goofy173 Posted July 10, 2007

I received tens of spam a day from the same place and supposedly from the same website every day about cameras among other things. It is the same spams over and over and over for months. While I typed this I received 3 more of them! I used to send these to Spamcop to be parsed but after nothing was done, I contacted he.net directly. They responded:

The only connection this spam has to anything involving Hurricane Electric is the forged Received: header, with 208.73.93.84 claiming to be mail.zfvak.com, which is one of our colocation customers. There's nothing we can do about that. You'll need to contact the owners of 208.73.93.84.

I notice now that after the tracking URL, SpamCop says, "Trivial Forgery" whatever that means. If it's forged, then why does SpamCop always want to send the reports to he.net?

http://www.spamcop.net/sc?id=z1354055448z0...439400cd416ce3z

This confuses me as Spamcop says zfvak.com goes to abuse[at]he.net and 208.73.93.84 goes to abuse[at]he.net
Wazoo Posted July 10, 2007

starting from the bottom;

07/09/07 23:20:05 Slow traceroute zfvak.com
Trace zfvak.com (72.52.71.222) ...
213.248.84.46 RTT: 26ms TTL:170 (hurricane-108836-chi-bb1.c.telia.net ok)
72.52.92.73 RTT: 86ms TTL:170 (10gigabitethernet3-2.core1.sjc2.he.net ok)
72.52.81.177 RTT: 90ms TTL:170 (10gigabitethernet1-2.core1.fmt2.he.net ok)
72.52.71.222 RTT: 107ms TTL:117 (No rDNS)

http://mailsc.spamcop.net/sc?action=rcache;ip=72.52.71.222
Tracking details
Display data:
"whois 72.52.71.222[at]whois.arin.net" (Getting contact from whois.arin.net )
checking NET-72-52-71-0-1
Display data:
"whois NET-72-52-71-0-1[at]whois.arin.net" (Getting contact from whois.arin.net )
Found AbuseEmail in whois abuse[at]he.net
72.52.71.0 - 72.52.71.255:abuse[at]he.net
checking NET-72-52-64-0-1
Display data:
"whois NET-72-52-64-0-1[at]whois.arin.net" (Getting contact from whois.arin.net )
Found AbuseEmail in whois abuse[at]he.net
72.52.64.0 - 72.52.127.255:abuse[at]he.net
Routing details for 72.52.71.222
Using abuse net on abuse[at]he.net
abuse net he.net = abuse[at]he.net
Using best contacts abuse[at]he.net

Re: http://zfvak.com/do.cgi?act=SREM&mid=466&am... (Administrator of network hosting website referenced in spam)
To: abuse[at]he.net (refuses to accept this type of report)
To: abuse#he.net[at]devnull.spamcop.net (Notes)

1: Received: from 208.73.88.239 by 208.73.88.239.zfvak.com with SMTP id 30060
No unique hostname found for source: 208.73.88.239
Possible forgery. Supposed receiving system not associated with any of your mailhosts
Will not trust anything beyond this header
Trivial forgery

how many more ways would you like/need to be informed that this line is nothing but garbage?

on the other hand, a non-mailhost configured account offers this as a parse result;

Received: from 208.73.88.239 by 208.73.88.239.zfvak.com with SMTP id 30060
208.73.88.239 found
host 208.73.88.239 = host5.tremendousnewsoffer.com. (cached)
208.73.88.239 not listed in dnsbl.njabl.org
208.73.88.239 not listed in cbl.abuseat.org
208.73.88.239 not listed in dnsbl.sorbs.net
208.73.88.239 is not an MX for mta235.mail.re3.yahoo.com
208.73.88.239.zfvak.com looks like a dynamic host, untrusted as relay

different description, possibility of a "newly discovered" server there, but again, the line itself still sucks

so, one is left with the only other header line with actual data;

your parse;

