Jump to content
Sign in to follow this  
btech

[Resolved] Parser issue

Recommended Posts

http://www.spamcop.net/sc?id=z879525076z4d...3814b266b9d905z

The IP that's being reported is: 72.22.11.69, which is the domain my mailbox is on... from what I see here, shouldn't 70.21.254.184, the initial source, have been picked up as the sender and reported?

Received:  FROM [70.21.254.184] BY newbox.selekta.com with hMailServer; Sun, 19 Feb 2006 18:05:45 -0500
no from
70.21.254.184 found
host 70.21.254.184 = static-70-21-254-184.nwrk.east.verizon.net (cached)
static-70-21-254-184.nwrk.east.verizon.net is 70.21.254.184
72.22.11.69 not listed in dnsbl.njabl.org
72.22.11.69 not listed in cbl.abuseat.org
72.22.11.69 not listed in dnsbl.sorbs.net
72.22.11.69 is not an MX for mailgate.cesmail.net
72.22.11.69 is not an MX for newbox.selekta.com
72.22.11.69 is not an MX for mailgate.cesmail.net
72.22.11.69 not listed in dnsbl.njabl.org
Possible spammer: 70.21.254.184
Host newbox.selekta.com (checking ip) = 72.22.11.66
72.22.11.66 not listed in dnsbl.njabl.org
72.22.11.66 not listed in cbl.abuseat.org
72.22.11.66 not listed in dnsbl.sorbs.net
   Chain test:newbox.selekta.com =? 72.22.11.69
   72.22.11.69 is not an MX for newbox.selekta.com
   Host newbox.selekta.com (checking ip) = 72.22.11.66
   72.22.11.69 is not an MX for newbox.selekta.com
   ips are close enough
   newbox.selekta.com and 72.22.11.69 have close IP addresses - chain verified
Possible relay: 72.22.11.69
72.22.11.69 not listed in relays.ordb.org.
72.22.11.69 has already been sent to relay testers
Received line accepted
[b]70.21.254.184 discarded as a forgery, using 72.22.11.69[/b]

THe bold part is what gets me. It's an IP listed to Verizon and even though the magnitude is negative [at] Senderbase, I fail to see how the parser would assume then that the second IP is the sender.

I really don't want to think I'm reporting spammers and actually reporting my domain to it's host.

Edited by btech

Share this post


Link to post
Share on other sites

Certainly static-70-21-254-184.nwrk.east.verizon.net should have been picked. Your 72.22.11.69 has no rDNS entry which probably doesn't help with the parser. Also I note a 3 second discrepancy

from selekta.com (HELO newbox.selekta.com) (72.22.11.69) by mailgate.cesmail.net with SMTP; 19 Feb 2006 23:05:42 -0000

FROM [70.21.254.184] BY newbox.selekta.com with hMailServer ; Sun, 19 Feb 2006 18:05:45 -0500

- though shouldn't think that would come into it. Should be reported to Deputies I think - in case something can be learned from it. Assume this sort of thing doesn't happen to you often? If it did, I wonder if registering your mailhost might be good idea. Shouldn't be necessary but the whole idea was to help overcome "clever forgeries" which evidently the parser is "assuming" this to be.

Share this post


Link to post
Share on other sites

I think I have a similar issue just discovered but probably rumbling for days or even weeks.

http://www.spamcop.net/sc?id=z875636200z75...de3bd0cf2e56b9z

A different example at:

http://www.spamcop.net/sc?id=z874322442z71...c6c06cfa9a3ab8z

It seems that an IP address roughly halfway up the headers is getting identified as the source rather than the actual source IP.

The IP is an IP address at our ISP.

The common factor here is that the IP is the one provided by our ISP when the mail item passes from their system to the SpamCop flat rate Email system. It so happens I use the function to 'POP' our ISP mailbox instead of forwarding straight onto the SpamCop Email account. Not sure if this makes a difference.

I'll make some changes and see what I can report.

Andrew

Share this post


Link to post
Share on other sites
I really don't want to think I'm reporting spammers and actually reporting my domain to it's host.

Unfortunately, that's what's happening. It's been going on for some time now. On the bright side, you're the only one reporting the IP as a spam source, so your reports haven't put the server on our blocking list.

You can compensate for that by running our Mailhost configuration utility so that SpamCop can create a list of the services that handle your email so that our system will know what servers to trust when you report your spam. You'll need to configure a host for *all* the domains you receive mail through.

You can accomplish that by logging into your SpamCop account at http://www.spamcop.net and using the Mailhosts link to tell SpamCop about *all* of your service providers, forwarding services, and webmail hosts. You need to register one email address for each host that handles your email.

Once you start configuring hosts, you can't report spam again until you get them all on your list because the Mailhost system completely changes the way SpamCop looks at your spam.

- Don D'Minion - SpamCop Admin -

service[at]admin.spamcop.net

Share this post


Link to post
Share on other sites
I think I have a similar issue just discovered but probably rumbling for days or even weeks.

http://www.spamcop.net/sc?id=z875636200z75...de3bd0cf2e56b9z

A different example at:

http://www.spamcop.net/sc?id=z874322442z71...c6c06cfa9a3ab8z

It seems that an IP address roughly halfway up the headers is getting identified as the source rather than the actual source IP.

mailout02.dsvr.x-isp.net [213.253.179.6] isn't on your list of Mailhosts.

The details I need from you are private, so I'll contact you via email.

- Don -

Share this post


Link to post
Share on other sites

*EDIT*

N/M. I've added my mail hosts to my SC interface. :)

We can change this thread to 'resolved'

Edited by btech

Share this post


Link to post
Share on other sites
N/M.  I've added my mail hosts to my SC interface.  :)

40624[/snapback]

Thanks for taking that step and letting us know.
We can change this thread to 'resolved'

40624[/snapback]

Thanks, but I'd prefer to wait until we have confirmation that Andrew's similar issue is also resolved.

Share this post


Link to post
Share on other sites
Thanks for taking that step and letting us know.Thanks, but I'd prefer to wait until we have confirmation that Andrew's similar issue is also resolved.

40630[/snapback]

You can close the issue. Andrew's problem is a Mailhost configuration detail unique to him. It's not a system or procedural problem.

- Don -

Share this post


Link to post
Share on other sites
<snip>
<snip>

We can change this thread to 'resolved'

40624[/snapback]

Thanks, but I'd prefer to wait until we have confirmation that Andrew's similar issue is also resolved.

40630[/snapback]

You can close the issue.  Andrew's problem is a Mailhost configuration detail unique to him.  It's not a system or procedural problem.

- Don -

40631[/snapback]

...Thanks, all -- this thread is now marked "Resolved."

Share this post


Link to post
Share on other sites
You can close the issue.  Andrew's problem is a Mailhost configuration detail unique to him.  It's not a system or procedural problem.

40631[/snapback]

I'm working with Don directly but wanted to record my thanks for the speedy take up to this issue posted here. Thanks Don.

Andrew

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×