
Strange processing of SPAM E-mail


Misha_Stepanov


I have mail forwarded from iae.nsk.su to lanl.gov. The headers of the E-mail message below contain lass209-075-r.dhcp.CSUChico.EDU [132.241.209.75], which is shown to be the originator of the E-mail message. From the parsing I see that only servers *.lanl.gov and *.iae.nsk.su are "processed", which I consider to be fundamentally wrong.

http://www.spamcop.net/sc?id=z681266868z69...395f2639d84486z


This seems to be the same case (I hope you don't mind if I repeat it here with headers, for clarity):

Return-Path: <Susanna[at]gual.com>
Received: from c206235.adsl.hansenet.de (ymnzmqty[at]c206235.adsl.hansenet.de [213.39.206.235])
        by <xx> (8.12.8/8.12.8) with SMTP id i99JXJcQ013790
        for <x>; Sat, 9 Oct 2004 21:33:19 +0200
Received: from gual.com (smtp.gual.com [212.38.173.220])
        by c206235.adsl.hansenet.de (Postfix) with ESMTP id B6636890FB
        for <x>; Sat, 09 Oct 2004 14:14:37 -0500
Message-ID: <1010______________________972b[at]gual.com>
From: "Parsimonious M. Pestilent" <Susanna[at]gual.com>

It appears to me that the spam originated from 212... and was transmitted to me by 213... (my server and address were replaced by <xx> and <x>). Why does SpamCop report only the "middleman", i.e. 213...? It does an IP check on the original source, too.


I have mail forwarded from iae.nsk.su to lanl.gov. The headers of the E-mail message below contain lass209-075-r.dhcp.CSUChico.EDU [132.241.209.75] that is shown to be the originator of the E-mail message. From the parsing I see that only servers *.lanl.gov and *.iae.nsk.su are "processed", that I consider to be fundamentally wrong.

http://www.spamcop.net/sc?id=z681266868z69...395f2639d84486z


1. Rcvd: from mx.iae.nsk.su (mx.iae.nsk.su [193.124.169.59]) by proofpoint2.lanl.gov (8.13.1/8.13.1)
2. Rcvd: from mx.iae.nsk.su (localhost [127.0.0.1]) by be9ilter.local (Postfix)
3. Rcvd: from localhost.localdomain (iaebox.iae.nsk.su [193.124.169.49]) by mx.iae.nsk.su
4. Rcvd: from mx.iae.nsk.su (mx.iae.nsk.su [193.124.169.59]) by localhost.localdomain (8.11.6/8.9.1)
5. Rcvd: from mx.iae.nsk.su (localhost [127.0.0.1]) by be9ilter.local (Postfix)

I edited the lines down to more easily see / read them. At issue is the question of why there is so much handling involved. The SpamCop parser starts at the top and tries to work down to the source. In this case, please look at lines 2 and 5 .... then explain why lines 3 and 4 are in there. Basically, the parser was willing to follow them as they were all "within the same domain", but line 5 brought the parser back to the now "circular" entrance point, a non-routable "localhost.localdomain" server ..... I'm having a hard time trying to explain or guess why the e-mail goes round and round in there.


This seems to be the same case (I hope you don't mind if I repeat it here with headers, for clarity):

For clarity, please provide the Tracking URL.

Trying to work with what you provided as your sample only gains me:

Received: from c206235.adsl.hansenet.de (ymnzmqty[at]c206235.adsl.hansenet.de [213.39.206.235]) by <xx> (8.12.8/8.12.8) with SMTP id i99JXJcQ013790 for <x>; Sat, 9 Oct 2004 21:33:19 +0200

Invalid "received by"

I've got no idea what to try to fill in the bad data with, or if it really was bad stuff before you put the mung on it.


1. Rcvd: from mx.iae.nsk.su (mx.iae.nsk.su [193.124.169.59]) by proofpoint2.lanl.gov (8.13.1/8.13.1)
2. Rcvd: from mx.iae.nsk.su (localhost [127.0.0.1]) by be9ilter.local (Postfix)
3. Rcvd: from localhost.localdomain (iaebox.iae.nsk.su [193.124.169.49]) by mx.iae.nsk.su
4. Rcvd: from mx.iae.nsk.su (mx.iae.nsk.su [193.124.169.59]) by localhost.localdomain (8.11.6/8.9.1)
5. Rcvd: from mx.iae.nsk.su (localhost [127.0.0.1]) by be9ilter.local (Postfix)

I edited the lines down to more easily see / read them. At issue is the question of why there is so much handling involved. The SpamCop parser starts at the top and tries to work down to the source. In this case, please look at lines 2 and 5 .... then explain why lines 3 and 4 are in there. Basically, the parser was willing to follow them as they were all "within the same domain", but line 5 brought the parser back to the now "circular" entrance point, a non-routable "localhost.localdomain" server ..... I'm having a hard time trying to explain or guess why the e-mail goes round and round in there.


1. Rcvd: from mx.iae.nsk.su (mx.iae.nsk.su [193.124.169.59]) by proofpoint2.lanl.gov (8.13.1/8.13.1) for <...[at]...lanl.gov>;
2. Rcvd: from mx.iae.nsk.su (localhost [127.0.0.1]) by be9ilter.local (Postfix) for <...[at]...lanl.gov>;
3. Rcvd: from localhost.localdomain (iaebox.iae.nsk.su [193.124.169.49]) by mx.iae.nsk.su (Postfix) for <...[at]...lanl.gov>;
4. Rcvd: from mx.iae.nsk.su (mx.iae.nsk.su [193.124.169.59]) by localhost.localdomain (8.11.6/8.9.1) for <...[at]...iae.nsk.su>;
5. Rcvd: from mx.iae.nsk.su (localhost [127.0.0.1]) by be9ilter.local (Postfix) for <...[at]...iae.nsk.su>;

These are the same lines (also edited) with the <x>'s (that are shown in the tracking) to be explained (the mail is forwarded from iae.nsk.su to lanl.gov). Then the meaning of lines 2 and 5 is different.

Even though the server lass209-075-r.dhcp.CSUChico.EDU [132.241.209.75] is in the headers, why not "process" it also? I mean, all message passing within *.iae.nsk.su is its intrinsic life, but the message came to iae.nsk.su from somewhere else.


Sorry, but the "for" stuff isn't part of the chain test. It is only looking for the handoff from one server to the next. Hint: the whole point of my listing and numbering the edited lines was to demonstrate the circular loop involved .. and ending up with a localhost with a non-routable IP blows any sense of going beyond that step, so the parser falls back to the last "known good" point, which is inside this circle. The HINT was for your ISP to fix the server names and / or routing.

You're trying to follow the "delivery" of the e-mail .. whereas the SpamCop parser only follows the "steps" taken by the e-mail.

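As an added illustration of the chain walk described in the replies above (this is my own model, not SpamCop's code and not code from any poster here): a small Python walker follows the quoted Received: lines top-down, treats a loopback hand-off as an internal relay it can follow but never report, and stops as soon as a hop repeats, which is why it never reaches the CSUChico host. The final Received line standing in for the entry into iae.nsk.su, the walk rules and the function names are my assumptions.

```python
import ipaddress
import re

# Simplified Received: lines as quoted in the thread, top line = closest to the
# recipient. The last line is a constructed hop standing in for where the message
# entered iae.nsk.su; it is not one of the quoted headers.
RECEIVED = [
    "from mx.iae.nsk.su (mx.iae.nsk.su [193.124.169.59]) by proofpoint2.lanl.gov (8.13.1/8.13.1)",
    "from mx.iae.nsk.su (localhost [127.0.0.1]) by be9ilter.local (Postfix)",
    "from localhost.localdomain (iaebox.iae.nsk.su [193.124.169.49]) by mx.iae.nsk.su (Postfix)",
    "from mx.iae.nsk.su (mx.iae.nsk.su [193.124.169.59]) by localhost.localdomain (8.11.6/8.9.1)",
    "from mx.iae.nsk.su (localhost [127.0.0.1]) by be9ilter.local (Postfix)",
    "from lass209-075-r.dhcp.CSUChico.EDU (lass209-075-r.dhcp.CSUChico.EDU [132.241.209.75]) by mx.iae.nsk.su (Postfix)",
]

# from <helo> (<rdns> [<ip>]) by <host> ...
HOP_RE = re.compile(r"from\s+(\S+)\s+\(([^\[\]]*?)\s*\[([0-9.]+)\]\)\s+by\s+(\S+)")


def parse_hop(line):
    """Return (helo, rdns, ip, by_host) for one Received: line, or None."""
    m = HOP_RE.search(line)
    return m.groups() if m else None


def walk_chain(received):
    """Walk from the recipient toward the origin (simplified model, not SpamCop's).

    A hop handed off from a non-routable IP is followed but can never be the
    reported source; a hop identical to one already walked means the trail is
    circular and the walk stops; the source is the last routable IP seen before.
    """
    seen = set()
    last_routable = None
    for n, line in enumerate(received, start=1):
        hop = parse_hop(line)
        if hop is None:
            return {"source": last_routable, "stopped_at": n, "reason": "unparseable"}
        if hop in seen:
            return {"source": last_routable, "stopped_at": n, "reason": "loop"}
        seen.add(hop)
        ip = ipaddress.ip_address(hop[2])
        if ip.is_loopback or ip.is_private or ip.is_link_local:
            continue  # localhost / internal relay: follow it, but never report it
        last_routable = (n, hop[2])
    return {"source": last_routable, "stopped_at": len(received), "reason": "end of headers"}


if __name__ == "__main__":
    print(walk_chain(RECEIVED))  # stops at line 5 (loop), reports line 4: 193.124.169.59
```

Dropping the four internal hops (lines 2 to 5) from the list lets the same walk run straight through to the constructed CSUChico hop, which is the "fix the server names and / or routing" point made above.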
I have mail forwarded from iae.nsk.su to lanl.gov. The headers of the E-mail message below contain lass209-075-r.dhcp.CSUChico.EDU [132.241.209.75] that is shown to be the originator of the E-mail message. From the parsing I see that only servers *.lanl.gov and *.iae.nsk.su are "processed", that I consider to be fundamentally wrong.

http://www.spamcop.net/sc?id=z681266868z69...395f2639d84486z


The headers are sort of convoluted, but I believe I fixed the problem. Let me know if you see any other problems.


Hello

Headers are correct.

source server => mx.iae.nsk.su => filter => iaebox.iae.nsk.su => forward_to_another_email => mx.iae.nsk.su => filter => destination_server

Users are not allowed to make any outside forwards; any forwards must be submitted to our mail administrators.

iaebox/~misha/.forward was removed.

Our reason for making such an authoritative decision is that otherwise our outgoing server mx.iae.nsk.su behaves as an open relay.

I'm awfully sorry for this incident.

WBR, Alexander

iae.nsk.su postmaster
