
Question about Open Relays & Ameritech/SBC


jbloom


My ISP is Ameritech/SBC. This morning, I forwarded 70 spams to SpamCop. When I reported them I noticed on about 15 of them the following:

Re: 65.43.19.28 (Administrator of network with open relays)
To: abuse[at]sbcglobal.net (Notes)
To: abuse[at]ameritech.net (Notes)

What does that mean? I'm not reporting myself, am I? I don't know a thing about the mechanics of email, I just forward and report and am hoping that I'm not reporting myself. What is an open relay?


An open relay is a mail server that allows anyone to use it to send emails, not just authorized customers.

65.43.19.28 listed in relays.ordb.org. ( 127.0.0.2 )

It appears that 65.43.19.28 is currently misconfigured. I'd suggest not using SpamCop to send reports to your own provider. Deselect the checkbox(es) for address(es) at your provider and send the spam manually to their abuse department. A note in the report alerting them to their listing at ORDb would also be nice; they may want to fix the server if it is indeed open.


Thanks, Spambo. It's too late, I already reported them. Once before I had gotten a spam and SpamCop said it was from Ameritech/SBC so I didn't report it through SpamCop and did it manually. Well, the jokers wrote back that it wasn't them, so manually reporting them does no good.


My ISP is SBC as well. Have you configured mailhosts for your reporting? If you are trying mailhosts then you should probably have at least two entries like mine called "SBC" and "Yahoo."

Here is some stuff that I know (perhaps some of it is relevant :) )

1) 65.43.19.28 is Ameritech's Milwaukee, WI MX

http://www.spamcop.net/w3m?action=checkblock&ip=65.43.19.28

2) Also currently listed is Ameritech's Kalamazoo, MI MX at 67.36.55.28

http://www.spamcop.net/w3m?action=checkblock&ip=67.36.55.28

3) 3 other Ameritech MX IP addresses are NOT listed on the SCBL right now.

4) About a month ago I noticed that almost all the Ameritech MXs were listed and contacted a deputy to see if it was accurate. It turned out that an SBC (Ameritech) residential customer was running a misconfigured mail server from their home. The deputies removed the IPs in question from the SCBL and I assume either warned the user or cancelled his/her account.

5) Sometime during the last week the mailhost entries for Ameritech were reorganized so that they are lumped under the name "SBC", however two relevant mailhosts for Ameritech still exist under the name "Yahoo."

If you are trying to use mailhosts, your configuration may not be correct. You may in fact be reporting yourself. Can you post either some headers of a message in question or a tracking link to one of your reported messages please?

Thanks for the info, PeterJ. I'm not using Mailhost and I don't even have the report number.

I was having a real problem with my primary account as I have had it several years and it was becoming filled with spam so I contacted them to see if I could switch my primary account over to one of my sub accounts and they said no, I'd have to close my account. Well, I went back and forth with them and asked if I could just quit using that account and it looks like they've shut it down so I have no more mail coming in on that account. Thank god!


I was having a real problem with my primary account as I have had it several years and it was becoming filled with spam so I contacted them to see if I could switch my primary account over to one of my sub accounts and they said no, I'd have to close my account.

That is a shame. HillsCap (a participant here and in the newsgroups) just posted similar sentiments in the SpamCop NewsGroup under the conversation "Nag Page." I have never used my "primary account email addy" from SBC for anything, what I try to do is keep my primary email address and ISP separate for the most part. I have started to use some of the sub accounts they allow for more or less throw away purposes. Having a SpamCop email address has certainly helped me move from ISP to ISP over the last several years.

You can always get a SpamCop mail account ($30/year still I think) if SBC's mail services do not work out for you and only use SBC for providing your internet access.


One other thing I thought of that you might be interested in. Marjolein (who frequents the SpamCop newsgroups) has some nice information regarding what steps one could take when starting with a "fresh" email address to try and prevent/limit spam. You might find some of this useful:

http://banspam.javawoman.com/index.html

If you happen to have one of the spams around in your trash that triggered a report to 65.43.19.28 I would like to see the headers. Just trying to keep abreast of what my ISP is or is NOT doing correctly...it cannot hurt to be informed.

Can you please post the spam to the SpamCop .spam newsgroup or email it to me at sx6000 AT ameritech.net? Thanks.


I just now got another in one of my sub accounts. Here's the headers:

X-Apparently-To: x via 206.190.37.125; Mon, 14 Jun 2004 08:48:43 -0700
X-YahooFilteredBulk: 218.97.236.66
X-Originating-IP: [218.97.236.66]
Return-Path: <cbiyt[at]yahoo.com>
Received: from 67.36.55.28 (EHLO mx1-klmzmi.klmzmi.ameritech.net) (67.36.55.28)
    by mta812.mail.yahoo.com with SMTP; Mon, 14 Jun 2004 08:48:41 -0700
X-Originating-IP: [218.97.236.66]
X-Header-Overseas: Mail.from.Overseas.source.218.97.236.66
X-Header-NoReverseIP: IP.name.lookup.failed[218.97.236.66]
Received: from 67.36.55.28 ([218.97.236.66])
    by mx1-klmzmi.klmzmi.ameritech.net (8.12.10/8.12.10) with SMTP id i5EFlGs6006237;
    Mon, 14 Jun 2004 10:47:59 -0500 (CDT)
X-Message-Info: 36QA07NWLuzesh91fNJbxOQ7CZ919djTdbNX9
Received: from u-483-9-185-896.XLROL08.cbiyt[at]yahoo.com ([144.62.224.182]) by ka0-wspe107.cbiyt[at]yahoo.com with Microsoft SMTPSVC(5.0.6083.1911);
    Sat, 19 Jun 2004 12:32:38 -0100
Message-ID: <4088___________3879[at]cbiyt[at]yahoo.com>
X-Originating-IP: [70.136.60.129]
X-Originating-Email: [cbiyt[at]yahoo.com]
X-Sender: cbiyt[at]yahoo.com
Reply-To: "John Santiago" <cbiyt[at]yahoo.com>
From: "John Santiago" <cbiyt[at]yahoo.com>
To: "Sanas" <x>
Subject: Sanas avionic suffix nick bayou
Date: Sat, 19 Jun 2004 16:32:38 +0300
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="--=====05856298186635=_"
X-Mozilla-Status2: 00000000


And here's another that just came in. Not every spam submitted is linked to Ameritech/SBC, so I don't know what is happening.

X-Apparently-To: x via 206.190.37.119; Mon, 14 Jun 2004 13:33:04 -0700
X-YahooFilteredBulk: 219.150.117.138
X-Originating-IP: [219.150.117.138]
Return-Path: <b.tatum_wn[at]hotmail.com>
Received: from 67.36.55.28 (EHLO mx1-klmzmi.klmzmi.ameritech.net) (67.36.55.28)
    by mta817.mail.yahoo.com with SMTP; Mon, 14 Jun 2004 13:33:01 -0700
X-Originating-IP: [219.150.117.138]
X-Header-Overseas: Mail.from.Overseas.source.219.150.117.138
X-Header-NoReverseIP: IP.name.lookup.failed[219.150.117.138]
Received: from msn.com ([219.150.117.138])
    by mx1-klmzmi.klmzmi.ameritech.net (8.12.10/8.12.10) with ESMTP id i5EKWes4024696;
    Mon, 14 Jun 2004 15:32:44 -0500 (CDT)
Message-ID: <KHGA_______________________________m_wn[at]hotmail.com>
From: "Ben Tatum" <b.tatum_wn[at]hotmail.com>
To: x, x, x,
    x, x, x
Subject: Complimentary investment alert newsletter
Date: Mon, 14 Jun 2004 20:50:55 +0000
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: base64
X-Mozilla-Status2: 00000000


Thanks for sending those. I ran both of the emails you sent (and also posted the headers for) through my SpamCop account with my SBC/Yahoo mailhosts setup and I get reports that want to go to China at 218.97.236.66 and 219.150.117.138.

I am not much of an expert on headers at all, but from what I see, you have reported yourself. If I am wrong, please someone correct me.

Remember that if you have SBC/Ameritech/Yahoo it is normal to see stuff like this:

Received: from 67.36.55.28 (EHLO mx1-klmzmi.klmzmi.ameritech.net) (67.36.55.28)
    by mta817.mail.yahoo.com with SMTP; Mon, 14 Jun 2004 13:33:01 -0700

This is a legitimate handoff of YOUR mail servers.

I do not know why the Milwaukee MX is listed as an open relay however.

If that's the case, then why isn't ameritech on all of the spams I submit? This just started happening recently after years of reporting spam.


If that's the case, then why isn't ameritech on all of the spams I submit?

I do not know. Maybe you are not reporting yourself and there is simply a problem with the Milwaukee MX such that when you report spam that involves the Milwaukee MX those and only those spams get reported to Ameritech while ones that traverse the Kalamazoo MX do not?

OR

Maybe this particular spammer has forged the headers well enough to foul up your reporting and you are reporting yourself. (If this is the case then it is a good example as to why the SpamCop "mailhosts" concept was started.)

This is just my speculation, perhaps someone with more experience than myself can figure it out from here. It helps that you have posted the headers.


Archived

This topic is now archived and is closed to further replies.
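
Added example (not from any poster in this thread, and not SpamCop's own parser): a simplified Python sketch of the trusted-relay idea behind "mailhosts", run on the Received lines of the first spam posted above. The names `OWN_RELAYS`, `parse_hop` and `find_source` are hypothetical, and treating the two Ameritech MX addresses named in the thread as the reporter's own relays is an assumption.

```python
import re

# Received: lines copied from the first spam posted above, newest hop first.
RECEIVED = [
    "from 67.36.55.28 (EHLO mx1-klmzmi.klmzmi.ameritech.net) (67.36.55.28) "
    "by mta812.mail.yahoo.com with SMTP; Mon, 14 Jun 2004 08:48:41 -0700",
    "from 67.36.55.28 ([218.97.236.66]) "
    "by mx1-klmzmi.klmzmi.ameritech.net (8.12.10/8.12.10) with SMTP "
    "id i5EFlGs6006237; Mon, 14 Jun 2004 10:47:59 -0500 (CDT)",
    "from u-483-9-185-896.XLROL08.cbiyt[at]yahoo.com ([144.62.224.182]) "
    "by ka0-wspe107.cbiyt[at]yahoo.com with Microsoft SMTPSVC(5.0.6083.1911); "
    "Sat, 19 Jun 2004 12:32:38 -0100",
]

# Assumption: the two Ameritech MX addresses named in this thread are the
# reporter's own inbound relays; a real list would come from the provider.
OWN_RELAYS = {"65.43.19.28", "67.36.55.28"}

# "from <claimed HELO> <comments> by <host>"; the HELO is whatever the
# sender typed, the IP in the comments is what the receiver observed.
HOP = re.compile(r"from\s+(\S+)\s+(.*?)\s+by\s+(\S+)", re.S)
PEER = re.compile(r"\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)")

def parse_hop(line):
    """Return (claimed_helo, recorded_peer_ip, by_host), or None."""
    m = HOP.search(line)
    if not m:
        return None
    helo, comments, by_host = m.groups()
    peers = PEER.findall(comments)
    return (helo, peers[-1] if peers else None, by_host)

def find_source(received, own_relays):
    """Walk hops newest-first; stop at the first peer that is not ours."""
    source = None
    for line in received:
        hop = parse_hop(line)
        if hop is None or hop[1] is None:
            break  # unparseable line: trust nothing below it
        source = hop[1]
        if source not in own_relays:
            break  # next line was written by a stranger and may be forged
    return source

if __name__ == "__main__":
    print("no relays configured:", find_source(RECEIVED, set()))
    print("own relays configured:", find_source(RECEIVED, OWN_RELAYS))
```

With no relays configured the walk stops at the ISP's own MX; with them configured it stops at the address the MX recorded, and the third Received line, which no trusted server wrote, is never consulted.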
