gottago Posted November 3, 2004
I currently use Spamcop to filter several accounts on mydomain.com. I then have SpamCop forward to an anonymous email account on mydomain.com. It seems that all and I do mean ALL of the spam that is held by SpamCop resolves to what appears to be my IP address. Initially I thought nothing of it as I am in a shared environment and thought someone on my server was responsible, but I am now being told that it is me that is spamming and causing the entire server to be shut down. How can I fix this as I want to continue to report any spam received?
Wazoo Posted November 3, 2004
Please provide a Tracking URL of at least one of these "problem" submittals so someone has the means to look at what you're submitting, what the parser is seeing and doing, and probably the worst item, what you are selecting for the "Send Reports Now" targets. The obvious remark is to suggest you look at the FAQ, as this issue is addressed there ... and the obvious question is whether or not you've configured your account to use the MailHost thing ...????
gottago (Author) Posted November 3, 2004
Quoting Wazoo: Please provide a Tracking URL of at least one of these "problem" submittals so someone has the means to look at what you're submitting, what the parser is seeing and doing, and probably the worst item, what you are selecting for the "Send Reports Now" targets. The obvious remark is to suggest you look at the FAQ, as this issue is addressed there ... and the obvious question is whether or not you've configured your account to use the MailHost thing ...????

Thanks for the quick reply. I am pretty confident that I have set up my auto-forwards correctly but will review the FAQs for insurance. Basically, I have a number of accounts on mydomain.com going to my SpamCop account that forwards 'clean' email to an anonymous account on mydomain.com. As far as a tracking url see below. Tracking URL All help is appreciated.
Wazoo Posted November 3, 2004
Problem starts with this line in the "received" headers;

Received: from win3.hostony.net (HELO win2.fastbighost.com) (69.93.137.162)

(Although, this problem might be due to the actions addressed by the next line;

Received: with MailEnable Postoffice Connector; Tue, 02 Nov 2004 02:11:06 +0000

Sitting out here in the world, there is no way to guess at just what this line actually said happened to the e-mail ... was this "your forward" .. was this something internal?) Problem "explained" in the chain test steps;

host win2.fastbighost.com (checking ip) = 216.168.41.231 216.168.41.231 not listed in dnsbl.njabl.org 216.168.41.231 not listed in cbl.abuseat.org 216.168.41.231 not listed in dnsbl.sorbs.net Chain test:win2.fastbighost.com =? win3.hostony.net host win3.hostony.net (checking ip) = 69.93.137.162 69.93.137.162 is not an MX for win2.fastbighost.com host win2.fastbighost.com (checking ip) = 216.168.41.231 69.93.137.162 is not an MX for win2.fastbighost.com Chain test failed Chain test:win2.fastbighost.com =? 69.93.137.162 69.93.137.162 is not an MX for win2.fastbighost.com host win2.fastbighost.com (checking ip) = 216.168.41.231 69.93.137.162 is not an MX for win2.fastbighost.com Chain test failed Chain error win2.fastbighost.com not equal to last sender received line discarded

where 216.168.41.231 shows up as;

11/03/04 00:39:49 IP block 216.168.41.231 Trying 216.168.41.231 at ARIN Trying 216.168.41 at ARIN OrgName: digital.forest, Inc. OrgID: DIGF Address: 19515 North Creek Address: Parkway, Suite 208 City: Bothell StateProv: WA NetRange: 216.168.32.0 - 216.168.63.255 CIDR: 216.168.32.0/19 NetName: DIGITAL-FOREST-BLK-1 NetHandle: NET-216-168-32-0-1 Parent: NET-216-0-0-0-0 NetType: Direct Allocation NameServer: OAK.FOREST.NET NameServer: WILLOW.FOREST.NET Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE RegDate: 1998-12-29 Updated: 2001-09-26

And, as conjectured, the critical line;

Reports regarding this spam have already been sent: Re: 69.93.137.162 (Administrator of network where email originates) Reportid: 1279355151 To: abuse[at]theplanet.com

If there is forgery involved in these headers, you're going to have to help out a bit and explicitly identify the anonymous "mydomain" stuff as you're the only one that knows what systems are actually involved at this point. If not a forgery, you are at the mercy of a really screwed up server configuration. And to harp on that last point, you are the ultimate responsibility as to which and where reports go out. Because the parse resolved and lists a URL found in the body but no report was sent out, it would appear that you have fallen victim to one of the bad issues involved with Quick-Reporting. I would suggest that you not do this until this matter of header data content gets resolved. You need to do a "full report" so you can de-select your ISP if this continues to be an issue.
Jeff G. Posted November 3, 2004
Why does your mailserver, which uses IP Address "69.93.137.162" that has DNS Name "win3.hostony.net" insist on calling itself "win2.fastbighost.com" (the name of an entirely different IP Address 216.168.41.231)? This is messing up SpamCop's Parser's Chain Test and causing you to report your mailserver to abuse[at]theplanet.com. Thanks!
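Added example, not SpamCop's code (the real parser does more): a simplified reconstruction of the chain test that Wazoo's parser output and Jeff G.'s explanation describe, run over constructed Received lines modelled on the two quoted in this thread (the HELO form above and the bracketed-IP form gottago posts later). DNS answers come from a constructed table of the values quoted in the thread, and reporter.example is a placeholder for the reporter's own mailhost.

```python
import re
from typing import Optional

# Constructed forward-DNS table built from the dig/whois values quoted in the
# thread; a live check would query A and MX records instead.
DNS_A = {
    "win3.hostony.net": "69.93.137.162",
    "win2.fastbighost.com": "216.168.41.231",
    "hostony.com": "209.152.175.150",
}
DNS_MX = {"fastbighost.com": ["hostony.com"]}  # win2.fastbighost.com has none

# Matches "from NAME (HELO X) (IP) by HOST" and "from NAME ([IP]) by HOST".
RECEIVED = re.compile(
    r"from\s+(?P<name>\S+)"
    r"(?:\s+\(HELO\s+(?P<helo>[^\s)]+)\))?"
    r"(?:\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\))?"
    r"(?:\s+by\s+(?P<by>\S+))?",
    re.IGNORECASE,
)

def resolve(name: str) -> Optional[str]:
    return DNS_A.get(name.lower())

def chain_ok(by_host: str, sender_ip: str) -> bool:
    """Chain test: the host that says it received the mail ("by") must own the
    IP of the hop above it, directly or through one of its MX hosts."""
    if resolve(by_host) == sender_ip:
        return True
    return any(resolve(mx) == sender_ip for mx in DNS_MX.get(by_host.lower(), []))

def trace_source(received_lines: list[str]) -> tuple[Optional[str], list[str]]:
    """Walk Received headers newest-first and return (blamed IP, log). The first
    hop is trusted (the reporter's mailhost); on the first chain failure the rest
    of the chain is discarded and the last accepted sender gets the blame."""
    last_ip, log = None, []
    for line in received_lines:
        m = RECEIVED.search(line)
        if not m or not m.group("ip"):
            continue  # e.g. the "with MailEnable Postoffice Connector" line
        if last_ip is not None:
            by_host = m.group("by") or ""
            log.append(f"Chain test: {by_host} =? {last_ip}")
            if not chain_ok(by_host, last_ip):
                log.append(f"Chain error: {by_host} not equal to last sender, "
                           "received line discarded")
                break
        last_ip = m.group("ip")
    return last_ip, log

# Constructed headers modelled on the two Received lines quoted in the thread.
BROKEN = [
    "Received: from win3.hostony.net (HELO win2.fastbighost.com) (69.93.137.162)"
    " by reporter.example",  # placeholder for the reporter's mailhost
    "Received: with MailEnable Postoffice Connector; Tue, 02 Nov 2004 02:11:06 +0000",
    "Received: from 69.93.137.162 ([202.83.174.42]) by win2.fastbighost.com"
    " with MailEnable ESMTP; Tue, 09 Nov 2004 21:55:55 +0000",
]
# The same mail if the server identified itself by its real DNS name.
FIXED = [BROKEN[0], BROKEN[1], BROKEN[2].replace("by win2.fastbighost.com", "by win3.hostony.net")]

if __name__ == "__main__":
    print(trace_source(BROKEN)[0], trace_source(FIXED)[0])  # 69.93.137.162 202.83.174.42
```

With the server calling itself win2.fastbighost.com the chain breaks at gottago's own server and 69.93.137.162 is blamed; with the real name the walk continues to the actual sending IP.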
gottago (Author) Posted November 3, 2004
Thanks for the responses. Wazoo: I have forwarded your analysis to hostony (my host) as I partially understand this stuff. My domain... skylinefinancial.com... is on a shared server ... win3.hostony.net. I have no idea of the relationship to win2.fastbighost.com. I will take your suggestion of doing a full report and deselecting my host prior to reporting. Jeff G: I have no idea. This too has been forwarded to my host. Unfortunately I am not knowledgeable enough to answer these questions so I have to rely on my host for answers. Thanks again...
Wazoo Posted November 3, 2004
Wow! The whole time I was looking all that stuff up, trying to make sense out of it, point to the right things, ... had the intent to actually type in the words "you need to talk to your host(s)" .... and looking back through all that stuff, I see I forgot to actually add that thought in there. Yep, you did the right thing. That "relationship" between the two "ISPs" is the real question. That a server would lie this much is an astounding situation .. though I really should go look, I don't recall your Domain being in the mix at all? OK, I had to go look .. obviously, I'm not awake yet. There it is right there in the line; Delivered-To: x Gads, off for another cup of coffee ....
gottago (Author) Posted November 4, 2004
As I suspected, my host Hostony.com is reselling theplanet.com. I am awaiting a response as to the relationship between Hostony and Fastbighost as you both have mentioned. Is it possible that by using a cesmail.net mail account instead of a spamcop.net mail account this problem exists? Edit: I have received the following response regarding the relationship issue: "win2.fastbighost.com is secondary name of our server. We have used this setting and will use it forever. If SpamCop rules don't allow such things that their issue. " My ISP is not too happy with me because my reporting caused theplanet.com to shut down their server for over 6 hours, which is why I want to get to the bottom of this. Any thoughts?
Jeff G. Posted November 4, 2004
Quoting gottago: Is it possible that by using a cesmail.net mail account instead of a spamcop.net mail account this problem exists?

This problem would still exist if your address was at cesmail.net.

Quoting gottago: "win2.fastbighost.com is secondary name of our server. We have used this setting and will use it forever. If SpamCop rules don't allow such things that their issue. " My ISP is not too happy with me cause my reporting cause theplanet.com to shut down their server for over 6 hours which is why I want to get to the bottom of this. Any thoughts?

Please try configuring Mailhosts and/or asking the Deputies to trust this host. Thanks.
DavidT Posted November 4, 2004
Quoting gottago: My domain... skylinefinancial.com... is on a shared server ... win3.hostony.net.

Regarding the DNS and mail settings for your domain...there are some problems. Take a look here: http://dnsreport.com/tools/dnsreport.ch?do...nefinancial.com Scroll down to the "Mail" section where you'll find some issues, some of which should be resolved. For example, you don't seem to have a "postmaster" address...this violates Internet standards. You also don't seem to have an "abuse" address, which is less serious, but enough to get you listed on some blocking services. Interesting location for your hosting company...their business address is on the channel islands off of the coast of France....although the reseller above them and the NOC are all in the United States. DT
Wazoo Posted November 4, 2004
Quoting gottago: As I suspected, my host Hostony.com is reselling theplanet.com. I am awaiting a response as to the relationship between Hostony and Fastbighost as you both have mentioned.

Dig fastbighost.com[at]dns5.name-services.com (212.118.243.118) ... Authoritative Answer Query for fastbighost.com type=255 class=1 fastbighost.com A (Address) 216.168.60.84 fastbighost.com A (Address) 216.168.41.240 fastbighost.com MX (Mail Exchanger) Priority: 10 hostony.com fastbighost.com SOA (Zone of Authority) Primary NS: dns1.name-services.com Responsible person: info[at]name-services.com

Quoting gottago: Is it possible that by using a cesmail.net mail account instead of a spamcop.net mail account this problem exists?

JeffG already answered --- no difference.

Quoting gottago: I have received the following response regarding the relationship issue: "win2.fastbighost.com is secondary name of our server. We have used this setting and will use it forever. If SpamCop rules don't allow such things that their issue. "

Dig Hostony.com[at]ns16.hostony.net (209.152.170.32) ... Authoritative Answer Query for Hostony.com type=255 class=1 Hostony.com SOA (Zone of Authority) Primary NS: ns11.Hostony.com Responsible person: administrator[at]Hostony.com serial:1069170846 refresh:28800s (8 hours) retry:7200s (2 hours) expire:3600000s (410 days) minimum-ttl:86400s (24 hours) Hostony.com NS (Nameserver) ns16.hostony.net Hostony.com NS (Nameserver) ns11.Hostony.com Hostony.com A (Address) 209.152.175.150 Hostony.com MX (Mail Exchanger) Priority: 10 Hostony.com Hostony.com MX (Mail Exchanger) Priority: 0 secure.Hostony.com ns11.Hostony.com A (Address) 207.44.244.81 ns16.hostony.net A (Address) 209.152.170.32 secure.Hostony.com A (Address) 209.152.175.151

Dig Hostony.com[at]ns11.Hostony.com (207.44.244.81) ... Authoritative Answer Recursive queries supported by this server Query for Hostony.com type=255 class=1 Hostony.com SOA (Zone of Authority) Primary NS: ns11.Hostony.com Responsible person: administrator[at]Hostony.com serial:1069170846 refresh:28800s (8 hours) retry:7200s (2 hours) expire:3600000s (410 days) minimum-ttl:86400s (24 hours) Hostony.com NS (Nameserver) ns16.hostony.net Hostony.com NS (Nameserver) ns11.Hostony.com Hostony.com A (Address) 209.152.175.150 Hostony.com MX (Mail Exchanger) Priority: 0 secure.Hostony.com Hostony.com MX (Mail Exchanger) Priority: 10 Hostony.com ns11.Hostony.com A (Address) 207.44.244.81 secure.Hostony.com A (Address) 209.152.175.151

Dig Hostony.com[at]199.5.157.128 ... Non-authoritative answer Recursive queries supported by this server Query for Hostony.com type=255 class=1 Hostony.com NS (Nameserver) ns11.Hostony.com Hostony.com NS (Nameserver) ns16.hostony.net Hostony.com NS (Nameserver) ns11.Hostony.com Hostony.com NS (Nameserver) ns16.hostony.net ns11.Hostony.com A (Address) 207.44.244.81

I don't see their so-called secondary MX listed here, which is also why the SpamCop parser made the decision: 69.93.137.162 is not an MX for win2.fastbighost.com

Dig skylinefinancial.com[at]win3.hostony.net (69.93.137.162) ... Authoritative Answer Recursive queries supported by this server Query for skylinefinancial.com type=255 class=1 skylinefinancial.com A (Address) 69.93.137.162 skylinefinancial.com NS (Nameserver) win3.hostony.net skylinefinancial.com NS (Nameserver) win4.hostony.net skylinefinancial.com SOA (Zone of Authority) Primary NS: win3.hostony.net Responsible person: hostmaster[at]skylinefinancial.com serial:2004030611 refresh:3600s (60 minutes) retry:900s (15 minutes) expire:604800s (7 days) minimum-ttl:14400s (4 hours) skylinefinancial.com MX (Mail Exchanger) Priority: 21 mail.skylinefinancial.com win3.hostony.net A (Address) 69.93.137.162 mail.skylinefinancial.com A (Address) 69.93.137.162

no secondary there ....

Quoting gottago: My ISP is not too happy with me cause my reporting cause theplanet.com to shut down their server for over 6 hours which is why I want to get to the bottom of this.

I'm tired, but thus far it looks like configuration and registration issues. Yes, they surely have back-up, redundant, secondary, whatever systems to support their users, but .... I just don't see it in the records at this point .... not an exhaustive search, but then again, I shouldn't have to scratch that deep to find something that should be as obvious as they make it sound.
DavidT Posted November 4, 2004
Quoting Wazoo: no secondary there ....

It's not a secondary MX....it's simply another name for the only MX, which is actually permitted (but discouraged) as long as the IP is the same. Wazoo, please click on the DNSReport link I provided earlier....here it is again: http://dnsreport.com/tools/dnsreport.ch?do...nefinancial.com Look in the "Mail" section, where you'll see a warning about the "Mail server host name in greeting." Specifically "mail.skylinefinancial.com claims to be host win2.fastbighost.com" but this shouldn't really give the SC system indigestion. I've got domains on boxes where that happens, and my parsing and mailhosts are fine, in spite of that. DT
Wazoo Posted November 4, 2004
OK, did that .... also see a warning there about the lack of a Secondary MX <g> That data is fine, no argument ... but it still doesn't answer my original "call" to the question of identities involved ... specifically, the Received line;

Received: from win3.hostony.net (HELO win2.fastbighost.com) (69.93.137.162)

with the follow-on question of (cut/paste from original post, as I'm not finding an Authoritative answer right now for some reason);

host win2.fastbighost.com (checking ip) = 216.168.41.231 OrgName: digital.forest, Inc. OrgID: DIGF Address: 19515 North Creek Address: Parkway, Suite 208 City: Bothell StateProv: WA NetRange: 216.168.32.0 - 216.168.63.255 CIDR: 216.168.32.0/19 NetName: DIGITAL-FOREST-BLK-1 NetHandle: NET-216-168-32-0-1 Parent: NET-216-0-0-0-0 NetType: Direct Allocation NameServer: OAK.FOREST.NET NameServer: WILLOW.FOREST.NET

who are these people and why are they involved?
gottago (Author) Posted November 4, 2004
DT - Yes I have seen this and questioned the mail piece when I first signed up. I was advised by Hostony that while not conforming to all standards, it was okay and my mail would work okay. Hmm... Yea their location has made me question these guys but until now I have not had any problems with their service. My research (and they have confirmed) showed that they are reselling from a firm here in the Dallas area. They have had several problems with their Linux hosting but the Windows hosting has been pretty solid until I started reporting spam. Jeff G - trying to understand this mailhosting thing gives me a headache;) Remember I am not technical, just a hack. I will review mailhosting again this evening. Wazoo - your labor is greatly appreciated but I am sure you aren't too tired:) Thanks again for the thoughts...
DavidT Posted November 4, 2004
Quoting Wazoo: who are these people and why are they involved?

Ah...I missed that part...I was only speaking to the issue that it's pretty common to see conflicting/multiple "names" associated with a mail host, primarily in virtual hosting situations where lots of domains share a single outgoing mail server. As for connections between "hostony" and "fastbighost" I found one: http://dnsreport.com/tools/dnsreport.ch?do...fastbighost.com On that report, you'll find that "hostony.com" is the only MX for "fastbighost.com." Here's another connection...the domain registrants for both "theplanet.com" and "fastbighost.com" are located in Dallas, TX. We might be looking at multiple levels of resellers here...with the OP being a customer of a reseller, who is a customer of a reseller, who is a customer of "theplanet.com" perhaps. DT
Wazoo Posted November 5, 2004
I know I had probably posted too much in that last big one, but that was covered up top where I'd quoted that relationship question:

Dig fastbighost.com[at]dns5.name-services.com (212.118.243.118) ... Authoritative Answer Query for fastbighost.com type=255 class=1 fastbighost.com A (Address) 216.168.60.84 fastbighost.com A (Address) 216.168.41.240 fastbighost.com MX (Mail Exchanger) Priority: 10 hostony.com

(and again noting a lack of a secondary server there .. these folks seem to have a lot of faith in their up-time <g>) I am sure not going to argue with your suggested connections theory ... what I'm not sure is if running through the mailhost configuration will actually solve anything though. Based on previous stuff, I know Ellen can do some massive massage work on the data, but it sure seems like somebody needs to clean something up .... and actually wondering why the problem is so unclear at present, but it's probably just me <g>
gottago (Author) Posted November 9, 2004
Quoting Wazoo: ... it would appear that you have fallen victim to one of the bad issues involved with Quick-Reporting. I would suggest that you not do this until this matter of header data content gets resolved. You need to do a "full report" so you can de-select your ISP if this continues to be an issue.

As an intermediary step and especially given the latest issues you all are currently facing, I have email forwarding to my cesmail.net account but now I am leaving a copy on my host server. With the current problems with cesmail.net, I have POPed my mail (from my host) with yahoo and have successfully been able to report spam without incriminating my host using the cumbersome but full report method (via forwarding link). Reporting from the site was not picking up all of the IP addresses whether I used Quick reporting or Queue for reporting. From full report:

from 69.93.137.162 ([202.83.174.42]) by win2.fastbighost.com with MailEnable ESMTP; Tue, 09 Nov 2004 21:55:55 +0000

For some reason, the bold IP address above would not show up when I tried to use either the quick reporting or the Queue reporting. Yet when I cancelled the submission when on the site the IP address shows in the archived file. As I stated earlier, I am not a techy so I am not getting why this is happening but for now I'll work it this way until I am comfortable with how the mailhosts app works. Thanks again for your insight and help!!!
Jeff G. Posted November 9, 2004
gottago, can you please post a Tracking URL for that cancelled parse? Thanks!
Jeff G. Posted November 10, 2004
Quoting: Tracking URL to see the whole thing?

Sure, why not?
gottago (Author) Posted November 10, 2004
Quoting Jeff G.: Sure, why not?

I hope this is it. Tracking URL
Jeff G. Posted November 10, 2004
Quoting gottago: I hope this is it. Tracking URL

Nope, only Deputies and Admins can use that. Please see the "Tracking URL" Entry in the SpamCop Glossary. Thanks!
gottago (Author) Posted November 10, 2004
Unfortunately I do not have it as I chose 'Queue for reporting and trash' and then cancelled the submission. All I can offer is to wait until tomorrow and 'Queue for reporting while saving' unless you might have another alternative.
gottago (Author) Posted November 10, 2004
Here is the Tracking URL for the actual submission, if that helps.
Jeff G. Posted November 10, 2004
gottago, unless you emptied your trash, that email should still be in your trash, whether that trash be your Trash Folder or the Deleted Items view of your Held Mail or Inbox Folder. You can still requeue that email for reporting.