Jump to content

"No source IP address found, cannot proceed."


Lodewijk
 Share

Recommended Posts

Hi!

I am grateful that after I began reporting spam to SP -and to Knujon through SP- the tsunami of spam I was getting was stopped a few weeks ago. Since then some days go by without any spam, some days I only get 1 or 2.

But since a few days after logging in to report spam I get these messages in red:

"No source IP address found, cannot proceed.

Nothing to do."

I have not changed any settings.

Edited by Lodewijk
Link to comment
Share on other sites

If you paste your spam into the web form (rather than forwarding it via SMTP or POPping it from the server), then it's possible that there could be a glitch somewhere that ruins the (somewhat) strict format of SMTP messages.

Another problem might be a 100% internal relay (say if you were a Google user and you got spam from another Google user whose message never traversed the public network).

A tracking URL from one of these messages of yours might be of some help to us.

-- rick

Link to comment
Share on other sites

It looks like your email provider has changed some critical aspects of their service by adding a spam scanning service.

You need to register your Alice.it address with our Mailhosts system again so that SpamCop can pick up the new servers involved with your email service.

Please DO NOT DELETE the Alice.it host from your account. it is still an important part of your mail handling.

- Don D'Minion - SpamCop Admin -

- service[at]admin.spamcop.net -

.

Link to comment
Share on other sites

It looks like your email provider has changed some critical aspects of their service by adding a spam scanning service.

You need to register your Alice.it address with our Mailhosts system again so that SpamCop can pick up the new servers involved with your email service.

Please DO NOT DELETE the Alice.it host from your account. it is still an important part of your mail handling.

- Don D'Minion - SpamCop Admin -

- service[at]admin.spamcop.net -

.

I've aready told you you need to set-up your Mail-host for reporting through SpamCop?

Try

http://forum.spamcop.net/forums/index.php?...amp;#entry21169

or

http://www.spamcop.net/fom-serve/cache/397.html

Link to comment
Share on other sites

I've aready told you you need to set-up your Mail-host for reporting through SpamCop?
Really?

I don't see anything like that in this thread.

Plus, how would you know that he hasn't already set up his hosts? How would you know that his host has changed things?

I don't see how you could possibly help this user without knowing the facts.

- Don D'Minion - SpamCop Admin -

- service[at]admin.spamcop.net -

.

Link to comment
Share on other sites

Really?

I don't see anything like that in this thread.

Plus, how would you know that he hasn't already set up his hosts? How would you know that his host has changed things?

I don't see how you could possibly help this user without knowing the facts.

- Don D'Minion - SpamCop Admin -

- service[at]admin.spamcop.net -

.

Note the question mark?

I've aready told you you need to set-up your Mail-host for reporting through SpamCop?
And were as you realize referring to Lodewijk Edited by petzl
Link to comment
Share on other sites

Thank you all for your replies in an effort to help.

It looks like your email provider has changed some critical aspects of their service by adding a spam scanning service.

You need to register your Alice.it address with our Mailhosts system again so that SpamCop can pick up the new servers involved with your email service.

Please DO NOT DELETE the Alice.it host from your account. it is still an important part of your mail handling.

- Don D'Minion - SpamCop Admin -

- service[at]admin.spamcop.net -

.

The thought crossed my mind that my ISP's email service might have recently changed something in their spam scanning service.

On my log in/account page I just had my Alice email address deleted. I filled it in again, and saved the settings. I did not change anything else.

I'll report back here after I get a least 1 spam to try it out.

[duplicate post deleted]

Edited by Farelf
Link to comment
Share on other sites

Most of my spam originates from China (due to my nickname which seems to be 'common' to Chinese spammers). Unfortunately I cannot report these spams to spamcop. The standard answer is:

No source IP address found, cannot proceed.

...

Nothing to do.

I am using SPAMSOURCE for reporting. But even when I enter headers and body of the spam mail into the web-interface form(s) of SC I'll receive the same response.

As an example I will copy and paste two of those spam mails here. Maybe you can give me some advice.

