Seminars" <noreply[at]biterespond.co.uk>
User-Agent: Opera/6.05 (Windows 2000; U) [ja]
MIME-Version: 1.0
To: <x>
Subject: Do you handle sensitive employee situations with skill and diplomacy?
X-Content-Type: text/html;
	charset="us-ascii"
X-Content-Transfer-Encoding: 7bit

...

Parsing header:
0: Received: from unknown (HELO biterespond.co.uk) (217.174.252.50) by 192.168.147.25 with SMTP; 22 Sep 2005 10:25:55 -0000
No unique hostname found for source: 217.174.252.50

Possible forgery. Supposed receiving system not associated with any of your mailhosts
Will not trust anything beyond this header

No source IP address found, cannot proceed.

I have tried updating the mailhosts; this added a couple of new 81.x.x.x relaying IPs but has not helped the problem.

I've also tried submitting normal (none spam) emails, the result is exactly the same with only the '0: Received:' line having different domain & IPs.

Any help appreciated!

R Jenkins.

[StevenUnderwood]

Hi,

I've been using Spamcop for some time with no real problems.

Recently, every spam I try to submit returns "No source IP address found, cannot proceed."

(I'm submitting via the web form exactly as before).

I notice that a private IP (192.168.x.x) now appears in all headers on the incoming email & I wonder if this is somehow messing things up?

(Spamcop used to list an 'internal handoff' but it's not doing that any more.)

This is a typical failure report:-

I have tried updating the mailhosts; this added a couple of new 81.x.x.x relaying IPs but has not helped the problem.

I've also tried submitting normal (none spam) emails, the result is exactly the same with only the '0: Received:' line having different domain & IPs.

Any help appreciated!

R Jenkins.

33070[/snapback]

Please post a tracking URL as whitespace can be an issue when posting things here. The CODE option usually preserses this so going on that assumption.

Are you in charge of your email server or are you an end user? Did the server change recently?

This header is not formed properly as it:

a> does not indicate what server (IP) it received the message from

b> the server35.donhost.co.uk does not seem to exist

c> it does not have whitespace to start the last 2 (assumed) continuation lines

d> Probably should not have the ( Clear...6 secs) in there at all

Received: from noreply[at]biterespond.co.uk by server35.donhost.co.uk by uid 1002 with qmail-scanner-1.22

( Clear:RC:0(217.174.252.50):.

Processed in 7.528566 secs); 22 Sep 2005 10:26:02 -0000

[Jeff G.]

Part of the problem appears to be that the particular inbound Internet mailserver which handled that message thinks of itself (and identifies itself in its Received Header Line) as "192.168.147.25" (a non-routable address per RFC1918) on the one hand, and appears to others inside your network as "server35.donhost.co.uk" (which authoritatively does not exist publicly per both of your nameservers ns1.donhost.co.uk and ns2.donhost.co.uk) on the other hand. In order for SpamCop's Parser to understand their Received Header Lines (so that potential Reporters like you can use that Parser to generate Reports), inbound Internet mailservers need to identify themselves with the names that other Internet mailservers use to contact them (the names in their public A Records (as referenced by their public MX Records, if they exist), since CNAMEs and IP Addresses are not valid on the right sides of MX Records per Internet Standard #13 and RFC1035 and RFC2181).

It would also be helpful if your server3 and server12 mailservers accepted email to their own postmasters, as required by RFC2821/4.5.1.

[rjenkins]

Hi,

I can't give a tracking URL as Spamcop does not save the result when there is no valid source IP...

(I have already tried reformatting headers so the 'Received: lines are unbroken after checking on here for similar errors; this does not help the problem).

Donhost is the hosting company, we have no control over the mailservers.

The servers have shown as "serverXX.donhost.co.uk" since the mailhost system was introduced, and spamcop reporting has worked fine until recently.

I've just sent a message to Donhost re. the invalid server names.

Thanks,

R Jenkins.

[Jeff G.]

In that case, you must stop using Mailhosts until Donhost fixes the problem.

[dbiel]

Hi,

I can't give a tracking URL as Spamcop does not save the result when there is no valid source IP...

R Jenkins.

33082[/snapback]

Try sending the message as "forward as attachment" then you will have a tracking URL

[Jeff G.]

I can't give a tracking URL as Spamcop does not save the result when there is no valid source IP

33082[/snapback]

Isn't it in your web browser's address bar?

