Keithj

Innocent ISP blamed?

This morning I was treated to a load of Russian-language spam. When I went to report them, each one was shown as originating from my own ISP (houxou.com) even though the headers seemed to show a different origin. I've put the header below (with my address removed) - why does Spamcop think it came from houxou rather than uni2.es? Am I misreading the header?

From - Fri Sep 01 07:03:09 2006
X-Account-Key: account5
X-UIDL: 1157090568.30575.hermes.houxou.com,S=64144
X-Mozilla-Status: 0001
X-Mozilla-Status2: 10000000
Return-Path: <info[at]ian.org>
Delivered-To: (me)
Received: (qmail 30571 invoked by uid 107); 1 Sep 2006 06:02:48 -0000
Received: from unknown (HELO hunter.houxou.com) (193.203.240.116)
  by smtp2.houxou.com with SMTP; 1 Sep 2006 06:02:48 -0000
Received: from 49.pool85-50-64.dynamic.uni2.es (49.pool85-50-64.dynamic.uni2.es [85.50.64.49])
  by hunter.houxou.com (8.13.1/8.13.1) with SMTP id k8162JuO021899;
  Fri, 1 Sep 2006 07:02:28 +0100
Message-ID: <0d2801c6cd87$3ad58a70$1f330e0a[at]spindle>
From: "Alexey" <info[at]ian.org>
To: <(me)>
Subject: =?koi8-r?B?4snazsXTLc/C0sHaz9fBzsnFINDPIMzPx8nT1MnLxQ==?=
Date: Fri, 1 Sep 2006 09:26:51 +0400
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
X-Houxou-MailScanner-Information: Please contact the ISP for more information
X-Houxou-MailScanner: Found to be clean
X-Houxou-MailScanner-From: info[at]ian.org
X-spam-Status: No
X-Antivirus: AVG for E-mail 7.60215712.405 [268.11.7/435]
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="=======AVGMAIL-44F7CD1D5DC8======="

... why does Spamcop think it came from houxou rather than uni2.es? Am I misreading the header?
Hi Keith. Is it possible for you to post a Tracking URL? Those things make diagnosis a whole lot easier because the message source is not additionally distorted by posting "here" plus the parser's comments and notes provide a significant part of the picture.


http://www.spamcop.net/sc?id=z1050153152zf...31df09b678357fz wants to report to:

Report spam to:
Re: 193.203.240.116 (Administrator of network where email originates)
To: monu[at]aviators.net (Notes)

Received: from unknown (HELO hunter.houxou.com) (193.203.240.116) by smtp2.houxou.com with SMTP; 1 Sep 2006 06:02:48 -0000
193.203.240.116 found
host 193.203.240.116 (getting name) no name
85.50.64.49 is not an MX for 49.pool85-50-64.dynamic.uni2.es
Host 49.pool85-50-64.dynamic.uni2.es (checking ip) = 85.50.64.49
Host hunter.houxou.com (checking ip) = 193.203.240.116
193.203.240.116 not listed in dnsbl.njabl.org
193.203.240.116 not listed in cbl.abuseat.org
193.203.240.116 not listed in dnsbl.sorbs.net
193.203.240.116 is not an MX for smtp2.houxou.com
193.203.240.116 is not an MX for hunter.houxou.com
Chain test:hunter.houxou.com =? 193.203.240.116
193.203.240.116 is not an MX for hunter.houxou.com
Host hunter.houxou.com (checking ip) = 193.203.240.116
ips are identical
hunter.houxou.com and 193.203.240.116 have close IP addresses - chain verified
Possible relay: 193.203.240.116
193.203.240.116 not listed in relays.ordb.org.
193.203.240.116 has already been sent to relay testers
Received line accepted
85.50.64.49 discarded as a forgery, using 193.203.240.116

MailHosted Reporting account?

Could have brought up a "new" server, but SenderBase says:

Date of first message seen from this address 2006-03-09

So just for starters, the configuration 'errors' need to be fixed ....

Moving to the Reporting Help Forum section.


It looks to me as though the parser has picked up the wrong received line by wrongly discarding 85.50.64.49 as a forgery. It looks as though it has come out of a France Telecom dynamic IP as the reverse DNS for 85.50.64.49 is indeed 49.pool85-50-64.dynamic.uni2.es. Probably a zombied machine.

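As an added illustration (not code from this thread or from SpamCop) of why the parser stopped at 193.203.240.116 and discarded 85.50.64.49: a simplified walk of the Received: trail in which a hop is believed only if the host that wrote it is one of the recipient's registered mail hosts. The mailhosts mapping is an assumed, offline stand-in for the DNS checks the real parser runs.

```python
import re

# Constructed sample: the two Received: lines from the message posted in this
# thread, unfolded onto single lines, outermost (final delivery) hop first.
RECEIVED = [
    "from unknown (HELO hunter.houxou.com) (193.203.240.116) by smtp2.houxou.com "
    "with SMTP; 1 Sep 2006 06:02:48 -0000",
    "from 49.pool85-50-64.dynamic.uni2.es (49.pool85-50-64.dynamic.uni2.es "
    "[85.50.64.49]) by hunter.houxou.com (8.13.1/8.13.1) with SMTP id k8162JuO021899; "
    "Fri, 1 Sep 2006 07:02:28 +0100",
]

# Sending IP in (...) or [...] after 'from', then the host named after 'by'.
HOP_RE = re.compile(r"from\s+\S+.*?[(\[](\d{1,3}(?:\.\d{1,3}){3})[)\]].*?\bby\s+([\w.-]+)", re.S)

def parse_hop(line):
    """Return (sender_ip, receiving_host) for one Received: line, else None."""
    m = HOP_RE.search(line)
    return (m.group(1), m.group(2).lower()) if m else None

def find_origin(received, mailhosts):
    """Walk the trail outermost-first; return the first sending IP that is not
    one of our own mail hosts.  mailhosts maps trusted hostname -> IP (None if
    unknown).  A line written by an untrusted host, or one that breaks the
    chain, ends the walk: everything behind it is unverifiable (treated as forged).
    """
    trusted_ips = {ip for ip in mailhosts.values() if ip}
    expected_by, last_ip = None, None
    for line in received:
        hop = parse_hop(line)
        if hop is None:
            continue
        sender_ip, receiver = hop
        if receiver not in mailhosts or (expected_by and receiver != expected_by):
            return last_ip          # chain broken: fall back to last verified IP
        if sender_ip not in trusted_ips:
            return sender_ip        # first hop from outside our own hosts
        # The next line must have been written by the host that owns sender_ip.
        expected_by = next(h for h, ip in mailhosts.items() if ip == sender_ip)
        last_ip = sender_ip
    return last_ip

if __name__ == "__main__":
    # Only the final delivery host known: the walk stops at hunter's IP,
    # which is what the parser did in this thread.
    print(find_origin(RECEIVED, {"smtp2.houxou.com": None}))
    # hunter.houxou.com registered as a mail host too: walk reaches uni2.es.
    print(find_origin(RECEIVED, {"smtp2.houxou.com": None,
                                 "hunter.houxou.com": "193.203.240.116"}))
```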
