HillsCap Posted March 8, 2004

Hi, all. One quick question:

My web host / email provider is using iMail 6.06 (an older version of IpSwitch's iMail mail server), and it does not properly report Source IPs. Instead of placing the IP address of the sender into the headers, it places ITS OWN IP address into the headers, tricking SpamCop into thinking that it is the sender of the spam.

Well, that's all well and good, I've reported several hundred from this mail provider, in the hopes that them receiving these reports would make them realize that they should upgrade their mail server. So far, they refuse to... so we're moving to a new web host / mail provider.

But, the real question is this: Even though there are links to web pages in these spam submissions, SpamCop does not report to the responsible parties for these websites... I was wondering why?

It seems like SpamCop looks at the headers to determine if they are forged, and if they are, it looks further for links in the body of the spam message. But, if the headers look legit, it won't try to get info about the links. The headers look legit in our case because the iMail server is ancient and doesn't work the way it should.

Shouldn't SpamCop always look at the links in the body of the spam message?

Jeff G. Posted March 8, 2004

Can you please provide a sample spam in spamcop.spam and refer to it here? Thanks!

HillsCap (Author) Posted March 9, 2004

Ok, this is going to sound really dumb, but I'm not really familiar with how this new discussion board is laid out... "Where is spamcop.spam?"

Wazoo Posted March 9, 2004

Call it newsreader territory .... news://news.spamcop.net/spamcop.spam may get you there, depending on your software mix ... if not, then fire up your favorite NNTP newsreader and point it to the news.spamcop.net news-server.

The problem in answering your first posted queries is that it's difficult to address "your" spam without seeing it, and there are many reasons why something doesn't get picked up, noting that spammers are always working to find a "better way" ....

HillsCap (Author) Posted March 9, 2004

Ah, thanks Wazoo, I'm posting it there now...

Merlyn Posted March 9, 2004

> Hi, all. One quick question:
>
> My web host / email provider is using iMail 6.06 (an older version of IpSwitch's iMail mail server), and it does not properly report Source IPs. Instead of placing the IP address of the sender into the headers, it places ITS OWN IP address into the headers, tricking SpamCop into thinking that it is the sender of the spam.
>
> Well, that's all well and good, I've reported several hundred from this mail provider, in the hopes that them receiving these reports would make them realize that they should upgrade their mail server. So far, they refuse to... so we're moving to a new web host / mail provider.
>
> But, the real question is this: Even though there are links to web pages in these spam submissions, SpamCop does not report to the responsible parties for these websites... I was wondering why?
>
> It seems like SpamCop looks at the headers to determine if they are forged, and if they are, it looks further for links in the body of the spam message. But, if the headers look legit, it won't try to get info about the links. The headers look legit in our case because the iMail server is ancient and doesn't work the way it should.
>
> Shouldn't SpamCop always look at the links in the body of the spam message?

I just helped a client with IMail 6.06 and we placed a free product in front of it and it solved all their problems. BCWARE Nospam Gateway. http://www.bcwaresystems.com/nospam/

Now they are able to use all the blocklists with it, and turning on the SMTP log file gives them all the IP addresses of every email. It is a gateway that sits on port 25 and checks the transactions before passing them to IMail. The only thing you have to do is change IMail's port to another, which is easy.

Free is a good price..........

HillsCap (Author) Posted March 9, 2004

OK, I've posted to the newsgroup, under the title, "Older iMail servers, and links in spam...". Is there some way to tell you the address or whatever for the individual message in the newsgroup? (Sorry, I never used newsgroups before... I kind of skipped that whole thing when it was all the rage years back.)

Oh, and I didn't worry about obfuscating the two email addresses of ours in the sample spam I posted... they're both turned off now.

Wazoo Posted March 9, 2004

Well, on one hand, I'd offer congrats on getting the post put up over there ... However, where did all the extra blank lines come from? If this is the way the spams get submitted, that's why there are no links found. I'm actually kind of surprised that you'd even get the (wrong) source identified as a report target, rather thinking that the parser tool would have just come back with an error message, period.

Well shoot, the copy of the spam, placed into a Notepad window here, also shows additional C/R's, so there's a serious word-wrap issue going on in what you posted.

So going through, deleting the extra lines, fixing the bad line-breaks, and changing the dates, here's some of the successful parse output:

    host 176.188.236.132 (getting name) no name
    Receiving server (66.36.96.35) does not report source IP accurately

So that's seen and recognized, but of course, no way to identify the real source now ...

Now the next thing is the header line

    Content-Type: multipart/alternative; boundary="--757603944586146843"

.... there are no boundary lines in the body. This is an item normally seen in the problems with Outlook for instance. But this also will explain the reasons for not seeing the links in the body (noting also that these lines had word-wrap issues), so, bottom line, there's more issues than just the inserting of the local IP going on. What you posted as an example says it's broken in a couple of different ways.

Not sure that this is helping you <g>

HillsCap (Author) Posted March 10, 2004

No, the extra lines and word wrap problems were put in by my crappy newsreader when I pasted... I tried to remove them, but couldn't. Trust me, it looks like any other email when I view the spam source in Notepad.

The 66.36.96.35 server is the receiving server... that's our mail server with the older version of IMail on it that doesn't report Source IP correctly.

But why isn't SpamCop seeing the a href= links? Shouldn't it always try to figure out the spamvertised website? It does when I report spam from our other email server.

It seems like SpamCop is checking the headers, and if the headers seem legit, it doesn't check the body. The headers seem legit in this case because the IMail server is inserting its own IP address in there, so it doesn't look like the sending server was forged.

Wazoo Posted March 10, 2004

> But why isn't SpamCop seeing the a href= links

The last paragraph in my last post .. the missing boundary lines ....

In the specific spam example you've offered (and trusting that it really is an "exact" copy (minus all the extras <g>)), you could demonstrate the issue by changing that Content-Type: line to read "Text" and run the parse .. the links will be found. However, actually reporting that spam in this condition puts you in violation of SpamCop rules and guidelines, in that "you will not make material changes in order to make SpamCop find things that it would not have found on its own", and thus setting yourself up for a fine or a banned account.

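The missing-boundary failure described in the thread, as an added example that is not part of the original posts and is not SpamCop's parser: Python's standard `email` package stands in for a MIME-aware link extractor and is run over two constructed messages that reuse the boundary value quoted above. The addresses, the URL and the `diagnose` helper are assumptions made for illustration.

```python
import re
from email import message_from_string

HREF = re.compile(r'href\s*=\s*["\']?([^"\'\s>]+)', re.I)
BOUNDARY = "--757603944586146843"  # boundary value quoted in the thread

# Constructed sample messages (not the spam discussed in the thread).
HEADERS = (
    "From: sender@example.invalid\n"
    "Subject: constructed sample\n"
    "MIME-Version: 1.0\n"
    f'Content-Type: multipart/alternative; boundary="{BOUNDARY}"\n\n'
)
HTML = '<html><body><a href="http://example.invalid/offer">Click</a></body></html>\n'
BROKEN = HEADERS + HTML  # declares multipart, body has no delimiter lines
WELL_FORMED = (
    HEADERS
    + f"--{BOUNDARY}\nContent-Type: text/plain\n\nPlain text alternative\n"
    + f"--{BOUNDARY}\nContent-Type: text/html\n\n{HTML}"
    + f"--{BOUNDARY}--\n"
)

def diagnose(raw):
    """Compare what a MIME-aware walk sees with what the raw body contains."""
    msg = message_from_string(raw)
    boundary = msg.get_boundary()
    body = raw.split("\n\n", 1)[1] if "\n\n" in raw else ""
    # A delimiter line is "--" followed by the declared boundary value.
    delimiter_seen = boundary is not None and any(
        line.rstrip() == "--" + boundary for line in body.splitlines())
    mime_links = []
    for part in msg.walk():
        # Only leaf text/* parts are searched; an unsplit multipart is skipped.
        if part.get_content_maintype() == "text":
            text = part.get_payload(decode=True).decode("utf-8", "replace")
            mime_links += HREF.findall(text)
    return {
        "delimiter_seen": delimiter_seen,
        "mime_links": mime_links,
        "raw_body_links": HREF.findall(body),
        "defects": [type(d).__name__ for d in msg.defects],
    }

if __name__ == "__main__":
    for name, raw in (("broken", BROKEN), ("well-formed", WELL_FORMED)):
        print(name, diagnose(raw))
```

A message whose `raw_body_links` is non-empty while `mime_links` is empty and `delimiter_seen` is false shows the mismatch described above, without altering the message itself.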
Archived
This topic is now archived and is closed to further replies.