
Spamcop cleared a mailhost it shouldn't have


jtrigg


From that parse I see the following 2 lines.

2: Received: from localhost.localdomain (unknown [203.135.15.198]) by farreaches.org (Postfix) with ESMTP id E5F841B8B0 for <x>; Mon, 10 Jan 2005 07:55:23 -0600 (CST)

No unique hostname found for source: 203.135.15.198

S. Gabriel received mail from sending system 203.135.15.198

3: Received: from samza ([203.135.41.223]) by localhost.localdomain (8.9.3/8.9.3) with SMTP id SAA17621 for <x>; Mon, 10 Jan 2005 18:53:40 -0500

No unique hostname found for source: 203.135.41.223

Trusted site 203.135.15.198 received mail from 203.135.41.223

Line 2 is showing one of your mailhost entries receiving a message from 203.135.15.198. Line 3 says that in the spamcop database, 203.135.15.198 is known to be trusted to report the correct connecting IP, in this case 203.135.41.223, so it reports that IP.

Just because the HELO does not match (or is not investigated) does not make it a bad entry. The spam filtering system Postini always uses the rDNS value of "Source", probably as a way of eliminating a DNS lookup which could slow things down. While I like the "source" idea better than "localhost.localdomain", that is not used much (at all?) in the parsing of the source of a message.


203.135.15.198 is not a valid relay for any of my email addresses, and is at a bare minimum misconfigured if it is a valid MX -- the name it HELOs with is not a valid FQDN and it has no rDNS, so I cannot determine what network it might be an MX for. It is not in the list of report targets; those are 203.135.41.223 (the IP that allegedly passed the message to it) and the spamvertized URL. I want to know why 203.135.15.198 is being considered "trusted" when I have not so marked it and can see no reason for it to be.


203.135.15.198 is not a valid relay for any of my email addresses

It could be a valid outgoing relay for the ISP it belongs to. It does not have to be an MX at all, that is only for receiving messages.

Many times it is marked as trusted within SpamCop's parser software, usually because it is like a smarthost server used to redirect its customers' email to the outside world.

This has nothing to do with your trusting the IP address, only spamcop having seen this IP before and determining, for one reason or another, that it is doing its job correctly to include the source IP address.

We will need Ellen's investigation into this particular host for the particulars, however.

According to SenderBase, the owner of both IPs is PaknetLimited in Islamabad, Pakistan.


203.135.15.198 is not a valid relay for any of my email addresses, and is at a bare minimum misconfigured if it is a valid MX -- the name it HELOs with is not a valid FQDN and it has no rDNS, so I cannot determine what network it might be an MX for. It is not in the list of report targets; those are 203.135.41.223 (the IP that allegedly passed the message to it) and the spamvertized URL. I want to know why 203.135.15.198 is being considered "trusted" when I have not so marked it and can see no reason for it to be.

203.135.15.198 is a valid outgoing mail server for the sending IP though. Note the statement "Trusted site 203.135.15.198 received mail from 203.135.41.223".

That statement means the admin of that server has contacted us and provided satisfactory information proving the server is properly relaying mail only for authorized IPs and it properly identifies and stamps the originating IP.

Our goal is to identify the correct source of the mail and prevent more spam from that source from reaching our users. Wherever possible we do not cause collateral damage by listing outgoing mail servers.

The parser is correctly finding the source and correctly wanting to send 203.135.15.198 for relay testing because we have not yet done so to date.

Richard

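The chain walk Richard and the first reply describe, written out as an added example (this is not SpamCop's parser, whose internals are not public): starting from the reporter's own mailhost, each Received header's connecting IP is only believed as the source if the host that stamped it is trusted, and the walk stops at the first untrusted hop. The two headers are the ones quoted above; the mailhost name, the trusted set, and the continuity check (the next header's "by" name must match the previous hop's HELO name) are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed from the two Received lines quoted in the thread (topmost = last hop).
HEADERS = [
    "Received: from localhost.localdomain (unknown [203.135.15.198]) by farreaches.org (Postfix) with ESMTP id E5F841B8B0 for <x>; Mon, 10 Jan 2005 07:55:23 -0600 (CST)",
    "Received: from samza ([203.135.41.223]) by localhost.localdomain (8.9.3/8.9.3) with SMTP id SAA17621 for <x>; Mon, 10 Jan 2005 18:53:40 -0500",
]

RECEIVED_RE = re.compile(r"^Received: from (\S+) \(.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]\) by (\S+)")

@dataclass
class Hop:
    helo: str   # name the sending system announced (the HELO, e.g. localhost.localdomain)
    ip: str     # connecting IP as stamped by the receiving MTA
    by: str     # MTA that wrote this header

def parse_received(line):
    """Return a Hop for a Received header of the form seen above, else None."""
    m = RECEIVED_RE.match(line)
    return Hop(*m.groups()) if m else None

def find_source(headers, mailhosts, trusted):
    """Walk the chain outward from the reporter's mailhost.

    Returns (source_ip, reported_by): reported_by is None when the mailhost
    itself stamped the source, otherwise the IP of the trusted relay whose
    header was believed.  'trusted' stands in for SpamCop's relay database
    (assumed here; the thread says such entries come from relay testing)."""
    hops = [h for h in map(parse_received, headers) if h]
    if not hops or hops[0].by not in mailhosts:
        raise ValueError("topmost Received was not written by a known mailhost")
    current, reporter = hops[0], None
    for nxt in hops[1:]:
        if current.ip not in trusted:
            break   # untrusted host: the header it wrote cannot be believed
        if nxt.by != current.helo:
            break   # simplified continuity check (assumption): chain is broken
        reporter, current = current.ip, nxt
    return current.ip, reporter
```

With 203.135.15.198 in the trusted set the source is 203.135.41.223 (what the parse reported); with an empty trusted set the walk stops at 203.135.15.198 (what the original poster expected).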
