zyxtarmo Posted April 22, 2005

I understand that spamtrap info is confidential .... I only want to have a couple of e-mail headers from that mail that caused our listing.

mail.ee (212.107.32.204) is a free e-mail service for ~100,000 users, using the service mainly via webmailer. Some "Nigerian spam" a***oles were sending e-mails (did their life miserable), but technically it is impossible that 212.107.32.204 is sending out spam, since it is a load balancer, e.g. all mails that are sent out have real server addresses (_not_ 212.107.32.204).

Because of that, I would appreciate it if a couple of the first Received: headers could be provided; I do not need to know anything about "hops" to the spamtrap ...

Thank you!

Wazoo Posted April 22, 2005

Edited the profane ... status check on the IP you quote comes back as:

http://www.spamcop.net/w3m?action=checkblo...=212.107.32.204
212.107.32.204 not listed in bl.spamcop.net

http://www.senderbase.org/?searchBy=ipaddr...=212.107.32.204
shows traffic coming down (and that it is listed) .. so will guess that as of this moment, there's that bit of lag going on between systems/mirrors/etc.

What I don't really understand is your comment "all mails that are sent out have real server addresses (_not_ 212.107.32.204)"

Anyway, per the FAQ (read before posting) and as offered in many other queries/discussion on this subject / request, there is no one 'here' that can offer the answers you ask ... one would have to request help from one of the Deputies ... on the other hand, there is evidence over in sightings ... http://groups-beta.google.com/groups?q=212.107.32.204&hl=en .. definitely shows traffic leaving from this IP ....

zyxtarmo Posted April 22, 2005

> What I don't really understand is your comment "all mails that are sent out have real server addresses (_not_ 212.107.32.204)"

.204 is a "virtual" address. If e-mail is received, the header shows the real server IP (the TCP connection to .204 is forwarded to the real server and the real server adds headers). A la:

    Received: from c60.cesmail.net (216.154.195.49) by mail-fe82.tele2.ee with (RC4-SHA encrypted) SMTP; Fri, 22 Apr 2005 10:46:33 +0300

Virtual address .204 never "makes" it to the legitimate e-mail traffic headers, since SMTP servers add their DNS name / IP to headers. No traffic is originated from the .204 address.

> Anyway, per the FAQ (read before posting) and as offered in many other queries/discussion on this subject / request, there is no one 'here' that can offer the answers you ask ... one would have to request help from one of the Deputies ... on the other hand, there is evidence over in sightings ... http://groups-beta.google.com/groups?q=212.107.32.204&hl=en .. definitely shows traffic leaving from this IP ....

Yep, all these letters have unfortunately fake headers. It is unfortunate that e-mail servers do not verify DNS data these days :-(

From this (google...) list:

- nexus.hu ([212.107.32.204]) - not related w. mail.ee
- lima.consulcom.qc.ca ([212.107.32.204]) - not related w. mail.ee
- etc .. etc ..

Anyway, thank you for the answer.

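An added example, not part of any post in this thread: the Received: lines being argued over carry two different things, a name the sending side typed (HELO) and a peer IP recorded by the server that wrote the line. This sketch walks the chain from the top and reports the IP that handed the message to the first server you control; the hosts, IPs and the `TRUSTED` set are constructed assumptions.

```python
import re
from email import message_from_string

# Constructed sample (not from the thread); hosts and IPs are documentation values.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.10])
\tby store.recipient.example with ESMTP; Fri, 22 Apr 2005 10:46:40 +0300
Received: from nexus.example ([192.0.2.204])
\tby mx.recipient.example with SMTP; Fri, 22 Apr 2005 10:46:33 +0300
Received: from mail.bank.example ([203.0.113.7])
\tby nexus.example with SMTP; Fri, 22 Apr 2005 09:00:00 +0300
Subject: constructed sample

body
"""
TRUSTED = {"store.recipient.example", "mx.recipient.example"}  # assumed: our own MTAs

FROM_RE = re.compile(r"from\s+(?P<helo>\S+)\s*\((?P<paren>[^)]*)\)", re.I)
BY_RE = re.compile(r"\bby\s+(?P<by>\S+)", re.I)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def parse_received(value):
    """Split one Received: value into HELO name, recorded peer IP and writer."""
    frm, by = FROM_RE.search(value), BY_RE.search(value)
    ip = IPV4_RE.search(frm.group("paren")) if frm else None
    return {
        "helo": frm.group("helo") if frm else None,  # typed by the sender, unverified
        "peer_ip": ip.group(0) if ip else None,      # recorded by the writing server
        "by": by.group("by").lower() if by else None,
    }

def handoff(raw_message, trusted_hosts):
    """Return the peer that connected to the outermost trusted server, or None."""
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    last_trusted = None
    for i, hop in enumerate(hops):  # newest header first
        if hop["by"] not in trusted_hosts:
            break                   # written by someone else: may be forged
        last_trusted = i
    if last_trusted is None:
        return None
    hop = hops[last_trusted]
    return {"peer_ip": hop["peer_ip"], "helo": hop["helo"],
            "unverified_hops": len(hops) - last_trusted - 1}

if __name__ == "__main__":
    print(handoff(SAMPLE, TRUSTED))
```
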
Wazoo Posted April 22, 2005

OK, agreed, I spoke too quickly ... analysis of a couple of the sightings samples does show that they were injected via an open proxy ... so perhaps one could go with that your Nigerian spammers were using a list that included spamtraps. If you shut them down, then perhaps a bit more time and things will clear up ..???

Your description talks of incoming e-mail, which should have no bearing on anything (unless you've got a reporter there that's reporting him/her-self (though you characterize that this IP shouldn't exist)) .... but I should caution you on the statement "No traffic is originated from .204 address" ... that kind of thing has been said before, only to later be proven wrong .... firewall logs perhaps to 'prove' that there is no outgoing e-mail from this system? One worst case was a spammer uploading a script to a compromised machine, starting the spam spew run, then deleting the script (and other evidence) ... only caught by the Admin being on-site at the right time and noticing the extra running tasks in a ps output .....

Merlyn Posted April 22, 2005

You want headers???????? Here ya go: http://groups-beta.google.com/group/news.a...rt=0&scoring=d&

zyxtarmo Posted April 22, 2005

> You want headers???????? Here ya go: http://groups-beta.google.com/group/news.a...rt=0&scoring=d&

If ya would have read all postings on this matter, ya would have noticed that your posting leads us nowhere ;-)

Merlyn Posted April 22, 2005

That's what happens when you turn your computer on before the coffee pot!

This topic is now archived and is closed to further replies.