DavidT Posted February 16, 2004 Share Posted February 16, 2004 In order to report the spam in the "Held" portion of my spamcop.net INBOX, I peruse the Subject line and the first lines of text, move any non-spam out of Held, "select all" and then click on "Report as spam." This usually results in reports being sent to the ISP's responsible for the actual sources of the spam. In at least one case over the weekend, however, the SpamCop engine mis-identified the source of the spam and sent a report to the Abuse address at the host of one of my domains (for which my SpamCop mailbox is the "catchall"). My host contacted me with a copy of the report and warned me to fix my mail scripts...but nothing needs fixing, because while the spam passed *though* one of the addresses on one of my domains, it didn't originate there. The SpamCop-sanitized headers appear below (although I've removed the name of the domain that first *received* the spam) and would like for a deupty to take a look at ReportID 691037615. The report went to <abuse[at]jumpline.com>, my web host, and NOT to the RoadRunner Abuse dept....I'm sure the spam originated at a RoadRunner IP...see below. Delivered-To: spamcop-net-x Received: (qmail 18324 invoked from network); 15 Feb 2004 16:58:57 -0000 Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101) by blade1.cesmail.net with SMTP; 15 Feb 2004 16:58:57 -0000 Received: (qmail 19966 invoked from network); 15 Feb 2004 16:58:56 -0000 Received: from horace.mail.atl.earthlink.net (207.69.200.41) by mailgate.cesmail.net with SMTP; 15 Feb 2004 16:58:56 -0000 Received: from strange.mail.mindspring.net ([207.69.200.30]) by horace.mail.atl.earthlink.net with smtp (Exim 3.33 #1) id 1AsPbc-0000OL-00 for x; Sun, 15 Feb 2004 11:58:56 -0500 X-MindSpring-Loop: x Received: from oneofmydomains ([the IP for oneofmydomains]) by strange.mail.mindspring.net (EarthLink SMTP Server) with ESMTP id 1aSpBA7CU3Nl3oW0 for <x>; Sun, 15 Feb 2004 11:58:54 -0500 (EST) Received: from woof.co.uk (209.211.27.24.cfl.rr.com [24.27.211.209]) by oneofmydomains (8.12.9/8.11.2) with SMTP id i1FGwmpa009289 for <x>; Sun, 15 Feb 2004 11:58:48 -0500 Message-ID: <4992______________________fe02[at]woof.co.uk> From: "Concepcion Major" <c.major_gw[at]kceb.ie> To: x Subject: pénis énlarger Date: Sun, 15 Feb 2004 22:53:41 -0700 Link to comment Share on other sites More sharing options...
Wazoo Posted February 16, 2004 Share Posted February 16, 2004 Normally, if you want "only" input from a Deputy, you'd have sent this data to deputies at spamcop.net .... You chose to publish the data into a public Forum, which would normally invite offer of help from "anyone/everyone" .... However, that you chose to mung the exact data items that need to be looked at, it's a bit hard to take a stab at what may have actually happened at that transfer point. That you did include a Report ID helps, but that's when and if a Deputy actually comes along and hits this Topic/Thread. Back to others trying to help, a Tracking ID may have shed some light on it, but that wasn't one of your offered data items. Link to comment Share on other sites More sharing options...
DavidT Posted February 16, 2004 Author Share Posted February 16, 2004 Actually, although a deupty's assistance would be the most helpful, others are welcome to offer information....that's why I included the headers, munged as they were. This is a public forum, so I have little choice but to alter the data to protect my domain from added spamming. I think I provided enough of the headers to show that the true source of the spam was a RoadRunner user's computer, which is why it's mysterious that the Spamcop engine didn't send a report to RoadRunner. Where do I find the "Tracking ID"? The Subject header sent to my ISP (minus the IP) was: [spamCop (IP address withheld) id:691037615]pénis énl arger The ID number in that Subject is the same one I posted here earlier...it was listed as a "report id" in the URL on the Spamcop.net reporting site. On that page, there's a link with a very long string...perhaps that's the "Tracking ID"? Here it is: z297361546ze6d2ede1bb19f3188f116f88253de702z If you're able to access the details associated with that report, you'll see that the Spamcop engine ruled out the actual RoadRunner source, and then skipped to the IP of my own domain, the *recipient* of the spam, and reported it to my own host. I've recently changed DNS servers for the domain in question, so that might be related to the mis-analysis and misdirection of the report. Link to comment Share on other sites More sharing options...
