Jump to content

Reporting myself -- bug in spamcop?


fadden

Recommended Posts

I got a phone call an hour ago from my ISP, concerned that I was relaying spam. This seemed unlikely, given my configuration, but anything is possible these days.

It turns out that I probably quick-reported myself. I'm still trying to figure out how. I hold on to most mail sent to my domain, but there are a couple of addresses "invented" by clumsy spammers, so I forward those addresses directly to spamcop. My procmail scri_pt does spamassassin processing first, and adds an X-Loop header to avoid nastiness before forwarding.

For some reason this report found me instead of the spammer. The 192.168.100.8 address is the internal IP address for the web server; I don't know what 192.168.1.103 is. 209.204.141.120 is my external address. My procmail log shows the message arriving at the time shown.

This could possibly be a problem with the mailhosts stuff, but (a) my configuration hasn't changed in any way, and (B) I'm reporting about 50 of these a day, and it hadn't failed until now. I tagged a couple just now and queued them up for reporting, and it didn't identify me as a culprit.

I have to assume there's a bug in the spamcop reporting engine. Unfortunately, I don't have access to the full original message, so I can't identify what it is about this spam that is unusual. The report ID# is 1370636848. My best guess is that the 192.168.1.103 host caused the problem, but based on its position in the mail header I would guess that site is internal to spamcop.

Help?

- Andy

Return-Path: <dawnmaod[at]usa.net>

Delivered-To: x

Received: (qmail 7243 invoked from network); 28 Feb 2005 07:51:59 -0000

Received: from unknown (192.168.1.103)

by blade6.cesmail.net with QMQP; 28 Feb 2005 07:51:59 -0000

Received: from 209-204-141-120.dsl.static.sonic.net (HELO webby.localdomain) (209.204.141.120)

by mailgate2.cesmail.net with SMTP; 28 Feb 2005 07:51:59 -0000

Received: (qmail 9215 invoked by uid 1000); 28 Feb 2005 07:52:26 -0000

Message-ID: <2005_________________mail[at]webby.localdomain>

MBOX-Line: From dawnmaod[at]usa.net Mon Feb 28 07:52:22 2005

Delivered-To: x

Received: (qmail 9203 invoked from network); 28 Feb 2005 07:52:21 -0000

Received: from unknown (HELO usa.net) (barehlo[at]193.138.194.61)

by 192.168.100.8 with SMTP; 28 Feb 2005 07:52:21 -0000

From: <dawnmadt[at]usa.net>

To: <x>

Subject: [spam:16.2] At first I was hesistant, Not anymordt

Date: Mon, 28 Feb 2005 15:44:21 -0500

Mime-Version: 1.0

Content-Type: text/plain; charset=us-ascii

X-spam-Prev-Subject: At first I was hesistant, Not anymordt

X-Loop: fadden[at]spamcop.net

X-spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on blade6

X-spam-Level: *************

X-spam-Status: hits=13.7 tests=DATE_IN_FUTURE_12_24,DRUGS_ERECTILE,

DRUGS_ERECTILE_OBFU,FORGED_RCVD_HELO,J_CHICKENPOX_12,J_CHICKENPOX_14,

MSGID_FROM_MTA_HEADER,NO_REAL_NAME,RCVD_BY_IP,URIBL_AB_SURBL,

URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL version=3.0.0

X-SpamCop-Checked:

[message body]

Link to comment
Share on other sites

I reparsed it as a test without Mailhosts to get Tracking URL http://www.spamcop.net/sc?id=z737339641z3c...a60a2e6097bf06z with the following pertinent results:

Received:  from unknown (HELO usa.net) (barehlo[at]193.138.194.61) by 192.168.100.8 with SMTP; 28 Feb 2005 07:52:21 -0000

Bogus IP in HELO removed: 193.138.194.61

Received: from unknown (HELO usa.net) (barehlo[x.x.x.x] by 192.168.100.8 with SMTP; 28 Feb 2005 07:52:21 -0000

192.168.100.8 found

host 192.168.100.8 (getting name) no name

...