BabuNiki

Return-Path: <baal[at]citiz.net>

Received: from mailin02.aul.t-online.de (mailin02.aul.t-online.de [172.20.26.43])

by mhead909 (Cyrus v2.3.15-fun-3.2.12.0-1) with LMTPA;

Mon, 12 Sep 2011 08:57:39 +0200

X-Sieve: CMU Sieve 2.3

Received: from citiz.net ([114.222.34.2]) by 10.18.26.43

with esmtp id 1R30ST-01nMo40; Mon, 12 Sep 2011 08:57:33 +0200

From: "baal" <baal[at]citiz.net>

Subject: =?GB2312?B?1NnX97bxsNm2yKOs1OLR68rTwazQ+LGsueI=?=

To: xxxxxxxx[at]t-online.de

Content-Type: text/html;charset="GB2312"

Content-Transfer-Encoding: 8bit

Reply-To: baal[at]citiz.net

Date: Mon, 12 Sep 2011 14:57:33 +0800

X-Priority: 3

X-Mailer: Microsoft Outlook Express 6.00.2800.1106

X-TOI-spam: n;1;2011-09-12T06:57:39Z

X-TOI-VIRUSSCAN: clean

X-TOI-EXPURGATEID: 149288::1315810654-00000C21-D735FB6F/0-0/0-0

X-TOI-SPAMCLASS: CLEAN, NORMAL

X-TOI-MSGID: 57792218-165e-41b2-9db8-708098443540

X-Seen: false

X-ENVELOPE-TO: <xxxxxxxx[at]t-online.de>

Message-ID: <cmu-lmtpd-17031-1315810659-0[at]mhead909>

ÑëÊÓÆع⣬°Ù¶Èһã¬Äã¾ÃÉõ± µã»÷¿´ÑëÊÓ http://jingji.cntv.cn/20110815/107680.shtml

ÊÓƵ£ºÑëÊӳưٶÈÎÞÊÓýÌåÆعâ Î¥¹æ¶¯×÷ÒÀÈ»Èç¾É http://tech.sina.com.cn/i/2011-08-17/23435943345.shtml

Return-Path: <takagi17[at]sseweb304.crayfish.net>

Received: from mailin13.aul.t-online.de (mailin13.aul.t-online.de [172.20.27.48])

by mhead909 (Cyrus v2.3.15-fun-3.2.12.0-1) with LMTPA;

Sun, 11 Sep 2011 21:45:03 +0200

X-Sieve: CMU Sieve 2.3

Received: from mf002.crayfish.net ([210.172.136.64]) by 10.18.27.48

with esmtp id 1R2pxd-0hDhbM0; Sun, 11 Sep 2011 21:45:01 +0200

Received: from sseweb304.crayfish.net [210.172.138.227]

by mf002.crayfish.net (8.11.3/3.7W) with ESMTP id p8BJiu033608

for <xxxxxxxx[at]t-online.de>; Mon, 12 Sep 2011 04:44:57 +0900 (JST)

Received: by sseweb304.crayfish.net (Postfix, from userid 184989)

id 4BCD8499034; Mon, 12 Sep 2011 04:15:30 +0900 (JST)

To: babuniki[at]t-online.de

Subject: Dammen und Herren

From: "commerce.de" <bankinfo[at]commerce.de>

Reply-To: support[at]commerce.de

MIME-Version: 1.0

Content-Type: text/

Content-Transfer-Encoding: 8bit

Message-Id: <20110911191530.4BCD8499034[at]sseweb304.crayfish.net>

Date: Mon, 12 Sep 2011 04:15:30 +0900 (JST)

X-TOI-spam: n;1;2011-09-11T19:45:03Z

X-TOI-VIRUSSCAN: clean

X-TOI-EXPURGATEID: 149288::1315770302-00006914-DB2308A9/0-0/0-0

X-TOI-SPAMCLASS: CLEAN, NORMAL

X-TOI-MSGID: b004c9da-81f1-4165-baff-20d9e519ee8a

X-Seen: false

X-ENVELOPE-TO: <xxxxxxxx[at]t-online.de>

Deutsch Banken haben ein neues Produkt auf dem Markt der Online-Dienste angeboten.

