Jump to content

[Resolved] Wrong address is being detected !!!


mrwebman

Recommended Posts

Posted

Lately, Spamcop has been routinely detecting the wrong spammer - it's been detecting US as the spammer and wanting to report us to our own ISP. This is happening about 80 percent of time!! It started maybe two weeks ago. It never did it before.

Here is an example of spam that is being detected wrong:

HEADER:

Return-Path: <westernizesuzz79[at]sawadeeka.com>

X-Original-To: spamcop[at]mrwebman.com

Delivered-To: spamcop[at]mrwebman.com

Received: from smoothwall (unknown [192.168.2.1])

by mrwebman.com (Postfix) with ESMTP id 6B6BA552F

for <spamcop[at]mrwebman.com>; Thu, 21 Jan 2010 12:57:52 -0500 (EST)

X-CLAMAV-Results: Clean

X-DSPAM-Factors: 27,

sent+from, 0.00986,

sent+from, 0.00986,

Type>+<META, 0.01000,

X-Mailer*(9.0.2910.0), 0.01000,

AOL, 0.01000,

AOL, 0.01000,

account+is, 0.01000,

account+is, 0.01000,

X-Mailer*IMO+Build, 0.01000,

X-Mailer*Build+9.0.2416, 0.01000,

ll, 0.01000,

ll, 0.01000,

X-Mailer*9.0.2416+(9.0.2910.0), 0.01000,

X-Mailer*Outlook+IMO, 0.01000,

account+and, 0.01000,

account+and, 0.01000,

X-Mailer*9.0.2416, 0.01000,

X-Mailer*IMO, 0.01000,

not+monitored, 0.01000,

not+monitored, 0.01000,

Type>, 0.01000,

<META+content="text/html, 0.01000,

it’, 0.01000,

it’, 0.01000,

equiv=Content+Type>, 0.01000,

Team, 0.01230,

Team, 0.01230

X-DSPAM-Signature: 4b58959e109612757212725

X-DSPAM-Probability: 0.0000

X-DSPAM-Confidence: 0.9899

X-DSPAM-Processed: Thu Jan 21 12:57:50 2010

X-DSPAM-Result: Innocent

X-Original-From: westernizesuzz79[at]sawadeeka.com

X-Original-To: spamcop[at]mrwebman.com

X-DSPAM-Connection: 24.123.149.141:38111 --> mrwebman:25

Received-SPF: softfail (smoothwall: transitioning domain of westernizesuzz79[at]sawadeeka.com does not designate 24.123.149.141 as permitted sender)

Received: from rrcs-24-123-149-141.central.biz.rr.com (HELO server1.d4wh.net) (24.123.149.141)

by smoothwall (qpsmtpd/0.40) with ESMTP; Thu, 21 Jan 2010 12:57:54 -0500

Received: by server1.d4wh.net (Postfix)

id 7B9B02FCB488; Thu, 21 Jan 2010 12:57:50 -0500 (EST)

Delivered-To: sales[at]compudirectinc.com

Received: from smoothwall (unknown [192.168.1.1])

by server1.d4wh.net (Postfix) with ESMTP id 65DBF2FCB402

for <sales[at]compudirectinc.com>; Thu, 21 Jan 2010 12:57:50 -0500 (EST)

X-CLAMAV-Results: Clean

X-DSPAM-Factors: 27,

sent+from, 0.00986,

sent+from, 0.00986,

Type>+<META, 0.01000,

X-Mailer*(9.0.2910.0), 0.01000,

AOL, 0.01000,

AOL, 0.01000,

account+is, 0.01000,

account+is, 0.01000,

X-Mailer*IMO+Build, 0.01000,

X-Mailer*Build+9.0.2416, 0.01000,

ll, 0.01000,

ll, 0.01000,

X-Mailer*9.0.2416+(9.0.2910.0), 0.01000,

X-Mailer*Outlook+IMO, 0.01000,

account+and, 0.01000,

account+and, 0.01000,

X-Mailer*9.0.2416, 0.01000,

X-Mailer*IMO, 0.01000,

not+monitored, 0.01000,

not+monitored, 0.01000,

Type>, 0.01000,

<META+content="text/html, 0.01000,

it’, 0.01000,

it’, 0.01000,

equiv=Content+Type>, 0.01000,

Team, 0.01230,

Team, 0.01230

X-DSPAM-Signature: 4b58959e109612757212725

X-DSPAM-Probability: 0.0000

X-DSPAM-Confidence: 0.9899

X-DSPAM-Processed: Thu Jan 21 12:57:50 2010

X-DSPAM-Result: Innocent

X-Original-From: westernizesuzz79[at]sawadeeka.com

X-Original-To: sales[at]compudirectinc.com

Received-SPF: softfail (smoothwall: transitioning domain of westernizesuzz79[at]sawadeeka.com does not designate 194.126.18.147 as permitted sender)

Received: from Unknown (HELO JUPCVNSRJY) (194.126.18.147)

by smoothwall (qpsmtpd/0.40) with ESMTP; Thu, 21 Jan 2010 17:57:50 +0000

Received: from 194.126.18.147 by aspmx5.googlemail.com; Thu, 21 Jan 2010 19:57:08 +0200

