Forged Headers

[Another.com]

We've been blacklisted by Spamcop 3 times in the last 3-4 months because some idiot has forged headers to suggest it originated from our system.

Spamcop respond within 24 hrs normally but it does not help us.

We are putting in spf records but..

another.com does not spam..

it seems convenient for spammers to suggest it is

and would like it if any accusations of this against it could be reviewed by a human and not automatically cut us off?

anyone else have this problem?

[Wazoo]

SpamCop doesn't run it's magic against Domain names, it's the IP address that's at issue. Generally, if you're being picked up as the "source" for this stuff, it was normally due to some misconfiguration in your servers that caused a break in the chain test, so that the parser wouldn't go beyond your header entries to find the next step of the spam travels. However, there is currently a major beta going on in changing some aspects of the parsing tool, largely due to some well done forgeries.

That you say that you've had previous contact with SpamCop admins (am guessing that this is what the 24 hour remark suggests) .. what was the reasoning / explanation about the situation in the past?

Is there a specific IP in question here (or in the past) ... Is the reporting /abuse address valid and maintained? Do you have a sample set of headers to provide that would allow the "rest of us" to take alook at and see what's really happening?

not automatically cut us off?

SpamCop doesn't have the power to "cut you off" ... there is a math formula involved that when met, gets an IP listed in the dnsBL, but also gets that IP unlisted when the formula is met by stopping the spew. This is the quick reaction capability and automatic de-list that makes the SpamCop dnsBL unique. And even when listed, the only impact is sen when traffic from that IP attempts to connect to another server that does use the SpamCop dnsBL in its filtering, which is definitely a 100% coverage around the world.

For any further specific answers / suggestions / details, it'd be much easier if you provided the specifics of your situation .. at least an IP address, but preferably a set of headers that shows where you say the forgery that's tripping up the SpamCop parser exists.

[Another.com]

For us we are cut off from sending mail to many common mail servers so whilst spamcop is not universal it generates a lot of support calls and work on our behalf - and it affects our credibility.

I'll get a techy to give you answers later, but the reasons why Spamcop lifts the bar is because they accept that the headers are forgeries. There is nothing wrong with our system. Likewise they are improving their system because they recognise the thing about forgeries.

Spamcop answers to no-one, which clearly makes life difficult for us. they have a system which says we have been spamming when we haven't - ......

I suppose we are just "collateral" damage. If you want to stop spam you have to label a few people spammers who aren't!

[Merlyn]

No one has labelled you a spammer. It looks like another.com shares mail servers and spamcop lists IP numbers and not names.

According to the following neither of these servers are innocent. When you share email servers with others then you must live with the fact you can get blocked if they spam.

Resolved another.com to 216.65.3.233

[another.com has 2 MX records mail3.surgeweb.com.(10) mail4.surgeweb.com.(10)]

mail3.surgeweb.com = 216.65.3.233

This IP address also has a few problems of it's own as it does not really know who it is:

Query bl.spamcop.net - 216.65.3.233

DNS error: 216.65.3.233 is netwinsite.com but netwinsite.com has no DNS information

It is not listed in Spamcop and never has been but it is listed in the following:

BLARSBL Blars Block List: block.blars.org -> 127.1.0.32

UUINTRUDERS local bl at Uppsala University: intruders.docs.uu.se -> 127.0.0.2

SPAMRBL French anti-spam site: map.spam-rbl.com -> 127.0.0.2

IP is known as spammer - See http://www.spam-rbl.com/ipstat.cgi?ip=216.65.64.234

CSMA McFadden Associates, IPs of mailservers that send spam twice in a short timefram: bl.csma.biz -> 127.0.0.2

http://bl.csma.biz/cgi-bin/listing.cgi?ip=216.65.64.234

CSMA-SBL McFadden Associates, IPs of mailservers that send spam once in a short timefram: sbl.csma.biz -> 127.0.0.2

http://bl.csma.biz/cgi-bin/listing.cgi?ip=216.65.64.234

DNSBLAUT1 Reynolds Technology Type 1: t1.dnsbl.net.au -> 127.0.0.2

PLEASE SEE http://dnsbl.net.au/lookup/?216.65.64.234

As for your second email server:

mail4.surgeweb.com = 216.65.3.237

This server is not currently listed but it has been listed in the past. It is listed in the following:

BLARSBL Blars Block List: block.blars.org -> 127.1.0.32

UUINTRUDERS local bl at Uppsala University: intruders.docs.uu.se -> 127.0.0.2

Spammers seem to spoil it for everyone.

