1,3,7-Trimethylxanthin
Posted November 21, 2004

http://www.spamcop.net/sc?id=z694817270z9c...36645d935b0411z

SC is right in that the last Received line ("from wproxy.gmail.com") is a forgery, however it seems to discard the preceding one ("from ppp38.pm3-3.ifw-ch.in.localnet.com") as well, so it ends up blaming mailgate2.zdv.Uni-Mainz.DE rather than from ppp38.pm3-3.ifw-ch.in.localnet.com. Can this be fixed somehow?

Jeff G.
Posted November 21, 2004

Received: from ppp38.pm3-3.ifw-ch.in.localnet.com (ppp38.pm3-3.ifw-ch.in.localnet.com [64.179.114.38]) by mailgate2.zdv.Uni-Mainz.DE (Postfix) with SMTP id 11D3B300059B for <x>; Sun, 21 Nov 2004 03:47:22 +0100 (CET)
64.179.114.38 found
host 64.179.114.38 = ppp38.pm3-3.ifw-ch.in.localnet.com. (cached)
ppp38.pm3-3.ifw-ch.in.localnet.com. is 64.179.114.38
134.93.178.130 not listed in dnsbl.njabl.org
134.93.178.130 not listed in cbl.abuseat.org
134.93.178.130 not listed in dnsbl.sorbs.net
134.93.178.130 is not an MX for schloss-proxy.dmz.schloss-online.de
134.93.178.130 is an MX for zdv.Uni-Mainz.DE
Possible spammer: 64.179.114.38
64.179.114.38 is not an MX for ppp38.pm3-3.ifw-ch.in.localnet.com
host ppp38.pm3-3.ifw-ch.in.localnet.com (checking ip) = 64.179.114.38
host mailgate2.zdv.Uni-Mainz.DE (checking ip) = 134.93.178.130
134.93.178.130 not listed in dnsbl.njabl.org
134.93.178.130 not listed in cbl.abuseat.org
134.93.178.130 not listed in dnsbl.sorbs.net
Chain test:mailgate2.zdv.Uni-Mainz.DE =? mailgate2.zdv.Uni-Mainz.DE
mailgate2.zdv.Uni-Mainz.DE and mailgate2.zdv.Uni-Mainz.DE have same hostname - chain verified
Possible relay: 134.93.178.130
134.93.178.130 not listed in relays.ordb.org.
134.93.178.130 has already been sent to relay testers
Received line accepted

Received: from wproxy.gmail.com ([78.161.48.184]:61893 "EHLO mproxy.gmail.com") by avas-mx56.yahoo.com with ESMTP id S131155AbUJINgX; Sat, 20 Nov 2004 10:36:23 -0300
78.161.48.184 found
host 78.161.48.184 (getting name) no name
64.179.114.38 not listed in dnsbl.njabl.org
64.179.114.38 not listed in cbl.abuseat.org
64.179.114.38 listed in dnsbl.sorbs.net ( 127.0.0.7 )
64.179.114.38 is not an MX for mailgate2.zdv.Uni-Mainz.DE
64.179.114.38 is not an MX for ppp38.pm3-3.ifw-ch.in.localnet.com.
64.179.114.38 is not an MX for avas-mx56.yahoo.com
64.179.114.38 is not an MX for mailgate2.zdv.Uni-Mainz.DE
64.179.114.38 not listed in dnsbl.njabl.org
Possible spammer: 78.161.48.184
host avas-mx56.yahoo.com (checking ip) ip not found ; avas-mx56.yahoo.com discarded as fake.
78.161.48.184 is not an MX for avas-mx56.yahoo.com
64.179.114.38 is not an MX for avas-mx56.yahoo.com
Looks like a forgery
64.179.114.38 discarded as a forgery, using 134.93.178.130
Tracking message source: 134.93.178.130:

I don't see a good reason for the "forgery" allegation against 64.179.114.38, when the previous Received line was already accepted. CIDR Blocks within Class A Block 64.0.0.0/8 have been assigned as far back as September 1st of 2002, but SpamCop Admins may have something against that Class A Block.

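An added example, not part of the thread and not SpamCop's code (which, as noted in the thread, is not public): one conservative way to walk the two Received lines from the parse in the post above, believing only stamps written by the recipient's own hosts and stopping where the "by" host no longer matches the previous sender. The `TRUSTED` set and both function names are assumptions made for this illustration.

```python
import re

# The two Received lines from the parse in this thread, newest first.
RECEIVED = [
    "from ppp38.pm3-3.ifw-ch.in.localnet.com (ppp38.pm3-3.ifw-ch.in.localnet.com "
    "[64.179.114.38]) by mailgate2.zdv.Uni-Mainz.DE (Postfix) with SMTP id 11D3B300059B "
    "for <x>; Sun, 21 Nov 2004 03:47:22 +0100 (CET)",
    'from wproxy.gmail.com ([78.161.48.184]:61893 "EHLO mproxy.gmail.com") '
    "by avas-mx56.yahoo.com with ESMTP id S131155AbUJINgX; Sat, 20 Nov 2004 10:36:23 -0300",
]
# Assumption: the recipient's own forwarding hosts, the only ones whose stamps are believed.
TRUSTED = {"mailgate2.zdv.uni-mainz.de"}

HOP = re.compile(r"from\s+(\S+)\s+\(([^)]*)\).*?\bby\s+(\S+)", re.I | re.S)
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_hop(line):
    """Split one Received value into HELO name, reverse-DNS name, peer IP and stamping host."""
    m = HOP.search(line)
    ip = IPV4.search(m.group(2)) if m else None
    if not (m and ip):
        return None
    first = m.group(2).split()[0].lower()
    return {"helo": m.group(1).lower(),
            "rdns": None if first.startswith("[") else first,
            "ip": ip.group(1), "by": m.group(3).lower().rstrip(";")}

def trace_source(received, trusted):
    """Walk newest-first; return (last IP seen by a trusted host, per-hop notes)."""
    source, notes, expect_by = None, [], None
    for line in received:
        hop = parse_hop(line)
        if hop is None:
            notes.append("unparseable Received line, stopping")
            break
        if expect_by is not None and hop["by"] not in expect_by:
            notes.append(f"chain break: by {hop['by']} is not the host the previous hop came from")
            break
        if hop["by"] not in trusted:
            notes.append(f"untrusted stamp by {hop['by']}, stopping")
            break
        source = hop["ip"]
        notes.append(f"accepted: {hop['ip']} handed off to {hop['by']}")
        expect_by = {hop["helo"], hop["rdns"]} - {None}
    return source, notes
```

Under these assumptions `trace_source(RECEIVED, TRUSTED)` stops at the wproxy.gmail.com line and reports 64.179.114.38, the address that connected to mailgate2.zdv.Uni-Mainz.DE.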
StevenUnderwood
Posted November 21, 2004

The only possible reason I see in the parse is the line: 64.179.114.38 listed in dnsbl.sorbs.net ( 127.0.0.7).

Jeff G.
Posted November 21, 2004

A 127.0.0.7 listing at dnsbl.sorbs.net generally indicates listing on web.dnsbl.sorbs.net, "List of web (WWW) servers which have spammer abusable vulnerabilities (e.g. FormMail scripts) Note: This zone now includes non-webserver IP addresses that have abusable vulnerabilities." per Using SORBS. Specifically, that IP Address has been a "Likely Trojaned Machine, host running Korgo4 trojan" since September 17th per Specific SORBS Lookup, but how does that invalidate it as being the visible source (with the currently untraceable spammer having abused it)?

StevenUnderwood
Posted November 21, 2004

I did not say it was probable or even likely... only possible. Since I have no access to the code, it could be for any reason at all (or no reason at all, i.e. a mistake).

Ellen
Posted November 22, 2004

> http://www.spamcop.net/sc?id=z694817270z9c...36645d935b0411z
>
> SC is right in that the last Received line ("from wproxy.gmail.com") is a forgery, however it seems to discard the preceding one ("from ppp38.pm3-3.ifw-ch.in.localnet.com") as well, so it ends up blaming mailgate2.zdv.Uni-Mainz.DE rather than from ppp38.pm3-3.ifw-ch.in.localnet.com. Can this be fixed somehow?

It appears to be accepting uni-mainz.de right now. Are you supposed to be getting your mail forwarded thru that server?

1,3,7-Trimethylxanthin
Posted November 22, 2004

> It appears to be accepting uni-mainz.de right now. Are you supposed to be getting your mail forwarded thru that server?

Yes, and SC accepts this server almost always, but sometimes not. As this happens seldom, I have no idea what could be causing this.

BTW: Email notification of replies in this forum doesn't seem to work, for me at least.

Archived
This topic is now archived and is closed to further replies.