btech
Posted February 20, 2006

http://www.spamcop.net/sc?id=z879525076z4d...3814b266b9d905z

The IP that's being reported is: 72.22.11.69, which is the domain my mailbox is on... from what I see here, shouldn't 70.21.254.184, the initial source, have been picked up as the sender and reported?

Received: FROM [70.21.254.184] BY newbox.selekta.com with hMailServer; Sun, 19 Feb 2006 18:05:45 -0500
no from 70.21.254.184 found
host 70.21.254.184 = static-70-21-254-184.nwrk.east.verizon.net (cached)
static-70-21-254-184.nwrk.east.verizon.net is 70.21.254.184
72.22.11.69 not listed in dnsbl.njabl.org
72.22.11.69 not listed in cbl.abuseat.org
72.22.11.69 not listed in dnsbl.sorbs.net
72.22.11.69 is not an MX for mailgate.cesmail.net
72.22.11.69 is not an MX for newbox.selekta.com
72.22.11.69 is not an MX for mailgate.cesmail.net
72.22.11.69 not listed in dnsbl.njabl.org
Possible spammer: 70.21.254.184
Host newbox.selekta.com (checking ip) = 72.22.11.66
72.22.11.66 not listed in dnsbl.njabl.org
72.22.11.66 not listed in cbl.abuseat.org
72.22.11.66 not listed in dnsbl.sorbs.net
Chain test:newbox.selekta.com =? 72.22.11.69
72.22.11.69 is not an MX for newbox.selekta.com
Host newbox.selekta.com (checking ip) = 72.22.11.66
72.22.11.69 is not an MX for newbox.selekta.com
ips are close enough
newbox.selekta.com and 72.22.11.69 have close IP addresses - chain verified
Possible relay: 72.22.11.69
72.22.11.69 not listed in relays.ordb.org.
72.22.11.69 has already been sent to relay testers
Received line accepted
[b]70.21.254.184 discarded as a forgery, using 72.22.11.69[/b]

The bold part is what gets me. It's an IP listed to Verizon and even though the magnitude is negative [at] Senderbase, I fail to see how the parser would assume then that the second IP is the sender.

I really don't want to think I'm reporting spammers and actually reporting my domain to its host.

Farelf
Posted February 20, 2006

Certainly static-70-21-254-184.nwrk.east.verizon.net should have been picked. Your 72.22.11.69 has no rDNS entry which probably doesn't help with the parser. Also I note a 3 second discrepancy
from selekta.com (HELO newbox.selekta.com) (72.22.11.69) by mailgate.cesmail.net with SMTP; 19 Feb 2006 23:05:42 -0000
FROM [70.21.254.184] BY newbox.selekta.com with hMailServer ; Sun, 19 Feb 2006 18:05:45 -0500
- though shouldn't think that would come into it.

Should be reported to Deputies I think - in case something can be learned from it. Assume this sort of thing doesn't happen to you often? If it did, I wonder if registering your mailhost might be a good idea. Shouldn't be necessary but the whole idea was to help overcome "clever forgeries" which evidently the parser is "assuming" this to be.

agsteele
Posted February 20, 2006

I think I have a similar issue just discovered but probably rumbling for days or even weeks.

http://www.spamcop.net/sc?id=z875636200z75...de3bd0cf2e56b9z

A different example at: http://www.spamcop.net/sc?id=z874322442z71...c6c06cfa9a3ab8z

It seems that an IP address roughly halfway up the headers is getting identified as the source rather than the actual source IP. The IP is an IP address at our ISP. The common factor here is that the IP is the one provided by our ISP when the mail item passes from their system to the SpamCop flat rate Email system.

It so happens I use the function to 'POP' our ISP mailbox instead of forwarding straight onto the SpamCop Email account. Not sure if this makes a difference. I'll make some changes and see what I can report.

Andrew

btech
Posted February 20, 2006

It's bothersome, because I have two of the same messages in my inbox today from the same Verizon IP. hmmm.. one of them parsed right, but the header didn't catch the link:

http://www.spamcop.net/sc?id=z880276904zfa...6ccd8114c91f2cz

SpamCopAdmin
Posted February 20, 2006

> I really don't want to think I'm reporting spammers and actually reporting my domain to its host.

Unfortunately, that's what's happening. It's been going on for some time now. On the bright side, you're the only one reporting the IP as a spam source, so your reports haven't put the server on our blocking list.

You can compensate for that by running our Mailhost configuration utility so that SpamCop can create a list of the services that handle your email so that our system will know what servers to trust when you report your spam.

You'll need to configure a host for *all* the domains you receive mail through. You can accomplish that by logging into your SpamCop account at http://www.spamcop.net and using the Mailhosts link to tell SpamCop about *all* of your service providers, forwarding services, and webmail hosts. You need to register one email address for each host that handles your email.

Once you start configuring hosts, you can't report spam again until you get them all on your list because the Mailhost system completely changes the way SpamCop looks at your spam.

- Don D'Minion - SpamCop Admin - service[at]admin.spamcop.net
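
Added example (not part of any post in this thread, and not SpamCop's parser code): a simplified model of why a list of trusted mail hosts changes which IP is treated as the source, using the two Received lines quoted above. The rule that a Received line is believed only when a trusted host wrote it, and the names parse_hop and find_source, are assumptions made for illustration.

```python
import re

# Received lines quoted in this thread, newest first (as they appear in a message).
RECEIVED = [
    "Received: from selekta.com (HELO newbox.selekta.com) (72.22.11.69) "
    "by mailgate.cesmail.net with SMTP; 19 Feb 2006 23:05:42 -0000",
    "Received: FROM [70.21.254.184] BY newbox.selekta.com with hMailServer ; "
    "Sun, 19 Feb 2006 18:05:45 -0500",
]

HOP_RE = re.compile(r"\bfrom\s+(.*?)\s+by\s+(\S+)", re.IGNORECASE | re.DOTALL)
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")


def parse_hop(line):
    """Return (sending_ip, receiving_host) for one Received line, or None."""
    m = HOP_RE.search(line)
    if not m:
        return None
    ip = IP_RE.search(m.group(1))
    return (ip.group(1) if ip else None, m.group(2).lower().rstrip(";"))


def find_source(received, trusted_hosts):
    """Walk newest to oldest; believe a line only if a trusted host wrote it."""
    trusted = {h.lower() for h in trusted_hosts}
    source = None
    for line in received:
        hop = parse_hop(line)
        if hop is None or hop[0] is None or hop[1] not in trusted:
            break        # line not vouched for by a trusted host: may be forged
        source = hop[0]  # last sending IP recorded by a trusted receiver
    return source


if __name__ == "__main__":
    # Only the final receiver is trusted: the reporter's own server gets blamed.
    print(find_source(RECEIVED, ["mailgate.cesmail.net"]))
    # Reporter's own mail host is registered too: the Verizon IP is the source.
    print(find_source(RECEIVED, ["mailgate.cesmail.net", "newbox.selekta.com"]))
```

In this model, a Received line that a sender prepends below the trusted hops is never reached, which is the protection a trusted-host list is meant to give against forged headers.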

SpamCopAdmin
Posted February 20, 2006

> I think I have a similar issue just discovered but probably rumbling for days or even weeks.
> http://www.spamcop.net/sc?id=z875636200z75...de3bd0cf2e56b9z
> A different example at: http://www.spamcop.net/sc?id=z874322442z71...c6c06cfa9a3ab8z
> It seems that an IP address roughly halfway up the headers is getting identified as the source rather than the actual source IP.

mailout02.dsvr.x-isp.net [213.253.179.6] isn't on your list of Mailhosts.

The details I need from you are private, so I'll contact you via email.

- Don -

btech
Posted February 20, 2006

*EDIT* N/M. I've added my mail hosts to my SC interface.

We can change this thread to 'resolved'

Jeff G.
Posted February 20, 2006

> N/M. I've added my mail hosts to my SC interface.

Thanks for taking that step and letting us know.

> We can change this thread to 'resolved'

Thanks, but I'd prefer to wait until we have confirmation that Andrew's similar issue is also resolved.

SpamCopAdmin
Posted February 20, 2006

> Thanks for taking that step and letting us know.
> Thanks, but I'd prefer to wait until we have confirmation that Andrew's similar issue is also resolved.

You can close the issue. Andrew's problem is a Mailhost configuration detail unique to him. It's not a system or procedural problem.

- Don -

turetzsr
Posted February 20, 2006

> <snip>
>>> We can change this thread to 'resolved'
>> Thanks, but I'd prefer to wait until we have confirmation that Andrew's similar issue is also resolved.
> You can close the issue. Andrew's problem is a Mailhost configuration detail unique to him. It's not a system or procedural problem.
> - Don -

...Thanks, all -- this thread is now marked "Resolved."

agsteele
Posted February 20, 2006

> You can close the issue. Andrew's problem is a Mailhost configuration detail unique to him. It's not a system or procedural problem.

I'm working with Don directly but wanted to record my thanks for the speedy take up to this issue posted here.

Thanks Don.

Andrew

This topic is now archived and is closed to further replies.