heym0n, posted August 11, 2004

Received: from ppp-64-109-12-114.dialup.peoril.ameritech.net ([64.109.12.114]) by mta1.adelphia.net (InterMail vM.6.01.03.02 201-2131-111-104-20040324) with SMTP id <20040811210939.PEXA15236.mta1.adelphia.net[at]ppp-64-109-12-114.dialup.peoril.ameritech.net>

This part comes after return path. I have been getting SPAMCOP tellin me my spam is not associated with mailhosts. Let me know if ya need the whole header.

P.S. Yes, my mailhosts are registered!
Merlyn, posted August 11, 2004

64.109.12.114 is a dialup IP number, why would a mail server be running on that IP? Are you saying you registered a dialup IP as a mailhost?
heym0n (author), posted August 11, 2004

> 64.109.12.114 is a dialup IP number, why would a mail server be running on that IP? Are you saying you registered a dialup IP as a mailhost?

No, I didn't register a dialup IP. That is what is shown in the spam's header. I guess that's what is being done to thwart off where the spam is being sent from and confuse admins when spam is reported!
Merlyn, posted August 11, 2004

You would probably be better off posting this in the Mailhosts part of the board. There is a section for mailhosts problems. Maybe an Admin will move this one over there.
Ellen, posted August 11, 2004

> Received: from ppp-64-109-12-114.dialup.peoril.ameritech.net ([64.109.12.114]) by mta1.adelphia.net (InterMail vM.6.01.03.02 201-2131-111-104-20040324) with SMTP id <20040811210939.PEXA15236.mta1.adelphia.net[at]ppp-64-109-12-114.dialup.peoril.ameritech.net>
>
> This part comes after return path. I have been getting SPAMCOP tellin me my spam is not associated with mailhosts. Let me know if ya need the whole header.
>
> P.S. Yes, my mailhosts are registered!

In order to have any idea of what is happening you need to post a tracking URL -- posting all or parts of the header unfortunately does not reveal any useful information.
heym0n (author), posted August 11, 2004

> In order to have any idea of what is happening you need to post a tracking URL -- posting all or parts of the header unfortunately does not reveal any useful information.

http://www.spamcop.net/sc?id=z598717409zdb...ff751e1208812bz
StevenUnderwood, posted August 12, 2004

Other than the URL you posted is not the same you are complaining about in the original post, unless you have "a288-f63.hotbox.ru" in your mailhosts, I don't see the problem. This message happens quite often with spam because the headers are often forged.
Wazoo, posted August 12, 2004

Sorry heym0n, as Steven points out, the data seen in your provided Tracking URL doesn't seem to have any relationship to your starting query. On the other hand, I don't trust anything in what's being shown under that Tracking URL. What in the world are you using that makes such a jumble?
Merlyn, posted August 12, 2004

69.38.142.25 has an open socks4, http, and socks5 proxy and is being very abused. What does this one and your first one have in common?
heym0n (author), posted August 12, 2004

What it has in common is how the Received: is forged... well, in my opinion. Let me redo the spam complaint... OK, look at this... it's the same thing as the other one I posted but without the decoded HTML part! What you saw in my last post was the body decoded via Opera's M2.

http://www.spamcop.net/sc?id=z598902334z1c...fa91ecb09adf50z

Do you see how it says received by: accounting? That's what is making SpamCop say possible forgery due to mailhosts not associated! I had no problem, and Ellen herself registered this account because I had problems registering it on the new host system!
StevenUnderwood, posted August 12, 2004

1. Is adelphia.net your ISP? The first Received header is put there by your ISP.

2. Do all of your messages now show ACCOUNTIN6 ([69.38.142.25])? Adelphia may have changed something on their end. If they changed their systems, your mailhost MAY need to be redone.

You should email this problem to the deputies<at>spamcop.net as they can look at your mailhost config and figure out what is going on.
heym0n (author), posted August 12, 2004

Yes, adelphia.net is my ISP. ACCOUNTING does not show up on all my spam headers, but here are a few spam headers:

from MICHELLE ([68.156.61.186]) by mta7.adelphia.net
from ADSL-TPLUS-15-237.intnet.mu ([202.123.15.237]) by mta3.adelphia.net
from host67-8.master.pl ([81.15.154.67]) by mta7.adelphia.net
from CM128-lflo0-39-94.cm.vtr.net ([200.120.39.94]) by mta8.adelphia.net

Here is actual mail that is not spam:

from usswtmry10.aventispasteur.com ([209.37.191.109]) by mta3.adelphia.net

Actually, I see no freakin difference, but to go back to the header that shows the word ACCOUNTING in it... this has to be what is causing SpamCop to say mailhost not associated:

SMTP id <20040811183238.ZMOS9448.mta6.adelphia.net[at]ACCOUNTIN6>

Oh well... any help is appreciated, fellas, and thanks for the quick responses!!
dbiel, posted August 12, 2004

> Yes, adelphia.net is my ISP. ACCOUNTING does not show up on all my spam headers, but here are a few spam headers:

Why should it? It is where that piece of mail came from (along with millions of others).

Parsing header:
0: Received: from ACCOUNTIN6 ([69.38.142.25]) by mta6.adelphia.net (InterMail vM.6.01.03.02 201-2131-111-104-20040324) with SMTP id <20040811183238.ZMOS9448.mta6.adelphia.net[at]ACCOUNTIN6>; Wed, 11 Aug 2004 14:32:38 -0400
No unique hostname found for source: 69.38.142.25
Adelphia received mail from sending system 69.38.142.25

Note: received from (indicated in red) is where your ISP got the mail from. Your ISP (shown in purple) is part of your Mail Host set up and is where you got the mail from.

ACCOUNTIN6 seems to be the "name" of the server that sent the message to your IP. I doubt if it is forged, just set up badly. Anything after that probably is forged.

If you check SenderBase you will see a huge increase in mail being sent from ACCOUNTIN6 ([69.38.142.25]):

Report on IP address: 69.38.142.25
Volume Statistics for this IP
                Magnitude   Vol Change vs. Average
Last day        4.2         30085%
Last 30 days    2.8         1088%
Average         1.7

They have a server that is set up poorly and is compromised and is sending tons of spam. They are listed on SpamCop's bl:

69.38.142.25 listed in bl.spamcop.net (127.0.0.2)
Causes of listing
System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
SpamCop users have reported system as a source of spam less than 10 times in the past week
Additional potential problems (these factors do not directly result in spamcop listing)
DNS error: 69.38.142.25 has no reverse dns
Listing History
It has been listed for 29 hours.

The parser is correct not to trust anything past the first Received line.
heym0n (author), posted August 12, 2004

Well, I'm still trying to figure out why SpamCop says my spam didn't come from the registered mailhosts.
dbiel, posted August 12, 2004

> Well, I'm still trying to figure out why SpamCop says my spam didn't come from the registered mailhosts.

Your question makes no sense.

Parsing header:
0: Received: from ACCOUNTIN6 ([69.38.142.25]) by mta6.adelphia.net (InterMail vM.6.01.03.02 201-2131-111-104-20040324) with SMTP id <20040811183238.ZMOS9448.mta6.adelphia.net[at]ACCOUNTIN6>; Wed, 11 Aug 2004 14:32:38 -0400
No unique hostname found for source: 69.38.142.25
Adelphia received mail from sending system 69.38.142.25
1: Received: from nocturnal-dns.hotbox.ru ([194.10.52.142]) by a288-f63.hotbox.ru with Microsoft SMTPSVC(5.0.2195.6824); Wed, 11 Aug 2004 15:19:35 -0500
No unique hostname found for source: 194.10.52.142
Possible forgery. Supposed receiving system not associated with any of your mailhosts
Will not trust anything beyond this header

Adelphia is part of your mailhosts. They received the message from ACCOUNTIN6 ([69.38.142.25]).

"Possible forgery. Supposed receiving system not associated with any of your mailhosts" refers to the second Received line, which is NOT part of your Mailhosts.

The entire purple section of the header is probably forged. If it were valid, it would have indicated that ACCOUNTIN6 ([69.38.142.25]) had received the message. This name might be different since they do not have a reverse DNS listing.
heym0n (author), posted August 12, 2004

OK, so everything is fine then with how my mailhosts is set up? My question was in regards to SpamCop saying possible forgery etc., etc., but I wasn't aware that it was referring to the 2nd received by. Thanks for the responses!!!
StevenUnderwood, posted August 12, 2004

Thanks dbiel, my mind was not working yesterday.

The ACCOUNTING6 (and the others) are what the machine sending the message is calling itself. Inside the brackets [] is the IP address of the sending server as seen by the receiving machine, and inside the parentheses (), next to the IP address, would be the rDNS lookup of the IP address if it were done. It appears that Adelphia is not doing rDNS lookups, as it is not shown in any of your examples and I get a valid rDNS for at least your valid example.
dbiel, posted August 12, 2004

> Thanks dbiel, my mind was not working yesterday.
>
> The ACCOUNTING6 (and the others) are what the machine sending the message is calling itself. Inside the brackets [] is the IP address of the sending server as seen by the receiving machine, and inside the parentheses (), next to the IP address, would be the rDNS lookup of the IP address if it were done. It appears that Adelphia is not doing rDNS lookups, as it is not shown in any of your examples and I get a valid rDNS for at least your valid example.

Thanks Steve, you did a better job explaining it than I did. Also I did not try to check to see if there was a valid rDNS, just took the information from the various reports that I had checked that claimed that there was no rDNS.

The section indicated in green definitely helps in reading the header info. I am going to have to look to see if it is referenced anywhere in the FAQ; if not then we might want to write up something in detail about it and have Wazoo find a place for it.
dbiel, posted August 12, 2004

> OK, so everything is fine then with how my mailhosts is set up? My question was in regards to SpamCop saying possible forgery etc., etc., but I wasn't aware that it was referring to the 2nd received by. Thanks for the responses!!!

> OK, so everything is fine then with how my mailhosts is set up?

Can't answer that question completely as I do not have access to your setup and you have not provided any information on how you do receive mail. But as far as the message that you did post, it is set up correctly. If you get mail at other addresses they may or may not be set up correctly, as it depends on whether you registered them or not. Also, if you have any messages forwarded to your Adelphia account from other accounts that use different servers such as ACCOUNTING6, then they would have to be added as well. I made the assumption that you do not use ACCOUNTING6 as a valid mail source (one of the few safe assumptions I have made).

So the answer to your question is Yes, No, Maybe.
Wazoo, posted August 12, 2004

> http://www.spamcop.net/sc?id=z598902334z1c...fa91ecb09adf50z
>
> Do you see how it says received by: accounting?

OK, others have dealt with some of the details... but I'm going to remark about the content and construction of this submittal. I'm actually surprised that the parser accepted it to begin with. Can you explain the two sets of headers inserted into that submittal? First one with long lines, then a copy, but word-wrapped? Can't help but think that this is going to screw up your reports somewhere down the line (again, that it flew as is surprises me).
Ellen, posted August 13, 2004

> Well, I'm still trying to figure out why SpamCop says my spam didn't come from the registered mailhosts.

What the parser is saying is that it recognizes adelphia but it doesn't associate IP 69.38.142.25 with any of your mailhosts (and it shouldn't because it *isn't* one of your mailhosts) and therefore it cannot trust any of the other received headers -- they may or may not be forged. In any case IP 69.38.142.25 is either 1) relaying mail or 2) the source of the mail. It doesn't matter which case is true because it is the server which is delivering the spam to you/adelphia. The "supposed receiving system not associated ..." remark indicates that the parser is abandoning the parse at this point.

Admittedly some of the commentary the parser puts out is opaque and not always located exactly where a human being explaining a parse would have made the comment. I am not sure that I have been any more informative than the parse :-(
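The trust-chain logic dbiel and Ellen describe (walk the Received headers from the top, trust a hop only while the receiving MTA belongs to a registered mailhost, stop at the first hop that does not), as an added illustration that is not SpamCop's code. It assumes a hypothetical mailhost set containing only adelphia.net and uses the two headers from the thread as constructed sample input.

```python
import re

# Registered mailhosts (assumption: the poster's only mailhost is adelphia.net).
MAILHOSTS = {"adelphia.net"}

# Constructed sample: the two Received headers shown in the thread, nearest hop first.
SAMPLE_RECEIVED = [
    "from ACCOUNTIN6 ([69.38.142.25]) by mta6.adelphia.net (InterMail vM.6.01.03.02) "
    "with SMTP id <20040811183238.ZMOS9448.mta6.adelphia.net[at]ACCOUNTIN6>; "
    "Wed, 11 Aug 2004 14:32:38 -0400",
    "from nocturnal-dns.hotbox.ru ([194.10.52.142]) by a288-f63.hotbox.ru "
    "with Microsoft SMTPSVC(5.0.2195.6824); Wed, 11 Aug 2004 15:19:35 -0500",
]

# "from <HELO name> (<optional rDNS name> [<ip>]) by <receiving host>"
# The HELO name is whatever the sender calls itself; only the IP and the
# 'by' host were observed by a machine we can vouch for.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:[\w.-]+\s+)?\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)"
    r"\s+by\s+(?P<by>[\w.-]+)",
    re.IGNORECASE,
)


def is_mailhost(host, mailhosts):
    """True if host is a registered mailhost domain or a host within one."""
    host = host.lower()
    return any(host == m or host.endswith("." + m) for m in mailhosts)


def find_source(received, mailhosts):
    """Return (source_ip, notes). The source is the 'from' IP of the last hop whose
    receiving system is one of our mailhosts; everything beyond the first hop that
    fails that test is untrusted, since a sender can write arbitrary Received lines."""
    source, notes = None, []
    for idx, header in enumerate(received):
        m = RECEIVED_RE.search(header)
        if not m:
            notes.append(f"{idx}: unparseable Received header; will not trust anything beyond it")
            break
        helo, ip, by = m.group("helo"), m.group("ip"), m.group("by")
        if not is_mailhost(by, mailhosts):
            notes.append(f"{idx}: receiving system {by} not associated with any of your "
                         "mailhosts; will not trust anything beyond this header")
            break
        source = ip
        notes.append(f"{idx}: {by} received mail from {ip} (calling itself {helo})")
    return source, notes


if __name__ == "__main__":
    src, log = find_source(SAMPLE_RECEIVED, MAILHOSTS)
    print("\n".join(log))
    print("reportable source:", src)
```

On the sample the first hop is accepted because mta6.adelphia.net is within a mailhost, so 69.38.142.25 is the reportable source, and the hotbox.ru hop is where the parse stops.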
StevenUnderwood, posted August 13, 2004

Hopefully at least one of the several explanations given is understood by the OP. I hope he replies with any further questions or that he understands.