potnoodle
Posted December 16, 2004

http://www.spamcop.net/sc?id=z703069281z8c...5e3c5a21aa0c66z

Received: from 210.213.193.195.pldt.net (210.213.193.195.pldt.net [210.213.193.195]) by mx2.mailkeep.net with SMTP (Mailkeep 1.2) id 04121522310811396; Wed, 15 Dec 2004 22:31:08 -0500
210.213.193.195 found
host 210.213.193.195 (getting name) = 210.213.193.195.pldt.net.
204.92.85.9 not listed in dnsbl.njabl.org
204.92.85.9 not listed in cbl.abuseat.org
204.92.85.9 not listed in dnsbl.sorbs.net
204.92.85.9 is an MX for mailkeep.net
Possible spammer: 210.213.193.195
210.213.193.195 is not an MX for 210.213.193.195.pldt.net
host 210.213.193.195.pldt.net (checking ip) ip not found ; 210.213.193.195.pldt.net discarded as fake.

Now, 210.213.193.195.pldt.net has no rDNS, so can't be verified as pointing back at 210.213.193.195, but that doesn't mean that it's fake. The recording MTA, mx2.mailkeep.net, was given a HELO of 210.213.193.195.pldt.net that matches the connecting IP of 210.213.193.195.

SpamCop is offering to report Mailkeep (204.92.85.9), but Mailkeep is clearly not the spam source, nor acting in any manner likely to impede the tracing of the true source.
potnoodle (Author)
Posted December 16, 2004

Same again in http://www.spamcop.net/sc?id=z703078026za2...b43f9d371d298bz with smtp.mailkeep.net (216.46.27.155).
StevenUnderwood
Posted December 16, 2004

Your first example is a problem that has been reoccurring more often as of late. The parser (right now) is actually accepting the line you are talking about but when it does not trust the next line (actually 2 lines later), it skips back over this one to the mailkeep server.

This is one reason reporters are supposed to check where they are sending reports. In this case, it is not sending them to the correct place. You should send an email to deputies<at>spamcop.net with these 2 tracking URLs and ask them to take a look and possibly bump it up to Julian.

This is also a reason to get your mailhosts configured so that the parser can easily see that mailkeep is a trusted path for your messages and to look further up the chain.

Received: from 210.213.193.195.pldt.net (210.213.193.195.pldt.net [210.213.193.195]) by mx2.mailkeep.net with SMTP (Mailkeep 1.2) id 04121522310811396; Wed, 15 Dec 2004 22:31:08 -0500
210.213.193.195 found
host 210.213.193.195 = 210.213.193.195.pldt.net (cached)
204.92.85.9 not listed in dnsbl.njabl.org
204.92.85.9 not listed in cbl.abuseat.org
204.92.85.9 not listed in dnsbl.sorbs.net
204.92.85.9 is an MX for mailkeep.net
Possible spammer: 210.213.193.195
210.213.193.195 is not an MX for 210.213.193.195.pldt.net
host 210.213.193.195.pldt.net (checking ip) ip not found; 210.213.193.195.pldt.net discarded as fake.
cannot find an mx for 210.213.193.195.pldt.net
cannot find an mx for 213.193.195.pldt.net
host mx2.mailkeep.net (checking ip) = 204.92.85.9
204.92.85.9 not listed in dnsbl.njabl.org
204.92.85.9 not listed in cbl.abuseat.org
204.92.85.9 not listed in dnsbl.sorbs.net
Chain test:mx2.mailkeep.net =? 204.92.85.9
204.92.85.9 is an MX for mailkeep.net
204.92.85.9 is mx
mx2.mailkeep.net and 204.92.85.9 have close IP addresses - chain verified
Possible relay: 204.92.85.9
204.92.85.9 not listed in relays.ordb.org.
204.92.85.9 has already been sent to relay testers
Received line accepted

The second is another example:

Received: from 203.233.68.189 ( [203.233.68.189]) by smtp.mailkeep.net with SMTP (Mailkeep 1.2) id 04121522072527737; Wed, 15 Dec 2004 22:07:25 -0500
203.233.68.189 found
host 203.233.68.189 (getting name) no name
216.46.27.155 not listed in dnsbl.njabl.org
216.46.27.155 not listed in cbl.abuseat.org
216.46.27.155 not listed in dnsbl.sorbs.net
216.46.27.155 is not an MX for smtpserver.homeip.net
ips are close enough
216.46.27.155 is close to an MX (216.46.27.157) for mailkeep.net
Possible spammer: 203.233.68.189
host smtp.mailkeep.net (checking ip) = 216.46.27.157
216.46.27.157 not listed in dnsbl.njabl.org
216.46.27.157 not listed in cbl.abuseat.org
216.46.27.157 not listed in dnsbl.sorbs.net
Chain test:smtp.mailkeep.net =? mx1.mailkeep.net
host mx1.mailkeep.net (checking ip) = 216.46.27.157
216.46.27.157 is an MX for mailkeep.net
216.46.27.157 is mx
smtp.mailkeep.net and mx1.mailkeep.net have close IP addresses - chain verified
Possible relay: 216.46.27.155
216.46.27.155 not listed in relays.ordb.org.
216.46.27.155 has already been sent to relay testers
Received line accepted
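The mailhosts idea from the post above, as an added Python example (not part of any post and not SpamCop's own parser code): Received lines are walked newest first, only lines written by the recipient's configured servers are believed, and the first connecting IP outside that set is taken as the source. The TRUSTED_NAMES and TRUSTED_IPS configuration and the forged second line of MSG1 are assumptions constructed for the example.

```python
import re

# Assumed configuration standing in for a reporter's "mailhosts" setup; the
# names and IPs are the mailkeep.net ones from the parser output in this thread.
TRUSTED_NAMES = ("mailkeep.net",)
TRUSTED_IPS = {"204.92.85.9", "216.46.27.155", "216.46.27.157"}

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]*)\s*"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)\s+by\s+(?P<by>\S+)", re.IGNORECASE)

def parse_received(line):
    """Return helo, rdns, ip and by for one Received line, or None."""
    m = RECEIVED_RE.search(line)
    return m.groupdict() if m else None

def is_trusted_name(host):
    host = host.lower().rstrip(".")
    return any(host == n or host.endswith("." + n) for n in TRUSTED_NAMES)

def find_source(received_lines):
    """Walk Received lines newest first; return the hop where a trusted
    server recorded a connection from an IP outside the trusted set."""
    source = None
    for line in received_lines:
        hop = parse_received(line)
        if hop is None or not is_trusted_name(hop["by"]):
            break  # not written by our own servers, so it may be forged
        source = hop
        if hop["ip"] not in TRUSTED_IPS:
            break  # an outside host handed the mail over here; stop trusting
    if source is None:
        return None
    helo, ip = source["helo"].lower(), source["ip"]
    # Textual check only: does the HELO name repeat the connecting IP?
    source["helo_matches_ip"] = helo == ip or helo.startswith(ip + ".")
    return source

# First line of each message is quoted from the thread. The second line of MSG1
# is constructed (documentation address 192.0.2.10) to stand for a forged header.
MSG1 = [
    "Received: from 210.213.193.195.pldt.net (210.213.193.195.pldt.net [210.213.193.195])"
    " by mx2.mailkeep.net with SMTP (Mailkeep 1.2) id 04121522310811396",
    "Received: from mail.example.org (mail.example.org [192.0.2.10])"
    " by mx2.mailkeep.net with SMTP id CONSTRUCTED"]
MSG2 = ["Received: from 203.233.68.189 ( [203.233.68.189])"
        " by smtp.mailkeep.net with SMTP (Mailkeep 1.2) id 04121522072527737"]

for msg in (MSG1, MSG2):
    src = find_source(msg)
    print(src["ip"], "recorded by", src["by"], "HELO matches IP:", src["helo_matches_ip"])
```

With this configuration the reported source is the IP that connected to Mailkeep, not Mailkeep itself, and the line below the trust boundary is never consulted.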
Archived
This topic is now archived and is closed to further replies.