Diese revolutionäre Lösung in die Aspekte der Sicherheit und Funktionalität...

http://www.commerceinfo.byethost9.com

Link to comment
Share on other sites

I had followed the above given instructions, and received this SC reply:

------------------------------------------------------------

"Hello SpamCop user,

Sorry, but SpamCop has encountered errors:

Headers mangled

It appears that the sample you provided has been altered. Often, extra

line-breaks are inserted by your software in an invalid format. Part of

the reason for this proceedure is to ensure that you and your software are

submitting spam in an error-free format. Please review the relevant FAQ

for your software and ensure you are following a proceedure which returns

intact spam content to SpamCop.

In this sample, the problem was found near the line:

[217.149.192.70])

by deliver101.mer-nm.internl.net (Postfix) with ESMTP id 85FA745B

Email software FAQs:

http://www.spamcop.net/fom-serve/cache/19.html

(Etc.)

---------------------------------------------------------------------------

I have been using Opera, and it's integrated email software does not render headings. So I used MailWasher for reporting spam to SC, and until this difficulty started a few days ago, it always worked fine.

I wonder if "X-Virus-Scanned: Debian amavisd-new at mailscanner9.nijmegen.internl.net" -which also appeared in the header- might be indicating the source of the problem.

If so, I could contact my ISP. Otherwise I have no idea how to fix this 'Headers mangled' problem.

Edited by Lodewijk
Link to comment
Share on other sites

---------------------------------------------------------------------------

I have been using Opera, and it's integrated email software does not render headings. So I used MailWasher for reporting spam to SC, and until this difficulty started a few days ago, it always worked fine.

I wonder if "X-Virus-Scanned: Debian amavisd-new at mailscanner9.nijmegen.internl.net" -which also appeared in the header- might be indicating the source of the problem.

If so, I could contact my ISP. Otherwise I have no idea how to fix this 'Headers mangled' problem.

Is this happening from MailWasher sent headers? If it is your ISP's mail server is mangling headers

When you go to SpamCop reporting page there should be a tracking URL. Like

http://www.spamcop.net/sc?id=z5113808366zd...df4886f3c1f480z

If you provide this it will let us see what is happening (your email address should be removed, check first)

Edited by petzl
Link to comment
Share on other sites

Most of my spam originates from China (due to my nickname which seems to be 'common' to Chinese spammers). Unfortunately I cannot report these spams to spamcop. The standard answer is:
No source IP address found, cannot proceed.

...

Nothing to do.

...
As in petzl's response to Lodewijk, immediately above, we need to see your tracking URL. Even when you receive the "nothing to do" message, you should have near the top of the page something like:

Here is your TRACKING URL - it may be saved for future reference:

http://www.spamcop.net/sc?id=z5113980628zf...6b1735cc62591bz

You need to grab it then, you can't go back and get it from your report history like you usually can.

Incidentally, that example is a "reconstructed" spam submission based on pasting your first example into the web-interface form. You will see it parses just fine. I'm sure it will be easy to get you up and running once we can find out a little more from you. Maybe (as far as the web form is concerned) you are simply using the 2-part ("outlook/eudora workaround form") instead of the single-part form?

Link to comment
Share on other sites

...As in petzl's response to Lodewijk, immediately above, we need to see your tracking URL. Even when you receive the "nothing to do" message, you should have near the top of the page something like ...:

Thanx for your hint:

Here are 3 tracking URLs of the same spam mail -

1. Sent through SPAMSOURCE

2. Entered in the all-in-one submission form

3. Entered seperately (headers and body) submission form

ad1) http://www.spamcop.net/sc?id=z5115034615z8...fad22aef923071z

ad2) http://www.spamcop.net/sc?id=z5115035771z5...5e4efad2235e32z

ad3) http://www.spamcop.net/sc?id=z5115041449z4...1cbae2a9cb7e65z

Return-Path: <temp[at]t.cn>

Received: from mailin25.aul.t-online.de (mailin25.aul.t-online.de [172.20.27.131])

by mhead909 (Cyrus v2.3.15-fun-3.2.12.0-1) with LMTPA;

