Infinity Resources?

[kgagne]

My email is forwarded from my domain (gamebits.net, hosted by myhosting.com) to spamcop.net to syndicomm.com. Some valid mail is coming through marked as {spam?} with a notice from Infinity Resources, whoever they are, indicating I should report if the mark is being incorrectly applied. I am trying to figure out to whom this report should go. Syndicomm.com says they didn't do it, and myhosting.com - well, I think they've outsourced all their support to India, and the only answer I could get from them was a description of what SpamCop is. Headers from the original email follow; can anyone tell where the {spam?} mark is coming from?

From: deepdiscountdvd[at]deepdiscountdvd.com

Date: January 6, 2005 7:04:30 AM EST

To: <redacted>

Subject: {spam?} Order with DEEPDISCOUNTDVD.com

Return-Path: <deepdiscountdvd[at]deepdiscountdvd.com>

Received: from c60.cesmail.net (c60.cesmail.net [216.154.195.49]) by sinclair.syndicomm.com (8.13.1/8.13.1) with ESMTP id j06C8ZCk009721 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=FAIL) for <redacted>; Thu, 6 Jan 2005 04:08:40 -0800

Received: from unknown (HELO blade1.cesmail.net) (192.168.1.211) by c60.cesmail.net with SMTP; 06 Jan 2005 07:08:31 -0500

Received: (qmail 21580 invoked by uid 1010); 6 Jan 2005 12:08:30 -0000

Received: (qmail 21431 invoked from network); 6 Jan 2005 12:08:19 -0000

Received: from unknown (192.168.1.103) by blade1.cesmail.net with QMQP; 6 Jan 2005 12:08:19 -0000

Received: from xmail03.myhosting.com (168.144.250.217) by mailgate2.cesmail.net with SMTP; 6 Jan 2005 12:08:19 -0000

Received: (qmail 10502 invoked by alias); 6 Jan 2005 12:08:18 -0000

Received: (qmail 10500 invoked by alias); 6 Jan 2005 12:08:18 -0000

Received: (qmail 10496 invoked from network); 6 Jan 2005 12:08:18 -0000

Received: from mail.infinityresourcesinc.com ([130.94.28.189]) (envelope-sender <deepdiscountdvd[at]deepdiscountdvd.com>) by xmail03.myhosting.com (qmail-ldap-1.03) with SMTP for <redacted>; 6 Jan 2005 12:08:09 -0000

Received: from 130.94.28.189 (linuxcp19046.dn.net [198.65.147.37]) by mail.infinityresourcesinc.com (8.11.6/8.11.6) with ESMTP id j06C7tY00509 for <redacted>; Thu, 6 Jan 2005 07:07:55 -0500

Delivered-To: <redacted>

Delivered-To: <redacted>

Delivered-To: <redacted>

X-Habeas-Swe-1: winter into spring

X-Habeas-Swe-2: brightly anticipated

X-Habeas-Swe-3: like Habeas SWE

X-Habeas-Swe-4: Copyright 2002 Habeas

X-Habeas-Swe-5: Sender Warranted Email (SWE) . The sender of this

X-Habeas-Swe-6: email in exchange for a license for this Habeas

X-Habeas-Swe-7: warrant mark warrants that this is a Habeas Compliant

X-Habeas-Swe-8: Message (HCM) and not spam. Please report use of this

X-Habeas-Swe-9: mark in spam to <http://www.habeas.com/report/>.

Message-Id: <200501061207.j06C7tY00509[at]mail.infinityresourcesinc.com>

Content-Type: multipart/report; boundary="======14974==75477======"

Mime-Version: 1.0

X-Network-Resources-Mailscanner-Information: Please contact the postmaster[at]infinityresourcesinc.com for more information

X-Network-Resources-Mailscanner: Found to be clean

X-Network-Resources-Mailscanner-Spamcheck: spam, SpamAssassin (score=5.053, required 5, FORGED_RCVD_HELO 0.05, MSGID_FROM_MTA_ID 1.70, NO_REAL_NAME 0.18, RCVD_HELO_IP_MISMATCH 0.62, RCVD_NUMERIC_HELO 1.53, SARE_FROM_SPAM_WORD0 0.77, UPPERCASE_25_50 0.21)

X-Mailscanner-From: deepdiscountdvd[at]deepdiscountdvd.com

X-spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on blade1

X-spam-Level: **

X-spam-Status: hits=2.4 tests=FORGED_RCVD_HELO,NO_REAL_NAME, RCVD_HELO_IP_MISMATCH,RCVD_NUMERIC_HELO version=3.0.0

X-Spamcop-Checked: 192.168.1.103 168.144.250.217 130.94.28.189 130.94.28.189 198.65.147.37

X-Syndicomm-Mailscanner: No viruses found (not authoritative)

X-Syndicomm-Mailscanner-Spamcheck: not spam (whitelisted), SpamAssassin (score=1.482, required 5, BAYES_20 -1.95, NO_REAL_NAME 0.01, RCVD_HELO_IP_MISMATCH 2.18, RCVD_NUMERIC_HELO 1.25)

X-Envelope-From: deepdiscountdvd[at]deepdiscountdvd.com

X-Uidl: 'L["!E`~"!N0]!!3H4!!

Our MailScanner believes that the attachment to this message sent to you

From: deepdiscountdvd[at]deepdiscountdvd.com

Subject: Order with DEEPDISCOUNTDVD.com

is Unsolicited Commercial Email (spam). Unless you are sure that this message

is incorrectly thought to be spam, please delete this message without opening

it. Opening spam messages might allow the spammer to verify your email

address.