192.168.100.8 discarded

Tracking message source: 209.204.141.120:

There are a number of problems here, which appear to have combined to cause SpamCop's Parser to discard its Received Header Line:
  • Your mailserver is recording the IP Address connecting to it in a rather unusual format (no brackets, and what is "barehlo"?).
  • Your mailserver doesn't record its own name in its Received Header Line.
  • Your mailserver is calling itself webby.localdomain (not a proper FQDN) when connecting to mailgate2.

Link to comment
Share on other sites

  • Your mailserver is recording the IP Address connecting to it in a rather unusual format (no brackets, and what is "barehlo"?).
  • Your mailserver doesn't record its own name in its Received Header Line.
  • Your mailserver is calling itself webby.localdomain (not a proper FQDN) when connecting to mailgate2.

I'm using stock qmail, which I believe implements a correct interpretation of the mail RFCs. I have no idea where it pulls "barehlo" from; maybe something from the SMTP transaction?

"webby.localdomain" is a valid local hostname. I can type "ping webby.localdomain" and it busily pings itself. It doesn't have an FQDN because I'm not running DNS for internal hosts. I would hope that my IP address would be more interesting than the name.

At any rate, all of the above statements hold true for the last few thousand pieces of spam that I have reported, and this is the first one that has reacted this way. I've been quick-reporting spam this way for months. Nothing has changed in my qmail or procmail/formail configurations.

*Something* about this message was different. It would be helpful to have the unmodified original headers. Does spamcop archive these, or just the mangled version?

Link to comment
Share on other sites

Here's a test I just tried. I took an older spam from the 23rd, added 5 to the dates, and sent it off to spamcop with a sendmail command, just like procmail would. The original (with hand edits) looks like this:

From BRCRTEHYBOPKKB[at]city2city.com Wed Feb 28 13:23:51 2005

Return-Path: <BRCRTEHYBOPKKB[at]city2city.com>

Delivered-To: x-x-x[at]x.com

Received: (qmail 3284 invoked from network); 28 Feb 2005 13:23:51 -0000

Received: from rrcs-24-153-253-16.sw.biz.rr.com (zrkaipnf[at]24.153.253.16)

by 192.168.100.8 with SMTP; 28 Feb 2005 13:23:51 -0000

Language: English

Conversion: Prohibited

Alternate-Recipient: Allowed

Content-Class: urn:content-classes:message

Sensitivity: 1

Reply-To: "Jade Adams" <BRCRTEHYBOPKKB[at]city2city.com>

From: "Jade Adams" <BRCRTEHYBOPKKB[at]city2city.com>

To: x[at]x.com

Subject: [spam:23.8] Long time no see!^M

Date: Thu, 24 Feb 2005 10:22:25 +0600

MIME-Version: 1.0

Content-Type: multipart/alternative;

boundary="--2668161153933277736"

X-spam-Prev-Subject: Long time no see!^M

X-spam-Flag: YES

X-spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on webby.localdomain

X-spam-Level: ***********************

X-spam-Status: Yes, score=23.8 required=5.0 tests=DATE_IN_FUTURE_12_24,

HELO_DYNAMIC_IPADDR,HTML_60_70,HTML_IMAGE_ONLY_08,HTML_MESSAGE,

HTML_MIME_NO_HTML_TAG,INFO_TLD,MIME_BOUND_DD_DIGITS,MIME_HTML_ONLY,

MIME_HTML_ONLY_MULTI,MPART_ALT_DIFF,RCVD_BY_IP,RCVD_IN_BL_SPAMCOP_NET,

RCVD_IN_DSBL,RCVD_IN_NJABL_PROXY,RCVD_IN_XBL,TRACKER_ID

autolearn=unavailable version=3.0.0

----2668161153933277736

blah

----2668161153933277736--

I pulled it out of my "held" box and queued it for reporting. Here's how it is shown on the reporting page:

From BRCRTEHYBOPKKB[at]city2city.com Wed Feb 28 13:23:51 2005

Return-Path: <BRCRTEHYBOPKKB[at]city2city.com>

Delivered-To: x

Received: (qmail 3284 invoked from network); 28 Feb 2005 13:23:51 -0000

Received: from rrcs-24-153-253-16.sw.biz.rr.com (zrkaipnf[at]24.153.253.16)

by 192.168.100.8 with SMTP; 28 Feb 2005 13:23:51 -0000

Language: English

Conversion: Prohibited

Alternate-Recipient: Allowed

Content-Class: urn:content-classes:message

Sensitivity: 1

Reply-To: "Jade Adams" <BRCRTEHYBOPKKB[at]city2city.com>

From: "Jade Adams" <BRCRTEHYBOPKKB[at]city2city.com>

To: x

Subject: [spam:23.8] Long time no see!

