[Resolved] Spam???


provobis

Hello all,

Here's a really good one that's driving me nuts. I registered and posted here because spam Cop has popped up more than once when I've tried to find answers to the problem(s) I have, and it seems a good idea to ask spam experts about what is apparently a spam problem. If I seem to be a greenhorn in your community it's only because I am one... so have mercy on me in any replies to this post. :blush:

I received an inquiry from someone in Poland who wanted some information about his electronic equipment. I have a website to liquidate electronic materials and service materials and receive inquiries from all over the world, so I answered the man's inquiry, but my email returned to me undelivered. The error message was YOUR MESSAGE WAS NOT DELIVERED BECAUSE THE RETURN ADDRESS WAS REFUSED

In trying to find out who or what refused my email message I looked at the returned mail message delivery status headers and the error message there was DIAGNOSTIC-CODE: SMTP; 554 5.7.1: (my email address was here which I don't post here) SENDER ADDRESS REJECTED: SPAM20040316AK

Seeing the word spam in those header diagnostics, I thought there was a problem with spam and so sent test messages to and from ALL of my Outlook Express addresses with the word TEST in the subject field. I did receive those messages back to myself but with the added word spam in the subject field, so the subject field looked like this spam:TEST. I suspected any program on my computer that had to do with security such as Trend PCcillin 2007 and Mailwasher so I exited those and tried to send my reply message to Poland again, but it still came back refused with the same header error message. However my emails to myself came back OK with no spam inserted in the subject field whenever I exited PCcillin 2007. So in part, I reasoned Trend PCcillin might be the problem but since my email to Poland still came back refused how could that be? :o

I didn't know if the refused message to Poland and the spam in my subject field I sent to and from myself are in any way related. I inquired at Trend as well as my own ISP but neither one has found an answer (yet) even though they suggested all sorts of solutions, none of which has worked. <_<

What can insert the word spam in the email subject field, in mail that I send to and from myself? BTW if I do not put anything in the subject field in those emails I send to and from myself using Outlook Express the word spam is not inserted. This is really weird! :unsure:

I have even thought someone has blacklisted my email address or email domain for whatever reason and that may be the reason my mail to Poland and/or mail to myself, or both, is being affected in the way(s) I describe here. :angry:

One ISP tech rep has suggested that the fault is with Microsoft. :P

Link to comment
Share on other sites

What can insert the word spam in the email subject field, in mail that I send to and from myself? BTW if I do not put anything in the subject field in those emails I send to and from myself using Outlook Express the word spam is not inserted. This is really weird! :unsure:

First, welcome.

To answer your question, the word "spam" could be added at any server your mail went through. That includes your machine when certain software is installed to protect against viruses and/or spyware.

Your messages would normally go from your machine, to your ISP's mail server and then to the recipient's mail server. A set of headers would be helpful here to see exactly what is happening.

Link to comment
Share on other sites

I received an inquiry from someone in Poland who wanted some information about his electronic equipment. I have a website to liquidate electronic materials and service materials and receive inquiries from all over the world, so I answered the man's inquiry, but my email returned to me undelivered. The error message was YOUR MESSAGE WAS NOT DELIVERED BECAUSE THE RETURN ADDRESS WAS REFUSED

In trying to find out who or what refused my email message I looked at the returned mail message delivery status headers and the error message there was DIAGNOSTIC-CODE: SMTP; 554 5.7.1: (my email address was here which I don't post here) SENDER ADDRESS REJECTED: SPAM20040316AK

Evidently, your correspondent's mail service has a rule that rejects mail if it bears certain e-mail addresses. Hard to say how it decides to put such addresses on the blacklist, maybe because they have been forged into spam in the past.

Whatever the case, this is not a very good way to block spam, and also affects innocent parties (as you now know). In fact, it only affects innocent parties as far as I can see, since spammers tend not to re-use their stolen from-addresses.

It is more customary to reject mail if it is offered by a mail host (or any host) whose IP address (not e-mail address) is on a blocking list.

If you wanted to, you could try to reply again after a day or two, perhaps you might be off the blacklist by that time.

As for the "spam" labels, as Steven notes these could be inserted at various points. Since we don't know what addresses you sent from, and what addresses you received at, and what these messages looked like when they were received, there isn't much to be said about them.

-- rick

Link to comment
Share on other sites

Steven and rconner, thanks for your response. So by your replies, do I understand that the "spam" inserted in my test email subject fields to and from myself is probably not related to the refused email I sent to Poland? Especially since when I exit my Trend PCcillin program there is no spam inserted in the subject fields? But then why wouldn't PCcillin insert spam in the subject field when I leave that field blank? BTW, I tried sending test email to someone I know in France and there was no problem.

I did reply to Poland's inquiry but I had to do so with a web mail service I use when for some reason I can't use my own Outlook Express which in this case as you know, gets refused back to me at this time. I have not received any response from Poland yet, and I did ask him if he has some spam filter in place that he knows of causing the problem.

But if the person in Poland emailed me first is it likely or probable his email program would could allow a spam label on my email address/domain? Doesn't a selected/chosen email address target preclude/disallow a blocking or spam label?

Steven, I would be happy to provide any headers for examination, but is it a good idea to post those here what with email addresses, names, etc which would in fact invite/enable security or spam invasion? Would you suggest a better way for me to provide headers to you? Also is there a way to determine if my address or email server have been put on a blocking/spam list? I have looked on the web for that kind of listing but it seems a complex and/or dedicated service that needs registration or membership.

Link to comment
Share on other sites

Steven and rconner, thanks for your response. So by your replies, do I understand that the "spam" inserted in my test email subject fields to and from myself is probably not related to the refused email I sent to Poland? Especially since when I exit my Trend PCcillin program there is no spam inserted in the subject fields? But then why wouldn't PCcillin insert spam in the subject field when I leave that field blank? BTW, I tried sending test email to someone I know in France and there was no problem.

Sorry, I am not familiar with the software you mention, so I don't know how it works or what causes it to tag incoming mail.

I did ask him if he has some spam filter in place that he knows of causing the problem.
Possibly it is not his filter, it may be that of his provider, and he might not have control over it or awareness of it.

But if the person in Poland emailed me first is it likely or probable his email program would could allow a spam label on my email address/domain? Doesn't a selected/chosen email address target preclude/disallow a blocking or spam label?
I don't follow your question exactly, but I think you are assuming that the typical e-mail system is a lot more centralized than it really is. Any host that is handling incoming mail on behalf of a domain can put a tag on the subject line (or elsewhere) if it believes that the message is spam. The fact that your correspondent sent you a message first may have nothing to do with the matter, and probably wouldn't prevent your future messages from being tagged.

Steven, I would be happy to provide any headers for examination, but is it a good idea to post those here what with email addresses, names, etc which would in fact invite/enable security or spam invasion? Would you suggest a better way for me to provide headers to you?
It would be fine (by me) to munge out the e-mail addresses, perhaps replacing them with labels (like "my-hotmail-account"). This forum software will munge them (like "joe[at]domain.foo") for you anyway even if you do not.

Also is there a way to determine if my address or email server have been put on a blocking/spam list? I have looked on the web for that kind of listing but it seems a complex and/or dedicated service that needs registration or membership.
Typically, block lists do not list e-mail addresses, they list only IP addresses of computers that leave mail. If you know the IP address of your outgoing mail host, you can look it up on the website of a block list to see whether it is listed. There are many block lists, most allow you to do web-based lookups without charge. http://www.dnsstuff.com/ I think provides an "all-in-one" lookup, and I think you can still do this for free but you may have to look at a bunch of signup pitches when you do. Anyway, even if you find that your provider's mail host is on a block list, there isn't much that you can do about it yourself; this is a matter for your internet provider to take care of (or not).

-- rick

Link to comment
Share on other sites

Usually blocklists use IP addresses (that is the IP address of the mail server that your email goes through - it is not your Outlook Express program, but the email service provider you use to send mail). There are several places where you can find out about IP addresses free of charge (I don't know where to look at the moment to tell you what they are, but someone who is more organized might give you a link.)

As others have said the return message you got seems to be rejecting your email address which is generally not done because of the numerous forged addresses the spammers use.

You can mung (use an 'x' instead of the user name on your email address) any headers you may post. And, yes, it is not a good idea to post email addresses, but it doesn't matter about IP addresses.

Spamcop has a blocklist based on reports from users of spam that they have received and also on spamtraps (all these terms can be found in the glossary and the wiki). Emails are either blocked at the server level or tagged as 'spam' with the spamcop blocklist depending on how the server admin of the receiving mail server wants to use it. If they use it to reject email, you will get a rejection message that says that your IP address, not your email address, is on the spamcop blocklist.

When programs, like the ones you are using, tag an email as spam, they do so based on various rules based on the content - that's why sometimes it tagged the email and sometimes it didn't. Mailwasher does allow you to tag spam based on some blocklists. (By the way, do NOT use the 'bounce' function of Mailwasher. It sends an email to the return path which is almost always forged and the email goes to a completely innocent person - who sometimes gets hundreds of them. These 'email bounces' are reportable by spamcop and will put the email server you are using on the spamcop blocklist if reported.)

Once you give us your IP address, someone can find out if it is on any major blocklists and, if it is, maybe why it is. Although the complete header tells more of a story, the IP address is sufficient to see if it is on a blocklist.

HTH

Miss Betsy

Link to comment
Share on other sites
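Added example (not part of any post in this thread): how an IP-based blocklist lookup of the kind described above works over DNS. The octets of the sending host's address are reversed and prepended to the list's zone, and an answer inside 127.0.0.0/8 means "listed". `bl.spamcop.net` is the SpamCop zone; `dnsbl.example` and the resolver tables are constructed for the demonstration, and the `resolve` parameter is a hypothetical hook so the check can be run without network access.

```python
import ipaddress
import socket

# By convention (RFC 5782) a DNSBL answers with an address in 127.0.0.0/8
# when the queried IP is listed, and with NXDOMAIN when it is not.
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Build the DNS name that a blocklist client looks up for `ip`."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))          # octets, reversed
    else:
        labels = reversed(addr.exploded.replace(":", ""))  # 32 nibbles, reversed
    return ".".join(labels) + "." + zone.strip(".")


def system_resolve(name):
    """A records for `name` from the system resolver.

    Any lookup failure (NXDOMAIN, but also a timeout) yields [], so an
    unreachable list looks the same as "not listed" here.
    """
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def check_dnsbl(ip, zone, resolve=system_resolve):
    """Look `ip` up in one blocklist zone and classify the answer."""
    query = dnsbl_query_name(ip, zone)
    answers = resolve(query)
    codes = [a for a in answers if ipaddress.ip_address(a) in LISTED_NET]
    return {
        "zone": zone,
        "query": query,
        "listed": bool(codes),
        "return_codes": codes,
        # Answers outside 127/8 are not a listing: they usually mean a
        # mistyped or defunct zone, or a resolver that rewrites NXDOMAIN.
        "unexpected_answers": [a for a in answers if a not in codes],
    }


def listed_in(ip, zones, resolve=system_resolve):
    """Names of the zones in `zones` that list `ip`."""
    return [z for z in zones if check_dnsbl(ip, z, resolve)["listed"]]


# Constructed resolver data for an offline run: 192.0.2.99 is "listed" in the
# made-up zone dnsbl.example, and a second made-up zone returns a bogus answer.
FAKE_ZONE_DATA = {
    "99.2.0.192.dnsbl.example": ["127.0.0.2"],
    "99.2.0.192.parked.example": ["203.0.113.5"],
}


def fake_resolve(name):
    return FAKE_ZONE_DATA.get(name, [])


if __name__ == "__main__":
    # The mail host address from the headers posted later in this thread.
    print(dnsbl_query_name("98.16.103.217", "bl.spamcop.net"))
    print(check_dnsbl("192.0.2.99", "dnsbl.example", fake_resolve))
    print(check_dnsbl("192.0.2.99", "parked.example", fake_resolve))
```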

Thanks all for the replies. Below is the complete header of the returned mail. My IP address is 98.16.107.254 according to a web page inquiry result and on the same web page my provider IP address is listed as h254.107.16.98 ip alltel.net

Return-Path: <>
To: (my email address)
From: Mail Administrator <Postmaster[at]windstream.net>
Reply-To: <Postmaster[at]windstream.net>
Subject: Mail System Error - Returned Mail
Date: Fri, 14 Sep 2007 07:03:57 -0500
Message-ID: <20070914120357.TKJL29331.ispmxmta06-srv.windstream.net[at]ispmxmta06-srv>
MIME-Version: 1.0
Content-Type: multipart/report;
    report-type=delivery-status;
    Boundary="===========================_ _= 1123657(29331)1189771437"

--===========================_ _= 1123657(29331)1189771437
Content-Type: text/plain

This Message was undeliverable due to the following reason:
Your message was not delivered because the return address was refused.
The return address was "<my email address>"
Please reply to <Postmaster[at]windstream.net>
if you feel this message to be in error.

--===========================_ _= 1123657(29331)1189771437
Content-Type: message/delivery-status

Reporting-MTA: dns; ispmxmta06.windstream.net
Arrival-Date: Fri, 14 Sep 2007 07:03:55 -0500
Received-From-MTA: dns; ispmxaamta08-gx.windstream.net (98.16.103.217)
Final-Recipient: RFC822; <Poland's email address>
Action: failed
Status: 5.1.8
Remote-MTA: dns; mx.poczta.interia.pl (80.48.65.10)
Diagnostic-Code: smtp; 554 5.7.1 <my email address>: Sender address rejected: Spam20040316AK

--===========================_ _= 1123657(29331)1189771437
Content-Type: message/rfc822

Received: from ispmxaamta08-gx.windstream.net ([98.16.103.217])
    by ispmxmta06-srv.windstream.net with ESMTP
    id <20070914120355.TKHL29331.ispmxmta06-srv.windstream.net[at]ispmxaamta08-gx.windstream.net>
    for <Poland's email address>; Fri, 14 Sep 2007 07:03:55 -0500
Received: from radiosou266a0b ([98.16.103.217])
    by ispmxaamta08-gx.windstream.net with SMTP
    id <20070914120355.MAJX7089.ispmxaamta08-gx.windstream.net[at]radiosou266a0b>
    for <Poland's email address>; Fri, 14 Sep 2007 07:03:55 -0500
Message-ID: <001001c7f6c7$5246e090$01fea8c0[at]radiosou266a0b>
From: "RADIOSOUND" <my email address>
To: <Poland's email address>
Subject: Fw: akai uc-w5 (UC-W5)
Date: Fri, 14 Sep 2007 08:03:53 -0400
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_000D_01C7F6A5.CADF7F70"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138

This is a multi-part message in MIME format.

------=_NextPart_000_000D_01C7F6A5.CADF7F70
Content-Type: text/plain;
    charset="iso-8859-2"
Content-Transfer-Encoding: quoted-printable

----- Original Message -----=20
From: RADIOSOUND=20
To: lem=20
Sent: Friday, September 14, 2007 8:00 AM
Subject: Re: akai uc-w5 (UC-W5)
*UC-W5* kopia instrukcji obs=B3ugi $35 + $12 op=B3ata pocztowa =
/opracowuj=B1cy (opracowanie), wp=B3ata przez Przyjaciela P=B3acy tylko, =
je=BFeli wy zatwierdzacie b=EAd=EA posy=B3a=E6 wam Przyjaciel P=B3acy =
poczty elektronowej =B3=B1czno=B6ci.=20
Roger(my web site URL)
----- Original Message -----=20
From: lem=20
To: my email address=20
Sent: Friday, September 14, 2007 5:06 AM
Subject: akai uc-w5 (UC-W5)
hallo,=20
I'm looking for circut diagram for Akai UC-W5, please send me this, if =
possible
best regards
leszek
poland
=
----------------------------------------------------------------------=20
Pieniadze czekaja na Ciebie=20
>>> http://link.interia.pl/f1bac=20
=20

------=_NextPart_000_000D_01C7F6A5.CADF7F70--

--===========================_ _= 1123657(29331)1189771437--

Anything more you can tell me by looking at those headers I would appreciate. Meanwhile I will try my luck at finding out what I can by checking with the "block lists" you mention. Thanks :D

Link to comment
Share on other sites

It looks to me (and I am not an expert at reading headers) that the IP address that is identified with your email is your domain address - 98.16.103.217 - which, at the moment is not in any blocklist.

Please reply to <Postmaster[at]windstream.net> if you feel this message to be in error.

I don't remember that you said that you had contacted this person. If, indeed, they are rejecting your email based on your email address, they should be able to tell you. And that means that your Polish correspondent either made a mistake (added you to his blocklist rather than his whitelist, for instance) or really doesn't want to hear from you any more.

However, you said that sometimes your emails were, on occasion, rejected (or, at least, that's what I have understood) and that, sometimes, but not this time, the reason had to do with the spamcop blocklist.

Although your IP address is not blocked by spamcop or other blocklists at this time, there could still be reasons why it has been blocked in the past. Using the 'bounce' feature on Mailwasher or having a trojanned machine that isn't sending spam right now are two that come to mind. It might be helpful if you explained what you meant that "...because spam Cop has popped up more than once when I've tried to find answers to the problem(s) I have..."

Or, as rconner suggested, the content filters (not blocklists) are catching your emails because there is a problem with the way you are wording your messages (not likely, but, as an example, using all caps). My personal opinion is that content filters are as much a nuisance as spam. Blocklists can reject at the server level so that you do get a rejection message if there is a problem and you, as sender, can easily find out what the problem is. There is often no way to find out why a content filter tagged or dropped a message - if you ever do find out that it wasn't received.

When Monday comes, there will be people who know more than I do about exactly why you might have gotten that message or, if you post them, previous messages.

Miss Betsy

Link to comment
Share on other sites

Please reply to <Postmaster[at]windstream.net>
if you feel this message to be in error.

I agree with Miss Betsy, you probably couldn’t go wrong sending a note to this party and asking for a specific reason for your mail's being blocked.

If the blockage was done by the Windstream service on its own initiative, and was based only on your e-mail address, this is a poor way to run a railroad. On the other hand, if your address was somehow blocked by the user (however misguidedly), you may not have much recourse.

I suspected a challenge/response filter gone wrong, but a proper C/R filter would not reject the message out of hand, at least not before sending you a challenge (which I assume was not done). So, I think we can rule out a C/R filter.

Received: from radiosou266a0b ([98.16.103.217])
		  by ispmxaamta08-gx.windstream.net with SMTP
		  id <20070914120355.MAJX7089.ispmxaamta08-gx.windstream.net[at]radiosou266a0b>
		  for <Poland's email address>; Fri, 14 Sep 2007 07:03:55 -0500

Miss Betsy has already cleared your mail host's IP address (at least it was clear when she looked it up), so I won't duplicate the effort. I do note that your mail host seems to be reporting an improper HELO name (that is, "radiosou266a0b"), one that is not a full mail host name as one would expect. Are you using your own computer as a mail host (outgoing MTA)? If so, I'd recommend against this, it is too easy to get into trouble vis-a-vis spam filters. It is better to send all your mail through an outgoing MTA (sometimes called 'SMTP host' or similar) operated by your provider.

(Apple Darwin shell command)
rconner$ host 98.16.103.217
217.103.16.98.in-addr.arpa domain name pointer h217.103.16.98.ip.alltel.net.

Here, we see that your mail host's IP address is reverse-resolving to the name shown above, which isn't even close to the HELO name. Some spam filters may get itchy if they see a HELO name that does not resolve to the indicated address, and if the address does not properly reverse-resolve back to the same host name (or at least something in the same domain). This might be a problem for some receiving domains, but in this case you've already taken the hit for a "bad" e-mail address so perhaps the HELO name isn't a problem (plus, guessing from the header line above, windstream may not even have tried to reverse-resolve your mail host's address). However, it is probably worth taking the matter up with alltel to see whether they can help get you a proper HELO name for your host (or, better yet, help you hook up with their own outgoing MTAs). This may spare you a problem or two in the future.

Added on edit: I saw this after posting, it may be worth an edit:

----- Original Message -----=20
From: RADIOSOUND=20
To: lem=20
Sent: Friday, September 14, 2007 8:00 AM
Subject: Re: akai uc-w5 (UC-W5)

This is quoted from the original message you sent. It shows that the only thing in the From: field is a nickname (RADIOSOUND) and that there is no e-mail address there. Was this what the original outgoing message looked like, or did you remove any data from it before posting?

Normally, mail hosts aren't supposed to peek inside messages for transmission-related data, but there's an outside chance that this particular host has decided to block any messages that don't have proper from-addresses inside the message. The answer here might be to make sure that you actually put your from-address inside the message, and not just the nickname.

-- rick

Link to comment
Share on other sites
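Added example (not part of any post in this thread): the HELO-versus-reverse-DNS comparison described in the post above, as a receiving host might script it. It pulls the HELO name and client IP out of a `Received:` line in the layout quoted on this page, then checks whether the HELO is a full host name, whether it agrees with the PTR name, and whether the PTR name resolves back to the same address. The PTR name is the one shown in the `host` output above; the forward (A) record for it, the "good" header and the `ptr_lookup`/`a_lookup` hooks are constructed assumptions so the check runs offline.

```python
import re
import socket

# Matches the Received: layout quoted on this page:
#   from <HELO name> ([<client IP>]) by <receiving host> ...
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[(?P<ip>[0-9A-Fa-f.:]+)\]\)\s+by\s+(?P<by>\S+)"
)


def system_ptr(ip):
    """PTR names for `ip` from the system resolver ([] if none)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:
        return []


def system_a(name):
    """IPv4 addresses for `name` from the system resolver ([] if none)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def norm(name):
    return name.rstrip(".").lower()


def domain_tail(name, labels=2):
    """Last `labels` labels of a name: a rough stand-in for 'same domain'
    (it is not public-suffix aware)."""
    return ".".join(norm(name).split(".")[-labels:])


def check_helo(received, ptr_lookup=system_ptr, a_lookup=system_a):
    """Compare the HELO name in a Received: line with DNS for the client IP."""
    m = RECEIVED_RE.search(received)
    if m is None:
        raise ValueError("unrecognised Received: layout")
    helo, ip = m.group("helo"), m.group("ip")
    ptr_names = [norm(n) for n in ptr_lookup(ip)]
    # A bare word such as a Windows machine name has no dot; an address
    # literal like [192.0.2.1] has dots but is not a host name either.
    is_fqdn = "." in norm(helo) and not helo.startswith("[")
    return {
        "helo": helo,
        "client_ip": ip,
        "received_by": m.group("by"),
        "ptr_names": ptr_names,
        "helo_is_fqdn": is_fqdn,
        "helo_matches_ptr": norm(helo) in ptr_names,
        "helo_shares_ptr_domain": is_fqdn and any(
            domain_tail(helo) == domain_tail(n) for n in ptr_names),
        "helo_resolves_to_client": is_fqdn and ip in a_lookup(helo),
        # Forward-confirmed reverse DNS: PTR name resolves back to the IP.
        "ptr_forward_confirmed": any(ip in a_lookup(n) for n in ptr_names),
    }


# Header line as quoted on this page.
PAGE_RECEIVED = ("Received: from radiosou266a0b ([98.16.103.217])\n"
                 "\tby ispmxaamta08-gx.windstream.net with SMTP")
# Constructed header for a correctly configured host (documentation addresses).
GOOD_RECEIVED = ("Received: from mail.example.net ([192.0.2.25])\n"
                 "\tby mx.example.org with ESMTP")

# PTR for 98.16.103.217 is taken from the `host` output on this page; every
# other record below is constructed for the demonstration.
FAKE_PTR = {"98.16.103.217": ["h217.103.16.98.ip.alltel.net."],
            "192.0.2.25": ["mail.example.net."]}
FAKE_A = {"h217.103.16.98.ip.alltel.net": ["98.16.103.217"],
          "mail.example.net": ["192.0.2.25"]}


def fake_ptr(ip):
    return FAKE_PTR.get(ip, [])


def fake_a(name):
    return FAKE_A.get(norm(name), [])


if __name__ == "__main__":
    for header in (PAGE_RECEIVED, GOOD_RECEIVED):
        print(check_helo(header, fake_ptr, fake_a))
```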

Thanks rconner (?) ... I've got a ton load of windows opened up trying to tie that "radiosou266a0b" to something, anything. I was finally going to give up and generate a post containing most of what you already made known .... lack of FQDNs, lousy address, on and on ... So I'll just toss in what you didn't ...

The "error messages" provided are based on what the maintainer of the e-mail server actually configures that server to provide for whatever error it comes across. What I believe you are seeing is a 'status' message from what seems to be your web-hosting (with an associated e-mail Account for that web-site) ISP. Their e-mail server saw the "Rejection" code from the .pl e-mail server, so it generated this response to you.

That anyone running an actual e-mail server of any size that would set up an actual filter based on a list of e-mail addresses is simply too bizarre to believe, so I'm going with that the error message doesn't mean exactly what it seems to say .. but then again, it can be seen as short-hand for the same reason rconner pointed out ... the "From:" address is simply garbage. I see tons of these everyday in the attempted spam postings to the newsgroup list/archiving tool.

There is also some confusion on my part in looking at the actual content. None of my business of course, but .... question asked in English, answer provided in another language, but also using 'dollar signs' for the money amount descriptions .....

My time lost in trying to come up with something concrete was due to you munging out your alleged Domain URL. Lack of that data left me at not being able to come up with anything close to an MX record that would have possibly added some other pertinent data. Google itself, GoogleGroups, some other BLs, on and on ... I found nothing that returned anything with 'radiosou266a0b' in it ..... SenderBase showing 51 Domains with "close relationships" to Windstream .. 1151 IP Addresses seen sending e-mail from that area .... absolutely nothing close to the only data seen to be 'critical' in trying to pin this down ....

Fighting the thoughts that this may in fact be spam, the only thing I can suggest is to start with your actual DNS records and Registration data for whatever this Domain may be ... then someone needs to check the configuration of the e-mail server actually involved. The IP Addresses shown here all point back to windstream.net, but again, I have no idea just where 'radiosou266a0b' fits into all of this, beyond being the alleged source of this e-mail.

Link to comment
Share on other sites

I think I got confused reading the message, so rather than edit the earlier post (which could be messy) let me amplify it here:

It appears that provobis got the rejection from windstream who was acting as his outgoing mail service, so the business about the strange HELO is probably not an issue here (since windstream accepted it) and can probably be ignored -- likewise my advice to fix the mail setup.

Also, it still may be worth a shot to ask Windstream, but I doubt that they will be able to say any more than what was given as a reason by interia.pl, and are in no position to override interia.pl.

This appears not to be a delayed bounce, so the rejection of the mail by mx.poczta.interia.pl was done at the MX level, and for the reason they indicated, that is: "Diagnostic-Code: smtp; 554 5.7.1 <my email address>: Sender address rejected: Spam20040316AK"

Could be a language issue at interia.pl, but I suspect not. Taking the message at face value, it appears that they really did reject on the basis of the e-mail address. And if it is true that the e-mail address did not appear in the message body, then the rejection was made on the return-path -- strange indeed.

I would still like to know exactly what appeared in the message body for a from-address.

-- rick

Link to comment
Share on other sites
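Added example (not part of any post in this thread): reading the `message/delivery-status` part of a bounce programmatically to answer the question worked through above, namely which host wrote the bounce and which host actually refused the mail. The sample message is constructed: it keeps the delivery-status values from the bounce posted on this page, while the addresses, the boundary and the function names are placeholders chosen for the example.

```python
import email
import re

# Constructed sample: same delivery-status values as the bounce posted in this
# thread; e-mail addresses and the MIME boundary are placeholders.
SAMPLE_DSN = """\
From: Mail Administrator <postmaster@isp.example>
To: sender@example.invalid
Subject: Mail System Error - Returned Mail
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
 boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

Your message was not delivered because the return address was refused.

--BOUNDARY
Content-Type: message/delivery-status

Reporting-MTA: dns; ispmxmta06.windstream.net
Arrival-Date: Fri, 14 Sep 2007 07:03:55 -0500

Final-Recipient: RFC822; <recipient@example.invalid>
Action: failed
Status: 5.1.8
Remote-MTA: dns; mx.poczta.interia.pl (80.48.65.10)
Diagnostic-Code: smtp; 554 5.7.1 <sender@example.invalid>: Sender address rejected: Spam20040316AK

--BOUNDARY--
"""

# "<3-digit SMTP reply> [<enhanced status>] <free text>"
DIAG_RE = re.compile(r"\s*(\d{3})[ -](?:([245]\.\d{1,3}\.\d{1,3})\s+)?(.*)")


def delivery_status_fields(raw):
    """Collect the fields of the message/delivery-status part (RFC 3464).

    The stdlib parser exposes that part as a list of header-only blocks
    (per-message fields, then per-recipient fields). All blocks are scanned,
    so a bounce that runs both groups together is handled as well.
    """
    fields = {}
    for part in email.message_from_string(raw).walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        blocks = part.get_payload()
        if not isinstance(blocks, list):
            continue
        for block in blocks:
            for name, value in block.items():
                fields.setdefault(name.lower(), " ".join(str(value).split()))
    return fields


def mta_name(value):
    """'dns; host.example (192.0.2.1)' -> 'host.example'."""
    if not value:
        return None
    _, _, name = value.partition(";")
    return name.split("(")[0].strip() or None


def explain_bounce(raw):
    """Summarise who generated the bounce and who refused the message."""
    f = delivery_status_fields(raw)
    reporting = mta_name(f.get("reporting-mta"))
    remote = mta_name(f.get("remote-mta"))
    diag_type, _, diag_text = f.get("diagnostic-code", "").partition(";")
    m = DIAG_RE.match(diag_text)
    if m:
        reply, enhanced, reason = int(m.group(1)), m.group(2), m.group(3)
    else:
        reply, enhanced, reason = None, None, diag_text.strip()
    # Diagnostic type "smtp" means the text is the remote server's own reply,
    # relayed verbatim by the host that wrote the bounce.
    from_remote = diag_type.strip().lower() == "smtp" and remote is not None
    status = f.get("status")
    return {
        "bounce_written_by": reporting,
        "rejected_by": remote if from_remote else reporting,
        "permanent": bool(status) and status.startswith("5"),
        "dsn_status": status,
        "smtp_reply": reply,
        "smtp_enhanced": enhanced,
        # The reporting MTA's own Status can differ from the code the remote
        # server actually sent; the remote code is the authoritative reason.
        "status_mismatch": bool(status and enhanced and status != enhanced),
        "reason": reason,
    }


if __name__ == "__main__":
    for key, value in explain_bounce(SAMPLE_DSN).items():
        print(f"{key}: {value}")
```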

rconner, I erased the email following Radiosound as well as the email address following Poland's lem

I thought the idea was to replace things in the message with labels. Just deleting them altogether leads to severe confusion. I can no longer be sure what conclusions to draw from your message.

-- rick

Link to comment
Share on other sites

I thought the idea was to replace things in the message with labels. Just deleting them altogether leads to severe confusion. I can no longer be sure what conclusions to draw from your message.

-- rick

rick, sorry, to be more exact for every one of my emails in the header I replaced with "my email address" and for every one of Poland's emails I replaced with "Poland's email address", and the only thing I erased was my website URL not so much for security but I thought it would be unwelcome advertising in the forum.

Windstream denies they have anything to do with the spam word in the subject field, and they don't have a clue why my mail was refused other than because of Poland's server filter.

Wazoo, I have no objection to reposting the headers, this time only with email addresses munged if you think the names and/or URLs are OK here, or just my URL so you can see what I erased without replacing with a substitute label.

I have done some checking on various list blocking sites but cannot find any indication of my IP address or my ISP's IP address being listed, but I'm not an expert here so maybe I've missed something somewhere.

Betsy, I sent a note to Poland about the email refusal, using a free hotsheet.com account I use in emergencies and such, but have not yet received an answer, but I have to keep in mind that he's not expecting anything from my hotsheet.com server so maybe it got deleted.

Maybe I'm making a mountain out of a molehill? Maybe all this will go away on its own, but being a pessimist and a worrier I couldn't help thinking this problem might be something which may affect my computer and/or internet operations yet to come. In other words I just wanted to nail it down before it got worse.

Link to comment
Share on other sites

This is a total mess, as best as I can see right now.

I will once again try to point to one thing .... the 'radiosou266a0b' item. This is not a FQDN (Fully Qualified Domain Name) .... it is placed into the headers as part of a HELO response, so is allegedly an e-mail server somewhere. This is the item that I was unable to associate with a Domain Name, a URL, a web-site, etc.

What has been asked is for something that identifies just where this alleged server fits into the picture. If it's 'your' web-site's assigned e-mail server, then yes, please provide the actual Domain involved. If it's some other e-mail system, please identify that other system.

Everything else at this point seems to now help with the confusion factor.

Link to comment
Share on other sites

This is a total mess, as best as I can see right now.

I will once again try to point to one thing .... the 'radiosou266a0b' item. This is not a FQDN (Fully Qualified Domain Name) .... it is placed into the headers as part of a HELO response, so is allegedly an e-mail server somewhere. This is the item that I was unable to associate with a Domain Name, a URL, a web-site, etc.

What has been asked is for something that identifies just where this alleged server fits into the picture. If it's 'your' web-site's assigned e-mail server, then yes, please provide the actual Domain involved. If it's some other e-mail system, please identify that other system.

Everything else at this point seems to now help with the confusion factor.

Wazoo, most of what you are trying to explain to me might as well be Greek, which I don't speak. Sorry about that. But it seems to me you are referring to a web site domain name in the headers you cannot identify or track down.

My web site is a free site sponsored by an organization I happen to support. I have had it for a good 10 years and never had this problem. I never bought or registered a domain if that is what you have assumed. And if I also understand your presumption, my web site has absolutely no connection with my Outlook Express email software. If someone visits my site and sees something they want to inquire about, they either leave a message on a dedicated page there which I will later see when I log into my web site office, and I then communicate directly with them using my Outlook Express account off my web site. Or they will copy my email address which I have posted on my web site page (but coded so it is not an active link) and paste the address in their email program whatever that may be (Who knows what that is in Poland?), and we would thereafter communicate directly by personal email.

I don't know what the "radiosou266a0b" is in the headers or what it is supposed to represent, except of course I see the nd is missing from the end of radiosound and I don't know why that is if it's an issue in your effort to address my problem. Radiosound is of course the name of my company which is closed, and I have been liquidating parts, materials, and service data ever since using the free web site which is BTW served by ecomplanet.com.

Radiosound is the USER NAME which I have selected in front of that particular email address in one of five OE accounts. So I assume that's how it gets into the headers, albeit missing the last two letters.

Don't see what harm it could do at this point so I will post my URL now which is http://myweb.ecomplanet.com/HIFI2650/

I finally got an answer from Poland in reply to my question about the refused mail, but of course this was via my hotmail.com web mail account, not my Outlook Express account address which is still being bounced back. But his English is as bad as my Polish, and our translators do not help much, so he evidently does not understand what I am asking or saying and his English might as well be cryptic. I'm still trying to explain it to him but it doesn't look like I can find out anything from him. If you think my computer savvy was bad you should try him... speaking a different language no less.

Don't know if this is interesting at this point, but I disabled my Trend PCcillin and installed full AVG internet security software in its place. As I said my OE mail address is still being refused by Poland (no one else in the world that I know of) but the spam word is no longer in my subject field.

What else can I tell you? :unsure:


I don't know what the "radiosou266a0b" is in the headers or what it is supposed to represent, except of course I see the nd is missing from the end of radiosound and I don't know why that is if it's an issue in your effort to address my problem. Radiosound is of course the name of my company which is closed, and I have been liquidating parts, materials, and service data ever since using the free web site which is BTW served by ecomplanet.com.
"radiosou266a0b" is the name by which your computer (or the one on which you prepare your e-mail) appears to be identifying itself to your outgoing mail service at Windstream (which I assume is your ISP). This is normally supposed to be a fully-qualified domain name (e.g., something.something-else.com) but in this case it is not. I don't think this is a cause of any problems, however, because you do not appear to be using this host to transfer mail directly to outside domains (that is, this outgoing message went through Windstream's mail hosts, which attempted delivery to inertial.pl). So, for my money, this is a non-issue. Wazoo may disagree.

Don't know if this is interesting at this point, but I disabled my Trend PCcillin and installed full AVG internet security software in its place. As I said my OE mail address is still being refused by Poland (no one else in the world that I know of) but the spam word is no longer in my subject field.
I don't know anything about any of this software, but if the software looks at your incoming mail, and your incoming mail stopped getting tagged after you turned it off, I would say that you have solved that mystery.

As for why your correspondent in Poland didn't get the mail, it appears to have been permanently rejected by his provider. There's nothing you can do here except to resend from an alternative address that hopefully won't be blocked. Since I still don't understand what you munged or removed from the message, I can't really hazard a guess as to the basis for the rejection. It might be some problem with your mail, or it might not be.

-- rick


The problem with Poland might still be something that the Polish correspondent did. You might try sending a message to postmaster at interia.pl and ask them. They should know what caused the email to be rejected (and might have better translators).

In your very first post, you said that you came here because you have been having other problems where spamcop cropped up.

It is a good idea to nip any email problems in the bud. If you have had other problems, particularly if they involved spamcop (which this one doesn't), perhaps it would be a good idea to explore them to see what caused them. It might, or might not, shine some light on this problem.

It also might be a good idea to post the headers of an email you send from your normal email to your hotmail address (with the addresses munged) just to see what your normal headers look like. If it is the "radiosou266a0b" item, then it will show up in those headers as well. (My guess would be that since the email in question was from your ISP, it might be something for internal use and won't be in outgoing headers).

Miss Betsy


I'm too lost also .... for example;

ns1.vzn.com reports the following MX records for ecomplanet.com:

Preference Host Name IP Address TTL

5 ecpsrvexh01.aacme.net 63.76.222.12 3600

09/16/07 20:14:45 Slow traceroute myweb.ecomplanet.com

Trace myweb.ecomplanet.com (63.76.222.157) ...

152.63.92.189 RTT: 49ms TTL:170 (POS6-0.GW1.KCY4.ALTER.NET ok)

63.76.222.1 RTT: 56ms TTL:170 (oc12.ecomplanet.com probable bogus rDNS: No DNS)

63.76.222.157 RTT: 58ms TTL:113 (No rDNS)

09/16/07 20:38:39 IP block 63.76.222.157

MCI Communications Services, Inc. d/b/a Verizon Business UUNET63 (NET-63-64-0-0-1)

63.64.0.0 - 63.127.255.255

VZN Technologies UU-63-76-222-D4 (NET-63-76-222-0-1)

63.76.222.0 - 63.76.222.255

But, none of this means anything, apparently. Which then apparently points things back to an alltel address, which is somehow connected to a windstream.net account, which led me nowhere last night.

As the "radiosou266a0b" in the headers wasn't sufficient to catch enough attention or drama to find out where it's coming from ... let's then move on to the possibility that the repeat of the same IP address allegedly resolving to two different 'Domains' being a possible issue ????

Received: from ispmxaamta08-gx.windstream.net ([98.16.103.217])
	by ispmxmta06-srv.windstream.net with ESMTP

then followed by;

Received: from radiosou266a0b ([98.16.103.217])
	by ispmxaamta08-gx.windstream.net with SMTP

The 'flow' from ispmxaamta08-gx.windstream.net to ispmxmta06-srv.windstream.net works just fine ... but, that both lines show a reference to the same IP address as the 'source' ...?????

Again, the lack of a FQDN, the 'duplicate' IP address .... just way too close to a badly forged line, typical of a bad spam ...


I really had to work around the issue .. here's what I have from the best 'match' I could come up with ....

The "radiosou266a0b" would apparently be your "computer name" .. no idea as to which version of Windows you are using, so not going to try to guess at which series of steps you'd have to take to find this information out for sure on your computer ....

The "problem" is that in each case I was able to work up, the IP Address showing as part of that specific Received: line was in fact "my DHCP assigned IP address from my ISP" ..... Every other IP address within the headers was in fact an IP Address of each server in the chain that handled the flow of that e-mail.

As per my previously suggested "looks like a bad forgery" .. I'd be asking windstream.net to change their configuration so as to 'fix' that specific Received: line in the outgoing headers.

That's my best guess at the moment.


I'm too lost also .... for example;
Don't blame you, maybe I can pitch in...

ns1.vzn.com reports the following MX records for ecomplanet.com:
I think that this domain is not in question here, it was not involved in the sending of the mail. I looked at the website, provobis simply posted his address here (by the way, not very well protected from harvesting, I might add) to solicit mail from interested folks.

But, none of this means anything, apparently. Which then apparently points things back to an alltell address, which is somehow connected to a windstream.net account, which led me nowhere last night.
Whois says that the domain windstream.net is owned by Alltel, so for purposes of this discussion perhaps we can say that Windstream.net == alltel, and that one (or both) of these represent provobis' mail provider.

As the "radiosou266a0b" in the headers wasn't sufficient to catch enough attention or drama to find out where it's coming from ...
The lack of an FQDN for a HELO in an internal relay appears not to be a shooting offense these days...for example, you can find this same thing in the headers of mail that this very forum sends out for topic updates:

Received: from zeta.cesmail.net ([64.88.168.67])
	 by vms051.mailsrvcs.net (Sun Java System Messaging Server 6.2-6.01 (built Apr
	 3 2006)) with ESMTP id <0JOH00LXRPP3EVA0[at]vms051.mailsrvcs.net> for
	 <...e-mail address omitted...>; Sun,
	 16 Sep 2007 21:03:03 -0500 (CDT)
Received: from localhost (localhost [127.0.0.1])	by zeta.cesmail.net (Postfix)
	 with SMTP id C2D68DC8056	for <...e-mail address omitted...>; Sun,
	 16 Sep 2007 22:03:02 -0400 (EDT)
Date: Sun, 16 Sep 2007 22:03:02 -0400
From: "SpamCop Discussion" <...e-mail address omitted...>
Subject: Topic Subscription Reply Notification ( SpamCop Discussion )

We see (in the lower Received: line) that zeta.cesmail.net received this from 'loopback' which is not a FQDN, but zeta.cesmail.net shows the proper "TCP data" (SMTP parlance) for the loopback host. Undoubtedly, zeta.cesmail.net trusts loopback (they're probably the same machine, actually), so there is no question of chicanery here. Likewise, I imagine that windstream.net trusts radiosou266a0b, probably because radiosou266a0b is on an IP inside the windstream.net domain.

let's then move on to the possibility that the repeat of the same IP address allegedly resolving to two different 'Domains' being a possible issue ????

(...snip...)

The 'flow' from ispmxaamta08-gx.windstream.net to ispmxmta06-srv.windstream.net works just fine ... but, that both lines show a reference to the same IP address as the 'source' ...?????

Again, the lack of a FQDN, the 'duplicate' IP address .... just way to close to a badly forged line, typical of a bad spam ...

A strict reading of the header would say (as you suggest) that this is a forgery, but I think that strict reading is just no longer possible today.

These are internal relays (i.e., within windstream.net). I've found that (for years now) we can no longer depend upon the routing chain to work where internal relays are involved. Regrettable, perhaps, but that's apparently how ISPs do business now.

I reference my recent post next door on another topic; my own ISP actually puts unrouteable (172.x.x.x.) IPs in the "incoming" side of the header, which I assume is where they go out to their (unknown to me) spam filtering service. I imagine the same sort of thing is possible on the "outgoing" side of the header (perhaps to filter outgoing mail for spam & viruses), and this may be what you see here.

So, provobis' original message looks to me like a perfectly valid outgoing e-mail transfer (notwithstanding the anomalies in the header) that was rejected at the receiving MX for reasons that remain unclear.

-- rick
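
The Received: checks argued over in this part of the thread (a HELO name that is not an FQDN, the same source IP on two consecutive hops, a loopback or private address), as an added Python example that is not part of any poster's message. The function names and finding labels are assumptions made here; the header lines are the ones quoted in the thread.

```python
import ipaddress
import re

# Received: values quoted in this thread, newest hop first as in a real header.
THREAD_HEADERS = [
    "from ispmxaamta08-gx.windstream.net ([98.16.103.217]) "
    "by ispmxmta06-srv.windstream.net with ESMTP",
    "from radiosou266a0b ([98.16.103.217]) "
    "by ispmxaamta08-gx.windstream.net with SMTP",
]
FORUM_HEADER = ("from localhost (localhost [127.0.0.1]) "
                "by zeta.cesmail.net (Postfix) with SMTP id C2D68DC8056")

# "from <HELO name> ([ip])" or "from <HELO name> (<rDNS> [ip])", then "by <host>".
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:\S+\s+)?\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)

def parse_received(value):
    """Return helo name, peer IP and recording host, or None if unparseable."""
    m = RECEIVED_RE.search(" ".join(value.split()))  # unfold continuation lines
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:
        return None
    return {"helo": m["helo"], "ip": ip, "by": m["by"]}

def is_fqdn(name):
    """At least two non-empty dot-separated labels of letters, digits, hyphens."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(
        re.fullmatch(r"[A-Za-z0-9-]+", label) for label in labels)

def parent_domain(host):
    # Simplification (assumption): last two labels; ignores suffixes like co.uk.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def audit_chain(received_values):
    """Return (hop index, finding) pairs; index 0 is the newest hop."""
    hops = [parse_received(v) for v in received_values]
    findings = []
    for i, hop in enumerate(hops):
        if hop is None:
            findings.append((i, "unparsed"))
            continue
        if not is_fqdn(hop["helo"]):
            findings.append((i, "helo-not-fqdn"))
        if hop["ip"].is_loopback or hop["ip"].is_private:
            findings.append((i, "non-routable-ip"))
        older = hops[i + 1] if i + 1 < len(hops) else None
        if older and older["ip"] == hop["ip"]:
            # Same peer IP on two hops: a relay inside one provider repeating
            # the client address reads differently from two unrelated domains.
            same = parent_domain(hop["by"]) == parent_domain(older["by"])
            findings.append(
                (i, "repeated-ip-internal" if same else "repeated-ip-cross-domain"))
    return findings

if __name__ == "__main__":
    for label, chain in (("thread", THREAD_HEADERS), ("forum", [FORUM_HEADER])):
        print(label, audit_chain(chain))
```

The findings describe what a header says, not who wrote it: only the hops recorded by the recipient's own mail servers can be taken at face value.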


Wazoo and all,

If you, the experts are lost, for whatever reason, imagine where this newbie is.

Apparently there are several elements in my email/hosting/website issues that are not clarified well enough.

(1) My website is a free hosted site which has no IP connection/affiliation with my personal email accounts, except that my personal email address is posted (munged by code) on that site so that visitors can email me from their own email accounts. (do you think I should remove that email image, however munged, from the website pages?)

(2) Earlier this year my local telco Alltel, corporately divided its operation into two divisions, wireless and local telco called Alltel and Windstream respectively. Alltel was the original provider for both telephone (DSL & landline) and wireless (cell) until they reorganized into Alltel and Windstream, so the suffix alltel.net was on the original email address (eg provobis [at] alltel.net). When Windstream was created (still actually part of the Alltel corp) my Alltel accounts retained the alltel suffix in the account names list, but changed to Windstream in the server properties list. So Alltel IS virtually Windstream (windstream.net), however Windstream will not require that I change the account names from alltel to Windstream until sometime next year. Meanwhile any email sent to the alltel email address will be recognized as both alltel or windstream and sent to my alltel account inbox. I don't know if this clarifies some confusion in the headers about IP addresses or ID's.

I have delayed changing my account names from alltel to windstream because of all the notifications and preference changes I will have to make in address books, properties, and websites, but will have to do it eventually. It has been suggested to me (by one windstream tech) that the alltel/windstream division might be responsible for the address refusal because some servers see that as a spam issue, but another windstream tech says not! In any case I have not had any problems with regard to alltel vs windstream for almost a year now since the corporate reorganization, until now if that's in fact an issue here.

rick, I posted the website address because I thought it might be needed to follow up unanswered questions that have been expressed by you and Wazoo. By (by the way, not very well protected from harvesting, I might add) to solicit mail from interested folks) do you mean I should "protect" better from harvesting, or do you mean I should not have posted the URL in this forum?

I was not attempting to solicit inquiries or mail from "interested folks".

In my efforts to query Poland about the refusal issue, he has sent me four other email addresses which he says (in broken English) I should try to send to, but those addresses appear to be other accounts he has or other contacts he has in his address book. I do not think he has understood my query to him about the refusal issue, and do not think he has a clue about what spam is or who might be blocking/filtering within his software or ISP. So I don't think I will try sending to those addresses which might complicate matters.

Betsy, I will try your suggestion after this post just to see if the headers will clarify some issues.


Subject: test

To: <my web mail hotsheet.com email address>

From: "RADIOSOUND" <my OE email address>

X-Eon-DM: dm15

X-Msmail-Priority: Normal

X-Priority: 3

Received: from ispmxfep01-srv.windstream.net (166.102.165.157 [166.102.165.157])by dm15.mta.everyone.net (EON-INBOUND) with ESMTP id dm15.46eb178d.b4686afor <my web mail hotsheet.com email address>; Mon, 17 Sep 2007 09:59:13 -0700

from radiosou266a0b ([98.16.109.213]) by ispmxfep01-srv.windstream.net with ESMTP id <20070917165908.QEHB24899.ispmxfep01-srv.windstream.net[at]radiosou266a0b> for <my web mail hotsheet.com email address>; Mon, 17 Sep 2007 11:59:08 -0500

Content-Type: multipart/alternative;boundary="----=_NextPart_000_0005_01C7F92A.87FE96A0"

Return-Path: <my OE user name Radiosound email address>

Mime-Version: 1.0

X-Mimeole: Produced By Microsoft MimeOLE V6.00.2900.3138

Date: Mon, 17 Sep 2007 12:59:06 -0400

X-Mailer: Microsoft Outlook Express 6.00.2900.3138

Message-Id: <000801c7f94c$0fab3e20$01fea8c0[at]radiosou266a0b>

This is a test message from my main Outlook Express (user name "Radiosound") email account to my Hotsheet web mail (user name "Cleveland Office") email account. I am posting the headers with email addresses munged per Betsy's suggestion for examination.

Only the email addresses have been munged, nothing else

Roger aka provobis


rick, I posted the website address because I thought it might be needed to follow up unanswered questions that have been expressed by you and Wazoo. By (by the way, not very well protected from harvesting, I might add) to solicit mail from interested folks) do you mean I should "protect" better from harvesting, or do you mean I should not have posted the URL in this forum?

I was not attempting to solicit inquiries or mail from "interested folks".

Don't be upset. Your post of your website info in this forum was made at the request of others, and no one here is going to interpret it as inappropriate advertising, etc. My message got garbled, but what I meant to say was simply that you posted your e-mail address on a website that has nothing to do with your e-mail domain so that people could contact you about the items you are offering. That's it.

By "not well protected from harvesting" I simply meant to point out that in putting your e-mail address on that particular website, you did not take all possible precautions to stop spammers from harvesting it to send you spam. It had "< CODE >" tags around the at-sign (better than completely naked, perhaps), but not much else in the way of protection.

See http://www.rickconner.net/spamweb/avoiding.html for more info.

-- rick


Last section of my Linear Post #19 and Linear Post #20 ... not taken up for some reason. You will note that there is not a "duplication" of the IP addresses seen in this last sample, but then again, that part of the headers appears to have lost some details. For instance, there should be a second "Received:" line, but .... that line seems to begin with the word "from" ..... so yet again, there's a question about the full content of the headers involved .....

I thought about going into a cable or dial-up connection in one of my last posts, but figured that would just be more distraction. However, it is seen that "your" IP Address changed between those last samples and this current one. So that question will now be asked. Just how are you connecting to your ISP?

Is there going to be any 'agreement' that your computer is 'named' "radiosou266a0b" ..????

If you, the experts are lost, for whatever reason, imagine where this newbie is.

What you are asking here is for someone to 'guess' as to just what the .pl ISP based a rejection of your e-mail on .... as stated several times, this kind of 'function' is totally under the control of the person maintaining that e-mail server. And it had been demonstrated that not all of the folks doing that maintenance are totally qualified. Then add in that 'we' are also having to guess at windstream.net's server configurations. For example, your initial sample data post showed that ispmxaamta08-gx.windstream.net and ispmxaamta06-gx.windstream.net were both involved with that e-mail. This last sample only shows ispmxfep01-srv.windstream.net as the single (windstream) server involved in handling that e-mail.

What if the 'real' reason for that rejection (which then used a wrong error description) is that your attempted translation ended up using a word that was being used as a (spam) filter ...????

Me, I'm sticking to the one I previously offered .... a line that appears to be badly forged in the original samples.


Archived

This topic is now archived and is closed to further replies.
