Jump to content

spamcop header parsing error?


agamemnus

Recommended Posts

Hello again everyone,

I am now using Mozilla Thunderbird to help me with my spam problem. I set it to autoreport spam. The vast majority is coming from 76.96.62.xx, which is a farm field in Kansas (corner of NW River Valley Rd. and NW 120th St.) and a Comcast range of addresses. However, there is a second "received" IP coming from Romania. I'm not sure which one is being faked here.. I think it would be the second one (the one Spamcop thinks is the real one)... am I right?

Here are the two recently reported spam emails in question: 2552322841__&__2552322379..

They each have two Received fields..!!

Link to comment
Share on other sites

Here are the two recently reported spam emails in question: 2552322841__&__2552322379..
One of the SC staff could no doubt pull up those spam from report IDs. But they're usually otherwise engaged (fighting spam or something). If you want other members "here" to have a look and confirm your reading of the headers you need to post a tracking URL (link). Which is one of the basic suggestions/directions about asking questions "here" and plastered all over the shop. Be a good lad or lass and give us a tracking link and we won't have to ignore you. We would rather help.

The top IP address is probably that of your own provider. If Comcast don't operate from a farm field in Kansas (corner of NW River Valley Rd. and NW 120th St.) I guess that might just show geolocation is, as yet, an inexact science.

Link to comment
Share on other sites

One of the SC staff could no doubt pull up those spam from report IDs. But they're usually otherwise engaged (fighting spam or something). If you want other members "here" to have a look and confirm your reading of the headers you need to post a tracking URL (link). Which is one of the basic suggestions/directions about asking questions "here" and plastered all over the shop. Be a good lad or lass and give us a tracking link and we won't have to ignore you. We would rather help.

The top IP address is probably that of your own provider. If Comcast don't operate from a farm field in Kansas (corner of NW River Valley Rd. and NW 120th St.) I guess that might just show geolocation is, as yet, an inexact science.

But those are the tracking ids.. eg.. http://www.spamcop.net/mcgi?action=gettrac...rtid=2552322841 or are you saying that other users can't access the id's? In that case:

http://www.spamcop.net/sc?id=z1469868693z8...d6c2b290d600f0z

http://www.spamcop.net/sc?id=z1469867047zf...e2698b28df911dz

=)

You might find this link interesting Reading email headers

So, as I understand it, the spammer in question is sending spam to a Comcast server, which then sends it to me? :excl:

Link to comment
Share on other sites

Folks have been trying to help ..... Farelf was very nice about it, even offering up a lnk for more data.

I'll just do the natural "Wazoo has been up all night again" thing and point out that there are numerous FAQ entries 'here' ... a Dictionary, a Glossary, in addition to the Wiki to explain what a Tracking URL is .. I won't even mention that those words are printed in color at the top of a parse result page, along with the reason as to why it might be useful, although not quite beating one over the head with the ovbious clue that it's a copy of the same URL of the page you are looking at when the message is showing ...

You mihjt want to take a look at Getting a Tracking URL from a Report ID just becaue the title sounds so cool.

Link to comment
Share on other sites

I am now using Mozilla Thunderbird to help me with my spam problem. I set it to autoreport spam. The vast majority is coming from 76.96.62.xx, which is a farm field in Kansas (corner of NW River Valley Rd. and NW 120th St.) and a Comcast range of addresses. However, there is a second "received" IP coming from Romania. I'm not sure which one is being faked here.. I think it would be the second one (the one Spamcop thinks is the real one)... am I right?

Here are the two recently reported spam emails in question: 2552322841__&__2552322379..

They each have two Received fields..!!

The 76.96.62.61 address in the first is a Comcast email server. Neither of those addresses appears to be faked.

To place the headers in the order they actually occured (headers in emails are reversed, work bottom up normally):

Received: from activ04links.net ([78.95.200.197]) by IMTA07.westchester.pa.mail.comcast.net

Received: from imta07.westchester.pa.mail.comcast.net ([76.96.62.61]) by sccrmxc12.comcast.net (sccrmxc12)

Comcast server IMTA07 receives the email from 78.95.200.197 which is the originator. IMTA07 then hands the message off to Comcast server sccrmxc12 which is likely a mail storage server for their customers (you). Every message you receive is likely handled in a similar manner.
Link to comment
Share on other sites

The 76.96.62.61 address in the first is a Comcast email server. Neither of those addresses appears to be faked.

To place the headers in the order they actually occured (headers in emails are reversed, work bottom up normally):Comcast server IMTA07 receives the email from 78.95.200.197 which is the originator. IMTA07 then hands the message off to Comcast server sccrmxc12 which is likely a mail storage server for their customers (you). Every message you receive is likely handled in a similar manner.

