kgagne Posted January 6, 2005

My email is forwarded from my domain (gamebits.net, hosted by myhosting.com) to spamcop.net to syndicomm.com. Some valid mail is coming through marked as {spam?} with a notice from Infinity Resources, whoever they are, indicating I should report if the mark is being incorrectly applied. I am trying to figure out to whom this report should go. Syndicomm.com says they didn't do it, and myhosting.com - well, I think they've outsourced all their support to India, and the only answer I could get from them was a description of what SpamCop is. Headers from the original email follow; can anyone tell where the {spam?} mark is coming from?

From: deepdiscountdvd[at]deepdiscountdvd.com
Date: January 6, 2005 7:04:30 AM EST
To: <redacted>
Subject: {spam?} Order with DEEPDISCOUNTDVD.com
Return-Path: <deepdiscountdvd[at]deepdiscountdvd.com>
Received: from c60.cesmail.net (c60.cesmail.net [216.154.195.49]) by sinclair.syndicomm.com (8.13.1/8.13.1) with ESMTP id j06C8ZCk009721 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=FAIL) for <redacted>; Thu, 6 Jan 2005 04:08:40 -0800
Received: from unknown (HELO blade1.cesmail.net) (192.168.1.211) by c60.cesmail.net with SMTP; 06 Jan 2005 07:08:31 -0500
Received: (qmail 21580 invoked by uid 1010); 6 Jan 2005 12:08:30 -0000
Received: (qmail 21431 invoked from network); 6 Jan 2005 12:08:19 -0000
Received: from unknown (192.168.1.103) by blade1.cesmail.net with QMQP; 6 Jan 2005 12:08:19 -0000
Received: from xmail03.myhosting.com (168.144.250.217) by mailgate2.cesmail.net with SMTP; 6 Jan 2005 12:08:19 -0000
Received: (qmail 10502 invoked by alias); 6 Jan 2005 12:08:18 -0000
Received: (qmail 10500 invoked by alias); 6 Jan 2005 12:08:18 -0000
Received: (qmail 10496 invoked from network); 6 Jan 2005 12:08:18 -0000
Received: from mail.infinityresourcesinc.com ([130.94.28.189]) (envelope-sender <deepdiscountdvd[at]deepdiscountdvd.com>) by xmail03.myhosting.com (qmail-ldap-1.03) with SMTP for <redacted>; 6 Jan 2005 12:08:09 -0000
Received: from 130.94.28.189 (linuxcp19046.dn.net [198.65.147.37]) by mail.infinityresourcesinc.com (8.11.6/8.11.6) with ESMTP id j06C7tY00509 for <redacted>; Thu, 6 Jan 2005 07:07:55 -0500
Delivered-To: <redacted>
Delivered-To: <redacted>
Delivered-To: <redacted>
X-Habeas-Swe-1: winter into spring
X-Habeas-Swe-2: brightly anticipated
X-Habeas-Swe-3: like Habeas SWE
X-Habeas-Swe-4: Copyright 2002 Habeas
X-Habeas-Swe-5: Sender Warranted Email (SWE) . The sender of this
X-Habeas-Swe-6: email in exchange for a license for this Habeas
X-Habeas-Swe-7: warrant mark warrants that this is a Habeas Compliant
X-Habeas-Swe-8: Message (HCM) and not spam. Please report use of this
X-Habeas-Swe-9: mark in spam to <http://www.habeas.com/report/>.
Message-Id: <200501061207.j06C7tY00509[at]mail.infinityresourcesinc.com>
Content-Type: multipart/report; boundary="======14974==75477======"
Mime-Version: 1.0
X-Network-Resources-Mailscanner-Information: Please contact the postmaster[at]infinityresourcesinc.com for more information
X-Network-Resources-Mailscanner: Found to be clean
X-Network-Resources-Mailscanner-Spamcheck: spam, SpamAssassin (score=5.053, required 5, FORGED_RCVD_HELO 0.05, MSGID_FROM_MTA_ID 1.70, NO_REAL_NAME 0.18, RCVD_HELO_IP_MISMATCH 0.62, RCVD_NUMERIC_HELO 1.53, SARE_FROM_SPAM_WORD0 0.77, UPPERCASE_25_50 0.21)
X-Mailscanner-From: deepdiscountdvd[at]deepdiscountdvd.com
X-spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on blade1
X-spam-Level: **
X-spam-Status: hits=2.4 tests=FORGED_RCVD_HELO,NO_REAL_NAME, RCVD_HELO_IP_MISMATCH,RCVD_NUMERIC_HELO version=3.0.0
X-Spamcop-Checked: 192.168.1.103 168.144.250.217 130.94.28.189 130.94.28.189 198.65.147.37
X-Syndicomm-Mailscanner: No viruses found (not authoritative)
X-Syndicomm-Mailscanner-Spamcheck: not spam (whitelisted), SpamAssassin (score=1.482, required 5, BAYES_20 -1.95, NO_REAL_NAME 0.01, RCVD_HELO_IP_MISMATCH 2.18, RCVD_NUMERIC_HELO 1.25)
X-Envelope-From: deepdiscountdvd[at]deepdiscountdvd.com
X-Uidl: 'L["!E`~"!N0]!!3H4!!

Our MailScanner believes that the attachment to this message sent to you

From: deepdiscountdvd[at]deepdiscountdvd.com
Subject: Order with DEEPDISCOUNTDVD.com

is Unsolicited Commercial Email (spam). Unless you are sure that this message is incorrectly thought to be spam, please delete this message without opening it. Opening spam messages might allow the spammer to verify your email address.

If you believe that this message has been incorrectly marked as spam, please forward this email to postmaster.

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.2 NO_REAL_NAME           From: does not include a real name
 0.8 SARE_FROM_SPAM_WORD0   From address suggests this is spam
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 1.7 MSGID_FROM_MTA_ID      Message-Id for external message added locally
 0.6 RCVD_HELO_IP_MISMATCH  Received: HELO and IP do not match, but should
 1.5 RCVD_NUMERIC_HELO      Received: contains an IP address used for HELO
 0.2 UPPERCASE_25_50        message body is 25-50% uppercase

--
This message has been scanned for viruses and dangerous content by MailScanner at Infinity Resources and is believed to be clean.

agsteele Posted January 6, 2005

> My email is forwarded from my domain (gamebits.net, hosted by myhosting.com) to spamcop.net to syndicomm.com. Some valid mail is coming through marked as {spam?} with a notice from Infinity Resources, whoever they are, indicating I should report if the mark is being incorrectly applied. I am trying to figure out to whom this report should go. Syndicomm.com says they didn't do it, and myhosting.com - well, I think they've outsourced all their support to India, and the only answer I could get from them was a description of what SpamCop is. Headers from the original email follow; can anyone tell where the {spam?} mark is coming from?

I am a little confused by these headers since they appear to be the headers of the spam alert rather than the original spam message. But it is possible that the intercepted Email had the spam warning added to the top of the original Email.

Looking at the headers you've supplied it looks as if Infinity Resources is the company that deepdiscountdvd is using to send their mail through. So whoever deepdiscountdvd is they seem to be trapping their own outgoing Email.

Anyone else read these headers the same way?

Andrew

Wazoo Posted January 6, 2005

I'll agree that this doesn't fall into a nice easy to understand picture <g> More confusion in trying to guess where infinity actually fits in;

Received: from mail.infinityresourcesinc.com ([130.94.28.189]) (envelope-sender <deepdiscountdvd[at]deepdiscountdvd.com>) by xmail03.myhosting.com (qmail-ldap-1.03) with SMTP for <sales[at]gamebits.net>; 6 Jan 2005 12:08:09 -0000
Received: from 130.94.28.189 (linuxcp19046.dn.net [198.65.147.37]) by mail.infinityresourcesinc.com (8.11.6/8.11.6) with ESMTP id j06C7tY00509 for <sales[at]gamebits.net>; Thu, 6 Jan 2005 07:07:55 -0500

Time lag involved, someone is stamping / inserting some wrong data ... you conjecture it's a deepdiscount output path .. I'll question that maybe it's a myhosting input path ...???

But also definitely agree, this is the output result of being handled somewhere other than the ISPs "known" to be in use.

Also stating that my eyes were glazing over a bit when looking at all those exposed e-mail addresses.

agsteele Posted January 6, 2005

> Time lag involved, someone is stamping / inserting some wrong data ... you conjecture it's a deepdiscount output path .. I'll question that maybe it's a myhosting input path ...???

Yes, of course it could be the input at myhosting...

www.infinityresourcesinc.com reveals Infinity Resources to be an E-commerce agency offering a range of services including direct mail and order fulfillment.

On that basis I'd be inclined to suspect that the DVD sellers are marketing through these guys and got their own messages trapped, but it is a gut feeling rather than proved conclusively.

Andrew

StevenUnderwood Posted January 6, 2005

Is there any history with infinityresourcesinc.com? I will leave it to others to track that down as I have no time today and others are much better at it than me, but since they want to be contacted and they seem to have put the SA messages in (same tests match upper and lower sections) I would assume they are the ones placing the {spam} subject. If they are legit, you could contact them and find out, but personally, I would not give them my email address (or give them a different one).

Wazoo Posted January 26, 2005

kgagne apparently PM'd Ellen requesting data on how to edit/delete a post within this Forum structure. Not sure I understand that, but I suppose that looking at the "Moderating Team display" might be confusing ...???

Ellen's job description does not include this kind of work (to the best of my knowledge) ... it's nice that she does find the time to come in here and handle some issues. In the future, please send queries of this nature to the Moderators (though noting that there is only the one active at present .. JeffG promises to be back sometime soon <g>)

I edited out the personal addresses seen in a quick pass through the original post. I don't like deleting posts/Topics for a number of reasons.

User PM'd (Ellen CC:'d)

sommerfeld Posted January 26, 2005

>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  0.2 NO_REAL_NAME           From: does not include a real name
>  0.8 SARE_FROM_SPAM_WORD0   From address suggests this is spam
>  0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
>  1.7 MSGID_FROM_MTA_ID      Message-Id for external message added locally
>  0.6 RCVD_HELO_IP_MISMATCH  Received: HELO and IP do not match, but should
>  1.5 RCVD_NUMERIC_HELO      Received: contains an IP address used for HELO
>  0.2 UPPERCASE_25_50        message body is 25-50% uppercase

That looks like a locally hacked copy of SpamAssassin; the total score adds up to 5.1 points vs the normal blocking threshold of 5.0.

Of the tags which hit, a bunch of these suggest that the sender's mailer is misconfigured/not standards-conformant. This is usually a good but hardly perfect indicator of spam.

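Added example, not part of any post in this thread: the question of which hop applied the {spam?} tag can be checked mechanically by parsing the two MailScanner spamcheck headers quoted in the first post and comparing each scanner's verdict, score and threshold. The function names are hypothetical, and the code assumes each header has been unfolded onto a single line.

```python
import re

# The two spamcheck headers exactly as quoted in the first post of the thread.
HEADERS = """\
X-Network-Resources-Mailscanner-Spamcheck: spam, SpamAssassin (score=5.053, required 5, FORGED_RCVD_HELO 0.05, MSGID_FROM_MTA_ID 1.70, NO_REAL_NAME 0.18, RCVD_HELO_IP_MISMATCH 0.62, RCVD_NUMERIC_HELO 1.53, SARE_FROM_SPAM_WORD0 0.77, UPPERCASE_25_50 0.21)
X-Syndicomm-Mailscanner-Spamcheck: not spam (whitelisted), SpamAssassin (score=1.482, required 5, BAYES_20 -1.95, NO_REAL_NAME 0.01, RCVD_HELO_IP_MISMATCH 2.18, RCVD_NUMERIC_HELO 1.25)
"""

# X-<site>-Mailscanner-Spamcheck: <verdict>, SpamAssassin (score=.., required .., <rules>)
SPAMCHECK = re.compile(
    r"^X-(?P<site>[\w-]+?)-Mailscanner-Spamcheck:\s*(?P<verdict>[^,]+),\s*"
    r"SpamAssassin \(score=(?P<score>-?[\d.]+), required (?P<required>[\d.]+),"
    r"\s*(?P<rules>[^)]*)\)",
    re.IGNORECASE | re.MULTILINE,
)
RULE = re.compile(r"([A-Z0-9_]+) (-?\d+(?:\.\d+)?)")


def parse_spamchecks(raw):
    """Return one dict per MailScanner spamcheck header found in raw headers."""
    results = []
    for m in SPAMCHECK.finditer(raw):
        rules = {name: float(pts) for name, pts in RULE.findall(m["rules"])}
        results.append({
            "site": m["site"],                 # site prefix the scanner put in the header name
            "verdict": m["verdict"].strip(),
            "score": float(m["score"]),
            "required": float(m["required"]),
            "rules": rules,
            "rule_sum": round(sum(rules.values()), 2),  # cross-check against score
        })
    return results


def taggers(raw):
    """Sites whose scanner returned a spam verdict at or above its own threshold."""
    return [c["site"] for c in parse_spamchecks(raw)
            if c["verdict"].lower().startswith("spam")
            and c["score"] >= c["required"]]


if __name__ == "__main__":
    for check in parse_spamchecks(HEADERS):
        print(check["site"], check["verdict"], check["score"], check["rule_sum"])
    print("tagged by:", taggers(HEADERS))
```

On this message the only scanner returning a spam verdict is the Network-Resources one, whose Information header gives postmaster[at]infinityresourcesinc.com as the contact. Its rounded per-rule points sum to 5.06 against a reported score of 5.053 and a required score of 5.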
This topic is now archived and is closed to further replies.