SPAM NOT ASSOCIATED W/ MAILHOST

[heym0n]

Received: from ppp-64-109-12-114.dialup.peoril.ameritech.net ([64.109.12.114]) by mta1.adelphia.net (InterMail vM.6.01.03.02 201-2131-111-104-20040324) with SMTP id <20040811210939.PEXA15236.mta1.adelphia.net[at]ppp-64-109-12-114.dialup.peoril.ameritech.net>

This part comes after return path. I have been getting SPAMCOP tellin me my spam is not associated with mailhosts. Let me know if ya need the whole header.

P.S. yes my mailhosts are registered!

[Merlyn]

64.109.12.114 is a dialup IP number, why would a mail server be running on that IP? Are you saying you registered a dialup IP as a mailhost?

[heym0n]

64.109.12.114 is a dialup IP number, why would a mail server be running on that IP?  Are you saying you registered a dialup IP as a mailhost?

14994[/snapback]

No I didn t registered a dialup IP.....that is what is shown in the spam's header. I guess thats what is being done to thwart off where the spam is being sent from and confuse admin's when spam is reported!

[Merlyn]

You would probably be better off posting this in the Mailhosts part of the board.

There is a section for mailhosts problems. Maybe an Admin will move this one over there.

[Ellen]

Received:  from ppp-64-109-12-114.dialup.peoril.ameritech.net ([64.109.12.114]) by mta1.adelphia.net (InterMail vM.6.01.03.02 201-2131-111-104-20040324) with SMTP id <20040811210939.PEXA15236.mta1.adelphia.net[at]ppp-64-109-12-114.dialup.peoril.ameritech.net>

This part comes after return path. I have been getting SPAMCOP tellin me my spam is not associated with mailhosts.  Let me know if ya need the whole header.

P.S. yes my mailhosts are registered!

14993[/snapback]

In order to have any idea of what is happening you need to post a tracking url -- posting all or parts of the header unfortunately does not reveal any useful information.

[heym0n]

In order to have any idea of what is happening you need to post a tracking url -- posting all or parts of the header unfortunately does not reveal any useful information.

14997[/snapback]

http://www.spamcop.net/sc?id=z598717409zdb...ff751e1208812bz

[StevenUnderwood]

Other than the URL you posted is not the same you are complaining about in the original post, unless you have "a288-f63.hotbox.ru" in your mailhosts, I don't see the problem. his message happens quite often with spam because the headers are often forged.

[Wazoo]

Sorry heym0n, as Steven points out, the data seen in your provided Tracking URL doesn't seem to have any relationship to your starting query. On the other hand, I don't trust anything in what's being shown under that Tracking URL. What in the world are you using that makes such a jumble?

[Merlyn]

69.38.142.25 has an open socks4, http, and socks5 proxy and is being very abused.

What does this one and your first one have in common?

[heym0n]

what it has in common is how the receive: is forged....well in my opinion. Let me re do the spam complaint........ok look at this.....its the same thing as the other one I posted but without the decoded html part! thats what you saw in my last post was the body was decoded via OPERA's M2

http://www.spamcop.net/sc?id=z598902334z1c...fa91ecb09adf50z

do you see how it says received by: accounting

thats what is making spamcop say possible forgery due to mailhosts not associated! I had no problem and ellen herself registered this account cause i had problems registering it on the new host system!

[StevenUnderwood]

1. Is adelphia.net your ISP? The first Received header is put there by your ISP.

2. Do all of your messages now show ACCOUNTIN6 ([69.38.142.25])? Adelphia may have changed something on their end. If they changed their systems, your mailhost MAY need to be redone.

You should email this poblem to the deputies<at>spamcop.net as they can look at your mailhost config and figure out what is going on.