[Wazoo]

Spamcop answers to no-one, which clearly makes life difficult for us. they have a system which says we have been spamming when we haven't - ......

That's not really a fair statement. You say you've had responses in the past, there's current dialog going on, and you agree to the knowledge that work is on-going to resolve this current issue of 'interesting' header forgeries.

I suppose we are just "collateral" damage. If you want to stop spam you have to label a few people spammers who aren't!

No one has labeled "you" as anything ... at best, the peer servers that reject your e-mail are only looking at an IP that traffic from which is not desired, rejection note sent, and that server then moves on to the next item in the queue.

That said, without seeing the "techy" things, will have to reserve any statements on why there might be a reaon that something "special" has not yet been accomplished in resolving your particular issue in a more permanent fashion. There must be a bit more to the story, and would hope that some of those "techy" things may offer up some of those needed clues.

[Another.com]

once a kid at school said to a teacher - i did not kick him, i merely pushed him with my foot. of course you are blocking us. you've put yourselves up as spam champions and blocking "spammers" is what you do

i dont particularly like my customers shouting at me that my systems broken when the reality is it is yours that is not working properly. there is nothing more to it than you are fooled by forged headers - and that we are responsible email service providers that if there is a real problem from our system we will deal with it - you don't need to block us to get our attention.

tell me when you'll stop being fooled by forged headers?

[Ellen]

For us we are cut off from sending mail to many common mail servers so whilst spamcop is not universal it generates a lot of support calls and work on our behalf - and it affects our credibility.

I'll get a techy to give you answers later, but the reasons why Spamcop lifts the bar is because they accept that the headers are forgeries.  There is nothing wrong with our system.  Likewise they are improving their system because they recognise the thing about forgeries.

Spamcop answers to no-one, which clearly makes life difficult for us.  they have a system which says we have been spamming when we haven't - ......

I suppose we are just "collateral" damage.  If you want to stop spam you have to label a few people spammers who aren't!

If you don't want to mention the IP here or provide the specifics here in a public forum, then send them to deputies <at> spamcop.net -- we would like to see the forged headers

[Merlyn]

once a kid at school said to a teacher - i did not kick him, i merely pushed him with my foot.  of course you are blocking us. you've put yourselves up as spam champions and blocking "spammers" is what you do

i dont particularly like my customers shouting at me that my systems broken when the reality is it is yours that is not working properly.  there is nothing more to it than you are fooled by forged headers - and that we are responsible email service providers that if there is a real problem from our system we will deal with it - you don't need to block us to get our attention.

tell me when you'll stop being fooled by forged headers?

What makes you think this is a case of forged headers?

Evidence please........

Here is some evidence (Lots of it) of spam coming from 216.65.64.234 and according to your domain records that is one of your mail servers.

http://bl.csma.biz/cgi-bin/listing.cgi?ip=216.65.64.234

[Another.com]

Do you good people accept it is possibe to forge headers?

If you do, can you tell me when spamcop will stop blocking sites that are spoofed by forgers as spam senders?

Enclosed something from one of our technical advisors. hope it makes sense.

