agsteele Posted July 26, 2005

I'm in the process of moving my mail servers to a new location and have only just reconfigured the mailhosts for my domain/Email address. So I was not entirely surprised to find a handful of legitimate messages caught in my held mail since the ip addresses didn't match with the held mail. However, on closer inspection it appears that the parser grabbed my new ip (212.69.206.38) in preference to the originating ip. Here are the headers. Do we think this is correct parsing or should 132.76.72.216 have been identified?

Andrew

Return-Path: <JXUJSW[at]netscape.net>
Delivered-To: spamcop-net-x
Received: (qmail 4380 invoked from network); 26 Jul 2005 01:20:14 -0000
Received: from unknown (192.168.1.103) by blade2.cesmail.net with QMQP; 26 Jul 2005 01:20:14 -0000
Received: from smtp-relay02.x-mailer.co.uk (212.69.217.31) by mailgate2.cesmail.net with SMTP; 26 Jul 2005 01:20:14 -0000
Received: from [212.69.206.38] (helo=netwo-45832-001.dsvr.co.uk) by smtp-relay02.x-mailer.co.uk with esmtp id 1DxE7B-0002kc-Py for x; Tue, 26 Jul 2005 02:20:13 +0100
Received: from [221.200.185.181] (helo=212.69.206.38) by netwo-45832-001.dsvr.co.uk with smtp (Exim 4.43) id 1DxE78-0000c7-Rt for x; Tue, 26 Jul 2005 02:20:13 +0100
Received: from tptuwsrift9.netscape.net (15.8.28.244) by bos044-ug342.netscape.net with Microsoft SMTPSVC(5.0.2195.6824); Mon, 25 Jul 2005 20:18:01 -0600
Received: from Merlinz8vac67igd259scc (132.76.72.216) by gcnkhyby487.netscape.net (InterMail vM.5.01.06.05 859-013-395-837-128-432775) with SMTP id <998840854965872.IYHAE22.untsrco15442.netscape.net[at]editoroa77apn0g25ho> for <x>; Tue, 26 Jul 2005 04:16:01 +0200
Message-ID: <9596______________________oy07[at]Merlinli583fq85bf3zb>
From: "Dorothea Berger" <JXUJSW[at]netscape.net>
To: <x>
Subject: Best Erection Drugs ! bestow
Date: Tue, 26 Jul 2005 01:16:01 -0100
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--afloat"
X-spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on blade2.cesmail.net
X-spam-Level: ****************
X-spam-Status: hits=16.1 tests=RCVD_HELO_IP_MISMATCH,RCVD_NUMERIC_HELO, URIBL_AB_SURBL,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL, URIBL_WS_SURBL version=3.0.3
X-SpamCop-Checked: 192.168.1.103 212.69.217.31 212.69.206.38
X-SpamCop-Disposition: Blocked bl.spamcop.net

----afloat
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable

Hello
Jeff G. Posted July 26, 2005

Since you didn't provide a Tracking URL, I had to generate one myself: http://www.spamcop.net/sc?id=z789986097zfc...7bd295471e2707z. The relevant parse snippet follows:

Received: from [212.69.206.38] (helo=netwo-45832-001.dsvr.co.uk) by smtp-relay02.x-mailer.co.uk with esmtp id 1DxE7B-0002kc-Py for x; Tue, 26 Jul 2005 02:20:13 +0100
<--- smtp-relay02.x-mailer.co.uk should be looking up RDNS of connecting IP Addresses and putting that RDNS in its Received Header Line.
212.69.206.38 found
host 212.69.206.38 = no-reverse.as5587.net. (cached)
Possible spammer: 212.69.206.38
Possible relay: 212.69.217.31
212.69.217.31 not listed in relays.ordb.org.
212.69.217.31 has already been sent to relay testers
Received line accepted
Received: from [221.200.185.181] (helo=212.69.206.38) by netwo-45832-001.dsvr.co.uk with smtp (Exim 4.43) id 1DxE78-0000c7-Rt for x; Tue, 26 Jul 2005 02:20:13 +0100
<--- netwo-45832-001.dsvr.co.uk (or its new name) should also be looking up RDNS of connecting IP Addresses and putting that RDNS in its Received Header Line.
Bogus IP in HELO removed: 212.69.206.38
Received: from x ([221.200.185.181]) by netwo-45832-001.dsvr.co.uk with smtp (Exim 4.43) id 1DxE78-0000c7-Rt for x; Tue, 26 Jul 2005 02:20:13 +0100
221.200.185.181 found
host 221.200.185.181 (getting name) no name
212.69.206.38 not listed in dnsbl.njabl.org
212.69.206.38 not listed in cbl.abuseat.org
212.69.206.38 not listed in dnsbl.sorbs.net
212.69.206.38 is not an MX for smtp-relay02.x-mailer.co.uk
<--- What can you do about making 212.69.206.38 an MX for netwo-45832-001.dsvr.co.uk (or its new name)?
netwo-45832-001.dsvr.co.uk looks like a dynamic host, untrusted as relay
<--- What can you do about netwo-45832-001.dsvr.co.uk looking like the name of a dynamic host?
StevenUnderwood Posted July 26, 2005

Andrew: Please post a tracking URL for your parse. The way I am reading your message, I am a bit confused as to your query.

> I'm in the process of moving my mail servers to a new location and have only just reconfigured the mailhosts for my domain/Email address.

Good, this statement I understand.

> So I was not entirely surprised to find a handful of legitimate messages caught in my held mail since the ip addresses didn't match with the held mail.

Messages in your Held Mail folder have nothing to do with your mailhost configuration. Mailhosts is only used during the parsing of reported spam, not during email delivery.

> However, on closer inspection it appears that the parser grabbed my new ip (212.69.206.38) in preference to the originating ip

Yes, it appears your new server is/was on SpamCop's BL:

212.69.206.38 listed in bl.spamcop.net (127.0.0.2)
If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 12 hours.
Causes of listing: SpamCop users have reported system as a source of spam about 20 times in the past week

> Here are the headers. Do we think this is correct parsing or should 132.76.72.216 have been identified?

I would need to see the parse to determine its reasoning. Manually, I get to 221.200.185.181 and because of the false helo that host is receiving, would trust no further. The message was held because the mail service found 212.69.206.38 in the BL.
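The trust walk that Jeff's parse snippet and Steven's manual reading both describe (accept each Received: line while the connecting peer is one of your own mailhosts, stop at the first peer that is not, and note a HELO that claims one of your own addresses), written out as an added example in Python. It is not SpamCop's code and not from anyone in this thread; it assumes the mailhosts list is a plain set of IP literals, leaves out the rDNS, MX and dynamic-host checks that Jeff's snippet shows, and runs on a constructed copy of the headers Andrew posted (spam-test headers and body omitted).

```python
"""Walk a Received: chain newest-first and stop at the first peer that is not ours.
Added example, not SpamCop's parser. SAMPLE_HEADERS is a constructed copy of the
chain posted in the thread; mailhosts are assumed to be a list of IP literals."""
import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional

SAMPLE_HEADERS = """\
Received: (qmail 4380 invoked from network); 26 Jul 2005 01:20:14 -0000
Received: from unknown (192.168.1.103)
  by blade2.cesmail.net with QMQP; 26 Jul 2005 01:20:14 -0000
Received: from smtp-relay02.x-mailer.co.uk (212.69.217.31)
  by mailgate2.cesmail.net with SMTP; 26 Jul 2005 01:20:14 -0000
Received: from [212.69.206.38] (helo=netwo-45832-001.dsvr.co.uk)
  by smtp-relay02.x-mailer.co.uk with esmtp id 1DxE7B-0002kc-Py for x;
  Tue, 26 Jul 2005 02:20:13 +0100
Received: from [221.200.185.181] (helo=212.69.206.38)
  by netwo-45832-001.dsvr.co.uk with smtp (Exim 4.43) id 1DxE78-0000c7-Rt for x;
  Tue, 26 Jul 2005 02:20:13 +0100
Received: from tptuwsrift9.netscape.net (15.8.28.244)
  by bos044-ug342.netscape.net with Microsoft SMTPSVC(5.0.2195.6824);
  Mon, 25 Jul 2005 20:18:01 -0600
Received: from Merlinz8vac67igd259scc (132.76.72.216)
  by gcnkhyby487.netscape.net (InterMail vM.5.01.06.05) with SMTP for <x>;
  Tue, 26 Jul 2005 04:16:01 +0200
From: "Dorothea Berger" <JXUJSW@netscape.net>
"""


@dataclass
class Hop:
    ip: Optional[str]  # peer address as the receiving MTA recorded it (None if absent)
    helo: str          # what the peer said in HELO/EHLO, or its name if no helo= tag
    by: str            # the MTA that wrote this Received: line


@dataclass
class Verdict:
    source: Optional[str]  # the IP a report would be filed against
    trusted_hops: int      # Received: lines accepted as written by our own hosts
    helo_mismatch: bool    # the peer's HELO was an IP literal other than its real one
    note: str


IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def unfold(raw: str) -> List[str]:
    """Join RFC 5322 continuation lines (leading whitespace) onto their header."""
    out: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def parse_received(value: str) -> Optional[Hop]:
    """Pull peer IP, HELO name and receiving host out of one Received: value."""
    m = re.match(r"from\s+(?P<frm>.+?)\s+by\s+(?P<by>\S+)", value.strip())
    if not m:
        return None  # e.g. qmail's local "(qmail NNN invoked from network)" line
    frm = m.group("frm")
    ips = IPV4.findall(frm)  # the first literal is the address the MTA actually saw
    helo = re.search(r"helo=([^\s)]+)", frm)
    return Hop(ip=ips[0] if ips else None,
               helo=helo.group(1) if helo else frm.split()[0].strip("[]"),
               by=m.group("by"))


def parse_headers(raw: str) -> List[Hop]:
    hops: List[Hop] = []
    for line in unfold(raw):
        if line.lower().startswith("received:"):
            hop = parse_received(line.split(":", 1)[1])
            if hop:
                hops.append(hop)
    return hops


def _is_ip(s: str) -> bool:
    try:
        ip_address(s.strip("[]"))
        return True
    except ValueError:
        return False


def find_source(hops: List[Hop], mailhosts: List[str]) -> Verdict:
    """Trust a hop while its peer is one of our mailhosts (or RFC 1918); the first
    peer outside that set is the source. Lines below it were written by hosts we
    do not control and may be forged, so they are never consulted."""
    ours = {ip_address(a) for a in mailhosts}
    for n, hop in enumerate(hops):
        if hop.ip is None:
            return Verdict(None, n, False, f"hop {n}: {hop.by} recorded no peer address")
        peer = ip_address(hop.ip)
        if peer.is_private or peer in ours:
            continue
        mismatch = _is_ip(hop.helo) and ip_address(hop.helo.strip("[]")) != peer
        note = (f"peer said HELO {hop.helo} but connected from {hop.ip}" if mismatch
                else f"first peer outside our mailhosts, recorded by {hop.by}")
        return Verdict(hop.ip, n, mismatch, note)
    return Verdict(None, len(hops), False, "every hop is ours: no external source")


if __name__ == "__main__":
    hops = parse_headers(SAMPLE_HEADERS)
    print(find_source(hops, ["212.69.217.31", "212.69.206.38"]))  # updated mailhosts
    print(find_source(hops, ["212.69.217.31"]))                   # stale mailhosts
```

With the new server in the mailhosts list the walk reaches 221.200.185.181 and flags its HELO of 212.69.206.38 as a mismatch; with the old list, which is Andrew's situation, it stops at 212.69.206.38 and would file the report against his own server. The hops below the first untrusted peer (the netscape.net lines, including 132.76.72.216) are never examined, which is why a header that looks like the true origin is not what gets reported.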
agsteele Posted July 26, 2005 (author)

> Andrew: Please post a tracking URL for your parse. The way I am reading your message, I am a bit confused as to your query.

Sorry, I abandoned the process on this message, neglecting to retain the tracking URL. I'm not certain how to recover it, although JeffG seems to have done so. Thanks.

> Yes, it appears your new server is/was on SpamCop's BL
> I would need to see the parse to determine its reasoning. Manually, I get to 221.200.185.181 and because of the false helo that host is receiving, would trust no further. The message was held because the mail service found 212.69.206.38 in the BL.

The listing actually arises from using the quick reporting on the batch of messages immediately prior to this one. So I reported myself. I can live with this for now since, having identified the problem, I'm not quick reporting. I guess I could ask for immediate de-listing since I've resolved the problem.

Jeff is right, there does appear to be an rDNS issue which I'll have to get my host provider to fix. Not in my power :-(

Even so, though, I'm still bemused why the parser chose my ip rather than the earlier (in the processing) of the source. Just trying to understand so I can better avoid the issue later.

Andrew
Jeff G. Posted July 26, 2005

The parser has trust issues with most of the items I identified.
agsteele Posted July 26, 2005 (author)

> The parser has trust issues with most of the items I identified.

Fully understood... Thanks for the help. The ISP is processing the rDNS stuff so we should be in better shape soon :-)

Andrew
agsteele Posted July 29, 2005 (author)

A quick note to finally close out this thread... We're still working on the rDNS issues with the ISP. Had some helpful contact with Ellen, who said that the issue primarily arose with the change of IP address not having been updated in the mailhosts. The listing occurred because I had put a large bunch through quick reporting since it had become very reliable in not self-reporting unless, of course, the mailhosts have the wrong ip in the records.

All seems to be settling now. A timely reminder to update the mailhosts record when changing ip for the mailserver. :-)

Thanks for all the input received.

Andrew
Jeff G. Posted July 29, 2005

Thanks for the update!