Jump to content

Filtered Account


Recommended Posts

Posted

I currently use Spamcop to filter several accounts on mydomain.com. I then have SpamCop forward to an anonomous email account on mydomain.com. It seems that all and I do mean ALL of the spam that is held by SpamCop resolves to what appears to be my IP address. Initially I thought nothing of it as I am in a shared environment and thought someone on my server was responsible, but I am now being told that it is me that is spamming and causing the entire server to be shut down. How can I fix this as I want to continue to report any spam received?

Posted

Please provide a Tracking URL of at least one of these "problem" submittals so someone has the means to look at what you're submitting, what the parser is seeing and doing, and probably the worst item, what you are selecting for the "Send Reports Now" targets. The obvious remark is to suggest you look at the FAQ, as this issue is addressed there ... and the obvious question is whether or not you've configured your account to use the MailHost thing ...????

Posted
Please provide a Tracking URL of at least one of these "problem" submittals so someone has the means to look at what you're submitting, what the parser is seeing and doing, and probably the worst item, what you are selecting for the "Send Reports Now" targets.  The obvious remark is to suggest you look at the FAQ, as this issue is addressed there ... and the obvious question is whether or not you've configured your account to use the MailHost thing ...????

19531[/snapback]

Thanks for the quick reply. I am pretty confident that I have set up my auto-forwards correctly but will review the FAQs for insurance. Basically, I have a number of accounts on mydomain.com going to my SpamCop account that forwards 'clean' email to an anonymous account on mydomain.com.

As far as a tracking url see below.

Tracking URL

All help is appreciated.

Posted

Problem starts with this line in the "received" headers;

Received: from win3.hostony.net (HELO win2.fastbighost.com) (69.93.137.162)

(Although, this problem might be due to the actions addressed by the next line;

Received: with MailEnable Postoffice Connector; Tue, 02 Nov 2004 02:11:06 +0000

Sitting out here in the world, there is no way to guess at just what this line actually sayd happened to the e-mail ... was this "your forward" .. was this something internal?)

Problem "explained" in the chain test steps;

host win2.fastbighost.com (checking ip) = 216.168.41.231

216.168.41.231 not listed in dnsbl.njabl.org

216.168.41.231 not listed in cbl.abuseat.org

216.168.41.231 not listed in dnsbl.sorbs.net

Chain test:win2.fastbighost.com =? win3.hostony.net

host win3.hostony.net (checking ip) = 69.93.137.162

69.93.137.162 is not an MX for win2.fastbighost.com

host win2.fastbighost.com (checking ip) = 216.168.41.231

69.93.137.162 is not an MX for win2.fastbighost.com

Chain test failed

Chain test:win2.fastbighost.com =? 69.93.137.162

69.93.137.162 is not an MX for win2.fastbighost.com

host win2.fastbighost.com (checking ip) = 216.168.41.231

69.93.137.162 is not an MX for win2.fastbighost.com

Chain test failed

Chain error win2.fastbighost.com not equal to last sender received line discarded

where 216.168.41.231 shows up as;

11/03/04 00:39:49 IP block 216.168.41.231

Trying 216.168.41.231 at ARIN

Trying 216.168.41 at ARIN

OrgName: digital.forest, Inc.

OrgID: DIGF

Address: 19515 North Creek

Address: Parkway, Suite 208

City: Bothell

StateProv: WA

NetRange: 216.168.32.0 - 216.168.63.255

CIDR: 216.168.32.0/19

NetName: DIGITAL-FOREST-BLK-1

NetHandle: NET-216-168-32-0-1

Parent: NET-216-0-0-0-0

NetType: Direct Allocation

NameServer: OAK.FOREST.NET

NameServer: WILLOW.FOREST.NET

Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE

RegDate: 1998-12-29

Updated: 2001-09-26

And, as conjectured, the critical line;

Reports regarding this spam have already been sent:

Re: 69.93.137.162 (Administrator of network where email originates)

Reportid: 1279355151 To: abuse[at]theplanet.com

If there is forgery involved in these headers, you're going to have to help out a bit and explicitly identify the anonymous "mydomain" stuff as you're the only one that knows what systems are actually involved at this point. If not a forgery, you are at the mercy of a really screwed up server configuration.

And to harp on that last point, you are the ultimate responsibility as to which and where reports go out. Because the parse resolved and lists a URL found in the body but no report was sent out, it would appear that you have fallen victim to one of the bad issues involved with Quick-Reporting. I would suggest that you not do this until this matter of header data content gets resolved. You need to do a "full report" so you can de-select your ISP if this continues to be an issue.

