Jump to content

Innocent ISP blamed?


Keithj
 Share

Recommended Posts

This morning I was treated to a load of Russian-language spam. When I went to report them, each one was shown as originating from my own ISP (houxou.com) even though the headers seemed to show a different origin. I've put the header below (with my address removed) - why does Spamcop think it came from houxou rather than uni2.es? Am I misreading the header?

From - Fri Sep 01 07:03:09 2006

X-Account-Key: account5

X-UIDL: 1157090568.30575.hermes.houxou.com,S=64144

X-Mozilla-Status: 0001

X-Mozilla-Status2: 10000000

Return-Path: <info[at]ian.org>

Delivered-To: (me)

Received: (qmail 30571 invoked by uid 107); 1 Sep 2006 06:02:48 -0000

Received: from unknown (HELO hunter.houxou.com) (193.203.240.116)

by smtp2.houxou.com with SMTP; 1 Sep 2006 06:02:48 -0000

Received: from 49.pool85-50-64.dynamic.uni2.es (49.pool85-50-64.dynamic.uni2.es [85.50.64.49])

by hunter.houxou.com (8.13.1/8.13.1) with SMTP id k8162JuO021899;

Fri, 1 Sep 2006 07:02:28 +0100

Message-ID: <0d2801c6cd87$3ad58a70$1f330e0a[at]spindle>

From: "Alexey" <info[at]ian.org>

To: <(me)>

Subject: =?koi8-r?B?4snazsXTLc/C0sHaz9fBzsnFINDPIMzPx8nT1MnLxQ==?=

Date: Fri, 1 Sep 2006 09:26:51 +0400

X-Priority: 3

X-MSMail-Priority: Normal

X-Mailer: Microsoft Outlook Express 6.00.2900.2869

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962

X-Houxou-MailScanner-Information: Please contact the ISP for more information

X-Houxou-MailScanner: Found to be clean

X-Houxou-MailScanner-From: info[at]ian.org

X-spam-Status: No

X-Antivirus: AVG for E-mail 7.60215712.405 [268.11.7/435]

Mime-Version: 1.0

Content-Type: multipart/mixed; boundary="=======AVGMAIL-44F7CD1D5DC8======="

Link to comment
Share on other sites

... why does Spamcop think it came from houxou rather than uni2.es? Am I misreading the header?
Hi Keith. Is it possible for you to post a Tracking URL? Those things make diagnosis a whole lot easier because the message source is not additionally distorted by posting "here" plus the parser's comments and notes provide a significant part of the picture.
Link to comment
Share on other sites

http://www.spamcop.net/sc?id=z1050153152zf...31df09b678357fz wants to report to;

Report spam to:

Re: 193.203.240.116 (Administrator of network where email originates)

To: monu[at]aviators.net (Notes)

Received: from unknown (HELO hunter.houxou.com) (193.203.240.116) by smtp2.houxou.com with SMTP; 1 Sep 2006 06:02:48 -0000

193.203.240.116 found

host 193.203.240.116 (getting name) no name

85.50.64.49 is not an MX for 49.pool85-50-64.dynamic.uni2.es

Host 49.pool85-50-64.dynamic.uni2.es (checking ip) = 85.50.64.49

Host hunter.houxou.com (checking ip) = 193.203.240.116

193.203.240.116 not listed in dnsbl.njabl.org

193.203.240.116 not listed in cbl.abuseat.org

193.203.240.116 not listed in dnsbl.sorbs.net

193.203.240.116 is not an MX for smtp2.houxou.com

193.203.240.116 is not an MX for hunter.houxou.com

Chain test:hunter.houxou.com =? 193.203.240.116

193.203.240.116 is not an MX for hunter.houxou.com

Host hunter.houxou.com (checking ip) = 193.203.240.116

ips are identical

hunter.houxou.com and 193.203.240.116 have close IP addresses - chain verified

Possible relay: 193.203.240.116

193.203.240.116 not listed in relays.ordb.org.

193.203.240.116 has already been sent to relay testers

Received line accepted

85.50.64.49 discarded as a forgery, using 193.203.240.116

MailHosted Reporting account?

Could have brought up a "new" server, but SenderBase says:

Date of first message seen from this address 2006-03-09

So just for starters, the configuration 'errors' need to be fixed ....

Moving to the Reporting Help Forum section.

Link to comment
Share on other sites

It looks to me as though the parser has picked up the wrong received line by wrongly discarding 85.50.64.49 as a forgery. It looks as though it has come out of a France Telecom dynamic IP as the reverse DNS for 85.50.64.49 is indeed 49.pool85-50-64.dynamic.uni2.es. Probably a zombied machine.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...