bobbear Posted January 26, 2005

Is it helpful to feed back to you SC derived reporting addresses that bounce? i.e.:

The reporting address network[at]hljtele.com bounces with the reply:

User network (network[at]hljtele.com) not listed in Domino Directory

Wazoo Posted January 26, 2005

Doing a "Refresh" on the SpamCop parser returned;

Removing old cache entries.
Tracking details
"whois 219.147.185.126[at]whois.apnic.net" (Getting contact from whois.apnic.net mirror)
Display data:
lz298-ap = network[at]hljtele.com
ch93-ap = hostmaster[at]ns.chinanet.cn.net anti-spam[at]ns.chinanet.cn.net
whois.apnic.net 219.147.185.126 = network[at]hljtele.com, anti-spam[at]ns.chinanet.cn.net, hostmaster[at]ns.chinanet.cn.net
whois: 219.147.128.0 - 219.147.255.255 = network[at]hljtele.com, anti-spam[at]ns.chinanet.cn.net, hostmaster[at]ns.chinanet.cn.net
Routing details for 219.147.185.126
Using abuse net on network[at]hljtele.com
abuse net hljtele.com = network[at]hljtele.com, postmaster[at]hljtele.com, anti-spam[at]ns.chinanet.cn.net
abuse net chinanet.cn.net = anti-spam[at]chinanet.cn.net, ctsummary[at]special.abuse.net, postmaster[at]chinanet.cn.net
abuse net chinanet.cn.net = anti-spam[at]chinanet.cn.net, ctsummary[at]special.abuse.net, postmaster[at]chinanet.cn.net
Using best contacts network[at]hljtele.com postmaster[at]hljtele.com anti-spam[at]ns.chinanet.cn.net
anti-spam[at]ns.chinanet.cn.net bounces (102 sent : 23203 bounces)
Using anti-spam#ns.chinanet.cn.net[at]devnull.spamcop.net for statistical tracking.

Normally, this type of data would be posted over in news://news.spamcop.net/spamcop.routing ... in this case, abuse.net would also appear to need a notify ... in both instances, full showing of the 'evidence' would be part of the standard notify.

Note kicked up to Deputies.

bobbear (Author) Posted January 26, 2005

> Normally, this type of data would be posted over in news://news.spamcop.net/spamcop.routing ... in this case, abuse.net would also appear to need a notify ... in both instances, full showing of the 'evidence' would be part of the standard notify.
> Note kicked up to Deputies.

Cheers - I could post all the source code but there's a lot of it.... It was in response to a manually reported trojan, ('dropper.inor.j'), dropper site, (http://www.jagsiocol.xxx/scr4/page.php), included in a spam - a nasty thing using an ActiveX control. Two attempts - two bounces. I've no idea how SC does the path testing, but I assume it's easily checked.

Re: anti-spam[at]ns.chinanet.cn.net bounces (102 sent : 23203 bounces)

Funnily enough, anti-spam[at]ns.chinanet.cn.net doesn't bounce for me. Don't understand those statistics, by the way....

Edit - com obfuscated in site address to stop anyone inadvertently clicking on it...

Wazoo Posted January 26, 2005

> Cheers - I could post all the source code but there's a lot of it....

Was talking about the bounce/rejection e-mail to show that you had it addressed properly and the rejection was 'valid' ... The actual spam is just extra data ... <g>

> Re: anti-spam[at]ns.chinanet.cn.net bounces (102 sent : 23203 bounces)
> Funnily enough, anti-spam[at]ns.chinanet.cn.net doesn't bounce for me.

Yeah, there's another guy that really likes to complain about this little detail over in the newsgroups a lot ... (for at least a year <g>) ... let's just point out the obvious .. ISPs can use filters also, and if an e-mail comes from some place 300 to 1,000 times a day with the exact same header data, it doesn't take much to figure out how to reject that e-mail <g>

> Don't understand those statistics, by the way....

23203 attempts at sending reports, but only 102 made it through ...

> Edit - com obfuscated in site address to stop anyone inadvertently clicking on it...

Thanks. Appreciated by those that might have tried it <g>

Wazoo Posted January 26, 2005

Just back from Ellen;

May have been transient. I think it looks OK now.

Ellen
SpamCop
Please include all previous correspondence with replies

----- Original Message -----
From: wazoo
To: deputies
Sent: Wednesday, January 26, 2005 8:02 AM
Subject: Routing override ..??

> http://forum.spamcop.net/forums/index.php?showtopic=3548
> parser using an abuse.net listing that allegedly bounces

bobbear (Author) Posted January 26, 2005

> Yeah, there's another guy that really likes to complain about this little detail over in the newsgroups a lot ... (for at least a year <g>) ... let's just point out the obvious .. ISPs can use filters also, and if an e-mail comes from some place 300 to 1,000 times a day with the exact same header data, it doesn't take much to figure out how to reject that e-mail <g>

I considered that, but thought I might have seen "anti-spam[at]ns.chinanet.cn.net rejects SpamCop reports", (or whatever the usual message is), instead......

> 23203 attempts at sending reports, but only 102 made it through ...

Thanks - It just reads the other way around, that's all....

Cheers, Bob

bobbear (Author) Posted January 26, 2005

> Just back from Ellen;

This was the bounced email source code, (returned attachment truncated & email address munged)

Return-path: <>
Envelope-to: xxxxx[at]breathemail.net
Delivery-date: Wed, 26 Jan 2005 08:23:17 +0000
Received: from [219.147.185.126] (helo=mp.hljtele.com)
    by mk-mx-2.b2b.uk.tiscali.com with esmtp (Exim 4.24)
    id 1CtiSH-000BYJ-1w
    for xxxx[at]breathemail.net; Wed, 26 Jan 2005 08:23:14 +0000
Message-ID: <00c701c50380$10bee3d0$527da2d5[at]bobs>
From: Postmaster[at]hljtele.com
To: "Bob" <xxxx[at]breathemail.net>
Subject: =?GB2312?B?tKvLzcqnsNw6IFVzZXIgbmV0d29yayAobmV0d29ya0BobGp0ZWxlLmNvbSkg?=
    =?GB2312?B?bm90IGxpc3RlZCBpbiBEb21pbm8gRGlyZWN0b3J5?=
Date: Wed, 26 Jan 2005 08:21:39 -0000
MIME-Version: 1.0
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1478
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1478
X-MIMETrack: Itemize by SMTP Server on mp.hljtele.com/
    =?GB2312?B?utrB+r2tL2N0bnQoUmVsZWFzZSA2LjB8U2VwdGVtYmVyIDI2LCAyMDAyKSA=?=
    =?GB2312?B?YXQgMjAwNS0wMS0yNiAxNjoyNDo0Nw==?=,
    Serialize by Router on mp.hljtele.com/
    =?GB2312?B?utrB+r2tL2N0bnQoUmVsZWFzZSA2LjB8U2VwdGVtYmVyIDI2LCAyMDAyKSA=?=
    =?GB2312?B?YXQgMjAwNS0wMS0yNiAxNjoyNDo1OQ==?=,
    Serialize complete at 2005-01-26 16:24:59
Content-Type: multipart/report; report-type=delivery-status;
    boundary="==IFJRGLKFGIR29218UHRUHIHD"
X-Antivirus: AVG for E-mail 7.0.302 [265.7.3]

--==IFJRGLKFGIR29218UHRUHIHD
Content-Type: text/plain; charset=GB2312
Content-Transfer-Encoding: base64

z/vPog0KDQogINb3zOI6IEFidXNlIFJlcG9ydCA6IFdlYnNpdGUgZGlzdHJpYnV0aW5nIHRyb2ph
bg0KDQrDu9PQtKvLzToNCg0KICBuZXR3b3JrQGhsanRlbGUuY29tDQoNCtLyzqo6DQoNCiAgVXNl
ciBuZXR3b3JrIChuZXR3b3JrQGhsanRlbGUuY29tKSBub3QgbGlzdGVkIGluIERvbWlubyBEaXJl
Y3RvcnkNCg0K

--==IFJRGLKFGIR29218UHRUHIHD
Content-Type: message/delivery-status

Reporting-MTA: dns;mp.hljtele.com

Final-Recipient: rfc822;network[at]hljtele.com
Action: failed
Status: 5.1.1
Diagnostic-Code: X-Notes; User network (network[at]hljtele.com) not listed in Domino Directory

--==IFJRGLKFGIR29218UHRUHIHD
Content-Type: message/rfc822

Received: from mail.metronet.co.uk ([213.162.97.75])
    by mp.hljtele.com (Lotus Domino Release 6.0)
    with ESMTP id 2005012616244673-5313 ;
    Wed, 26 Jan 2005 16:24:46 +0800
Received: from [213.162.125.82] (213-162-125-82.xxxx.adsl.metronet.co.uk [213.162.125.82])
    by smtp.metronet.co.uk (MetroNet Mail) with ESMTP
    id 667E74166A6; Wed, 26 Jan 2005 08:22:27 +0000 (GMT)
Received: from 127.0.0.1 (AVG SMTP 7.0.302 [265.7.3]);
    Wed, 26 Jan 2005 08:21:42 +0000
Message-ID: <00c701c50380$10bee3d0$527da2d5[at]bobs>
From: "Bob" <xxxx[at]breathemail.net>
To: <network[at]hljtele.com>
Subject: Abuse Report : Website distributing trojan
Date: Wed, 26 Jan 2005 08:21:39 -0000
MIME-Version: 1.0
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1478
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1478
X-MIMETrack: Itemize by SMTP Server on mp.hljtele.com/

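Added example, not part of the thread and not SpamCop's code: one way to check that a bounce like the one above was addressed properly and that the rejection is a permanent one rather than a transient failure, by reading the message/delivery-status part of the report. The sample message, its example.org/example.net addresses and the function name `check_bounce` are constructed for illustration.

```python
import email

# Constructed sample modelled on the bounce above (placeholder addresses).
SAMPLE_DSN = """\
From: Postmaster@mail.example.org
To: reporter@example.net
Subject: Delivery failure
Content-Type: multipart/report; report-type=delivery-status; boundary="BOUND"

--BOUND
Content-Type: text/plain

Delivery failed.

--BOUND
Content-Type: message/delivery-status

Reporting-MTA: dns;mail.example.org

Final-Recipient: rfc822;network@example.org
Action: failed
Status: 5.1.1
Diagnostic-Code: X-Notes; User network (network@example.org) not listed in Domino Directory

--BOUND--
"""

def check_bounce(raw, intended_rcpt):
    """Return one verdict dict per recipient block found in a DSN."""
    msg = email.message_from_string(raw)
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "delivery-status"):
        return []  # not a delivery status notification
    verdicts = []
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        # The parser exposes each header block of the DSN as its own Message.
        for block in part.get_payload():
            if "Final-Recipient" not in block:
                continue  # per-message block (Reporting-MTA) or empty trailer
            rcpt = block["Final-Recipient"].split(";", 1)[-1].strip()
            status = block.get("Status", "").strip()
            verdicts.append({
                "recipient": rcpt,
                "addressed_correctly": rcpt.lower() == intended_rcpt.lower(),
                "status": status,
                "permanent": status.startswith("5."),  # 4.x.x is transient
                "diagnostic": block.get("Diagnostic-Code", "").strip(),
            })
    return verdicts
```

A 5.1.1 status for the exact address the report was sent to is the case worth forwarding as evidence; a 4.x.x status is worth a retry first.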
This topic is now archived and is closed to further replies.