Mon, 12 Sep 2011 10:03:36 +0200

X-Sieve: CMU Sieve 2.3

Received: from t.cn ([119.39.205.4]) by 10.18.27.131

with esmtp id 1R31UE-027zTU0; Mon, 12 Sep 2011 10:03:26 +0200

From: "temp" <temp[at]t.cn>

Subject: =?GB2312?B?zKvR9MTcyMjLrsb3?=

To: xxxxxxxx[at]t-online.de

Content-Type: text/plain;charset="GB2312"

Date: Mon, 12 Sep 2011 16:03:26 +0800

X-Priority: 3

X-Mailer: FoxMail 3.11 Release [cn]

X-TOI-spam: n;1;2011-09-12T08:03:36Z

X-TOI-VIRUSSCAN: clean

X-TOI-EXPURGATEID: 149288::1315814607-000013A6-22ACA05C/0-0/0-0

X-TOI-SPAMCLASS: CLEAN, NORMAL

X-TOI-MSGID: 96dfd8b9-d6be-43c2-a8c7-312285d5e54a

X-Seen: false

X-ENVELOPE-TO: <xxxxxxxx[at]t-online.de>

Message-ID: <cmu-lmtpd-16045-1315814616-0[at]mhead909>

您好ï¼{欢迎查询-晴尔太阳能-产å“介ç»}

◆晴尔太阳能中央热水器适用范围◆

宾馆ã€å·¥åŽ‚ã€å­¦æ ¡ã€åŒ»é™¢ã€åˆ«å¢…ã€å¤å¼æˆ¿ç­‰ç”¨æˆ·

我们为您æ供:

1ï¼ï¼ï¼ å…费为您æ供专业咨询æœåŠ¡ï¼›

2ï¼ï¼ï¼ å…费上门测é‡ã€è®¾è®¡å·¥ç¨‹æ–¹æ¡ˆï¼›

3ï¼ï¼ï¼ 我们在国内有上百家大型安装现场案例å¯ä¾›è€ƒå¯Ÿï¼

4ï¼ï¼ï¼ å…费专人专车实地考察工程安装现场ï¼

实力造就专业ï¼ç”¨å¿ƒæœåŠ¡ï¼æ‰“造最优工程ï¼

工程咨询电è¯ï¼š400 666 0204

更多详细资料和工程图片请æµè§ˆï¼š http://www.chineseSUN.net ========================================================

创维电å­åŸŽ(一)期 广州新å®å®‰èŒä¸šæŠ€æœ¯å­¦é™¢

创维电å­åŸŽ(二)期 深圳观澜医院

深圳海关三门岛基地 彩æ°å°åˆ·åŽ‚

ç æµ·å¨å£«èŒ‚工业园 淇誉电å­åŽ‚

广州新白云机场(一)期 迎春招待所

广州新白云机场(二)期 安比达公å¸

æ–°å®é¾™å¤§é…’店 大亚电线厂

东江环ä¿å…¬å¸ 广州花都光国电器有é™å…¬å¸

å›é€¸é…’店 乔奥åŽå¡‘胶制å“有é™å…¬å¸

é¾™åŽä¿¡éš†é›†å›¢ 顺德明月轩酒店

东莞比安达五金厂 深圳武警学校

石化集团丽星丰达厂 嘉英电å­åŽ‚

石化集团丽星丰达厂 湛江å“先水产厂

...........

ã€ä¸“业造就å“è´¨ï¼å“质展现专业ï¼ã€‘

欢迎æ¥ç”µå’¨è¯¢ï¼Œæˆ‘们为您æ供最专业的æœåŠ¡ï¼

工程咨询电è¯ï¼š400 666 0204

更多详细资料和工程图片请æµè§ˆï¼š http://www.chineseSUN.net

Maybe now you can detect why the spam mail I receive from China is rejected by SC.

BabuNiki

Link to comment
Share on other sites

...

Here are 3 tracking URLs of the same spam mail -

1. Sent through SPAMSOURCE

2. Entered in the all-in-one submission form

3. Entered seperately (headers and body) submission form

ad1) http://www.spamcop.net/sc?id=z5115034615z8...fad22aef923071z

ad2) http://www.spamcop.net/sc?id=z5115035771z5...5e4efad2235e32z

ad3) http://www.spamcop.net/sc?id=z5115041449z4...1cbae2a9cb7e65z

... Maybe now you can detect why the spam mail I receive from China is rejected by SC.