>Return-Path: <rebuilt[at]scottish-and-proud.com>

>Received: from ilovedominic.com ([24.86.137.21])

> by mamo (EarthLink SMTP Server) with SMTP id 1b9Zrm2bK3NZFk70

> for <jmrubin[at]ix.netcom.com>; Sat, 3 Apr 2004 20:40:45 -0800 (PST)

(***RHP This first received header can be trusted by recipient as its put

there by the recieving email server but all it really tells you is that it

got it from ip 24.86.137.21 )

spamcop of course has to start by deciding whether recipients smtp server

can be trusted - but lets assume it trust that by default

then before looking at any other received headers it should decided whether

24.86.137.21 is a valid SMTP server

if it is it can believe next received header if not it should take no

notice of other headers as they could be forged as they are in this example

well turns out 24.86.137.21 is h24-86-137-21.vs.shawcable.net which

looks like some temp ip given to a subscriber not an smtp server at all

and not ilovedominic.com as claimed in the helo which is

actually 212.62.7.9

could it be ilovedominic.coms smtp sending mail server - obviously not.

so rest of message is irrelevant as it coould and is forged

>Received: from scottish-and-proud.com (mail3.surgeweb.com [216.65.64.234])

> by ilovedominic.com (Postfix) with ESMTP id A24E3BC239

> for <jmrubin[at]ix.netcom.com>; Sat, 03 Apr 2004 20:40:24 -0800

(***RHP so then this next pretend header was believed and it sais well i got

the mail from (mail3.surgeweb.com [216.65.64.234])

but it could equally well have said i got it from the president so he must

be a spammer.

and of course every message like this that gets bounced gets bounced back

at another.com mail3...

not the machine that sent it.

Thats how the system works - spf records should help in that anyone who

accepts incoming mail supposedly from another.com

but via an ip not listed in your spf records shouldnt accept it. )

>Date: Sat, 03 Apr 2004 20:40:24 -0800

>From: "Outperforms V. Cosmologists" <rebuilt[at]scottish-and-proud.com>

>X-Mailer: The Bat! (v2.00.8) Personal

>X-Priority: 3

>Message-ID: <9953773239.20040403204024[at]scottish-and-proud.com>

>To: Jmrubin <jmrubin[at]ix.netcom.com>

>Subject: Save on software, Jmrubin !

>MIME-Version: 1.0

>Content-Type: multipart/alternative;

> boundary="----------F3C76A6BB35A498"

>

>This is a multi-part message in MIME format.

>

>------------F3C76A6BB35A498

>Content-Type: text/plain

>Content-Transfer-Encoding: 7bit

>

>Hello, handsome!

>Dreams will get you nowhere, a good kick in the pants will take you a

long way.

>

>Low rates on Software

>

>Searching for not expensive high-quality software?

>Our site might be just what you need.

>http://www.soft-dindon.biz

>

>We offer Software to download or it can be shipped to you on CD.

>Here is some of the software you can get on our site:

>Norton SystemWorks Pro 2004 - 25$

>Borland Delphi 8 Architect Edition - 50$

>Microsoft Exchange Server 2003 Enterprise Edition - 55$

>http://www.soft-dindon.biz And more!

>We are able to ship worldwide.

>All that tread, the globe are but a handful to the tribes, that slumber

in its bosom.

>A good title is the title of a successful book.

>

>

>------------F3C76A6BB35A498

>Content-Type: text/html

>Content-Transfer-Encoding: 7bit

>

><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

><HTML><HEAD>

><META http-equiv=Content-Type content="text/html; charset=windows-1250">

><META content="MSHTML 6.00.2720.3000" name=GENERATOR>

><STYLE></STYLE>

></HEAD>

><BODY bgColor=#ffffff>

><DIV><FONT face=Arial

>size=2>Have at you!<BR>A woman's always younger than a man at equal

years.<BR></FONT></DIV>

><DIV><FONT face=Arial size=2>Low rates on Software</FONT></DIV>

><DIV><FONT face=Arial size=2><BR>Searching for

>not expensive high-quality software?</FONT></DIV>

><DIV><FONT face=Arial size=2>Our site might be just what you

>need.<BR></FONT><FONT face=Arial size=2><A

>href="http://upflash.soft-dindon.biz"; >http://www.soft-dindon.biz/</A></FONT></DIV>

><DIV><FONT face=Arial size=2></FONT> </DIV>

><DIV><FONT face=Arial size=2>We offer Software to download or it can be

shipped

>to you on CD.<BR>Here is some of the software you can get on our

>site:<BR>Microsoft Windows XP Media Center Edition 2004 - 40$<BR>3D

Studio Max 6.0 - 60$</FONT></DIV>

><DIV><FONT face=Arial size=2>Macromedia Studio MX 2004 -

55$</FONT></DIV><DIV><FONT face=Arial size=2><A

>href="http://longirostrate.soft-dindon.biz";>And

>more!</A><BR>We ship

>worldwide.<BR>Hope is the parent of faith.<BR>Lord, make me to know mine

end, and the measure of my days, what it is that I may know how frail I am.

