
Legitimate relay of email appears to be Spam


thams


I hope that someone at the Admin level can help me on this one.

Here’s the problem…I have an email address that I use on my business cards, etc. That address (abc[at]xyz.com) is owned by one of my relatives. The abc[at]xyz.com is forwarded to another email address which I own (abc[at]xyz.us). The abc[at]xyz.us is forwarded to my spamcop.net email address for filtering and reporting of spam. I receive a lot of spam every day at the xyz.com address. I purchased the xyz.us address through GoDaddy. Yesterday GoDaddy blocked the xyz.com IP because of spam. I am assuming that because my email is routed from xyz.com to xyz.us to spamcop.net that xyz.com appears to be a player in the spam game.

I know that this is a long and confusing story, but here’s my question…Is there any way to prevent xyz.com from getting caught in the loop? Spamcop.net has not yet blocked xyz.com but I am afraid that is next.

HELP PLEASE :(


Making assumptions while hiding any pertinent details is a losing game. There are a number of folks here that would more than likely be able to answer just about anything asked, but ....

As there doesn't seem to be a direct connection between your scenario and a SpamCop E-mail Account, moving this to the Lounge.


"Making assumptions while hiding any pertinent details"

I am not making assumptions...I am asking questions. And I am not hiding anything...I am more than happy to supply details but you will have to guide me through what you need.

Thank you.


Deleted posting that contained only a quoted copy of my last post

I am not making assumptions...

I am assuming that because my email is routed from xyz.com ......

I sure read that as "making an assumption" ..??? Nowhere in all of your description did you even suggest how GoDaddy may have received some data suggesting spam spew ..????

I am asking questions. And I am not hiding anything...I am more than happy to supply details but you will have to guide me through what you need.

whois -h whois.godaddy.com xyz.com ...

Registered through: GoDaddy.com

Domain Name: XYZ.COM

Created on: 14-Mar-94

Expires on: 15-Mar-08

Last Updated on: 02-May-04

Administrative Contact:

Galassi, Michael nerdgd <at> nerdy1.com

Mist, Oregon 97016

02/06/05 20:06:03 Slow traceroute XYZ.COM

Trace XYZ.COM (64.146.134.38) ...

204.119.1.222 RTT: 75ms TTL: 64 (pdxcolo-sawnet.saw.net ok)

64.146.134.38 RTT: 122ms TTL: 49 (XYZ.COM ok)

doesn't look like it's been 'whacked'

Checking server [whois.nic.us]

Domain Name: XYZ.US

Domain ID: D1779065-US

Sponsoring Registrar: TUCOWS INC.

Domain Status: ok

Registrant ID: TUMXXDW4FAUGWNQH

Registrant Name: Ben Gerber

Registrant Organization: Gerber

Registrant City: East Syracuse

Registrant State/Province: NY

Registrant Postal Code: 13057

Registrant Email: ben <at> vkinetic.com

Registration data doesn't match ... so let's try again with the 'hidden detail' thing ..

The only thing that can be offered at this point is an assumption, which of course, just opens up all kinds of possibilities that nothing offered will match up with the real details. Somewhere in all of your forwarding is a server that's not stamping the headers correctly. So have you a sample of one of these e-mails that "you assume" is the reason GoDaddy whacked whatever site you are really talking about? So much easier to work with "real" data than wasting this time beating around the bush ....


OK - let's try this again. 'abc[at]xyz.com' was my way of giving a fictitious example. If you are not interested in helping someone who is not as computer literate as you are then I will not waste your time. However, I will say that I am NOT blaming SpamCop. I am only trying to learn what has happened and how to prevent any further problem. I am a big advocate of SpamCop and want to find a way to avoid further problems when the intent is to get the spammer not the legit email provider.

If you are interested in helping me then you need to explain what it is that you need from me and I will do all that I can to provide that information. I will tell you that the email that is forwarded to me comes from thams.com and that the email that I forward to spamcop.net comes from thams.us. What else do you need? Do you need a full header from spam that I have received? Do you need something from the SpamCop Quick reporting data? Just let me know and I will do what is within my knowledge and ability.

Thank you.


Have you signed up for mailhosts? If you have then, there should be no problem with spamcop reading the headers (unless as was suggested one of the forwarding servers is messing up the headers IIUC). Though if spamcop is not blocking it, then it doesn't seem to be something that you are doing by reporting spam.

Blocklists work on IP addresses, not domain names. The IP address that is being blocked is what is important. Since it is not being blocked by spamcop, it is not a spamcop problem. However, some people might take time to see if it is on other blocklists and maybe suggest why.

Perhaps I haven't understood what your problem is or what you want help with. It seems to me that if GoDaddy was the one blocking it, you should ask them.

Miss Betsy


OK - let's try this again. 'abc[at]xyz.com' was my way of giving a fictitious example.

Thus my comment about (and time spent verifying) your "hidden data"

If you are not interested in helping someone who is not as computer literate as you are then I will not waste your time.

I'm not sure why you want to start with "not wanting to help" when all that's been accomplished by my time spent thus far has been to push you into providing some factual data to work with. You are pushing all the wrong buttons thus far.

However, I will say that I am NOT blaming SpamCop.

Only in this post (your fourth in this discussion including the one I deleted) do you possibly mention any SpamCop involvement - your suggestion of Quick-Report data.

If you are interested in helping me then you need to explain what it is that you need from me and I will do all that I can to provide that information. I will tell you that the email that is forwarded to me comes from thams.com and that the email that I forward to spamcop.net comes from thams.us. What else do you need? Do you need a full header from spam that I have received?

The "if you are interested" remark is again the wrong button to be pushing .... peer-to-peer support is what this whole Forum thing is all about. Apparently, my query to this was not read in my last post ... the question asked, additional comment made -"So have you a sample of one of these e-mails that "you assume" is the reason GoDaddy whacked whatever site you are really talking about? So much easier to work with "real" data than wasting this time beating around the bush ...."

Do you need something from the SpamCop Quick reporting data? Just let me know and I will do what is within my knowledge and ability.

Now that you bring Quick-Reporting into the picture, have you done any reading on the downside of Quick-Reporting? Have you noticed all the requests for putting a stop to all the "Quick-Report Detail" e-mails that no one wants to receive, yet it's pointed out that these need to be looked at so as to ensure that one is not reporting oneself? Have you been reading yours?


OK - hopefully I am on the right track. If I understand correctly there is a method other than quick reporting that I need to look into. Is this in my settings? If so, then please guide me to that location and advise on the alternative. I am not familiar with all these settings and I need the guidance.

Also, Miss Betsy, can you explain mailhosts? This is all new to me and I appreciate your suggestions. I think you get the gist of the problem. I have email forwarded from thams.com to thams.us to spamcop.net. For some reason that no one can explain GoDaddy (thams.us, which is mine) blocked the IP for thams.com (which belongs to a relative of mine) due to spam. Thams.com is not the source of the spam; thams.com is forwarding all email to me at my request and a lot of it is spam which I have reported through SpamCop. GoDaddy is looking into it but I have not heard back from them. In the meantime I am trying to prevent further problems. I feel that SpamCop is an important service and want to make certain that I am not contributing to the problem in my attempt to report spam.

If this does any good, the following is from SpamCop Quick report data and after the header of a spam email. Hopefully you can help me understand how to read it –

Tracking URL: http://www.spamcop.net/sc?id=z729457252z7f...05dc27cf313f35z

Here is the header of an email currently sitting in my ‘Held mail’ box –

Return-Path: <oiivvsufgaes[at]hotmail.com>

Delivered-To: spamcop-net-thams <at> spamcop.net

Received: (qmail 15080 invoked from network); 7 Feb 2005 01:24:30 -0000

Received: from unknown (192.168.1.101)

by blade2.cesmail.net with QMQP; 7 Feb 2005 01:24:30 -0000

Received: from adsl-63-197-2-193.dsl.snfc21.pacbell.net (HELO thams.net) (63.197.2.193)

by mailgate.cesmail.net with SMTP; 7 Feb 2005 01:24:29 -0000

X-Apparently-Delivered-To: <karen <at> thams.com>

Received: from 63.197.2.193 ([61.37.234.42])

by thams.net (8.12.8/8.12.8) with SMTP id j171OLPH029502

for <karen <at> thams.com>; Sun, 6 Feb 2005 17:24:22 -0800

X-Message-Info: 91ekASsdhVCT280ZyN94T654VLypSHImujFphoHRrkh674F

Received: from yahoo.com (254.173.65.136) by oq161-hb47.yahoo.com with Microsoft SMTPSVC(2.4.2463.5625);

Mon, 07 Feb 2005 20:25:15 +0300

Received: from yahoo.com (yahoo.com 50.204.208.182)

by yahoo.com (8.12.10/8.12.9) with ESMTP id r914VBZ087

for <karen <at> thams.com>; Mon, 07 Feb 2005 11:17:15 -0600 (EST)

(envelope-from oiivvsufgaes[at]hotmail.com)

Received: from RCU5581708751 (modemcable8.300-52.mc.yahoo.com 16.16.188.101)

(authenticated bits=0)

by yahoo.com (8.12.10/8.12.9) with ESMTP id yjd765VZK7mss326

for <karen <at> thams.com>; Mon, 07 Feb 2005 18:21:15 +0100 (EST)

(envelope-from oiivvsufgaes[at]hotmail.com)

Message-ID: <5ln2r431$ji5ntu567ck21$1im0mg95[at]WNB65189244380342>

From: "Bridgette Silva" <oiivvsufgaes[at]hotmail.com>

To: <karen <at> thams.com>

Subject: REAL VALIUM,XANAX,DARVON,LEVITRA..SOMA..MUCH MORE......

Date: Mon, 07 Feb 2005 20:24:15 +0300

MIME-Version: 1.0

Content-Type: multipart/alternative;

boundary="--306674742839143"

X-spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on blade2.cesmail.net

X-spam-Level: ******************************************

X-spam-Status: hits=42.3 tests=BLANK_LINES_70_80,CONFIRMED_FORGED,

DRUGS_ANXIETY,DRUGS_ANXIETY_EREC,DRUGS_DIET,DRUGS_DIET_OBFU,

DRUGS_ERECTILE,DRUGS_ERECTILE_OBFU,DRUGS_MANYKINDS,DRUGS_MUSCLE,

DRUGS_PAIN,DRUGS_PAIN_OBFU,DRUG_ED_CAPS,FORGED_HOTMAIL_RCVD,

FORGED_RCVD_HELO,INVALID_TZ_EST,J_CHICKENPOX_65,MIME_BOUND_DD_DIGITS,

RCVD_FAKE_HELO_DOTCOM,RCVD_HELO_IP_MISMATCH,RCVD_ILLEGAL_IP,

RCVD_NUMERIC_HELO,SUBJECT_DRUG_GAP_L,SUBJECT_DRUG_GAP_S,

SUBJECT_DRUG_GAP_VA,SUBJECT_DRUG_GAP_X,SUBJ_ALL_CAPS,UPPERCASE_25_50,

URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL,X_MESSAGE_INFO version=3.0.0

X-SpamCop-Checked:

X-SpamCop-Disposition: Blocked SpamAssassin=42

----306674742839143

Content-Type: text/plain;

Content-Transfer-Encoding: quoted-printable

Thanks!


Data search, update, problems .... Both .com and .us resolve, .com has a web-site, .us says "coming soon" ... mentions that parking of the Domain is free ... but, I have no idea what's supposed to be there ... the problem is that it seems like the original problem description is in error ... perhaps doing the fictional thing got everything confused ..???


02/06/05 23:24:47 Slow traceroute thams.com

Trace thams.com (63.197.2.193) ...

dns16.register.com reports the following MX records:

Preference Host Name IP Address TTL

10 mail.thams.com 63.197.2.193 3600

63.197.2.193 not listed in bl.spamcop.net

http://www.senderbase.org/?searchBy=ipaddr...ng=63.197.2.193

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ........ 1.8 .. -100%

Last 30 days .. 0.5 .. -100%

Average ........ 0.0

(very strange numbers there????)

http://openrbl.org/ip/63/197/2/193.htm

Lookup 63.197.2.193 (adsl-63-197-2-193.dsl.snfc21.pacbell.net) in 20+9 Zones

AS: 63.197.0.0/19 AS7132 Southwestern Bell Internet Servi Plano/Texas

Net 63.197.0-3 SBCIS62194 San Francisco, California

Results: Negative=28, Positive=0, Timeouts=1 (2005-02-07 05:49:13 UTC)

I hope you are confused, as I'm getting a bit ticked now ... there is no major evidence of anything substantial going on with thams.com based on the above ... However ... after editing your last post (removing the first sample content to just leaving the Tracking URL .. then going further and being nice to karen and munging her address a bit) .. then going in and taking a look at your spam submittal/report and seeing that thams.net was involved there .... something not mentioned before .... are you involved with this Domain? (It is noted that the SpamCop parser tossed this line out as a forgery, but ..... in your "currently in the InBox" sample, one sees the following lines;

Received: from adsl-63-197-2-193.dsl.snfc21.pacbell.net (HELO thams.net) (63.197.2.193) by mailgate.cesmail.net with SMTP; 7 Feb 2005 01:24:29 -0000)

02/06/05 23:52:54 Slow traceroute thams.net

Trace thams.net (207.111.252.230) ...

No MX records found for thams.net (at http://www.mxtoolbox.com/index.aspx)

2/6/2005 11:45:33 PM Central Standard Time

http://www.dnsreport.com/tools/dnsreport.ch?domain=thams.net

ERROR: I couldn't find any MX records for thams.net. If you want to receive E-mail on this domain, you should have MX record(s). Without any MX records, mailservers should attempt to deliver mail to the A record for thams.net. I can't continue in a case like this, so I'm assuming you don't receive mail on this domain.

ERROR: I could not find any mailservers for thams.net

Anyway, based on your samples, I again fail to see where GoDaddy would have received any notifies ... So, where I'm at now .... what have you got that says "GoDaddy blocked something" ...???? What I'm seeing is reason for PacBell to have issues with your reporting, further noting that neither example demonstrates your original "flow" of the several "forwards" .. or perhaps this is the problem I suggested before ... servers involved are not stamping the headers during their handling of the e-mail in question...???

(Yes, you have your account configured for the Mail-Host thing.)


I do not own the thams.com so if there is a thams.net involved then you know more than I know. All I know is that GoDaddy is bouncing email from thams.us back to thams.com with the message "Reason: 553 63.197.2.193 - rejected due to spam". My telephone conversation with a tech at GoDaddy provided me the confirmation that too much spam came from the thams.com email address (IP) and that as a result GoDaddy has blocked the IP.

Would you be so kind as to explain some of the following:

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ........ 1.8 .. -100%

Last 30 days .. 0.5 .. -100%

Average ........ 0.0

(very strange numbers there????)

What are these numbers and why are they strange? Is it because they recently moved the thams.com server?

are you involved with this URL? It is noted that the SpamCop parser tossed this line out as a forgery, but .....

What URL? The thams.us is mine the thams.com is a relative's. I don't have any hands on the thams.com, its server, or anything else involved with it. I am just the lost individual who is trying to learn what is happening and how to avoid further problems. What is tossed as a forgery?

ERROR: I couldn't find any MX records for thams.net. If you want to receive E-mail on this domain, you should have MX record(s). Without any MX records, mailservers should attempt to deliver mail to the A record for thams.net. I can't continue in a case like this, so I'm assuming you don't receive mail on this domain.

ERROR: I could not find any mailservers for thams.net

What is a MX record? I receive email sent to thams.com and it is forwarded to thams.us. I don't know that is done with thams.net.

Anyway, based on your samples, I again fail to see where GoDaddy would have received any notifies ... So, where I'm at now .... what have you got that says "GoDaddy blocked something" ...????


Let me know what else I can provide for you. I realize that this is confusing and that is why I came here and posted my question. I need help understanding what is going on, how to address it in a productive manner and how to prevent further problems. Am I using the wrong way of reporting the spam? Should I use a mailhost, as suggested by Miss Betsy?

Thanks!


I'll wait until you edit your post a bit, after going back and re-reading my last ... it appears we were typing in data at the same time. 90% of your last questions currently deal with the thams.net Domain. (and naturally, again I lied .. and kept right on typing ......)

What are these numbers and why are they strange? Is it because they recently moved the thams.com server?

That's the only way I could see the massive increase in traffic, but followed by a -100% ... they found out it was blocked, so moved it to a different IP address ... which says absolutely nothing about whether the "real" problem was handled or not ...

What is tossed as a forgery?

The parse results as seen in your Tracking URL sample. As you are asking, I'll make the guess that you don't have "show Technical Details" turned on, so you are probably not seeing the results. The line there with thams.net is tossed out as a forgery.

What is a MX record? I receive email sent to thams.com and it is forwarded to thams.us. I don't know that is done with thams.net.

MX = Mail Exchange = Mail server .... I see what you are saying, but I have been pointing out what data is seen in the headers of your samples. I copied one line to point it out, noting that the IP address offered in that header line doesn't match the other data found when searching for data on thams.net .... and it was this line that showed receipt by the SpamCop (cesmail) e-mail server ......

And again, neither of your samples show what you just said. Perhaps you are picking the wrong examples of this forwarding / forwarding / forwarding ....


OK, worked the heck out of your "currently in the InBox" item ... ran that through the parser ... bottom line, you need to talk to your relative ..... here are the results, also bombing out due to the thams.net issue;

http://www.spamcop.net/sc?id=z729555934z0a...ffbcaa533b1dc4z

Received: from adsl-63-197-2-193.dsl.snfc21.pacbell.net (HELO thams.net) (63.197.2.193) by mailgate.cesmail.net with SMTP; 7 Feb 2005 01:24:29 -0000

63.197.2.193 found

host 63.197.2.193 = adsl-63-197-2-193.dsl.snfc21.pacbell.net. (cached)

adsl-63-197-2-193.dsl.snfc21.pacbell.net. is 63.197.2.193

Possible spammer: 63.197.2.193

Received line accepted

Received: from 63.197.2.193 ([61.37.234.42]) by thams.net (8.12.8/8.12.8) with SMTP id j171OLPH029502 for <karen <at> thams.com>; Sun, 6 Feb 2005 17:24:22 -0800

Possible untrusted IP in HELO name, removing: 63.197.2.193

Received:

from x ([61.37.234.42]) by thams.net (8.12.8/8.12.8) with SMTP id j171OLPH029502 for <karen <at> thams.com>; Sun, 6 Feb 2005 17:24:22 -0800

61.37.234.42 found

The 'server' that is handling this thams.net thing is mis-stamping the incoming header line, thus kicking the parser back to the previous 'good' line, which then has you reporting PacBell, apparently your host/ISP/whatever .... (That being based on thams.com ... the thams.net Domain still being a critical question)

<incoming emergency phone call .... out of here for a bit>

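The post above, and Miss Betsy's earlier mailhosts suggestion, both come down to one mechanism: a reporting parser walks the Received: chain from the newest hop downward and can only believe a line if the server that stamped it is one the reporter has declared trusted. The moment it reaches a hop it does not trust, the most recent untrusted sending address is what gets reported, which is why a forwarder that is not registered as a mailhost (or that stamps a bare IP as the HELO name) ends up looking like the spam source. The following is an added example, not SpamCop's parser or any code from the thread; the header block is constructed to mirror the sample quoted above (recipient and the bottom hop are placeholders), and the trusted-relay sets are assumptions chosen to show the two outcomes.

```python
"""Walk a Received: chain newest-first, trusting only listed relays (the 'mailhosts' idea)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample modelled on the headers quoted in the thread. The recipient and
# the bottom (forged-looking) hop are placeholders, not a captured message.
SAMPLE_HEADERS = """\
Received: from unknown (192.168.1.101)
  by blade2.cesmail.net with QMQP; 7 Feb 2005 01:24:30 -0000
Received: from adsl-63-197-2-193.dsl.snfc21.pacbell.net (HELO thams.net) (63.197.2.193)
  by mailgate.cesmail.net with SMTP; 7 Feb 2005 01:24:29 -0000
Received: from 63.197.2.193 ([61.37.234.42])
  by thams.net (8.12.8/8.12.8) with SMTP id j171OLPH029502
  for <karen@example.invalid>; Sun, 6 Feb 2005 17:24:22 -0800
Received: from yahoo.com (203.0.113.7) by mx.example.invalid with ESMTP;
  Mon, 07 Feb 2005 20:25:15 +0300
"""

RE_BY = re.compile(r"\bby\s+([^\s;]+)", re.I)
RE_IP = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?![\w.])")
RE_HELO_QMAIL = re.compile(r"\(HELO\s+([^)\s]+)\)", re.I)


@dataclass
class Hop:
    from_ip: str | None   # connecting client address as recorded by the receiving server
    helo: str | None      # name the client announced in HELO/EHLO
    by: str | None        # server that stamped this line
    raw: str


def unfold(headers: str) -> list[str]:
    """Join folded continuation lines (leading whitespace) back onto their header."""
    out: list[str] = []
    for line in headers.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.rstrip())
    return out


def parse_received(headers: str) -> list[Hop]:
    """Return Received: hops in header order, i.e. newest (last relay) first."""
    hops: list[Hop] = []
    for line in unfold(headers):
        name, _, value = line.partition(":")
        if name.strip().lower() != "received":
            continue
        value = value.strip()
        m_by = RE_BY.search(value)
        from_part = value[: m_by.start()] if m_by else value
        ips = RE_IP.findall(from_part)          # last IP before 'by' is the connecting address
        m_helo = RE_HELO_QMAIL.search(from_part)
        if m_helo:
            helo = m_helo.group(1)              # qmail style: (HELO name)
        elif from_part.lower().startswith("from "):
            helo = from_part.split()[1]         # sendmail style: from <helo> ([ip])
        else:
            helo = None
        hops.append(Hop(from_ip=ips[-1] if ips else None, helo=helo,
                        by=m_by.group(1).lower() if m_by else None, raw=value))
    return hops


def is_trusted(name_or_ip: str | None, trusted: set[str]) -> bool:
    """Exact match on an IP, or exact/suffix match on a domain, e.g. 'cesmail.net'."""
    if not name_or_ip:
        return False
    v = name_or_ip.lower()
    return any(v == t or v.endswith("." + t) for t in (t.lower() for t in trusted))


def find_source(headers: str, trusted: set[str]) -> tuple[str | None, list[str]]:
    """First sending IP that a trusted relay saw and that is not itself trusted."""
    warnings: list[str] = []
    for hop in parse_received(headers):
        if not is_trusted(hop.by, trusted):
            warnings.append(f"chain of trust broken at: {hop.raw}")
            break                                # nothing below this line can be believed
        ip = hop.from_ip
        if ip is None or ipaddress.ip_address(ip).is_private:
            continue                             # internal hand-off inside a trusted site
        if hop.helo and RE_IP.fullmatch(hop.helo) and hop.helo != ip:
            warnings.append(f"HELO is a bare IP ({hop.helo}) that differs from the connecting address {ip}")
        if is_trusted(ip, trusted):
            continue                             # a registered forwarder; keep walking
        return ip, warnings
    return None, warnings


if __name__ == "__main__":
    # Assumed configurations: only the SpamCop servers trusted, vs. the forwarder registered too.
    print(find_source(SAMPLE_HEADERS, {"cesmail.net"}))
    print(find_source(SAMPLE_HEADERS, {"cesmail.net", "thams.net", "63.197.2.193"}))
```

With only cesmail.net trusted the walk stops at the forwarder's connection and returns 63.197.2.193, the PacBell address the thread shows being reported; once thams.net and its IP are in the trusted set the walk continues one hop and returns 61.37.234.42, while also flagging that the forwarder wrote a bare IP into the HELO field. The fix for the original poster is therefore on the forwarder's side (register it as a mailhost, and have the relative's server stamp the client's real HELO and address), not in how the spam is reported.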

Wow - I thank you so very much. To me the header is all a foreign language. I know that the email gets from point A to point B and the header has something to do with it but that is the limit of my understanding. I will copy your notes and forward them on to my relative.

One last question (for now)...should I read up on the mailhosts forum for the thams.us? I am trying to be proactive to prevent further problems.

Thanks again!