0: Received: from 208.73.88.239 (EHLO mail.zfvak.com) (208.73.88.239) by mta235.mail.re3.yahoo.com with SMTP; Mon, 09 Jul 2007 20:12:54 -0700
No unique hostname found for source: 208.73.88.239
YahooMud received mail from sending system 208.73.88.239

non-mailhost configured parse;

Received: from 208.73.88.239 (EHLO mail.zfvak.com) (208.73.88.239) by mta235.mail.re3.yahoo.com with SMTP; Mon, 09 Jul 2007 20:12:54 -0700
208.73.88.239 found
host 208.73.88.239 = host5.tremendousnewsoffer.com. (cached)
Possible spammer: 208.73.88.239
Received line accepted

very different parse result outputs, but the result is the same .... and the reason for HE getting these reports;

Reports routes for 208.73.88.239:
routeid:28530616 208.73.88.0 - 208.73.95.255 to:abuse[at]he.net
Administrator interested in all reports
Sunday, June 24, 2007 10:45:53 PM -0500 [Note added by 70.76.161.11 (S0106001195758c79.ss.shawcable.net)]
Reports scattered all over by abuse.net, resulting in complaints about reports for blocks they have no control of. abuse[at]net-outsource.com disabled b/c of listwashing. HE is upstream of this /21
abuse net net-outsource.com = abuse[at]he.net, abuse[at]virpus.com, abuse[at]colo4dallas.com, abuse[at]colo4dallas.net, abuse[at]net-outsource.com, postmaster[at]net-outsource.com

07/09/07 23:31:09 Slow traceroute 208.73.88.239
Trace 208.73.88.239 ...
213.248.84.46 RTT: 23ms TTL:170 (hurricane-108836-chi-bb1.c.telia.net ok)
72.52.92.38 RTT: 20ms TTL:170 (port-channel1.gsr12012.chi.he.net ok)
64.62.252.1 RTT: 88ms TTL:170 (pos0-3.gsr12416.sjc2.he.net ok)
64.62.133.17 RTT: 90ms TTL:170 (pos6-0.gsr12012.sjc.he.net ok)
216.218.227.230 RTT: 102ms TTL:170 (No rDNS)
208.73.88.239 RTT: 85ms TTL:115 (No rDNS)

07/09/07 23:32:28 IP block 208.73.88.239
Trying 208.73.88.239 at ARIN
Trying 208.73.88 at ARIN
Network Outsourcing, Inc. NETOUT-NET (NET-208-73-88-0-1) 208.73.88.0 - 208.73.95.255
Taylor Tech NETOUT-NET-208-73-88-0-24 (NET-208-73-88-0-2) 208.73.88.0 - 208.73.88.255

whois -h whois.arin.net !net-208-73-88-0-1 ...
OrgName: Network Outsourcing, Inc.
OrgID: NETWO-113
Address: 19 East Main Street
City: Belgrade
StateProv: MT
PostalCode: 59714
Country: US
NetRange: 208.73.88.0 - 208.73.95.255
CIDR: 208.73.88.0/21
NetName: NETOUT-NET
NetHandle: NET-208-73-88-0-1
Parent: NET-208-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.NET-OUTSOURCE.COM
NameServer: NS2.NET-OUTSOURCE.COM
Comment: http://www.net-outsource.com/
RegDate: 2006-12-11
Updated: 2006-12-11
RAbuseHandle: ABUSE1171-ARIN
RAbuseName: Abuse
RAbusePhone: +1-888-267-9093
RAbuseEmail: abuse[at]net-outsource.com
RNOCHandle: NOC2105-ARIN
RNOCName: Network Operation Center
RNOCPhone: +1-888-267-9093
RNOCEmail: noc[at]net-outsource.com
RTechHandle: ADMIN804-ARIN
RTechName: Administrator
RTechPhone: +1-888-267-9093
RTechEmail: admin[at]net-outsource.com
OrgAbuseHandle: ABUSE1171-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-888-267-9093
OrgAbuseEmail: abuse[at]net-outsource.com
OrgNOCHandle: NOC2105-ARIN
OrgNOCName: Network Operation Center
OrgNOCPhone: +1-888-267-9093
OrgNOCEmail: noc[at]net-outsource.com

