Incomplete Mailhost Configuration?

[phredx 0]

Here's a tracking URL for a recently submitted spam.

http://www.spamcop.net/sc?id=z808421467z1d...f2070399fbd7cfz

I've followed the Mailhost configuration for all my email addresses.

The fact that this one is telling me that ml-hw3.monsterlabs.com is not associated with any of my mailhosts makes me think that tfo[at]monsterlabs.com, which is the address that received this spam, is not completely configured, but I'm not sure what steps to take next.

[Wazoo 0]

Hard to say from here ... the Tracking URL results page includes an Add/Edit Mailhost data .. did you follow that link? Have you looked at your MailHost data? Have you read the "read before posting" items?

[StevenUnderwood 0]

alumni.brown.edu,Sep 22 2005, 12:36 PM]The fact that this one is telling me that ml-hw3.monsterlabs.com is not associated with any of my mailhosts makes me think that tfo<at>monsterlabs.com, which is the address that received this spam, is not completely configured, but I'm not sure what steps to take next.

33086[/snapback]

0: Received: from ml-hw3.monsterlabs.com (HELO listserv.moses.com) (216.183.105.184) by 0 with SMTP; 22 Sep 2005 12:02:16 -0000

Hostname verified: ml-hw3.monsterlabs.com

Possible forgery. Supposed receiving system not associated with any of your mailhosts

It is not monsterlabs it is complaining about but the machine labeled in the headers as "0" that received the message from monsterlabs (probably your system). That system should be identifying itself with fqdn.

[phredx 0]

It is not monsterlabs it is complaining about but the machine labeled in the headers as "0" that received the message from monsterlabs (probably your system).  That system should be identifying itself with fqdn.

33088[/snapback]

That's interesting. As far as I know, those headers have always reported "by 0" there. I had an older SpamCop account where emails to tfo[at]monsterlabs.com were able to be reported successfully most of the time.

Here's a current example in a spam I'd report if it were working:

Return-Path: <diljhbuuj[at]mindspring.net>

Delivered-To: tfo[at]window.monsterlabs.com

Received: (qmail 19509 invoked by alias); 22 Sep 2005 16:14:55 -0000

Delivered-To: alias-ml-tfo[at]monsterlabs.com

Received: (qmail 19496 invoked from network); 22 Sep 2005 16:14:55 -0000

Received: from ml-hw3.monsterlabs.com (HELO listserv.moses.com) (216.183.105.184)

by 0 with SMTP; 22 Sep 2005 16:14:55 -0000

Received: (qmail 15470 invoked from network); 22 Sep 2005 16:08:22 -0000

Received: from 66-214-245-79.dhcp.gldl.ca.charter.com (66.214.245.79)

by 0 with SMTP; 22 Sep 2005 16:08:22 -0000

Return-Path: <RoscoeCompton[at]attglobal.net>

Received: from flashmail-fe3.flashmail.com (mail.flashmail-fe3 [216.239.161.152])

by be3 (Cyrus v2.2.10) with LMTPA;

Thu, 22 Sep 2005 11:11:46 -0600

X-Sieve: CMU Sieve 2.2

Received: from fastermail.com (bay10-f23.bay10.fastermail.com [205.158.62.76])

by animail-fe3.animail.cnet (8.12.11/8.12.11) with ESMTP id j4BM34K2006584

for <tfo[at]monsterlabs.com>; Thu, 22 Sep 2005 21:13:46 +0400

Received: from mail pickup service by attglobal.net with Microsoft SMTPSVC;

Thu, 22 Sep 2005 11:10:46 -0600

Message-ID: <BAY10-F236A1BA982DC2A8744D6D0B9300[at]phx.gbl>

Received: from 217.115.153.194 by by10fd.bay10.attglobal.net with HTTP;

Thu, 22 Sep 2005 13:11:46 -0400

X-Originating-IP: [64.4.202.107]

X-Originating-Email: [RoscoeCompton[at]attglobal.net]

X-Sender: RoscoeCompton[at]attglobal.net

From: "Enlargment Systems Inc." <RoscoeCompton[at]attglobal.net>

To: tfo[at]monsterlabs.com

Subject: Information on Longz

Date: Thu, 22 Sep 2005 14:10:46 -0300

Mime-Version: 1.0

Content-Type: text/plain; format=flowed

X-OriginalArrivalTime: Thu, 22 Sep 2005 14:12:46 -0300 (UTC) FILETIME=[7744B350:01C55675]

Lines: 16

In this section:

Received: from 66-214-245-79.dhcp.gldl.ca.charter.com (66.214.245.79)

by 0 with SMTP; 22 Sep 2005 16:08:22 -0000

Is this saying that ml-hw3.monsterlabs.com is reporting it's fqdn as 0 since from ml-hw3.monsterlabs.com is the next host to receive mail?

The mail winds up on an IMAP server at monsterlabs.com, so as far as I know, the final delivery system is on their network.

I suppose it's possible that their system near the same time I set up a new SpamCop account, but that seems too coincidental to me.

And, yes, I read the "read before posting" stuff where I thought applicable. If I missed something, I apologize.

[Jeff G. 0]

You really need to talk to the Message Labs mail admins about this. While you're at it, ask them why qmail held on to that message for 6 minutes 33 seconds.

Edited September 22, 2005 by Jeff G.

[Wazoo 0]

For statistical purposes, http://www.spamcop.net/sc?id=z808465605z99...87eee9eec51fdaz offered up as a non-MailHosted version of a parse from the original example.

In the Pinned items, Ellen states that for issues beyond the ordinary/normal, one needs to send her (Deputies) various details as she/they are are only folks available with access to your account and the MailHost database ....

The "rest of us" try to chip in best "we" can .. some issues have been raised here, so you may want to include that you'd already been yelled at a bit here <g> .. whether there is a work-around at the SpamCop end, only Ellen/Deputies could answer that ... getting your host to fix things would solve things much cleaner.

[phredx 0]

Oh, whoops. I found a different "read before posting" somewhere else in the FAQ I guess. I missed the pinned item.

Anyway, thanks for all the feedback. The goal in the end, of course, being to prevent spam...

[Jeff G. 0]

getting your host to fix things would solve things much cleaner.

33099[/snapback]

and make your Reports more believable.