JayEdgar Posted February 25, 2004

I got the following message in an email today (with my domain cleaned out):

Hello

We just received 26 spam complaints from spamcop.net regarding the server where your domain [myserver.com] is on, as being reported as the source of spam when it's actually not. (Please see below).

Please be careful not to report the server where your domain is on as the source, as this is not at all good for our network, we do work hard to keep a clean spam free reputation. Continual false complaints could result in access problems from our server to other servers, and it is time consuming for us and the network to weed through, so please do be careful.

Thank you, and if you have any questions, please don't hesitate to ask.

Note: the email below is from Received: from host162219.arnet.net.ar (host162219.arnet.net.ar for your domain
The server mercia.host4u.net ([xxx.xxx.xxx.xxx]) received the email for you.

regards
spam control at axxs.net

From: "Jay Edgar" <711636910[at]reports.spamcop.net>
To: abuse[at]axxs.net
Subject: [spamCop (216.71.64.117) id:711636910]C L E_A_R - D_R U_G Z_-_1_. 3 3_$_-_P_E R_-_D_O_S_E 61903
Date: 24 Feb 2004 03:41:48 -0000
X-SpamCop-sourceip:
X-Mailer: http://www.spamcop.net/ v1.3.4

[ SpamCop V1.3.4 ]
This message is brief for your comfort. Please use links below for details.

Email from 216.71.64.117 / 24 Feb 2004 03:41:48 -0000
http://www.spamcop.net/w3m?i=z711636910zac...76635b797a3d48z

[ Offending message ]
Return-Path: <GNCUDUTDQJMUPOTOJBTMHYYHDBX[at]fiddlersgreenorlando.com>
Delivered-To: x
Received: (qmail 7201 invoked from network); 24 Feb 2004 03:41:49 -0000
Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101) by blade6.cesmail.net with SMTP; 24 Feb 2004 03:41:49 -0000
Received: (qmail 9238 invoked from network); 24 Feb 2004 03:41:48 -0000
Received: from mercia.host4u.net (216.71.64.117) by mailgate.cesmail.net with SMTP; 24 Feb 2004 03:41:48 -0000
Received: from host162219.arnet.net.ar (host162219.arnet.net.ar [200.45.162.219] (may be forged)) by mercia.host4u.net (8.11.6/8.11.6) with SMTP id i1O3fir18988 for <x>; Mon, 23 Feb 2004 21:41:45 -0600
Received: from 80.195.216.195 by web941.mail.yahoo.com; Mon, 23 Feb 2004 21:32:42 -0600
Message-ID: <JPDN_________________ACZG[at]hyenafilms.net>
From: "Abe Beard" <GNCUDUTDQJMUPOTOJBTMHYYHDBX[at]fiddlersgreenorlando.com>
Reply-To: "Abe Beard" <GNCUDUTDQJMUPOTOJBTMHYYHDBX[at]fiddlersgreenorlando.com>
To: x
Subject: C L E_A_R - D_R U_G Z_-_1_. 3 3_$_-_P_E R_-_D_O_S_E 61903
Date: Tue, 24 Feb 2004 09:36:42 +0600
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--52961433036076025839"
X-CS-IP: 98.128.91.11
X-spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on blade6
X-spam-Level: *****
X-spam-Status: hits=5.8 tests=BIZ_TLD,GAPPY_SUBJECT,HTML_60_70,HTML_FONT_BIG,
    HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,LINES_OF_YELLING,MIME_HTML_ONLY,
    MIME_HTML_ONLY_MULTI,SUBJ_ALL_CAPS version=2.60
X-SpamCop-Checked: 192.168.1.101 216.71.64.117
X-SpamCop-Disposition: Blocked bl.spamcop.net

I'm pretty sure I remember reporting this spam, but I certainly didn't create the spam itself. Am I confused? Are they? Is there an error in how I reported it to spamcop? Did spamcop make a mistake? What do I do next?

I'm confused by this, and don't really know how to figure it out. I figured some of you smart folks could direct me.

Thanks.

Jay

Wazoo Posted February 25, 2004

The critical part of the SpamCop parser output is;

Chain error web941.mail.yahoo.com not equal to last sender received line discarded 200.45.162.219 discarded as a forgery, using 216.71.64.117

The critical part of the SpamCop Reporting code is;

Report spam to:
Re: 216.71.64.117 (Administrator of IP block - statistics only)
To: postmaster[at]axxs.net (Notes)
To: abuse[at]axxs.net (Notes)

You are the one that should have caught this "problem" before clicking on the Send Reports Now button.

These are the lines that caused the problem;

Received: from mercia.host4u.net (216.71.64.117) by mailgate.cesmail.net with SMTP; 24 Feb 2004 03:41:48 -0000
Received: from host162219.arnet.net.ar (host162219.arnet.net.ar [200.45.162.219] (may be forged)) by mercia.host4u.net (8.11.6/8.11.6) with SMTP id i1O3fir18988 for <x>; Mon, 23 Feb 2004 21:41:45 -0600

You need to make apologies at least, make special note to look at the addresses you're sending complaints to and make sure you're not reporting yourself.

Others may chime in later about the probabilities of some configuration problems with the host4u servers .....

turetzsr Posted February 25, 2004

Hi, Jay!

...In addition to taking into account what Wazoo wrote, you may want to peruse Pinned: FAQ Entry: How can I unsend a report?.

JayEdgar (Author) Posted February 25, 2004

Wazoo and Steve:

Thanks for your responses. I think I'm beginning to understand, but I'm not there yet. Are you saying that the line you pointed out:

> These are the lines that caused the problem;
> Received: from mercia.host4u.net (216.71.64.117)

indicates my server, and that's what I reported? If so, how did the email originate from me? I have up to date virus software and use adaware, spybot and spyware guard, so I don't think I've been infected and sent out emails.

Please have a bit more patience with me and lead me by the hand with this.

Thanks much,

Jay

turetzsr Posted February 25, 2004

Hi, Jay,

> Wazoo and Steve:
>
> Thanks for your responses. I think I'm beginning to understand, but I'm not there yet. Are you saying that the line you pointed out:
>
>> These are the lines that caused the problem;
>> Received: from mercia.host4u.net (216.71.64.117)
>
> indicates my server, and that's what I reported? If so, how did the email originate from me? I have up to date virus software and use adaware, spybot and spyware guard, so I don't think I've been infected and sent out emails.
>
> Please have a bit more patience with me and lead me by the hand with this.
>
> Thanks much,
>
> Jay

...Yep, it's easy to get confused -- no need to apologize, IMHO.

...Here's the deal, as I understand it:

- You received an e-mail that you considered to be spam
- You (logged in as 711636910 <at> reports.spamcop.net) reported it via SpamCop
- The SpamCop parser became confused due to an odd line (as referenced by Wazoo) and sent the spam report to the abuse desk of your e-mail provider (abuse[at]axxs.net)

...Does that help?

Wazoo Posted February 25, 2004

> If so, how did the email originate from me?

No, we never said that the e-mail came from you. The SpamCop parser tries to perform a "chain test", i.e., follow the handling of the e-mail from one server to another. It made it all the way down to your ISP ...

Received: from mercia.host4u.net (216.71.64.117) by mailgate.cesmail.net with SMTP; 24 Feb 2004 03:41:48 -0000

Then it hit these lines;

Received: from host162219.arnet.net.ar (host162219.arnet.net.ar [200.45.162.219] (may be forged)) by mercia.host4u.net (8.11.6/8.11.6) with SMTP id i1O3fir18988 for <x>; Mon, 23 Feb 2004 21:41:45 -0600
Received: from 80.195.216.195 by web941.mail.yahoo.com; Mon, 23 Feb 2004 21:32:42 -0600

Resulting in the error condition of;

Chain error web941.mail.yahoo.com not equal to last sender received line discarded 200.45.162.219 discarded as a forgery, using 216.71.64.117

there is no handoff from the (forged) yahoo.com server to the net.ar server, and this particular bogus line construction has been seen often of late .... that host 200.45.162.219 = host162219.arnet.net.ar is probably a more likely candidate for the injection point, the parser didn't like this line, so it dropped back to the last "good" line, which unfortunately, is your ISP's server.

At this point, I would have recommended that you cancel the SpamCop complaint and send one manually, guessing to abuso[at]arnet.com.ar, but only after doing some more digging on these folks ...

Guessing that you'd not be comfortable going manual, then I'd suggest that the next time you see your ISP as the complaint target, at least uncheck those boxes before hitting the Send button.

Here's hoping I explained it a bit better ...??

JayEdgar (Author) Posted February 25, 2004

Those are both great explanations, and thanks to the both of you. The piece I'm still stuck on is that axxs.net isn't my ISP, OLM is. Unless axxs.net is another domain with them or something. I think I have enough to dig into now.

Apparently someone has been pretty successfully spoofing my email address or something, as I'm getting a lot of failure emails bouncing back to me of the same type. Any suggestions as to what to do about that?

Thanks again. Help is much appreciated.

Jay

turetzsr Posted February 25, 2004

Hi, Jay,

> Those are both great explanations, and thanks to the both of you.

...Happy to try to help!

> Apparently someone has been pretty successfully spoofing my email address or something, as I'm getting a lot of failure emails bouncing back to me of the same type. Any suggestions as to what to do about that?

...Perhaps Pinned: FAQ Entry: Why am I getting all these bounces?

Wazoo Posted February 25, 2004

I'm lost ... axxs.net I can only find as manual.axxs.net, which doesn't say squat as far as hosting anything, www.host4u.net gets me a 403 error, and OLM ... oh yeah, the folks that advertise with the guy that's happy with 56k and he's never had a question that they couldn't answer ... I sure struck out in trying to find the / your connection ....

Jeff G. Posted February 25, 2004

http://www.abuse.net/lookup.phtml?DOMAIN=host4u.net reports:

abuse[at]host4u.net (for host4u.net)
postmaster[at]host4u.net (for host4u.net)
abuse[at]axxs.net (for host4u.net)
postmaster[at]axxs.net (for host4u.net)

turetzsr Posted February 25, 2004

Routing details for 216.71.64.117

Reports routes for 216.71.64.117:
routeid:7486781 216.71.0.0 - 216.71.223.255 to:dns[at]axxs.net
Administrator found from whois records

Wazoo Posted February 25, 2004

Yeah, I found the same data, but then I tried hitting the web sites associated with the e-mail addresses ... and then trying to sort out the connection to "OLM is my host" but axxs is the one that handled the spam complaints ... there's what I couldn't come up with ... at best, maybe something along the lines of a re-seller in there somewhere, but that connection to marry all these "hosts" together is what I was trying to resolve

Ellen Posted February 26, 2004

Yes you were reporting yourself altho the parser is now parsing past your header so I am not entirely sure what the problem was. You should know your own IP and not report yourself however I have also added a flag to the system to say that your IP is a valid mailserver. The headers I looked at are:

Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101) by blade6.cesmail.net with SMTP; 24 Feb 2004 03:41:49 -0000
Received: (qmail 9238 invoked from network); 24 Feb 2004 03:41:48 -0000
Received: from mercia.host4u.net (216.71.64.117) by mailgate.cesmail.net with SMTP; 24 Feb 2004 03:41:48 -0000
Received: from host162219.arnet.net.ar (host162219.arnet.net.ar [200.45.162.219] (may be forged)) by mercia.host4u.net (8.11.6/8.11.6) with SMTP id i1O3fir18988 for <x>; Mon, 23 Feb 2004 21:41:45 -0600
Received: from 80.195.216.195 by web941.mail.yahoo.com; Mon, 23 Feb 2004 21:32:42 -0600
Message-ID: <JPDN_________________ACZG[at]hyenafilms.net>
From: "Abe Beard" <GNCUDUTDQJMUPOTOJBTMHYYHDBX[at]fiddlersgreenorlando.com>
Reply-To: "Abe Beard" <GNCUDUTDQJMUPOTOJBTMHYYHDBX[at]fiddlersgreenorlando.com>
To: x
Subject: C L E_A_R - D_R U_G Z_-_1_. 3 3_$_-_P_E R_-_D_O_S_E 61903
Date: Tue, 24 Feb 2004 09:36:42 +0600

The injection is host162219.arnet.net.ar (host162219.arnet.net.ar [200.45.162.219] and the bottom received header with yahoo in it is forged ...

Keep an eye on your reports but they should be parsing ok now
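
The chain test Wazoo describes and the effect of the "valid mailserver" flag Ellen mentions, as an added example that is not part of the original thread and is not SpamCop's actual parser: a simplified Python walk over the Received lines quoted above. The function names, the `trusted_ips` set and the trust rule are assumptions made for illustration.

```python
import re

# Received lines from the report quoted in this thread, newest first.
RECEIVED = [
    "from unknown (HELO mailgate.cesmail.net) (192.168.1.101) "
    "by blade6.cesmail.net with SMTP; 24 Feb 2004 03:41:49 -0000",
    "(qmail 9238 invoked from network); 24 Feb 2004 03:41:48 -0000",
    "from mercia.host4u.net (216.71.64.117) "
    "by mailgate.cesmail.net with SMTP; 24 Feb 2004 03:41:48 -0000",
    "from host162219.arnet.net.ar (host162219.arnet.net.ar [200.45.162.219] "
    "(may be forged)) by mercia.host4u.net (8.11.6/8.11.6) with SMTP "
    "id i1O3fir18988 for <x>; Mon, 23 Feb 2004 21:41:45 -0600",
    "from 80.195.216.195 by web941.mail.yahoo.com; "
    "Mon, 23 Feb 2004 21:32:42 -0600",
]

HOP = re.compile(r"^from\s+(\S.*?)\s+by\s+([^\s;]+)", re.S)
HELO = re.compile(r"\(HELO\s+([^\s)]+)\)")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_hop(value):
    """Return (sender_name, sender_ip, written_by), or None for a local handoff."""
    m = HOP.match(value.strip())
    if not m:
        return None  # e.g. the "(qmail ... invoked from network)" line
    sender, written_by = m.group(1), m.group(2).lower()
    helo = HELO.search(sender)
    name = (helo.group(1) if helo else sender.split()[0]).lower()
    ip = IPV4.search(sender)
    return name, (ip.group(0) if ip else None), written_by


def find_source(received, trusted_ips):
    """Walk newest to oldest and return (source_ip, notes).

    Assumed rule: the top line is written by the recipient's own server and
    is believed. An older line is believed only if the server that wrote it
    is the sender of the line above (the chain holds) and that sender's IP
    is in trusted_ips (a known, honest relay).
    """
    hops = [h for h in map(parse_hop, received) if h]
    if not hops:
        return None, ["no usable Received lines"]
    notes = []
    name, source, _ = hops[0]
    for next_name, next_ip, written_by in hops[1:]:
        if written_by != name:
            notes.append(f"chain error: {written_by} not equal to last sender {name}")
            break
        if source not in trusted_ips:
            notes.append(f"{source} is not a known relay; {next_ip} unverified")
            break
        name, source = next_name, next_ip
    return source, notes


if __name__ == "__main__":
    print(find_source(RECEIVED, {"192.168.1.101"}))
    print(find_source(RECEIVED, {"192.168.1.101", "216.71.64.117"}))
```

With only the cesmail.net gateway trusted, the walk stops at 216.71.64.117, the reporter's own provider. Adding that address as a known relay moves the result to 200.45.162.219 and flags the web941.mail.yahoo.com line as a chain error.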

Wazoo Posted February 26, 2004

Thank the gods that the dear lady seconded the opinion, and that she has the power to perform the deeds that she does! <g>

turetzsr Posted February 26, 2004

> Thank the gods that the dear lady seconded the opinion, and that she has the power to perform the deeds that she does! <g>

...Yep, Ellen's my hero!

Ellen Posted February 26, 2004

:-)

JayEdgar (Author) Posted February 27, 2004

Wow. My post has led to so much activity and effort on others' parts!

OK, so I reported my own address somehow. Could that have happened using the 'quick report and immediately trash' option on the held email page? To be honest, I spend plenty of time reporting the email that gets through to my inbox (which is rather painful with Outlook...); I have little interest in going through each submittal manually and ensuring my IP isn't in there. Perhaps that makes me a bad little spamcopper. I do my best to be conscientious, but I have to get enough hours in at work so I can pay my mortgage.

Am I to understand that what Ellen did takes care of this concern?

Deep thanks to everyone who's been so helpful. You all are great.

Jay

Jeff G. Posted February 27, 2004

> Am I to understand that what Ellen did takes care of this concern?

Yes.

> Deep thanks to everyone who's been so helpful. You all are great.

You're welcome.

Wazoo Posted February 27, 2004

> Am I to understand that what Ellen did takes care of this concern?

Just a small note on this .. Yes, Ellen put the "fix" in on "this" one ... It doesn't mean that you still run blindly trusting everything, cause there may be something else that could go wrong tomorrow ... there are a number of folks that suggest not using the Quick Report at all, balanced against so many others that don't run into issues.

Miss Betsy Posted February 27, 2004

If you do use Quick Reporting, be sure to look at the reports you get back just in case the parser hiccups so you can correct any errors. I went for months without ever having a problem. Then two weeks before Quick Reporting started, the parser timed out and named my ISP. It never happened again, but if it happened once, it could happen again. Also sometimes ISP's change things that cause the parser to stop and you are unaware of it until you see your ISP checked (or if using Quick Reporting, reported).

I found reading the reports as tedious as reporting each spam so I would go with just reporting what you have time for (the newest first).

Miss Betsy

turetzsr Posted February 27, 2004

> If you do use Quick Reporting, be sure to look at the reports you get back just in case the parser hiccups so you can correct any errors. I went for months without ever having a problem. Then two weeks before Quick Reporting started, the parser timed out and named my ISP. It never happened again, but if it happened once, it could happen again. Also sometimes ISP's change things that cause the parser to stop and you are unaware of it until you see your ISP checked (or if using Quick Reporting, reported).
>
> I found reading the reports as tedious as reporting each spam so I would go with just reporting what you have time for (the newest first).
>
> Miss Betsy

...Great post, Miss Betsy!

...Moderators: another candidate for a FAQ.

Jeff G. Posted February 27, 2004

>> If you do use Quick Reporting, be sure to look at the reports you get back just in case the parser hiccups so you can correct any errors. I went for months without ever having a problem. Then two weeks before Quick Reporting started, the parser timed out and named my ISP. It never happened again, but if it happened once, it could happen again. Also sometimes ISP's change things that cause the parser to stop and you are unaware of it until you see your ISP checked (or if using Quick Reporting, reported).
>>
>> I found reading the reports as tedious as reporting each spam so I would go with just reporting what you have time for (the newest first).
>>
>> Miss Betsy
>
> ...Great post, Miss Betsy!
>
> ...Moderators: another candidate for a FAQ.

I agree. I added it to http://forum.spamcop.net/forums/index.php?showtopic=88 as Step 16.

Miss Betsy Posted February 28, 2004

Golly gee! I feel really special! I'm glad I finally contributed something worthwhile!

Miss Betsy

turetzsr Posted February 28, 2004

> Golly gee! I feel really special! I'm glad I finally contributed something worthwhile!
>
> Miss Betsy

...Finally? Really, Miss Betsy, that smacks of false modesty!

Miss Betsy Posted February 28, 2004

But this is a FAQ! Most of what I contribute is just IMHO! Perhaps I should have said "practical" instead of "worthwhile"

Miss Betsy

Archived
This topic is now archived and is closed to further replies.