Date: Thu, 24 Feb 2005 10:22:25 +0600

MIME-Version: 1.0

Content-Type: multipart/alternative;

boundary="--2668161153933277736"

X-spam-Prev-Subject: Long time no see!

X-spam-Flag: YES

X-spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on webby.localdomain

X-spam-Level: ***********************

X-spam-Status: Yes, score=23.8 required=5.0 tests=DATE_IN_FUTURE_12_24,

HELO_DYNAMIC_IPADDR,HTML_60_70,HTML_IMAGE_ONLY_08,HTML_MESSAGE,

HTML_MIME_NO_HTML_TAG,INFO_TLD,MIME_BOUND_DD_DIGITS,MIME_HTML_ONLY,

MIME_HTML_ONLY_MULTI,MPART_ALT_DIFF,RCVD_BY_IP,RCVD_IN_BL_SPAMCOP_NET,

RCVD_IN_DSBL,RCVD_IN_NJABL_PROXY,RCVD_IN_XBL,TRACKER_ID

autolearn=unavailable version=3.0.0

(I didn't actually report it, since it's five days old.)

In case it's hard to see in the forum: what spamcop is showing on the analysis page -- which correctly identified roadrunner as the culprit -- is essentially identical to the original. Unlike the problematic message, the activity inside spamcop's network isn't shown. The elements identified as questionable by the previous reply are present, except for the webby.localdomain "HELO", which is gone because spamcop removed the forwarding info.

This reinforces my opinion that the earlier problem was the result of a spamcop.net internal error. It failed to remove the mail forwarding header, and parsed it as being the spam source. What I'd like to figure out is whether this was a temporary configuration glitch or something that will happen whenever a smiliarly-formatted message is sent through the system.

As a first-order sanity check, can someone from spamcop's admin team identify 192.168.1.103 as a valid internal address? (Do admins read this, or is it strictly peer-to-peer?)

- Andy

Link to comment
Share on other sites

192.168.1.103 appears to be the unnamed address of the internal interface of the new mailserver mailgate2.cesmail.net. There appears to have been a lack of communication between various functions within the two SpamCop enterprises which caused this sub-issue. I hope it will be addressed soon.

Another data point is that 193.138.194.61 does not currently pass paranoid dns checking - it authoritatively reverses as the authoritatively nonexistent 193-138-194-61.teentelecom.ro. Is your qmail supposed to be doing rdns checks when putting together its Received Header Line?

Thanks!

Link to comment
Share on other sites

Another data point is that 193.138.194.61 does not currently pass paranoid dns checking - it authoritatively reverses as the authoritatively nonexistent 193-138-194-61.teentelecom.ro.  Is your qmail supposed to be doing rdns checks when putting together its Received Header Line?

24917[/snapback]

A typical "received" line from qmail looks like this:

Received: from slip-12-64-134-219.mis.prserv.net (HELO hials.no) (12.64.134.219)

by 192.168.100.8 with SMTP; 28 Feb 2005 18:08:09 -0000

As opposed to the "Received: from unknown (HELO ..." earlier. So it's doing reverse DNS, and checking the result, but not using the result as a spam filter. (I don't use block lists -- I have an ongoing experiment blocking China and Korea by IP address, so I flip through a lot of stuff manually.)

The domain file for 193.138.* (http://www.whois.sc/193.138.194.61) shows it was updated earlier this month. Maybe the ownership changed and they failed to update their reverse DNS?

- Andy

Link to comment
Share on other sites

This reinforces my opinion that the earlier problem was the result of a spamcop.net internal error. It failed to remove the mail forwarding header, and parsed it as being the spam source. What I'd like to figure out is whether this was a temporary configuration glitch or something that will happen whenever a smiliarly-formatted message is sent through the system.