From: "AIM" <no_reply_aim[at]aim.com>

To: <sales[at]compudirectinc.com>

Subject: the latest update for the AIM

Date: Thu, 21 Jan 2010 19:57:08 +0200

Message-ID: <000d01ca9ac3$26108ec0$6400a8c0[at]westernizesuzz79>

MIME-Version: 1.0

X-Priority: 3 (Normal)

X-MSMail-Priority: Normal

X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)

X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4927.1200

Importance: Normal

X-CLAMAV-Signature: 62a2c97af63270a03ef160564399b38b:2854:/var/spool/mail/1264096670:10954:0

X-CLAMAV-Signature: 73f5db8a8327a4f0107d807c8ad91d43:4527:/var/spool/mail/1264096674:9153:0

X-Antivirus: AVG for E-mail 9.0.730 [271.1.1/2636]

Content-Type: multipart/mixed; boundary="=======AVGMAIL-7BF77F09======="

BODY:

Dear AOL Instant Messenger (AIM) user,

Your AIM account is flagged as inactive. Within the following 72 hours it’ll be deleted from the system.

If you plan to use this account in the future, you have to download and launch the latest update for the AIM. This update is critical.

In order to install the update use the following link. This link is generated exclusively for your account and is available within a certain period of time. As soon as this link is not available anymore you will get another letter.

<a href="http://update.aol.com.favucca.com.im/products/aimController.php?code=077737458355906842189549645745088043281291197848680042046&email=sales[at]compudirectinc.com">

Thank you,

AIM Service Team

This e-mail has been sent from an e-mail address that is not monitored. Please do not reply to this message. We are unable to respond to any replies.

When I submit this to spamcop, spamcop tries to report the spam to:

Report spam to:

Re: 24.123.149.141 (Administrator of network where email originates)

To: abuse[at]rr.com (Notes)

That is ME... it's trying to report ME...

Have the spammers figured out a way around Spamcop??? Any ideas???

Cheers.

Posted

Hi, mrwebman!

<snip>

Here is an example of spam that is being detected wrong:

...Rather than post this much detail, please post the Tracking URL.
<snip>

That is ME... it's trying to report ME...

...Please see "SpamCop FAQ" (link near tops left of each SpamCop Forum page) entry labeled "Why does SpamCop want to send a report to my own network administrator?"
Posted
Two posts gigging the user for not doing his homework, but no answer to the question.
Don, I'm glad that you were able to answer the poster's question. I'm a little less glad that you found it necessary to denigrate my contribution (which did not "gig" the poster, and which actually did offer at least a possible solution to the problem, with background info).

I'll ask you for an apology here in public where the damage was done.

-- rick

Posted
Two posts gigging the user for not doing his homework, but no answer to the question.

<snip>

...I disagree, I think the answer was given:
Please see "SpamCop FAQ" (link near tops left of each SpamCop Forum page) entry labeled "Why does SpamCop want to send a report to my own network administrator?"
and
<snip>

You're also going to want to run the mailhosts configuration process if you have not already done so.

I know that you prefer that our replies include the actual text of the solution but I personally don't agree that we need (or want) the same answer repeated in multiple places.

...Rick, thanks for also providing the solution. I didn't, but should have, taken the time to actually look at the FAQ post, and should have noticed it did not mention the "MailHosts Configuration" solution!

Posted
I'll ask you for an apology
No apology. The "Dittos to Steve" comment was unnecessary and unwarranted.

Suggesting that the user configure his Mailhosts is good advice, but as I have said many times before, if you're not going to answer the question, don't post.

- Don D'Minion - SpamCop Admin -

.

Posted
Suggesting that the user configure his Mailhosts is good advice, but as I have said many times before, if you're not going to answer the question, don't post.

Coming in late due to connectivity loss, then a power outage. However, exception has to be noted.

The actual problem was seen in the parser output http://www.spamcop.net/sc?id=z3672773088z9...4923da544933faz as;

Received: from tdev156-170.codetel.net.do (HELO speedtouch.lan) (190.80.156.170) by sw1 (qpsmtpd/0.40) with ESMTP; Sat, 22 Jan 2010 18:32:24 +0000

190.80.156.170 found

host 190.80.156.170 (getting name) = tdev156-170.codetel.net.do.

24.123.149.141 not listed in dnsbl.njabl.org ( 127.0.0.9 )

24.123.149.141 not listed in cbl.abuseat.org

24.123.149.141 not listed in dnsbl.sorbs.net

24.123.149.141 is not an MX for rrcs-24-123-149-141.central.biz.rr.com

24.123.149.141 not listed in dnsbl.njabl.org ( 127.0.0.3 )

Possible spammer: 190.80.156.170

sw1 is not a hostname (emphasis added by me)

Looks like a forgery

As seen in looking at the Tracking URL which now has had the MailHost Configuration applied to the Reporting Account, the 'solution' to the user's issue was in fact offered up in the initial Forum replies. Granted the 'real' solution would be to have the ISP/Host fix their server, but ..... the answer was in fact posted here for public view and had a successful result.

I didn't, but should have, taken the time to actually look at the FAQ post, and should have noticed it did not mention the "MailHosts Configuration" solution!

Interesting, I suppose. The "Official/Original FAQ" entry Why does SpamCop want to send a report to my own network administrator? has not been updated to include the MailHost Configuration of your Reporting Account as a possible solution. On the other hand, I also note that a Wiki page has not been developed on the same subject matter either. Looks like additional work could be done by a number of folks.

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...