
"Identified internal IP as source" for spam received by my personal email server



I've got a personal email server (named enchanter.net) that I recently migrated to Exim. I used SpamCop's Mailhosts tab to send me a test email and then I gave it back to SpamCop so that it knows about my mailhost; but still, there are two messages in my Junk mail folder that tell me "Mailhost configuration problem, identified internal IP as source" when I try to submit them to SpamCop.

Here are the headers from one of them (the other one is similar, and I edited out the long signatures):

Return-path: <info@themailertools.com>
Envelope-to: brian@enchanter.net
Delivery-date: Wed, 26 Aug 2020 19:15:42 -0400
Received: from themailertools.com ([106.75.103.146])
	by www with esmtps  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.93)
	(envelope-from <info@themailertools.com>)
	id 1kB4dp-000XhP-Ex
	for brian@enchanter.net; Wed, 26 Aug 2020 19:15:42 -0400
DKIM-Signature: ...
DomainKey-Signature: ...
Reply-To: <908618401@qq.com>
Message-ID: <20200827071535733026@themailertools.com>
From: "unlimited smtp seller" <info@themailertools.com>
To: <brian@enchanter.net>
Subject: Re:quality SMTP for bulk mailing/fresh office 365 emails
Date: Thu, 27 Aug 2020 07:15:30 +0800
MIME-Version: 1.0
Content-Type: text/html;
	charset="utf-8"
Content-Transfer-Encoding: base64
X-mailer: Jxxflinct 0

What does "identified internal IP as source" mean here? The only IP in the headers is 106.75.103.146, and that's in China.

I admit it's entirely possible that I set up my Exim server incorrectly, but what did I do wrong?

 


1 hour ago, Brian Kendig said:

What does "identified internal IP as source" mean here? The only IP in the headers is 106.75.103.146, and that's in China.

I admit it's entirely possible that I set up my Exim server incorrectly, but what did I do wrong?

 

Showing a "SpamCop tracking URL" would help
The only IP shown is a Chinese Botnet, You Chinese?
https://www.abuseat.org/lookup.cgi?ip=106.75.103.146


11 hours ago, Brian Kendig said:

216.53.249.115.

https://www.spamcop.net/sc?id=z6647673526z717f1b3f9f3bda2be59f7a5a44fe732ez
Not stamping received IP only and only the from  Botnet IP
Your email server test
https://mxtoolbox.com/SuperTool.aspx?action=smtp%3a216.53.249.115&run=toolpage

Here is an older spam I parsed, the spammer is faking an Amazon IP but SpamCop picks it up
https://www.spamcop.net/sc?id=z6646871784z9df15b8889614b273871f0e99d31a66fz

Edited by petzl

petzl - I appreciate your help but I don't understand what that means.

Yes, my spam is from a Chinese botnet IP, but what do you mean by "Not stamping received IP only"? Is that a problem on my end?

As for my email server test - looks like it checks out okay except for reverse DNS on my server. That's because my ISP's DNS apparently takes precedence over the nameserver I chose for my domain. I don't think that can be fixed, but it's not a factor here, is it?

Your example shows SpamCop handling your spam correctly, but I still don't understand what "identified internal IP as source" means for mine.

 


On 8/29/2020 at 12:53 PM, Brian Kendig said:

"Not stamping received IP only"? Is that a problem on my end?

Your email server needs to stamp its own IP (216.53.249.115) as well as the sending IP.
The only IP it shows is the "From" IP.
106.75.87.56.
This needs fixing 
More Information About Smtp Banner Check
The SMTP banner issued by your email server did not contain the hostname we resolved for your server’s IP address.

This also needs fixing (ask your ISP) as many services will discard email from you
More Information About Smtp Reverse Dns Mismatch
The forward lookup (A) of the hostname hostname did not match the reverse lookup (PTR) for the IP Address. 
Example of a correctly matching pair of records:
(A) lookup for smtp.mxtoolbox.com resolves to 208.123.79.38
(PTR) lookup for 208.123.79.38 reverses to smtp.mxtoolbox.com

 

Edited by petzl

Aha, you're saying that your example spam message has "Received: by" with a numeric IP address, while my spam headers have "Received: by www" with no IP. I'll look into how to get Exim to put my external IP address there and have it show 'enchanter.net' instead of 'www'. (It's probably a matter of editing Exim's received_header_text setting, though I'm surprised the IP address isn't appearing by default.) Thank you!

As for reverse DNS, I don't know if I can do anything about that because I'm using FreeDNS to resolve my hostname, but IP to hostname conversion is being handled by my ISP. I'll need to ask them if they'll fix it on their end, but they might not want to be bothered.

Thank you for your help!


No success yet. I submitted spam with this header, which includes my FQDN and IP address:

Received: from net-mkting.com ([106.75.87.56])
	by www.enchanter.net (216.53.249.115) with esmtps  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.93)
	(envelope-from <sales@net-mkting.com>)
	id 1kCAPa-0001f8-Pi
	for brian@enchanter.net; Sat, 29 Aug 2020 19:37:31 -0400

but SpamCop still says "Mailhost configuration problem, identified internal IP as source". (https://www.spamcop.net/sc?id=z6647849203zdc6a9633e3bd43a0c4fc48a74c4b0f42z)

I just don't understand what it thinks is an "internal IP" that's being used as a "source."

Edit: aha, when I remove my FQDN and just say "by 216.53.249.115", then SpamCop accepts it, interesting...

Edited by Brian Kendig

1 hour ago, Brian Kendig said:

Edit: aha, when I remove my FQDN and just say "by 216.53.249.115", then SpamCop accepts it, interesting...

Sounds like you have it. You may be able to put "www.enchanter.net" after the IP?


13 hours ago, Brian Kendig said:

Edit: aha, when I remove my FQDN and just say "by 216.53.249.115", then SpamCop accepts it, interesting...

I wonder if SpamCop might be having problems with the IP of the receiving server too. If you change it to the following, it will probably work. It may only want one entry for the receiving host.

by www.enchanter.net with esmtps

"by www.enchanter.net with esmtps" still gives me the "Mailhost configuration problem, identified internal IP as source" / "No source IP address found, cannot proceed" error.

"by 216.53.249.115 (www.enchanter.net) with esmtps" also gives me the same error.

"by 216.53.249.115 with esmtps" also isn't working for me on another message, now. Same error.

I'm perplexed - I no longer seem to be able to report any spam for my mail server. Not a critical issue, of course, but I wonder what's going on. I don't see other servers needing to put their IP address into their Received header.

 

Edited by Brian Kendig

Aha. I think I've figured it out.

A few days ago, on the Mailhosts tab, I had set up the entry for my server by having SpamCop send me an email and then I copy/pasted it with full headers back into SpamCop's form. This created the Mailhosts entry - but the "Hosts/Domains" pulldown menu for it was empty. This was before I had put the FQDN into the email headers, so my server was only identifying itself with its local name, "www". I think this confused SpamCop.

Yesterday I fixed my mail server to put its FQDN into its email headers.

And just now I deleted that Mailhosts entry and created it again the same way - only, now the "Hosts/Domains" pulldown menu lists "www.enchanter.net" and "enchanter.net".

I resubmitted this morning's spam, and SpamCop was able to handle it with no problem. Thank you both for your help!

tl;dr: If the mail server doesn't put its FQDN into its Received header, then SpamCop's Mailhosts setup won't be able to read the domain name, and SpamCop will reject spam reports for that server with the "identified internal IP as source" error.

Edited by Brian Kendig
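
Added example, not part of the thread and not SpamCop's own parser: a local pre-check, following the conclusion above, that reads the topmost Received header and reports whether the receiving server named itself with an FQDN in the "by" clause. The function names are hypothetical, the domain list is assumed to mirror the Mailhosts "Hosts/Domains" entries, and the two sample headers are the ones quoted in the thread (the second abridged).

```python
import re

# "from <helo> ([ip])" and "by <host>" clauses of an Exim-style Received header.
FROM_RE = re.compile(r"\bfrom\s+(\S+)\s+\(\[([0-9a-fA-F.:]+)\]\)")
BY_RE = re.compile(r"\bby\s+(\S+)")

def unfold(header):
    """Join folded continuation lines into one logical header line."""
    return re.sub(r"\r?\n[ \t]+", " ", header.strip())

def is_fqdn(name):
    """True for a dotted hostname; False for a short local name or an IPv4 literal."""
    labels = name.rstrip(".").split(".")
    if len(labels) < 2 or all(lab.isdigit() for lab in labels):
        return False
    label_re = r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
    return all(re.fullmatch(label_re, lab) is not None for lab in labels)

def check_received(header, mailhost_domains):
    """Summarise what the 'from' and 'by' clauses of one Received header expose."""
    line = unfold(header)
    m_from, m_by = FROM_RE.search(line), BY_RE.search(line)
    by_host = m_by.group(1) if m_by else None
    fqdn = bool(by_host) and is_fqdn(by_host)
    known = fqdn and any(by_host == d or by_host.endswith("." + d)
                         for d in mailhost_domains)
    return {
        "source_ip": m_from.group(2) if m_from else None,
        "by_host": by_host,
        "by_is_fqdn": fqdn,
        "by_matches_mailhost": known,
    }

# Header from the first post: the server identifies itself only as "www".
BEFORE = """Received: from themailertools.com ([106.75.103.146])
\tby www with esmtps  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
\t(Exim 4.93)
\t(envelope-from <info@themailertools.com>)
\tid 1kB4dp-000XhP-Ex
\tfor brian@enchanter.net; Wed, 26 Aug 2020 19:15:42 -0400"""
# Header from the later post (abridged): FQDN now present in the "by" clause.
AFTER = """Received: from net-mkting.com ([106.75.87.56])
\tby www.enchanter.net (216.53.249.115) with esmtps  (TLS1.2)
\t(Exim 4.93)
\tfor brian@enchanter.net; Sat, 29 Aug 2020 19:37:31 -0400"""

if __name__ == "__main__":
    for label, hdr in (("before", BEFORE), ("after", AFTER)):
        print(label, check_received(hdr, ["enchanter.net"]))
```

Running the check on a freshly delivered test message before re-creating the Mailhosts entry shows whether the header already carries the FQDN that the entry needs.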