[heym0n]

Yes adelphia.net is my ISP......accounting does not show up on all my spam headers but here are a few spam headers:

from MICHELLE ([68.156.61.186]) by mta7.adelphia.net

from ADSL-TPLUS-15-237.intnet.mu ([202.123.15.237]) by mta3.adelphia.net

from host67-8.master.pl ([81.15.154.67]) by mta7.adelphia.net

from CM128-lflo0-39-94.cm.vtr.net ([200.120.39.94]) by mta8.adelphia.net

here is actual mail that is not spam:

m usswtmry10.aventispasteur.com ([209.37.191.109]) by mta3.adelphia.net

actually have see no freakin difference but to go back to the header that shows the word ACCOUNTING in it.....this has to be what is causing spamcop to say mailhost not associated:

SMTP id <20040811183238.ZMOS9448.mta6.adelphia.net[at]ACCOUNTIN6>

oh well....any help is appreciated fella's and thanks for the quick responses!!

[dbiel]

Yes adelphia.net is my ISP......accounting does not show up on all my spam headers but here are a few spam headers:

Why should it, it is where that piece of mail came from (along with millions of others)

Parsing header:

0: Received: from ACCOUNTIN6 ([69.38.142.25]) by mta6.adelphia.net (InterMail vM.6.01.03.02 201-2131-111-104-20040324) with SMTP id <20040811183238.ZMOS9448.mta6.adelphia.net[at]ACCOUNTIN6>; Wed, 11 Aug 2004 14:32:38 -0400

No unique hostname found for source: 69.38.142.25

Adelphia received mail from sending system 69.38.142.25

Note: recievied from (indicated in red) is where your ISP got the mail from.

Your ISP (shown in purple) is part of your Mail Host set up and is where you got the mail from.

ACCOUNTIN6 seems to be the "name" of the server that sent the message to your IP, I doubt if it is forged, just setup badly. Anything after that probably is forged.

If you check senderbase you will see a huge increase in mail being sent from ACCOUNTIN6 ([69.38.142.25])

Report on IP address: 69.38.142.25

Volume Statistics for this IP 

Magnitude Vol Change vs. Average

Last day 4.2 - - 30085%

Last 30 days 2.8 -  1088%

Average 1.7

They have a server that is set up poorly and is compromised and is sending tons of spam

they are listed on Spamcops bl

69.38.142.25 listed in bl.spamcop.net (127.0.0.2)

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

SpamCop users have reported system as a source of spam less than 10 times in the past week

Additional potential problems

(these factors do not directly result in spamcop listing)

DNS error: 69.38.142.25 has no reverse dns

Listing History

It has been listed for 29 hours.

The parcer is correct not to trust anything past the first recieved line.

[heym0n]

Well i m still try to figure out why spamcop says my spam didn t come from the registered mailhosts.

[dbiel]

Well i m still try to figure out why spamcop says my spam didn t come from the registered mailhosts.

Your question makes no sense

Parsing header:

0: Received: from ACCOUNTIN6 ([69.38.142.25]) by mta6.adelphia.net (InterMail vM.6.01.03.02 201-2131-111-104-20040324) with SMTP id <20040811183238.ZMOS9448.mta6.adelphia.net[at]ACCOUNTIN6>; Wed, 11 Aug 2004 14:32:38 -0400

No unique hostname found for source: 69.38.142.25

Adelphia received mail from sending system 69.38.142.25

1: Received: from nocturnal-dns.hotbox.ru ([194.10.52.142]) by a288-f63.hotbox.ru with Microsoft SMTPSVC(5.0.2195.6824); Wed, 11 Aug 2004 15:19:35 -0500

No unique hostname found for source: 194.10.52.142

Possible forgery. Supposed receiving system not associated with any of your mailhosts

Will not trust anything beyond this header

Adelphia is part of your mailhosts

They received the message from ACCOUNTIN6 ([69.38.142.25])

Possible forgery. Supposed receiving system not associated with any of your mailhosts refers to the second received line which is NOT part of your Mailhosts

The entire purple section of the header is probably forged. If it were vaild, it would have indicated that ACCOUNTIN6 ([69.38.142.25]) had received the message. This name might be different since they do not have a reverse DNS listing.