[Psalms 39:4]</FONT></DIV></BODY></HTML>

>

>

>------------F3C76A6BB35A498--

>

[Farelf]

Thanks Another.com - you were asked for evidence and there it is.

Afraid my knowledge is inadequate but I can at least help by reconstituting that spam and parsing it - here is the result:

Confirmation (cancelled)

To my inexpert eye, I would not have thought that one would get you into the reports at all - reports sent re 24.86.137.21 only.

… and of course every message like this that gets bounced gets bounced back at another.com mail3...

doesn't seem to happen at all, least ways not from anything implicated by the SpamCop source. Others, hopefully, will flock here and explain further ...

[Wazoo]

Sorry, but I'll have to back up Farelf's response ... I also took what you posted, reconstructed what you say was the original spam, ran it through the parser, and all I got for a result was;

Re: 24.86.137.21 (Administrator of network where email originates)

To: internet.abuse[at]sjrb.ca (refuses munged reports) (Notes)

Re: 24.86.137.21 (Third party interested in email source)

To: Cyveillance spam collection (Notes)

Re: 24.86.137.21 (Administrator of network where email originates)

To: internet.abuse#sjrb.ca[at]devnull.spamcop.net (Notes)

Shaw cable is the only target made available as a reporting target (this isn't the place to get into a Cyveillance debate) .. I can't come up with why you'd be getting anything direct from SpamCop for being anywhere near the source of this one.

Even playing harder to make the whole thing actually usable by the parser, even the spamvertised web-site would have only generated complaints to;

ipadm[at]gddc.com.cn

ct-abuse[at]sprint.net

And neither of those can I track back to another.com ...

Either there's something missing in what you were supplied with or something got lost in the transition from your tech guy to the screen here ...

[Another.com]

Hope this makes sense! Why not show all the headers in the spamcop report?

From my technical staff:

"So if they dont think that email would get one listed

what is the email that did get another.com listed

On the site all they show is the bit below with

headers mostly munged so you cant tell anything - and it looks like same

style email to me

I think there system is basically flawed.

Did anyone disagree that only the first received header is of any relevance.

SO unless there is an example someone can show me with

first received header listing our ip

and from a source that can be trusted. "

216.65.64.234 listed in bl.spamcop.net (127.0.0.2)

Since SpamCop started counting, this system has been reported about 1780

times by about 20 users. It has been sending mail consistently for at least

11.4 days. In the past 46 hours, it has been listed 3 times for a total of

33 hours

In the past week, this system has:

· Been reported as a source of spam about 10 times

· Been detected sending mail to spam traps

· Been witnessed sending mail about 1630 times

A sample sent sometime during the 24 hours beginning Sat Apr 3 00:00:00

2004 GMT 04/03/2004 12:00:00 +1200:

Received: from -.-.- (-.-.com [216.65.64.234])

by -.-.- (Postfix) with - id -

for <-[at]-.net>- Sat, - Apr 2004 - -

Subject: i - a hot wife looking - date someone

From: br.. at ..co.uk

[Another.com]

Wazoo do you accept it is possible for people to forge headers?

I think my technical staff are preety good, and would be telling me if one of our accounts were being used to send spam. Sorting out a miscreant account is a darn site easier than coming cap in hand asking spamcop to correct their error.

2-300 emails per second are currently being rejected on the back of this block, and you guys are responsible.

Sad thing is, the response here is not, there is an error in spamcop (which there is), we take it seriously, we'll fix it by such and such a date, but the presumption that another.com is guilty as charged is clearly there.

[Miss Betsy]

Here is a reply from a non-tech person.