Thanks BabuNiki.

I'm afraid I don't meet Steve T's definition of skilled but taking the purely empirical approach, I can confirm that the data from any of those will parse (through the all-in-one submission form) WITHOUT mailhosting:

1) http://www.spamcop.net/sc?id=z5115433971zb...49b9ab69854125z

2) http://www.spamcop.net/sc?id=z5115435163zf...ab81ad879b52c3z

3) http://www.spamcop.net/sc?id=z5115436806z9...5107214facbdcdz

I have no doubt it would work through e-mail submission also but since my ISP won't let me try that, I can't prove it.

There are issues with character sets in one case but that does not interfere with parsing the header - which is SC's mission. In summary, the parser seems to be working with your data, when it is free to do so. I just copied the data ("View entire message") from each of your tracking URLs to create my valid (but cancelled) reports. What you are getting when you are trying is just the same as I would get if I tried those parses using MY mailhosting which of course is incorrect for YOUR spam.

I conclude there is most likely some sort of mailhosting issue and you would need the help of Don D'Minion, SpamCop Administrator, to resolve it. See any of his posts, such as --> 78775[/snapback] <-- for his contact address. Hopefully Don can sort you out quickly - I don't think there is any problem at all with the way you are reporting once the mailhosts are right, but Don will know.

Link to comment
Share on other sites

I conclude there is most likely some sort of mailhosting issue and you would need the help of Don D'Minion, SpamCop Administrator, to resolve it. See any of his posts, such as --> 78775[/snapback] <-- for his contact address. Hopefully Don can sort you out quickly - I don't think there is any problem at all with the way you are reporting once the mailhosts are right, but Don will know.

SpamCop is not seeing the mailhost in this case (and won't proceed until it can)

Received: from mailin25.aul.t-online.de (mailin25.aul.t-online.de [172.20.27.131])

Maybe he needs to renew the mailhost entry (some times ISP's change or add them) Do not delete old entries

Out of interest record the IP's in your present mailhost configuration and see if IP "172.20.27.131" is there

Link to comment
Share on other sites

Excellent petzl, thanks. I think the trouble is with mailin25.aul.t-online.de [172.20.27.131] itself - I'm currently not seeing DNS records, I'm not seeing any appropriate network allocation/inetno - the internet is seeing it as a bogon which is maybe not a huge liability for an inwards-only IP address but -

- this presumably means the appropriate mailhost registration to cover it cannot happen.

If correct, this is an ISP problem, no-one else can do anything about it,

Link to comment
Share on other sites

Excellent petzl, thanks. I think the trouble is with mailin25.aul.t-online.de [172.20.27.131] itself - I'm currently not seeing DNS records, I'm not seeing any appropriate network allocation/inetno - the internet is seeing it as a bogon which is maybe not a huge liability for an inwards-only IP address but -

- this presumably means the appropriate mailhost registration to cover it cannot happen.

If correct, this is an ISP problem, no-one else can do anything about it,

Just checked what you say is correct

172.20.27.131 is not a routeable IP address

So needs to ask the ISP what's going on?

Edited by petzl
Link to comment
Share on other sites

I have still not been able to solve the problem, as I don't know what to do about the mangled headers in the test emails I copied in both the fields on my SC reporting page and in new email messages I created and send to SP.

So I am still stuck in the renewal process of my account, and can't report spam. :(

In my 'Past Reports' I see that the spam report I send to SC on the 11th of September was handled normally by SC. So maybe Don D'Minion had fixed my problem by then, but me not being aware of that, I renewed my account's email settings again, and so it's back to square one.

If this was the case, my apologies to Don D'Minion.