Wazoo Posted February 16, 2004 Share Posted February 16, 2004 If you're able to access the details associated with that report, you'll see that the Spamcop engine ruled out the actual RoadRunner source, and then skipped to the IP of my own domain, the *recipient* of the spam, and reported it to my own host. I've recently changed DNS servers for the domain in question, so that might be related to the mis-analysis and misdirection of the report. You may have just answered the issue ??? there is a bit of a deal in that Julian had set up a check for "servers recently seen passing e-mail" ... and the deal was that if it was a "newly discovered" e-mail source, it went into a probationary setting. You're not the first that found out that if spam complaints were made while the IP was in this mode, it got caught as the source. A long, long time ago, Don had posted in at least one of the newsgroups that you could head this off by sending the IP/DNS data to them, they'd manually take care of the listing, and theoretically, things would work great. But, I haven't seen this tidbit brought up in a long time. So, to handle this thing quickly, (again, based on thie above assumption) .. definitly kick an e-mail to deputies at spamcop.net with the contents of your first post (no munging <g>) ... if this guess is good, the block may be removed as soon as one of them checks it out and agrees. The main reason I felt lost at the missing data was, like you seem to feel, my quick glance through the chaining didn't seem to show a problem, but I couldn't take the next logical step and look at that specific IP to look. But, yes, you need the power of a Deputy to verify this guess and make the change .... Here's hoping <g> Link to comment Share on other sites More sharing options...
DavidT Posted February 16, 2004 Author Share Posted February 16, 2004 So, to handle this thing quickly, (again, based on thie above assumption) .. definitly kick an e-mail to deputies at spamcop.net with the contents of your first post (no munging <g>) ... if this guess is good, the block may be removed as soon as one of them checks it out and agrees. Done...thanks! Link to comment Share on other sites More sharing options...
Jeff G. Posted February 16, 2004 Share Posted February 16, 2004 OK, given the tracking URL ("This page may be saved for future reference") of http://www.spamcop.net/sc?id=z297361546ze6...116f88253de702z , this problem may go on for a week because your SOA record is set to "expire:604800s (7 days)" and SpamCop's Parser doesn't currently think your IP Address is an MX for your Domain, unless a Deputy or Admin intervenes. Also, please see How can I get SpamCop reports about my network?. Thanks! Link to comment Share on other sites More sharing options...
DavidT Posted February 17, 2004 Author Share Posted February 17, 2004 (snip)...this problem may go on for a week because your SOA record is set to "expire:604800s (7 days)" and SpamCop's Parser doesn't currently think your IP Address is an MX for your Domain, unless a Deputy or Admin intervenes. I don't think I have any control over the SOA expiration values...those are determined by the hosting company, AFAIK, but I'll look into it. Also, please see How can I get SpamCop reports about my network?. Ah, nuts! I just looked there and my IP is now in the SpamCop BL, thanks to MY OWN (TWO) REPORTS! Son of a #%&^[at]&^. OK, I guess I'm all done reporting any of the spam in my Held mail. I've been reporting hundreds and hundreds each day, but if there's a risk of SpamCop sending reports to MY OWN web host and then adding my domains to the SpamCop BL, it's NOT WORTH IT! DRAT! :angry: Link to comment Share on other sites More sharing options...
jefft Posted February 17, 2004 Share Posted February 17, 2004 (snip)...this problem may go on for a week because your SOA record is set to "expire:604800s (7 days)" and SpamCop's Parser doesn't currently think your IP Address is an MX for your Domain, unless a Deputy or Admin intervenes. I don't think I have any control over the SOA expiration values...those are determined by the hosting company, AFAIK, but I'll look into it. Also, please see How can I get SpamCop reports about my network?. Ah, nuts! I just looked there and my IP is now in the SpamCop BL, thanks to MY OWN (TWO) REPORTS! Son of a #%&^[at]&^. OK, I guess I'm all done reporting any of the spam in my Held mail. I've been reporting hundreds and hundreds each day, but if there's a risk of SpamCop sending reports to MY OWN web host and then adding my domains to the SpamCop BL, it's NOT WORTH IT! DRAT! :angry: We're currently in early testing of a new system which will fix this. SpamCop will know from where you're supposed to get mail and won't report those hosts. This has been much-requested in the past. It's actually a complicated problem and a lot of work has gone into it. Hopefully this will be live soon (weeks, not days). JT Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.