You may be right that the spammer has forged your headers since spamcop is concerned enough about forged headers to radically change the way spam is reported. Unfortunately since the spammers are learning how to forge headers from the examples posted, the only way to find out for sure that you have been listed because of a forgery is to contact the deputies who can see that email.

However, you are wrong that spamcop has in any way labeled you as a spammer. They have reported that spam seems to be coming from your IP address. No one likes spam and something has to be done about it. If spam causes an 'outage' it is no different than any other negative thing that causes outages. The place to direct your anger at is the spammer and the place to 'fix' the problem is at the *sending* end.

If you and your technical staff cooperated with spamcop - especially by being RFC compliant about things like reverse DNS and MX records - then the spammers instead of you and spamcop would be the ones having trouble.

Since I am a non-tech person, this may be way off base, but in the listing of other places this IP address is listed, one of them is a computer that spews spam for a short time. That sounds to me like a trojan. The most common problem of admins coming to spamcop who are 'not spammers' is that there has been a vulnerability exploited that they have not been able to find.

Don't you have a spamcop report that you can post? That would help also in seeing if the parser got hung up.

And if it is true that someone is forging your headers, who did you make so mad? Perhaps it is as common as forging return addresses, but it sounds to me like revenge.

Miss Betsy

[Merlyn]

I believe if you check your logs you will see tons of email coming from 216.65.64.234. I believe you have someone that has either authenticated themselves and are using your machine to spam or relay from or you have a trojaned/hijacked machine.

Want some proof?

Click here for public sightings with full headers!

Do not start blaming others for forged headers just because you cannot figure out what is happening.

[Merlyn]

2-300 emails per second are currently being rejected on the back of this block, and you guys are responsible.

You are not blocking 2-300 email per second from Spamcop those are mostly rejects from the spam run by persons using the Spamcop BL on their server and other BL's. Ther are more being blocked than being reported. According to the the last reported one was from the 2'nd.

Do you know how to read your outgoing logs?

Can you capture a few hundred from your outgoing? That should only take a second or two if the spam run is still going.........

[Merlyn]

Looks like some of the spamvertised sites in the email point to the following people.

Ref: SBL14946

202.104.242.0/24 is listed on the Spamhaus Block List (SBL)

04-Apr-2004 16:41 GMT | SR02

bruterape.biz / zanza.biz / mckpay.com / cardbillquery.com

Ref: SBL10264

211.158.0.0/17 is listed on the Spamhaus Block List (SBL)

04-Apr-2004 11:36 GMT | SR

cqnet.com.cn corporate servers escalation listing

Ref: SBL15082

211.158.15.0/24 is listed on the Spamhaus Block List (SBL)

25-Mar-2004 09:50 GMT | SR14

mosteffective.biz

I would say some spam group running out of China are authenticating themselves on your server.

[Ellen]

Wazoo do you accept it is possible for people to forge headers?

I think my technical staff are preety good, and would be telling me if one of our accounts were being used to send spam.  Sorting out a miscreant account is a darn site easier than coming cap in hand asking spamcop to correct their error.

2-300 emails per second are currently being rejected on the back of this block, and you guys are responsible.

Sad thing is, the response here is not, there is an error in spamcop (which there is), we take it seriously, we'll fix it by such and such a date, but the presumption that another.com is  guilty as charged is clearly there.

I just sent you email -- yes the headers are forged. I delisted your IP. Please, in the future, if you have any listing problems write to deputies <at> spamcop.net

My apologies that the forgery wasn't being picked up by the parser in all cases.

[Merlyn]

Many of those in sightings do not look like forged headers????

