[Resolved] Parser Curiosity


agsteele

I'm in the process of moving my mail servers to a new location and have only just reconfigured the mailhosts for my domain/Email address.

So I was not entirely surprised to find a handful of legitimate messages caught in my held mail since the ip addresses didn't match with the held mail.

However, on closer inspection it appears that the parser grabbed my new ip (212.69.206.38) in preference to the originating ip :(

Here's the headers. Do we think this is correct parsing or should 132.76.72.216 have been identified?

Andrew

Return-Path: <JXUJSW[at]netscape.net>
Delivered-To: spamcop-net-x
Received: (qmail 4380 invoked from network); 26 Jul 2005 01:20:14 -0000
Received: from unknown (192.168.1.103)
 by blade2.cesmail.net with QMQP; 26 Jul 2005 01:20:14 -0000
Received: from smtp-relay02.x-mailer.co.uk (212.69.217.31)
 by mailgate2.cesmail.net with SMTP; 26 Jul 2005 01:20:14 -0000
Received: from [212.69.206.38] (helo=netwo-45832-001.dsvr.co.uk)
       by smtp-relay02.x-mailer.co.uk with esmtp id 1DxE7B-0002kc-Py
       for x; Tue, 26 Jul 2005 02:20:13 +0100
Received: from [221.200.185.181] (helo=212.69.206.38)
       by netwo-45832-001.dsvr.co.uk with smtp (Exim 4.43)
       id 1DxE78-0000c7-Rt
       for x; Tue, 26 Jul 2005 02:20:13 +0100
Received: from tptuwsrift9.netscape.net (15.8.28.244) by bos044-ug342.netscape.net with Microsoft SMTPSVC(5.0.2195.6824);
        Mon, 25 Jul 2005 20:18:01 -0600
Received: from Merlinz8vac67igd259scc (132.76.72.216) by gcnkhyby487.netscape.net
         (InterMail vM.5.01.06.05 859-013-395-837-128-432775) with SMTP
         id <998840854965872.IYHAE22.untsrco15442.netscape.net[at]editoroa77apn0g25ho>
         for <x>; Tue, 26 Jul 2005 04:16:01 +0200
Message-ID: <9596______________________oy07[at]Merlinli583fq85bf3zb>
From: "Dorothea Berger" <JXUJSW[at]netscape.net>
To: <x>
Subject: Best Erection Drugs ! bestow
Date: Tue, 26 Jul 2005 01:16:01 -0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
       boundary="--afloat"
X-spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on blade2.cesmail.net
X-spam-Level: ****************
X-spam-Status: hits=16.1 tests=RCVD_HELO_IP_MISMATCH,RCVD_NUMERIC_HELO,
       URIBL_AB_SURBL,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL,
       URIBL_WS_SURBL version=3.0.3
X-SpamCop-Checked: 192.168.1.103 212.69.217.31 212.69.206.38
X-SpamCop-Disposition: Blocked bl.spamcop.net

----afloat
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable


Hello

Since you didn't provide a Tracking URL, I had to generate one myself: http://www.spamcop.net/sc?id=z789986097zfc...7bd295471e2707z.

The relevant parse snippet follows:

Received:  from [212.69.206.38] (helo=netwo-45832-001.dsvr.co.uk) by smtp-relay02.x-mailer.co.uk with esmtp id 1DxE7B-0002kc-Py for x; Tue, 26 Jul 2005 02:20:13 +0100 <--- smtp-relay02.x-mailer.co.uk should be looking up RDNS of connecting IP Addresses and putting that RDNS in its Received Header Line.

212.69.206.38 found

host 212.69.206.38 = no-reverse.as5587.net. (cached)

Possible spammer: 212.69.206.38

Possible relay: 212.69.217.31

212.69.217.31 not listed in relays.ordb.org.

212.69.217.31 has already been sent to relay testers

Received line accepted

Received:  from [221.200.185.181] (helo=212.69.206.38) by netwo-45832-001.dsvr.co.uk with smtp (Exim 4.43) id 1DxE78-0000c7-Rt for x; Tue, 26 Jul 2005 02:20:13 +0100 <--- netwo-45832-001.dsvr.co.uk (or its new name) should also be looking up RDNS of connecting IP Addresses and putting that RDNS in its Received Header Line.

Bogus IP in HELO removed: 212.69.206.38

Received:

from  x ([221.200.185.181])

by netwo-45832-001.dsvr.co.uk with smtp (Exim 4.43) id 1DxE78-0000c7-Rt for x; Tue, 26 Jul 2005 02:20:13 +0100

221.200.185.181 found

host 221.200.185.181 (getting name) no name

212.69.206.38 not listed in dnsbl.njabl.org

212.69.206.38 not listed in cbl.abuseat.org

212.69.206.38 not listed in dnsbl.sorbs.net

212.69.206.38 is not an MX for smtp-relay02.x-mailer.co.uk <--- What can you do about making 212.69.206.38 an MX for netwo-45832-001.dsvr.co.uk (or its new name)?

netwo-45832-001.dsvr.co.uk looks like a dynamic host, untrusted as relay <--- What can you do about netwo-45832-001.dsvr.co.uk looking like the name of a dynamic host?
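To make the parser's walk concrete, here is an added example (not SpamCop's code) that steps through the thread's own Received chain top-down, trusting only lines written by a configured set of mailhosts and stopping at the first connecting IP outside that set or at a hop whose HELO claims an IP that does not match the connection. The two mailhost sets are constructed for the example: the "stale" one mirrors what the X-SpamCop-Checked line implies, the "updated" one adds the new server.

```python
import re

# Received hops from the message in this thread, most recent first (copied from the post;
# timestamps and queue ids trimmed). The helo= form is Exim's, the others are "from name (ip)".
RECEIVED = [
    "from unknown (192.168.1.103) by blade2.cesmail.net with QMQP",
    "from smtp-relay02.x-mailer.co.uk (212.69.217.31) by mailgate2.cesmail.net with SMTP",
    "from [212.69.206.38] (helo=netwo-45832-001.dsvr.co.uk) by smtp-relay02.x-mailer.co.uk with esmtp",
    "from [221.200.185.181] (helo=212.69.206.38) by netwo-45832-001.dsvr.co.uk with smtp (Exim 4.43)",
    "from tptuwsrift9.netscape.net (15.8.28.244) by bos044-ug342.netscape.net with Microsoft SMTPSVC",
    "from Merlinz8vac67igd259scc (132.76.72.216) by gcnkhyby487.netscape.net (InterMail) with SMTP",
]

# Constructed mailhost sets: STALE is what the parser was working with (new IP missing),
# UPDATED is the record after the move.
STALE = {"blade2.cesmail.net", "192.168.1.103", "mailgate2.cesmail.net",
         "smtp-relay02.x-mailer.co.uk", "212.69.217.31"}
UPDATED = STALE | {"212.69.206.38", "netwo-45832-001.dsvr.co.uk"}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
HOP_RE = re.compile(r"from\s+(\S+)\s+\((?:helo=)?([^)]*)\)\s+by\s+(\S+)", re.I)

def parse_hop(line):
    """Return (connecting_ip, helo_name, receiving_host), or None if the line is unusable."""
    m = HOP_RE.match(line.strip())
    if not m:
        return None
    first, paren, by_host = m.groups()
    bracketed = re.fullmatch(r"\[?(" + IPV4 + r")\]?", first)
    if bracketed:                        # Exim style: from [ip] (helo=name)
        return bracketed.group(1), paren, by_host
    if re.fullmatch(IPV4, paren):        # qmail/other style: from name (ip)
        return paren, first, by_host
    return None

def find_source(received, mailhosts):
    """Walk hops top-down, trusting only Received lines written by our mailhosts.
    Returns (source_ip, ips_checked, reason); ips_checked mirrors X-SpamCop-Checked."""
    checked = []
    for line in received:
        hop = parse_hop(line)
        if hop is None or hop[2] not in mailhosts:
            return (checked[-1] if checked else None), checked, "receiver not a mailhost; trust no further"
        ip, helo, by_host = hop
        checked.append(ip)
        if re.fullmatch(IPV4, helo) and helo != ip:   # the RCVD_HELO_IP_MISMATCH case
            return ip, checked, f"HELO claims {helo} but the connection came from {ip}; trust no further"
        if ip not in mailhosts:
            return ip, checked, f"first connecting IP outside the mailhosts, received by {by_host}"
    return (checked[-1] if checked else None), checked, "chain exhausted"

if __name__ == "__main__":
    for label, hosts in (("stale mailhosts", STALE), ("updated mailhosts", UPDATED)):
        src, checked, why = find_source(RECEIVED, hosts)
        print(f"{label}: source={src} checked={' '.join(checked)} ({why})")
```

With the stale set the walk stops at 212.69.206.38, exactly as the parse above did; with the updated set it reaches 221.200.185.181 and stops there because of the false HELO, so 132.76.72.216 is never reached.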


Andrew: Please post a tracking URL for your parse. The way I am reading your message, I am a bit confused as to your query.

> I'm in the process of moving my mail servers to a new location and have only just reconfigured the mailhosts for my domain/Email address.

Good, this statement I understand.

> So I was not entirely surprised to find a handful of legitimate messages caught in my held mail since the ip addresses didn't match with the held mail.

Messages in your Held Mail folder have nothing to do with your mailhost configuration. Mailhosts is only used during the parsing of reported spam, not during email delivery.

> However, on closer inspection it appears that the parser grabbed my new ip (212.69.206.38) in preference to the originating ip :(

Yes, it appears your new server is/was on SpamCop's BL

212.69.206.38 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 12 hours.

Causes of listing

SpamCop users have reported system as a source of spam about 20 times in the past week

> Here's the headers. Do we think this is correct parsing or should 132.76.72.216 have been identified?

I would need to see the parse to determine its reasoning. Manually, I get to 221.200.185.181 and because of the false helo that host is receiving, would trust no further. The message was held because the mail service found 212.69.206.38 in the BL.


> Andrew: Please post a tracking URL for your parse. The way I am reading your message, I am a bit confused as to your query.

Sorry, I abandoned the process on this message neglecting to retain the tracking URL. I'm not certain how to recover it although JeffG seems to have done so. Thanks.

> Yes, it appears your new server is/was on SpamCop's BL
>
> I would need to see the parse to determine its reasoning. Manually, I get to 221.200.185.181 and because of the false helo that host is receiving, would trust no further. The message was held because the mail service found 212.69.206.38 in the BL.

The listing actually arises from using the quick reporting on the batch of messages immediately prior to this one. So I reported myself. I can live with this for now since having identified the problem I'm not quick reporting. I guess I could ask for immediate de-listing since I've resolved the problem.

Jeff is right, there does appear to be an rDNS issue which I'll have to get my host provider to fix. Not in my power :-(

Even so, though, I'm still bemused why the parser chose my ip rather than the earlier (in the processing) of the source.

Just trying to understand so I can better avoid the issue later.

Andrew


> The parser has trust issues with most of the items I identified.

Fully understood...

Thanks for the help. The ISP is processing the rDNS stuff so we should be in better shape soon :-)

Andrew


A quick note to finally close out this thread...

We're still working on the rDNS issues with the ISP.

Had some helpful contact with Ellen who said that the issue primarily arose with the change of IP address not having been updated in the mailhosts.

The listing occurred because I had put a large bunch through quick reporting since it had become very reliable in not self-reporting unless, of course, the mailhosts have the wrong ip in the records.

All seems to be settling now. A timely reminder to update the mailhosts record when changing ip for the mailserver. :-)

Thanks for all the input received.

Andrew
