Report Spam To email
drpol

Accounts on our dedicated server have been sent spam. There is nothing unusual in this. However, SpamCop identifies the 'Report spam To:' email as the abuse email of our hosting company, and not of the originator of the spam. The following most recent report (with our server information taken out) shows that the spam (in this instance) originates from 81.169.145.100 (mailin.rzone.de); however, our hosting company is being sent reports of this spam and has disabled our server (they enabled it again since then). We have spent hundreds of dollars in identifying potential security weaknesses on our server and fixing contact forms as a result of this. However, it seems that the spam is not being relayed through our server. Why is SpamCop sending the innocent party's hosting company the email? Please check the following report (if you want the full report please PM me):

Received: from unknown (192.168.1.103)
  by blade2.cesmail.net with QMQP; 25 Jun 2007 14:31:51 -0000
Received: from ****.dedicated.****.net (HELO mail.****) (*****)
  by mx53.cesmail.net with SMTP; 25 Jun 2007 14:31:50 -0000
Received: (qmail 1261 invoked by uid 110); 25 Jun 2007 16:31:47 +0200
Delivered-To: 1-***[at]***
Received: (qmail 1225 invoked from network); 25 Jun 2007 16:31:37 +0200
Received: from unknown (HELO aldan) (80.67.50.25)
  by ****.dedicated.****.net with SMTP; 25 Jun 2007 16:31:37 +0200
Return-Path: <mehriesemanncof[at]riesemann.de>
Received: from 81.169.145.100 (HELO mailin.rzone.de)
  by ***** with esmtp (QBX691<,2, :+'ZO)
  id RNV(,C-83HM0/-'8
  for info[at]***; Mon, 25 Jun 2007 14:31:39 -0700
Date: Mon, 25 Jun 2007 14:31:39 -0700
From: "Douglas Kennedy" <mehriesemanncof[at]riesemann.de>
X-Mailer: The Bat! (v3.5.25) Professional
X-Priority: 3 (Normal)
Message-ID: <271827418.75637241070911[at]thhebat.net>
To: info[at]***
Subject: Hey man, stop throwing away your money
X-spam: Not detected
X-SpamCop-Checked: 192.168.1.103 ***** 80.67.50.25 81.169.145.100


I find your query a bit confusing. You talk about 'reporting' ... you state that you are including an example of a 'report' .. yet .... what I see is a heavily munged copy of a set of headers of an e-mail received by a spamcop.net e-mail account holder.

Someone using a spamcop.net e-mail account really should know a little about how spamcop.net works. There are clues, hints, suggestions, and instructions galore about this place that ask for a Tracking URL when the discussion is about the parsing results. Your example is too heavily munged for someone else to try to re-parse that sample to see what might have happened.

Please provide a Tracking URL of a parse that you say ends up with the wrong results. It would even help if you got specific on "your dedicated server" .. you "host" .. etc. .... I'm not really in the mood to lookup each piece of non-munged data in your example to see if I can sort out just who is whom in all that. Again, you did not provide a parsing result, you provided a received e-mail header ... different systems, different hardware, different software, and your munging does not allow for anyone 'here' to try to connect the dots.


Accounts on our dedicated server have been sent spam. There is nothing unusual in this. However, SpamCop identifies the 'Report spam To:' email as the abuse email of our hosting company, and not of the originator of the spam.

Ignoring your useless munged data and only going with what was entered above, I am making the following assumptions:

1. Your dedicated server received spam. (stated)

2. Someone who uses this server reported a spam they received to spamcop. (unstated)

3. SpamCop parsed the spam and came up with your provider's server as the source. (kind of stated)

If these are correct, then the person who reported the spam needs to configure mailhosts on their account and pay closer attention to where their reports are going. SpamCop does not send the reports... the reporter does.

SpamCop does its best to determine the source. There is something in your provider's configuration that does not allow SpamCop to trust your provider as a valid handler of your messages. A mailhost configuration will work around that issue by telling SpamCop what to trust for that account.


Thanks for the Tracking URL. As it turns out, the critical data was in fact included in the data that you munged out of your starting post. When you look at the Tracking URL with full Technical details turned on, the actual decision point is seen in the section:

Received: from unknown (HELO aldan) (80.67.50.25) by 69-64-72-207.dedicated.abac.net with SMTP; 25 Jun 2007 16:31:37 +0200
80.67.50.25 found
host 80.67.50.25 (getting name) no name
69.64.72.207 not listed in dnsbl.njabl.org
69.64.72.207 not listed in cbl.abuseat.org
69.64.72.207 not listed in dnsbl.sorbs.net
69.64.72.207 is not an MX for mx53.cesmail.net
69-64-72-207.dedicated.abac.net looks like a dynamic host, untrusted as relay
Parsing input: 69.64.72.207
Routing details for 69.64.72.207
Cached whois for 69.64.72.207 : abuse[at]aplus.net
Using abuse net on abuse[at]aplus.net
abuse net aplus.net = abuse[at]aplus.net
Using best contacts abuse[at]aplus.net

This would explain where the reports are going.

Report history against that IP address in the last 90 days include:
-----------------------------------------
Submitted: Tuesday, June 12, 2007 7:13:46 AM -0500:
Other guys are improving themselves..are you?
2330822216 ( 69.64.72.207 ) To: abuse[at]aplus.net
----------------------------------------
Submitted: Monday, June 11, 2007 8:57:11 AM -0500:
Become fit and happy again
2329207722 ( 69.64.72.207 ) To: abuse[at]aplus.net
----------------------------------------
Submitted: Monday, June 11, 2007 8:56:54 AM -0500:
Become fit and happy again
2329208709 ( 69.64.72.207 ) To: abuse[at]aplus.net
----------------------------------------
Submitted: Monday, June 11, 2007 8:56:53 AM -0500:
Become fit and happy again
2329208786 ( 69.64.72.207 ) To: abuse[at]aplus.net
----------------------------------------
Submitted: Monday, June 11, 2007 8:56:52 AM -0500:
Become fit and happy again
2329208841 ( 69.64.72.207 ) To: abuse[at]aplus.net
----------------------------------------
Submitted: Monday, June 11, 2007 8:56:52 AM -0500:
Become fit and happy again
2329208921 ( 69.64.72.207 ) To: abuse[at]aplus.net
----------------------------------------
Submitted: Sunday, June 10, 2007 7:43:16 AM -0500:
Can you imagine that you are healthy?
2327653987 ( 69.64.72.207 ) To: abuse[at]aplus.net
----------------------------------------
Submitted: Sunday, June 10, 2007 7:43:15 AM -0500:
Can you imagine that you are healthy?
2327654043 ( 69.64.72.207 ) To: abuse[at]aplus.net
----------------------------------------
Submitted: Sunday, June 10, 2007 7:43:14 AM -0500:
Can you imagine that you are healthy?
2327654085 ( 69.64.72.207 ) To: abuse[at]aplus.net
----------------------------------------
Submitted: Sunday, June 10, 2007 7:43:14 AM -0500:
Can you imagine that you are healthy?
2327654108 ( 69.64.72.207 ) To: abuse[at]aplus.net

The multiple complaints showing the same date/time stamps suggests that these are multiple e-mails hitting multiple recipients. Are these "your" outgoing e-mails? (Noting that the item demonstrated isn't showing in the history listing I pulled up .. hmmmmm??? Then again, there have been two major outages in the Parsing & Reporting system in the last few days ????)

http://www.senderbase.org/senderbase_queri...ng=69.64.72.207

Date of first message seen from this address 2007-04-17

It is possible that this IP address/server has been considered "new" by the SpamCop.net Parsing & Reporting system, leading to the "untrusted relay" parse comment, but ..... Subject: lines sure seem to fit the typical spammer mode. The "newly discovered" mode typically means that with more reports (or direct Deputy contact to identify this server manually in the database) future reports 'may' go beyond this server. As Steven stated, MailHost Configuration of that Reporting Account 'may' also allow the parsing to go beyond this IP address. But at present, the spamminess of the e-mail itself can't be ignored. The question boils down to --- is this "your" server and can you track down the actual source of this spew?

I'm not sure just what the "dedicated" is supposed to mean in the server 'name' .... the first 50 (of 201) displayed servers all carry the "dedicated" name descriptor .... I'm not convinced that there is all that much "dedication" going on, the appearances are that these are shared servers .....

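The two replies above describe the same mechanism from two sides: SpamCop walks the Received chain from the reporter's mailbox outward, trusts only hosts it knows to be the reporter's own relays (the mailhost configuration Steven mentions), and stops at the first hop it cannot trust, which is where "looks like a dynamic host, untrusted as relay" and the whois lookup for 69.64.72.207 come from. The script below is an added example, not SpamCop's code, that models that chain walk in a simplified form. The header sample is constructed from the headers quoted in the thread: the parts the poster masked with **** are filled in with the host and IP that appear in the parse output, plus obvious placeholders (example-placeholder.net, id-placeholder). The "dynamic host" test is an assumed heuristic (the reverse name embeds the IP), not SpamCop's real rule, and the script does no DNS or DNSBL lookups.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample based on the thread's headers. Masked values are replaced
# with the host/IP shown in the parse output and with labelled placeholders.
SAMPLE_HEADERS = """\
Received: from unknown (192.168.1.103)
  by blade2.cesmail.net with QMQP; 25 Jun 2007 14:31:51 -0000
Received: from 69-64-72-207.dedicated.abac.net (HELO mail.example-placeholder.net) (69.64.72.207)
  by mx53.cesmail.net with SMTP; 25 Jun 2007 14:31:50 -0000
Received: (qmail 1261 invoked by uid 110); 25 Jun 2007 16:31:47 +0200
Received: (qmail 1225 invoked from network); 25 Jun 2007 16:31:37 +0200
Received: from unknown (HELO aldan) (80.67.50.25)
  by 69-64-72-207.dedicated.abac.net with SMTP; 25 Jun 2007 16:31:37 +0200
Received: from 81.169.145.100 (HELO mailin.rzone.de)
  by mail.example-placeholder.net with esmtp (id-placeholder)
  for info@example-placeholder.net; Mon, 25 Jun 2007 14:31:39 -0700
Subject: Hey man, stop throwing away your money
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
PAREN_IP_RE = re.compile(r"\((" + IPV4 + r")\)")
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)


@dataclass
class Hop:
    from_name: str           # reverse name (or "unknown") logged by the receiving host
    from_ip: Optional[str]   # connecting IP recorded by the receiving host
    by_host: Optional[str]   # host that wrote this Received line


def unfold_headers(raw: str) -> List[str]:
    """Join continuation lines (leading whitespace) back onto their header."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_received(raw: str) -> List[Hop]:
    """Return the Received hops in message order, i.e. most recent hop first."""
    hops: List[Hop] = []
    for line in unfold_headers(raw):
        name, _, value = line.partition(":")
        if name.strip().lower() != "received":
            continue
        value = value.strip()
        m_from = FROM_RE.match(value)
        if not m_from:
            continue  # local qmail hops ("invoked by uid") name no remote host
        from_name = m_from.group(1)
        m_ip = PAREN_IP_RE.search(value)
        if m_ip:
            from_ip: Optional[str] = m_ip.group(1)
        elif re.fullmatch(IPV4, from_name):
            from_ip = from_name
        else:
            from_ip = None
        m_by = BY_RE.search(value)
        hops.append(Hop(from_name, from_ip, m_by.group(1) if m_by else None))
    return hops


def looks_dynamic(hostname: str, ip: str) -> bool:
    """Assumed heuristic, not SpamCop's rule: a reverse name that embeds the IP
    (69-64-72-207.dedicated.abac.net) reads like a generic pool, not a relay."""
    return ip.replace(".", "-") in hostname or ip in hostname


def find_source(hops: List[Hop], mailhost_ips: Set[str]) -> Tuple[Optional[str], List[str]]:
    """Walk outward from the reporter's side and stop at the first sending IP that
    is not a configured mailhost. Hops beyond it were written by an untrusted
    machine and are never examined, so a forged line deeper in the chain (the
    rzone.de one here) cannot shift the blame."""
    trail: List[str] = []
    for hop in hops:
        if hop.from_ip is None:
            trail.append(f"skip: no remote IP for hop from {hop.from_name}")
            continue
        if ipaddress.ip_address(hop.from_ip).is_private:
            trail.append(f"skip: {hop.from_ip} is an internal address")
            continue
        if hop.from_ip in mailhost_ips:
            trail.append(f"pass: {hop.from_ip} is a configured mailhost; trusting its Received line")
            continue
        reason = "untrusted as relay"
        if looks_dynamic(hop.from_name, hop.from_ip):
            reason = "looks like a dynamic host, " + reason
        trail.append(f"report: {hop.from_ip} ({hop.from_name}) {reason}")
        return hop.from_ip, trail
    trail.append("no external hop found")
    return None, trail


if __name__ == "__main__":
    chain = parse_received(SAMPLE_HEADERS)
    for label, mailhosts in (("no mailhost configured", set()),
                             ("server registered as mailhost", {"69.64.72.207"})):
        reported, trail = find_source(chain, mailhosts)
        print(f"{label}: report goes to the abuse contact for {reported}")
        for step in trail:
            print("  " + step)
```

Run without a mailhost entry, the walk stops at 69.64.72.207, which is exactly the thread's outcome (reports to abuse[at]aplus.net). Once that server is registered as the reporter's mailhost, its Received line is believed and the walk moves one hop further to 80.67.50.25, the host that actually connected to the server; the rzone.de line below it is never reached, because it sits in a part of the chain that an untrusted host wrote.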

The multiple complaints showing the same date/time stamps suggests that these are multiple e-mails hitting multiple recipients. Are these "your" outgoing e-mails? (Noting that the item demonstrated isn't showing in the history listing I pulled up .. hmmmmm??? Then again, there have been two major outages in the Parsing & Reporting system in the last few days ????)

These are certainly not "our" emails, but the worry is that our server is relaying this spam.

It is possible that this IP address/server has been considered "new" by the SpamCop.net Parsing & Reporting system, leading to the "untrusted relay" parse comment, but ..... Subject: lines sure seem to fit the typical spammer mode. The "newly discovered" mode typically means that with more reports (or direct Deputy contact to identify this server manually in the database) future reports 'may' go beyond this server. As Steven stated, MailHost Configuration of that Reporting Account 'may' also allow the parsing to go beyond this IP address. But at present, the spamminess of the e-mail itself can't be ignored. The question boils down to --- is this "your" server and can you track down the actual source of this spew?

We are trying to track this down but the concern is whether our server is the relay or not. The SpamCop reports seem to indicate that it is the case but then a closer inspection of the above report in question shows that the origin is not our server. Our server is "new" in the sense that we have only been operating for several months.

I'm not sure just what the "dedicated" is supposed to mean in the server 'name' .... the first 50 (of 201) displayed servers all carry the "dedicated" name descriptor .... I'm not convinced that there is all that much "dedication" going on, the appearances are that these are shared servers .....

This is a dedicated server, I suppose that the IP.dedicated.aplus.net makes it appear like the IP can change. I will confirm with Aplus why they use a dynamic looking host.


If you want to check your server out, there is a lot of information in the "Why Am I Blocked?" FAQ in the server admins' section. Also, spammers who have infected a server or a machine connected to the server, generally use a Port other than 25 for sending email so some server admins have found the source by looking at the firewall logs.

HTH

Miss Betsy

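Miss Betsy's suggestion of looking at the firewall logs is worth making concrete. The script below is an added example, not something from the thread or from SpamCop, that summarises outbound TCP connections per local user id and flags any uid that fans out to several distinct hosts on the same port, which is what a compromised script or account spewing mail looks like from the firewall's point of view. The log lines are constructed; they assume an iptables OUTPUT rule that logs new connections with `--log-uid` (a real LOG target option), and use documentation address ranges and made-up uids.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed iptables LOG lines (not from the thread). They assume a rule like
#   iptables -A OUTPUT -p tcp -m state --state NEW -j LOG --log-uid --log-prefix "OUT: "
# so that each new outbound TCP connection is logged with the owning uid.
# Addresses are documentation ranges; uid 1003 and uid 110 are made up.
SAMPLE_LOG = """\
Jun 25 16:31:35 srv kernel: OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=43012 DPT=25 UID=1003 GID=1003
Jun 25 16:31:35 srv kernel: OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 PROTO=TCP SPT=43013 DPT=25 UID=1003 GID=1003
Jun 25 16:31:36 srv kernel: OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.20 PROTO=TCP SPT=43014 DPT=25 UID=1003 GID=1003
Jun 25 16:31:36 srv kernel: OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.21 PROTO=TCP SPT=43015 DPT=2525 UID=1003 GID=1003
Jun 25 16:31:37 srv kernel: OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=43016 DPT=80 UID=1003 GID=1003
Jun 25 16:31:40 srv kernel: OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.50 PROTO=TCP SPT=51000 DPT=25 UID=110 GID=110
"""

# Pull out destination, destination port and (when --log-uid is on) the owning uid.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?PROTO=TCP\s+SPT=\d+\s+DPT=(?P<dpt>\d+)"
    r"(?:.*?\bUID=(?P<uid>\d+))?"
)


def outbound_by_uid(log_text: str, ignore_ports=frozenset({80, 443})) -> Dict[str, Dict[int, Set[str]]]:
    """Return {uid: {destination port: set of destination IPs}} for outbound
    TCP connections, leaving out ordinary web traffic so mail ports stand out.
    Packets without a UID field (kernel-originated) are grouped under 'kernel'."""
    table: Dict[str, Dict[int, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        dpt = int(m["dpt"])
        if dpt in ignore_ports:
            continue
        uid = m["uid"] if m["uid"] is not None else "kernel"
        table[uid][dpt].add(m["dst"])
    return table


def flag_spewing_uids(table: Dict[str, Dict[int, Set[str]]], min_destinations: int = 3) -> Dict[str, List[int]]:
    """Flag uids that connected to at least min_destinations distinct hosts on
    one port. A web server's uid talking to many remote MTAs on port 25 (or
    on an unusual port such as 2525) is the pattern to investigate."""
    flagged: Dict[str, List[int]] = {}
    for uid, ports in table.items():
        hits = sorted(dpt for dpt, dsts in ports.items() if len(dsts) >= min_destinations)
        if hits:
            flagged[uid] = hits
    return flagged


if __name__ == "__main__":
    summary = outbound_by_uid(SAMPLE_LOG)
    for uid, ports in summary.items():
        for dpt, dsts in sorted(ports.items()):
            print(f"uid {uid}: port {dpt} -> {len(dsts)} distinct destination(s)")
    print("suspicious:", flag_spewing_uids(summary))
```

With this sample, uid 1003 reaches three different hosts on port 25 within two seconds and is flagged, while uid 110's single delivery is not; the port 2525 connection is kept in the summary even though it is below the threshold, so a non-standard port does not hide from the report. In practice the threshold and the time window should be tuned to the server's normal mail volume.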

We have asked our hosting company to change our host to an rDNS which might solve the issue of the host being considered a dynamic relay.

Please can you check the following report:

http://www.spamcop.net/sc?id=z1340429420zc...580db486c7c28bz

As you can see it now does not send an email to our host but includes our IP for "Automated open-relay testing system". Is this temporary?


As you can see it now does not send an email to our host but includes our IP for "Automated open-relay testing system". Is this temporary?

SpamCop.net does not "test" for open relays. There are other tools, sites, databases for that .. which you will see in the list of "other checked places" in that same parse .... Going with the appearance that this IP address sending e-mail was in fact a "newly discovered" item, that IP address has been submitted to "other places" for that Open Relay Test bit ...

You also left that Parse "live" which could/would allow someone else to "fill in some of the blanks" and send it on your behalf. You need to "Cancel" it if you are not going to actually Send it ....