As a first-order sanity check, can someone from spamcop's admin team identify 192.168.1.103 as a valid internal address? (Do admins read this, or is it strictly peer-to-peer?)

I am not technically fluent so I didn't answer before. I thought that mailhosts was designed to prevent self reporting when there was a temporary glitch (the connection timed out when spamcop looked up the data on the IP address - which happened to me and which is why I won't use quick reporting). So I would think that it is a temporary glitch that slipped by the mailhosts. JeffG thinks that it could be an internal glitch that is being worked on (IIUC) and that possibly your mailhosts configuration has changed.

Admins do read the forum, but on a sporadic basis. Usually, the peer to peer discussion produces quicker answers, or if there is a glitch that admin needs to know about, the resulting data from the discussion gives them more to go on to fix the problem. For instance, if you get the rDNS fixed and the problem does not recur, then that was the 'glitch'. If it continues, then it points to some other problem and spamcop can start to fix it whereas if you had contacted admin directly, that step would still have had to been done.

And if I have misunderstood the technical part, JeffG or StevenUnderwood or Wazoo or someone else will correct it.

Miss Betsy

Link to comment
Share on other sites

  • 2 weeks later...

I have a rather different problem, in that it keeps coming up with my ip (note: I pick up mail directly into outlook from my own and my home isp's servers) and trying to report me to my isp! A quick check reveals the ip that spamcop's come up with is the ip that I'm using at that time. Now either I've been spamming myself in my sleep again, or there's an error somewhere :P

Link to comment
Share on other sites

I have the exact same problem, except that I have no mail servers of any kind at home (where spamcop's picked up my dynamic ips when I've reported mail several time) Just me and outlook :angry:

I download mail, report spam and then when I click to finish my ip is listed :(

Link to comment
Share on other sites

I have a rather different problem, in that it keeps coming up with my ip (note: I pick up mail directly into outlook from my own and my home isp's servers) and trying to report me to my isp! A quick check reveals the ip that spamcop's come up with is the ip that I'm using at that time. Now either I've been spamming myself in my sleep again, or there's an error somewhere  :P

25318[/snapback]

Please post a Tracking URL and let us know what mail server software you're running. Thanks!
Link to comment
Share on other sites

I have the exact same problem, except that I have no mail servers of any kind at home (where spamcop's picked up my dynamic ips when I've reported mail several time) Just me and outlook  :angry:

I download mail, report spam and then when I click to finish my ip is listed :(

Tracking URL? MailHost configuration performed on your reporting accounts? Applications used amd what mechanisms used to submit your spam for parsing?

NOTE: found another posting from Neo and a response from Jeff G. in another discussion that actually was discussing another problem ... split those two posts out from that Topic and moved/Merged them into this one ... thus the apparent duplication of problem and responses now showing 'here'

Link to comment
Share on other sites

Please post a Tracking URL and let us know what mail server software you're running.  Thanks!

25321[/snapback]

I'm not running mail server (or rather I am, but in an unrelated aspect - I run a small webhosting biz and do pick up mail from there, but at home I just pick up mail direct to outlook and relay via my home isp or my biz mail server).

Next time I come across it I will indeed post the URL. (or is there a way to check report history?)

Mail sent to a, b or c address and received via MX [at] biz address (sendmail 8.13.3)

I pick up using outlook express 6.0

If it's spam I forward as attachment to reportin address using outlook express (relayed either using home isp smtp - exim - smtp.tiscali.co.uk or own biz server - sendmail, depending on address)

Link received using outlook express from above mailserver (sendmail) and opened in ie 6 - my home (dynamic) ip appears as spam source.

Note biz mail server is remote :)

Link to comment
Share on other sites

Mail sent to a, b or c address and received via MX [at] biz address (sendmail 8.13.3)

I pick up using outlook express 6.0

If it's spam I forward as attachment to reportin address using outlook express (relayed either using home isp smtp - exim - smtp.tiscali.co.uk or own biz server - sendmail, depending on address)

Link received using outlook express from above mailserver (sendmail) and opened in ie 6 - my home (dynamic) ip appears as spam source.

