mrwebman Posted January 21, 2010

Lately, Spamcop has been routinely detecting the wrong spammer - it's been detecting US as the spammer and wanting to report us to our own ISP. This is happening about 80 percent of the time!! It started maybe two weeks ago. It never did it before.

Here is an example of spam that is being detected wrong:

HEADER:

Return-Path: <westernizesuzz79[at]sawadeeka.com>
X-Original-To: spamcop[at]mrwebman.com
Delivered-To: spamcop[at]mrwebman.com
Received: from smoothwall (unknown [192.168.2.1]) by mrwebman.com (Postfix) with ESMTP id 6B6BA552F for <spamcop[at]mrwebman.com>; Thu, 21 Jan 2010 12:57:52 -0500 (EST)
X-CLAMAV-Results: Clean
X-DSPAM-Factors: 27, sent+from, 0.00986, sent+from, 0.00986, Type>+<META, 0.01000, X-Mailer*(9.0.2910.0), 0.01000, AOL, 0.01000, AOL, 0.01000, account+is, 0.01000, account+is, 0.01000, X-Mailer*IMO+Build, 0.01000, X-Mailer*Build+9.0.2416, 0.01000, ll, 0.01000, ll, 0.01000, X-Mailer*9.0.2416+(9.0.2910.0), 0.01000, X-Mailer*Outlook+IMO, 0.01000, account+and, 0.01000, account+and, 0.01000, X-Mailer*9.0.2416, 0.01000, X-Mailer*IMO, 0.01000, not+monitored, 0.01000, not+monitored, 0.01000, Type>, 0.01000, <META+content="text/html, 0.01000, it’, 0.01000, it’, 0.01000, equiv=Content+Type>, 0.01000, Team, 0.01230, Team, 0.01230
X-DSPAM-Signature: 4b58959e109612757212725
X-DSPAM-Probability: 0.0000
X-DSPAM-Confidence: 0.9899
X-DSPAM-Processed: Thu Jan 21 12:57:50 2010
X-DSPAM-Result: Innocent
X-Original-From: westernizesuzz79[at]sawadeeka.com
X-Original-To: spamcop[at]mrwebman.com
X-DSPAM-Connection: 24.123.149.141:38111 --> mrwebman:25
Received-SPF: softfail (smoothwall: transitioning domain of westernizesuzz79[at]sawadeeka.com does not designate 24.123.149.141 as permitted sender)
Received: from rrcs-24-123-149-141.central.biz.rr.com (HELO server1.d4wh.net) (24.123.149.141) by smoothwall (qpsmtpd/0.40) with ESMTP; Thu, 21 Jan 2010 12:57:54 -0500
Received: by server1.d4wh.net (Postfix) id 7B9B02FCB488; Thu, 21 Jan 2010 12:57:50 -0500 (EST)
Delivered-To: sales[at]compudirectinc.com
Received: from smoothwall (unknown [192.168.1.1]) by server1.d4wh.net (Postfix) with ESMTP id 65DBF2FCB402 for <sales[at]compudirectinc.com>; Thu, 21 Jan 2010 12:57:50 -0500 (EST)
X-CLAMAV-Results: Clean
X-DSPAM-Factors: 27, sent+from, 0.00986, sent+from, 0.00986, Type>+<META, 0.01000, X-Mailer*(9.0.2910.0), 0.01000, AOL, 0.01000, AOL, 0.01000, account+is, 0.01000, account+is, 0.01000, X-Mailer*IMO+Build, 0.01000, X-Mailer*Build+9.0.2416, 0.01000, ll, 0.01000, ll, 0.01000, X-Mailer*9.0.2416+(9.0.2910.0), 0.01000, X-Mailer*Outlook+IMO, 0.01000, account+and, 0.01000, account+and, 0.01000, X-Mailer*9.0.2416, 0.01000, X-Mailer*IMO, 0.01000, not+monitored, 0.01000, not+monitored, 0.01000, Type>, 0.01000, <META+content="text/html, 0.01000, it’, 0.01000, it’, 0.01000, equiv=Content+Type>, 0.01000, Team, 0.01230, Team, 0.01230
X-DSPAM-Signature: 4b58959e109612757212725
X-DSPAM-Probability: 0.0000
X-DSPAM-Confidence: 0.9899
X-DSPAM-Processed: Thu Jan 21 12:57:50 2010
X-DSPAM-Result: Innocent
X-Original-From: westernizesuzz79[at]sawadeeka.com
X-Original-To: sales[at]compudirectinc.com
Received-SPF: softfail (smoothwall: transitioning domain of westernizesuzz79[at]sawadeeka.com does not designate 194.126.18.147 as permitted sender)
Received: from Unknown (HELO JUPCVNSRJY) (194.126.18.147) by smoothwall (qpsmtpd/0.40) with ESMTP; Thu, 21 Jan 2010 17:57:50 +0000
Received: from 194.126.18.147 by aspmx5.googlemail.com; Thu, 21 Jan 2010 19:57:08 +0200
From: "AIM" <no_reply_aim[at]aim.com>
To: <sales[at]compudirectinc.com>
Subject: the latest update for the AIM
Date: Thu, 21 Jan 2010 19:57:08 +0200
Message-ID: <000d01ca9ac3$26108ec0$6400a8c0[at]westernizesuzz79>
MIME-Version: 1.0
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4927.1200
Importance: Normal
X-CLAMAV-Signature: 62a2c97af63270a03ef160564399b38b:2854:/var/spool/mail/1264096670:10954:0
X-CLAMAV-Signature: 73f5db8a8327a4f0107d807c8ad91d43:4527:/var/spool/mail/1264096674:9153:0
X-Antivirus: AVG for E-mail 9.0.730 [271.1.1/2636]
Content-Type: multipart/mixed; boundary="=======AVGMAIL-7BF77F09======="

BODY:

Dear AOL Instant Messenger (AIM) user,

Your AIM account is flagged as inactive. Within the following 72 hours it’ll be deleted from the system. If you plan to use this account in the future, you have to download and launch the latest update for the AIM. This update is critical.

In order to install the update use the following link. This link is generated exclusively for your account and is available within a certain period of time. As soon as this link is not available anymore you will get another letter.

<a href="http://update.aol.com.favucca.com.im/products/aimController.php?code=077737458355906842189549645745088043281291197848680042046&email=sales[at]compudirectinc.com">

Thank you,
AIM Service Team

This e-mail has been sent from an e-mail address that is not monitored. Please do not reply to this message. We are unable to respond to any replies.

When I submit this to spamcop, spamcop tries to report the spam to:

Report spam to:
Re: 24.123.149.141 (Administrator of network where email originates)
To: abuse[at]rr.com (Notes)

That is ME... it's trying to report ME...

Have the spammers figured out a way around Spamcop???

Any ideas???

Cheers.

turetzsr Posted January 21, 2010

Hi, mrwebman!

> <snip> Here is an example of spam that is being detected wrong:

...Rather than post this much detail, please post the Tracking URL.

> <snip> That is ME... it's trying to report ME...

...Please see "SpamCop FAQ" (link near top left of each SpamCop Forum page) entry labeled "Why does SpamCop want to send a report to my own network administrator?"

rconner Posted January 21, 2010

Dittos to Steve. You're also going to want to run the mailhosts configuration process if you have not already done so.

-- rick

SpamCopAdmin Posted January 21, 2010

Two posts gigging the user for not doing his homework, but no answer to the question.

Here is the Tracking URL: http://www.spamcop.net/sc?id=z3660778099z2...6a819863ee0a9ez

Handled by email.

- Don D'Minion - SpamCop Admin -

rconner Posted January 21, 2010

> Two posts gigging the user for not doing his homework, but no answer to the question.

Don, I'm glad that you were able to answer the poster's question. I'm a little less glad that you found it necessary to denigrate my contribution (which did not "gig" the poster, and which actually did offer at least a possible solution to the problem, with background info). I'll ask you for an apology here in public where the damage was done.

-- rick

mrwebman Posted January 21, 2010

Thanks for the quick and accurate response. As was mentioned elsewhere also, I went through the mailhost procedure and it fixed the problem.

Again, thanks for the help! You guys are tops!!

Cheers.

> Two posts gigging the user for not doing his homework, but no answer to the question.
> Here is the Tracking URL: http://www.spamcop.net/sc?id=z3660778099z2...6a819863ee0a9ez
> Handled by email.

turetzsr Posted January 21, 2010

> Two posts gigging the user for not doing his homework, but no answer to the question. <snip>

...I disagree, I think the answer was given:

> Please see "SpamCop FAQ" (link near top left of each SpamCop Forum page) entry labeled "Why does SpamCop want to send a report to my own network administrator?"

and

> <snip> You're also going to want to run the mailhosts configuration process if you have not already done so.

I know that you prefer that our replies include the actual text of the solution but I personally don't agree that we need (or want) the same answer repeated in multiple places.

...Rick, thanks for also providing the solution. I didn't, but should have, taken the time to actually look at the FAQ post, and should have noticed it did not mention the "MailHosts Configuration" solution!

SpamCopAdmin Posted January 21, 2010

> I'll ask you for an apology

No apology. The "Dittos to Steve" comment was unnecessary and unwarranted. Suggesting that the user configure his Mailhosts is good advice, but as I have said many times before, if you're not going to answer the question, don't post.

- Don D'Minion - SpamCop Admin -

turetzsr Posted January 21, 2010

...Follow-up to the side conversation (above linear posts 4, 5, 7 and 8) is in SpamCop Lounge Forum.

Wazoo Posted January 22, 2010

> Suggesting that the user configure his Mailhosts is good advice, but as I have said many times before, if you're not going to answer the question, don't post.

Coming in late due to connectivity loss, then a power outage. However, exception has to be noted. The actual problem was seen in the parser output http://www.spamcop.net/sc?id=z3672773088z9...4923da544933faz as;

Received: from tdev156-170.codetel.net.do (HELO speedtouch.lan) (190.80.156.170) by sw1 (qpsmtpd/0.40) with ESMTP; Sat, 22 Jan 2010 18:32:24 +0000
190.80.156.170 found
host 190.80.156.170 (getting name) = tdev156-170.codetel.net.do.
24.123.149.141 not listed in dnsbl.njabl.org ( 127.0.0.9 )
24.123.149.141 not listed in cbl.abuseat.org
24.123.149.141 not listed in dnsbl.sorbs.net
24.123.149.141 is not an MX for rrcs-24-123-149-141.central.biz.rr.com
24.123.149.141 not listed in dnsbl.njabl.org ( 127.0.0.3 )
Possible spammer: 190.80.156.170
sw1 is not a hostname (emphasis added by me)
Looks like a forgery

As seen in looking at the Tracking URL which now has had the MailHost Configuration applied to the Reporting Account, the 'solution' to the user's issue was in fact offered up in the initial Forum replies. Granted the 'real' solution would be to have the ISP/Host fix their server, but ..... the answer was in fact posted here for public view and had a successful result.

> I didn't, but should have, taken the time to actually look at the FAQ post, and should have noticed it did not mention the "MailHosts Configuration" solution!

Interesting, I suppose. The "Official/Original FAQ" entry Why does SpamCop want to send a report to my own network administrator? has not been updated to include the MailHost Configuration of your Reporting Account as a possible solution. On the other hand, I also note that a Wiki page has not been developed on the same subject matter either. Looks like additional work could be done by a number of folks.

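A simplified model of why the report in this thread went to the poster's own network, and why registering mail hosts changed the result. This is an added example, not part of any post and not SpamCop's parser; the names `find_source` and `mailhosts` are hypothetical, and the Received lines are copied from the first post with dates and "for" clauses trimmed.

```python
import ipaddress
import re

# Received lines from the message in the first post, newest hop first
# (dates and "for" clauses trimmed).
RECEIVED = [
    "from smoothwall (unknown [192.168.2.1]) by mrwebman.com (Postfix)",
    "from rrcs-24-123-149-141.central.biz.rr.com (HELO server1.d4wh.net) "
    "(24.123.149.141) by smoothwall (qpsmtpd/0.40)",
    "by server1.d4wh.net (Postfix) id 7B9B02FCB488",
    "from smoothwall (unknown [192.168.1.1]) by server1.d4wh.net (Postfix)",
    "from Unknown (HELO JUPCVNSRJY) (194.126.18.147) by smoothwall (qpsmtpd/0.40)",
    "from 194.126.18.147 by aspmx5.googlemail.com",
]

# Peer address as logged by the receiving server: (a.b.c.d) or [a.b.c.d].
PEER_IP = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")


def find_source(received, mailhosts=()):
    """Return the first hop, walking newest to oldest, that is neither a
    private address nor one of the recipient's own registered mail hosts.
    Lines below that hop were supplied by the sender and are not trusted."""
    own = {ipaddress.ip_address(h) for h in mailhosts}
    for line in received:
        match = PEER_IP.search(line)
        if match is None:
            continue  # local hand-off ("Received: by ..."), no peer logged
        peer = ipaddress.ip_address(match.group(1))
        if peer.is_private or peer in own:
            continue  # internal relay or the recipient's own forwarder
        return str(peer)
    return None


if __name__ == "__main__":
    print("no mail hosts registered:", find_source(RECEIVED))
    print("forwarder registered:   ", find_source(RECEIVED, ["24.123.149.141"]))
```

With no mail hosts registered the walk stops at the poster's own forwarding server, which is the address the report was addressed to; once that server is registered, the walk continues to the hop that handed the message to it.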
Archived
This topic is now archived and is closed to further replies.