
Reporting - Wrong Received line identified as spammer


ravenstar68

Hi

I came across your reporting tool yesterday, as I help out on the Virgin Media e-mail forum and one user wanted to block as9143, as your reporting tool identified it as a spammer.

For the record as9143 is the Autonomous Service number of Ziggo internet, and Virgin Media actually host their email platform there as both companies are owned by Liberty Global.

I've tried the reporting tool myself today with an unmodified mail source.  There appears to be a problem.  Looking at the header information only here:

Return-Path: <julie_mendoza@android-mediacenter.com>
Delivered-To: x
Received: from md13.tb.ukmail.iss.local ([212.54.57.73])
	by mc8.tb.ukmail.iss.local (Dovecot) with LMTP id FbnPMLTb5VcnGAAAVqD7fw
	for <x>; Sat, 24 Sep 2016 03:50:16 +0200
Received: from mx6.tb.ukmail.iss.as9143.net ([212.54.57.73])
	by md13.tb.ukmail.iss.local (Dovecot) with LMTP id oPwyBoDWlFbNQQAAqJN26w
	; Sat, 24 Sep 2016 03:50:16 +0200
Received: from android-mediacenter.com ([37.252.122.91])
	by mx6.tb.ukmail.iss.as9143.net with bizsmtp
	id nDpu1t0041yRVcd01Dpv6m; Sat, 24 Sep 2016 03:49:56 +0200
X-spam-Action: folder spam
X-SourceIP: 37.252.122.91
X-CNFS-Analysis: v=2.2 cv=TJoHcBta c=1 sm=1 tr=0 p=XV3dVy5JtiUA:10
 a=XRFXrBVhVSsQnPq5ts7Q4Q==:117 a=XRFXrBVhVSsQnPq5ts7Q4Q==:17 a=2sMxTpsZAAAA:8
 a=-5zWNhNOLqyU-mziGwwA:9 a=CjuIK1q_8ugA:10 a=9igu4sHJnlQA:10
 a=A4GxgP0Wf4sA:10 a=qcKvcIRw2B-Flh6p21IA:9 a=_W_S_7VecoQA:10
 a=tpYBpqdMaEUA:10 a=o6gHy28TGYCxXgbS0hxg:22
Date: Sat, 24 Sep 2016 01:49:52 +0000
To: x
From: Julie Mendoza <julie_mendoza@android-mediacenter.com>
Subject: We're Perfect Match
Message-ID: <7ad1________________________45d9@android-mediacenter.com>
X-Priority: 3
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="b1_7ad1978f4b2ef435299465152bba45d9"
Content-Transfer-Encoding: 8bit

Your system reports the possible spammer as being 

Received:  from md13.tb.ukmail.iss.local ([212.54.57.73]) by mc8.tb.ukmail.iss.local (Dovecot) with LMTP id FbnPMLTb5VcnGAAAVqD7fw for <x>; Sat, 24 Sep 2016 03:50:16 +0200
host 212.54.57.73 = mx6.tb.ukmail.iss.as9143.net (cached)
mx6.tb.ukmail.iss.as9143.net is 212.54.57.73
Possible spammer: 212.54.57.73
Received line accepted

However, as Received: lines should be read from the bottom up, this is actually the last link in the delivery chain, which is one of Ziggo's internal servers delivering to the final server which stores the message in the user's inbox.

The actual spammer's address is given in the bottommost Received line:

 

Received: from android-mediacenter.com ([37.252.122.91])
	by mx6.tb.ukmail.iss.as9143.net with bizsmtp
	id nDpu1t0041yRVcd01Dpv6m; Sat, 24 Sep 2016 03:49:56 +0200

Could you please take a look.

Virgin Media's email system did correctly identify this message as spam BTW

Thanks

Ravenstar68

Edit

I think I understand what's happening here.

The reporting system relies on the fact that most email providers use private addresses e.g. 10.x.x.x in their internal systems.  Because Ziggo uses public addresses on its internal hops, this is confusing your reporting tool.

Edited by ravenstar68

Hi, and welcome.

The short answer is, to get SpamCop to correctly identify the actual sending mail server (rather than identifying servers within the Virgin Media mail system as the sender, or indeed from going too far down a chain of 'Received' headers and getting an earlier hop on the sender's side rather than the server that actually handed the message off from them to you) you should set up 'Mailhosts' in your SpamCop account, as described at https://www.spamcop.net/fom-serve/cache/397.html - basically, you tell it the email address(es) of yours, and it sends you a few 'probe' emails to allow it to trace how your incoming mail is routed.
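
To illustrate the two posts above, an added example (not SpamCop's code and not written by either poster): it walks the posted Received lines newest first, once skipping only private addresses and once with a list of the recipient's own hosts, which is the kind of information a mailhost configuration supplies. The host suffixes, the relay address set and the function names are assumptions built from the posted headers.

```python
import ipaddress
import re

# Constructed input: the three Received lines from the post, unfolded, newest first.
RECEIVED = [
    "from md13.tb.ukmail.iss.local ([212.54.57.73]) by mc8.tb.ukmail.iss.local "
    "(Dovecot) with LMTP id FbnPMLTb5VcnGAAAVqD7fw for <x>; Sat, 24 Sep 2016 03:50:16 +0200",
    "from mx6.tb.ukmail.iss.as9143.net ([212.54.57.73]) by md13.tb.ukmail.iss.local "
    "(Dovecot) with LMTP id oPwyBoDWlFbNQQAAqJN26w ; Sat, 24 Sep 2016 03:50:16 +0200",
    "from android-mediacenter.com ([37.252.122.91]) by mx6.tb.ukmail.iss.as9143.net "
    "with bizsmtp id nDpu1t0041yRVcd01Dpv6m; Sat, 24 Sep 2016 03:49:56 +0200",
]
# Assumed trust configuration, built only from names and addresses in those headers.
OUR_HOSTS = (".ukmail.iss.local", ".ukmail.iss.as9143.net")
OUR_RELAYS = {ipaddress.ip_address("212.54.57.73")}

HOP = re.compile(r"from\s+(\S+)\s+\(\[([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)")

def parse_hop(line):
    """Return (sender_ip, receiving_host) for one Received value, or None."""
    m = HOP.search(line)
    try:
        return (ipaddress.ip_address(m.group(2)), m.group(3).lower()) if m else None
    except ValueError:
        return None  # bracketed text was not a valid IP address

def naive_source(lines):
    """Newest to oldest, skipping only private-address hops."""
    for line in lines:
        hop = parse_hop(line)
        if hop and not hop[0].is_private:
            return str(hop[0])
    return None

def trusted_source(lines, our_hosts=OUR_HOSTS, our_relays=OUR_RELAYS):
    """Newest to oldest through our own servers; first outside sender wins."""
    for line in lines:
        hop = parse_hop(line)
        if hop is None or not hop[1].endswith(our_hosts):
            return None  # line not written by our servers: do not trust it
        if hop[0] not in our_relays:
            return str(hop[0])  # address our edge server saw connecting
    return None  # every hop was internal

if __name__ == "__main__":
    print("private-address heuristic:", naive_source(RECEIVED))
    print("trusted-host walk:        ", trusted_source(RECEIVED))
```

Because the walk stops at the first sender outside the trusted set, Received lines below that point, which the sender controls and can forge, never influence the result.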