[Merlyn]

Maybe someone can help me and tell me what is forged on these:

Example1:

From plaids[at]sheep-land.com Mon Apr 5 03:27:24 2004

Return-Path: <plaids[at]sheep-land.com>

Received: from backto-school.com (218-170-140-50.HINET-IP.hinet.net [218.170.140.50])

by tarpit.thrush.com (8.12.6/8.12.6) with SMTP id i357RG1F018303

for <spamvictim[at]target.site>; Mon, 5 Apr 2004 03:27:20 -0400 (EDT)

Received: from sheep-land.com (mail3.surgeweb.com [216.65.64.234])

by backto-school.com (Postfix) with ESMTP id 2D45F6F7DB

for <spamvictim[at]target.site>; Mon, 05 Apr 2004 01:18:32 -0700

X-Mailer: The Bat! (v2.00.2) Personal

X-Priority: 3

Message-ID: <5283376359.20040405011832[at]sheep-land.com>

MIME-Version: 1.0

Content-Type: multipart/alternative;

boundary="----------621F53A5390F3E4"

From: "Nirenberg H. Patrimonies" <plaids[at]sheep-land.com>

To: spamvictim[at]target.site

Subject: Rd, cheap software for you.

Date: Mon, 05 Apr 2004 01:18:32 -0700

Example 2:

Microsoft Mail Internet Headers Version 2.0

Received: from va-martinsville5b-138.chvlva.adelphia.net ([67.21.155.138])

by myserver with Microsoft SMTPSVC(5.0.2195.6713);

Sun, 4 Apr 2004 02:20:41 +0100

Received: from noncapisco.com (mail3.surgeweb.com [216.65.64.234])

by va-martinsville5b-138.chvlva.adelphia.net (Postfix) with ESMTP id

222FB2DB02

for <me[at]mydomain>; Sat, 03 Apr 2004 17:17:09 -0800

Message-ID: <110001c419e2$0e48e67a$7d3a5886[at]noncapisco.com>

From: "Stalemates M. Salved" <vacancy[at]noncapisco.com>

To: Neilh <me[at]mydomain>

Subject: Neilh, Best offers for medication.

Date: Sat, 03 Apr 2004 17:17:09 -0800

MIME-Version: 1.0

Content-Type: multipart/alternative;

boundary="----=_NextPart_000_0016_E8B9F8CA.D4239AFF"

X-Priority: 3

X-MSMail-Priority: Normal

X-Mailer: Microsoft Outlook Express 6.00.2600.0000

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1082

Return-Path: vacancy[at]noncapisco.com

X-OriginalArrivalTime: 04 Apr 2004 01:20:46.0504 (UTC)

FILETIME=[0E845280:01C419E3]

[Merlyn]

Wazoo do you accept it is possible for people to forge headers?

I think my technical staff are preety good, and would be telling me if one of our accounts were being used to send spam.  Sorting out a miscreant account is a darn site easier than coming cap in hand asking spamcop to correct their error.

2-300 emails per second are currently being rejected on the back of this block, and you guys are responsible.

Sad thing is, the response here is not, there is an error in spamcop (which there is), we take it seriously, we'll fix it by such and such a date, but the presumption that another.com is  guilty as charged is clearly there.

I just sent you email -- yes the headers are forged. I delisted your IP. Please, in the future, if you have any listing problems write to deputies <at> spamcop.net

My apologies that the forgery wasn't being picked up by the parser in all cases.

I am sure you also know there are 5 email/webmail servers for that IP:

http://VISIT-EASTTIMOR.COM

http://www.visit-timor.com/

http://www.surgeweb.com/

mail3.surgeweb.com

mail3.netwinsite.com

Looks like mail is going out of the mail3.surgeweb.com domain and mail3.netwinsite.com domain, could it be his neighbor has the spammer or has the leak in the system and yes another.com is a victim because of others sharing the server? If it is marked and cleared and the spam happens to come through one of them then they are still innocent because they share the same server.

I believe the only person that can view all the logs to get a answer is a tech person at maxim.net.

There is way too many examples in sightings that are not forged headers and none of them are from another.com but mostly from mail3.surgeweb.com who is now innocent.

I do not believe blars would block forged headers.

Another.com could absolutely be innocent but now all the other mailhosts on that server are innocent also

IMHO of course....

[Spambo]

Maybe someone can help me and tell me what is forged on these:

In both cases it appears that the spam was relayed and both relays appear to be dial-up (or at least non-MX) machines.

