[Resolved] Not following through to 1st IP


spam link:

http://www.spamcop.net/sc?id=z5355407331z8...e04d869163c4f5z

Here we have part of a bigger issue of 419 scammers using free VPN providers to hide their tracks from LE.

However in reporting these, I have noticed that the parser does not normally follow through to the source:

Received: from [204.93.60.80] by web181306.mail.ne1.yahoo.com via HTTP; Sat, 23 Jun 2012 10:04:16 PDT

The parser stops at Yahoo, reporting this to Yahoo. However, in the usage of these, that is pretty useless, as the issue is nLayer in this case (and most likely AnchorFree downstream), where the scammers are using disposable Yahoo email addresses to spoof banks, lottos, governments etc.

This issue also crops up when EgiHosting's services are used (where AnchorFree also has VPNs).

Once in a while the parser may track it all the way back, but this is rare.


I may be wrong but that report looks to me like you don't have your mailhosts configuration set up. I hacked your spam for the purposes of comparison, substituting delivery lines for my provider and this is what my mailhosted parse would look like:

http://www.spamcop.net/sc?id=z5355759590z2...a06445ad64c2acz

(nLayer source found - though reports are disabled for them, at least the originating IP address gets a chance to go into the SCbl which might, in turn, have flow-on effects)

Your tracking URL by comparison looks exactly like my (other) unmailhosted account report:

http://www.spamcop.net/sc?id=z5355755741z3...a708989a565786z (Yahoo blamed)

There are significant differences in the parser handling of the task, depending on mailhosting - inside the boundary of trusted relays and designated MX servers if not "mailhosted" (because anything else might be spoofed) VERSUS (usually) the delivery agent immediately outside your larger network if mailhosted.

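The trust-boundary effect discussed in this thread, as an added example that is not part of the original posts and is not SpamCop's parser: a simplified walk of the Received chain that believes a hop only when the host that recorded it is in a trusted set. Only the Yahoo `via HTTP` line comes from the thread; the other two headers, the trusted sets and all function names are constructed for illustration.

```python
import re

# Constructed sample, newest hop first. The middle line is the header quoted in
# the thread; the first and last are invented (documentation IPs and hostnames).
HEADERS = [
    "Received: from nm.yahoo-outbound.example ([192.0.2.25]) by mx.recipient.example"
    " with ESMTP; Sat, 23 Jun 2012 10:04:20 -0700",
    "Received: from [204.93.60.80] by web181306.mail.ne1.yahoo.com via HTTP;"
    " Sat, 23 Jun 2012 10:04:16 PDT",
    "Received: from [198.51.100.7] by mail.bank.example with SMTP;"
    " Sat, 23 Jun 2012 09:00:00 -0700",  # stands in for a line forged by the sender
]

HOP = re.compile(r"^Received:\s+from\s+(?P<src>.*?)\s+by\s+(?P<by>[^\s;]+)", re.I | re.S)
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def is_trusted(host, trusted):
    """Exact or dot-anchored suffix match, so 'evilyahoo.com' never matches 'yahoo.com'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)

def find_source(headers, trusted):
    """Walk hops newest to oldest and return the last source IP recorded by a
    trusted host. Everything below the first untrusted recorder may be spoofed
    and is ignored. Assumption: trust is decided on the 'by' hostname alone; a
    production parser would also check that each hop's source matches the
    recorder of the hop below it."""
    source = None
    for line in headers:
        hop = HOP.match(line)
        if not hop or not is_trusted(hop["by"], trusted):
            break
        ip = IPV4.search(hop["src"])
        if not ip:
            break
        source = ip.group(1)
    return source

if __name__ == "__main__":
    # Only the recipient's own MX is trusted: attribution stops at the relay.
    print(find_source(HEADERS, {"mx.recipient.example"}))
    # The relay is trusted as well: attribution reaches the HTTP client address.
    print(find_source(HEADERS, {"mx.recipient.example", "yahoo.com"}))
```

In both runs the third header is never consulted, because the host that claims to have recorded it is outside the trusted set.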