[heym0n]

ok so everything is fine then with how my mailhosts is setup? My question was in regards to spamcop saying possible forgery etc..etc....but I wasn t aware that it was referring to the 2nd received by:

thanks for the responses!!!

[StevenUnderwood]

Thanks dbiel, my mind was not working yesterday.

The ACCOUNTING6 (and the others) are what the machine sending the message is calling itself. Inside the brackets [] is the IP address of the sending server as seen by the receiving machine and inside the parenteses (), next to the IP address would be the rDNS lookup of the IP address if it were done. It appears that Adelphia is not doing rDNS lookups as it is not shown in any of your examples and I get a valid rDNS for at least your valid example.

[dbiel]

Thanks dbiel, my mind was not working yesterday. 

The ACCOUNTING6 (and the others) are what the machine sending the message is calling itself.  Inside the brackets [] is the IP address of the sending server as seen by the receiving machine and inside the parenteses (), next to the IP address would be the rDNS lookup of the IP address if it were done.  It appears that Adelphia is not doing rDNS lookups as it is not shown in any of your examples and I get a valid rDNS for at least your valid example.

15012[/snapback]

Thanks Steve,

You did a better job explaining it that I did.

Also I did not try to check to see if there was a valid rDNS, just took the information from the varrious reports that I had checked that claimed that there was no rDNS

The section indicated in green definately helps in reading the header info. I am going to have to look to see if it is referenced anywhere in the FAQ, if not then we might what to write up something in detail about it an have Wazoo find a place for it.

[dbiel]

ok so everything is fine then with how my mailhosts is setup?  My question was in regards to spamcop saying possible forgery etc..etc....but I wasn t aware that it was referring to the 2nd received by:

thanks for the responses!!!

15009[/snapback]

ok so everything is fine then with how my mailhosts is setup? Can't answer that question completly as I do not have access to your setup and you have not provided any information on how you do receive mail. But as far the the message that you did post, it is set up correctly. If you get mail at other addresses they may or may not be set up correctly as it depends on wether you registered them or not.

Also if you have any messages forward to your Adelphia account from other accounts that use different servers such as ACCOUNTING6 then they would have to be added as well. I made the assumption that you do not use ACCOUNTING6 as a vaild mail source (one of the few safe assumptions I have made).

So the answer to your question is Yes, No, Maybe

[Wazoo]

http://www.spamcop.net/sc?id=z598902334z1c...fa91ecb09adf50z

do you see how it says received by:  accounting

OK, others have dealt with some of the details .... but I'm going to remark about the content and construction of this submittal. I'm actually surprised that the parser accepted it to begin with. Can you explain the two sets of headers inserted into that submittal? First one with long lines, then a copy, but word-wrapped? Can't help but think that this is going to screw up your reports somewhere down the line (again, that it flew as is surprises me)

[Ellen]

Well i m still try to figure out why spamcop says my spam didn t come from the registered mailhosts.

15007[/snapback]

What the parser is saying is that it recognizes adelphia but it doesn't associate IP 69.38.142.25 with any of your mailhosts (and it shouldn't because it *isn't* one of your mailhosts) and therefore it cannot trust any of the other received headers -- they may or may not be forged. In any case IP 69.38.142.25 is either 1) relaying mail or 2) the source of the mail. It doesn't matter which case is true because it is the server which is delivering the spam to you/adelphia. THe "supposed receiving system not associated ..." remark indicates that the parser is abandoning the parse at this point.

Admittedly some of the commentary the parser puts out is opaque and not always located exactly where a human being explaining a parse would have made the comment.

I am not sure that I have been any more informative than the parse :-(

[StevenUnderwood]

Hopefully at least one of the several explanations given is understood by the OP. I hope he replies with any further questions or that he understands.