
parser identify 1.x.x.x reserved address


efa

Hi, I submitted a 3-day-old spam today.

Here is the tracking URL:

http://www.spamcop.net/sc?id=z839337921z6e...464b0b17bedc64z

The spam is too old, so the parser cannot report at all.

But I noted that the parser incorrectly identifies the source as:

1.16.104.105

registered to:

OrgName: Internet Assigned Numbers Authority

OrgID: IANA

NetRange: 1.0.0.0 - 1.255.255.255

CIDR: 1.0.0.0/8

NetName: RESERVED-9

NetType: IANA Reserved

OrgAbuseEmail: abuse[at]iana.org

when the source is surely:

213.140.2.73

registered to:

inetnum: 213.140.0.0 - 213.140.2.255

netname: FASTWEB-NOC

abuse[at]fastweb.it

Clearly the header is forged, inserting a hop in a private LAN (10.31.40.142) and a fake source, 1.16.104.105.


I agree that this is a problem with the SpamCop Parser, in that the Parser should recognize "IANA Reserved" and "IANA Special Use" NetTypes (like Networks 1.0.0.0/8, 2.0.0.0/8, and 5.0.0.0/8), as documented in whois.arin.net responses as well as RFC3330 Special-Use IPv4 Addresses, and should discard them like it does "IANA Special Use" NetTypes (10.0.0.0/8, 192.168.0.0/16, and 172.16.0.0/12), as documented in RFC1918 Address Allocation for Private Internets and referenced in RFC3330 Special-Use IPv4 Addresses. To expedite repair of this problem, I'd suggest emailing a SpamCop Admin via How To Get Official SpamCop.Net Customer Support.


When I click on the tracking URL, this is what I get:

If reported today, reports would be sent to:

Re: 213.140.2.73 (Administrator of IP block - statistics only)

abuse[at]fastweb.it

Re: 213.140.2.73 (Third party interested in email source)

spamcop[at]imaphost.com

Re: http://www.duniaonline.net/ (Administrator of network hosting website referenced in spam)

abuse[at]plusserver.de

abuse[at]server4you.de

Either efa was quick to contact spamcop and they were quick to fix it or it was one of those times when the parser hiccuped. Often when that happens, refreshing the parse produces a different result.

Miss Betsy


Either efa was quick to contact spamcop and they were quick to fix it

I post here <munged> my email to spamcop admin:

---

Date: Sun, 11 Dec 2005 01:01:21 +0100

From: efa <...efa...[at]....it>

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; it-IT; rv:1.7.12) Gecko/20050915

To: <SpamCop Admin [at:-] showtopic=5517>

Subject: Referral from the SpamCop Web Forum

X-Enigmail-Version: 0.92.0.0

I wrote to the forum signaling a probable parser bug/enhancement:

http://forum.spamcop.net/forums/index.php?showtopic=5572

Jeff G. asked me to contact the spamcop admin email directly to speed up the

fix of this.

regards, <efa>

---

and his fast reply (and fix):

---

From - Sun Dec 11 03:41:38 2005

X-Mailer: QUALCOMM Windows Eudora Version 6.2.5.4 (Beta)

Date: Sat, 10 Dec 2005 19:40:46 -0700

To: efa <...efa...[at]....it>

From: SpamCop Admin <SpamCop Admin [at:-] showtopic=5517>

Subject: Re: Referral from the SpamCop Web Forum

>I wrote to the forum signaling a probable parser bug/enhancement:

>http://forum.spamcop.net/forums/index.php?showtopic=5572

>

>Jeff G. asked me to contact the spamcop admin email directly to speed up the

>fix of this.

Thanks for the info. Looks like a good spammer forgery. I compensated for

it and the parse is finding 213.140.2.73 as the source now.

Also, old spam is old news. SpamCop won't process spam that's over 48

hours old, so there's no point in wasting your time with it. Feel free to

delete anything over 24 hours old.

- <Don> -

---

Now the tracking is correct for me too.

Thanks!

I have already received 4 spams about duniaonline.net (what is this?) from fastweb.it.

For every one I wrote to abuse[at]fastweb.it via spamcop, but I'm listed again.

fastweb admin works well! :-))

This time the header is clearly forged to avoid tracking.

In the mail there's no remove tag as per the Italian privacy act (I and the server source are from Italy, and the mail content is also in Italian).

Normally I do not reply with a remove email [dangerous],

but in this case I probably shall, as I know the provider (fiber-optic incumbent national big carrier).

I was out for 4 days, so I read the spam only yesterday evening.

Spamcop refused to send the mail because it was 3.3 days old.

So I wrote to fastweb.it myself; hope for the next time...

thanks again,

efa


I post here <munged> my email to spamcop admin:

<snip>

Hi, efa,

...Great, fast work by both you and Don -- thank you!

Normally I do not reply with a remove email [dangerous],

...and for good reason! :) <g>

but in this case I probably shall, as I know the provider (fiber-optic incumbent national big carrier).

<snip>

...Just from what you write, it still looks dangerous. The "fiber optic incumbent national big carrier" is unlikely to be able to protect you from the spammer tricks. They certainly did not protect you from being spammed! If I were you, I would reconsider the plan to reply with remove e-mail.

  • 1 month later...

I have found a spam header that cheats the parser.

Here is the tracking URL:

http://www.spamcop.net/sc?id=z864389934z6c...559d2a3031fac0z

The mail clearly comes from 213.140.2.69 on fastweb.it,

but the parser indicates it comes from IANA reserved 1.16.104.109.

I had already posted another example of this cheat some months ago, and it seemed to be fixed.

Moderator Edit: Merged this "new" Topic into the Topic efa previously had opened up on the same subject ....


Query sent upstream, referencing that the same issue is being brought up again.

Not the same issue. Different Fastwebnet IP.

Most of Fastwebnet's main servers are flagged as "trusted" relays so that SpamCop will push past them and go after the true source of the spam.

The problem is that some of them can't be trusted. When we identify one that is recording a bogus source, such as an IANA reserved IP, all we can do is go in and mark the offending server as a "liar" so the parse won't trust it anymore and tags it as the actual source.

I just did that for 213.140.2.69. The parse is finding it as the source now.

Received: from aa002msg.fastwebnet.it (213-140-2-69.ip.fastwebnet.it [213.140.2.69])
        by smtp11.libero.it

Received: from ms004msg.fastwebnet.it (10.31.40.142) by aa002msg.fastwebnet.it

- Don -

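The rule Jeff G. and Don describe (discard a hop whose recorded peer is a private or IANA reserved address, and treat the relay that recorded it as the source), as an added example that is not SpamCop's code. The trusted-relay list, the reserved-range list as of 2005 and the third Received: line are constructed from the thread's description; only the first two Received: lines are the ones Don quotes.

```python
import ipaddress
import re

# Peers a Received: line should never legitimately record: the RFC 1918 private
# blocks plus the /8s this thread calls "IANA Reserved" in 2005 (allocated since).
BOGUS_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "1.0.0.0/8", "2.0.0.0/8", "5.0.0.0/8")]
# Relays the parser "pushes past" (hypothetical trusted list built from the thread).
TRUSTED_RELAYS = {"smtp11.libero.it", "aa002msg.fastwebnet.it", "ms004msg.fastwebnet.it"}
# Constructed sample: the two Received: lines Don quotes plus a third modelling the
# NAT/forged hop the thread describes (not copied from the actual spam).
SAMPLE_HEADERS = [
    "Received: from aa002msg.fastwebnet.it (213-140-2-69.ip.fastwebnet.it "
    "[213.140.2.69]) by smtp11.libero.it",
    "Received: from ms004msg.fastwebnet.it (10.31.40.142) by aa002msg.fastwebnet.it",
    "Received: from [1.16.104.109] by ms004msg.fastwebnet.it",
]

def parse_received(headers):
    """Return [(peer_ip, recording_host)] top-down, i.e. latest hop first."""
    hops = []
    for line in headers:
        m = re.match(r"Received:\s+from\s+(.*?)\s+by\s+(\S+)", line, re.S)
        if not m:
            continue
        ips = re.findall(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])", m.group(1))
        if ips:  # the bracketed literal address is the last IP in the "from" clause
            hops.append((ipaddress.ip_address(ips[-1]), m.group(2)))
    return hops

def is_bogus(ip):
    return any(ipaddress.ip_address(str(ip)) in net for net in BOGUS_NETS)

def naive_source(headers):
    """What the thread reports: trust every relay and take the deepest hop's peer."""
    hops = parse_received(headers)
    return str(hops[-1][0]) if hops else None

def find_source(headers, trusted=TRUSTED_RELAYS):
    """Walk from the receiving MTA toward the origin; stop at an untrusted relay or at
    a hop recording a private/reserved peer. That relay is a "liar", so the last
    publicly routable address above it (the relay's own) is reported as the source."""
    hops = parse_received(headers)
    for i, (peer, recorder) in enumerate(hops):
        if is_bogus(peer):
            return (str(hops[i - 1][0]), "liar") if i else (None, "first hop bogus")
        if recorder not in trusted:
            return str(peer), "untrusted relay"
    return (str(hops[-1][0]), "end of chain") if hops else (None, "no hops")
```

On the sample chain `naive_source` returns the unreportable 1.16.104.109 the thread complains about, while `find_source` stops at the 10.31.40.142 hop and reports 213.140.2.69, the outcome Don produced by marking that relay a liar.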

When we identify one that is recording a bogus source, such as an IANA reserved IP, all we can do is go in and mark the offending server as a "liar" so the parse won't trust it anymore and tags it as the actual source.

All the fastweb users are on a private LAN, and the provider itself uses NAT.

Seems to me that the fastweb DHCP server assigns the forbidden (reserved) addresses 1.x.x.x.

No mail server should record a source from a reserved IANA address like 1.x.

So when something similar happens, you can be sure that that server is the real source.
