
Need help reporting spam


jeburkes76


Okay, here is our setup. We have an email gateway running Symantec Mail Security for SMTP, basically an SMTP service/engine, which does the following. First, it checks the message for viruses, then blacklist(s) (SpamCop), then does a heuristics check. Any message that fails the heuristics check gets sent to a catchall email address on an Exchange 2000 server behind the email gateway. Using the Spamsource add-in for Outlook 2000, I can report the spam fine from the catchall email address, but it is reporting my email gateway as the SPAMMER since it is the last server to pass the message on. Since Symantec Mail Security for SMTP does not have a way to hold the message, how can I report the spam correctly, or am I doing something wrong?

Thanks in Advance.

Jeremy


Any server that touches the message should be adding headers to indicate that.

You should be able to register your server in mailhosts (you may need to go through the waiver process because of your configuration) to tell SpamCop to trust the headers of the gateway.

Otherwise, post the full headers here (or better yet, a tracking URL for one trying to report your server) and we may also be able to tell you why the headers are failing the SpamCop parse.


Here is a report I sent like I have been trying. If I am reading it correctly, under "If reported today, reports would be sent to:" it has my email gateway server listed with IP address 206.39.246.201 as the originator (if I am not mistaken). It could just be that I am reading the reporting wrong. <_< Thanks.

Jeremy

SpamCop v 1.356 © SpamCop.net, Inc. 1998-2004 All Rights Reserved

spam Header

This page may be saved for future reference:

http://www.spamcop.net/sc?id=z547330861z24...962ae7d8052f82z


Received: from spspam1.sphq.ssp.navy.mil ([206.39.246.201]) by spmail2.sphq.ssp.navy.mil with Microsoft SMTPSVC(5.0.2195.6872);

Tue, 13 Jul 2004 12:40:42 -0400

Received: from out6.mysport-times.com ([64.70.22.163])

by spspam1.sphq.ssp.navy.mil (SMSSMTP 4.0.0.59) with SMTP id M2004071312404228605

for <x>; Tue, 13 Jul 2004 12:40:42 -0400

Received: by out6.mysport-times.com (PowerMTA v2.0r4) id hug7l204a2gj; Tue, 13 Jul 2004 09:35:18 -0700 (envelope-from <pmv8rky[at]e-timetochuckle.com>)

Date: Tue, 13 Jul 2004 09:35:18 -0700

X-OriginalArrivalTime: Tuesday, July 13, 2004 09:35:18

From: SMS.SMTP[at]sphq.ssp.navy.mil

To: x

Reply-To: AFhU3ZKPQQWBMDXKTRKXSFYIN[at]e-timetochuckle.com

Subject: =?utf-8?B?QmFyYmFyYSdzIERhdGUgVG9uaWdodG==?=

MIME-Version: 1.0

Content-Type: text/plain; charset=utf-8

MIME-Version: 1.0

Content-Type: multipart/alternative; boundary="----_=_NextPart_f9c9_15c6a0.2125830"

Content-Length: 6398

Return-Path: SMS.SMTP[at]sphq.ssp.navy.mil

Message-ID: <SPMA___________________082a[at]spmail2.sphq.ssp.navy.mil>

Parsing header:

Received: from spspam1.sphq.ssp.navy.mil ([206.39.246.201]) by spmail2.sphq.ssp.navy.mil with Microsoft SMTPSVC(5.0.2195.6872); Tue, 13 Jul 2004 12:40:42 -0400

206.39.246.201 found

host 206.39.246.201 (getting name) no name

Possible spammer: 206.39.246.201

Received line accepted

Received: from out6.mysport-times.com ([64.70.22.163]) by spspam1.sphq.ssp.navy.mil (SMSSMTP 4.0.0.59) with SMTP id M2004071312404228605 for <x>; Tue, 13 Jul 2004 12:40:42 -0400

64.70.22.163 found

host 64.70.22.163 = out6.mysport-times.com (cached)

host out6.mysport-times.com (checking ip) = 64.70.22.163

206.39.246.201 not listed in dnsbl.njabl.org

206.39.246.201 not listed in cbl.abuseat.org

206.39.246.201 not listed in dnsbl.sorbs.net

206.39.246.201 is not an MX for spmail2.sphq.ssp.navy.mil

206.39.246.201 is not an MX for spspam1.sphq.ssp.navy.mil

206.39.246.201 is not an MX for spmail2.sphq.ssp.navy.mil

206.39.246.201 not listed in dnsbl.njabl.org

Possible spammer: 64.70.22.163

host spspam1.sphq.ssp.navy.mil (checking ip) ip not found ; spspam1.sphq.ssp.navy.mil discarded as fake.

Chain test:spspam1.sphq.ssp.navy.mil =? 206.39.246.201

206.39.246.201 is not an MX for spspam1.sphq.ssp.navy.mil

host spspam1.sphq.ssp.navy.mil (checking ip) ip not found ; spspam1.sphq.ssp.navy.mil discarded as fake.

cannot find an mx for spspam1.sphq.ssp.navy.mil

206.39.250.30 is an mx ( 10 ) for sphq.ssp.navy.mil

206.39.246.201 is not an MX for spspam1.sphq.ssp.navy.mil

Chain test failed

Routing details for 206.39.246.201

[refresh/show] Cached whois for 206.39.246.201 : hostmaster[at]nic.mil

I refuse to bother hostmaster[at]nic.mil.

Using hostmaster#nic.mil[at]devnull.spamcop.net for statistical tracking.

Using last resort contacts hostmaster#nic.mil[at]devnull.spamcop.net

Chain error spspam1.sphq.ssp.navy.mil not equal to last sender received line discarded

Tracking message source: 206.39.246.201:

Routing details for 206.39.246.201

[refresh/show] Cached whois for 206.39.246.201 : hostmaster[at]nic.mil

I refuse to bother hostmaster[at]nic.mil.

Using hostmaster#nic.mil[at]devnull.spamcop.net for statistical tracking.

Using last resort contacts hostmaster#nic.mil[at]devnull.spamcop.net

Yum, this spam is fresh!

Message is 1 hours old

206.39.246.201 not listed in dnsbl.njabl.org

206.39.246.201 not listed in dnsbl.njabl.org

206.39.246.201 not listed in cbl.abuseat.org

206.39.246.201 not listed in dnsbl.sorbs.net

206.39.246.201 not listed in relays.ordb.org.

206.39.246.201 not listed in query.bondedsender.org

206.39.246.201 not listed in iadb.isipp.com

Finding links in message body

Parsing text part

Resolving link obfuscation

http://clicks.timetolaugh.info/profile.asp...&lid=14&email=x

host 66.226.4.28 (getting name) no name

http://clicks.timetolaugh.info/redir.aspx?id=269468&email=x

host 66.226.4.28 (getting name) no name

Tracking link: http://clicks.timetolaugh.info/redir.aspx?id=269468&email=x

No recent reports, no history available

Resolves to 66.226.4.28

Routing details for 66.226.4.28

[refresh/show] Cached whois for 66.226.4.28 : dnsadmin[at]alchemy.net

Using abuse net on dnsadmin[at]alchemy.net

abuse net alchemy.net = abuse[at]alchemy.net

Using best contacts abuse[at]alchemy.net

Tracking link: http://clicks.timetolaugh.info/profile.asp...&lid=14&email=x

No recent reports, no history available

Resolves to 66.226.4.28

Routing details for 66.226.4.28

[refresh/show] Cached whois for 66.226.4.28 : dnsadmin[at]alchemy.net

Using abuse net on dnsadmin[at]alchemy.net

abuse net alchemy.net = abuse[at]alchemy.net

Using best contacts abuse[at]alchemy.net

Reports regarding this spam have already been sent:

Reportid: 1111197463 To: cancelled[at]devnull.spamcop.net

If reported today, reports would be sent to:

Re: 206.39.246.201 (Administrator of network where email originates)

hostmaster#nic.mil[at]devnull.spamcop.net

Re: 206.39.246.201 (Third party interested in email source)

spamcop[at]imaphost.com

Re: http://clicks.timetolaugh.info/profile.asp?eid=... (Administrator of network hosting website referenced in spam)

abuse[at]alchemy.net

Re: http://clicks.timetolaugh.info/redir.aspx?id=26... (Administrator of network hosting website referenced in spam)

abuse[at]alchemy.net


You are reading it correctly.

host spspam1.sphq.ssp.navy.mil (checking ip) ip not found ; spspam1.sphq.ssp.navy.mil discarded as fake.

Chain test:spspam1.sphq.ssp.navy.mil =? 206.39.246.201

206.39.246.201 is not an MX for spspam1.sphq.ssp.navy.mil

host spspam1.sphq.ssp.navy.mil (checking ip) ip not found ; spspam1.sphq.ssp.navy.mil discarded as fake.

cannot find an mx for spspam1.sphq.ssp.navy.mil

206.39.250.30 is an mx ( 10 ) for sphq.ssp.navy.mil

206.39.246.201 is not an MX for spspam1.sphq.ssp.navy.mil

Chain test failed

Because the MX for the message should go to 206.39.250.30, SpamCop is rejecting 206.39.246.201 accepting it from the internet.

It is possible that if the spspam1.sphq.ssp.navy.mil server had a DNS entry that SpamCop would not discard it and see it as "close enough" to the MX to be accepted. It is also possible that since spspam1 is not in the same /24 network, that it would not be "close enough" anyway.

You could contact the deputies<at>spamcop.net for a ruling on that. They may also have further insight as to why it was rejected.

Either way, if you can get the mailhost configuration approved, I think this will work.


Archived

This topic is now archived and is closed to further replies.
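
The thread turns on which Received lines a parser is willing to trust. The following Python is an added example, not part of the original posts and not SpamCop's own code: it models mailhost registration as a set of trusted relay IPs (an assumption) and shows how the reported source for the headers posted above changes once the gateway is trusted. The names `find_source` and `trusted_ips` are hypothetical.

```python
import re

# Received lines from the report posted in this thread, unfolded, newest first.
# The third line is trimmed of its envelope-from comment.
HEADERS = [
    "from spspam1.sphq.ssp.navy.mil ([206.39.246.201]) by spmail2.sphq.ssp.navy.mil "
    "with Microsoft SMTPSVC(5.0.2195.6872); Tue, 13 Jul 2004 12:40:42 -0400",
    "from out6.mysport-times.com ([64.70.22.163]) by spspam1.sphq.ssp.navy.mil "
    "(SMSSMTP 4.0.0.59) with SMTP id M2004071312404228605 for <x>; "
    "Tue, 13 Jul 2004 12:40:42 -0400",
    "by out6.mysport-times.com (PowerMTA v2.0r4) id hug7l204a2gj; "
    "Tue, 13 Jul 2004 09:35:18 -0700",
]

# "from <helo> ([<ip>]) by <host>": the IP is recorded by the receiving host,
# so it is only as trustworthy as the host that wrote the line.
HOP = re.compile(
    r"^from\s+(?P<helo>\S+)\s+\(\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)\s+by\s+(?P<by>\S+)"
)

def find_source(received, trusted_ips):
    """Walk Received lines newest-first and return the first handing-over IP
    that is not one of our own relays.

    The top line is written by the final server and is trusted. Each later
    line is trusted only because the relay that wrote it was in trusted_ips.
    The walk stops at the first untrusted IP: everything below it was written
    by hosts outside our control and could be forged.
    """
    for line in received:
        hop = HOP.match(line)
        if hop is None:
            return None  # no "from ... ([ip]) by ..." clause to evaluate
        if hop.group("ip") not in trusted_ips:
            return hop.group("ip")
    return None

if __name__ == "__main__":
    # Gateway not registered: the gateway itself is blamed, as in the report.
    print(find_source(HEADERS, set()))
    # Gateway registered as a trusted relay: the walk continues one hop further.
    print(find_source(HEADERS, {"206.39.246.201"}))
```
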
