Jump to content

Possible forgery. Supposed receiving system not associated with any of your mailhosts. No unique hostname found for source: 41.xx.xxx.xxx


Steve

Recommended Posts

Posted

I was reporting a spam email originating from cantv.net but the originating IP address (41.86.234.165) won't parse/provide reporting addresses. I have run a whois search on the originating IP address (41.86.234.165) and gotten the abuse contacts for said IP address. How do I configure my mailhosts to accept this so when I report emails from this ISP (cantv), IP addresses like this (41.86.234.165) also display abuse contacts to forward the spam to?

This string of IP addresses 41.86.234.0 - 41.86.234.255 originates in Benin.

Delivered-To: x
Received: by 10.129.92.198 with SMTP id q189csp1140214ywb;
Fri, 18 Dec 2015 08:21:09 -0800 (PST)
X-Received: by 10.129.129.130 with SMTP id r124mr3987090ywf.242.1450455669346;
Fri, 18 Dec 2015 08:21:09 -0800 (PST)
Return-Path: <williamjames129[at]cantv.net>
Received: from 10ibl21ser04.datacenter.cha.cantv.net (10ibl21ser04.datacenter.cha.cantv.net. [200.11.173.10])
by mx.google.com with ESMTPS id a193si12293176ywe.138.2015.12.18.08.20.59
(version=TLS1 cipher=AES128-SHA bits=128/128);
Fri, 18 Dec 2015 08:21:09 -0800 (PST)
Received-SPF: pass (google.com: domain of williamjames129[at]cantv.net designates 200.11.173.10 as permitted sender) client-ip=200.11.173.10;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of williamjames129[at]cantv.net designates 200.11.173.10 as permitted sender) smtp.mailfrom=williamjames129[at]cantv.net
X-Virus-Scanned: amavisd-new at cantv.net
Received: from webmail-05.datacenter.cha.cantv.net (webmail-05.datacenter.cha.cantv.net [200.11.153.88])
(authenticated bits=0)
by 10ibl21ser04.datacenter.cha.cantv.net (8.14.3/8.14.3/3.0) with ESMTP id tBIGKr8c010806;
Fri, 18 Dec 2015 11:50:53 -0430
X-Matched-Lists: []
Received: from 41.86.234.165 ([41.86.234.165]) by webmail-05.datacenter.cha.cantv.net (Cantv Webmail) with HTTP; Fri, 18 Dec 2015 11:50:49 -0430 (VET)
Date: Fri, 18 Dec 2015 11:50:49 -0430 (VET)
From: Peter David <williamjames129[at]cantv.net>
Reply-To: williamjames199024[at]yahoo.com
To: x
Message-ID: <2012______________________________________gess[at]webmail-05.datacenter.cha.cantv.net>
Subject: ATTENTION
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Mailer: Cantv Webmail
X-Originating-IP: [41.86.234.165]
Parsing header:
0: Received: from 10ibl21ser04.datacenter.cha.cantv.net (10ibl21ser04.datacenter.cha.cantv.net. [200.11.173.10]) by mx.google.com with ESMTPS id a193si12293176ywe.138.2015.12.18.08.20.59 (version=TLS1 cipher=AES128-SHA bits=128/128); Fri, 18 Dec 2015 08:21:09 -0800 (PST)

Hostname verified: 10ibl21ser04.datacenter.cha.cantv.net
Gmail/Postini received mail from sending system 200.11.173.10

1: Received: from webmail-05.datacenter.cha.cantv.net (webmail-05.datacenter.cha.cantv.net [200.11.153.88]) (authenticated bits=0) by 10ibl21ser04.datacenter.cha.cantv.net (8.14.3/8.14.3/3.0) with ESMTP id tBIGKr8c010806; Fri, 18 Dec 2015 11:50:53 -0430

Hostname verified: webmail-05.datacenter.cha.cantv.net
Trusted site 200.11.173.10 received mail from 200.11.153.88

2: Received: from 41.86.234.165 ([41.86.234.165]) by webmail-05.datacenter.cha.cantv.net (Cantv Webmail) with HTTP; Fri, 18 Dec 2015 11:50:49 -0430 (VET)

No unique hostname found for source: 41.86.234.165

Possible forgery. Supposed receiving system not associated with any of your mailhosts

Will not trust this Received line.

Please help.

Steve

Posted

I was reporting a spam email originating from cantv.net but the originating IP address (41.86.234.165) won't parse/provide reporting addresses. I have run a whois search on the originating IP address (41.86.234.165) and gotten the abuse contacts for said IP address. How do I configure my mailhosts to accept this so when I report emails from this ISP (cantv), IP addresses like this (41.86.234.165) also display abuse contacts to forward the spam to?

This string of IP addresses 41.86.234.0 - 41.86.234.255 originates in Benin.

Please help.

Steve

SpamCop errs in favor of caution

200.11.153.88 is a "webmailer" probably a forged compromised account?

You can add to that report.

the Injection point Benin, Cotonou abuse[at]isoceltelecom.com

41.86.234.165

BOTNET ATTACK HOST

http://cbl.abuseat.org/lookup.cgi?ip=41.86.234.165

This IP is infected (or NATting for a computer that is infected) with the Conficker botnet.

TO REMOVE INFECTION

Norton Power Eraser is a Windows free tool and doesn't require installation. It just needs to be downloaded and run.

https://security.symantec.com/nbrt/npe.aspx

BLOCK OUTBOUND PORT 25,

RESERVE FOR LEGIT EMAIL SERVER

Make sure you are connecting to your mail server's 'authenticated mail' port 587 and not the ordinary 'unauthenticated' port 25. (ask your ISP to check for you)

CHANGE TO SECURE PASSWORD

SCAN INFECTED COMPUTER FOR MALWARE

A BOTNET infected computer/server means the all data passing through it may be compromised (bank details, log-on/password, email, etc).

CBL (abuseat.org) lists those computers that are infected with instructions on how to remove BOTNET infections

The following Cisco site shows servers/computers with prior or existing BOTNET infections

http://www.senderbase.org/lookup/ip/?search_string=41.86.234.165

spewing spam

https://www.spamcop.net/w3m?action=checkblock&ip=41.86.234.165

Other hosts in this "neighborhood" with spam reports

41.86.234.144 41.86.234.153 41.86.234.162

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...