Suspected Forgery in Header


trisha506

I get the following message in my spam Header from Spamcop.

1: Received: from tome.guisbjsuzy[at]whale-mail.com ([74.127.40.88]) by ifm50-ohk16.guisbjsuzy[at]whale-mail.com with Microsoft SMTPSVC(5.0.2941.6777); Tue, 31 Aug 2004 19:54:07 -0600

No unique hostname found for source: 74.127.40.88

Possible forgery. Supposed receiving system not associated with any of your mailhosts

Will not trust anything beyond this header

Does that mean I should not even bother hitting the "Send spam Report(s) Now" button when I get those messages about forgery? It seems that's all I get basically. What are the implications then, that submitting information about those types of emails turns out to be useless?

It really depends on if that line is part of your normal mail route (ie. do you use whale-mail.com) to receive your messages.

If your mailhost configuration is complete and correct, then that is a normal message stating that the line in question is a forgery so the parser is going to use the previous header to determine the source. If you look at where the reports are going, it is probably from the Line 0 part of the parse, where your ISP received the message from.

If you provide a tracking URL (the web address that can be saved for future reference) we may be able to give you more information.

It really depends on if that line is part of your normal mail route (ie. do you use whale-mail.com) to receive your messages.

If your mailhost configuration is complete and correct, then that is a normal message stating that the line in question is a forgery so the parser is going to use the previous header to determine the source.  If you look at where the reports are going, it is probably from the Line 0 part of the parse, where your ISP received the message from.

If you provide a tracking URL (the web address that can be saved for future reference) we may be able to give you more information.

Just to add one more note: If whale-mail.com is part of your mail delivery system (normal or only occasional) then your MailHosts configuration needs to be updated/completed and you should definitely NOT report any spam until you have revised and tested your MailHosts configuration.

Guys -

I'm not going to pretend that I know what you are talking about, because I don't. Maybe I didn't even ask the right question, or ask the question right. I will try with another similar thing I got when I went in through my Spamcop account to report the individual abuses.

I am showing you the entire "spam Header." You will recognize the format because it comes right from Spamcop. The thing I am concerned about is the bolded part. What does "possible forgery" mean? Does it mean that there is nowhere to report this and this spam can't be stopped? I guess I don't understand the meaning of the entire bolded part. Is it anything I need to be concerned about?

I apologize for being very unsophisticated about all of this. I am not well versed in any of it.

Thank you.

By the way, I use cox.net to receive my email

______________________________

This page may be saved for future reference:

http://www.spamcop.net/sc?id=z638734604z7a...d734aff9c88f73z

<Parsing page results deleted by Wazoo, as the Tracking URL above is all that's needed to see the issue being queried.>

It looks like you have quite a bit to learn still, so will try to help a bit

The thing I am concerned about is the bolded part. What does "possible forgery" mean? Does it mean that there is nowhere to report this and this spam can't be stopped? I guess I don't understand the meaning of the entire bolded part. Is it anything I need to be concerned about?
If you will look at the bottom half of the report (copied below), this is the list of addresses the report would be sent to if you clicked on the button "send reports":
Report spam to:

Re: 80.242.254.136 (Administrator of network where email originates)

To: abuse[at]quicknet.nl (Notes)

Re: 80.242.254.136 (Third party interested in email source)

To: Cyveillance spam collection (Notes)

Re: http://www.mmfin.info/ (Administrator of network hosting website referenced in spam)

To: ct-abuse[at]sprint.net (Notes)

To: ipadm[at]gddc.com.cn (Notes)

To: postmaster#chinanet.cn.net[at]devnull.spamcop.net (Notes)

To: anti-spam[at]chinanet.cn.net (Notes)

As far as the "Possible forgery. Supposed receiving system not associated with any of your mailhosts

Will not trust anything beyond this header" goes, there is nothing to be concerned about. It simply means that anything in the header beyond that point may or may not be forged and therefore will not be considered in the reporting process.

What type of answer do you want? What you have pasted shows the Parsing engine's output and decision points. If you are using cox for your ISP, then in all likelihood, quicknet.nl is someone you probably have never heard of. And if you have never heard of them, why are you having a problem with the SpamCop parser identifying this ISP as not being on "your normal e-mail flow" scenario? As far as the forgery aspects, look at those headers .... isn't it kind of obvious that there's something funny about those lines that include the IP of 80.242.254.136 .. the alleged same server receiving this same e-mail from three other places???

You are seeing this specific "forgery / error" code because you have gone through the Mail-Host configuration. Understand it or not, it appears to be a good thing for lots of people as it reduces the problems of reporting one's own ISP.

This example has correctly chosen the spam spew source. What else do you want to hear?

This example has correctly chosen the spam spew source.  What else do you want to hear?

...Perhaps this: don't worry about it, Trisha. It's some extra information that the SpamCop parser threw in for the benefit of people who might care. For what it's worth, I have always done my reporting as if that message weren't there and, as far as I know, everything is fine.

Hostname verified: dsl-80-242-254-136.quicknet.nl

Spamcop has confirmed that [80.242.254.136] has a rDNS entry on the internet. This means the IP is expected to be seen on the internet by its owner.

Cox received mail from sending system 80.242.254.136

Cox (your ISP's hostname) received mail from machine at 80.242.254.136. This has been accepted and trusted by the parser.

Hostname verified: pcp08747306pcs.dckrsn01.tn.comcast.net

Spamcop has confirmed that [68.52.253.167] has an rDNS entry on the internet.

Possible forgery. Supposed receiving system not associated with any of your mailhosts

The host reported receiving mail for your address (by 80.242.254.136) is not listed in your mailhost configuration as supposed to be touching your messages, so spamcop does not trust this line to be valid. IF it were supposed to be handling your messages, because it was one of your ISPs for instance, it indicates your mailhost configuration is not complete and you should not report this message (because you would be reporting your ISP).

Will not trust anything beyond this header

Because it does not trust line 1, it will not process any more headers because they also cannot be trusted.

If you have any further questions, please do not hesitate to ask. That is why I and many others hang around here, to help people understand this process.

<snip excellent explanation of parser messages>

Possible forgery. Supposed receiving system not associated with any of your mailhosts

The host reported receiving mail for your address (by 80.242.254.136) is not listed in your mailhost configuration as supposed to be touching your messages, so spamcop does not trust this line to be valid. IF it were supposed to be handling your messages, because it was one of your ISPs for instance, it indicates your mailhost configuration is not complete and you should not report this message (because you would be reporting your ISP).

<snip>

...Another (and I would suggest, better) way for you to tell that you might be reporting your ISP (which is something you really, really want to avoid!) is that one of the e-mail addresses to which SpamCop offers to send a spam report includes "cox.net".

Many of the lines that the parser adds to its analysis are very cryptic and don't always mean exactly what they seem to say. After you have seen them a few times and have seen what the parser chooses for reports, you kind of get a feel for what they intend to mean. Also because of the code, they don't always seem to appear in the 'right' place that a human doing a parse would be likely to put them. Humans also will look things up in a different order.

As Steve (turetzer) says, if the choice for reports looks reasonable and is not choosing your ISP every time, then probably things are going all right. In order to understand the technical details and comments, you really have to know how to read headers yourself and maybe understand about programming a little. But if you look at them enough, even the technically non-fluent can grasp the concepts if not be able to explain exactly what the parser is doing.

I think others have explained that when the parser gets to a header that doesn't work, it stops looking at the headers and goes to the header line that it can trust to be not forged to find the IP address from which the spam came. For most spam that is where your ISP received it from the internet. There may be other headers where your ISP has passed it to other computers on its way to your mailbox. If you have configured mailhosts, then the parser recognizes those computers and ignores them.

Even the deputies can't explain /why/ the parser makes its comments or /why/ they are phrased the way they are. All they can do is to tell you /what/ the parser is doing at that step.

Miss Betsy

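A small model of the header walk described in the two explanations above (the per-line parser notes and Miss Betsy's summary), added here as an illustration; it is not SpamCop's own code. It assumes a constructed reverse-DNS table, an assumed cox.net hostname (smtp-in.cox.net), and Received lines constructed to match the thread's second report.

```python
import re

# Constructed stand-in for live reverse-DNS lookups (names taken from the thread).
RDNS = {
    "80.242.254.136": "dsl-80-242-254-136.quicknet.nl",
    "68.52.253.167": "pcp08747306pcs.dckrsn01.tn.comcast.net",
}
# Matches "from <helo> (<rdns> [<ip>]) by <host>"; lines without a bracketed IP are not parsed.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\([^()\[]*\[(?P<ip>\d+(?:\.\d+){3})\][^)]*\)\s+by\s+(?P<by>\S+)")

def in_mailhosts(host, mailhosts):
    host = host.lower()
    return any(host == m or host.endswith("." + m) for m in mailhosts)

def find_source(received, mailhosts, rdns=RDNS):
    """Walk Received lines top-down (line 0 = where your ISP took the mail from the
    internet). A hop is trusted only if its 'by' host is one of your mailhosts; the
    first hop that is not ends the walk. Returns (ip_of_last_trusted_hop, notes)."""
    notes, source = [], None
    for n, line in enumerate(received):
        m = RECEIVED_RE.search(line)
        if not m:
            notes.append(f"{n}: could not parse Received line, stopping")
            break
        ip, by = m["ip"], m["by"]
        name = rdns.get(ip)  # rDNS check comes first, as in the thread's parser output
        notes.append(f"{n}: Hostname verified: {name}" if name
                     else f"{n}: No unique hostname found for source: {ip}")
        if not in_mailhosts(by, mailhosts):
            notes.append(f"{n}: Possible forgery. Supposed receiving system "
                         "not associated with any of your mailhosts")
            notes.append("Will not trust anything beyond this header")
            break
        if name and in_mailhosts(name, mailhosts):  # your ISP handing mail to itself
            notes.append(f"{n}: internal hop from your own mailhost {name}, ignored")
            continue
        source = ip  # later trusted hops are closer to the real origin
        notes.append(f"{n}: {by} received mail from sending system {ip}")
    return source, notes

# Constructed headers modelled on the thread's second report; smtp-in.cox.net is an assumed name.
SAMPLE = [
    "Received: from dsl-80-242-254-136.quicknet.nl (dsl-80-242-254-136.quicknet.nl "
    "[80.242.254.136]) by smtp-in.cox.net with ESMTP; Tue, 31 Aug 2004 19:54:07 -0600",
    "Received: from pcp08747306pcs.dckrsn01.tn.comcast.net ([68.52.253.167]) "
    "by 80.242.254.136 with SMTP; Tue, 31 Aug 2004 19:50:01 -0600",
]
if __name__ == "__main__":
    print(find_source(SAMPLE, {"cox.net"}))
```

Run against SAMPLE with cox.net as the only mailhost, the walk trusts line 0, flags line 1 as a possible forgery and reports 80.242.254.136, exactly the outcome the thread describes.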

example has correctly chosen the spam spew source. What else do you want to hear?
by Wazoo

...Perhaps this: don't worry about it, Trisha. It's some extra information that the SpamCop parser threw in for the benefit of people who might care. For what it's worth, I have always done my reporting as if that message weren't there and, as far as I know, everything is fine.
by turetzsr

Steve T, thank you! I think that's probably exactly what I needed to hear. :):):)

I do sincerely thank you all for taking the time to explain what you did to me. I read each response carefully because I do want to become more knowledgeable about the technical side of reporting. Thanks for not treating me like the complete idiot I probably appear to be!

Trisha

P.S. I actually tried to figure out how to put in a quote that showed the name of the person who posted it but finally gave up. What you see is my contrived version. :)

<snip> P.S.  I actually tried to figure out how to put in a quote that showed the name of the person who posted it but finally gave up.  What you see is my contrived version.  :)

Your contrived version is very effective and makes a good alternate method as well. In case you are still interested in how it is done see: Using the Reply button