That server only has sent me spam as far as I know. Do you think if someone sent me an email from Romania it would be routed through 76.96.62.xx and then sent to me?

Link to comment
Share on other sites

That server only has sent me spam as far as I know. Do you think if someone sent me an email from Romania it would be routed through 76.96.62.xx and then sent to me?

If you look at ANY email from outside of Comcast, they should come through the same servers.

Link to comment
Share on other sites

That server only has sent me spam as far as I know. Do you think if someone sent me an email from Romania it would be routed through 76.96.62.xx and then sent to me?

Yes. All your emails are accepted by one Comcast server and then passed to another Comcast server and then to you.

I haven't looked at the headers in question because I only have a rudimentary knowledge of how to read them. However, basically the important line is where your email provider receives the email and provides the correct IP address from which it came. There may be other headers showing that it was accepted somewhere else and forwarded to you (I several accounts like that) and then additional headers that show that after your email provider accepts it, they have passed it to another computer (for virus protection sometimes; other times for other reasons) before they pass it on to you.

The parser is software that can 'read' the headers as long as they configured according to certain standards. The parser is also programmed to identify 'trusted' relays.

HTH

Miss Betsy

Link to comment
Share on other sites

I'm not sure we're talking about the same thing... I'm not talking about sccrmxc12, but 76.96.62.xx. Only spam emails come from 76.96.62.xx.
I am talking about the servers named IMTAxx which have the IP addresses 76.96.62.63 and 76.96.62.61 in your 2 examples. MTA generally will stand for Mail Transfer Agent.

Have you studied the headers of a normal message coming from the internet? I find it hard to believe that Comcast has figured out a way to route all spam through one route and all good email through another.

Could you please parse and then cancel an email you do not cosider spam.

One possibility, though I don't know how they could implement it: Perhaps IMTA is International Mail Transfer Agent and they have figured out how to populate the MX records of other countries DNS servers with different servers.

C:\Documents and Settings\sunderwood>nslookup

Default Server: resolver1.opendns.com

Address: 208.67.222.222

> set type=mx

> comcast.net

Server: resolver1.opendns.com

Address: 208.67.222.222

Non-authoritative answer:

comcast.net MX preference = 5, mail exchanger = gateway-s1.comcast.net

comcast.net MX preference = 5, mail exchanger = mx1.comcast.net

comcast.net MX preference = 5, mail exchanger = mx2.comcast.net

comcast.net MX preference = 5, mail exchanger = mx3.comcast.net

comcast.net MX preference = 5, mail exchanger = gateway-a.comcast.net

comcast.net MX preference = 5, mail exchanger = gateway-r.comcast.net

comcast.net MX preference = 5, mail exchanger = gateway-s.comcast.net

comcast.net MX preference = 5, mail exchanger = gateway-a1.comcast.net

comcast.net MX preference = 5, mail exchanger = gateway-a2.comcast.net

comcast.net MX preference = 5, mail exchanger = gateway-r1.comcast.net

comcast.net MX preference = 5, mail exchanger = gateway-r2.comcast.net

> set type=a

> mx1.comcast.net

Server: resolver1.opendns.com

Address: 208.67.222.222

Non-authoritative answer:

Name: mx1.comcast.net

Address: 76.96.62.116

At least one of the servers they advertize to the entire internet community is in the 76.96.62.* range.

Link to comment
Share on other sites

Ok, here is a normal email that is not spam.

http://www.spamcop.net/sc?id=z1471488763zb...1783950327dbbez

OK. I don't know how they do it, but I assume it is foreign email hitting that server. If it were some kind of additional spam filter, the first server would be the same, and then dir directed elsewhere.

Anyhow, IMO, spamcop is finding the correct source. You definitely do not want to report Comcast. ISP's usually don't look kindly on that sort of thing.

Link to comment
Share on other sites

One of the spam samples had notes added about non-compliance. Perhaps Comcast sends all 'suspicious' email to a particular server where, if possible, it 'makes' sense of the headers?

If you want to ask Comcast what is going on, you can try. But it is very difficult to get answers from big abuse departments. Whatever they are doing, they don't want anyone to know - either they dump a lot of spam by doing it this way or they are trying to placate customers who don't understand why some email doesn't get to them so they do what they can to make it deliverable, but don't want to explain why their system doesn't always work.

As StevenU keeps pointing out, the parser seems to understand the process and doesn't choose Comcast to report to.

I haven't heard any complaints lately about how Comcast does nothing to warn or stop customers who allow their computers to be infected, but still it is not likely that Comcast is doing anything to stop spam from happening. Whatever they are doing is for their own bottom line. If you are a Comcast customer, then your quarrel is with them about the kind of email service they are providing you. You don't need spamcop for that.

