
[Resolved] Header parsing incorrectly?


milkboy


The report (not sent) is at http://www.spamcop.net/sc?id=z2418169598zc...4493d6215965dcz

The header parsing is fine up until #2.

#3 is marked as "trusted site" for some reason? SpamCop trusts this host?

#4 is marked as Internal handoff at IKI, IKI being one of my mailhosts, but smtp5.jaring.my has absolutely nothing to do with my mailhosts, so this is incorrect

#5 might or might not be faked

As I see it, 61.6.32.55 should be the sender and not just "intermediary" handler? Someone correct me if I'm wrong

----------

0: Received: from emh01.mail.saunalahti.fi (emh01.mail.saunalahti.fi [62.142.5.107]) by be35.mail.saunalahti.fi (Postfix) with ESMTP id D58FE910AB for <x>; Tue, 25 Nov 2008 02:45:35 +0200 (EET)

Hostname verified: emh01.mail.saunalahti.fi

Saunalahti2 received mail from Saunalahti2 ( 62.142.5.107 )

1: Received: from jatkuu.iki.fi (jatkuu.iki.fi [212.16.98.53]) by emh01.mail.saunalahti.fi (Postfix) with ESMTP id C45464BB47 for <x>; Tue, 25 Nov 2008 02:45:35 +0200 (EET)

Hostname verified: jatkuu.iki.fi

Saunalahti2 received mail from IKI ( 212.16.98.53 )

2: Received: from smtp5.jaring.my (smtp5.jaring.my [61.6.32.55]) by jatkuu.iki.fi (8.14.2/8.14.2) with ESMTP id mAP0jUdQ000988 for <x>; Tue, 25 Nov 2008 02:45:33 +0200 (EET)

Hostname verified: smtp5.jaring.my

IKI received mail from sending system 61.6.32.55

3: Received: from localhost (localhost.jaring.my [127.0.0.1]) by smtp5.jaring.my (8.13.8/8.13.8) with ESMTP id mAP0hZIg011176; Tue, 25 Nov 2008 08:43:35 +0800 (MYT) (envelope-from hicktom[at]googlemail.com)

Internal handoff by trusted site 61.6.32.55

4: Received: from smtp5.jaring.my ([127.0.0.1]) by localhost (smtp5.jaring.my [127.0.0.1]) (amavisd-new, port 10024) with LMTP id QBdCuSngWsw9; Tue, 25 Nov 2008 08:43:33 +0800 (MYT)

Internal handoff at IKI

5: Received: from User ([41.6.31.123]) (authenticated bits=0) by smtp5.jaring.my (8.13.8/8.13.8) with ESMTP id mAP0gpn6010729; Tue, 25 Nov 2008 08:42:57 +0800 (MYT) (envelope-from hicktom[at]googlemail.com)

No unique hostname found for source: 41.6.31.123

Trusted site 61.6.32.55 received mail from 41.6.31.123

Edit: #4 -> 61.6.32.55, which was the original intention



#4 could never be the source as it is an internal handoff, there is no IP address to report. The mention of IKI is really just a factor of SpamCop trying to "humanize" the parse and part of the mailhost system. You are correct it is not part of IKI, but it is likely that 127.0.0.1 is in your mailhost configuration as it is in most.

#3 does appear to be trusted... if you do not trust it your manual report should go to the ISP of 61.6.32.55 because: IKI received mail from sending system 61.6.32.55.

I have seen very few cases where the manually set trusted flag needed to be turned back off, so I usually trust the parse. All it means is that host is known to correctly include the source where it got the message. As such, the original source is 41.6.31.123



127.0.0.1 does not appear in any of my mailhosts IP lists? Nor does 61.6.32.55. This is what is confusing me. Afaik, anything starting from #3 could be faked..



Nothing said that 61.6.32.55 was in your mailhost. SpamCop has a list of trusted hosts that have been found to correctly indicate where the message came from.

As I said earlier, #3 provides no information... it is internal to the server... You could have that same line in headers caused by your own machine if you have certain AV products, for instance.

It is possible it could be faked, but SpamCop has gone out of their way (setting the trusted flag) to make the parse go beyond that point. You trust IKI placed the correct IP on its messages, SpamCop trusts that 61.6.32.55 placed the correct IP on its messages.

Again, you can manually report to anyplace you like. SpamCop trusts all the way to step 5 on this parse.

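The two replies above describe the walk SpamCop performs: start at the top Received: line, believe every line written by one of your mailhosts, treat 127.0.0.1 hand-offs as internal, and stop at the first external IP unless that host carries SpamCop's trusted flag, in which case the parse continues through it. The script below is an added illustration of that walk and is not SpamCop's code. It assumes the poster's mailhosts are the two IPs the parse labels Saunalahti2 and IKI, that 61.6.32.55 is the only trusted host, and it uses the six Received: lines quoted in the first post as its input. Running it with and without the trusted flag reproduces the two outcomes discussed in the thread: 41.6.31.123 as source via 61.6.32.55, or 61.6.32.55 as source with no intermediary.

```python
"""Walk a Received: chain the way the replies above describe SpamCop doing it."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# The six Received: lines quoted in the first post, newest (0) to oldest (5).
RECEIVED = [
    "Received: from emh01.mail.saunalahti.fi (emh01.mail.saunalahti.fi [62.142.5.107]) by be35.mail.saunalahti.fi (Postfix) with ESMTP id D58FE910AB for <x>; Tue, 25 Nov 2008 02:45:35 +0200 (EET)",
    "Received: from jatkuu.iki.fi (jatkuu.iki.fi [212.16.98.53]) by emh01.mail.saunalahti.fi (Postfix) with ESMTP id C45464BB47 for <x>; Tue, 25 Nov 2008 02:45:35 +0200 (EET)",
    "Received: from smtp5.jaring.my (smtp5.jaring.my [61.6.32.55]) by jatkuu.iki.fi (8.14.2/8.14.2) with ESMTP id mAP0jUdQ000988 for <x>; Tue, 25 Nov 2008 02:45:33 +0200 (EET)",
    "Received: from localhost (localhost.jaring.my [127.0.0.1]) by smtp5.jaring.my (8.13.8/8.13.8) with ESMTP id mAP0hZIg011176; Tue, 25 Nov 2008 08:43:35 +0800 (MYT) (envelope-from hicktom[at]googlemail.com)",
    "Received: from smtp5.jaring.my ([127.0.0.1]) by localhost (smtp5.jaring.my [127.0.0.1]) (amavisd-new, port 10024) with LMTP id QBdCuSngWsw9; Tue, 25 Nov 2008 08:43:33 +0800 (MYT)",
    "Received: from User ([41.6.31.123]) (authenticated bits=0) by smtp5.jaring.my (8.13.8/8.13.8) with ESMTP id mAP0gpn6010729; Tue, 25 Nov 2008 08:42:57 +0800 (MYT) (envelope-from hicktom[at]googlemail.com)",
]

# Assumed: the poster's mailhost IPs are the two hosts the parse labels Saunalahti2 and IKI.
MAILHOSTS = {"62.142.5.107", "212.16.98.53"}
# Assumed: SpamCop's trusted flag is set on smtp5.jaring.my, as the parse output shows.
SPAMCOP_TRUSTED = {"61.6.32.55"}

HEADER_RE = re.compile(r"^Received:\s+from\s+(?P<frm>.*?)\s+by\s+(?P<by>\S+)")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


@dataclass
class Hop:
    from_host: str          # name the sender announced (HELO name or reverse lookup)
    from_ip: Optional[str]  # first IPv4 literal in the from-clause, None if absent
    by_host: str            # host that wrote this line


def parse_received(line: str) -> Optional[Hop]:
    """Split one Received: line into from-host, from-IP and by-host."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    frm = m.group("frm")
    ip = IPV4_RE.search(frm)
    return Hop((frm.split() or [""])[0], ip.group(1) if ip else None, m.group("by"))


@dataclass
class Parse:
    source: Optional[str] = None
    intermediaries: List[str] = field(default_factory=list)
    trace: List[str] = field(default_factory=list)


def walk(headers: List[str], mailhosts: Set[str], trusted: Set[str]) -> Parse:
    """Top-down walk. Lines are believed only while written by a mailhost or a
    trusted relay. The first from-IP that is neither internal (loopback or a
    mailhost) nor trusted is the reportable source, and nothing below that
    line is examined, because that host could have forged anything beneath it."""
    result = Parse()
    prev: Optional[Hop] = None
    for i, line in enumerate(headers):
        hop = parse_received(line)
        if hop is None or hop.from_ip is None:
            result.trace.append(f"{i}: no usable from-IP, parse stops here")
            break
        # Continuity check: the host line i-1 said it received from should be writing line i.
        if prev and prev.from_host.lower() != hop.by_host.lower():
            result.trace.append(f"{i}: warning: expected a line written by {prev.from_host}, got {hop.by_host}")
        prev = hop
        ip = hop.from_ip
        if ipaddress.ip_address(ip).is_loopback or ip in mailhosts:
            result.trace.append(f"{i}: internal handoff ({ip})")
            continue
        if ip in trusted:
            result.intermediaries.append(ip)
            result.trace.append(f"{i}: trusted site {ip}, continuing past it")
            continue
        result.source = ip
        result.trace.append(f"{i}: sending system {ip}; lines below are unverified")
        break
    return result


if __name__ == "__main__":
    for label, trusted in (("with trusted flag", SPAMCOP_TRUSTED), ("without trusted flag", set())):
        p = walk(RECEIVED, MAILHOSTS, trusted)
        print(label, "-> source", p.source, "via", p.intermediaries)
        for t in p.trace:
            print("  ", t)
```

The continuity check is the cheap forgery tell a practitioner adds on top of the trust walk: a host that forges lines beneath its own usually fails to make its announced from-host match the by-host of the next line down. In this chain every hop lines up, which is consistent with the replies' reading that the parse can be trusted through to step 5.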

Sounds perfectly reasonable. Thanks. Reports go to both places anyway (intermediary and original sender).

So I suppose the bottom line is that "Internal handoff at IKI" in #4 should be read as "Internal handoff at some-spamcop-trusted-host".


Archived

This topic is now archived and is closed to further replies.