Note biz mail server is remote :)

25360[/snapback]

have you been through the mailhiosts procedure with both tiscali and the biz mail server?

Link to comment
Share on other sites

have you been through the mailhiosts procedure with both tiscali and the biz mail server?

25372[/snapback]

You'll find a mention in another thread - despite numerous mentions of mailhosts, I can't find an actual config link anywhere - can someone point me in the right direction? (a url would be nice)

Link to comment
Share on other sites

You'll find a mention in another thread - despite numerous mentions of mailhosts, I can't find an actual config link anywhere - can someone point me in the right direction? (a url would be nice)

25411[/snapback]

Mailhosts now found and fixed (I was logging into ISP account for receiving reports related to my bus. ips)

Captain, I think we have a live one

http://www.spamcop.net/sc?id=z740468117z05...b486268ac3e948z

Incidentally in response to above, Tiscali smtp will never appear for any of my email addresses in mailhosts - I don't use any kind of tiscali mail address, merely relay outgoing when at home. No idea how my own ip would have gotten into incoming headers either...

Incidentally, looking at spamassassin headers in mailhosts mail - looks like spamcop itself is listed in rfc-ignorant.org somewhere...

Edit: http://www.rfc-ignorant.org/tools/lookup.p...ain=spamcop.net

http://www.rfc-ignorant.org/tools/lookup.p...gid.spamcop.net

Link to comment
Share on other sites

Incidentally in response to above, Tiscali smtp will never appear for any of my email addresses in mailhosts - I don't use any kind of tiscali mail address, merely relay outgoing when at home. No idea how my own ip would have gotten into incoming headers either...

Are you saying that (dsl-80-44-133-135.access.as9105.com [80.44.133.135]) is your own IP address?

This message seems like a spam submission of a message (Subject: Jeanie) that you have sent to your self (To: "Spamcop" x) then reported that message when it was received. Do you use some sort of system to automatically submit your spam. Please check the address that that software is using. It should be submit.<some 16 character code>[at]spam.spamcop.net, not your spamcop email address.

Link to comment
Share on other sites

Incidentally, looking at spamassassin headers in mailhosts mail - looks like spamcop itself is listed in rfc-ignorant.org somewhere...

Yes ... the obvious problems with trying to actually use the RFC compliant postmaster, hostmaster, or even abuse should be easy to see for this type of actuvity .. on the other hand, e-mail sent to those addresses gets a response that identifies other actual addresses to use for different situarions. So they do work in a fashion, but outside the guidelines for this other BL listing.

Link to comment
Share on other sites

Are you saying that (dsl-80-44-133-135.access.as9105.com [80.44.133.135]) is your own IP address?

This message seems like a spam submission of a message (Subject: Jeanie) that you have sent to your self (To: "Spamcop" x) then reported that message when it was received.  Do you use some sort of system to automatically submit your spam.  Please check the address that that software is using.  It should be submit.<some 16 character code>[at]spam.spamcop.net, not your spamcop email address.

25416[/snapback]

No, email received in outlook (via normal non -spamcop address straight from ISP) and then forwarded as attachment to submit.<some 16 character code>[at]spam.spamcop.net.

I noticed another one last night, unfortunately after I'd reported myself :huh:

Link to comment
Share on other sites

No, email received in outlook (via normal non -spamcop address straight from ISP) and then forwarded as attachment to submit.<some 16 character code>[at]spam.spamcop.net.

I noticed another one last night, unfortunately after I'd reported myself  :huh:

Playing catch-up tight now and in the middle of some other things, but ... Forwarding as an attachment via Outlook just isn't going to work .....

Link to comment
Share on other sites

OK, went back through this Topic and see that Neo said elsewhere that OE6 was in use .... However, Neo also knows about Tracking URLs .. and none were provided in the last post so "we" could see the self-reporting issue involved .. a bit odd in that Neo also stated that MailHost configuration had been acccomplished successfully ..???

Link to comment
Share on other sites

OK, Perhaps it should be...

Forwarding as an attachment via Outlook just isn't going to work for some configurations .....

Outlook in certain configurations (with Exchange???) does not store the internet headers at all, so there is no way to report further than the local configuration/

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...