dra007 Posted June 19, 2004

One of my servers has recently started filtering the spam with Postini. I noticed that reports of those spams end up at my abuse desk rather than at the origin of the spam. Can one of the deputies help fix this problem?

Processing spam:
From: waldo[at]aol.com
Subject: (Message Subject)

Received: from mb2i1.ns.pitt.edu (mb2i1.ns.pitt.edu [136.142.185.162]) by imap.srv.cis.pitt.edu with ESMTP (8.8.8/8.8.8/cisimap-7.2.2.4) ID <GAA04065[at]imap.srv.cis.pitt.edu>; Sat, 19 Jun 2004 06:57:20 -0400 (EDT)
136.142.185.162 found
host 136.142.185.162 = mb2i1.ns.pitt.edu (cached)
host mb2i1.ns.pitt.edu (checking ip) ip not found ; mb2i1.ns.pitt.edu discarded as fake.
Possible spammer: 136.142.185.162
136.142.185.162 is not an MX for mb2i1.ns.pitt.edu
host mb2i1.ns.pitt.edu (checking ip) ip not found ; mb2i1.ns.pitt.edu discarded as fake.
cannot find an mx for mb2i1.ns.pitt.edu
cannot find an mx for ns.pitt.edu
Received line accepted

Received: from CONVERSION-DAEMON by pitt.edu (PMDF V5.2-32 #41462) id <01LBH0RQRBDC002R4S[at]mb2i1.ns.pitt.edu>; Sat, 19 Jun 2004 06:57:19 EDT
warning:Ignored

Received: from psmtp.com ([12.158.38.188]) by pitt.edu (PMDF V5.2-32 #41462) with SMTP id <01LBH0RN48P40035JJ[at]mb2i1.ns.pitt.edu>; Sat, 19 Jun 2004 06:57:18 -0400 (EDT)
12.158.38.188 found
host 12.158.38.188 = exprod7mx48.postini.com (cached)
host exprod7mx48.postini.com (checking ip) ip not found ; exprod7mx48.postini.com discarded as fake.
136.142.185.162 not listed in dnsbl.njabl.org
136.142.185.162 not listed in cbl.abuseat.org
136.142.185.162 not listed in dnsbl.sorbs.net
136.142.185.162 is not an MX for imap.srv.cis.pitt.edu
136.142.185.162 is not an MX for pitt.edu
136.142.185.162 is not an MX for imap.srv.cis.pitt.edu
136.142.185.162 not listed in dnsbl.njabl.org
Possible spammer: 12.158.38.188
host pitt.edu (checking ip) ip not found ; pitt.edu discarded as fake.
Chain test:pitt.edu =? 136.142.185.162
136.142.185.162 is not an MX for pitt.edu
host pitt.edu (checking ip) ip not found ; pitt.edu discarded as fake.
cannot find an mx for pitt.edu
Chain test failed
Cached whois for 136.142.185.162 : abuse[at]pitt.edu
Using abuse net on abuse[at]pitt.edu
abuse net pitt.edu = abuse[at]pitt.edu
Using best contacts abuse[at]pitt.edu
abuse[at]pitt.edu redirects to helpdesk+spamcop[at]pitt.edu
warning:Chain error pitt.edu not equal to last sender received line discarded
Tracking message source:136.142.185.162:
Cached masters for 136.142.185.162: helpdesk+spamcop[at]pitt.edu
Message is 3 hours old
136.142.185.162 not listed in dnsbl.njabl.org
136.142.185.162 not listed in dnsbl.njabl.org
136.142.185.162 not listed in cbl.abuseat.org
136.142.185.162 not listed in dnsbl.sorbs.net
spam report id 1075375145 sent to: helpdesk+spamcop[at]pitt.edu
May be saved for future reference: http://www.spamcop.net/sc?id=z521332480z84...65a4b694a3d2bcz
StevenUnderwood Posted June 19, 2004

The problem was that either pitt.edu did not have a reverse DNS setup or SpamCop could not resolve pitt.edu, so SpamCop could not confirm the chain. It is now parsing down to message source: 70.241.105.9, which is where Postini got it from and where it would be sent if you had mailhosts configured.

The first difference in the 2 parses I see is:

Your original parse
host 136.142.185.162 = mb2i1.ns.pitt.edu (cached)
host mb2i1.ns.pitt.edu (checking ip) ip not found ; mb2i1.ns.pitt.edu discarded as fake.

Current parse from your tracking URL
host 136.142.185.162 = mb2i1.ns.pitt.edu (cached)
host mb2i1.ns.pitt.edu (checking ip) = 136.142.185.162
dra007 (Author) Posted June 19, 2004

Thank you Steven. However, if you click on the analysis link at the bottom it shows the correct spam origin, with appropriate abuse addresses. So my question is, why is the reply showing my abuse desk when the analysis points to a different one?

Ok, I correct myself, those direct to the spam advertised sites. I only noticed this happening with spams I reported today. Prior to that the Postini to pitt.edu chain was analysed correctly. I did send an email to deputies <at> and since I have a paid account I do expect some assistance solving this dilemma. I want to continue reporting the spam. I could turn the Postini filter off and see if that corrects the problem. I did think it was convenient to have the spam tagged and moved to a junk folder. It is surprising that it is going to cause a problem. I have another address which gets filtered and tagged differently and it is analysed correctly by SpamCop.
Wazoo Posted June 19, 2004

It's "documented" under the "broken chain" error message. There is technically no path seen as to how the e-mail got from 12.158.38.188 to 136.142.185.162 ... this is one of those where human eyes can see what's going on and even make some assumptions, but the parser doesn't work like that. And as the chain is "broken" .. the parser falls back to the "last valid" header line ..... The "fix" is going to require some work with the sequence/system/configuration of the actions taken and "described" in the line:

Received: from CONVERSION-DAEMON by pitt.edu (PMDF V5.2-32 #41462) id <01LBH0RQRBDC002R4S[at]mb2i1.ns.pitt.edu>; Sat, 19 Jun 2004 06:57:19 EDT
dra007 (Author) Posted June 19, 2004

Thanks Wazoo, I think there is some awareness of parsing problems today. I guess I will wait for some confirmation that the problem was fixed before reporting again. I had similar e-mails analysed correctly all day yesterday and late last night.

PS. I had an e-mail confirming the problem on SpamCop's end. Thank you all.
StevenUnderwood Posted June 19, 2004

> However, if you click on the analysis link at the bottom it shows the correct spam origin, with appropriate abuse addresses. So my question is, why is the reply showing my abuse desk when the analysis points to a different one?

Correct. Your paste and my first quoted section were from the time you actually parsed it. My second parse was from when I wrote the reply, and it was correctly parsing at that time. Between those times, something happened to help SpamCop parse the message correctly. Either the reverse DNS for the pitt.edu entry was fixed or, more likely, the SpamCop end was able to find the entry the second time but not the first. This is one of the many good reasons to enable mailhost configuration: SpamCop won't rely on DNS for the mail path, but will look in your configuration to see if it is correct.

FYI, the tracking URL is reparsed each time you access it, so you can see what the current result is, not necessarily what you saw previously. If things have been changed, that change will show.

Right now, your tracking URL is producing the following:

Parsing header:

Received: from mb2i1.ns.pitt.edu (mb2i1.ns.pitt.edu [136.142.185.162]) by imap.srv.cis.pitt.edu with ESMTP (8.8.8/8.8.8/cisimap-7.2.2.4) ID <GAA04065[at]imap.srv.cis.pitt.edu>; Sat, 19 Jun 2004 06:57:20 -0400 (EDT)
136.142.185.162 found
host 136.142.185.162 = mb2i1.ns.pitt.edu (cached)
host mb2i1.ns.pitt.edu (checking ip) = 136.142.185.162
Possible spammer: 136.142.185.162
136.142.185.162 is not an MX for mb2i1.ns.pitt.edu
host mb2i1.ns.pitt.edu (checking ip) = 136.142.185.162
Received line accepted

Received: from CONVERSION-DAEMON by pitt.edu (PMDF V5.2-32 #41462) id <01LBH0RQRBDC002R4S[at]mb2i1.ns.pitt.edu>; Sat, 19 Jun 2004 06:57:19 EDT
Ignored

Received: from psmtp.com ([12.158.38.188]) by pitt.edu (PMDF V5.2-32 #41462) with SMTP id <01LBH0RN48P40035JJ[at]mb2i1.ns.pitt.edu>; Sat, 19 Jun 2004 06:57:18 -0400 (EDT)
12.158.38.188 found
host 12.158.38.188 (getting name) = exprod7mx48.postini.com.
host exprod7mx48.postini.com (checking ip) = 12.158.38.188
136.142.185.162 not listed in dnsbl.njabl.org
136.142.185.162 not listed in cbl.abuseat.org
136.142.185.162 not listed in dnsbl.sorbs.net
136.142.185.162 is not an MX for imap.srv.cis.pitt.edu
136.142.185.162 is not an MX for mb2i1.ns.pitt.edu
136.142.185.162 is not an MX for pitt.edu
ips are close enough
136.142.185.162 is close to an MX (136.142.185.24) for cis.pitt.edu
Possible spammer: 12.158.38.188
host pitt.edu (checking ip) = 136.142.185.162
136.142.185.162 not listed in dnsbl.njabl.org
136.142.185.162 not listed in cbl.abuseat.org
136.142.185.162 not listed in dnsbl.sorbs.net
Chain test:pitt.edu =? mb2i1.ns.pitt.edu
host mb2i1.ns.pitt.edu (checking ip) = 136.142.185.162
136.142.185.162 is not an MX for pitt.edu
host pitt.edu (checking ip) = 136.142.185.162
ips are identical
pitt.edu and mb2i1.ns.pitt.edu have close IP addresses - chain verified
Possible relay: 136.142.185.162
136.142.185.162 not listed in relays.ordb.org.
136.142.185.162 has already been sent to relay testers
Received line accepted
Relay trusted (12.158.38 postini.com)

Received: from source ([70.241.105.9]) by exprod7mx48.postini.com ([12.158.38.251]) with SMTP; Sat, 19 Jun 2004 03:57:12 -0700 (PDT)
Masking IP-based 'by' clause.
Received: from source ([70.241.105.9]) by exprod7mx48.postini.com with SMTP; Sat, 19 Jun 2004 03:57:12 -0700 (PDT)
70.241.105.9 found
host 70.241.105.9 = adsl-70-241-105-9.dsl.hstntx.swbell.net. (cached)
host adsl-70-241-105-9.dsl.hstntx.swbell.net (checking ip) = 70.241.105.9
Possible spammer: 70.241.105.9
Possible relay: 12.158.38.188
12.158.38.188 not listed in relays.ordb.org.
12.158.38.188 has already been sent to relay testers
Received line accepted

Received: from 144.240.29.207 by 70.241.105.9; Sat, 19 Jun 2004 09:51:08 -0200
144.240.29.207 found
host 144.240.29.207 (getting name) no name
70.241.105.9 not listed in dnsbl.njabl.org
70.241.105.9 listed in cbl.abuseat.org ( 127.0.0.2 )
Open proxies untrusted as relays

Tracking message source: 70.241.105.9:
Routing details for 70.241.105.9 [refresh/show]
Cached whois for 70.241.105.9 : abuse[at]swbell.net
Using abuse net on abuse[at]swbell.net
abuse net swbell.net = abuse[at]swbell.net
Using best contacts abuse[at]swbell.net
Message is 6 hours old
70.241.105.9 not listed in dnsbl.njabl.org
70.241.105.9 not listed in dnsbl.njabl.org
70.241.105.9 listed in cbl.abuseat.org ( 127.0.0.2 )
70.241.105.9 is an open proxy
70.241.105.9 not listed in query.bondedsender.org
70.241.105.9 not listed in iadb.isipp.com
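To make the "broken chain" fallback and the mailhost remedy concrete, here is an added example, not SpamCop's parser and not posted by anyone in this thread, that walks the Received headers quoted above outward from the recipient and applies a simplified chain test. It assumes a constructed forward-DNS table (one copy with pitt.edu, one without), models "ips are close enough" as a shared /24, stands in a constructed set for the cbl.abuseat.org listing of 70.241.105.9, and treats a hypothetical mailhost list (PITT_MAILHOSTS) as hosts whose "by" clause is accepted without a DNS lookup; message ids and mailer versions are left out of the sample headers because the chain test never reads them. It runs the same three situations the thread describes: pitt.edu failing to resolve, pitt.edu resolving, and pitt.edu failing to resolve with mailhosts configured.

```python
import ipaddress
import re

# Constructed sample input: the Received headers quoted in this thread, most
# recent hop first (the order the parser reads them). Message ids and mailer
# version strings are omitted because the chain test never looks at them.
RECEIVED_HEADERS = [
    "from mb2i1.ns.pitt.edu (mb2i1.ns.pitt.edu [136.142.185.162]) "
    "by imap.srv.cis.pitt.edu with ESMTP; Sat, 19 Jun 2004 06:57:20 -0400 (EDT)",
    "from CONVERSION-DAEMON by pitt.edu (PMDF V5.2-32 #41462); "
    "Sat, 19 Jun 2004 06:57:19 EDT",
    "from psmtp.com ([12.158.38.188]) by pitt.edu (PMDF V5.2-32 #41462) "
    "with SMTP; Sat, 19 Jun 2004 06:57:18 -0400 (EDT)",
    "from source ([70.241.105.9]) by exprod7mx48.postini.com ([12.158.38.251]) "
    "with SMTP; Sat, 19 Jun 2004 03:57:12 -0700 (PDT)",
    "from 144.240.29.207 by 70.241.105.9; Sat, 19 Jun 2004 09:51:08 -0200",
]

# Constructed forward-DNS tables standing in for real lookups. DNS_BROKEN
# lacks pitt.edu, which is the failure the first parse in the thread hit.
DNS_WORKING = {
    "mb2i1.ns.pitt.edu": "136.142.185.162",
    "pitt.edu": "136.142.185.162",
    "exprod7mx48.postini.com": "12.158.38.188",
}
DNS_BROKEN = {k: v for k, v in DNS_WORKING.items() if k != "pitt.edu"}

# Constructed stand-in for the cbl.abuseat.org listing shown in the thread.
OPEN_PROXIES = frozenset({"70.241.105.9"})

# Hypothetical mailhost configuration for the recipient's own relays.
PITT_MAILHOSTS = frozenset({"imap.srv.cis.pitt.edu", "pitt.edu", "mb2i1.ns.pitt.edu"})

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def _bracketed_ip(text):
    """Return the first [a.b.c.d] literal in text, or None."""
    m = re.search(r"\[(" + IPV4 + r")\]", text)
    return m.group(1) if m else None


def parse_received(header):
    """Split a Received value into its from/by hosts and any IP literals."""
    m = re.match(r"from\s+([^\s;]+)(.*?)\s+by\s+([^\s;]+)(.*)", header, re.S)
    if not m:
        return None
    from_host, from_rest, by_host, by_rest = m.groups()
    by_rest = by_rest.split(";", 1)[0]  # drop the timestamp
    from_ip = _bracketed_ip(from_rest) or (
        from_host if re.fullmatch(IPV4, from_host) else None)
    by_ip = _bracketed_ip(by_rest) or (
        by_host if re.fullmatch(IPV4, by_host) else None)
    return {"from_host": from_host, "from_ip": from_ip,
            "by_host": by_host, "by_ip": by_ip}


def same_network(a, b, prefix=24):
    """Model of the parser's 'ips are close enough' rule: same /24."""
    net = lambda ip: ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return net(a) == net(b)


def trace_source(headers, dns, mailhosts=frozenset(), open_proxies=frozenset()):
    """Walk the headers outward from the recipient; return (source_ip, log).

    A hop is accepted only if its 'by' side can be tied to the 'from' IP of
    the previously accepted hop (the chain test) or is a configured mailhost.
    When the chain breaks, the last accepted 'from' IP is what gets reported,
    which is how the first parse in the thread ended at pitt.edu's abuse desk.
    """
    log, last_ip = [], None
    for raw in headers:
        hop = parse_received(raw)
        if hop is None or hop["from_ip"] is None:
            log.append(f"ignored: from {hop['from_host'] if hop else '?'}")
            continue
        if last_ip is not None:
            if last_ip in open_proxies:
                log.append(f"{last_ip} is an open proxy: untrusted as relay")
                break
            by_ip = hop["by_ip"] or dns.get(hop["by_host"])
            if hop["by_host"] in mailhosts:
                log.append(f"mailhost {hop['by_host']}: accepted without DNS")
            elif by_ip is None:
                log.append(f"chain test failed: cannot resolve {hop['by_host']}")
                break
            elif not same_network(by_ip, last_ip):
                log.append(f"chain error: {hop['by_host']} ({by_ip}) is not {last_ip}")
                break
            else:
                log.append(f"chain verified: {hop['by_host']} = {by_ip}")
        last_ip = hop["from_ip"]
        log.append(f"received line accepted, possible spammer: {last_ip}")
    return last_ip, log


if __name__ == "__main__":
    scenarios = {
        "pitt.edu does not resolve": (DNS_BROKEN, frozenset()),
        "pitt.edu resolves": (DNS_WORKING, frozenset()),
        "pitt.edu does not resolve, mailhosts configured": (DNS_BROKEN, PITT_MAILHOSTS),
    }
    for name, (dns, hosts) in scenarios.items():
        source, log = trace_source(RECEIVED_HEADERS, dns, hosts, OPEN_PROXIES)
        print(f"== {name}: source {source}")
        for line in log:
            print("  ", line)
```

The first scenario stops at 136.142.185.162 (so the report would route to pitt.edu's own abuse contact), the other two reach 70.241.105.9 and then refuse to trust the forged "by 70.241.105.9" line because that address is on the open-proxy list, which matches both parses quoted in this thread. The mailhost path is the point of Steven's advice: once the recipient's own relays are declared, the walk no longer depends on a DNS lookup that may be flaky at parse time.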
Wazoo Posted June 19, 2004

Well, as you said, stuff changes <g> ... my remarks were based on what I saw when I checked <g> .... and now we have Don's notification that something is seriously hosed ....
dra007 (Author) Posted June 19, 2004

Apparently some servers were turned off for maintenance simultaneously, causing the problem. Glad to see things back to normal. Mind you, I don't know if my help desk will ever answer the abuse queries. Someone was very likely annoyed.