[Wazoo]

I can't give a tracking URL as Spamcop does not save the result when there is no valid source IP...

I'm a bit confused ... the Tracking URL is offered up at the top of the parse results page. Not sure what you may mean by "SpamCop saving the result" ..???

(I have already tried reformatting headers so the 'Received: lines are unbroken after checking on here for similar errors; this does not help the problem).

Donhost is the hosting company, we have no control over the mailservers.

33082[/snapback]

On the other hand, here's my Tracking URL for a "corrected" version of what you offered as a sample; http://www.spamcop.net/sc?id=z808484921z3e...591522ffcc064bz

Query sent upstream on the "filtered" results of a SamSpade WHOIS lookup, wondering if this feeds into the 'nomaster' result.

[rjenkins]

Sorry, I must be cracking up.. I'm concentrating on the headers and missing the text above.

This is another spam, as submitted (no format changes), with the error.

http://members.spamcop.net/sc?id=z80850243...ba0c01f4845c6bz

Wazoo - What is the critical change in the headers so spamcop accepted it?

I've tried modding the headers & can get the spamcop result apparently similar to yours, but it's still not accepted.

Thanks,

R Jenkins.

*EDIT* Modified for all to use the link

[StevenUnderwood]

This is another spam, as submitted (no format changes), with the error.

Wazoo - What is the critical change in the headers so spamcop accepted it?

I've tried modding the headers & can get the spamcop result apparently similar to yours, but it's still not accepted.

33107[/snapback]

by 192.168.147.19 is not (and probably won't be) listed in mailhosts because it is a private address where a fqdn should be. Basically, without mailhosts, it simply looks at whether the sending system makes sense. You may need to delete mailhosts to report until the headers are fixed (or you contact the deputies as mentioned above).

[Wazoo]

http://www.spamcop.net/sc?id=z80850243...ba0c01f4845c6bz

Yet another item that would end up with a pretty useless report/complaint going out even if it parsed ... yet another chinatietong.com spewed item.

Wazoo - What is the critical change in the headers so spamcop accepted it?  I've tried modding the headers & can get the spamcop result apparently similar to yours, but it's still not accepted.

33107[/snapback]

Unfortunately, this happens most every time .. in the "fixing" of a posted spam sample 'here' ... I usually end up 'correcting' whatever the issue was and the dang thing parses ... however, the "major" difference in the results stems from me not using a MailHost configured account to make that parse ... and again noting that there are other issues with that particular spam/parse that I'm waiting on answers to perhaps explain ...

Not only do I really not care for the way your sample headers are looking (others have mentioned some issues) ... but I'm wondering about asking for a bunch more data that may or may not shed some light on things. For instance, your posting IP doesn't match anything in the spam samples .... noting the line;

X-SpamCop-note: Converted to text/plain by SpamCop (outlook/eudora hack) in that last sample, wondering just what applications are involved (and where) .... you don't really say how you are actually snagging your e-mail (i.e. forwarded, web-based, etc.) ... you may not want to volunteer a bunch of data, but .... there may be some other pieces involved here (and possibly other solutions?)

[Richard W]

Hi,

I've been using Spamcop for some time with no real problems.

Recently, every spam I try to submit returns "No source IP address found, cannot proceed."

(I'm submitting via the web form exactly as before).

I notice that a private IP (192.168.x.x) now appears in all headers on the incoming email & I wonder if this is somehow messing things up?

(Spamcop used to list an 'internal handoff' but it's not doing that any more.)

There's a couple of issues here.

First is the internal LAN IP's, which I've fixed for you in your account.

The second, which Wazoo wrote us about (217.174.252.50) -- RIPE now hides email addresses in their records, which the record holder can turn off. If they haven't, SpamCop comes up with "no master found, cannot send reports", because there is no address to send reports to.

Maybe I should write RIPE and ask them if we should send all such reports their way

Richard

SpamCop Deputy

[Wazoo]

Thanks Richard!

[rjenkins]

Many thanks (especially Richard & Wazoo), everything appears to be working fine now!

I understand that if there is no reporting address then reports cannot be sent, but that is a completely separate issue from the original 'no source IP' problem & it's not something that Spamcop has control over.

I assume that the sending IP would still get blacklisted, so those reports are still useful. So far I've not seen many like that.