Posted

Why does your mailserver, which uses IP Address "69.93.137.162" that has DNS Name "win3.hostony.net" insist on calling itself "win2.fastbighost.com" (the name of an entirely different IP Address 216.168.41.231)? This is messing up SpamCop's Parser's Chain Test and causing you to report your mailserver to abuse[at]theplanet.com.

Thanks!

Posted

Thanks for the responses.

Wazoo: I have forwarded your analysis to hostony (my host) as I partially understand this stuff. My domain... skylinefinancial.com... is on a shared server ... win3.hostony.net. I have no idea of the relationship to win2.fastbighost.com.

I will take your suggestion of doing a full report and deselecting my host prior to reporting.

Jeff G: I have no idea. This too has been forwarded to my host.

Unfortunately I am not knowledgeable enough to answer these questions so I have to rely on my host for answers.

Thanks again...

Posted

Wow! The whole time I was looking all that stuff up, trying to make sense out of it, point to the right things, ... had the intent to actually type in the words "you need to talk to your host(s) .... and looking back through all that stuff, I see I forgot to actually add that thought in there. Yep, you did the right thing.

That "relationship" between the two "ISPs" is the real question. That a server would lie this much is an astounding situation .. though I really should go look, I don't recall your Domain being in the mix at all?

OK, I had to go look .. obviously, I'm not awake yet. There it is right there in the line;

Delivered-To: x

Gads, off for another cup of coffee ....

Posted

As I suspected, my host Hostony.com is reselling theplanet.com. I am awaitig a response as to the relationship between Hostony and Fastbighost as you both have mentioned.

Is it possible that by using a cesmail.net mail account instead of a spamcop.net mail account this problem exists?

Edit:

I have received the following response regarding the relationship issue:

"win2.fastbighost.com is secondary name of our server.

We have used this setting and will use it forever.

If SpamCop rules don't allow such things that their issue. "

My ISP is not too happy with me cause my reporting cause theplanet.com to shut down their server for over 6 hours which is why I want to get to the bottom of this.

Any thoughts?

Posted
Is it possible that by using a cesmail.net mail account instead of a spamcop.net mail account this problem exists?

19586[/snapback]

This problem would still exist if your address was at cesmail.net.

"win2.fastbighost.com is secondary name of our server.

We have used this setting and will use it forever.

If SpamCop rules don't allow such things that their issue. "

My ISP is not too happy with me cause my reporting cause theplanet.com to shut down their server for over 6 hours which is why I want to get to the bottom of this.

Any thoughts?

19586[/snapback]

Please try configuring Mailhosts and/or asking the Deputies to trust this host. Thanks.
Posted
My domain... skylinefinancial.com... is on a shared server ... win3.hostony.net.

Regarding the DNS and mail settings for your domain...there are some problems. Take a look here:

http://dnsreport.com/tools/dnsreport.ch?do...nefinancial.com

Scroll down to the "Mail" section where you'll find some issues, some of which should be resolved. For example, you don't seem to have a "postmaster" address...this violates Internet standards. You also don't seem to have an "abuse" address, which is less serious, but enough to get you listed on some blocking services.

Interesting location for your hosting company...their business address is on the channel islands off of the coast of France....although the reseller above them and the NOC are all in the United States.

DT

Posted
As I suspected, my host Hostony.com is reselling theplanet.com.  I am awaitig a response as to the relationship between Hostony and Fastbighost as you both have mentioned.

Dig fastbighost.com[at]dns5.name-services.com (212.118.243.118) ...

Authoritative Answer

Query for fastbighost.com type=255 class=1

fastbighost.com A (Address) 216.168.60.84

fastbighost.com A (Address) 216.168.41.240

fastbighost.com MX (Mail Exchanger) Priority: 10 hostony.com

fastbighost.com SOA (Zone of Authority)

Primary NS: dns1.name-services.com

Responsible person: info[at]name-services.com

Is it possible that by using a cesmail.net mail account instead of a spamcop.net mail account this problem exists?

JeffG aready answered --- no difference.

I have received the following response regarding the relationship issue:

"win2.fastbighost.com is secondary name of our server.

We have used this setting and will use it forever.

If SpamCop rules don't allow such things that their issue. "

Dig Hostony.com[at]ns16.hostony.net (209.152.170.32) ...

