Keithj Posted September 1, 2006

This morning I was treated to a load of Russian-language spam. When I went to report them, each one was shown as originating from my own ISP (houxou.com) even though the headers seemed to show a different origin. I've put the header below (with my address removed) - why does Spamcop think it came from houxou rather than uni2.es? Am I misreading the header?

From - Fri Sep 01 07:03:09 2006
X-Account-Key: account5
X-UIDL: 1157090568.30575.hermes.houxou.com,S=64144
X-Mozilla-Status: 0001
X-Mozilla-Status2: 10000000
Return-Path: <info[at]ian.org>
Delivered-To: (me)
Received: (qmail 30571 invoked by uid 107); 1 Sep 2006 06:02:48 -0000
Received: from unknown (HELO hunter.houxou.com) (193.203.240.116) by smtp2.houxou.com with SMTP; 1 Sep 2006 06:02:48 -0000
Received: from 49.pool85-50-64.dynamic.uni2.es (49.pool85-50-64.dynamic.uni2.es [85.50.64.49]) by hunter.houxou.com (8.13.1/8.13.1) with SMTP id k8162JuO021899; Fri, 1 Sep 2006 07:02:28 +0100
Message-ID: <0d2801c6cd87$3ad58a70$1f330e0a[at]spindle>
From: "Alexey" <info[at]ian.org>
To: <(me)>
Subject: =?koi8-r?B?4snazsXTLc/C0sHaz9fBzsnFINDPIMzPx8nT1MnLxQ==?=
Date: Fri, 1 Sep 2006 09:26:51 +0400
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
X-Houxou-MailScanner-Information: Please contact the ISP for more information
X-Houxou-MailScanner: Found to be clean
X-Houxou-MailScanner-From: info[at]ian.org
X-spam-Status: No
X-Antivirus: AVG for E-mail 7.60215712.405 [268.11.7/435]
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="=======AVGMAIL-44F7CD1D5DC8======="
Farelf Posted September 1, 2006

> ... why does Spamcop think it came from houxou rather than uni2.es? Am I misreading the header?

Hi Keith. Is it possible for you to post a Tracking URL? Those things make diagnosis a whole lot easier because the message source is not additionally distorted by posting "here", plus the parser's comments and notes provide a significant part of the picture.
Wazoo Posted September 1, 2006

http://www.spamcop.net/sc?id=z1050153152zf...31df09b678357fz wants to report to;

Report spam to:
Re: 193.203.240.116 (Administrator of network where email originates)
To: monu[at]aviators.net (Notes)

Received: from unknown (HELO hunter.houxou.com) (193.203.240.116) by smtp2.houxou.com with SMTP; 1 Sep 2006 06:02:48 -0000
193.203.240.116 found
host 193.203.240.116 (getting name) no name
85.50.64.49 is not an MX for 49.pool85-50-64.dynamic.uni2.es
Host 49.pool85-50-64.dynamic.uni2.es (checking ip) = 85.50.64.49
Host hunter.houxou.com (checking ip) = 193.203.240.116
193.203.240.116 not listed in dnsbl.njabl.org
193.203.240.116 not listed in cbl.abuseat.org
193.203.240.116 not listed in dnsbl.sorbs.net
193.203.240.116 is not an MX for smtp2.houxou.com
193.203.240.116 is not an MX for hunter.houxou.com
Chain test: hunter.houxou.com =? 193.203.240.116
193.203.240.116 is not an MX for hunter.houxou.com
Host hunter.houxou.com (checking ip) = 193.203.240.116
ips are identical
hunter.houxou.com and 193.203.240.116 have close IP addresses - chain verified
Possible relay: 193.203.240.116
193.203.240.116 not listed in relays.ordb.org.
193.203.240.116 has already been sent to relay testers
Received line accepted
85.50.64.49 discarded as a forgery, using 193.203.240.116

MailHosted Reporting account? Could have brought up a "new" server, but SenderBase says:
Date of first message seen from this address 2006-03-09

So just for starters, the configuration 'errors' need to be fixed .... Moving to the Reporting Help Forum section.
turetzsr Posted September 2, 2006

Hi! ...Have you registered with the SpamCop MailHosts Configuration tool? Mistaking your own ISP as the spam source is one of the things the MailHosts Configuration was designed to prevent. Please also see the pinned posts in the SpamCop Forum called Mailhost Configuration of your Reporting Account. Thanks!
bobbear Posted September 2, 2006

It looks to me as though the parser has picked up the wrong received line by wrongly discarding 85.50.64.49 as a forgery. It looks as though it has come out of a France Telecom dynamic IP, as the reverse DNS for 85.50.64.49 is indeed 49.pool85-50-64.dynamic.uni2.es. Probably a zombied machine.
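To make the chain-walking the thread describes concrete, here is an added Python example (not SpamCop's own code) that walks the Received lines from the posted header from the recipient's end downward. The trusted-host sets are assumptions: the first stands in for a reporting account with only the receiving MX known, the second for a MailHosts configuration that also registers the ISP's internal relay hunter.houxou.com.

```python
import re

# Received lines copied from the header posted above (constructed input for this example).
HEADERS = """\
Received: (qmail 30571 invoked by uid 107); 1 Sep 2006 06:02:48 -0000
Received: from unknown (HELO hunter.houxou.com) (193.203.240.116) by smtp2.houxou.com with SMTP; 1 Sep 2006 06:02:48 -0000
Received: from 49.pool85-50-64.dynamic.uni2.es (49.pool85-50-64.dynamic.uni2.es [85.50.64.49]) by hunter.houxou.com (8.13.1/8.13.1) with SMTP id k8162JuO021899; Fri, 1 Sep 2006 07:02:28 +0100
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOP = re.compile(r"^Received:\s*from\s+(?P<from>.*?)\s+by\s+(?P<by>\S+)", re.I)

def parse_hops(raw):
    """Return one dict per 'Received: from X by Y' line, newest (recipient side) first.
    Lines without a 'from ... by' pair, such as qmail's local injection line, are skipped."""
    hops = []
    for line in raw.splitlines():
        m = HOP.match(line)
        if not m:
            continue
        ips = IPV4.findall(m.group("from"))
        hops.append({"from": m.group("from").lower(),
                     "ip": ips[0] if ips else None,
                     "by": m.group("by").lower()})
    return hops

def find_origin(hops, trusted):
    """Walk the chain from the recipient's end. A Received line is only credible if the
    host that wrote it ('by') is trusted; the first sending IP that is not itself a trusted
    host is the origin, and everything below it is discarded as possibly forged."""
    trusted = {h.lower() for h in trusted}
    for i, hop in enumerate(hops):
        if hop["by"] not in trusted:
            return None                 # written by an untrusted host: nothing to go on
        if hop["ip"] and hop["ip"] not in trusted:
            return hop["ip"]            # handed in by an outside host: this is the source
        # Sender was a trusted relay, so the next line must be the one it wrote (the parser's 'chain test').
        if i + 1 < len(hops) and hops[i + 1]["by"] not in hop["from"]:
            return hop["ip"]
    return None

if __name__ == "__main__":
    hops = parse_hops(HEADERS)
    # Only the receiving MX trusted: the walk stops at the ISP's own relay, as in the thread.
    print(find_origin(hops, {"smtp2.houxou.com"}))                      # 193.203.240.116
    # With the ISP's relays registered (what MailHosts configuration provides): the real source.
    print(find_origin(hops, {"smtp2.houxou.com", "hunter.houxou.com", "193.203.240.116"}))  # 85.50.64.49
```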