Jump to content

i got the following spam message, which had some rather unusual headers...


salamandir
 Share

Recommended Posts

i got the following spam message, which had some rather unusual headers prior to the ones that actually indicated where the message came from. they were:

X-spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on spam2.ipns.com
X-spam-Level: *****************************
X-spam-Status: No, score=29.0 required=30.0 tests=RAZOR2_CF_RANGE_51_100,
	RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,UNPARSEABLE_RELAY,URIBL_BLACK,
	URIBL_JP_SURBL,URIBL_PH_SURBL,URIBL_WS_SURBL autolearn=disabled version=3.2.4
X-spam-Summary:  0.0 UNPARSEABLE_RELAY	  Informational: message has unparseable relay lines
	1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
	above 50%
	[cf: 100]
	0.5 RAZOR2_CHECK		   Listed in Razor2 (http://razor.sf.net/)
	3.0 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
	[cf: 100]
	6.0 URIBL_BLACK			Contains an URL listed in the URIBL blacklist
	[URIs: casinosead.com]
	6.0 URIBL_PH_SURBL		 Contains an URL listed in the PH SURBL blocklist
	[URIs: casinosead.com]
	6.0 URIBL_WS_SURBL		 Contains an URL listed in the WS SURBL blocklist
	[URIs: casinosead.com]
	6.0 URIBL_JP_SURBL		 Contains an URL listed in the JP SURBL blocklist
	[URIs: casinosead.com]
X-Original-To: slmndr[at]drizzle.com
Received: from mx02.csolutions.net (mx02.csolutions.net [208.110.132.70])
	by mail01.ipns.com (Postfix) with ESMTP id 86A0E3C00F
	for <slmndr[at]drizzle.com>; Sat, 25 Jun 2011 07:42:57 -0600 (MDT)
X-Warning: RFC compliance checks disabled due to whitelist
X-Warning: Reverse-Path DNS check skipped due to whitelist
X-Warning: Maximum message size check skipped due to whitelist
X-Warning: Realtime Block Lists skipped due to whitelist
X-Warning: System filters skipped due to whitelist
X-Warning: Domain filters skipped due to whitelist
X-Warning: User filters skipped due to whitelist
X-Warning: Anti-spam check skipped due to whitelist
X-Whitelist: 2147483645

if i am reading this correctly, they were put there by the MTA at ipns.com (my ISP), but their instance of spamassassin is set to an unreasonably high number (30 - my personal instance of spamassassin is set to 5), and then there are the "X-Warning: ...due to whitelist" lines, which make it look like it would have qualified as spam if it weren't for whitelisting...

it was DEFINITELY spam, no question about it...

what i'm wondering is, where did these comments actually come from? were they inserted into the message prior to sending? is my MTAs version of spamassassin really set to 30? and if so, how do i change it??

or is this just something to distract me from the fact that the message really originated in argentina, with a spoofed facebook return address? the tracking URI is here, if you're interested...

Edited by salamandir
Link to comment
Share on other sites

Looks to me like you are reading it correctly and that you most likely need to check your ipns.com account to see if there is anything there concerning filtering configuration and whitelisting that is "user configurable", that is, by you.

Possibly the most common cause of stuff getting through on whitelisting is when you have your own address or addresses in the whitelist. Can't tell if this is the case - you might recall from previous discussions that what you have posted is NOT the tracking URL. That is the url which identifies itself as the tracking URL near the top of the SC parse for that spam (which you can recover from that report number). That's OK if you're happy that only SC staff can see the report you're talking about. That usually boils down to Don D'Minion but he's said before he doesn't look at this forum section - "SpamCop Lounge". He's happy to help users but he can't be everywhere.

Tests indicate your mail (addressed as indicated in the headers you post) goes through a mail exchange at csolutions.net which is presumably part of the ipns.com relay. It is possible some of that stuff is inserted there (but probably not).

Alternative to all above, yes, it might be forged, all or in part, otherwise you should be seeing similar headers on at least some of your regular mail (perhaps depending on inwards and outwards routing). If it was forged I would really expect it to be further down within the headers - but strange things can happen with headers.

Link to comment
Share on other sites

Looks to me like you are reading it correctly and that you most likely need to check your ipns.com account to see if there is anything there concerning filtering configuration and whitelisting that is "user configurable", that is, by you.

grr... i've dealt with these people before, and they're not particularly knowledgeable, particularly when it comes to dealing with spam filtering. unfortunately, at this point, they're the best of a lot of really bad options for an ISP, so i can't really change...

Can't tell if this is the case - you might recall from previous discussions that what you have posted is NOT the tracking URL. That is the url which identifies itself as the tracking URL near the top of the SC parse for that spam (which you can recover from that report number). That's OK if you're happy that only SC staff can see the report you're talking about.

d'oh! here it is - for real this time... :blush:

Tests indicate your mail (addressed as indicated in the headers you post) goes through a mail exchange at csolutions.net which is presumably part of the ipns.com relay.

yes, csolutions.net is owned by internet professionals and network solutions (ipns.com)

Alternative to all above, yes, it might be forged, all or in part, otherwise you should be seeing similar headers on at least some of your regular mail (perhaps depending on inwards and outwards routing). If it was forged I would really expect it to be further down within the headers - but strange things can happen with headers.

this is the only message i've received, that i've actually noticed the strange headers, but i don't really pay that much attention to things that get delivered directly to the trash bin anyway, so i may not have noticed... but i'll (cringe) attempt to communicate with ipns to see if they have a clue.

Link to comment
Share on other sites

Thanks for the tracking URL. Looks like the upper part, the "spam checker" lines were inserted by spam2.ipns.com (208.110.132.168) which would probably be beyond your reach - but it looks like the critical whitelist notations and corresponding (lack of) actions come from mail01.ipns.com (208.110.132.145) which should be reaching and reading the configuration of your mail account for that information, if I've got it right.

In other words, the whitelist it refers to is maybe under your control via your mail account configuration settings - but based on the whitelisting of some or all facebookmail.com addresses rather than an address of your own as I suggested when I was flying blind. Whitelists typically don't care if the "From:" address is forged. The whitelisting process may not always be apparent but hopefully the list is editable.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...