Edited by Lodewijk
Link to comment
Share on other sites

Thank you very much for all your help and your suggestions. One of the latter, i. e. doing the mailhosts over for this ISP and the infected address, I took up

[at] petzl: Maybe he needs to renew the mailhost entry (some times ISP's change or add them) Do not delete old entries

But the result was the same as before:

http://www.spamcop.net/sc?id=z5115800666z2...a1e462c77abfc9z

[at] petzl: Out of interest record the IPs in your present mailhost configuration and see if IP "172.20.27.131" is there

In this case (the spam mail above) it would be 172.20.27.47. But mailin11.aul.t-online.de [172.20.27.47] is not to be found in the mailhosts listing. 172.20.27.131 occurred once - before I renewd the mailhosts. (The mailhost IP seems to change with every mail.)

Here are the mailhost entries I have found for my T-Online addresses:

mx00.t-online.de 194.25.134.8

mx01.t-online.de 194.25.134.72

mx02.t-online.de 194.25.134.9

mx03.t-online.de 194.25.134.73

mailin[00-27].aul.t-online.de

Relaying IPs: 194.25.134.76 and 194.25.134.12

The IPs at which the spam mails mentioned in this thread came in were:

172.20.26.43

172.20.27.47

172.20.27.48

172.20.27.131

Following another suggestion: I will try my luck with Don :D

Link to comment
Share on other sites

Thank you very much for all your help and your suggestions. One of the latter, i. e. doing the mailhosts over for this ISP and the infected address, I took upHere are the mailhost entries I have found for my T-Online addresses:

The IPs at which the spam mails mentioned in this thread came in were:

Following another suggestion: I will try my luck with Don :D

The IP 172.20.27.47 won't be in your mailhost. It looks like it is a LAN address.

As it is not in your mailhosts SpamCop won't/can't parse it as it looks for your mailhost entries.

Checking with Don is a good idea

Link to comment
Share on other sites

The IP 172.20.27.47 won't be in your mailhost. It looks like it is a LAN address.
I think we're closing in on it. The 172.16.0.0/12 address space (172.16.0.0 - 172.31.255.255) is a Private Address space which "can be used for any subnetting scheme within the private organization". As also the 10.0.0.0/8 (10.0.0.1 - 10.255.255.254) - with 10.18.27.131 also appearing in the headers. Those two non-unique addresses are the only ones that t-online.de stamps in the headers. That is not kosher. "Private addresses are not reachable on the Internet." http://technet.microsoft.com/en-us/library/cc958825.aspx and http://www.iana.org/assignments/ipv4-addre...dress-space.xml and http://tools.ietf.org/html/rfc1918. There is at least one t-online.de receiving server not showing in those headers and it doesn't look to me like that is an "end-user fault".

... As it is not in your mailhosts SpamCop won't/can't parse it as it looks for your mailhost entries.

Checking with Don is a good idea

Yep - he can confirm the problem and, if the ISP needs "speaking to" (as may be the case), then maybe suggest the right words to lead them back to the light.
Link to comment
Share on other sites

Received: from mailin25.aul.t-online.de (mailin25.aul.t-online.de [172.20.27.131])

by mhead909

SpamCop knows that 172.20.27.131 is an internal IP, so the parse totally ignores that "Received" line.

This is the line where the parse fails:

Received: from t.cn ([119.39.205.4]) by 10.18.27.131

Notice the invalid "by" clause. The server that received the email from outside thinks its name is 10.18.27.131, which is not true. 10.18.27.131 is another internal IP, which SpamCop recognizes, and so the parse fails.

All you can do is ask t-online.de to reconfigure their server so that it uses its true name when it handles the mail.

- Don D'Minion - SpamCop Admin -

- service[at]admin.spamcop.net -

.

Link to comment
Share on other sites

I have still not been able to solve the problem, as I don't know what to do about the mangled headers in the test emails I copied in both the fields on my SC reporting page and in new email messages I created and send to SP.

So I am still stuck in the renewal process of my account, and can't report spam. :(

In my 'Past Reports' I see that the spam report I send to SC on the 11th of September was handled normally by SC. So maybe Don D'Minion had fixed my problem by then, but me not being aware of that, I renewed my account's email settings again, and so it's back to square one.

If this was the case, my apologies to Don D'Minion.

Sorry Lodewijk, your topic has sort of run off without you. Have you contacted Don again? Looks like you need to, he probably didn't see this post of yours.

Steve

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...