
No source IP address found, cannot proceed.


csouter


Hi, all!

Recently, when attempting to report some spam messages, I got the following error from the SpamCop parser:

No source IP address found, cannot proceed.

Below are the Tracking URLs for the three messages in question. The messages had been originally received on 2007-03-07, 2007-03-10 and 2007-03-13 at my old Gmail mailbox, which has since been cancelled (by me).

(1) http://www.spamcop.net/sc?id=z1246398430za...ce82fc42695c02z

(2) http://www.spamcop.net/sc?id=z1249032218z3...992fe8ded30b32z

(3) http://www.spamcop.net/sc?id=z1251188208z0...e3dac72dcdf926z

Can anyone explain how these messages could have been sent without a source IP in the message headers?

I have been successfully reporting spam received at my Gmail account for the past several months, so I do know how to get the full message source and then "copy-and-paste it" into the SpamCop reporting window.

BTW, the three spams mentioned above were the only ones that actually made it past Gmail's spam filters and into my InBox. I used that address for about 14 months and started receiving spam there after about 6 months. The address had never been published anywhere. Actually, the sources of some of the earliest messages showed that the address had been compromised by a dictionary attack. (The stupid spammer had put the other addresses in the CC: field, not the BCC: field; but, then again, maybe he didn't care whether or not I knew about it). It started out at about 2 or 3 spams per week and I finally cancelled the account when the spam count got to 35 per day. (I simply don't have the time to report so many spams manually every day: it's just too time-consuming).

At any rate, I must say that the Gmail spam filtering is pretty good: only 3 spams missed out of a total of about 3000 received; and not a single false positive.

Any ideas on hiding the originating IP would be appreciated. I'd really like to know how they did it!


...Any ideas on hiding the originating IP would be appreciated. I'd really like to know how they did it!
Hi Chris - I guess it is another case like unable to parse emails from gmail - looks like it, yes? As Steven said Google to Google should be handled by Google. With no routing outside the Googleplex (sorry, rotten pun, the Devil made me do it) it's nothing to do with SpamCop.

outside the Googleplex (sorry, rotten pun, the Devil made me do it)

You are forgiven. :D

Looking at the thread you linked to, I guess you're right.

I had a look at some legitimate messages to me from other Gmail users, and they don't show source IPs, either. Gmail system emails (e.g., from admin, welcome to new users, etc.), do show them. It seems to be a different kind of system.

I just hope that clicking the "Report spam" button (in Gmail, that is) results in Google really doing something about it, and not just using the spam report to fine-tune their anti-spam filtering. I really hope they investigate properly and terminate any user they determine to be a spammer. If the messages are Gmail-to-Gmail, the user can't possibly claim that it's because his poor unfortunate PC has been turned into a spambot by evil Russian spammers. ;)

I also hope that the spammers haven't yet found some way to spoof Gmail addresses and sending domains. :-(


[snip]

I had a look at some legitimate messages to me from other Gmail users, and they don't show source IPs, either.

The gmail mail header shows IP addresses in the header, but these are special ones, to be used only privately.

From one of the links posted:

Received: by 10.78.148.13 with SMTP id v13cs207394hud;
		Wed, 7 Mar 2007 21:22:17 -0800 (PST)
Received: by 10.90.25.3 with SMTP id 3mr1592agy.1173331336759;
		Wed, 07 Mar 2007 21:22:16 -0800 (PST)
Received: by 10.90.120.2 with HTTP; Wed, 7 Mar 2007 21:22:16 -0800 (PST)

This header shows IP addresses starting with 10 and these are reserved for private use and are only valid on an internal network. 10.x.x.x addresses will never be routed to the public Internet. From RFC 1918 http://tools.ietf.org/html/rfc1918

3. Private Address Space


   The Internet Assigned Numbers Authority (IANA) has reserved the
   following three blocks of the IP address space for private internets:

     10.0.0.0        -   10.255.255.255  (10/8 prefix)
     172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
     192.168.0.0     -   192.168.255.255 (192.168/16 prefix)

[snip]

   An enterprise that decides to use IP addresses out of the address
   space defined in this document can do so without any coordination
   with IANA or an Internet registry. The address space can thus be used
   by many enterprises. Addresses within this private address space will
   only be unique within the enterprise, or the set of enterprises which
   choose to cooperate over this space so they may communicate with each
   other in their own private internet.

On my small private home network I use addresses starting with 192.168 for my private domain "utp.xnet" and I run a local mail server and nameserver. An example name lookup of my private mail server:

nslookup mail.utp.xnet ns.utp.xnet

Server:		 ns.utp.xnet
Address:		192.168.222.11#53

Name:   mail.utp.xnet
Address: 192.168.222.10

You can try the same nslookup command on your own Windows/Unix computer but you never will get an answer, because the 192.168.222.10 and 10 addresses are private.

Likewise Spamcop will not get an answer to the lookup of the private address 10.78.148.13, used internally by Gmail.

nslookup 10.78.148.13				  
Server:		 192.168.222.11
Address:		192.168.222.11#53

** server can't find 13.148.78.10.in-addr.arpa: NXDOMAIN

Because of a similar error Spamcop says "No source IP address found, cannot proceed"


The gmail mail header shows IP addresses in the header, but these are special ones

<SNIP>

Likewise Spamcop will not get an answer to the lookup of the private address 10.78.148.13, used internally

<SNIP>

Because of a similar error Spamcop says "No source IP address found, cannot proceed"

Thank you for the information! I had absolutely no idea whatsoever about any of that, except for the addresses 192.168.x.x, because that's the address for my ADSL router. Also, I remember 127.0.0.1 as the loopback or localhost address. The rest of it is completely new information to me and very helpful. Thank you very much!

I think I understand most of it, especially the part about the private addresses, but it still leaves me with some questions.

Firstly, if the addresses shown are ostensibly internal to the Gmail system (i.e., private), there is no way for anyone outside Google to determine that, or is there?

Secondly, if such an address as 10.78.148.13 could be used by anyone within their own private network, (in fact, there may be hundreds of private networks around the world using that particular private address somewhere in their system), is it possible that the message could still have originated from outside the Google system?

Thirdly, I seem to remember reading somewhere that any user can configure an email client so that outgoing messages will appear to originate from 127.0.0.1, or some other private address. (Please correct me if I'm wrong). IIRC, I think my copy of avast! Antivirus does something like this when scanning outgoing mail. Would it therefore be possible for a spammer to spoof a private address like that in order to fool applications such as SpamCop? Could Google's own server be fooled in this way?

Fourthly, (and I guess that this depends on the answers to the first three questions), how likely is it that the spams referred to in the Tracking URLs given in my OP really originated from within the Google system?

As Alice (of Wonderland fame) said: "Curiouser and curiouser."

Thank you once again for all your information.


Firstly, if the addresses shown are ostensibly internal to the Gmail system (i.e., private), there is no way for anyone outside Google to determine that, or is there?

There is no way for anyone outside of Google to determine exactly where the message came from, correct.

Secondly, if such an address as 10.78.148.13 could be used by anyone within their own private network, (in fact, there may be hundreds of private networks around the world using that particular private address somewhere in their system), is it possible that the message could still have originated from outside the Google system?

If that had happened, the message would have had a header including an IP address from where Google received it into their network.

Thirdly, I seem to remember reading somewhere that any user can configure an email client so that outgoing messages will appear to originate from 127.0.0.1, or some other private address. (Please correct me if I'm wrong). IIRC, I think my copy of avast! Antivirus does something like this when scanning outgoing mail. Would it therefore be possible for a spammer to spoof a private address like that in order to fool applications such as SpamCop? Could Google's own server be fooled in this way?

No, a mail server may include the information it is presented, but generates the IP address it receives the message from independently.

Fourthly, (and I guess that this depends on the answers to the first three questions), how likely is it that the spams referred to in the Tracking URLs given in my OP really originated from within the Google system?

Unless Google is dropping headers (which is against the RFCs), the messages are definitely originating within Google's network. The actual machine may be on some other network but using Google's email system. Google COULD report the IP address of that machine, but has chosen not to.

Because of this, all the spam I receive to my Gmail address, which get forwarded onto spamcop, get reported with Google as the source, for them to figure out (or not).

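The two explanations given in the posts above (the posted headers contain only private 10.x hops, and a receiving server records the connecting address itself rather than trusting what it is told) can be combined into one header walk. This is an added example, not part of the original posts and not SpamCop's parser; the second sample message, its hostnames and the 203.0.113.25 address are constructed, and the walk assumes the top-most headers were written by the recipient's own servers.

```python
import email
import ipaddress
import re

# RFC 1918 blocks quoted in the thread, plus loopback (also mentioned there).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")

def is_routable(ip):
    return not any(ip in net for net in NON_ROUTABLE)

def from_ips(header):
    """IPs in the 'from' clause: the peer the stamping server actually saw."""
    text = " ".join(header.split())              # unfold continuation lines
    m = re.match(r"from\s+(.*?)(?=\s+by\s+|;|$)", text)
    found = []
    for s in (IPV4.findall(m.group(1)) if m else []):
        try:
            found.append(ipaddress.ip_address(s))
        except ValueError:                       # e.g. 999.1.1.1
            pass
    return found

def source_ip(raw_message):
    """Walk Received headers newest-first; return the first routable peer.

    Headers below that hop were supplied by the sender and are not consulted,
    so a forged private or loopback address there changes nothing.
    """
    msg = email.message_from_string(raw_message)
    for header in msg.get_all("Received", []):
        for ip in from_ips(header):
            if is_routable(ip):
                return str(ip)
    return None                                  # "No source IP address found"

# Received lines as posted in the thread (Gmail-to-Gmail delivery).
GMAIL_INTERNAL = """\
Received: by 10.78.148.13 with SMTP id v13cs207394hud;
\tWed, 7 Mar 2007 21:22:17 -0800 (PST)
Received: by 10.90.25.3 with SMTP id 3mr1592agy.1173331336759;
\tWed, 07 Mar 2007 21:22:16 -0800 (PST)
Received: by 10.90.120.2 with HTTP; Wed, 7 Mar 2007 21:22:16 -0800 (PST)

"""

# Constructed sample: mail entering from outside, with a forged hop at the bottom.
EXTERNAL_WITH_FORGERY = """\
Received: by 10.78.148.13 with SMTP id constructed1;
\tWed, 7 Mar 2007 21:22:17 -0800 (PST)
Received: from mail.example.net (mail.example.net [203.0.113.25])
\tby mx.recipient.example with ESMTP id constructed2;
\tWed, 7 Mar 2007 21:22:16 -0800 (PST)
Received: from localhost (unknown [127.0.0.1]) by 10.1.2.3 with SMTP;
\tWed, 7 Mar 2007 21:22:15 -0800 (PST)

"""
```

`source_ip(GMAIL_INTERNAL)` returns `None`, which is the condition behind the parser error in this thread, while the constructed external message yields the address stamped by the receiving server regardless of the forged loopback hop beneath it.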

<SNIP>

Because of this, all the spam I receive to my Gmail address, which get forwarded onto spamcop, get reported with Google as the source, for them to figure out (or not).

Steven, thanks for clearing that up for me!

The messages in question had not actually been picked up by Google's spam filters, so, at least there was an opportunity to report them to Google as spam. As you say, it's then up to Google what to do with them.

Many thanks to everyone for all the info! I've learnt heaps of stuff I never knew before!


  • 3 weeks later...

Because of this, all the spam I receive to my Gmail address, which get forwarded onto spamcop, get reported with Google as the source, for them to figure out (or not).

And possibly because of this, my gmail.com account now gets the following error message:

Sorry, your account has been disabled.

And the spamcop POP account has 121 errors (estimating 15 minutes per cycle, that would be about 30 hours).

I have used the form provided to ask exactly why the account was disabled.


Sorry, your account has been disabled.

Your Gmail account, your SpamCop reporting account or your SpamCop WebMail account?

And the spamcop POP account has 121 errors (estimating 15 minutes per cycle, that would be about 30 hours).

What kind of errors?

I have used the form provided to ask exactly why the account was disabled.

Provided by whom: Gmail or SpamCop?

I have to say that my Gmail account never had problems like that. Also, I really ought to add the following "news" to this thread:

On New Year's Day 2007, I actually cancelled my old Gmail account (i.e., the account to which I was referring in my OP), and created a new one, with a 30-character user name made up of apparently random letters and numbers. (This has been done in an attempt to avoid the account being compromised by a dictionary attack).

During its relatively short life, the old Gmail account only ever had about 3 or 4 spams that appeared to come from within Gmail's domain. (That is in comparison with a total daily spam count of around 20-30 for the Gmail account, which is the level where I felt that the account was becoming unusable for me).

Also, I reported all spam to Google, regardless of where it came from. I hardly ever had any spam get past Google's filters, except for those spams which apparently had been sent internally within the Gmail domain. I also reported flagged spam along with unflagged spam. I couldn't report it directly as spam, but it was possible to report it as "phishing." I contend that all spams which are trying to sell something are, in fact, phishing, albeit in an indirect way. (I quite realise that this does not conform to the generally accepted definition of "phishing.") At any rate, during the whole of the period when the account was operating, I never had any problem with the account being disabled for any reason.

I had the account for just over a year and it started receiving spam after about 3 or 4 months, at an ever-increasing rate. Eventually, it became too time-consuming for me to report each spam manually, (because Gmail apparently has no way to forward a message as an attachment), so I cancelled the account and thus capitulated to the spammers.

My new Gmail account at least has an "unguessable" name, so I am hoping that at least it will be relatively safe from dictionary attack, (which is how my old account was compromised in the first place). So far (i.e., after 104 days), the account has received ZERO spam!!! :D


Sorry for not explaining better...

Your Gmail account, your SpamCop reporting account or your SpamCop WebMail account?

What kind of errors?

Provided by whom: Gmail or SpamCop?

My GMail account has been disabled. I am assuming because of the spam reported to google that was received by that account to spamcop.

SpamCop POP trying to retrieve the gmail messages is getting "Invalid password" error. The password had not been touched directly in months. I tried all the things on spamcop's side (resetting password, etc.) before venturing over to the gmail.com site itself and trying to log in.

When trying to find out why the gmail account was disabled, I submitted the form provided by google in their FAQ area.

My point in posting this is that if you report google emails to google, you may be jeopardizing your gmail account.


My point in posting this is that if you report google emails to google, you may be jeopardizing your gmail account.

Well, as I said in my previous post, I never had that problem myself, but, of course, that is not to say that it can't happen. <_<

I must say that I can't imagine why Google would not want users to report spam, although I seem to remember once or twice seeing a warning from the SpamCop parser, the gist of which was that the Google admins do not wish to receive reports. (IIRC, it was about Google-hosted links to spamvertised websites). It is even more difficult to understand how reporting spam could get your Gmail account disabled.

It is completely beyond me why such a large organisation such as Google would not be interested in getting behind the fight against the spammers and fraudsters of this world. They really ought to have co-operative arrangements with organisations such as SpamCop and KnujOn. Their reasoning is completely beyond me!

Anyway, good luck with Google. Let us know how you get on.


Well, as I said in my previous post, I never had that problem myself, but, of course, that is not to say that it can't happen.

Since I don't have a gmail account, I haven't been following this too closely. IIUC, from this and other threads, if you report spam from google, that puts google on the scbl because they don't put the originating IP address in the headers (if you have a non-google account in addition to the gmail account which can't be reported via spamcop because the headers are all internal). IOW, you are reporting your email service and they don't like that.

I agree - I don't understand why google doesn't cooperate with spamcop. They must be putting their eggs completely in the Bayesian filter basket.

Miss Betsy


I agree - I don't understand why google doesn't cooperate with spamcop. They must be putting their eggs completely in the Bayesian filter basket.

Someone should point their decision makers to the following pages on the KnujOn.com website:

Eight Reasons Why Content Blocking Does Not Work

KnujOn Frequently Asked Questions

KnujOn.com Mission Statement

The whole issue is argued so well, there's no way I could improve on it. The gentleman running the KnujOn site is an expert in computer security and forensics. Further information on him and his service can be found on the KnujOn General Discussion Forum at CastleCops, especially this early thread from last year. KnujOn rose to prominence in the anti-spam community at the time of the BlueFrog debacle. There is also an archived BlueFrog forum on CastleCops; that forum was closed down as interest in KnujOn increased. I was a BlueFrog user and, like many others, was totally dismayed at the power of the spammers to shut them down. I am well aware that my contribution to the anti-spam effort can only be very minor; I nevertheless feel that we all should contribute as much as we can, no matter how small that contribution may be. And, Miss Betsy, having read many of your excellently expressed and reasoned contributions to other similar threads in these forums, I'm pretty sure you would agree with me!

At any rate, at every possible opportunity, I push the line: "Don't delete spam without first reporting it to anyone who will listen!" Unfortunately the average clueless Windoze user is very hard to convince!

BTW, many thanks to everyone for wading through my interminable, (maybe even insufferable), ranting diatribes!


Oh, I agree completely that one should do whatever one can to report spam to the sender. It is somewhat like picking up litter when taking a walk. It is only a little bit in a specific area, but that area becomes litter free for a time - sometimes even a long time. If everyone did it, then there would be lots of areas free of litter.

Although I don't see how knujon could reduce a person's spam by shutting down websites since spammers are known to create websites by the hundreds and I don't agree with them that blocking at the server level is not effective, perhaps they may be making a difference. OTOH, there was a comment in the spamcop ngs that knujon may not actually be doing anything except listwashing, IIRC.

I do agree that allowing someone else to filter your email without complete knowledge of how they do it is not a good precedent for censorship. However, IMHO, shutting down websites is an even worse precedent for free speech. Shutting down email servers or computers for not complying with the rules of the road in sending email is like taking away a driver's license. OTOH, knujon seems to be targeting the truly criminal element in shutting down websites so that's a different story.

Miss Betsy


Archived

This topic is now archived and is closed to further replies.
