BoMbY
Posted November 25, 2006

Hello, I've just received a spam message with a faked SMTP header entry:

Received: from unknown (HELO mohamand) (213.6.1.75) by uhweb150XX.united-hoster.com with SMTP; 25 Nov 2006 22:23:13 +0100
Received: from 195.154.194.202 (HELO mx2.magic.fr) by x.de with esmtp (0T*7Y0,8T1+) 5448M) id N1J5XA-KY>+R;-A0 for x[at]x.de; Sat, 25 Nov 2006 21:22:52 -0120

The first entry is the correct SMTP header entry from my mail server. The second one is completely faked. (x[at]x.de is the mail address the spam was sent to, and x.de is the correct hostname.) The from-IP-address which was used seems to be chosen by the spammer (maybe randomly).

The problem is: the SpamCop parser (and maybe others) takes this faked SMTP entry for real and blames the wrong target. Is there a way to avoid this, or maybe to build in a workaround for something like this in SpamCop?

Thanks and Regards,
BoMbY

Edit: PS: Maybe it's possible to verify the whole way through the SMTP servers (by matching the "from IP" of every entry with the "by IP" from the entry before)?
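The chain check suggested in the PS above, as an added example (this is not SpamCop's parser and not code from the original thread). It parses the two Received lines quoted in the post, walks them newest-first, and only keeps trusting a hop if the host that claims to have written it is the host the hop above says it received the connection from. The list of "our" hosts is a hypothetical stand-in for the reporter's own mail servers; the parser only handles the qmail-style `from X (HELO Y) (ip) by Z` form seen in the post, not every Received syntax in the wild.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample: the two Received lines quoted in the post, newest hop
# first, exactly as they sit in the message. The second one is the forged hop.
SAMPLE_RECEIVED = [
    "from unknown (HELO mohamand) (213.6.1.75) by uhweb150XX.united-hoster.com "
    "with SMTP; 25 Nov 2006 22:23:13 +0100",
    "from 195.154.194.202 (HELO mx2.magic.fr) by x.de with esmtp (0T*7Y0,8T1+) "
    "5448M) id N1J5XA-KY>+R;-A0 for x[at]x.de; Sat, 25 Nov 2006 21:22:52 -0120",
]

# Hypothetical set of hosts the recipient operates. Note that the forged hop
# claims to be written "by x.de", i.e. by one of these, which is exactly why a
# "trust anything written by my own hosts" rule is not enough on its own.
OUR_HOSTS: Set[str] = {"uhweb150xx.united-hoster.com", "x.de"}

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HOP = re.compile(
    r"^from\s+(?P<name>\S+)"                          # reverse-DNS name or IP literal
    r"(?:\s+\(HELO\s+(?P<helo>[^)]*)\))?"             # optional HELO name
    r"(?:\s+\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\))?"    # optional IP literal
    r"\s+by\s+(?P<by>\S+)",                           # host that wrote this line
    re.IGNORECASE,
)


@dataclass
class Hop:
    from_name: str
    helo: Optional[str]
    from_ip: Optional[str]
    by: str


def parse_hop(line: str) -> Optional[Hop]:
    """Parse one Received header value into its from/HELO/IP/by parts."""
    m = HOP.match(line.strip())
    if not m:
        return None
    name = m.group("name").lower()
    ip = m.group("ip") or (name if IPV4.match(name) else None)
    helo = (m.group("helo") or "").lower() or None
    return Hop(name, helo, ip, m.group("by").lower())


def hop_continues(newer: Hop, older: Hop) -> bool:
    """The host that wrote `older` must be the peer `newer` says it received from."""
    return older.by in {newer.from_name, newer.helo, newer.from_ip}


def naive_origin(received: List[str], our_hosts: Set[str]) -> Optional[str]:
    """Trust every hop written by our hosts, no chain check: blames the wrong IP."""
    origin = None
    for line in received:
        hop = parse_hop(line)
        if hop is None or hop.by not in our_hosts:
            break
        origin = hop.from_ip
    return origin


def find_origin(received: List[str], our_hosts: Set[str]) -> dict:
    """Walk newest-first; stop at the first hop that is not ours or breaks the chain."""
    hops = [parse_hop(line) for line in received]
    origin = None
    forged_index = None
    for i, hop in enumerate(hops):
        if hop is None or hop.by not in our_hosts:
            break  # handed off to a host we do not control: nothing below is trusted
        if i > 0 and not hop_continues(hops[i - 1], hop):
            forged_index = i  # claims to be ours, but the hop above never talked to it
            break
        origin = hop.from_ip
    return {"origin_ip": origin, "forged_index": forged_index}


if __name__ == "__main__":
    print("naive:", naive_origin(SAMPLE_RECEIVED, OUR_HOSTS))
    print("chain-checked:", find_origin(SAMPLE_RECEIVED, OUR_HOSTS))
```

On the sample, the naive walk ends at the forged line and blames 195.154.194.202, which is the behaviour the post complains about; the chain-checked walk notices that the top hop received from 213.6.1.75 / mohamand, not from x.de, so the line claiming "by x.de" cannot be genuine, and it reports 213.6.1.75 as the origin with index 1 flagged. In production the comparison would also resolve the `by` host and compare addresses rather than names, since the two may legitimately differ.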
dbiel
Posted November 26, 2006

It would help if you would parse the message and cancel the reports and then post the Tracking URL. If SpamCop is actually showing forged headers as the source of the spam, then it needs to be reported to the Deputies, but they will need a Tracking URL to confirm what is going on.
karlisma
Posted November 30, 2006

> It would help if you would parse the message and cancel the reports and then post the Tracking URL. If SpamCop is actually showing forged headers as the source of the spam, then it needs to be reported to the Deputies, but they will need a Tracking URL to confirm what is going on.

It does not show, however; it is not cleaned up, thus revealing the reporter's identity, which is in that fake header, dbiel.
Wazoo
Posted November 30, 2006

> It does not show, however; it is not cleaned up, thus revealing the reporter's identity, which is in that fake header, dbiel.

??? Not a clue what you're talking about... the original post has no e-mail address data. Tracking URL possibly? What do you suggest to that user for the actual header block to be seen, along with the parser decision data points? Posting random thoughts doesn't really help anyone. Lack of follow-up by the original poster doesn't help much either.
karlisma
Posted November 30, 2006

> ??? Not a clue what you're talking about... the original post has no e-mail address data. Tracking URL possibly? What do you suggest to that user for the actual header block to be seen, along with the parser decision data points? Posting random thoughts doesn't really help anyone. Lack of follow-up by the original poster doesn't help much either.

Okay, be it random. Just a guess...