csouter Posted January 22, 2007

Hi, all!

I'm not sure where to post this, so I'm posting in the SpamCop Lounge. If a moderator thinks it might be more appropriate to post this somewhere else, please accept my apologies for any inconvenience I might have caused, then move or delete this posting as you see fit.

My ISP's POP3 server has IronPort filtering installed. This morning local (Sydney, Australia) time, I received the following message from SpamCop. It is a Quick Reporting Data message. (For those of you who don't know what that is, it's the message you get from the SpamCop reporting system when you have Quick Reporting enabled on your account. It's enabled by default for SpamCop WebMail users.)

Here is the message:

From - Mon Jan 22 07:23:15 2007
X-Account-Key: account3
X-UIDL: 00000170457f72a7
X-Mozilla-Status: 1001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-path: <user.xxxxxxxxxxxxxxxx[at]bounces.spamcop.net>
Envelope-to: <x>
Delivery-date: Mon, 22 Jan 2007 07:19:52 +1100
Received: from [10.0.0.25] (helo=soapberry.exetel.com.au)
    by chestnut.exetel.com.au with esmtp (Exim 4.63)
    (envelope-from <user.xxxxxxxxxxxxxxxx[at]bounces.spamcop.net>)
    id 1H8jAO-0006FO-C2 for <x>; Mon, 22 Jan 2007 07:19:52 +1100
Received: from 60.0.233.220.exetel.com.au ([220.233.0.60] helo=mscip01.mailscan.net.au)
    by soapberry.exetel.com.au with esmtp (Exim 4.63)
    (envelope-from <user.xxxxxxxxxxxxxxxx[at]bounces.spamcop.net>)
    id 1H8jAO-0003PF-9M for <x>; Mon, 22 Jan 2007 07:19:52 +1100
Received: from sc-smtp2-bulkmx.soma.ironport.com ([204.15.82.125])
    by mscip01.mailscan.net.au with ESMTP; 22 Jan 2007 07:19:51 +1100
X-IronPort-Anti-spam-Filtered: true
X-IronPort-Anti-spam-Result: Aq2HAPpZs0XMD1J9h2dsb2JhbACNYwEBCQ4NHVgBAQ
Subject: [sUSPECTED spam] [spamCop] Quick reporting data
X-IronPort-AV: i="4.13,217,1167570000"; d="scan'208"; a="11454970:sNHT29489824"
DomainKey-Signature: s=devnull; d=spamcop.net; c=nofws; q=dns;
    b=VbkGNZy2/IVfdarJYOtJdYO41syQQPIu/FoeY8+oRaMowK7nYtnDjN9q4Wz19zlSOAgG6cSCz3qC4F11Ynyk93aoLgOf5p9BkkzvABFJdtcoaIDB/tv++cPKUglWjFGM;
Received: from sc-app3.spamcop.net ([204.15.82.22])
    by sc-smtp2-bulkmx.soma.ironport.com with SMTP; 21 Jan 2007 12:19:48 -0800
From: SpamCop <spamcop[at]devnull.spamcop.net>
To: Christopher E. Souter <x>
Precedence: list
Message-ID: <qr45b3cae3g3d08[at]msgid.spamcop.net>
Date: Sun, 21 Jan 2007 20:19:47 GMT
X-Mailer: http://www.spamcop.net/ v620

SpamCop.net
Here are the results of your submission:

Processing spam:
From: developing[at]ffoql.urnaeuismod.com
Subject: JunkEmail: [spam] Astronomy Biography Biological

0: Received: from [10.0.0.25] (helo=soapberry.exetel.com.au) by chestnut.exetel.com.au with esmtp (Exim 4.63) (envelope-from <developing[at]ffoql.urnaeuismod.com>) id 1H8j1b-00045U-9O for <x>; Mon, 22 Jan 2007 07:10:47 +1100
Internal handoff at exetel.com.au

1: Received: from 60.0.233.220.exetel.com.au ([220.233.0.60] helo=mscip01.mailscan.net.au) by soapberry.exetel.com.au with esmtp (Exim 4.63) (envelope-from <developing[at]ffoql.urnaeuismod.com>) id 1H8j1b-0002r3-5G for <x>; Mon, 22 Jan 2007 07:10:47 +1100
Hostname verified: 60.0.233.220.exetel.com.au
exetel.com.au received mail from exetel.com.au ( 220.233.0.60 )

2: Received: from pool-71-252-172-134.dllstx.fios.verizon.net (HELO [71.252.172.134]) ([71.252.172.134]) by mscip01.mailscan.net.au with ESMTP; 22 Jan 2007 07:10:46 +1100
Hostname verified: pool-71-252-172-134.dllstx.fios.verizon.net
exetel.com.au received mail from sending system 71.252.172.134

3: Received: from ZJT (unknown [128.143.123.98]) by ffoql.urnaeuismod.com with ESMTP id BFECDCE7A2CE for <x>; Sun, 21 Jan 2007 14:11:03 -0600 (GMT)
No unique hostname found for source: 128.143.123.98
warning:Possible forgery. Supposed receiving system not associated with any of your mailhosts
Will not trust anything beyond this header

Tracking message source:71.252.172.134:
Cached whois for 71.252.172.134 : abuse[at]verizon.net
Using abuse net on abuse[at]verizon.net
abuse net verizon.net = abuse[at]verizon.net
Using best contacts abuse[at]verizon.net
warning:Yum, this spam is fresh!
Message is 0 hours old
71.252.172.134 not listed in dnsbl.njabl.org
71.252.172.134 not listed in dnsbl.njabl.org
71.252.172.134 not listed in cbl.abuseat.org
71.252.172.134 listed in dnsbl.sorbs.net ( 127.0.0.10 )
spam report id 2109157119 sent to: abuse[at]verizon.net
May be saved for future reference: http://www.spamcop.net/sc?id=z1199578513zd...8d6028c1fde857z

It appears that the IronPort filtering has tagged as being suspicious a legitimate message from SpamCop!

I have several different accounts at my ISP, each of which can have the IronPort filtering individually turned on and off at will. Last evening, after receiving a couple of "stock junk" spams which had been directly forwarded to me from my SpamCop.net account, (i.e., they didn't go through Held Mail) I turned on the filtering for the secret address at my ISP where I have SpamCop (Quick Reporting and WebMail) forward all messages (excepting Held Mail, of course).

After turning on the filtering, I got two normal quick data reports (i.e., the subject line was "[spamCop] Quick data report"). Then, I got the message shown above. Since then, all other reports have been as normal.

BTW, in about 2 years of using SpamCop WebMail, I have never before received a spam message at my SpamCop WebMail account that had come directly into my Inbox, bypassing the Held Mail folder.

It's interesting that IronPort spam filtering tagged a message that came from one of its own servers, don't you think?

Thoughts/opinions, anyone?
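The header walk shown in the SpamCop report above (accept each Received line only while the receiving host is one of your own mailhosts, and stop at the first one that is not), as an added Python example that is not part of the original post and is not SpamCop's code. The trusted suffixes are an assumption inferred from the hops the report accepted, and the function names are hypothetical.

```python
import re

# Received headers of the reported spam, copied from the SpamCop output above
# (newest first; envelope, id and date parts omitted, they are not used here).
RECEIVED = [
    "from [10.0.0.25] (helo=soapberry.exetel.com.au) by chestnut.exetel.com.au with esmtp (Exim 4.63)",
    "from 60.0.233.220.exetel.com.au ([220.233.0.60] helo=mscip01.mailscan.net.au) "
    "by soapberry.exetel.com.au with esmtp (Exim 4.63)",
    "from pool-71-252-172-134.dllstx.fios.verizon.net (HELO [71.252.172.134]) ([71.252.172.134]) "
    "by mscip01.mailscan.net.au with ESMTP",
    "from ZJT (unknown [128.143.123.98]) by ffoql.urnaeuismod.com with ESMTP id BFECDCE7A2CE",
]

# Assumption: the recipient's own mailhosts, inferred from the hops the report trusted.
TRUSTED_SUFFIXES = ("exetel.com.au", "mailscan.net.au")

HOP = re.compile(r"^from\s+(?P<src>.*?)\s+by\s+(?P<by>\S+)", re.S)
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def is_trusted(host):
    """True only for an exact match or a real subdomain of a trusted suffix."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def trace_source(received):
    """Walk hops newest-first.

    Returns (source_ip, index_of_first_untrusted_hop). The index is None when
    every hop was written by a trusted host.
    """
    source = None
    for i, line in enumerate(received):
        m = HOP.match(line)
        if not m or not is_trusted(m.group("by")):
            # Written by a system we do not control: ignore it and all older hops.
            return source, i
        ips = IPV4.findall(m.group("src"))
        if ips:
            # The bracketed address is what the trusted receiver saw on the wire,
            # unlike the HELO name, which the sender chooses.
            source = ips[-1]
    return source, None


if __name__ == "__main__":
    print(trace_source(RECEIVED))
```

Run on the four headers from the report, the walk stops at header 3 and names 71.252.172.134 as the source, matching the "Tracking message source" line.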

Wazoo Posted January 22, 2007

IronPort sells boxes that perform filtering. These boxes would not be looking for "e-mail from SpamCop.net" .... they would be "looking at e-mail" .... period. This one apparently tripped enough wires on the way in to set up the actions taken.

csouter Posted January 22, 2007

Well, I have no idea how those boxes work, but wouldn't you think they'd have some kind of built-in "whitelist," which would include system messages from SpamCop.net?

DavidT Posted January 22, 2007

"BTW, in about 2 years of using SpamCop WebMail, I have never before received a spam message at my SpamCop WebMail account that had come directly into my Inbox, bypassing the Held Mail folder."

FYI, the SpamAssassin filtering was broken for almost 36 hours on two of the servers that receive mail for Spamcop Email accounts. You posted this towards the end of the outage, which would explain the unusual leakage of spam to your Inbox. This outage was mentioned in two threads in the SpamCop Email System & Accounts forum and also in one here in the Lounge.

As for the Ironport issue, it would be more direct to simply contact Ironport about that, rather than having the denizens of this venue speculate about it. If you do that, then post any answer here.

DT

csouter Posted January 22, 2007

My ISP's user help forum has posted a couple of email addresses at IronPort to which we can forward false positives and false negatives. They are: ham[at]access.ironport.com (for false positives) and spam[at]access.ironport.com (for false negatives).

I suppose that I could browse the IronPort website for any further information on the workings of these boxes, but I doubt that they'd communicate with a humble, ordinary, single home user like myself, who is unlikely to be a prospective purchaser of their (as I understand from my message posted by ISP's admins in our user forums) very expensive hardware. However, if I do find any useful information, I'll certainly post it here.

As for the SpamAssassin filtering, yes, I did find out about that, but only a few hours ago, (just after midnight in Sydney, Australia). Also, I noticed that both SpamCop WebMail and SpamCop Discussion Forum seemed to be running extremely slowly about 8-10 hours ago (when I was last logged on). Maybe that was somehow related to the outage, (who knows)? It seems OK, now.
This topic is now archived and is closed to further replies.