
212.107.32.204 listed in spamcop


zyxtarmo


I understand that spamtrap info is confidential .... I only want to have a couple of e-mail headers from the mail that caused our listing.

mail.ee (212.107.32.204) is a free e-mail service for ~100,000 users, using the service mainly via webmailer. Some "Nigerian spam" a***oles were sending e-mails (did their life miserable) but technically it is impossible that 212.107.32.204 is sending out spam since it is a load balancer, e.g. all mails that are sent out have real server addresses (_not_ 212.107.32.204).

Because of that, I would appreciate it if a couple of the first Received: headers could be provided; I do not need to know anything about "hops" to the spamtrap ...

Thank you!


Edited the profane ... status check on the IP you quote comes back as;

http://www.spamcop.net/w3m?action=checkblo...=212.107.32.204

212.107.32.204 not listed in bl.spamcop.net

http://www.senderbase.org/?searchBy=ipaddr...=212.107.32.204 shows traffic coming down (and that it is listed) .. so will guess that as of this moment, there's that bit of lag going on between systems/mirrors/etc.

What I don't really understand is your comment "all mails that are sent out have real server addresses (_not_ 212.107.32.204)"

Anyway, per the FAQ (read before posting) and as offered in many other queries/discussion on this subject / request, there is no one 'here' that can offer the answers you ask ... one would have to request help from one of the Deputies ... on the other hand, there is evidence over in sightings ... http://groups-beta.google.com/groups?q=212.107.32.204&hl=en .. definitely shows traffic leaving from this IP ....


What I don't really understand is your comment "all mails that are sent out have real server addresses (_not_ 212.107.32.204)"

.204 is a "virtual" address. If e-mail is received, the header shows the real server IP (the TCP connection to .204 is forwarded to the real server and the real server adds headers).

a la: Received: from c60.cesmail.net (216.154.195.49) by mail-fe82.tele2.ee with (RC4-SHA encrypted) SMTP; Fri, 22 Apr 2005 10:46:33 +0300

Virtual address .204 never "makes" it to the legitimate e-mail traffic headers, since SMTP servers add their DNS name / IP to headers. No traffic is originated from .204 address.

Anyway, per the FAQ (read before posting) and as offered in many other queries/discussion on this subject / request, there is no one 'here' that can offer the answers you ask ... one would have to request help from one of the Deputies ... on the other hand, there is evidence over in sightings ... http://groups-beta.google.com/groups?q=212.107.32.204&hl=en .. definitely shows traffic leaving from this IP ....


Yep, all these letters have unfortunately fake headers. It is unfortunate that e-mail servers do not verify DNS data these days :-(

from this (google...) list:

- nexus.hu ([212.107.32.204]) - not related w. mail.ee

- lima.consulcom.qc.ca ([212.107.32.204]) - not related w. mail.ee

- etc .. etc ..

Anyway, thank you for the answer.


OK, agreed, I spoke too quickly ... analysis of a couple of the sightings samples does show that they were injected via an open proxy ... so perhaps one could go with that your Nigerian spammers were using a list that included spamtraps. If you shut them down, then perhaps a bit more time and things will clear up ..???

Your description talks of incoming e-mail, which should have no bearing on anything (unless you've got a reporter there that's reporting him/her-self (though you characterize that this IP shouldn't exist)) .... but I should caution you on the statement "No traffic is originated from .204 address" ... that kind of thing has been said before, only to later be proven wrong .... firewall logs perhaps to 'prove' that there is no outgoing e-mail from this system? One worst case was a spammer uploading a script to a compromised machine, starting the spam spew run, then deleting the script (and other evidence) ... only caught by the Admin being on-site at the right time and noticing the extra running tasks in a ps output .....


Archived

This topic is now archived and is closed to further replies.
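
The Received: header question debated in this thread, as an added example that is not part of any post: only headers stamped by your own servers are reliable, and in those the parenthesised IP is what the server saw on the TCP connection, while the name after `from` is just the HELO the client claimed. The hosts under example.org / example.net / example.com, the 192.0.2.0/24 range and the function names are assumptions; the sample headers are constructed around the forms quoted above.

```python
import ipaddress
import re
from collections import defaultdict

# Covers both forms quoted in the thread: "(216.154.195.49)" and "([212.107.32.204])",
# plus the common "(rdns.name [ip])" variant.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:\S+\s+)?\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)"
    r"\s+by\s+(?P<by>[^\s;]+)", re.IGNORECASE)

def parse_received(value):
    """Return (claimed_helo, peer_ip, stamping_host), or None if unparseable."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    try:
        ip = str(ipaddress.ip_address(m["ip"]))
    except ValueError:          # e.g. an octet above 255
        return None
    return m["helo"].lower(), ip, m["by"].lower()

def injection_point(received, our_hosts, our_networks):
    """Walk Received: values newest-first; return the first hop whose peer IP is
    outside our networks. Headers below that hop were supplied by the sender."""
    nets = [ipaddress.ip_network(n) for n in our_networks]
    for value in received:
        hop = parse_received(value)
        if hop is None or hop[2] not in our_hosts:
            return None         # not stamped by us: nothing here can be trusted
        if not any(ipaddress.ip_address(hop[1]) in n for n in nets):
            return hop
    return None

def helo_names_by_ip(hops):
    """Group claimed HELO names by the peer IP the receiving server recorded."""
    seen = defaultdict(set)
    for helo, ip, _ in hops:
        seen[ip].add(helo)
    return dict(seen)

# Constructed sample (hypothetical hosts under example.org / example.net).
OUR_HOSTS = {"mx1.example.org", "relay.example.net"}
OUR_NETS = ["192.0.2.0/24"]
SAMPLE = [
    "from relay.example.net (192.0.2.10) by mx1.example.org with SMTP; Fri, 22 Apr 2005 10:46:35 +0300",
    "from nexus.hu ([212.107.32.204]) by relay.example.net with SMTP; Fri, 22 Apr 2005 10:46:33 +0300",
    "from mail.example.com ([198.51.100.9]) by nexus.hu with SMTP; Fri, 22 Apr 2005 10:46:30 +0300",
]

if __name__ == "__main__":
    print(injection_point(SAMPLE, OUR_HOSTS, OUR_NETS))
```

One peer IP appearing with several unrelated HELO names, as in the sightings list above, is what `helo_names_by_ip` surfaces; it says the names are unverified, not which machine behind that IP opened the connection.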
