efa Posted December 10, 2005

Hi, I submitted a 3-day-old spam today. Here is the tracking URL: http://www.spamcop.net/sc?id=z839337921z6e...464b0b17bedc64z

The spam is too old, so the parser cannot report it at all. But I noted that the parser incorrectly identifies the source as 1.16.104.105, registered to:

OrgName: Internet Assigned Numbers Authority
OrgID: IANA
NetRange: 1.0.0.0 - 1.255.255.255
CIDR: 1.0.0.0/8
NetName: RESERVED-9
NetType: IANA Reserved
OrgAbuseEmail: abuse[at]iana.org

when the source is surely 213.140.2.73, registered to:

inetnum: 213.140.0.0 - 213.140.2.255
netname: FASTWEB-NOC
abuse[at]fastweb.it

Clearly the header is forged, inserting a hop in a private LAN (10.31.40.142) and a fake source of 1.16.104.105.
Jeff G. Posted December 10, 2005

I agree that this is a problem with the SpamCop Parser, in that the Parser should recognize "IANA Reserved" and "IANA Special Use" NetTypes (like Networks 1.0.0.0/8, 2.0.0.0/8, and 5.0.0.0/8), as documented in whois.arin.net responses as well as RFC3330 Special-Use IPv4 Addresses, and should discard them like it does "IANA Special Use" NetTypes (10.0.0.0/8, 192.168.0.0/16, and 172.16.0.0/12), as documented in RFC1918 Address Allocation for Private Internets and referenced in RFC3330 Special-Use IPv4 Addresses. To expedite repair of this problem, I'd suggest emailing a SpamCop Admin via How To Get Official SpamCop.Net Customer Support.
Miss Betsy Posted December 11, 2005

When I click on the tracking URL, this is what I get:

If reported today, reports would be sent to:
Re: 213.140.2.73 (Administrator of IP block - statistics only) abuse[at]fastweb.it
Re: 213.140.2.73 (Third party interested in email source) spamcop[at]imaphost.com
Re: http://www.duniaonline.net/ (Administrator of network hosting website referenced in spam) abuse[at]plusserver.de abuse[at]server4you.de

Either efa was quick to contact SpamCop and they were quick to fix it, or it was one of those times when the parser hiccuped. Often when that happens, refreshing the parse produces a different result.

Miss Betsy
efa Posted December 11, 2005

> Either efa was quick to contact spamcop and they were quick to fix it

I post here <munged> my email to the SpamCop admin:

---
Date: Sun, 11 Dec 2005 01:01:21 +0100
From: efa <...efa...[at]....it>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; it-IT; rv:1.7.12) Gecko/20050915
To: <SpamCop Admin [at:-] showtopic=5517>
Subject: Referral from the SpamCop Web Forum
X-Enigmail-Version: 0.92.0.0

I wrote to the forum signaling a probable parser bug/enhancement:
http://forum.spamcop.net/forums/index.php?showtopic=5572

Jeff G. asked me to contact the SpamCop admin email directly to speed up the fix of this.

regards,
<efa>
---

and his fast reply (and fix):

---
From - Sun Dec 11 03:41:38 2005
X-Mailer: QUALCOMM Windows Eudora Version 6.2.5.4 (Beta)
Date: Sat, 10 Dec 2005 19:40:46 -0700
To: efa <...efa...[at]....it>
From: SpamCop Admin <SpamCop Admin [at:-] showtopic=5517>
Subject: Re: Referral from the SpamCop Web Forum

>I wrote to the forum signaling a probable parser bug/enhancement:
>http://forum.spamcop.net/forums/index.php?showtopic=5572
>
>Jeff G. ask me to contact directly spamcop admin email to speed up the
>fix of this.

Thanks for the info. Looks like a good spammer forgery. I compensated for it and the parse is finding 213.140.2.73 as the source now.

Also, old spam is old news. SpamCop won't process spam that's over 48 hours old, so there's no point in wasting your time with it. Feel free to delete anything over 24 hours old.

- <Don> -
---

Now the tracking is correct for me too. Thanks!

I have already received 4 spams about duniaonline.net (what is this?) from fastweb.it. For every one I wrote to abuse[at]fastweb.it via SpamCop, but I'm listed again. Fastweb admins work well! :-))

This time the header is clearly forged to avoid tracking. In the mail there's no remove tag as required by the Italian privacy act (I and the server source come from Italy, and the mail content is also in Italian).

Normally I do not reply to remove emails [dangerous], but in this case I probably shall, as I know the provider (fiber optic incumbent, national big carrier). I was out for 4 days, so I read the spam only yesterday evening. SpamCop refused to send the mail because it was 3.3 days old. So I wrote to fastweb.it myself, hoping for the next time...

thanks again,
efa
Miss Betsy Posted December 11, 2005

Good work! Thank you. In this case, it was worthwhile to report 'old' spam because you caught a bug!

Miss Betsy
Jeff G. Posted December 11, 2005

Don, thanks for the fix! efa, thanks for the update!
turetzsr Posted December 12, 2005

> I post here <munged> my email to spamcop admin: <snip>

Hi, efa,

...Great, fast work by both you and Don -- thank you!

> Normally I do not reply with remove email [dangerous],

...and for good reason! <g>

> but in this case probably I shall do as I know the provider (fiber optic incumbent national big carrier). <snip>

...Just from what you write, it still looks dangerous. The "fiber optic incumbent national big carrier" is unlikely to be able to protect you from the spammer tricks. They certainly did not protect you from being spammed! If I were you, I would reconsider the plan to reply with remove e-mail.
efa Posted January 26, 2006

I have found a spam header that cheats the parser. Here is the tracking URL: http://www.spamcop.net/sc?id=z864389934z6c...559d2a3031fac0z

The mail clearly comes from 213.140.2.69 on fastweb.it, but the parser indicates it comes from the IANA reserved 1.16.104.109. I had already posted another example of this cheat some months ago, and it seemed to be fixed.

Moderator Edit: Merged this "new" Topic into the Topic efa previously had opened up on the same subject ....
Wazoo Posted January 26, 2006

query sent upstream, referencing that the same issue is being brought up again.
efa Posted January 26, 2006

Great memory, Wazoo :-)) Is it the case to remove [Resolved] from the subject, as it can be misunderstood?
Wazoo Posted January 26, 2006

> great memory wazoo :-)) Is the case to remove the subject [Resolved] as can be misunderstanded ?

I meant to do that ... done now .. thanks.
SpamCopAdmin Posted January 26, 2006

> query sent upstream, referencing that the same issue is being brought up again.

Not the same issue. Different Fastwebnet IP.

Most of Fastwebnet's main servers are flagged as "trusted" relays so that SpamCop will push past them and go after the true source of the spam. The problem is that some of them can't be trusted. When we identify one that is recording a bogus source, such as an IANA reserved IP, all we can do is go in and mark the offending server as a "liar" so the parse won't trust it anymore and tags it as the actual source.

I just did that for 213.140.2.69. The parse is finding it as the source now.

Received: from aa002msg.fastwebnet.it (213-140-2-69.ip.fastwebnet.it [213.140.2.69]) by smtp11.libero.it
Received: from ms004msg.fastwebnet.it (10.31.40.142) by aa002msg.fastwebnet.it

- Don -
efa Posted January 27, 2006

> When we identify one that is recording a bogus source, such as an IANA reserved IP, all we can do is go in and mark the offending server as a "liar" so the parse won't trust it anymore and tags it as the actual source.

All the Fastweb users are on a private LAN, and the provider itself uses NAT. It seems to me that the Fastweb DHCP server assigns the forbidden (reserved) addresses 1.x.x.x.

No mail server should record a source from a reserved IANA address like 1.x. So when something similar happens, you can be sure that that server is the real source.
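As an added example (not SpamCop's code, and not its actual parser logic), here is the Received-chain walk that Don and Jeff G. describe above: push past relays marked as trusted, and when a relay records a peer in private or IANA-reserved space, treat that relay as the liar and therefore as the source. The reserved /8 list is the thread's December 2005 snapshot, and the sample headers are constructed from the two lines Don quoted plus a hypothetical third hop.

```python
import ipaddress
import re

# Space no honest relay can have received mail from over the public Internet:
# RFC 1918, loopback, and the /8s this thread names as "IANA Reserved" in 2005.
# 1/8, 2/8 and 5/8 have since been allocated, so keep this list current.
BOGUS_SOURCE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "1.0.0.0/8", "2.0.0.0/8", "5.0.0.0/8",  # IANA Reserved as of Dec 2005
)]
HOP_RE = re.compile(r"from\s+(?P<from>\S+)(?P<mid>.*?)\bby\s+(?P<by>\S+)", re.S)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def is_bogus_source(ip):
    """True if no relay should ever have recorded this address as its peer."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGUS_SOURCE_NETS)

def parse_hop(received):
    """Return (from_host, recorded_ip, by_host) for one Received: line."""
    m = HOP_RE.search(received)
    if not m:
        return None
    ip = IPV4_RE.search(m.group("from") + m.group("mid"))
    return m.group("from"), (ip.group(1) if ip else None), m.group("by")

def find_source(received_lines, trusted):
    """Walk Received: lines top-down (receiving MTA first) to the source.
    Returns (source_ip, liar_host). Relays in `trusted` are pushed past; a
    relay recording a bogus peer is a liar, so the chain below it is ignored
    and the source is the last public address seen, i.e. the liar itself.
    """
    last_public = None
    for line in received_lines:
        hop = parse_hop(line)
        if hop is None:
            continue
        from_host, ip, by_host = hop
        if ip is None or is_bogus_source(ip):
            return last_public, by_host
        if from_host not in trusted:
            return ip, None
        last_public = ip
    return last_public, None

# Constructed sample reproducing the forged chain quoted in the thread.
SAMPLE = [
    "Received: from aa002msg.fastwebnet.it (213-140-2-69.ip.fastwebnet.it [213.140.2.69]) by smtp11.libero.it",
    "Received: from ms004msg.fastwebnet.it (10.31.40.142) by aa002msg.fastwebnet.it",
    "Received: from [1.16.104.109] by ms004msg.fastwebnet.it",
]
```

With aa002msg.fastwebnet.it in the trusted set, the walk stops at the hop recording 10.31.40.142 and names 213.140.2.69 as the source and aa002msg as the liar; the forged 1.16.104.109 hop is never consulted.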