efa Posted September 7, 2006
Hi, I received an email that is a mail bounce containing a spam. This technique is sometimes used by spammers who know a misconfigured mail server: they fill the Return-Path of the spam with the user they want to spam.
1 - can I let SpamCop parse that kind of mail, and write to the misconfigured email server?
2 - in this case it seems particularly complicated, as 193.109.251.161 auchan.com appears to be a relay. Could one of the SpamCop admins manually identify the real IP of the spammer, as I'm not sure the parser is right?
Here is the tracking URL: http://www.spamcop.net/sc?id=z1057867609z5...a7230e5eec2ddcz
thanks
Telarin Posted September 7, 2006
Looks like an accurate parse to me.
turetzsr Posted September 7, 2006
> Hi, I received an email that is a mail bounce containing a spam. This technique is sometimes used by spammers who know a misconfigured mail server: they fill the Return-Path of the spam with the user they want to spam.
> 1 - can I let SpamCop parse that kind of mail, and write to the misconfigured email server?
...Absolutely!
> 2 - in this case it seems particularly complicated, as 193.109.251.161 auchan.com appears to be a relay. Could one of the SpamCop admins manually identify the real IP of the spammer, as I'm not sure the parser is right?
> Here is the tracking URL: http://www.spamcop.net/sc?id=z1057867609z5...a7230e5eec2ddcz
> thanks
...Well, I'm not an admin of SpamCop, but while I would have chosen 193.109.251.161 (varelay1.auchan.com) as the source of the bounce message, the IP chosen by the parser (ilx997x005.auchan.com (ilx997x005 [142.239.21.123])) appears to belong to the same folks, auchan.com, so it should go to the same abuse address (postmaster[at]iwk.nshealth.ca). It turns out to be a different abuse address:
Parsing input: 193.109.251.161
host 193.109.251.161 (getting name) = varelay1.auchan.com.
host 193.109.251.161 = varelay1.auchan.com (cached)
Routing details for 193.109.251.161 [refresh/show]
Cached whois for 193.109.251.161 : ddescheemaeker[at]auchan.com
Using last resort contacts ddescheemaeker[at]auchan.com
But your tracking URL offers to send the report to ddescheemaeker[at]auchan.com as "Administrator interested in intermediary handling of spam."
...Bottom line: it all looks as if it ultimately works out right, to me! <g>
efa Posted September 7, 2006 (Author)
> ...but while I would have chosen 193.109.251.161 (varelay1.auchan.com) as the source of the bounce message, the IP chosen by the parser (ilx997x005.auchan.com (ilx997x005 [142.239.21.123])) appears to belong to the same folks, auchan.com
It seems to me that 142.239.21.123, postmaster[at]iwk.nshealth.ca, is a health hospital, but 193.109.251.161, ddescheemaeker[at]auchan.com, is a market shop. In the middle there are two localhost 127.0.0.1 hops, a private LAN, so does the bounce come from 193.109.251.161 or 142.239.21.123?
And more: someone has used my email address, putting it in the Return-Path field, to send spam. I want to contact the abuse desk of this provider to ask them to block this sending. Again, is it difficult to track where the original bounced spam comes from? You can see it by clicking on the link "View entire message" and looking at the headers below the line:
--- Below this line is a copy of the message.
It has as candidate sources:
128.239.101.13 IRT[at]bu.edu
localhost 127.0.0.1
128.197.20.63 IRT[at]bu.edu
localhost 127.0.0.1
212.96.209.49 [at]hanty.usi.ru
200.110.110.200 daeum[at]SYWORKS-LATIN.COM
Which one is right?
Miss Betsy Posted September 8, 2006
> And more: someone has used my email address, putting it in the Return-Path field, to send spam. I want to contact the abuse desk of this provider to ask them to block this sending.
Using the Return-Path to forge email addresses is a common technique of spammers. If you have the complete headers of the spam, you can use the parser to find the source abuse address. Cancel the report. You did not receive the spam, so you cannot report it. If you trust that the parser is correct, you can send your request to the abuse address yourself. Do not expect them to do anything for you. Most spam comes from abuse desks who are unresponsive to spam reports. It is better to post the Tracking URL for analysis of headers.
The parser stops at the first Received header that is not correct. Usually the parser chooses the correct abuse address. All the other headers after the one the parser stops at cannot be trusted. These headers may be forged.
Miss Betsy
efa Posted September 8, 2006 (Author)
> If you have the complete headers of the spam, you can use the parser to find the source abuse address. Cancel the report. You did not receive the spam, so you cannot report it. If you trust that the parser is correct, you can send your request to the abuse address yourself.
The problem is with the "Mailhost" SpamCop service. I use it, and it doesn't let me parse a bounced mail from another server. So I asked for a manual analysis. You can see it by following my already posted tracking URL: http://www.spamcop.net/sc?id=z1057867609z5...a7230e5eec2ddcz and clicking on the link "View entire message", then looking at the headers below the line:
--- Below this line is a copy of the message.
regards
Telarin Posted September 8, 2006
Ok, I think maybe there was some misunderstanding here. Are you trying to report the actual bounce message itself, or are you trying to pick the original spam out of the bounce and report that? You can report the bounce itself as unsolicited using SpamCop reporting. However, since the actual spam is not to you, you are not allowed to report it using SpamCop (this does not stop you from doing manual reports, however). If this is the case, I would recommend reporting it to everyone that has handled it along the way; that way all your bases are covered.
efa Posted September 8, 2006 (Author)
> Are you trying to report the actual bounce message itself, or are you trying to pick the original spam out of the bounce and report that?
Normally in these cases, I report:
A - the bounce to the bouncing mail server (by hand or using the SpamCop parser)
B - the original fake Return-Path spam to the spammer's server (by hand).
Point A, "turetzsr" clarified to me. In the post of "Sep 7 2006, 04:51 PM" I'm asking for help to identify the real source of the spammer's server (point B), as the header is also a bit complicated.
thanks in advance.
Miss Betsy Posted September 8, 2006
If I read the SpamCop parse correctly, the parser seems to trust the auchan.com relays:
Received: from relay-out.auchan.com (ilx997x003 [127.0.0.1]) by varelay1.auchan.com (8.12.11.20060308/8.12.11) with ESMTP id k87IW7AN007346 for <x>; Thu, 7 Sep 2006 20:32:08 +0200
Internal handoff by trusted site 193.109.251.161
4: Received: from relay-in.auchan.com (ilx997x001 [127.0.0.1]) by relay-out.auchan.com (8.12.11.20060308/8.12.11) with ESMTP id k87IW7Df021382 for <x>; Thu, 7 Sep 2006 20:32:07 +0200
Internal handoff by trusted site 193.109.251.161
so 212.96.209.49 [at]hanty.usi.ru is the one to complain to. If they did receive the spam from the IP address in the next header, it looks to me as though it were a user of theirs (in the same way 142.239.21.123 goes to auchan.com), so they would be able to handle it - if they wanted to. But I would not hold my breath. But I am not an expert at reading headers. I do not think the next line is configured properly. And if it is proper, it is a spammer who is not going to listen to your complaint either.
You can open a free SpamCop account and not do the mailhost configuration, to parse headers that the parser won't take for the mailhost configuration. Just be sure to cancel the reports.
Miss Betsy
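The walk Miss Betsy describes in her two posts (trust your own relays, skip the "internal handoff" hops, stop at the first hop a trusted host received from an outside IP, and treat every Received line below that as possibly forged) can be scripted. The following is an added example, not SpamCop's parser: the Received chain is constructed for this example (the relay names follow the ones quoted above; the external addresses are RFC 5737 documentation addresses, and the hostnames mx.example.net and forged.example.org are invented), and TRUSTED_HOSTS stands in for the set of mailhosts you administer.

```python
import ipaddress
import re

# Constructed sample Received chain, newest hop first (not from the thread).
SAMPLE_HEADERS = """\
Received: from relay-out.auchan.com (ilx997x003 [127.0.0.1]) by varelay1.auchan.com with ESMTP id k87IW7AN007346 for <x>; Thu, 7 Sep 2006 20:32:08 +0200
Received: from relay-in.auchan.com (ilx997x001 [127.0.0.1]) by relay-out.auchan.com with ESMTP id k87IW7Df021382 for <x>; Thu, 7 Sep 2006 20:32:07 +0200
Received: from mx.example.net (mx.example.net [192.0.2.10]) by relay-in.auchan.com with ESMTP id k87IW6Zz000001 for <x>; Thu, 7 Sep 2006 20:32:06 +0200
Received: from forged.example.org (forged.example.org [198.51.100.7]) by mx.example.net with ESMTP id deadbeef; Thu, 7 Sep 2006 20:32:05 +0200
"""

# Hosts you administer: the "mailhost" set whose Received stamps you trust.
TRUSTED_HOSTS = {"varelay1.auchan.com", "relay-out.auchan.com", "relay-in.auchan.com"}

# Loopback and RFC 1918 ranges: a "from" address here is an internal handoff.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

RECEIVED_RE = re.compile(
    r"^Received: from (?P<from_host>\S+)(?: \([^\[]*\[(?P<from_ip>[^\]]+)\]\))?"
    r" by (?P<by_host>\S+)", re.M)


def parse_received(headers):
    """Return the Received hops as dicts (from_host, from_ip, by_host), newest first."""
    return [m.groupdict() for m in RECEIVED_RE.finditer(headers)]


def find_source(headers, trusted_hosts):
    """Walk newest-first, skipping handoffs between trusted hosts. The first hop a
    trusted host received from an external IP names the source. Returns
    (source_ip, untrusted_hops); source_ip is None when the chain breaks before an
    external hop is found (a mis-stamped or forged header)."""
    hops = parse_received(headers)
    for i, hop in enumerate(hops):
        # Each hop must have been received by a host we trust, and (after the
        # first) by the host the previous, newer hop claims to have come from.
        if hop["by_host"] not in trusted_hosts or (
                i > 0 and hop["by_host"] != hops[i - 1]["from_host"]):
            return None, hops[i:]
        if hop["from_ip"] is None:
            return None, hops[i:]
        addr = ipaddress.ip_address(hop["from_ip"])
        if hop["from_host"] in trusted_hosts or any(addr in n for n in INTERNAL_NETS):
            continue  # internal handoff by trusted site
        return hop["from_ip"], hops[i + 1:]  # everything below may be forged
    return None, []
```

Report only the returned source IP; the hops in untrusted_hops were stamped by hosts you do not control, which is exactly why the parser refuses to trust them.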
efa Posted September 10, 2006 (Author)
> If I read the SpamCop parse correctly, the parser seems to trust the auchan.com relays .... so 212.96.209.49 [at]hanty.usi.ru is the one to complain to. If they did receive the spam from the IP address in the next header, it looks to me as though it were a user of theirs (in the same way 142.239.21.123 goes to auchan.com), so they would be able to handle it - if they wanted to. But I would not hold my breath. ... You can open a free SpamCop account and not do the mailhost configuration, to parse headers that the parser won't take for the mailhost configuration. Just be sure to cancel the reports.
thanks for all :-))