
[Resolved] This Spamcop thing is quite broken!


kaz


I've submitted a few reports to Spamcop and noticed that it always retrieves the very first Received: header in the e-mail and assumes that /that/ is the source of the e-mail. It sends the complaint to the netblock administrators for that IP.

This seems to be retarded, because those headers can be faked.

Look at this:

Return-path: <secure[at]queenshospital.co.uk.com>
Envelope-to: kaz[at]kylheku.com
Delivery-date: Tue, 14 Sep 2010 11:45:46 -0700
Received: from popondetta.com ([198.104.21.14])
    by localhost with esmtp (Exim 4.69)
    (envelope-from <secure[at]queenshospital.co.uk.com>)
    id 1OvaVl-0006eS-87
    for kaz[at]kylheku.com; Tue, 14 Sep 2010 11:45:46 -0700
Received: from test (server88-208-209-147.live-servers.net [88.208.209.147])
    (authenticated bits=0)
    by popondetta.com (8.14.4/8.13.1) with ESMTP id o8EIWn7C009273;
    Wed, 15 Sep 2010 03:32:52 +0900
Message-Id: <201009141832.o8EIWn7C009273[at]popondetta.com>
Reply-To: <secure[at]queenshospital.co.uk.com>
From: "Queens Hospital"<secure[at]queenshospital.co.uk.com>
Subject: MRS. HALIMA LITKOWITCH
Date: Tue, 14 Sep 2010 19:37:07 +0100
MIME-Version: 1.0

If we do a whois lookup on 198.104.21.14, it's some very fishy network with no proper contact information.

It looks like it could be a spam haven. All that is listed is that they have two offices, one in San Jose and one in Florida. Moreover, the popondetta.com domain is registered to someone in Japan! Japanese registration, US hosting? Fishy.

And look at the time stamp they put on the e-mail: Wed, 15 Sep 2010 03:32:52 +0900. Do you know where that is? That's a perfectly correct Tokyo time! This suggests that the spammers really are in Japan, which matches the domain registration. But their machine is hosted in the States. (Your FAQ says that your program analyzes timestamps?)

The machine 198.104.21.14, though it accepts SMTP connections, does not allow relaying and insists on authenticated SMTP. Short of cracking the SMTP authentication, how would someone from the UK take advantage of that server?

How can we be sure that this 198.104.21.14 host actually received anything from 88.208.209.147?

Yet, Spamcop parses out the

Received: from test (server88-208-209-147.live-servers.net [88.208.209.147])

and sends the complaint to abuse[at]fasthosts.co.uk, without bothering at all with the network that actually sent the spam.

You don't think that spammers can create a realistic Received: header, containing the correct IP address and FQDN of an innocent machine?

Needless to say, I won't be submitting reports to this Spamcop junk any more. I don't want to be responsible for annoying innocent net admins!

I've never seen a hit from your dnsbl. It's always spamhaus or sorbs which intercept junk smtp for me, never the spamcop bl. No wonder: your database is based on junk information based on digging up the oldest Received: headers, whereas the mail server's BL lookups use the actual IP address of the incoming connection as the search key!

In the current implementation, you are approximately as useful as tits on a bull, guys. Way to go!


In the current implementation, you are approximately as useful as tits on a bull, guys. Way to go!

Thanks for the words of encouragement, but that isn't what I find at all. I've used SC for 10 years or so, and find it to be quite accurate (in fact I learned most of what I know about SMTP headers by "looking over the shoulder" at SC parses).

Of course, I submitted my e-mail addresses to the mailhosts configuration process to make sure that SpamCop could accurately parse my headers. If you haven't done this, then that might be the source of your troubles.

-- rick


Thanks for registering your Mailhost!

Received: from test (server88-208-209-147.live-servers.net [88.208.209.147])
    by popondetta.com

Now that you have registered your email provider with our Mailhost system, the parse will not accept that "Received" line because popondetta.com is not your email provider.

http://www.spamcop.net/sc?id=z4488581942z0...a2ba0b6766120cz

You can use that link to review the latest parse of the email at issue. The "View entire message" link will show you the full headers and text.

If you decide to change your mail server's name from localhost to a valid server name, you should let me know so I can add it to your kylheku.com host.

- Don D'Minion - SpamCop Admin -

- service[at]admin.spamcop.net -

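The mailhost logic Don describes, shown as an added illustration that is not SpamCop's own code: walk the Received: chain from the top, trust only headers written by your own registered mail servers (assumed here to be just `localhost`, the server that delivers to kylheku.com), and take the source IP from the last trusted hop. The sample headers are reconstructed from the ones quoted in this thread, with `[at]` restored to `@`; the naive bottom-most parse from the first post is shown alongside for contrast.

```python
import re

# Constructed sample: the two Received: headers quoted in this thread,
# folded the way Exim and sendmail emit them (continuation lines indented).
RAW_HEADERS = """\
Received: from popondetta.com ([198.104.21.14])
    by localhost with esmtp (Exim 4.69)
    (envelope-from <secure@queenshospital.co.uk.com>)
    id 1OvaVl-0006eS-87
    for kaz@kylheku.com; Tue, 14 Sep 2010 11:45:46 -0700
Received: from test (server88-208-209-147.live-servers.net [88.208.209.147])
    (authenticated bits=0)
    by popondetta.com (8.14.4/8.13.1) with ESMTP id o8EIWn7C009273;
    Wed, 15 Sep 2010 03:32:52 +0900
"""

def unfold(raw):
    """Join RFC 5322 folded continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def received_hops(raw):
    """Return [(from_ip, by_host), ...] per Received: header, newest (top-most) first."""
    hops = []
    for header in unfold(raw):
        if not header.lower().startswith("received:"):
            continue
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", header)
        by = re.search(r"\bby\s+([\w.-]+)", header)
        hops.append((ip.group(1) if ip else None, by.group(1) if by else None))
    return hops

def naive_source(raw):
    """Oldest (bottom-most) Received: wins: trusts every header, forged or not."""
    return received_hops(raw)[-1][0]

def mailhost_source(raw, trusted_hosts):
    """Mailhost-style parse: only headers stamped by our own servers are believed.
    The 'from' IP of the last trusted hop is the connection we actually saw;
    everything below it was written by someone else and is ignored."""
    source = None
    for from_ip, by_host in received_hops(raw):
        if by_host not in trusted_hosts:
            break
        source = from_ip
    return source
```

With `localhost` registered, the parse stops at popondetta.com's header and reports 198.104.21.14; with no mailhost registered it cannot trust any header and returns nothing rather than guessing.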

Oh, I do love it when a little interaction here solves someone's problem/frustration. Thanks Ric, thanks Don. Marking this 'resolved' but please let the O/P not be deterred from adding further comment should he so wish.


Marking this 'resolved' but please let the O/P not be deterred from adding further comment should he so wish.

Yes, I am sure there is quite a bit of other "knowledge" he could transfer, proving we've been doing it all wrong for years!

Where's the popcorn smilie?
