Steve
Posted December 19, 2015

I was reporting a spam email originating from cantv.net but the originating IP address (41.86.234.165) won't parse/provide reporting addresses. I have run a whois search on the originating IP address (41.86.234.165) and gotten the abuse contacts for said IP address. How do I configure my mailhosts to accept this so when I report emails from this ISP (cantv), IP addresses like this (41.86.234.165) also display abuse contacts to forward the spam to? This string of IP addresses 41.86.234.0 - 41.86.234.255 originates in Benin.

https://www.spamcop.net/sc?id=z6201383927z31648603dc0cf041920d2b6b403ab134z

Delivered-To: x
Received: by 10.129.92.198 with SMTP id q189csp1140214ywb;
        Fri, 18 Dec 2015 08:21:09 -0800 (PST)
X-Received: by 10.129.129.130 with SMTP id r124mr3987090ywf.242.1450455669346;
        Fri, 18 Dec 2015 08:21:09 -0800 (PST)
Return-Path: <williamjames129[at]cantv.net>
Received: from 10ibl21ser04.datacenter.cha.cantv.net (10ibl21ser04.datacenter.cha.cantv.net. [200.11.173.10])
        by mx.google.com with ESMTPS id a193si12293176ywe.138.2015.12.18.08.20.59
        (version=TLS1 cipher=AES128-SHA bits=128/128);
        Fri, 18 Dec 2015 08:21:09 -0800 (PST)
Received-SPF: pass (google.com: domain of williamjames129[at]cantv.net designates 200.11.173.10 as permitted sender) client-ip=200.11.173.10;
Authentication-Results: mx.google.com;
        spf=pass (google.com: domain of williamjames129[at]cantv.net designates 200.11.173.10 as permitted sender) smtp.mailfrom=williamjames129[at]cantv.net
X-Virus-Scanned: amavisd-new at cantv.net
Received: from webmail-05.datacenter.cha.cantv.net (webmail-05.datacenter.cha.cantv.net [200.11.153.88])
        (authenticated bits=0)
        by 10ibl21ser04.datacenter.cha.cantv.net (8.14.3/8.14.3/3.0) with ESMTP id tBIGKr8c010806;
        Fri, 18 Dec 2015 11:50:53 -0430
X-Matched-Lists: []
Received: from 41.86.234.165 ([41.86.234.165])
        by webmail-05.datacenter.cha.cantv.net (Cantv Webmail) with HTTP;
        Fri, 18 Dec 2015 11:50:49 -0430 (VET)
Date: Fri, 18 Dec 2015 11:50:49 -0430 (VET)
From: Peter David <williamjames129[at]cantv.net>
Reply-To: williamjames199024[at]yahoo.com
To: x
Message-ID: <2012______________________________________gess[at]webmail-05.datacenter.cha.cantv.net>
Subject: ATTENTION
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Mailer: Cantv Webmail
X-Originating-IP: [41.86.234.165]

Parsing header:

0: Received: from 10ibl21ser04.datacenter.cha.cantv.net (10ibl21ser04.datacenter.cha.cantv.net. [200.11.173.10]) by mx.google.com with ESMTPS id a193si12293176ywe.138.2015.12.18.08.20.59 (version=TLS1 cipher=AES128-SHA bits=128/128); Fri, 18 Dec 2015 08:21:09 -0800 (PST)
   Hostname verified: 10ibl21ser04.datacenter.cha.cantv.net
   Gmail/Postini received mail from sending system 200.11.173.10

1: Received: from webmail-05.datacenter.cha.cantv.net (webmail-05.datacenter.cha.cantv.net [200.11.153.88]) (authenticated bits=0) by 10ibl21ser04.datacenter.cha.cantv.net (8.14.3/8.14.3/3.0) with ESMTP id tBIGKr8c010806; Fri, 18 Dec 2015 11:50:53 -0430
   Hostname verified: webmail-05.datacenter.cha.cantv.net
   Trusted site 200.11.173.10 received mail from 200.11.153.88

2: Received: from 41.86.234.165 ([41.86.234.165]) by webmail-05.datacenter.cha.cantv.net (Cantv Webmail) with HTTP; Fri, 18 Dec 2015 11:50:49 -0430 (VET)
   No unique hostname found for source: 41.86.234.165
   Possible forgery. Supposed receiving system not associated with any of your mailhosts
   Will not trust this Received line.

Please help.
Steve
petzl
Posted December 19, 2015

> I was reporting a spam email originating from cantv.net but the originating IP address (41.86.234.165) won't parse/provide reporting addresses. I have run a whois search on the originating IP address (41.86.234.165) and gotten the abuse contacts for said IP address. How do I configure my mailhosts to accept this so when I report emails from this ISP (cantv), IP addresses like this (41.86.234.165) also display abuse contacts to forward the spam to? This string of IP addresses 41.86.234.0 - 41.86.234.255 originates in Benin.
> https://www.spamcop.net/sc?id=z6201383927z31648603dc0cf041920d2b6b403ab134z
> Please help. Steve

SpamCop errs in favor of caution. 200.11.153.88 is a "webmailer", probably a forged, compromised account? You can add to that report the injection point:

Benin, Cotonou
abuse[at]isoceltelecom.com
41.86.234.165

BOTNET ATTACK HOST
http://cbl.abuseat.org/lookup.cgi?ip=41.86.234.165
This IP is infected (or NATting for a computer that is infected) with the Conficker botnet.

TO REMOVE INFECTION
Norton Power Eraser is a Windows free tool and doesn't require installation. It just needs to be downloaded and run.
https://security.symantec.com/nbrt/npe.aspx

BLOCK OUTBOUND PORT 25, RESERVE FOR LEGIT EMAIL SERVER
Make sure you are connecting to your mail server's 'authenticated mail' port 587 and not the ordinary 'unauthenticated' port 25. (Ask your ISP to check for you.)

CHANGE TO SECURE PASSWORD

SCAN INFECTED COMPUTER FOR MALWARE
A BOTNET infected computer/server means that all data passing through it may be compromised (bank details, log-on/password, email, etc.).
CBL (abuseat.org) lists those computers that are infected, with instructions on how to remove BOTNET infections.
The following Cisco site shows servers/computers with prior or existing BOTNET infections:
http://www.senderbase.org/lookup/ip/?search_string=41.86.234.165

Spewing spam:
https://www.spamcop.net/w3m?action=checkblock&ip=41.86.234.165

Other hosts in this "neighborhood" with spam reports:
41.86.234.144
41.86.234.153
41.86.234.162
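Added illustration for the two posts above (not SpamCop's code, and not from either poster): a short Python script that walks the Received: chain with the same conservative rules the parser output in Steve's post describes, stops at the hop the parser refuses to trust, and then picks out the webmail injection point petzl points at, checking it against X-Originating-IP. The headers are a constructed, trimmed copy of the ones Steve posted. The mailhost set, the "relay.example.invalid" forged variant, and the rule that a bare IP with no hostname ends the trusted chain (a stand-in for the real parser's rDNS "Hostname verified" check, which this script does not perform, since it does no DNS) are all assumptions.

```python
import re

# Constructed sample modelled on the headers posted in this thread (top = newest hop).
RAW_HEADERS = """\
Received: from 10ibl21ser04.datacenter.cha.cantv.net (10ibl21ser04.datacenter.cha.cantv.net. [200.11.173.10])
 by mx.google.com with ESMTPS id a193si12293176ywe.138.2015.12.18.08.20.59;
 Fri, 18 Dec 2015 08:21:09 -0800 (PST)
Received: from webmail-05.datacenter.cha.cantv.net (webmail-05.datacenter.cha.cantv.net [200.11.153.88])
 by 10ibl21ser04.datacenter.cha.cantv.net (8.14.3/8.14.3/3.0) with ESMTP id tBIGKr8c010806;
 Fri, 18 Dec 2015 11:50:53 -0430
Received: from 41.86.234.165 ([41.86.234.165])
 by webmail-05.datacenter.cha.cantv.net (Cantv Webmail) with HTTP;
 Fri, 18 Dec 2015 11:50:49 -0430 (VET)
X-Originating-IP: [41.86.234.165]
"""

# Constructed variant (assumed host name): the webmail hop claims an unrelated receiver.
FORGED_HEADERS = RAW_HEADERS.replace(
    " by webmail-05.datacenter.cha.cantv.net (Cantv Webmail) with HTTP;",
    " by relay.example.invalid (Cantv Webmail) with HTTP;")

# Assumed: the reporter's own receiving hosts (SpamCop's "mailhosts"), lower-case.
MY_MAILHOSTS = {"mx.google.com"}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
RECEIVED_RE = re.compile(r"from\s+(\S+)(.*?)\bby\s+(\S+)(.*)")


def unfold(raw):
    """Rejoin RFC 5322 folded header lines; returns a list of (name, value)."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            break                          # blank line ends the header block
        if line[0] in " \t" and fields:    # continuation of the previous field
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def parse_received(value):
    """Extract from-host, from-IP, by-host and protocol from one Received: value."""
    m = RECEIVED_RE.search(value)
    if not m:
        raise ValueError(f"unparseable Received: {value!r}")
    from_host, comment, by_host, rest = m.groups()
    from_host = from_host.strip("[]").rstrip(".").lower()
    # Prefer the bracketed IP the receiver itself saw over whatever the peer announced.
    ip_m = re.search(r"\[(%s)\]" % IPV4, comment)
    bare_ip = re.fullmatch(IPV4, from_host) is not None
    proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", rest)
    return {
        "from_host": from_host,
        "from_ip": ip_m.group(1) if ip_m else (from_host if bare_ip else None),
        "by": by_host.rstrip(";").rstrip(".").lower(),
        "with": proto.group(1).upper() if proto else None,
        "named": not bare_ip,              # False: receiver could not name the peer
    }


def walk_chain(hops, mailhosts):
    """Trust hops top-down while each 'by' host is one of our mailhosts or the host the
    previous trusted hop received from, and the sender has a hostname. A bare IP is the
    'possible forgery' case: it cannot be cross-checked, so the walk stops there."""
    trusted, expected_by = [], None
    for i, hop in enumerate(hops):
        if hop["by"] not in mailhosts and hop["by"] != expected_by:
            return trusted, f"hop {i}: receiving system {hop['by']} not in trusted chain"
        if not hop["named"]:
            return trusted, f"hop {i}: no hostname for source {hop['from_ip']}; possible forgery"
        trusted.append(hop)
        expected_by = hop["from_host"]
    return trusted, "chain fully trusted"


def analyse(raw, mailhosts):
    """Return the conservatively reportable source and the webmail injection point."""
    fields = unfold(raw)
    hops = [parse_received(v) for n, v in fields if n.lower() == "received"]
    trusted, reason = walk_chain(hops, mailhosts)
    last = hops[-1]
    # A webmail hop ('with HTTP') records the browser's IP. Count it as the injection point
    # only if the trusted chain handed off to that very webmail host, then check it against
    # the X-Originating-IP the same webmail stamped on the message.
    handed_off = bool(trusted) and last["by"] == trusted[-1]["from_host"] and last["with"] == "HTTP"
    injection = last["from_ip"] if (last in trusted or handed_off) else None
    x_orig = next((re.search(IPV4, v) for n, v in fields if n.lower() == "x-originating-ip"), None)
    return {
        "reported_source": trusted[-1]["from_ip"] if trusted else None,
        "stopped": reason,
        "injection_point": injection,
        "corroborated": injection is not None and x_orig is not None and injection == x_orig.group(0),
    }


if __name__ == "__main__":
    for label, raw in (("as posted", RAW_HEADERS), ("forged webmail hop", FORGED_HEADERS)):
        print(label, analyse(raw, MY_MAILHOSTS))
```

Run as-is, the "as posted" case reproduces the thread's outcome: the walk trusts hops 0 and 1, stops at hop 2 because the source is a bare IP, and reports 200.11.153.88 (the webmailer) as the conservative source, while the webmail hop's 41.86.234.165 is accepted as the injection point only because the trusted chain handed off to exactly that webmail host and the X-Originating-IP it stamped agrees. In the forged variant the handoff check fails, so no injection point is claimed at all, which is the behaviour you want before adding an abuse contact by hand.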