thams Posted February 7, 2005

I hope that someone at the Admin level can help me on this one. Here’s the problem…I have an email address that I use on my business cards, etc. That address (abc[at]xyz.com) is owned by one of my relatives. The abc[at]xyz.com is forwarded to another email address which I own (abc[at]xyz.us). The abc[at]xyz.us is forwarded to my spamcop.net email address for filtering and reporting of spam. I receive a lot of spam every day at the xyz.com address. I purchased the xyz.us address through GoDaddy. Yesterday GoDaddy blocked the xyz.com IP because of spam. I am assuming that because my email is routed from xyz.com to xyz.us to spamcop.net that xyz.com appears to be a player in the spam game.

I know that this is a long and confusing story, but here’s my question…Is there any way to prevent xyz.com from getting caught in the loop? Spamcop.net has not yet blocked xyz.com but I am afraid that is next. HELP PLEASE

Wazoo Posted February 7, 2005

Making assumptions while hiding any pertinent details is a losing game. There are a number of folks here that would more than likely be able to answer just about anything asked, but ....

As there doesn't seem to be a direct connection between your scenario and a SpamCop E-mail Account, moving this to the Lounge.

thams Posted February 7, 2005

"Making assumptions while hiding any pertinent details"

I am not making assumptions...I am asking questions. And I am not hiding anything...I am more than happy to supply details but you will have to guide me through what you need. Thank you.

Wazoo Posted February 7, 2005

Deleted posting that contained only a quoted copy of my last post

> I am not making assumptions...

> I am assuming that because my email is routed from xyz.com ......

I sure read that as "making an assumption" ..??? Nowhere in all of your description did you even suggest how GoDaddy may have received some data suggesting spam spew ..????

> I am asking questions. And I am not hiding anything...I am more than happy to supply details but you will have to guide me through what you need.

whois -h whois.godaddy.com xyz.com ...
Registered through: GoDaddy.com
Domain Name: XYZ.COM
Created on: 14-Mar-94
Expires on: 15-Mar-08
Last Updated on: 02-May-04
Administrative Contact: Galassi, Michael nerdgd <at> nerdy1.com
Mist, Oregon 97016

02/06/05 20:06:03 Slow traceroute XYZ.COM
Trace XYZ.COM (64.146.134.38) ...
204.119.1.222 RTT: 75ms TTL: 64 (pdxcolo-sawnet.saw.net ok)
64.146.134.38 RTT: 122ms TTL: 49 (XYZ.COM ok)

doesn't look like it's been 'whacked'

Checking server [whois.nic.us]
Domain Name: XYZ.US
Domain ID: D1779065-US
Sponsoring Registrar: TUCOWS INC.
Domain Status: ok
Registrant ID: TUMXXDW4FAUGWNQH
Registrant Name: Ben Gerber
Registrant Organization: Gerber
Registrant City: East Syracuse
Registrant State/Province: NY
Registrant Postal Code: 13057
Registrant Email: ben <at> vkinetic.com

Registration data doesn't match ... so let's try again with the 'hidden detail' thing ..

The only thing that can be offered at this point is an assumption, which of course, just opens up all kinds of possibilities that nothing offered will match up with the real details. Somewhere in all of your forwarding is a server that's not stamping the headers correctly.

So have you a sample of one of these e-mails that "you assume" is the reason GoDaddy whacked whatever site you are really talking about? So much easier to work with "real" data than wasting this time beating around the bush ....

thams Posted February 7, 2005

OK - let's try this again. 'abc[at]xyz.com' was my way of giving a fictitious example. If you are not interested in helping someone who is not as computer literate as you are then I will not waste your time. However, I will say that I am NOT blaming SpamCop. I am only trying to learn what has happened and how to prevent any further problem. I am a big advocate of SpamCop and want to find a way to avoid further problems when the intent is to get the spammer not the legit email provider.

If you are interested in helping me then you need to explain what it is that you need from me and I will do all that I can to provide that information. I will tell you that the email that is forwarded to me comes from thams.com and that the email that I forward to spamcop.net comes from thams.us. What else do you need? Do you need a full header from spam that I have received? Do you need something from the SpamCop Quick reporting data? Just let me know and I will do what is within my knowledge and ability. Thank you.

Miss Betsy Posted February 7, 2005

Have you signed up for mailhosts? If you have then, there should be no problem with spamcop reading the headers (unless as was suggested one of the forwarding servers is messing up the headers IIUC). Though if spamcop is not blocking it, then it doesn't seem to be something that you are doing by reporting spam.

Blocklists work on IP addresses, not domain names. The IP address that is being blocked is what is important. Since it is not being blocked by spamcop, it is not a spamcop problem. However, some people might take time to see if it is on other blocklists and maybe suggest why.

Perhaps I haven't understood what your problem is or what you want help with. It seems to me that if GoDaddy was the one blocking it, you should ask them.

Miss Betsy

Wazoo Posted February 7, 2005

> OK - let's try this again. 'abc[at]xyz.com' was my way of giving a fictitious example.

Thus my comment about (and time spent verifying) your "hidden data"

> If you are not interested in helping someone who is not as computer literate as you are then I will not waste your time.

I'm not sure why you want to start with "not wanting to help" when all that's been accomplished by my time spent thus far has been to push you into providing some factual data to work with. You are pushing all the wrong buttons thus far.

> However, I will say that I am NOT blaming SpamCop.

Only in this post (your fourth in this discussion including the one I deleted) do you possibly mention any SpamCop involvement - your suggestion of Quick-Report data.

> If you are interested in helping me then you need to explain what it is that you need from me and I will do all that I can to provide that information. I will tell you that the email that is forwarded to me comes from thams.com and that the email that I forward to spamcop.net comes from thams.us. What else do you need? Do you need a full header from spam that I have received?

The "if you are interested" remark is again the wrong button to be pushing .... peer-to-peer support is what this whole Forum thing is all about. Apparently, my query to this was not read in my last post ... the question asked, additional comment made - "So have you a sample of one of these e-mails that "you assume" is the reason GoDaddy whacked whatever site you are really talking about? So much easier to work with "real" data than wasting this time beating around the bush ...."

> Do you need something from the SpamCop Quick reporting data? Just let me know and I will do what is within my knowledge and ability.

Now that you bring Quick-Reporting into the picture, have you done any reading on the downside of Quick-Reporting? Have you noticed all the requests for putting a stop to all the "Quick-Report Detail" e-mails that no one wants to receive, yet it's pointed out that these need to be looked at so as to ensure that one is not reporting oneself? Have you been reading yours?

thams Posted February 7, 2005

OK - hopefully I am on the right track. If I understand correctly there is a method other than quick reporting that I need to look into. Is this in my settings? If so, then please guide me to that location and advise on the alternative. I am not familiar with all these settings and I need the guidance.

Also, Miss Betsy, can you explain mailhosts? This is all new to me and I appreciate your suggestions. I think you get the gist of the problem. I have email forwarded from thams.com to thams.us to spamcop.net. For some reason that no one can explain GoDaddy (thams.us, which is mine) blocked the IP for thams.com (which belongs to a relative of mine) due to spam. Thams.com is not the source of the spam; thams.com is forwarding all email to me at my request and a lot of it is spam which I have reported through SpamCop. GoDaddy is looking into it but I have not heard back from them. In the meantime I am trying to prevent further problems. I feel that SpamCop is an important service and want to make certain that I am not contributing to the problem in my attempt to report spam.

If this does any good, the following is from SpamCop Quick report data and after the header of a spam email. Hopefully you can help me understand how to read it –

Tracking URL: http://www.spamcop.net/sc?id=z729457252z7f...05dc27cf313f35z

Here is the header of an email currently sitting in my ‘Held mail’ box –

Return-Path: <oiivvsufgaes[at]hotmail.com>
Delivered-To: spamcop-net-thams <at> spamcop.net
Received: (qmail 15080 invoked from network); 7 Feb 2005 01:24:30 -0000
Received: from unknown (192.168.1.101)
  by blade2.cesmail.net with QMQP; 7 Feb 2005 01:24:30 -0000
Received: from adsl-63-197-2-193.dsl.snfc21.pacbell.net (HELO thams.net) (63.197.2.193)
  by mailgate.cesmail.net with SMTP; 7 Feb 2005 01:24:29 -0000
X-Apparently-Delivered-To: <karen <at> thams.com>
Received: from 63.197.2.193 ([61.37.234.42])
  by thams.net (8.12.8/8.12.8) with SMTP id j171OLPH029502
  for <karen <at> thams.com>; Sun, 6 Feb 2005 17:24:22 -0800
X-Message-Info: 91ekASsdhVCT280ZyN94T654VLypSHImujFphoHRrkh674F
Received: from yahoo.com (254.173.65.136) by oq161-hb47.yahoo.com with Microsoft SMTPSVC(2.4.2463.5625);
  Mon, 07 Feb 2005 20:25:15 +0300
Received: from yahoo.com (yahoo.com 50.204.208.182)
  by yahoo.com (8.12.10/8.12.9) with ESMTP id r914VBZ087
  for <karen <at> thams.com>; Mon, 07 Feb 2005 11:17:15 -0600 (EST)
  (envelope-from oiivvsufgaes[at]hotmail.com)
Received: from RCU5581708751 (modemcable8.300-52.mc.yahoo.com 16.16.188.101)
  (authenticated bits=0)
  by yahoo.com (8.12.10/8.12.9) with ESMTP id yjd765VZK7mss326
  for <karen <at> thams.com>; Mon, 07 Feb 2005 18:21:15 +0100 (EST)
  (envelope-from oiivvsufgaes[at]hotmail.com)
Message-ID: <5ln2r431$ji5ntu567ck21$1im0mg95[at]WNB65189244380342>
From: "Bridgette Silva" <oiivvsufgaes[at]hotmail.com>
To: <karen <at> thams.com>
Subject: REAL VALIUM,XANAX,DARVON,LEVITRA..SOMA..MUCH MORE......
Date: Mon, 07 Feb 2005 20:24:15 +0300
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--306674742839143"
X-spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on blade2.cesmail.net
X-spam-Level: ******************************************
X-spam-Status: hits=42.3 tests=BLANK_LINES_70_80,CONFIRMED_FORGED,
  DRUGS_ANXIETY,DRUGS_ANXIETY_EREC,DRUGS_DIET,DRUGS_DIET_OBFU,
  DRUGS_ERECTILE,DRUGS_ERECTILE_OBFU,DRUGS_MANYKINDS,DRUGS_MUSCLE,
  DRUGS_PAIN,DRUGS_PAIN_OBFU,DRUG_ED_CAPS,FORGED_HOTMAIL_RCVD,
  FORGED_RCVD_HELO,INVALID_TZ_EST,J_CHICKENPOX_65,MIME_BOUND_DD_DIGITS,
  RCVD_FAKE_HELO_DOTCOM,RCVD_HELO_IP_MISMATCH,RCVD_ILLEGAL_IP,
  RCVD_NUMERIC_HELO,SUBJECT_DRUG_GAP_L,SUBJECT_DRUG_GAP_S,
  SUBJECT_DRUG_GAP_VA,SUBJECT_DRUG_GAP_X,SUBJ_ALL_CAPS,UPPERCASE_25_50,
  URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL,X_MESSAGE_INFO version=3.0.0
X-SpamCop-Checked:
X-SpamCop-Disposition: Blocked SpamAssassin=42

----306674742839143
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable

Thanks!

Wazoo Posted February 7, 2005

Data search, update, problems ....

Both .com and .us resolve, .com has a web-site, .us says "coming soon" ... mentions that parking of the Domain is free ... but, I have no idea what's supposed to be there ... the problem is that it seems like the original problem description is in error ... perhaps doing the fictional thing got everything confused ..???

Wazoo Posted February 7, 2005

02/06/05 23:24:47 Slow traceroute thams.com
Trace thams.com (63.197.2.193) ...

dns16.register.com reports the following MX records:
Preference   Host Name        IP Address     TTL
10           mail.thams.com   63.197.2.193   3600

63.197.2.193 not listed in bl.spamcop.net

http://www.senderbase.org/?searchBy=ipaddr...ng=63.197.2.193
Volume Statistics for this IP
Magnitude Vol Change vs. Average
Last day ........ 1.8 .. -100%
Last 30 days .. 0.5 .. -100%
Average ........ 0.0
(very strange numbers there????)

http://openrbl.org/ip/63/197/2/193.htm
Lookup 63.197.2.193 (adsl-63-197-2-193.dsl.snfc21.pacbell.net) in 20+9 Zones
AS: 63.197.0.0/19 AS7132 Southwestern Bell Internet Servi Plano/Texas
Net 63.197.0-3 SBCIS62194 San Francisco, California
Results: Negative=28, Positive=0, Timeouts=1 (2005-02-07 05:49:13 UTC)

I hope you are confused, as I'm getting a bit ticked now ... there is no major evidence of anything substantial going on with thams.com based on the above ...

However ... after editing your last post (removing the first sample content to just leaving the Tracking URL .. then going further and being nice to karen and munging her address a bit) .. then going in and taking a look at your spam submittal/report and seeing that thams.net was involved there .... something not mentioned before .... are you involved with this Domain? (It is noted that the SpamCop parser tossed this line out as a forgery, but ..... in your "currently in the InBox", one sees the following lines;

Received: from adsl-63-197-2-193.dsl.snfc21.pacbell.net (HELO thams.net) (63.197.2.193)
  by mailgate.cesmail.net with SMTP; 7 Feb 2005 01:24:29 -0000)

02/06/05 23:52:54 Slow traceroute thams.net
Trace thams.net (207.111.252.230) ...

No MX records found for thams.net (at http://www.mxtoolbox.com/index.aspx)
2/6/2005 11:45:33 PM Central Standard Time

http://www.dnsreport.com/tools/dnsreport.ch?domain=thams.net
ERROR: I couldn't find any MX records for thams.net. If you want to receive E-mail on this domain, you should have MX record(s). Without any MX records, mailservers should attempt to deliver mail to the A record for thams.net. I can't continue in a case like this, so I'm assuming you don't receive mail on this domain.
ERROR: I could not find any mailservers for thams.net

Anyway, based on your samples, I again fail to see where GoDaddy would have received any notifies ... So, where I'm at now .... what have you got that says "GoDaddy blocked something" ...????

What I'm seeing is reason for PacBell to have issues with your reporting, further noting that neither example demonstrates your original "flow" of the several "forwards" .. or perhaps this is the problem I suggested before ... servers involved are not stamping the headers during their handling of the e-mail in question...???

(Yes, you have your account configured for the Mail-Host thing.)

thams Posted February 7, 2005

I do not own the thams.com so if there is a thams.net involved then you know more than I know. All I know is that GoDaddy is bouncing email from thams.us back to thams.com with the message "Reason: 553 63.197.2.193 - rejected due to spam". My telephone conversation with a tech at GoDaddy provided me the confirmation that too much spam came from the thams.com email address (IP) and that as a result GoDaddy has blocked the IP.

Would you be so kind as to explain some of the following:

> Volume Statistics for this IP
> Magnitude Vol Change vs. Average
> Last day ........ 1.8 .. -100%
> Last 30 days .. 0.5 .. -100%
> Average ........ 0.0
> (very strange numbers there????)

What are these numbers and why are they strange? Is it because they recently moved the thams.com server?

> are you involved with this URL? It is noted that the SpamCop parser tossed this line out as a forgery, but .....

What URL? The thams.us is mine, the thams.com is a relative's. I don't have any hands on the thams.com, its server, or anything else involved with it. I am just the lost individual who is trying to learn what is happening and how to avoid further problems. What is tossed as a forgery?

> ERROR: I couldn't find any MX records for thams.net. If you want to receive E-mail on this domain, you should have MX record(s). Without any MX records, mailservers should attempt to deliver mail to the A record for thams.net. I can't continue in a case like this, so I'm assuming you don't receive mail on this domain.
> ERROR: I could not find any mailservers for thams.net

What is a MX record? I receive email sent to thams.com and it is forwarded to thams.us. I don't know what is done with thams.net.

> Anyway, based on your samples, I again fail to see where GoDaddy would have received any notifies ... So, where I'm at now .... what have you got that says "GoDaddy blocked something" ...????

Let me know what else I can provide for you. I realize that this is confusing and that is why I came here and posted my question. I need help understanding what is going on, how to address it in a productive manner and how to prevent further problems. Am I using the wrong way of reporting the spam? Should I use a mailhost, as suggested by Miss Betsy? Thanks!

Wazoo Posted February 7, 2005

I'll wait until you edit your post a bit, after going back and re-reading my last ... it appears we were typing in data at the same time. 90% of your last questions currently deal with the thams.net Domain.

(and naturally, again I lied .. and kept right on typing ......)

> What are these numbers and why are they strange? Is it because they recently moved the thams.com server?

That's the only way I could see the massive increase in traffic, but followed by a -100% ... they found out it was blocked, so moved it to a different IP address ... which says absolutely nothing about whether the "real" problem was handled or not ...

> What is tossed as a forgery?

The parse results as seen in your Tracking URL sample. As you are asking, I'll make the guess that you don't have "show Technical Details" turned on, so you are probably not seeing the results. The line there with thams.net is tossed out as a forgery.

> What is a MX record? I receive email sent to thams.com and it is forwarded to thams.us. I don't know that is done with thams.net.

MX = Mail Exchange = Mail server .... I see what you are saying, but I have been pointing out what data is seen in the headers of your samples. I copied one line to point it out, noting that the IP address offered in that header line doesn't match the other data found when searching for data on thams.net .... and it was this line that showed receipt by the SpamCop (cesmail) e-mail server ......

And again, neither of your samples show what you just said. Perhaps you are picking the wrong examples of this forwarding / forwarding / forwarding ....

Wazoo Posted February 7, 2005

OK, worked the heck out of your "currently in the InBox" item ... ran that through the parser ... bottom line, you need to talk to your relative ..... here are the results, also bombing out due to the thams.net issue;

http://www.spamcop.net/sc?id=z729555934z0a...ffbcaa533b1dc4z

Received: from adsl-63-197-2-193.dsl.snfc21.pacbell.net (HELO thams.net) (63.197.2.193) by mailgate.cesmail.net with SMTP; 7 Feb 2005 01:24:29 -0000
63.197.2.193 found
host 63.197.2.193 = adsl-63-197-2-193.dsl.snfc21.pacbell.net. (cached)
adsl-63-197-2-193.dsl.snfc21.pacbell.net. is 63.197.2.193
Possible spammer: 63.197.2.193
Received line accepted

Received: from 63.197.2.193 ([61.37.234.42]) by thams.net (8.12.8/8.12.8) with SMTP id j171OLPH029502 for <karen <at> thams.com>; Sun, 6 Feb 2005 17:24:22 -0800
Possible untrusted IP in HELO name, removing: 63.197.2.193
Received: from x ([61.37.234.42]) by thams.net (8.12.8/8.12.8) with SMTP id j171OLPH029502 for <karen <at> thams.com>; Sun, 6 Feb 2005 17:24:22 -0800
61.37.234.42 found

The 'server' that is handling this thams.net thing is mis-stamping the incoming header line, thus kicking the parser back to the previous 'good' line, which then has you reporting PacBell, apparently your host/ISP/whatever .... (That being based on thams.com ... the thams.net Domain still being a critical question)

<incoming emergency phone call .... out of here for a bit>

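Added illustration, not part of any post in this thread and not SpamCop's actual parser: a simplified Received-chain check run over the two Received lines examined above. The trust rule (an older hop counts only if its "by" host resolves to the IP that handed the message to the newer hop) is an assumption made for this sketch; the DNS answers are the ones quoted in the thread, and `FIXED` is a hypothetical corrected stamp.

```python
import re

# Forward-DNS answers quoted in the thread, embedded so the example runs offline.
DNS = {
    "thams.net": "207.111.252.230",    # traceroute result in the thread
    "mail.thams.com": "63.197.2.193",  # MX lookup result in the thread
}

# The two Received lines from the thread's sample, newest first.
SAMPLE = [
    "from adsl-63-197-2-193.dsl.snfc21.pacbell.net (HELO thams.net) (63.197.2.193) "
    "by mailgate.cesmail.net with SMTP; 7 Feb 2005 01:24:29 -0000",
    "from 63.197.2.193 ([61.37.234.42]) by thams.net (8.12.8/8.12.8) with SMTP "
    "id j171OLPH029502 for <karen <at> thams.com>; Sun, 6 Feb 2005 17:24:22 -0800",
]

# Hypothetical corrected stamp: the relay names itself with a host that
# resolves to the IP it actually sends from.
FIXED = [SAMPLE[0], SAMPLE[1].replace("by thams.net", "by mail.thams.com")]

IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")  # IP recorded by the receiver
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")              # host that wrote the line


def parse_hop(line):
    """Return (connecting_ip, by_host) for one Received line, or None."""
    ip, by = IP_RE.search(line), BY_RE.search(line)
    if not ip or not by:
        return None
    return ip.group(1), by.group(1).lower()


def find_source(received, trusted_by, dns=DNS):
    """Walk hops newest-first and return (source_ip, notes).

    The first hop must be stamped by our own trusted server. Each older hop
    is believed only if its 'by' host resolves to the IP that delivered the
    previous hop; otherwise the walk stops and the last accepted IP stands.
    """
    source, expected_ip, notes = None, None, []
    for line in received:
        hop = parse_hop(line)
        if hop is None:
            notes.append("unparsable line, stopping")
            break
        ip, by = hop
        ok = (by == trusted_by) if expected_ip is None else (dns.get(by) == expected_ip)
        if not ok:
            notes.append(f"rejected: 'by {by}' is not the host expected at this hop")
            break
        notes.append(f"accepted: {ip} handed the message to {by}")
        source = expected_ip = ip
    return source, notes


if __name__ == "__main__":
    for label, chain in (("as stamped", SAMPLE), ("corrected stamp", FIXED)):
        src, notes = find_source(chain, "mailgate.cesmail.net")
        print(label, "->", src)
        for note in notes:
            print("   ", note)
```

With the headers as stamped, the walk stops at the forwarding relay's own address; with a stamp that matches the relay's sending IP, it continues one hop further back.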
thams Posted February 7, 2005

Wow - I thank you so very much. To me the header is all a foreign language. I know that the email gets from point A to point B and the header has something to do with it but that is the limit of my understanding. I will copy your notes and forward them on to my relative.

One last question (for now)...should I read up on the mailhosts forum for the thams.us? I am trying to be proactive to prevent further problems. Thanks again!

This topic is now archived and is closed to further replies.