Example1:

From plaids[at]sheep-land.com  Mon Apr  5 03:27:24 2004

Return-Path: <plaids[at]sheep-land.com>

Received: from backto-school.com (218-170-140-50.HINET-IP.hinet.net [218.170.140.50])

by tarpit.thrush.com (8.12.6/8.12.6) with SMTP id i357RG1F018303

for <spamvictim[at]target.site>; Mon, 5 Apr 2004 03:27:20 -0400 (EDT)

Received: from sheep-land.com (mail3.surgeweb.com [216.65.64.234])

by backto-school.com (Postfix) with ESMTP id 2D45F6F7DB

for <spamvictim[at]target.site>; Mon, 05 Apr 2004 01:18:32 -0700

[snip]

Example 2:

Microsoft Mail Internet Headers Version 2.0

Received: from va-martinsville5b-138.chvlva.adelphia.net ([67.21.155.138])

by myserver with Microsoft SMTPSVC(5.0.2195.6713);

  Sun, 4 Apr 2004 02:20:41 +0100

Received: from noncapisco.com (mail3.surgeweb.com [216.65.64.234])

by va-martinsville5b-138.chvlva.adelphia.net (Postfix) with ESMTP id

222FB2DB02

for <me[at]mydomain>; Sat, 03 Apr 2004 17:17:09 -0800

[snip]

[Wazoo]

Wazoo do you accept it is possible for people to forge headers?

Of course, I do. Even mentioned that Julian is doing some major work in trying to handle this issue as we speak.

I think my technical staff are preety good, and would be telling me if one of our accounts were being used to send spam.

The posting I and farelf responded to lacked that certain "something" to show either of us as to how another.com was involved at all. No dispariging of your staff from either of those postings. That there's a ton load of dialog after your next "samples" saya that this reply is limited to the time of "this posting"

Sorting out a miscreant account is a darn site easier than coming cap in hand asking spamcop to correct their error.

Absolutely agree, though haven't seen how this statement ties into your original query and the sample just referenced. Unless you're now adding an additional tidbit that the sample being discussed here actually originated from "your server" and that's the part that was left out of your posting????

Sad thing is, the response here is not, there is an error in spamcop (which there is), we take it seriously, we'll fix it by such and such a date, but the presumption that another.com is  guilty as charged is clearly there.

Ummm, to repeat both farelf's response and mine to that spam sample, there is no way to accuse another.com of anything .. as neither of us noted any connection or targetting of another.com in the parsing of what you provided. But again, I note that there's much more dialog to wade through ...

[Wazoo]

Hope this makes sense!  Why not show  all the headers in the spamcop report?

They are available ...???

From my technical staff:

"So if they dont think that email would get one listed

what is the email that did get another.com listed

On the site all they show is the bit below with

headers mostly munged so you cant tell anything

True, the "evidence" these days actually sucks ... all that munging and no longer real time, but that's based on spammers abusing this data in order to keep their spew runs going. That's what led to this current problem .. in that only the Deputies can actually see the real data. The rest of us here can only work with this same limited view.

Did anyone disagree that only the first received header is of any relevance.

SO unless there is an example someone can show me with

first received header listing our ip

and from a source that can be trusted.

And once again, I'll agree with your guy and the Spamcop parse of what you provided in this first "sample" ... there is NO connection from that spam to another.com. SpamCop parser noted right off the bat that the first line was crap.

216.65.64.234 listed in bl.spamcop.net (127.0.0.2)

Since SpamCop started counting, this system has been reported about 1780

times by about 20 users. It has been sending mail consistently for at least

11.4 days. In the past 46 hours, it has been listed 3 times for a total of

33 hours

In the case of your posted first sample, so? As stated a couple of times now, the SpamCop parser never got beyond the first line as being a "source" of that spam. The IP you reference here was a few lines down the header and SpamCop didn't care, it went after the IP in the very first line, again the shaw cable outfit.

At this point, I'd suggest you asking your tech guy to come look at wht you posted, the initial responses to that 'sample' and ask him if what you posted was indeed the "whole, complete, raw spam header" of the spam in question. From all you've said and what you said "he" said, I'm standing on the "there's something missing" remark.

[Another.com]

I've had a very helpful message from Ellen and hope the "forged header" issue will be permanently fixed soon.