Miss Betsy

Link to comment
Share on other sites

One of the spam samples had notes added about non-compliance. Perhaps Comcast sends all 'suspicious' email to a particular server where, if possible, it 'makes' sense of the headers?

Yeah, thanks for the help. I'm good, I guess. I actually tried to contact Comcast (email) on several occasions regarding setting some sort of mail filters for my username but I was totally ignored. I decided not to persue the matter further via phone, as it probably won't do any good.

>Perhaps Comcast sends all 'suspicious' email to a particular server where, if possible, it 'makes' sense of the headers?

I asked someone I know from Romania to send me an email to see if it gets filtered or not.

Link to comment
Share on other sites

...I asked someone I know from Romania to send me an email to see if it gets filtered or not.
You might let us know if anything interesting turns up from that, if you have the chance. I tried tracert to sccrmxc12.comcast.net but I guess the little ping packets move quite 'differently', certainly I couldn't replicate anything like your spam examples' transits. And that included sending via the one working source in Romania vide TraceRoute.org - (see http://forum.spamcop.net/forums/index.php?showtopic=8216)
Link to comment
Share on other sites

You might let us know if anything interesting turns up from that, if you have the chance. I tried tracert to sccrmxc12.comcast.net but I guess the little ping packets move quite 'differently', certainly I couldn't replicate anything like your spam examples' transits. And that included sending via the one working source in Romania vide TraceRoute.org - (see http://forum.spamcop.net/forums/index.php?showtopic=8216)

He didn't send me anything yet, but I just got a normal daily email though 76.96.62.94 which I never had gotten through that server. The mystery widens..

Link to comment
Share on other sites

Update. I was sent an email from Romania, and it was at 76.96.30.xx, not 76.96.32.xx. Some regular weekly emails also started coming in from 76.96.32.xx. My theory now is that it could just be a new server that Comcast installed, and by coincidence a lot of spam went through 76.96.32.xx first.

Link to comment
Share on other sites

76.96.62.61

76.96.62.63

76.96.62.116

have been revealed in the various bits and pieces above

76.96.62.62

is another in the ownership block, all shown by SenderBase as being in comcast.net under Comcast Cable. Oddly, they're not included in the 28423 "Addresses in comcast.net used to send email" tagged by SenderBase, nor in the 28973 for Comcast Cable. I have no idea whether that is significant or not - just that it doesn't fit with "usual" observations.

Link to comment
Share on other sites

have been revealed in the various bits and pieces above

Yeah, but .... about a dozen computers here in various states of repair/install/whatever ... developing three web-sites from the ground up, diagnosing and fixing the Google search issue for both here and the www.spamcop.net Help page, phone calls, folks wanting help via IM, e-mail seemingly running at high warp, etc. etc. Seeing that whole passle of ".xx" IP addresses just stopped me cold. As you state, my thoughts were "geeze, it's ComCast that's being talked about .. the land of a billion compromised computers"

Link to comment
Share on other sites

Stand easy digger <grin>, there's others who will step up when they have a moment, in the meantime there's no great urgency in what appears to be an "evolving" situation - the IP address block having been caught sending goodmail

...Some regular weekly emails also started coming in from 76.96.32.xx. My theory now is that it could just be a new server that Comcast installed, and by coincidence a lot of spam went through 76.96.32.xx first.
I just nominated a few addresses to maybe assist anyone coming late and thinking investigation is impossible.
Link to comment
Share on other sites

I have forgotten the details, but Wazoo's remark about the "the land of a billion compromised computers" reminded me of one of my conjectures that possibly it was one of those internal things where the spam was coming from one of the computers on the Comcast network and that's why it was always the same one.

Not as likely now that he has gotten other email, but who knows maybe they are on Comcast also.

Miss Betsy

Link to comment
Share on other sites

I have forgotten the details, but Wazoo's remark about the "the land of a billion compromised computers" reminded me of one of my conjectures that possibly it was one of those internal things where the spam was coming from one of the computers on the Comcast network and that's why it was always the same one.

Not as likely now that he has gotten other email, but who knows maybe they are on Comcast also.

Well, I got one from Anthropologie (not spam) through 76.96.62.46, and it's definitely not a Comcast personal account. Perhaps it is using a Comcast business network?

http://www.spamcop.net/sc?id=z1478318100zf...dc4ae869fd3083z

The only other non-spam email using 76.96.52.xx was routed from 76.96.62.94, using mail.mlspin.com. (non-spam real estate offerings email)

On a different note, let me say that it seems SpamCop has been apparently working for me, blocking some spam emails that I've gotten that it previously didn't block before. Note: Comcast has a "Report spam" button, but I don't think it works too well. (or at all)

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...