forgery detection malfunctions


Recommended Posts

http://www.spamcop.net/sc?id=z694817270z9c...36645d935b0411z

SC is right in that the last Received line ("from wproxy.gmail.com") is a forgery, however it seems to discard the preceding one ("from ppp38.pm3-3.ifw-ch.in.localnet.com") as well, so it ends up blaming mailgate2.zdv.Uni-Mainz.DE rather than ppp38.pm3-3.ifw-ch.in.localnet.com. Can this be fixed somehow?


Received:  from ppp38.pm3-3.ifw-ch.in.localnet.com (ppp38.pm3-3.ifw-ch.in.localnet.com [64.179.114.38]) by mailgate2.zdv.Uni-Mainz.DE (Postfix) with SMTP id 11D3B300059B for <x>; Sun, 21 Nov 2004 03:47:22 +0100 (CET)

64.179.114.38 found

host 64.179.114.38 = ppp38.pm3-3.ifw-ch.in.localnet.com. (cached)

ppp38.pm3-3.ifw-ch.in.localnet.com. is 64.179.114.38

134.93.178.130 not listed in dnsbl.njabl.org

134.93.178.130 not listed in cbl.abuseat.org

134.93.178.130 not listed in dnsbl.sorbs.net

134.93.178.130 is not an MX for schloss-proxy.dmz.schloss-online.de

134.93.178.130 is an MX for zdv.Uni-Mainz.DE

Possible spammer: 64.179.114.38

64.179.114.38 is not an MX for ppp38.pm3-3.ifw-ch.in.localnet.com

host ppp38.pm3-3.ifw-ch.in.localnet.com (checking ip) = 64.179.114.38

host mailgate2.zdv.Uni-Mainz.DE (checking ip) = 134.93.178.130

134.93.178.130 not listed in dnsbl.njabl.org

134.93.178.130 not listed in cbl.abuseat.org

134.93.178.130 not listed in dnsbl.sorbs.net

Chain test:mailgate2.zdv.Uni-Mainz.DE =? mailgate2.zdv.Uni-Mainz.DE

mailgate2.zdv.Uni-Mainz.DE and mailgate2.zdv.Uni-Mainz.DE have same hostname - chain verified

Possible relay: 134.93.178.130

134.93.178.130 not listed in relays.ordb.org.

134.93.178.130 has already been sent to relay testers

Received line accepted

Received:  from wproxy.gmail.com ([78.161.48.184]:61893 "EHLO mproxy.gmail.com") by avas-mx56.yahoo.com with ESMTP id S131155AbUJINgX; Sat, 20 Nov 2004 10:36:23 -0300

78.161.48.184 found

host 78.161.48.184 (getting name) no name

64.179.114.38 not listed in dnsbl.njabl.org

64.179.114.38 not listed in cbl.abuseat.org

64.179.114.38 listed in dnsbl.sorbs.net ( 127.0.0.7 )

64.179.114.38 is not an MX for mailgate2.zdv.Uni-Mainz.DE

64.179.114.38 is not an MX for ppp38.pm3-3.ifw-ch.in.localnet.com.

64.179.114.38 is not an MX for avas-mx56.yahoo.com

64.179.114.38 is not an MX for mailgate2.zdv.Uni-Mainz.DE

64.179.114.38 not listed in dnsbl.njabl.org

Possible spammer: 78.161.48.184

host avas-mx56.yahoo.com (checking ip) ip not found ; avas-mx56.yahoo.com discarded as fake.

78.161.48.184 is not an MX for avas-mx56.yahoo.com

64.179.114.38 is not an MX for avas-mx56.yahoo.com

Looks like a forgery

64.179.114.38 discarded as a forgery, using 134.93.178.130

Tracking message source: 134.93.178.130:

I don't see a good reason for the "forgery" allegation against 64.179.114.38, when the previous Received line was already accepted. CIDR Blocks within Class A Block 64.0.0.0/8 have been assigned as far back as September 1st of 2002, but SpamCop Admins may have something against that Class A Block.
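As an added illustration of the chain test shown in the parser output above (this is example code, not SpamCop's own), the following Python walks the thread's two Received lines newest-first, stops at the first hop whose "by" host does not match the "from" host of the hop already trusted, and keeps the last trusted line's source IP instead of discarding it together with the forged line. The reporter's mailhost name (mailgate2.zdv.Uni-Mainz.DE) is assumed from the chain test line; SpamCop's additional DNS, MX and DNSBL checks are not modelled.

```python
import re

# Constructed sample: the two Received lines quoted in the thread, in message
# order (newest hop first, since each relay prepends its own line).
RECEIVED = [
    "from ppp38.pm3-3.ifw-ch.in.localnet.com (ppp38.pm3-3.ifw-ch.in.localnet.com "
    "[64.179.114.38]) by mailgate2.zdv.Uni-Mainz.DE (Postfix) with SMTP id "
    "11D3B300059B for <x>; Sun, 21 Nov 2004 03:47:22 +0100 (CET)",
    'from wproxy.gmail.com ([78.161.48.184]:61893 "EHLO mproxy.gmail.com") '
    "by avas-mx56.yahoo.com with ESMTP id S131155AbUJINgX; "
    "Sat, 20 Nov 2004 10:36:23 -0300",
]

# Claimed sending host, the bracketed connecting IP, and the receiving host.
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+).*?\[(?P<ip>\d+\.\d+\.\d+\.\d+)\].*?\bby\s+(?P<by>\S+)",
    re.S,
)


def normalize_host(name):
    """Hostnames compare case-insensitively and without a trailing dot."""
    return name.rstrip(".").lower()


def parse_hop(line):
    m = HOP_RE.search(line)
    if m is None:
        return None
    return {"from": normalize_host(m["from"]),
            "ip": m["ip"],
            "by": normalize_host(m["by"])}


def trace_source(received, mailhost):
    """Return (source_ip, index_of_first_untrusted_line).

    A hop is trusted only if its 'by' host equals the 'from' host of the hop
    trusted just before it (the reporter's mailhost for the first line).
    At the first break the walk stops: that line and every older one are
    untrusted, but the last trusted line's IP remains the visible source.
    """
    expected_by = normalize_host(mailhost)
    source = None
    for idx, line in enumerate(received):
        hop = parse_hop(line)
        if hop is None or hop["by"] != expected_by:
            return source, idx  # chain broken here
        source = hop["ip"]
        expected_by = hop["from"]
    return source, None
```

For the thread's headers this yields 64.179.114.38 as the source and flags the second line (index 1) as the break, which is the outcome the original poster expected.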

A 127.0.0.7 listing at dnsbl.sorbs.net generally indicates listing on web.dnsbl.sorbs.net, "List of web (WWW) servers which have spammer abusable vulnerabilities (e.g. FormMail scripts) Note: This zone now includes non-webserver IP addresses that have abusable vulnerabilities." per Using SORBS. Specifically, that IP Address has been a "Likely Trojaned Machine, host running Korgo4 trojan" since September 17th per Specific SORBS Lookup, but how does that invalidate it as being the visible source (with the currently untraceable spammer having abused it)?


http://www.spamcop.net/sc?id=z694817270z9c...36645d935b0411z

SC is right in that the last Received line ("from wproxy.gmail.com") is a forgery, however it seems to discard the preceding one ("from ppp38.pm3-3.ifw-ch.in.localnet.com") as well, so it ends up blaming mailgate2.zdv.Uni-Mainz.DE rather than ppp38.pm3-3.ifw-ch.in.localnet.com. Can this be fixed somehow?


It appears to be accepting uni-mainz.de right now. Are you supposed to be getting your mail forwarded thru that server?


It appears to be accepting uni-mainz.de right now. Are you supposed to be getting your mail forwarded thru that server?


Yes, and SC accepts this server almost always, but sometimes not. As this happens seldom, I have no idea what could be causing this.

BTW: Email notification of replies in this forum doesn't seem to work, for me at least.