Authoritative Answer

Query for Hostony.com type=255 class=1

Hostony.com SOA (Zone of Authority)

Primary NS: ns11.Hostony.com

Responsible person: administrator[at]Hostony.com

serial:1069170846

refresh:28800s (8 hours)

retry:7200s (2 hours)

expire:3600000s (410 days)

minimum-ttl:86400s (24 hours)

Hostony.com NS (Nameserver) ns16.hostony.net

Hostony.com NS (Nameserver) ns11.Hostony.com

Hostony.com A (Address) 209.152.175.150

Hostony.com MX (Mail Exchanger) Priority: 10 Hostony.com

Hostony.com MX (Mail Exchanger) Priority: 0 secure.Hostony.com

ns11.Hostony.com A (Address) 207.44.244.81

ns16.hostony.net A (Address) 209.152.170.32

secure.Hostony.com A (Address) 209.152.175.151

Dig Hostony.com[at]ns11.Hostony.com (207.44.244.81) ...

Authoritative Answer

Recursive queries supported by this server

Query for Hostony.com type=255 class=1

Hostony.com SOA (Zone of Authority)

Primary NS: ns11.Hostony.com

Responsible person: administrator[at]Hostony.com

serial:1069170846

refresh:28800s (8 hours)

retry:7200s (2 hours)

expire:3600000s (410 days)

minimum-ttl:86400s (24 hours)

Hostony.com NS (Nameserver) ns16.hostony.net

Hostony.com NS (Nameserver) ns11.Hostony.com

Hostony.com A (Address) 209.152.175.150

Hostony.com MX (Mail Exchanger) Priority: 0 secure.Hostony.com

Hostony.com MX (Mail Exchanger) Priority: 10 Hostony.com

ns11.Hostony.com A (Address) 207.44.244.81

secure.Hostony.com A (Address) 209.152.175.151

Dig Hostony.com[at]199.5.157.128 ...

Non-authoritative answer

Recursive queries supported by this server

Query for Hostony.com type=255 class=1

Hostony.com NS (Nameserver) ns11.Hostony.com

Hostony.com NS (Nameserver) ns16.hostony.net

Hostony.com NS (Nameserver) ns11.Hostony.com

Hostony.com NS (Nameserver) ns16.hostony.net

ns11.Hostony.com A (Address) 207.44.244.81

I don't see there so-called secondary MX listed here, which is also why the SpamCop parser made the decision: 69.93.137.162 is not an MX for win2.fastbighost.com

Dig skylinefinancial.com[at]win3.hostony.net (69.93.137.162) ...

Authoritative Answer

Recursive queries supported by this server

Query for skylinefinancial.com type=255 class=1

skylinefinancial.com A (Address) 69.93.137.162

skylinefinancial.com NS (Nameserver) win3.hostony.net

skylinefinancial.com NS (Nameserver) win4.hostony.net

skylinefinancial.com SOA (Zone of Authority)

Primary NS: win3.hostony.net

Responsible person: hostmaster[at]skylinefinancial.com

serial:2004030611

refresh:3600s (60 minutes)

retry:900s (15 minutes)

expire:604800s (7 days)

minimum-ttl:14400s (4 hours)

skylinefinancial.com MX (Mail Exchanger) Priority: 21 mail.skylinefinancial.com

win3.hostony.net A (Address) 69.93.137.162

mail.skylinefinancial.com A (Address) 69.93.137.162

no secondary there ....

My ISP is not too happy with me cause my reporting cause theplanet.com to shut down their server for over 6 hours which is why I want to get to the bottom of this.

I'm tired, but thus far it looks like configuration and registration issues. Yes, there surely have back-up, redundnant, secondary, whatever systems to support their users, but .... I just don't see it in the records at this point .... not an exhaustive search, but then again, I shouldn't have to scratch that deep to find something that should be as obvious as they make it sound.

Posted
no secondary there ....

It's not a secondary MX....it's simply another name for the only MX, which is actually permitted (but discouraged) as long as the IP is the same. Wazoo, please click on the DNSReport link I provided earlier....here it is again:

http://dnsreport.com/tools/dnsreport.ch?do...nefinancial.com

Look in the "Mail" section, where you'll see a warning about the "Mail server host name in greeting." Specifically "mail.skylinefinancial.com claims to be host win2.fastbighost.com" but this shouldn't really give the SC system indigestion. I've got domains on boxes where that happens, and my parsing and mailhosts are fine, in spite of that.

DT

Posted

OK, did that .... also see a warning there about the lack of a Secondary MX <g>

That data is fine, no argument ... but it still doesn't answer my original "call" to the question of identities involved ... specifically, the Received line;

Received: from win3.hostony.net (HELO win2.fastbighost.com) (69.93.137.162)

with the follow-on question of (cut/paste from original post, as I'm not finding an Authoritative answer right now for some reason);

host win2.fastbighost.com (checking ip) = 216.168.41.231

OrgName: digital.forest, Inc.

