
Forged Headers


Re: Merlyn's samples .... again, I'm confused ... I copied off the data, had to play with it a bit to make it "parsable" .. and ran both of them through the tool set.

Sample #1 comes back with;

Report spam to:

Re: 218.170.140.50 (Administrator of network where email originates)

To: spam[at]ms1.hinet.net (Notes)

Sample #2 comes back with;

Report spam to:

Re: 67.21.155.138 (Administrator of network where email originates)

To: spamcop[at]adelphia.net (Notes)

Neither offers up another.com as a target for a complaint, as the parser sees the open proxy crap right on the first line .... Agreed there is "the another.com IP" further down, but none of the parsings I (and farelf) have done leads to a report going out to another.com ... Are the reports that another.com are referencing possibly from a user(s) that have determined that the SpamCop parser isn't going far enough and they're adding in additional complaint targets?


Maybe it is not picking up 216.65.64.234 because of the fix that was made when it was de-listed. I believe another.com might be innocent but not other email hosts on that IP. Time will tell. They are starting to get blocked by others and it will not be long before they are blocked by more if that IP is not innocent.

The final decisions are not ours and that is probably good.

I do feel bad for another.com if they are innocent and they have a spammy neighbor because in the end it will cost them.

On their site it says the system has been very slow lately but it will clear itself up. It should say it will clear up when the unknown spam run is over and all the fall-out has cleared up :D

I will be personally following this IP for the next few weeks.

If they were the only mail host on that IP I would agree 100% but they aren't.


Need someone else to check these also:

I would like comments from some of the Pros here in this group (Wazoo, Spambo).

There seems to be some kind of "something" here. Looking at every posting in sightings (We will get to your ilovedominic.com example above in a while)

First let's assume:

domain: ANOTHER.COM

owner-address: Funmail Ltd

Now let's check these:

Received: from backto-school.com (218-170-140-50.HINET-IP.hinet.net [218.170.140.50])
        by tarpit.thrush.com (8.12.6/8.12.6) with SMTP id i357RG1F018303
        for <spamvictim[at]target.site>; Mon, 5 Apr 2004 03:27:20 -0400 (EDT)
Received: from sheep-land.com (mail3.surgeweb.com [216.65.64.234])
        by backto-school.com (Postfix) with ESMTP id 2D45F6F7DB
        for <spamvictim[at]target.site>; Mon, 05 Apr 2004 01:18:32 -0700

second (topmost) received line.

Query : www.backto-school.com

Offical Name = www.backto-school.com

Aliases =

Addresses = 212.62.7.9

NAME: NET-FUNMAIL-COLO-01-GB

NUMBER: 212.62.7.0 - 212.62.7.127

Registrant:

Another.com

Registered through: domainbank.com

Domain Name: backto-school.com

But this had a Hinet IP number (hmmmmmmm) forged Header? Maybe but they were smart enough to use one of your registered domain names.

First received line:

Received: from sheep-land.com (mail3.surgeweb.com [216.65.64.234])
        by backto-school.com (Postfix) with ESMTP id 2D45F6F7DB
        for <spamvictim[at]target.site>; Mon, 05 Apr 2004 01:18:32 -0700

Query : www.sheep-land.com

Offical Name = www.sheep-land.com

Aliases =

Addresses = 212.62.7.9

TARGET: 212.62.7.9

NAME: NET-FUNMAIL-COLO-01-GB

NUMBER: 212.62.7.0 - 212.62.7.127

Registrant:

Another.com

Registered through: domainbank.com

Domain Name: sheep-land.com

It seems as if every example is exactly the same where both names are registered to Fun Mail (Another.com) and it looks as if the topmost header is forged because the name that belongs to another.com does not relate to the IP addy and not the first(originating) header which is also another - another.com name.

So which header is forged?

Me thinks you have some mail problems, or maybe you don't. It's getting late and I will put them together another time.

The first "Topmost" header can only be trusted if you know the receiving machine.

NOW, we will use your example from above:

You say:

well turns out 24.86.137.21 is h24-86-137-21.vs.shawcable.net which looks like some temp ip given to a subscriber not an smtp server at all and not ilovedominic.com as claimed in the helo which is actually 212.62.7.9

could it be ilovedominic.coms smtp sending mail server - obviously not.

so rest of message is irrelevant as it could and is forged

Well my pal ilovedominic.com is 212.62.7.9 like you say but it is also owned by you!

Query : ilovedominic.com

Offical Name = ilovedominic.com

Aliases =

Addresses = 212.62.7.9

TARGET: 212.62.7.9

NAME: NET-FUNMAIL-COLO-01-GB

NUMBER: 212.62.7.0 - 212.62.7.127

Just like all the "many" examples in NANAS

I think you are forwarding/relaying for all of your domain names. I think the spam is coming from your server.

You say:

"I've had a very helpful message from Ellen and hope the "forged header" issue will be permanently fixed soon."

How can you fix somebody forging headers unless the problem begins with you?


Maybe it is not picking up 216.65.64.234 because of the fix that was made when it was de-listed.

Farelf's and my initial parse results predated Ellen's post by a number of hours, if I recall. But, I still don't see that the "fix" mattered, as the parser saw the mismatch between the FQDN and IP immediately, and of course, the broken chain with the open proxy from the cl list identified.


The parser knows not to trust a known open proxy, or an I.P. address it thinks is a DHCP allocated one.

And if the I.P. address is not known to be an open proxy at the time of the initial report, and the parser does not detect it as dynamic, it could cause a forgery to be believed.

Now the parser is checking dnsbl.sorbs.net. dnsbl.sorbs.net returns a 127.0.0.10 code if the I.P. address is in their dynamic zone. If the parser would treat that as an indication that the I.P. is dynamic, it would probably cut down on the errors.

The SORBS.NET dynamic zone is pretty accurate, and is used enough that if there is an error for a static address, that address is very unlikely to show up as a relay point for a routable address, unless it is an open relay.

-John

Personal Opinion Only


Need someone else to check these also:

I would like comments from some of the Pro's here in this group (Wazoo, Spambo).

[...]

Merlyn, I'm not a pro but I think I know that the thing outside the brackets is the HELO. The spammer can set that to anything and the next server in line will copy it to its received-line. The rDNS is inside the round brackets, just before the IP addy (which is in square brackets).

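As an added example (not code from the thread, and not SpamCop's parser), this small Python script walks a Received chain the way the posts above describe it: HELO outside the brackets, rDNS in round brackets, IP in square brackets, a dnsbl.sorbs.net-style 127.0.0.10 answer treated as "dynamic", and the first hop that cannot be trusted taken as the injection point to report. The two sample hops are the thread's sample #1; the DNSBL table, mx.example.net and 192.0.2.10 are constructed stand-ins.

```python
import re

# Shape of the lines quoted in the thread: HELO outside the brackets, reverse DNS
# inside the round brackets, the connecting IP in square brackets, then "by <host>".
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[\d.]+)\]\)\s+by\s+(?P<by>\S+)"
)

# Constructed from the thread's sample #1, topmost hop first.
SAMPLE_HOPS = [
    "from backto-school.com (218-170-140-50.HINET-IP.hinet.net [218.170.140.50])\n"
    "        by tarpit.thrush.com (8.12.6/8.12.6) with SMTP id i357RG1F018303",
    "from sheep-land.com (mail3.surgeweb.com [216.65.64.234])\n"
    "        by backto-school.com (Postfix) with ESMTP id 2D45F6F7DB",
]

# Constructed stand-in for dnsbl.sorbs.net answers; 127.0.0.10 marks the dynamic zone.
FAKE_DNSBL = {"218.170.140.50": "127.0.0.10"}


def parse_received(header):
    m = RECEIVED_RE.search(header)
    if not m:
        raise ValueError("unparsable Received line")
    return {k: m.group(k).lower() for k in ("helo", "rdns", "ip", "by")}


def is_dynamic(ip, dnsbl=FAKE_DNSBL):
    return dnsbl.get(ip) == "127.0.0.10"


def hop_findings(p):
    """Reasons not to trust what this hop claims about where it came from."""
    findings = []
    # Crude name check: the HELO should be the rDNS host or a parent domain of it.
    if p["helo"] != p["rdns"] and not p["rdns"].endswith("." + p["helo"]):
        findings.append("helo/rdns mismatch")
    if is_dynamic(p["ip"]):
        findings.append("dynamic ip")
    return findings


def find_origin(hops):
    """Walk topmost-first. The first hop that cannot be trusted is the injection
    point; every line beneath it could have been written by the injector."""
    parsed = [parse_received(h) for h in hops]
    for i, p in enumerate(parsed):
        if hop_findings(p):
            return p["ip"]
        if i + 1 < len(parsed) and parsed[i + 1]["by"] not in (p["helo"], p["rdns"]):
            return p["ip"]  # chain break: the hop below was not written by this host
    return parsed[-1]["ip"]


if __name__ == "__main__":
    for h in SAMPLE_HOPS:
        print(parse_received(h), hop_findings(parse_received(h)))
    print("report to admin of", find_origin(SAMPLE_HOPS))
```

On sample #1 the walk stops at the Hinet hop, so the another.com names further down never become a report target; only if the outer hop were clean would the walk reach the 216.65.64.234 line.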

long but interesting Merlyn...something struck me as suspicious about this whole discussion...and somehow I remember seeing similar things in some spam I reported...so would you conclude that the enemy is within?

not really, I am just saying that all these domains are related and this is not just coincidence. This is a spammy server and as usual there is no responsible party.

What comes to mind is spammers lie!


This is a "spammy" server

Spammers lie.

Seems you are getting desperate to find the witch.

The Witch is 212.62.7.9 because in every sighting the domain names point to that IP. That IP(212.62.7.9) is www.funmail.co.uk which is actually funmail which is actually another.com that claims they are innocent.

I know the witch I am just trying to figure out the brew.

But now I think I know... Thanks!


I haven't had time to follow the technical arguments.

But, it seems to me, that in order to really understand the problem, one would need to know how the forgery was made. I understand that revealing that kind of information might help the forger. However, somehow one needs to know how to recognize the forgery. Not everyone uses the spamcop parser so it won't stop reports about another.com. But perhaps they don't care unless they are listed on a blocklist. And what did blars say about the forgery?

It also seems to me that there is something peculiar happening. Does another.com seem interested in pinpointing who is the forger? Would not that be something that an innocent person would do? Look this happened to me! It could happen to you! Here is how to avoid it! Or what you need to tell the deputies right away!

If another.com's purpose in coming to the web forum instead of directly to the deputies was to discredit spamcop, they have raised more questions about their sincerity in fighting spam.

Miss Betsy


Need someone else to check these also:

I would like comments from some of the Pros here in this group (Wazoo, Spambo).

There seems to be some kind of "something" here. Looking at every posting in sightings (We will get to your ilovedominic.com example above in a while)
I don't have time to go into a lot of detail but yes the bottommost headers are forged -- they have the characteristics of other forged headers that are being seen which try to point to other large mailers including most of the freemailers. Because of the always increasing number of compromised machines which are used by this spammer the compromised machines are not always on the proxy lists when the spams are first parsed but do show up soon after. So recognizing them is a combination of having seen many of these previously plus some characteristics that I do not want to discuss publicly plus talking to the supposed injection point admin ...


OK, I give up. I know Ellen has access to the real data and many more datum, but ... when all the examples I've played with in the Topic fail the chain test long before they get to anything touching another.com's admittedly bogus lines (but again, so's the first line in these samples) ... I'm just not up to speed on this issue.

As noted before, none of the samples I've toyed with made it past the first line for finding a major problem, and none ended up targeting another.com as a complaint target. And not even needing to get into the open proxy issue, as the parse errors I've gotten all point to the MX doesn't match the IP (which has also been pretty dang obvious in some of the samples) and Merlyn's searching around has sure brought up some interesting background facts.


Exactly what I was thinking!

Do you suppose another.com is the first of a series of "innocent" victims of this spammer?

Or, what did they do to someone to make them do such a Joe Job?

Lots of questions. Do you suppose there will ever be published answers?

Miss Betsy

PS Wish I saved my spam so that I could find it again. Funmail sounds familiar.


PS Wish I saved my spam so that I could find it again. Funmail sounds familiar.

I said that myself, there is also something that sounds almost self-incriminating in the whole thread, just a hunch...But as you said: <<we are all victims>> in the end, something must be done to stop these scum spammers, fraud and criminal content...The internet was started with very noble goals, like any other human endeavor it was bound to be pestered by criminal minds, and our pejorative is to find the means to protect ourselves from those crimes...but I digress... The bottom line is that our frustration may push us to action, and that will benefit everybody in the end.. :rolleyes:


Exactly what I was thinking!

Do you suppose another.com is the first of a series of "innocent" victims of this spammer?

Or, what did they do to someone to make them do such a Joe Job?

Lots of questions.  Do you suppose there will ever be published answers?

Miss Betsy

PS  Wish I saved my spam so that I could find it again.  Funmail sounds familiar.

Actually there have been many victims of this spammer.


Spamcop are very efficient at responding to my requests to unblock us, but as indicated before we are powerless to stop people forging headers, and whilst spamcop interpret these as coming from our IP we are going to get blocked every other day or so.

Spamcop has achieved a significant position as an authority on which IPs are sending out spam so if they say we are sending out spam it is taken seriously.

I wonder what others on this BB would say was a reasonable amount of time for Spamcop to fix this and adjust their system so it wasn't fooled?


I wonder what others on this BB would say was a reasonable amount of time for Spamcop to fix this and adjust their system so it wasn't fooled?

It all depends on how tricky the problem is - and perhaps, how cooperative the victims are. Some people are willing to cooperate so that the problem can be resolved - rather like evacuating a building while police look for a criminal. Others demand that the search be shortened so that *they* are not inconvenienced. Never mind anyone else who may be attacked by the criminal who gets away.

Look at the poor grandmothers who are searched at airports because of terrorists. If I thought about all the ways that I am inconvenienced and can't do what I would like to do or have to add umpteen actions in order to do something because of the safeguards, etc. that have been put into place against unscrupulous people, I would be a very grumpy person.

So, you have to check on the scbl constantly and call them every other day as soon as your IP address reappears. How does that compare with the people who spend as much time sorting through their incoming mail? Or wake up to 300 bounces in their inbox?

Miss Betsy


Spamcop are very efficient at responding to my requests to unblock us, but as indicated before we are powerless to stop people forging headers, and whilst spamcop interpret these as coming from our IP we are going to get blocked every other day or so.

Spamcop has achieved a significant position as an authority on which IPs are sending out spam so if they say we are sending out spam it is taken seriously.

I wonder what others on this BB would say was a reasonable amount of time for Spamcop to fix this and adjust their system so it wasn't fooled?

Please email me at deputies at> spamcop.net with the IPs -- I know you already have but it would be of assistance if you would do it again. TIA


Miss Betsy,

Just in case you have not got it yet (which you seem to be incapable of understanding), we (that is another.com) can do absolutely nothing to stop people forging headers with our IP address in. It is 100% outside of our control.

Hope you are able to take this simple concept on board.

Regards

Peter
