No answers yet


Posted

Bug report:

If the spam came from another user that uses your same mail host, the spamcop.net parser cannot figure out the source.

It knows it has a problem when it encounters an obviously forged header.

I have submitted the tracker to deputies(at)....

-John

Personal Opinion Only

Posted

Hi.

I turned on mailhost because I was getting a lot of 'forged' reports from some really annoying 'christian debt collectors'

Now, none of my spam reports are successful.

Here is what I get from the 'quick report'

From: ccsry[at]yahoo.com

Subject: sleeping aids for you non sleepers

error:You have failed to configure your own mail host, from which you pop mail

Mailhost: ( 216.27.95.50 )

I followed the instructions on each of my domains that I receive email on ([at]ansihell.com, [at]nomorestars.com and [at]earthlink.net) and received all the notes. I forwarded them as instructed and never got any feedback.

The only thing I'm thinking I might have done wrong is that my reply-to is [at]nomorestars.com.

Otherwise, I'm using Mail.app on Mac OS X 10.3.3 and have had no problems before submitting spam or anything with it.

Thanks

Tom

Posted

Could someone tell me what I am doing wrong? I have tried to add about 20-25 aliases, but none of them is popping up in the "Mailhosts" lists.

I am sending this kind of message as a reply to the automated message of the Spamcop system:

Subject: (no subject)

From: <####[at]####.nl>   [ this is one of the aliases to add ]

Date: Sat, March 20, 2004 11:14  

To: <mhconf.############[at]cmds.spamcop.net>  

Priority:  Normal 

=====

mhconf.##############[at]cmds.spamcop.net

Special codes follow:

################################################################

X-SpamCop-Mx: mx3.xs4all.nl.

X-SpamCop-Mx-Ip: 194.109.24.138

X-SpamCop-Mh-Name: xs4all

X-SpamCop-Recip: ############[at]xs4all.nl (aliasname)

X-SpamCop-Unixtime: 1079775547

X-SpamCop-Conf: #############

X-SpamCop-Randomness: #############

X-SpamCop-Hash: #################

################################################################

What am I doing wrong?

When I tried to report spam at this moment, Spamcop is trying to report 192.168.1.214 (internal Spamcop system ?) as the spam source :wacko:

Posted

I can't register one of the mailhosts which feeds my inbox, apparently because that ISP has not set up an MX record for that particular host. That host does not receive email for me, but it does forward email to me. Since it does not receive email, it's reasonable for it not to have an MX RR. But it does accept incoming email on port 25.

SpamCop's test email message would get through if Spamcop, like most SMTP hosts, falls back to attempting to connect to port 25 on the named host if the host does not have an MX RR. But it doesn't do that, so I can't register that mailhost.

Posted

How do I configure mailhosts for configurations that contain a loop:

e.g. server1 -> server2 -> spamcop -> server2 ?

I use procmail to make sure that mail does not loop forever. And particularly, how do I do it correctly when server2 only forwards certain emails (those recognized by SpamAssassin on server2 with hits>0)?

First, the default spamcop configuration of the system is wrong: I forward any email to spamcop to server2.

Second: server2 has two appearances: it is either a forwarder to spamcop or the end of the chain. And even worse: both can appear in one email when spamcop does not recognize a spam mail and lets it through the filter.

Right now, my configuration shows SpamCop forwards to server2 (for that, I removed and added spamcop again...) and server2 with no forward. As a result, spamcop reports server2 for any spam mail forwarded from server2 to spamcop (which is basically every single spam mail...)

Posted

Is this a correct listing of a MailHost ?

Mailhost name: xs4all

Email address: <myalias>[at]xs4all.nl

Hosts/Domains: pearlgates.net, mail.pearlgates.net, xs4all.nl, maildrop5.xs4all.nl, maildrop7.xs4all.nl, maildrop9.xs4all.nl, mx1.xs4all.nl, mx2.xs4all.nl, mx3.xs4all.nl, mx4.xs4all.nl, mxzilla1.xs4all.nl, mxzilla2.xs4all.nl, mxzilla4.xs4all.nl, mxzilla6.xs4all.nl, mxzilla7.xs4all.nl, mxzilla8.xs4all.nl, pearlgates.xs4all.nl, pop.xs4all.nl, smtp-out5.xs4all.nl, smtp-out6.xs4all.nl, viruscheck2.xs4all.nl, viruscheck4.xs4all.nl, viruscheck8.xs4all.nl

Please look at "pearlgates.net", "mail.pearlgates.net" and "pearlgates.xs4all.nl". This is the same IP, but it is a private DSL-Modem/Mailserver of a home user (not mine, mine is listed under a different domain/mailhost name)

The provider xs4all does offer BatchedSMTP functionality (mail is dropped at mx# or one of the dozen mxzilla#s and forwarded as an SMTP session to the DSL-Modem). The provider xs4all does also offer editing of reverse DNS records for any domain.

Just for the record, I am just guessing. But there are several users who use BSMTP. Will they all be listed in the MailHost listing? That is going to be a huge list :)

Posted

Hi!

I configured all my mail accounts on Mailhost and I suppose all went ok. Today I got the following message when reporting two of my spam mails. I think Spamcop detected the right originator of the mail and correctly found a forged header but I am not 100% sure because of the message which was displayed. Could you please have a look and give me some hints? I do have a GMX.NET account and this mail is received by it and get via POP from Spamcop:

[... here some lines deleted ...]

5: Received: from mx0.gmx.de ([213.165.64.100] helo=mx0.gmx.net) by epsilon.mc1.hosteurope.de with smtp (Exim 4.30) id 1B6Mwn-0008EL-GE for x; Thu, 25 Mar 2004 05:58:29 +0100

Host Europe received mail from 213.165.64.100

Hostname verified: mx0.gmx.net

6: Received: from CPE00e01875d804-CM000e5ce07fc0.cpe.net.cable.rogers.com (HELO CPE00e01875d804-CM000e5ce07fc0.cpe.net.cable.rogers.com) (24.192.171.69) by mx0.gmx.net (mx002) with SMTP; 25 Mar 2004 05:58:26 +0100

gmx.net flagged as trusted, but not configured

7: Received: from celineclub.com (celineclub-com.mr.outblaze.com [205.158.62.181]) by CPE00e01875d804-CM000e5ce07fc0.cpe.net.cable.rogers.com (Postfix) with ESMTP id E3B3E6DE4D for <x>; Wed, 24 Mar 2004 13:52:23 -0800

Possible forgery. Supposed receiving system not associated with any of your mailhosts

Will not trust anything beyond this header

24.192.171.69 not listed in dnsbl.njabl.org

24.192.171.69 not listed in cbl.abuseat.org

24.192.171.69 not listed in dnsbl.sorbs.net

Forgery detected, or mailhost configuration incomplete. Please verify source IP identified.

Tracking message source: 24.192.171.69:

Routing details for 24.192.171.69

[refresh/show] Cached whois for 24.192.171.69 : abuse[at]rogers.com

Using abuse net on abuse[at]rogers.com

abuse net rogers.com = abuse[at]rogers.com

Using best contacts abuse[at]rogers.com

Yum, this spam is fresh!

24.192.171.69 not listed in dnsbl.njabl.org

24.192.171.69 not listed in dnsbl.njabl.org

24.192.171.69 not listed in cbl.abuseat.org

24.192.171.69 not listed in dnsbl.sorbs.net

24.192.171.69 not listed in relays.ordb.org.

24.192.171.69 not listed in plus.bondedsender.org

24.192.171.69 not listed in query.bondedsender.org

24.192.171.69 not listed in iadb.isipp.com

Finding links in message body

Parsing text part
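A simplified model of the trust walk that the parse output in the post above shows, added here as an illustration; it is not SpamCop's parser and not part of any post. The function names, the mailhost table and the relaying IP listed for gmx.net are assumptions, and the last sample is a constructed forgery using documentation addresses.

```python
import ipaddress
import re

# Constructed sample: the three Received lines quoted in the post, newest first.
RECEIVED = [
    "from mx0.gmx.de ([213.165.64.100] helo=mx0.gmx.net) by epsilon.mc1.hosteurope.de "
    "with smtp (Exim 4.30) id 1B6Mwn-0008EL-GE for x; Thu, 25 Mar 2004 05:58:29 +0100",
    "from CPE00e01875d804-CM000e5ce07fc0.cpe.net.cable.rogers.com "
    "(HELO CPE00e01875d804-CM000e5ce07fc0.cpe.net.cable.rogers.com) (24.192.171.69) "
    "by mx0.gmx.net (mx002) with SMTP; 25 Mar 2004 05:58:26 +0100",
    "from celineclub.com (celineclub-com.mr.outblaze.com [205.158.62.181]) "
    "by CPE00e01875d804-CM000e5ce07fc0.cpe.net.cable.rogers.com (Postfix) with ESMTP "
    "id E3B3E6DE4D for <x>; Wed, 24 Mar 2004 13:52:23 -0800",
]

# Constructed forgery: mail handed straight to the inbox host, carrying a fake
# lower header that merely claims to have been written by mx0.gmx.net.
FORGED = [
    "from spam.example ([198.51.100.7]) by epsilon.mc1.hosteurope.de with smtp; "
    "Thu, 25 Mar 2004 05:58:29 +0100",
    "from pc.example ([203.0.113.9]) by mx0.gmx.net with SMTP; 25 Mar 2004 05:58:26 +0100",
]

HOP_RE = re.compile(r"^from\s+(?P<claim>.*?)\s+by\s+(?P<by>[^\s;]+)", re.I | re.S)
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def sender_ips(claim):
    """Syntactically valid IPv4 addresses found in the 'from' part of a header."""
    found = []
    for candidate in IPV4_RE.findall(claim):
        try:
            found.append(str(ipaddress.ip_address(candidate)))
        except ValueError:
            pass
    return found


def match_mailhost(host, mailhosts):
    """Return the configured domain that 'host' equals or is a subdomain of."""
    host = host.lower().rstrip(".")
    for domain in mailhosts:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def find_source(received, mailhosts):
    """Walk headers newest-first; return (source_ip, index_where_trust_stopped).

    mailhosts maps a domain to the relaying IPs registered for it (assumed layout).
    """
    source = None
    for i, line in enumerate(received):
        m = HOP_RE.match(line.strip())
        domain = match_mailhost(m["by"], mailhosts) if m else None
        if domain is None:
            return source, i  # receiving system is not one of the user's mailhosts
        # Below the top header the "by" name is only text in the message. Believe it
        # only if the previous trusted hop saw one of that mailhost's relaying IPs.
        if i > 0 and source not in mailhosts[domain]:
            return source, i
        ips = sender_ips(m["claim"])
        if not ips:
            return source, i
        source = ips[-1]
    return source, None


FULL = {"hosteurope.de": set(), "gmx.net": {"213.165.64.100"}}
PARTIAL = {"hosteurope.de": set()}  # gmx.net never registered

if __name__ == "__main__":
    print(find_source(RECEIVED, FULL))     # stops at header index 2
    print(find_source(RECEIVED, PARTIAL))  # blames the forwarding provider
    print(find_source(FORGED, FULL))       # fake gmx.net hop is not believed
```

With the forwarder left unregistered, the walk stops one hop early and names the user's own provider as the source, which is the misreport several posts in this thread describe.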

Posted

JULIAN: Another report of a possible burp.

In attempting to report a spam, this error message was nestled in among the technical details:

3: Received: from [212.199.254.2] by web41702.mail.yahoo.com via HTTP; Wed, 24 Mar 2004 18:46:11 PST

mail.yahoo.com flagged as trusted, but not configured

It appears you have not configured your own mailhost:

Mailhost: web41702.mail.yahoo.com

Please correct this situation - register every email address where you receive spam

Host mail.yahoo.com is not one of my mailhosts, yet for some reason SpamCop decided that

it was, and that I had not configured it. The spam apparently originated from that mail.yahoo.com

host, but SpamCop did not include it in the list of reports to be sent.

SamSpade says that IPA 66.218.93.119 does belong to Yahoo, but SpamCop wants to send

the report to abuse[at]012.net.il

Tracker:

http://www.spamcop.net/sc?id=z369289928z5b...86067f35c696d8z

Posted

Unfortunately, the mailhost setup "merged" two of my mailhosts which were separate. Now, the entry shows the email address from one, and the mailhost name of the other. The IP addresses and domains assigned seem to be the union of MX hosts.

As far as I understand the workings, this is not as intended, because the two mailhosts are not on the same distance from the inbox. And they can no longer be separately maintained, because they share the same entry. No tests have been done against the parser yet.

Because I did not need the entries yet (they are relatively quiet) I left them in the config for debugging. In the figure below, (1) and (2) are inbox accounts. (5) and (4) were merged, with the mailhost name of (4) and the email address of (5). (2) needed a waiver because of one inhouse hop which I got already (thanks a lot!) and works fine.

--> (3) ----------> |

--> (5) --> (4) --> | (1)

------------------> | (2)

Posted

I'm receiving the test messages now from the mailhost routine. However when I return the message with full headers, it keeps saying "Headers not found". Here is the last message I sent back minus the sensitive info. I use Eudora so I copy and paste as a new message. I have also tried it as an attachment and it bounced too.

Return-path: <service[at]admin.spamcop.net>

Received: from spamcop.net ([206.14.107.103])

         by mail.vets-internet.com (mail.vets-internet.com [208.187.215.122])

         (MDaemon.PRO.v6.8.5.R)

         with ESMTP id 19-md50000000002.tmp

         for <sales[at]vets-internet.com>; Wed, 24 Mar 2004 11:24:41 -0800

Received: from [208.187.215.122] by spamcop.net

         with HTTP; Wed, 24 Mar 2004 19:24:40 GMT

From: SpamCop robot <xxxxxxxxxxxxxxxxxxxxxx[at]cmds.spamcop.net>

To: sales[at]vets-internet.com

Subject: SpamCop account configuration email

Precedence: list

Message-ID: <<xxxxxxxxxxxxxxxx>[at]msgid.spamcop.net>

Date: Wed, 24 Mar 2004 19:24:40 GMT

Hello SpamCop user,

This email contains special codes and tracking information to help SpamCop

figure out your specific email configuration.  Do not post this email in

public.  It contains confidential information related to the security of

your SpamCop account.

Please return this complete email, preserving full headers and the special

tracking codes below.  Forwarding as an attachment is the preferred

method.  Forward it to this address:

xxxxxxxxxxxxxxxxxxxxxx[at]cmds.spamcop.net

Alternately, you may create a new message and paste this email into it. 

Address the message to:

xxxxxxxxxxxxxxxxxxxxxx[at]cmds.spamcop.net

Special codes follow:

################################################################

X-SpamCop-Mx:

X-SpamCop-Mx-Ip:

X-SpamCop-Mh-Name:

X-SpamCop-Recip:

X-SpamCop-Unixtime:

X-SpamCop-Conf:

X-SpamCop-Randomness:

X-SpamCop-Hash:

################################################################

Posted
Help me test SpamCop's new mailhost system. 

[...]

Hi Julian

We already exchanged private mail about this thing, but I thought I'd post it here.

Whenever my ISP's incoming mail routers get a spam from a "trusted" site (such as hotmail.com) I get scolded by red lines in the parse telling me I must configure all my mailhosts (including, in the example cited, the hotmail.com outgoing-mail servers). Of course, no matter how many times I configure my belgacom.net and skynet.be mail accounts, the SpamCop test email won't reach them via hotmail.com.

Apparently (AFAICT, which isn't much) the parser robot does "the right thing" anyway and accepts the (hotmail) received-line. What rubs me the wrong way is just the red lines telling me I've been a "bad boy" and not done all my homework :-/ .

This is a low-incidence event (one case past Wednesday and one today [Sunday, time zone +0002 MET DST], maybe an hour or two ago; both involving handoffs from hotmail.com) over (IIRC) between 100 and 200 spams/24h. Apart from this small problem, the mailhost system seems to be working correctly for me -- AFAICT, and for the time being.

--

Best regards,

Tony.

Posted

What's all this about? I've had this response twice today and a few yesterday. In all cases they are from servers that I've never heard of, have no account with and have never (to my knowledge) flagged as 'trusted'.

tia

Derek

Processing spam:

From: auretagio[at]wp.pl

Subject: =?windows-1251?B?SGV0ZXIwIGd1eXMgaGF2IW5nIHRoZWlyIGYhcnN0IGdheSBmLi5jaw==?=

0: Received: from unknown (192.168.1.101) by blade4.cesmail.net with QMQP; 25 Mar 2004 20:06:54 -0000

Internal handoff at SpamCop

1: Received: from smtp.wp.pl (212.77.101.160) by mailgate.cesmail.net with SMTP; 25 Mar 2004 20:06:53 -0000

SpamCop received mail from 212.77.101.160

Hostname verified: smtp.wp.pl

2: Received: from 69.37.212.196.adsl.snet.net (auretagio[at][69.37.212.196]) (envelope-sender <auretagio[at]wp.pl>) by smtp.wp.pl (wp-smtpd) with SMTP for <frd[at]aol.com>; 25 Mar 2004 20:44:37 +0100

error:smtp.wp.pl flagged as trusted, but not configured

error:It appears you have not configured your own mailhost:

Mailhost: smtp.wp.pl

Please correct this situation - register every email address where you receive spam

Tracking message source:69.37.212.196:

Cached whois for 69.37.212.196 : abuse[at]snet.net

Using abuse net on abuse[at]snet.net

abuse net snet.net = abuse[at]snet.net

Using best contacts abuse[at]snet.net

69.37.212.196 not listed in dnsbl.njabl.org

69.37.212.196 not listed in dnsbl.njabl.org

69.37.212.196 listed in cbl.abuseat.org ( 127.0.0.2 )

spam report id 825390508 sent to: abuse[at]snet.net

May be saved for future reference:

http://www.spamcop.net/sc?id=z371487326z1f...255615e017226cz

Posted

Hey there, just been using the mailhost thingy, but when I submitted an Australian

address, mailhost broke down the address domain(s) right down to even including

the domain org.au (which is a country TLD). Is this normal behaviour?

Example: (note the 4th entry in Hosts/Domains)

-----

Mailhost name: Local

Email address: <removed>[at]member.sage-au.org.au

Hosts/Domains: uq.edu.au, mailhub1.uq.edu.au, mailhub2.uq.edu.au, org.au, sage-au.org.au, glenn.sage-au.org.au, sagemx.sage-au.org.au

Relaying IPs: 130.102.5.58, 130.102.5.59, 131.170.24.210

-----

Cheers,

Jamie

Posted

Just browsing my mailhost page after configuring it (perhaps incorrectly). I've noticed a few interesting things:

First off, the SpamCop entry appears as such:

Mailhost name: SpamCop

Email address: [snip][at]hotmail.com

Hosts/Domains: cesmail.net, blade1.cesmail.net, blade3.cesmail.net, blade4.cesmail.net, blade6.cesmail.net, c60.cesmail.net, mailgate.cesmail.net, mx.cesmail.net, mx2.cesmail.net, spamcop.net, bulkmx2.spamcop.net 

Relaying IPs: 206.14.107.118, 216.154.195.36, 216.154.195.44, 216.154.195.49 

That may be from trying to configure my hotmail acct twice, but still... :blink:

Second, I also tried to configure my yahoo acct twice and have a blank entry for Yahoo! with nothing but the mailhost name and email address. BTW the valid entry for my yahoo acct is listed as Yahoo (w/o the !).

Thanks for the help,

Sean

spamcop.net user

Posted

I have just finished setting up my mailhosts.

I believe that everything is working OK but am a bit confused as to the way registered domains get deleted when registering new domains that use the same mail hosts.

I registered my email address xxx[at]earthlink.net 12 times (select all the boxes)

with the result of one large entry in the configuration file which would appear to be correct.

I then registered my address xxx[at]uffdaxx.com which received a successful message and was listed in the mailhosts list but replaced my earthlink.net address entry.

Uffdaxx.com does not have its own mailhost but uses earthlink's mailhosts

Is this the way the system is set up to work?

Thank you

Also I noted that quick reporting remained available and worked immediately after setting up my mailhost and without sending out any full reports first. This seems to be contrary to what you say should be happening.

Thank you

Posted

Sorry about the #'s in the following. I'm blocking out a four-letter word for intercourse (and it isn't "talk"). I find it hard to believe that ####.fm is an "internal handoff at verizon." This was sent to my Verizon email address.

0: Received: from ####.fm ([192.168.1.2]) by mta002.verizon.net (InterMail vM.5.01.06.06 201-253-122-130-106-20030910) with ESMTP id <20040405230603.MZGF960.mta002.verizon.net[at]####.fm> for <x>; Mon, 5 Apr 2004 18:06:03 -0500

Internal handoff at Verizon

1: Received: from ####.fm (80.32.224.162) by sc008pub.verizon.net (MailPass SMTP server v1.1.1 - 121803235448JY) with SMTP id <4-28322-24-28322-260603-1-1081206360> for mta002.verizon.net; Mon, 5 Apr 2004 18:06:04 -0500

Verizon received mail from 80.32.224.162

All mail hosts in chain recognized.

Posted

Now, sent at almost the same time to another email address is an ad for the same URL with the same message format. I would have expected both to come from the same source. And are "dodgethis" and "####" attempts to thumb their noses at us?

0: Received: from dodgethis.de (bzq-80-9-91.red.bezeqint.net [82.80.9.91]) by host2.capital-computers.com (8.12.10/8.12.10) with SMTP id i35N1WQC009803 for <x>; Mon, 5 Apr 2004 19:01:38 -0400

Capital Hosting received mail from 82.80.9.91

Hostname verified: bzq-80-9-91.red.bezeqint.net

All mail hosts in chain recognized.

Posted

I'm jhermans(AT)spamcop.net and I'm a paying member for several years. I'm using 2 different forwarding services, and I have problems with both, when using the new Mailhost feature :

1 : advalvas.be

I'm using jo.hermans(AT)advalvas.be, but I can't register them as a mailhost, because they seem to be blocking all traffic from spamcop. See this report (munged) :

Sorry, all tests failed.

We cannot deliver mail to the address you provided: jo.hermans(AT)advalvas.be. Double check the address provided or try again later. Your mailhost appears to be offline.

Detailed errors:

Connecting to meel.advalvas.be.:
smtpSend:smtpEnvelope (service(AT)admin.spamcop.net, jo.hermans(AT)advalvas.be): smtpTo rcpt to:jo.hermans(AT)advalvas.be (553 Your ip is blocked by internal advalvas rbl. Offending ip: 206.14.107.102 ) 

So, the test-message will never be accepted by their mailserver. How can this be fixed ?

2 : spamgourmet.com

I'm also using spamgourmet.com for their forwarding service, I have several dozen forwarding email addresses, like XXX.N.jhermans(AT)spamgourmet.com. XXX is a keyword that keeps changing. My question is, will the "Mailhost" feature work, even when the email address keeps changing ? Can I register once, and will Spamcop then keep accepting mails from that server, even when the email address keeps changing ? Would it help if I route these mails through a different mailserver first (forwarding them to advalvas.be for example) ?

Thank you very much !

Posted

I tried to add hosts to my mailhosts. But there seems to be a problem. At the mailserver of my isp amavisd-new is in use. If I add a host and the test emails were sent, Spamcop only lists the backup-mailserver of the isp, which are not his own. The first mailserver is missing. But 'local' is listed as mailserver. The ip address of the first mailserver is listed as relaying ip for localhost. Maybe this occurs, because amavisd-new is running on the first mailserver and adds its own received line in the header. This behavior of the Spamcop parser seems to be a bug. Isn't it?

I added a header for understanding:

Received: from localhost (localhost.domain.de [127.0.0.1])

by host.domain.de (Postfix) with ESMTP id 0845077AB5

for <spamcop[at]domain.de>; Sat, 10 Apr 2004 15:47:48 +0200 (CEST)

Received: from host.domain.de ([127.0.0.1])

by localhost (host.domain.de [127.0.0.1]) (amavisd-new, port 10024) with LMTP

id 91626-04 for <spamcop[at]domain.de>; Sat, 10 Apr 2004 15:47:46 +0200 (CEST)

Received: from c60.cesmail.net (c60.cesmail.net [216.154.195.49])

by host.domain.de (Postfix) with ESMTP id EEF3D77AB0

for <spamcop[at]jules.de>; Sat, 10 Apr 2004 15:47:45 +0200 (CEST)

Received: from unknown (HELO blade6.cesmail.net) (192.168.1.216)

by c60.cesmail.net with SMTP; 10 Apr 2004 09:47:45 -0400

Received: (qmail 22502 invoked from network); 10 Apr 2004 13:47:43 -0000

Received: from unknown (192.168.1.101)

by blade6.cesmail.net with QMQP; 10 Apr 2004 13:47:43 -0000

Received: from unknown (216.154.195.59)

by mailgate.cesmail.net with QMQP; 10 Apr 2004 13:47:43 -0000

Posted

When trying to register softhome.net as a mail host, I get this error;

Detailed errors:

Connecting to a.mx.softhome.net.:

smtpSend:smtpEnvelope (service[at]admin.spamcop.net, somebody[at]softhome.net): smtpTo rcpt to:somebody[at]softhome.net (451 message delayed as part of spam avoidance measure )

I wonder if softhome realizes that their "spam avoidance measure" is preventing spam from being reported? This is a free account, so maybe they don't care.

Posted

Can someone take a quick look at this, is it an example of too much trust by the mailhost system?

http://www.spamcop.net/sc?id=z409328054zb8...b07c89d581a600z

I do have an Ameritech email address, however this piece of spam was received directly by my spamcop address. I am not quite sure why it trusted the ppp-68-251-42-210.dsl.chcgil.ameritech.net...

I suppose I could list my mailhosts that I have set up, but they are very long.

Thanks.

Posted

I use my corporate e-mail address to report spam I receive there, but your new mailhosts feature doesn't work with my corporate mail setup.

I respond to the message as requested, but I get back a message telling me that my mail seems to span multiple domains and to click on a link in the e-mail to continue.

I do so and I am asked to add another mailhost.

The mailhost is preconfigured and is set to the word "the" -- no valid e-mail address.

I am then told this isn't a valid e-mail address and can't go any further.

The word "the" doesn't appear anywhere in the original e-mail I sent in, so I don't know where SC is getting that.

We use outlook, but I am pasting in the Internet headers properly, so I believe.

Posted
Is this a correct listing of a MailHost ?
Mailhost name: xs4all

Email address: <myalias>[at]xs4all.nl

Hosts/Domains: pearlgates.net, mail.pearlgates.net, xs4all.nl, maildrop5.xs4all.nl, maildrop7.xs4all.nl, maildrop9.xs4all.nl, mx1.xs4all.nl, mx2.xs4all.nl, mx3.xs4all.nl, mx4.xs4all.nl, mxzilla1.xs4all.nl, mxzilla2.xs4all.nl, mxzilla4.xs4all.nl, mxzilla6.xs4all.nl, mxzilla7.xs4all.nl, mxzilla8.xs4all.nl, pearlgates.xs4all.nl, pop.xs4all.nl, smtp-out5.xs4all.nl, smtp-out6.xs4all.nl, viruscheck2.xs4all.nl, viruscheck4.xs4all.nl, viruscheck8.xs4all.nl

Please look at "pearlgates.net", "mail.pearlgates.net" and "pearlgates.xs4all.nl". This is the same IP, but it is a private DSL-Modem/Mailserver of a home user (not mine, mine is listed under a different domain/mailhost name)

The provider xs4all does offer BatchedSMTP functionality (mail is dropped at mx# or one of the dozen mxzilla#s and forwarded as an SMTP session to the DSL-Modem). The provider xs4all does also offer editing of reverse DNS records for any domain.

Just for the record, I am just guessing. But there are several users who use BSMTP. Will they all be listed in the MailHost listing? That is going to be a huge list :)

For comparison, check out dbiel's post at http://forum.spamcop.net/forums/index.php?...t=15entry7139 to see that monster of a mail-host list.

Can't help with your other questions .... but hoping that being placed into this "No answers yet" Topic will get someone's attention.

Archived

This topic is now archived and is closed to further replies.