OrgID: DIGF

Address: 19515 North Creek

Address: Parkway, Suite 208

City: Bothell

StateProv: WA

NetRange: 216.168.32.0 - 216.168.63.255

CIDR: 216.168.32.0/19

NetName: DIGITAL-FOREST-BLK-1

NetHandle: NET-216-168-32-0-1

Parent: NET-216-0-0-0-0

NetType: Direct Allocation

NameServer: OAK.FOREST.NET

NameServer: WILLOW.FOREST.NET

who are these people and why are they involved?

Posted

DT - Yes I have seen this and questioned the mail piece when I frist signed up. I was advised by Hostony that while not conforming to all standards, it was okay and my mail would work okay. Hmm...

Yea their location has made me question these guys but until now I have not had any problems with their service. My research (and they have confirmed) showed that they are reselling from a firm here in the Dallas area. they have had several problems with their Linux hosting but the Windows hosting has bee pretty solid until I started reporting spam.

Jeff G - trying to understand this mailhosting thing gives me a headache;) Remember I am not technical, just a hack. I will review mailhosting again this evening.

Wazoo - your labor is greatly appreciated but I am sure you aren't too tired:)

Thanks again for the thoughts...

Posted
who are these people and why are they involved?

Ah...I missed that part...I was only speaking to the issue that it's pretty common to see conflicting/multiple "names" assciated with a mail host, primarily in virutual hosting situations where lots of domains share a single outgoing mail server.

As for connections between "hostony" and "fastbighost" I found one:

http://dnsreport.com/tools/dnsreport.ch?do...fastbighost.com

On that report, you'll find that "hostony.com" is the only MX for "fastbighost.com."

Here's another connection...the domain registrants for both "theplanet.com" and "fastbighost.com" are located in Dallas, TX. We might be looking at multiple levels of resellers here...with the OP being a customer of a reseller, who is a customer of a reseller, who is a customer of "theplanet.com" perhaps.

DT

Posted

I know I had probably posted too much in that last big one, but that was covered up top where I'd quoted that releationshup questions:

Dig fastbighost.com[at]dns5.name-services.com (212.118.243.118) ...

Authoritative Answer

Query for fastbighost.com type=255 class=1

fastbighost.com A (Address) 216.168.60.84

fastbighost.com A (Address) 216.168.41.240

fastbighost.com MX (Mail Exchanger) Priority: 10 hostony.com

(and again noting a lack of a secondary server there .. these folks seem to have a lot of faith in their up-time <g>)

I am sure not going to argue with your suggested connections theory ... what I'm not sure is if running through the mailhost configuration will actually solve anything though. Based on previous stuff, I know Ellen can do some massaive massfe work on the data, but it sure seems like somebody needs to clean something up .... and actually wondering why the problem is so unclear at present, but it's probably just me <g>

Posted
... it would appear that you have fallen victim to one of the bad issues involved with Quick-Reporting.  I would suggest that you not do this until this matter of header data content gets resolved.  You need to do a "full report" so you can de-select your ISP if this continues to be an issue.

19533[/snapback]

As an intermediary step and especially given the latest issues you all are currently facing, I have email forwarding to my cesmail.net account but now I am leaving a copy on my host server. With the current problems with cesmail.net, I have POPed my mail (from my host) with yahoo and have successfully been able to report spam without increminating my host using the cumbersome but full report method (via forwarding link). reporting form the site was not picking up all of the IP addresses whether I used Quick reporting or Queue for reporting.

From full report:

from 69.93.137.162 ([202.83.174.42]) by win2.fastbighost.com with MailEnable ESMTP; Tue, 09 Nov 2004 21:55:55 +0000

For some reason, the bold IP address above would not show up in when I tried to use either the quick reorting or the Queue reproting. Yet when I cancelled the submission when on the site the IP address shows in the archived file.

As I stated earler, I am not a techy so I am not getting why this is happening but for now i'll work it this way until I am comfortable with how the mailhosts app works.

Thanks again for you insight and help!!!

Posted

gottago, can you please post a Tracking URL for that cancelled parse? Thanks!

Posted

Unfortunately I do not have it as I chose 'Queue for peporting and trash' and then cancelled the submission. All I can offer is to wait until tomorrow and 'Queue for reporting while saving' unless you might have another alternative.

Posted

gottago, unless you emptied your trash, that email should still be in your trash, whether that trash be your Trash Folder or the Deleted Items view of your Held Mail or Inbox Folder. You can still requeue that email for reporting.

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...