For reference, I'm using MS Outlook & submitting to the Spamcop web form by selecting Options on the message to view the headers, copy & paste those to the form, then (often 'view source',) copy & paste the message body.

(No comments on how nasty it is please, I am well aware..)

Re. the unrelated IPs, we use one ISP for ADSL (& outgoing email) and a separate company for domain hosting, web space & incoming email servers (who don't do ADSL).

Thanks again,

Robert Jenkins.

[Wazoo]

Thank you for the follow-up and the good news <g>

[Jeff G.]

Richard, thanks for the excellent work.

If ARIN and/or its predecessors in responsibility InterNIC, ISI, Jon Postel (may he rest in peace), ARPA, and the DoD have delegated responsibility for an IP Address Range (an inetnum like 217.174.248.0 - 217.174.255.255 as a part of NetRange 217.0.0.0 - 217.255.255.255) to RIPE NCC, and RIPE NCC now refuses (via its despicable filtering) to reveal to what email address they have further delegated responsibility for that IP Address Range (except that the IP Address Range is in an Autonomous System like AS15418 for which the Administrative and Technical Contact is CREW-RIPE with Abuse Mailbox abuse[at]ripe.net), then responsibility for that IP Address Range now lies squarely in RIPE NCC's hands, and Reports concerning that IP Address Range must be sent to RIPE NCC's CREW via their Abuse Mailbox abuse[at]ripe.net, or to ARIN if RIPE NCC refuses such Reports. The responsibility has to rest somewhere; at present, it rests with RIPE NCC.

The web-based trail for IP Address 217.174.252.50 leads from http://ws.arin.net/whois?queryinput=217.174.252.50 to http://www.ripe.net/whois?form_type=simple...o_search=Search to http://www.ripe.net/whois?searchtext=AS154...orm_type=simple to http://www.ripe.net/whois?form_type=simple...o_search=Search to "abuse-mailbox: abuse[at]ripe.net", and the WHOIS-based trail is similar.

[dra007]

I have run into a similar problem today trying to re-set my mailhost. Oddly enough reporting worked fine before trying to change despite postini enetering into the mix. I have requested a waver since simple mailhost configuration only confused the robot. Question: is this waver handdled manually and how long before I can start reporting again?

Unfortunately I deleted the mailhost configuration which worked despite interim changes in the way mail traveled through my servers.

This is the mail config. that doesn't work:

Mail Host

[Wazoo]

I have requested a waver since simple mailhost configuration only confused the robot. Question: is this waver handdled manually and how long before I can start reporting again?

Yes, manually. Add your request for help to the 4-800 other non-spam e-mails a day that show up in the Deputy's InBox, add in the reseach time needed to pull the needed data together, handle the needed actions, compose and send a response e-mail .... spread that load across the huge staff (Don, Ellen, RW) ...

Unfortunately I deleted the mailhost configuration which worked despite interim changes in the way mail traveled through my servers.

This is the mail config. that doesn't work:

Mail Host

33229[/snapback]

Not sure when you actually deleted your configuration, but as noted in the Pinned entries, deleting the contents makes it rather hard to diagnose what 'was' bad' .... Having absolutly no idea what your link was going to do (or do to me) ... I choked and clicked ... got this message; "No problems found - problem has already been resolved?" .. so still no idea what it's supposed to be/do ...

[dra007]

Thanks Wazoo, seems like someone, somehow solved the issue while I was posting here.... Will keep you posted if my optimism is waranted, but I successfully reported already...no confirmation of the waver being granted yet...

[dra007]

Yes, manually. Add your request for help to the 4-800 other non-spam e-mails a day that show up in the Deputy's InBox, add in the reseach time needed to pull the needed data together, handle the needed actions, compose and send a response e-mail .... spread that load across the huge staff (Don, Ellen, RW) ...

They were very efficient, problem was resolved in the time it took me to note it and post it here, within minutes, thanks again...

[Wazoo]

They were very efficient, problem was resolved in the time it took me to note it and post it here, within minutes, thanks again...

33247[/snapback]

Anf here I'm waiting for answers from last week <g>

Glad things got worked out, thanks for the follow-up(s)

[Jeff G.]

It appears that the response time is directly proportional to the difficulty of answering the question / fixing the problem, especially if multiple Deputies, Admins and/or Ironport Employees have to get involved in formulating and approving the answer or isolating and fixing the root cause of the problem.