jtrigg, posted January 12, 2005:

See http://www.spamcop.net/sc?id=z711919127zc4...196a171134b8d3z -- it cleared (accepted as authorized) a mailhost which HELOd as localhost.localdomain with no rDNS.

Thanks,
Jim
StevenUnderwood, posted January 12, 2005:

From that parse I see the following 2 lines.

2: Received: from localhost.localdomain (unknown [203.135.15.198]) by farreaches.org (Postfix) with ESMTP id E5F841B8B0 for <x>; Mon, 10 Jan 2005 07:55:23 -0600 (CST)
No unique hostname found for source: 203.135.15.198
S. Gabriel received mail from sending system 203.135.15.198

3: Received: from samza ([203.135.41.223]) by localhost.localdomain (8.9.3/8.9.3) with SMTP id SAA17621 for <x>; Mon, 10 Jan 2005 18:53:40 -0500
No unique hostname found for source: 203.135.41.223
Trusted site 203.135.15.198 received mail from 203.135.41.223

Line 2 is showing one of your mailhost entries receiving a message from 203.135.15.198. Line 3 says that in the SpamCop database, 203.135.15.198 is known to be trusted to report the correct connecting IP, in this case 203.135.41.223, so it reports that IP. Just because the HELO does not match (or is not investigated) does not make it a bad entry.

The spam filtering system Postini always uses the rDNS value of "Source", probably as a way of eliminating a DNS lookup which could slow things down. While I like the "source" idea better than "localhost.localdomain", that is not used much (at all?) in the parsing of the source of a message.
Wazoo, posted January 12, 2005:

Note kicked off to Deputies, including the extra note that the parse is currently "live" ... but you will notice that both IPs are included in the report target list ... so it's not as if the parser was faked out.
jtrigg (author), posted January 12, 2005:

203.135.15.198 is not a valid relay for any of my email addresses, and is at a bare minimum misconfigured if it is a valid MX -- the name it HELOs with is not a valid FQDN and it has no rDNS, so I cannot determine what network it might be an MX for. It is not in the list of report targets; those are 203.135.41.223 (the IP that allegedly passed the message to it) and the spamvertized URL. I want to know why 203.135.15.198 is being considered "trusted" when I have not so marked it and can see no reason for it to be.
StevenUnderwood, posted January 12, 2005:

jtrigg wrote: 203.135.15.198 is not a valid relay for any of my email addresses

It could be a valid outgoing relay for the ISP it belongs to. It does not have to be an MX at all; that is only for receiving messages. Many times it is marked as trusted within SpamCop's parser software, usually because it is something like a smarthost server used to redirect its customers' email to the outside world. This has nothing to do with your trusting the IP address, only SpamCop having seen this IP before and determining, for one reason or another, that it is doing its job correctly to include the source IP address. We will need Ellen's investigation into this particular host for the particulars, however.

According to SenderBase, the owner of both IPs is PaknetLimited in Islamabad, Pakistan.
Richard W, posted January 13, 2005:

jtrigg wrote: 203.135.15.198 is not a valid relay for any of my email addresses, and is at a bare minimum misconfigured if it is a valid MX -- the name it HELOs with is not a valid FQDN and it has no rDNS, so I cannot determine what network it might be an MX for. It is not in the list of report targets; those are 203.135.41.223 (the IP that allegedly passed the message to it) and the spamvertized URL. I want to know why 203.135.15.198 is being considered "trusted" when I have not so marked it and can see no reason for it to be.

203.135.15.198 is a valid outgoing mail server for the sending IP though. Note the statement "Trusted site 203.135.15.198 received mail from 203.135.41.223". That statement means the admin of that server has contacted us and provided satisfactory information proving the server is properly relaying mail only for authorized IPs and it properly identifies and stamps the originating IP. Our goal is to identify the correct source of the mail and prevent more spam from that source from reaching our users. Wherever possible we do not cause collateral damage by listing outgoing mail servers. The parser is correctly finding the source and correctly wanting to send 203.135.15.198 for relay testing because we have not yet done so to date.

Richard
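As an added illustration of the trusted-relay walk that StevenUnderwood and Richard W describe (example code written for this page, not SpamCop's parser), the script below parses the two Received headers quoted in the parse above, starts at the reporter's own mailhost, follows each hand-off, and keeps walking only while the handing-off IP is in a trusted-relay list; the first untrusted IP is the reported source, and anything below it is ignored because an untrusted sender can forge those headers. The mailhost set (farreaches.org) and the trusted-relay set (203.135.15.198) are assumptions standing in for the reporter's mailhost configuration and the SpamCop database; the HELO/rDNS findings are recorded but, as the thread says, do not change trust.

```python
"""Walk a Received: chain the way the parse in this thread does.

Start at the reporter's own mailhost, follow each hop to the IP that handed
the message over. If that IP is a trusted relay (known to stamp the true
connecting IP), step one header further down; the first IP that is not
trusted is the reported source. Headers below that hop were added by the
untrusted party and are ignored, since they can be forged freely.
"""
import re

# Sample input: the two Received: headers quoted in the parse above.
RECEIVED_HEADERS = [
    "from localhost.localdomain (unknown [203.135.15.198]) by farreaches.org "
    "(Postfix) with ESMTP id E5F841B8B0 for <x>; Mon, 10 Jan 2005 07:55:23 -0600 (CST)",
    "from samza ([203.135.41.223]) by localhost.localdomain (8.9.3/8.9.3) "
    "with SMTP id SAA17621 for <x>; Mon, 10 Jan 2005 18:53:40 -0500",
]

# Assumed configuration: the reporter's receiving host and the parser's trusted-relay list.
MAILHOSTS = {"farreaches.org"}
TRUSTED_RELAYS = {"203.135.15.198"}

# "from <helo> (<rdns> [<ip>]) by <host>"; the rDNS part is optional (Sendmail omits it).
_RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\)\s+"
    r"by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(header):
    """Return {'helo', 'rdns', 'ip', 'by'} for one header, or None if it carries no [ip]."""
    m = _RECEIVED_RE.search(header)
    if not m:
        return None
    rdns = m.group("rdns")
    if rdns is not None and rdns.lower() == "unknown":  # Postfix writes 'unknown' when PTR lookup fails
        rdns = None
    return {"helo": m.group("helo"), "rdns": rdns, "ip": m.group("ip"), "by": m.group("by")}


def helo_issues(hop):
    """Findings worth noting in a report; they do not affect whether a relay is trusted."""
    issues = []
    if hop["rdns"] is None:
        issues.append("no rDNS")
    helo = hop["helo"].lower()
    if "." not in helo or helo.startswith("localhost"):
        issues.append("HELO is not a valid FQDN")
    elif hop["rdns"] and helo != hop["rdns"].lower():
        issues.append("HELO does not match rDNS")
    return issues


def find_source(headers, mailhosts, trusted):
    """Return (source_ip, hops): the reported source and every header the walk relied on."""
    hops = []
    started = False
    for header in headers:  # headers are in message order, newest first
        hop = parse_received(header)
        if hop is None:
            continue
        if not started:
            if hop["by"].lower() not in mailhosts:
                continue  # hops above our own mailhost are internal forwarding; skip them
            started = True
        hops.append(hop)
        if hop["ip"] not in trusted:
            return hop["ip"], hops  # first untrusted hand-off is the source; stop here
        # trusted relay: the next header down is believed to have been stamped by it
    # every hop was trusted and the chain ended: the last relay is all we can name
    return (hops[-1]["ip"] if hops else None), hops


if __name__ == "__main__":
    source, hops = find_source(RECEIVED_HEADERS, MAILHOSTS, TRUSTED_RELAYS)
    for hop in hops:
        print(f"{hop['by']} received from {hop['ip']} (HELO {hop['helo']}): {helo_issues(hop) or 'ok'}")
    print("reported source:", source)
```

With the assumed trusted list the walk passes through 203.135.15.198 and reports 203.135.41.223; with an empty trusted list it stops at the first hop and reports 203.135.15.198 itself, which is the behaviour jtrigg expected.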