Does IronPort Filter Catch SpamCop.net Messages?


csouter

Hi, all!

I'm not sure where to post this, so I'm posting in the SpamCop Lounge. If a moderator thinks it might be more appropriate to post this somewhere else, please accept my apologies for any inconvenience I might have caused, then move or delete this posting as you see fit.

My ISP's POP3 server has IronPort filtering installed.

This morning local (Sydney, Australia) time, I received the following message from SpamCop. It is a Quick Reporting Data message. (For those of you who don't know what that is, it's the message you get from the SpamCop reporting system when you have Quick Reporting enabled on your account. It's enabled by default for SpamCop WebMail users.)

Here is the message:

From - Mon Jan 22 07:23:15 2007
X-Account-Key: account3
X-UIDL: 00000170457f72a7
X-Mozilla-Status: 1001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-path: <user.xxxxxxxxxxxxxxxx[at]bounces.spamcop.net>
Envelope-to: <x>
Delivery-date: Mon, 22 Jan 2007 07:19:52 +1100
Received: from [10.0.0.25] (helo=soapberry.exetel.com.au)
    by chestnut.exetel.com.au with esmtp (Exim 4.63)
    (envelope-from <user.xxxxxxxxxxxxxxxx[at]bounces.spamcop.net>)
    id 1H8jAO-0006FO-C2
    for <x>; Mon, 22 Jan 2007 07:19:52 +1100
Received: from 60.0.233.220.exetel.com.au ([220.233.0.60] helo=mscip01.mailscan.net.au)
    by soapberry.exetel.com.au with esmtp (Exim 4.63)
    (envelope-from <user.xxxxxxxxxxxxxxxx[at]bounces.spamcop.net>)
    id 1H8jAO-0003PF-9M
    for <x>; Mon, 22 Jan 2007 07:19:52 +1100
Received: from sc-smtp2-bulkmx.soma.ironport.com ([204.15.82.125])
    by mscip01.mailscan.net.au with ESMTP; 22 Jan 2007 07:19:51 +1100
X-IronPort-Anti-spam-Filtered: true
X-IronPort-Anti-spam-Result: Aq2HAPpZs0XMD1J9h2dsb2JhbACNYwEBCQ4NHVgBAQ
Subject: [sUSPECTED spam] [spamCop] Quick reporting data
X-IronPort-AV: i="4.13,217,1167570000";
    d="scan'208"; a="11454970:sNHT29489824"
DomainKey-Signature: s=devnull; d=spamcop.net; c=nofws; q=dns; b=VbkGNZy2/IVfdarJYOtJdYO41syQQPIu/FoeY8+oRaMowK7nYtnDjN9q4Wz19zlSOAgG6cSCz3qC4F11Ynyk93aoLgOf5p9BkkzvABFJdtcoaIDB/tv++cPKUglWjFGM;
Received: from sc-app3.spamcop.net ([204.15.82.22])
    by sc-smtp2-bulkmx.soma.ironport.com with SMTP; 21 Jan 2007 12:19:48 -0800
From: SpamCop <spamcop[at]devnull.spamcop.net>
To: Christopher E. Souter <x>
Precedence: list
Message-ID: <qr45b3cae3g3d08[at]msgid.spamcop.net>
Date: Sun, 21 Jan 2007 20:19:47 GMT
X-Mailer: http://www.spamcop.net/ v620

SpamCop.net

Here are the results of your submission:

Processing spam: From: developing[at]ffoql.urnaeuismod.com
Subject: JunkEmail: [spam] Astronomy Biography Biological

0: Received: from [10.0.0.25] (helo=soapberry.exetel.com.au) by chestnut.exetel.com.au with esmtp (Exim 4.63) (envelope-from <developing[at]ffoql.urnaeuismod.com>) id 1H8j1b-00045U-9O for <x>; Mon, 22 Jan 2007 07:10:47 +1100
Internal handoff at exetel.com.au

1: Received: from 60.0.233.220.exetel.com.au ([220.233.0.60] helo=mscip01.mailscan.net.au) by soapberry.exetel.com.au with esmtp (Exim 4.63) (envelope-from <developing[at]ffoql.urnaeuismod.com>) id 1H8j1b-0002r3-5G for <x>; Mon, 22 Jan 2007 07:10:47 +1100
Hostname verified: 60.0.233.220.exetel.com.au
exetel.com.au received mail from exetel.com.au ( 220.233.0.60 )

2: Received: from pool-71-252-172-134.dllstx.fios.verizon.net (HELO [71.252.172.134]) ([71.252.172.134]) by mscip01.mailscan.net.au with ESMTP; 22 Jan 2007 07:10:46 +1100
Hostname verified: pool-71-252-172-134.dllstx.fios.verizon.net
exetel.com.au received mail from sending system 71.252.172.134

3: Received: from ZJT (unknown [128.143.123.98]) by ffoql.urnaeuismod.com with ESMTP id BFECDCE7A2CE for <x>; Sun, 21 Jan 2007 14:11:03 -0600 (GMT)
No unique hostname found for source: 128.143.123.98
warning:Possible forgery. Supposed receiving system not associated with any of your mailhosts Will not trust anything beyond this header

Tracking message source:71.252.172.134: Cached whois for 71.252.172.134 : abuse[at]verizon.net
Using abuse net on abuse[at]verizon.net
abuse net verizon.net = abuse[at]verizon.net
Using best contacts abuse[at]verizon.net
warning:Yum, this spam is fresh! Message is 0 hours old
71.252.172.134 not listed in dnsbl.njabl.org
71.252.172.134 not listed in dnsbl.njabl.org
71.252.172.134 not listed in cbl.abuseat.org
71.252.172.134 listed in dnsbl.sorbs.net ( 127.0.0.10 )

spam report id 2109157119 sent to: abuse[at]verizon.net

May be saved for future reference:
http://www.spamcop.net/sc?id=z1199578513zd...8d6028c1fde857z

It appears that the IronPort filtering has tagged as being suspicious a legitimate message from SpamCop!

I have several different accounts at my ISP, each of which can have the IronPort filtering individually turned on and off at will.

Last evening, after receiving a couple of "stock junk" spams which had been directly forwarded to me from my SpamCop.net account (i.e., they didn't go through Held Mail), I turned on the filtering for the secret address at my ISP where I have SpamCop (Quick Reporting and WebMail) forward all messages (excepting Held Mail, of course). After turning on the filtering, I got two normal quick data reports (i.e., the subject line was "[spamCop] Quick data report"). Then, I got the message shown above. Since then, all other reports have been as normal.

BTW, in about 2 years of using SpamCop WebMail, I have never before received a spam message at my SpamCop WebMail account that had come directly into my Inbox, bypassing the Held Mail folder.

It's interesting that IronPort spam filtering tagged a message that came from one of its own servers, don't you think?

Thoughts/opinions, anyone?
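
As an added example (not part of the original post, and not SpamCop or IronPort code), this Python sketch reads the header order of the message quoted above: it finds the `X-IronPort-Anti-spam-*` headers and reports the `Received` hops directly above and below them, which bounds where the verdict was stamped. The sample is a constructed, abridged copy of the quoted headers, and the function name is hypothetical.

```python
import email
import re

# Constructed sample: abridged headers from the message quoted in the post.
RAW = """\
Received: from [10.0.0.25] (helo=soapberry.exetel.com.au)
    by chestnut.exetel.com.au with esmtp (Exim 4.63)
    for <x>; Mon, 22 Jan 2007 07:19:52 +1100
Received: from 60.0.233.220.exetel.com.au ([220.233.0.60] helo=mscip01.mailscan.net.au)
    by soapberry.exetel.com.au with esmtp (Exim 4.63)
    for <x>; Mon, 22 Jan 2007 07:19:52 +1100
Received: from sc-smtp2-bulkmx.soma.ironport.com ([204.15.82.125])
    by mscip01.mailscan.net.au with ESMTP; 22 Jan 2007 07:19:51 +1100
X-IronPort-Anti-spam-Filtered: true
Subject: [sUSPECTED spam] [spamCop] Quick reporting data
Received: from sc-app3.spamcop.net ([204.15.82.22])
    by sc-smtp2-bulkmx.soma.ironport.com with SMTP; 21 Jan 2007 12:19:48 -0800
From: SpamCop <spamcop[at]devnull.spamcop.net>

body
"""

BY_HOST = re.compile(r"\bby\s+(\S+)")  # receiving host named in a Received header

def locate_filter_headers(raw, prefix="x-ironport-anti-spam"):
    """Return (tagged, findings). Each finding names the Received 'by' hosts
    directly above and below a filter header; one of the two added it."""
    msg = email.message_from_string(raw)
    headers = msg.items()  # (name, value) pairs in on-the-wire order
    # Position and 'by' host of every Received header, newest (top) first.
    hops = [(i, BY_HOST.search(v).group(1))
            for i, (n, v) in enumerate(headers)
            if n.lower() == "received" and BY_HOST.search(v)]
    findings = []
    for i, (name, value) in enumerate(headers):
        if not name.lower().startswith(prefix):
            continue
        above = [h for j, h in hops if j < i]  # hops stamped after this header
        below = [h for j, h in hops if j > i]  # hops stamped before this header
        findings.append({
            "header": name, "value": value.strip(),
            "later_hop": above[-1] if above else None,
            "earlier_hop": below[0] if below else None,
        })
    tagged = bool(re.match(r"\s*\[suspected spam\]", msg.get("Subject", ""), re.I))
    return tagged, findings
```

Header position only narrows the verdict to the two neighbouring hops; it does not say which of them applied the filter.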


IronPort sells boxes that perform filtering. These boxes would not be looking for "e-mail from SpamCop.net" .... they would be "looking at e-mail" .... period. This one apparently tripped enough wires on the way in to set up the actions taken.


Well, I have no idea how those boxes work, but wouldn't you think they'd have some kind of built-in "whitelist," which would include system messages from SpamCop.net?


BTW, in about 2 years of using SpamCop WebMail, I have never before received a spam message at my SpamCop WebMail account that had come directly into my Inbox, bypassing the Held Mail folder.

FYI, the SpamAssassin filtering was broken for almost 36 hours on two of the servers that receive mail for Spamcop Email accounts. You posted this towards the end of the outage, which would explain the unusual leakage of spam to your Inbox. This outage was mentioned in two threads in the SpamCop Email System & Accounts forum and also in one here in the Lounge.

As for the Ironport issue, it would be more direct to simply contact Ironport about that, rather than having the denizens of this venue speculate about it. If you do that, then post any answer here.

DT


My ISP's user help forum has posted a couple of email addresses at IronPort to which we can forward false positives and false negatives.

They are:

ham[at]access.ironport.com (for false positives)

and

spam[at]access.ironport.com (for false negatives).

I suppose that I could browse the IronPort website for any further information on the workings of these boxes, but I doubt that they'd communicate with a humble, ordinary, single home user like myself, who is unlikely to be a prospective purchaser of their (as I understand from a message posted by my ISP's admins in our user forums) very expensive hardware.

However, if I do find any useful information, I'll certainly post it here.

As for the SpamAssassin filtering, yes, I did find out about that, but only a few hours ago, (just after midnight in Sydney, Australia).

Also, I noticed that both SpamCop WebMail and SpamCop Discussion Forum seemed to be running extremely slowly about 8-10 hours ago (when I was last logged on). Maybe that was somehow related to the outage, (who knows)?

It seems OK, now.


Archived

This topic is now archived and is closed to further replies.