If you believe that this message has been incorrectly marked as spam, please

forward this email to postmaster.

pts rule name description

---- ---------------------- --------------------------------------------------

0.2 NO_REAL_NAME From: does not include a real name

0.8 SARE_FROM_SPAM_WORD0 From address suggests this is spam

0.1 FORGED_RCVD_HELO Received: contains a forged HELO

1.7 MSGID_FROM_MTA_ID Message-Id for external message added locally

0.6 RCVD_HELO_IP_MISMATCH Received: HELO and IP do not match, but should

1.5 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO

0.2 UPPERCASE_25_50 message body is 25-50% uppercase

--

This message has been scanned for viruses and

dangerous content by MailScanner at Infinity Resources and is

believed to be clean.

[agsteele]

My email is forwarded from my domain (gamebits.net, hosted by myhosting.com) to spamcop.net to syndicomm.com.  Some valid mail is coming through marked as {spam?} with a notice from Infinity Resources, whoever they are, indicating I should report if the mark is being incorrectly applied.  I am trying to figure out to whom this report should go.  Syndicomm.com says they didn't do it, and myhosting.com - well, I think they've outsourced all their support to India, and the only answer I could get from them was a description of what SpamCop is.  Headers from the original email follow; can anyone tell where the {spam?} mark is coming from?

22605[/snapback]

I a little confused by these headers since they appear to be the headers of the spam alert rather than the original spam message. But it is possible that the intercepted Email had the spam warning added to the top of the original Email. Looking at the headers you've supplied it looks as if Infinity Resources is the company that deepdiscountdvd is using to send their mail through. So whoever deepdiscountdvd is they seem to trapping their own outgoing Email.

Anyone else read these headers the same way?

Andrew

[Wazoo]

I'll agree that this doesn't fall into a nice easy to understand picture <g>

More confusion in trying to guess where infinity actually fits in;

Received: from mail.infinityresourcesinc.com ([130.94.28.189]) (envelope-sender <deepdiscountdvd[at]deepdiscountdvd.com>) by xmail03.myhosting.com (qmail-ldap-1.03) with SMTP for <sales[at]gamebits.net>; 6 Jan 2005 12:08:09 -0000

Received: from 130.94.28.189 (linuxcp19046.dn.net [198.65.147.37]) by mail.infinityresourcesinc.com (8.11.6/8.11.6) with ESMTP id j06C7tY00509 for <sales[at]gamebits.net>; Thu, 6 Jan 2005 07:07:55 -0500

Time lag involved, someone is stamping / inserting some wrong data ... you conjecture it's a deepdiscount output path .. I'll question that maybe it's a myhosting input path ...???

But also definitely agree, this is the output result of being handled somewhere other than the ISPs "known" to be in use.

Also stating that my eyes were glazing over a bit when looking at all those exposed e-mail addresses.

[agsteele]

Time lag involved, someone is stamping / inserting some wrong data ... you conjecture it's a deepdiscount output path .. I'll question that maybe it's a myhosting input path ...???

22619[/snapback]

Yes, of course it could be the input at myhosting...

www.infinityresourcesinc.com reveals Infinity Resources to be an E-commerce agency offering a range of services including direct mail and order fulfillment

On that basis I'd be inclined to suspect that the DVD sellers are marketing through these guys and got their own messages trapped but it is a gut feeling rather than proved conclusively

Andrew

[StevenUnderwood]

Is there any history with infinityresourcesinc.com? I will leave it to others to track that down as I have no time today and others are much better atit than me, but since they want to be contacted and they seem to have put the SA messages in (same tests match upper and lower sections) I would assume they are the ones placing the {spam} subject. If they are legit, you could contact them and find out, but personally, I would not give them my email address (or give them a different one).

[Wazoo]

kgagne apparently PM'd Ellen requesting data on how to edit/delete a post whthin this Forum structure. Not sure I understand that, but I suppose that looking at the "Moderating Team display" might be confusing ...??? Ellen's job description does not include include this kind of work (to the best of my knowledge) ... it's nice that she does find the time to come in here and handle some issues.

In the future, please send queries of this nature to the Moderators (though noting that there is only the one actuve at present .. JeffG promises to be back sometime soon <g>)

I edited out the personal addresses seen in a quick pass though the original post.

I don't like deleting posts/Topics for a number of reasons.

User PM'd (Ellen CC:'d)

[sommerfeld]

pts rule name              description

---- ---------------------- --------------------------------------------------

0.2 NO_REAL_NAME        From: does not include a real name

0.8 SARE_FROM_SPAM_WORD0 From address suggests this is spam

0.1 FORGED_RCVD_HELO    Received: contains a forged HELO

1.7 MSGID_FROM_MTA_ID      Message-Id for external message added locally

0.6 RCVD_HELO_IP_MISMATCH  Received: HELO and IP do not match, but should

1.5 RCVD_NUMERIC_HELO      Received: contains an IP address used for HELO

0.2 UPPERCASE_25_50        message body is 25-50% uppercase

That looks like a locally hacked copy of spamassassin; the total score adds up to 5.1 points vs the normal blocking threshhold of 5.0.

Of the tags which hit, a bunch of these suggest that the sender's mailer is misconfigured/not standards-conformant. this is usually a good but hardly perfect indicator of spam.