
spam bounce using relay


efa


Hi, I received an email that is a mail bounce containing a spam.

This technique is sometimes used by spammers who know of a misconfigured mail server: they fill the Return-Path of the spam with the address of the user they want to spam.

1 - Can I let SpamCop parse that kind of mail and write to the misconfigured email server?

2 - In this case it seems particularly complicated, as 193.109.251.161 auchan.com appears to be a relay.

Could one of the SpamCop admins manually identify the real IP of the spammer? I'm not sure the parser is right.

Here is the tracking URL:

http://www.spamcop.net/sc?id=z1057867609z5...a7230e5eec2ddcz

thanks


Hi, I received an email that is a mail bounce containing a spam.

This technique is sometimes used by spammers who know of a misconfigured mail server: they fill the Return-Path of the spam with the address of the user they want to spam.

1 - Can I let SpamCop parse that kind of mail and write to the misconfigured email server?

...Absolutely!
2 - In this case it seems particularly complicated, as 193.109.251.161 auchan.com appears to be a relay.

Could one of the SpamCop admins manually identify the real IP of the spammer? I'm not sure the parser is right.

Here is the tracking URL:

http://www.spamcop.net/sc?id=z1057867609z5...a7230e5eec2ddcz

thanks

...Well, I'm not an admin of SpamCop, but while I would have chosen 193.109.251.161 (varelay1.auchan.com) as the source of the bounce message, the IP chosen by the parser (ilx997x005.auchan.com (ilx997x005 [142.239.21.123])) appears to belong to the same folks, auchan.com, so it should go to the same abuse address (postmaster[at]iwk.nshealth.ca). It turns out to be a different abuse address:
Parsing input: 193.109.251.161

host 193.109.251.161 (getting name) = varelay1.auchan.com.

host 193.109.251.161 = varelay1.auchan.com (cached)

Routing details for 193.109.251.161

[refresh/show] Cached whois for 193.109.251.161 : ddescheemaeker[at]auchan.com

Using last resort contacts ddescheemaeker[at]auchan.com

But your tracking URL offers to send the report to ddescheemaeker[at]auchan.com as "Administrator interested in intermediary handling of spam."

...Bottom line: it all looks as if it ultimately works out right, to me! :) <g>


...but while I would have chosen 193.109.251.161 (varelay1.auchan.com) as the source of the bounce message, the IP chosen by the parser (ilx997x005.auchan.com (ilx997x005 [142.239.21.123])) appears to belong to the same folks, auchan.com

It seems to me that 142.239.21.123, postmaster[at]iwk.nshealth.ca, is a hospital, but

193.109.251.161, ddescheemaeker[at]auchan.com, is a shop.

In the middle there are two localhost 127.0.0.1 hops on a private LAN, so does the bounce come from 193.109.251.161 or 142.239.21.123?

And more: someone has used my email address, putting it in the Return-Path field, to send spam.

I want to contact the abuse desk of this provider to ask them to block this sending.

Again, is it difficult to track where the original bounced spam came from?

You can see it by clicking on the link "View entire message" and looking at the headers below the line:

--- Below this line is a copy of the message.

It has these candidate sources:

128.239.101.13 IRT[at]bu.edu

localhost 127.0.0.1

128.197.20.63 IRT[at]bu.edu

localhost 127.0.0.1

212.96.209.49 [at]hanty.usi.ru

200.110.110.200 daeum[at]SYWORKS-LATIN.COM

Which one is right?


And more: someone has used my email address, putting it in the Return-Path field, to send spam.

I want to contact the abuse desk of this provider to ask them to block this sending.

Using the Return-Path to forge email addresses is a common technique of spammers.

If you have the complete headers of the spam, you can use the parser to find the source abuse address. Cancel the report. You did not receive the spam, so you cannot report it.

If you trust that the parser is correct, you can send your request to the abuse address yourself. Do not expect them to do anything for you. Most spam comes from networks whose abuse desks are unresponsive to spam reports.

It is better to post the Tracking URL for analysis of the headers. The parser stops at the first Received header that is not correct. Usually the parser chooses the correct abuse address. All the other headers after the one the parser stops at cannot be trusted. These headers may be forged.

Miss Betsy


If you have the complete headers of the spam, you can use the parser to find the source abuse address. Cancel the report. You did not receive the spam, so you cannot report it.

If you trust that the parser is correct, you can send your request to the abuse address yourself.

The problem is with the "Mailhost" SpamCop service.

I use it, and it doesn't let me parse a bounced mail from another server.

So I asked for a manual analysis.

You can see it by following my already posted tracking URL:

http://www.spamcop.net/sc?id=z1057867609z5...a7230e5eec2ddcz

and clicking on the link "View entire message", then looking at the headers below the line:

--- Below this line is a copy of the message.

regards


OK, I think maybe there was some misunderstanding here. Are you trying to report the actual bounce message itself, or are you trying to pick the original spam out of the bounce and report that?

You can report the bounce itself as unsolicited using SpamCop reporting.

However, since the actual spam is not to you, you are not allowed to report it using SpamCop (this does not stop you from doing manual reports, however). If this is the case, I would recommend reporting it to everyone that has handled it along the way; that way all your bases are covered.


Are you trying to report the actual bounce message itself, or are you trying to pick the original spam out of the bounce and report that?

Normally in these cases, I report:

A - the bounce to the bouncing mail server (by hand or using the SpamCop parser)

B - the original fake-Return-Path spam to the spammer's server (by hand).

Point A "turetzsr" clarified for me.

In my post of "Sep 7 2006, 04:51 PM" I'm asking for help identifying the real source of the spammer's server (point B), as the header is also a bit complicated.

thanks in advance.


If I read the SpamCop parse correctly, the parser seems to trust the auchan.com relays:

Received: from relay-out.auchan.com (ilx997x003 [127.0.0.1]) by varelay1.auchan.com (8.12.11.20060308/8.12.11) with ESMTP id k87IW7AN007346 for <x>; Thu, 7 Sep 2006 20:32:08 +0200

Internal handoff by trusted site 193.109.251.161

4: Received: from relay-in.auchan.com (ilx997x001 [127.0.0.1]) by relay-out.auchan.com (8.12.11.20060308/8.12.11) with ESMTP id k87IW7Df021382 for <x>; Thu, 7 Sep 2006 20:32:07 +0200

Internal handoff by trusted site 193.109.251.161

so 212.96.209.49 [at]hanty.usi.ru is the one to complain to. If they did receive the spam from the IP address in the next header, it looks to me as though it were a user of theirs (in the same way 142.239.21.123 goes to auchan.com) so they would be able to handle it - if they wanted to. But I would not hold my breath.

But I am not an expert at reading headers. I do not think the next line is configured properly. And if it is proper, it is a spammer who is not going to listen to your complaint either.

You can open a free spamcop account and do not do the mailhost configuration to parse headers that the parser won't take for mailhosting configuration. Just be sure to cancel the reports.

Miss Betsy
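The trust walk Miss Betsy describes (the parser stops at the first Received line it cannot trust, and nothing below that line can be relied on), applied to the kind of headers quoted in this post, as an added worked example that is not part of the thread and not SpamCop's own code. It parses a constructed bounce modelled on the relay names and addresses quoted in the thread (the copied spam's chain is shortened and the delivery-status part is omitted), walks the bounce's own Received chain treating loopback, RFC 1918 and same-domain handoffs as internal, then pulls the copied original out of the message/rfc822 part and walks it the same way, trusting the bouncing relay's own domain because that relay wrote those lines itself. The function names, the trusted-domain arguments and the "last two labels" rule for naming the bouncer's domain are assumptions made for this example, not SpamCop's rules.

```python
import ipaddress
import re
from dataclasses import dataclass
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import Optional

# Constructed sample bounce.  Relay names and IPs are those quoted in the thread;
# the inner chain is shortened, and bodies, ids and dates are made up.
SAMPLE_BOUNCE = b"""\
Received: from relay-out.auchan.com (ilx997x003 [127.0.0.1]) by varelay1.auchan.com (8.12.11.20060308/8.12.11) with ESMTP id k87IW7AN007346 for <x>; Thu, 7 Sep 2006 20:32:08 +0200
Received: from relay-in.auchan.com (ilx997x001 [127.0.0.1]) by relay-out.auchan.com (8.12.11.20060308/8.12.11) with ESMTP id k87IW7Df021382 for <x>; Thu, 7 Sep 2006 20:32:07 +0200
Received: from ilx997x005.auchan.com (ilx997x005 [142.239.21.123]) by relay-in.auchan.com (8.12.11.20060308/8.12.11) with ESMTP id k87IW6xx000001 for <x>; Thu, 7 Sep 2006 20:32:06 +0200
From: Mail Delivery Subsystem <MAILER-DAEMON@auchan.com>
To: x@example.invalid
Subject: Returned mail: see transcript for details
Content-Type: multipart/report; report-type=delivery-status; boundary="BND"

--BND
Content-Type: message/rfc822

Return-Path: <x@example.invalid>
Received: from localhost (localhost [127.0.0.1]) by ilx997x005.auchan.com (8.12.11) with ESMTP id k87IW5aa000002; Thu, 7 Sep 2006 20:32:05 +0200
Received: from hanty.usi.ru (hanty.usi.ru [212.96.209.49]) by ilx997x005.auchan.com (8.12.11) with ESMTP id k87IW4bb000003; Thu, 7 Sep 2006 20:32:04 +0200
Received: from [200.110.110.200] (unknown [200.110.110.200]) by hanty.usi.ru with SMTP id 12345; Thu, 7 Sep 2006 20:31:00 +0200
From: x@example.invalid
To: nobody@auchan.com

spam body
--BND--
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>[^\s;(]+)", re.DOTALL)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

@dataclass
class Hop:
    helo: str  # name the client announced: client-controlled, so never used for trust
    rdns: str  # name the receiving MTA recorded in parentheses
    ip: Optional[ipaddress.IPv4Address]
    by: str    # the MTA that wrote this header

def parse_received(raw: str) -> Optional[Hop]:
    m = RECEIVED_RE.search(raw)
    if not m:
        return None
    paren = m.group("paren") or ""
    ipm = IP_RE.search(paren) or IP_RE.search(m.group("helo"))
    try:
        ip = ipaddress.IPv4Address(ipm.group(1)) if ipm else None
    except ValueError:  # e.g. "[999.1.1.1]" in a crafted header: no usable address
        ip = None
    return Hop(m.group("helo"), paren.split()[0] if paren else "", ip, m.group("by"))

def in_domain(host: str, suffixes) -> bool:
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in suffixes)

def walk_chain(msg: EmailMessage, trusted_suffixes) -> dict:
    """Top-down walk: 'source' is the first hop handed in from outside the trusted
    site, 'internal' the handoffs above it, 'unverified' the hops below it."""
    res = {"source": None, "internal": [], "unverified": [], "reason": ""}
    for raw in msg.get_all("Received", []):
        hop = parse_received(str(raw))
        if res["source"] is not None:      # below the trust boundary: only the
            res["unverified"].append(hop)  # source itself could vouch for these
            continue
        if hop is None or not in_domain(hop.by, trusted_suffixes):
            res["reason"] = "chain broken: unparseable header or untrusted receiver"
            break
        if (hop.ip is not None and (hop.ip.is_loopback or hop.ip.is_private)
                or in_domain(hop.rdns, trusted_suffixes)):
            res["internal"].append(hop)    # loopback / LAN / own-relay handoff
        else:
            res["source"] = hop
    return res

def original_message(bounce: EmailMessage) -> Optional[EmailMessage]:
    """The copy of the undeliverable message that a DSN carries as message/rfc822."""
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None

def analyse_bounce(raw: bytes, trusted_relays) -> dict:
    """trusted_relays: domains trusted for the bounce itself.  For the copied original
    the bouncing relay's own domain (assumed: its last two labels) is trusted instead."""
    bounce = message_from_bytes(raw, policy=policy.default)
    outer = walk_chain(bounce, trusted_relays)
    orig, inner = original_message(bounce), None
    if orig is not None and outer["source"] is not None:
        inner = walk_chain(orig, [".".join(outer["source"].by.lower().split(".")[-2:])])
    return {"bounce": outer, "original": inner}

if __name__ == "__main__":
    for label, res in analyse_bounce(SAMPLE_BOUNCE, ["auchan.com"]).items():
        print(label, "source:", res and res["source"], "unverified:", res and res["unverified"])
```

Run as a script, it reports 142.239.21.123 (handed to relay-in.auchan.com) for the bounce and 212.96.209.49 (handed to ilx997x005.auchan.com) for the copied spam, with 200.110.110.200 listed only as a hop below the trust boundary that hanty.usi.ru alone could confirm. That is the split drawn above: complain to the last host a trusted relay accepted the message from, and treat anything beneath it as unverifiable. Passing a trusted-domain list that does not match the first receiving relay makes the walk stop with a "chain broken" reason rather than guessing.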


If I read the SpamCop parse correctly, the parser seems to trust the auchan.com relays:

....

so 212.96.209.49 [at]hanty.usi.ru is the one to complain to. If they did receive the spam from the IP address in the next header, it looks to me as though it were a user of theirs (in the same way 142.239.21.123 goes to auchan.com) so they would be able to handle it - if they wanted to. But I would not hold my breath.

...

You can open a free spamcop account and do not do the mailhost configuration to parse headers that the parser won't take for mailhosting configuration. Just be sure to cancel the reports.

Thanks for everything

:-))
