Misha_Stepanov
Posted October 11, 2004

I have mail forwarded from iae.nsk.su to lanl.gov. The headers of the E-mail message below contain lass209-075-r.dhcp.CSUChico.EDU [132.241.209.75] that is shown to be the originator of the E-mail message. From the parsing I see that only servers *.lanl.gov and *.iae.nsk.su are "processed", that I consider to be fundamentally wrong.

http://www.spamcop.net/sc?id=z681266868z69...395f2639d84486z

matejicek
Posted October 11, 2004

This seems to be the same case (I hope you don't mind if I repeat it here with headers, for clarity):

Return-Path: <Susanna[at]gual.com>
Received: from c206235.adsl.hansenet.de (ymnzmqty[at]c206235.adsl.hansenet.de [213.39.206.235])
    by <xx> (8.12.8/8.12.8) with SMTP id i99JXJcQ013790
    for <x>; Sat, 9 Oct 2004 21:33:19 +0200
Received: from gual.com (smtp.gual.com [212.38.173.220])
    by c206235.adsl.hansenet.de (Postfix) with ESMTP id B6636890FB
    for <x>; Sat, 09 Oct 2004 14:14:37 -0500
Message-ID: <1010______________________972b[at]gual.com>
From: "Parsimonious M. Pestilent" <Susanna[at]gual.com>

It appears to me that the spam originated from 212... and was transmitted to me by 213... (my server and address were replaced by <xx> and <x>). Why does SpamCop report only the 'middleman', i.e. 213... ? It does an IP check on the original source, too.

Wazoo
Posted October 11, 2004

> I have mail forwarded from iae.nsk.su to lanl.gov. The headers of the E-mail message below contain lass209-075-r.dhcp.CSUChico.EDU [132.241.209.75] that is shown to be the originator of the E-mail message. From the parsing I see that only servers *.lanl.gov and *.iae.nsk.su are "processed", that I consider to be fundamentally wrong.
>
> http://www.spamcop.net/sc?id=z681266868z69...395f2639d84486z

1. Rcvd: from mx.iae.nsk.su (mx.iae.nsk.su [193.124.169.59]) by proofpoint2.lanl.gov (8.13.1/8.13.1)
2. Rcvd: from mx.iae.nsk.su (localhost [127.0.0.1]) by be9ilter.local (Postfix)
3. Rcvd: from localhost.localdomain (iaebox.iae.nsk.su [193.124.169.49]) by mx.iae.nsk.su
4. Rcvd: from mx.iae.nsk.su (mx.iae.nsk.su [193.124.169.59]) by localhost.localdomain (8.11.6/8.9.1)
5. Rcvd: from mx.iae.nsk.su (localhost [127.0.0.1]) by be9ilter.local (Postfix)

I edited the lines down to more easily see / read them. At issue is the question of why is there so much handling involved? The SpamCop parser starts at the top and tries to work down to the source. In this case, please look at lines 2 and 5 .... then explain why lines 3 and 4 are in there.

Basically, the parser was willing to follow them as they were all "within the same domain" but line 5 brought the parser back to the now "circular" entrance point, a non-routable "localhost.localdomain" server ..... I'm having a hard time trying to explain or guess at why the e-mail goes round and round in there.

Wazoo
Posted October 11, 2004

> This seems to be the same case (I hope you don't mind if I repeat it here with headers, for clarity):

For clarity, please provide the Tracking URL. Trying to work with what you provided as your sample only gains me;

Received: from c206235.adsl.hansenet.de (ymnzmqty[at]c206235.adsl.hansenet.de [213.39.206.235]) by <xx> (8.12.8/8.12.8) with SMTP id i99JXJcQ013790 for <x>; Sat, 9 Oct 2004 21:33:19 +0200
Invalid "received by"

I've got no idea what to try to fill in the bad data with or if it really was bad stuff before you put the mung on it.

Misha_Stepanov
Posted October 11, 2004

> 1. Rcvd: from mx.iae.nsk.su (mx.iae.nsk.su [193.124.169.59]) by proofpoint2.lanl.gov (8.13.1/8.13.1)
> 2. Rcvd: from mx.iae.nsk.su (localhost [127.0.0.1]) by be9ilter.local (Postfix)
> 3. Rcvd: from localhost.localdomain (iaebox.iae.nsk.su [193.124.169.49]) by mx.iae.nsk.su
> 4. Rcvd: from mx.iae.nsk.su (mx.iae.nsk.su [193.124.169.59]) by localhost.localdomain (8.11.6/8.9.1)
> 5. Rcvd: from mx.iae.nsk.su (localhost [127.0.0.1]) by be9ilter.local (Postfix)
>
> I edited the lines down to more easily see / read them. At issue is the question of why is there so much handling involved? The SpamCop parser starts at the top and tries to work down to the source. In this case, please look at lines 2 and 5 .... then explain why lines 3 and 4 are in there.
>
> Basically, the parser was willing to follow them as they were all "within the same domain" but line 5 brought the parser back to the now "circular" entrance point, a non-routable "localhost.localdomain" server ..... I'm having a hard time trying to explain or guess at why the e-mail goes round and round in there.

1. Rcvd: from mx.iae.nsk.su (mx.iae.nsk.su [193.124.169.59]) by proofpoint2.lanl.gov (8.13.1/8.13.1) for <...[at]...lanl.gov>;
2. Rcvd: from mx.iae.nsk.su (localhost [127.0.0.1]) by be9ilter.local (Postfix) for <...[at]...lanl.gov>;
3. Rcvd: from localhost.localdomain (iaebox.iae.nsk.su [193.124.169.49]) by mx.iae.nsk.su (Postfix) for <...[at]...lanl.gov>;
4. Rcvd: from mx.iae.nsk.su (mx.iae.nsk.su [193.124.169.59]) by localhost.localdomain (8.11.6/8.9.1) for <...[at]...iae.nsk.su>;
5. Rcvd: from mx.iae.nsk.su (localhost [127.0.0.1]) by be9ilter.local (Postfix) for <...[at]...iae.nsk.su>;

These are the same lines (also edited) with <x>'s (that are shown in tracking) to be explained (the mail is forwarded from iae.nsk.su to lanl.gov). Then the meaning of lines 2 and 5 is different.

Even though, the server lass209-075-r.dhcp.CSUChico.EDU [132.241.209.75] is in headers, why not "process" it also? I mean all message passing in *.iae.nsk.su is its intrinsic life, but the message came to iae.nsk.su from somewhere else.

Wazoo
Posted October 11, 2004

Sorry, but the "for" stuff isn't part of the chain test. Only looking for the handoff from one server to the next.

Hint: the whole point of my listing and numbering the edited lines was to demonstrate the circular loop involved .. and ending up with a localhost with a non-routable IP blows any sense of going beyond that step, so the parser falls back to the last "known good" point, which is inside this circle. The HINT was for your ISP to fix the server names and / or routing.

You're trying to follow the "delivery" of the e-mail .. whereas the SpamCop parser only follows the "steps" taken by the e-mail.

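A simplified sketch of the top-down walk discussed in the posts above, added here as an illustration; it is not SpamCop's parser and not code from any poster. The function names, the loop rule (the same connecting IP and "by" host seen twice) and header line 6 are assumptions constructed for the example.

```python
import ipaddress
import re

# Newest-first Received lines as edited down in the thread. Line 6 is
# CONSTRUCTED for the CSUChico host named by the original poster; its real
# header text is not shown on the page.
RECEIVED = [
    "from mx.iae.nsk.su (mx.iae.nsk.su [193.124.169.59]) by proofpoint2.lanl.gov (8.13.1/8.13.1)",
    "from mx.iae.nsk.su (localhost [127.0.0.1]) by be9ilter.local (Postfix)",
    "from localhost.localdomain (iaebox.iae.nsk.su [193.124.169.49]) by mx.iae.nsk.su",
    "from mx.iae.nsk.su (mx.iae.nsk.su [193.124.169.59]) by localhost.localdomain (8.11.6/8.9.1)",
    "from mx.iae.nsk.su (localhost [127.0.0.1]) by be9ilter.local (Postfix)",
    "from lass209-075-r.dhcp.CSUChico.EDU (lass209-075-r.dhcp.CSUChico.EDU [132.241.209.75]) by mx.iae.nsk.su (Postfix)",
]

HOP = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9.]+)\]\)\s+by\s+(\S+)")

def parse_hop(line):
    """Return (connecting IP, receiving 'by' host), or None if unparseable."""
    m = HOP.search(line)
    if not m:
        return None
    _helo, _rdns, ip, by = m.groups()
    try:
        return ipaddress.ip_address(ip), by.lower()
    except ValueError:
        return None

def walk_chain(lines):
    """Walk newest to oldest; return (last routable IP seen, stop reason)."""
    # Only the server-to-server handoff is examined ("for" clauses are ignored).
    # No trust check is made here: older lines can be forged by the sender.
    seen, last_good = set(), None
    for n, line in enumerate(lines, 1):
        hop = parse_hop(line)
        if hop is None:
            return last_good, "unparseable line %d" % n
        if hop in seen:  # same handoff again: the chain is circular
            return last_good, "loop at line %d" % n
        seen.add(hop)
        ip, _by = hop
        if not (ip.is_loopback or ip.is_private):
            last_good = str(ip)  # non-routable hops never become the source
    return last_good, "end of headers"

if __name__ == "__main__":
    print(walk_chain(RECEIVED))                                  # stops inside iae.nsk.su
    print(walk_chain([RECEIVED[0], RECEIVED[1], RECEIVED[5]]))   # no loop: reaches line 6

```
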
Ellen
Posted October 12, 2004

> I have mail forwarded from iae.nsk.su to lanl.gov. The headers of the E-mail message below contain lass209-075-r.dhcp.CSUChico.EDU [132.241.209.75] that is shown to be the originator of the E-mail message. From the parsing I see that only servers *.lanl.gov and *.iae.nsk.su are "processed", that I consider to be fundamentally wrong.
>
> http://www.spamcop.net/sc?id=z681266868z69...395f2639d84486z

The headers are sort of convoluted but I believe I fixed the problem -- let me know if you see any other problems.

Shurik_Yakovlev
Posted October 12, 2004

Hello

Headers are correct.

source server => mx.iae.nsk.su => filter => iaebox.iae.nsk.su => forward_to_another_email => mx.iae.nsk.su => filter => destination_server

Users are not allowed to make any outside forwards; any forwards must be submitted to our mail administrators.

iaebox/~misha/.forward was removed.

Our reason to make such an authoritative decision is that otherwise our outgoing server mx.iae.nsk.su behaves as an open relay.

I'm awfully sorry for this incident.

WBR, Alexander
iae.nsk.su postmaster