whois -h whois.arin.net !net-208-73-88-0-2 ...
CustName: Taylor Tech
Address: 549 North Wickham Road
City: Melbourne
StateProv: FL
PostalCode: 32935
Country: US
RegDate: 2007-04-19
Updated: 2007-04-23
NetRange: 208.73.88.0 - 208.73.88.255
CIDR: 208.73.88.0/24
NetName: NETOUT-NET-208-73-88-0-24
NetHandle: NET-208-73-88-0-2
Parent: NET-208-73-88-0-1
NetType: Reassigned
Comment:
RegDate: 2007-04-19
Updated: 2007-04-23
RAbuseHandle: ABUSE1171-ARIN
RAbuseName: Abuse
RAbusePhone: +1-888-267-9093
RAbuseEmail: abuse[at]net-outsource.com

From appearances, host is out of control, and HE doesn't want to get involved ... perhaps not enough evidence provided as to what is actually going on ...
goofy173 (Author) Posted July 10, 2007

1: Received: from 208.73.88.239 by 208.73.88.239.zfvak.com with SMTP id 30060
No unique hostname found for source: 208.73.88.239
Possible forgery. Supposed receiving system not associated with any of your mailhosts
Will not trust anything beyond this header
Trivial forgery

how many more ways would you like/need to be informed that this line is nothing but garbage?

Still waiting on being informed the first time. I have no idea what you are talking about. Spamcop is putting out garbage?

From appearances, host is out of control, and HE doesn't want to get involved ... perhaps not enough evidence provided as to what is actually going on ...

So again, where should abuse complaints go to? The mumble jumble you posted doesn't give me a clue. Either He.net is the responsible party or they aren't. If they are, then they are ignoring Spamcop reports.
Miss Betsy Posted July 10, 2007

Still waiting on being informed the first time. I have no idea what you are talking about. Spamcop is putting out garbage?

I think, but am not sure, since I, too, find it difficult to understand what all that means, that spamcop thinks the 'line' itself is garbage and Wazoo agrees by using different tools.

So again, where should abuse complaints go to? The mumble jumble you posted doesn't give me a clue. Either He.net is the responsible party or they aren't. If they are, then they are ignoring Spamcop reports.

They are 'responsible' for the range of IP addresses in which the one in question is. However, they have leased it to someone else (probably net-outsource.com, who somebody thinks is a possible spammer) who may have customers also, most likely host5.tremendousnewsoffer.com, who is the actual spammer. HE is the 'upstream' and would probably tell net-outsource, who would tell tremendousnewsoffer. However, for some reason, HE is unwilling to do anything to curb net-outsource because they aren't making tremendousnewsoffer stop whatever it is they are doing (knowingly or unknowingly due to trojans). And tremendousnewsoffer is probably knowingly a spammer and wouldn't stop unless their host cut them off.

Because you have configured mailhosts on your account, the parser only recognizes that that header line means nothing and won't go any further. If you know enough about headers, like Wazoo, you can find out where the 'real' header is. And, if you parse it with a non-mailhosted account, the parser also is able to find the real header line that shows the real source of the email, but it wants to send reports to HE, which has told spamcop as well as you that it doesn't want to hear about it because they aren't going to do anything about it. The reports go to devnull, which means that although the report isn't sent, the IP address is added to the bl.

I don't understand the relationships among upstreams and hosts very well. However, you need to remember that they are making money from their customers. If the block doesn't affect them, then unless they are very principled, they don't do anything. Also, sometimes they can't do anything - i.e. Wazoo's comment about "...perhaps not enough evidence provided as to what is actually going on ..."

For people who use the spamcop bl, it would be worthwhile to report those spams with a non-mailhosted account so the IP address may get listed. For people who are just reporting as a good citizen, then unless you want to take the time to learn more about headers and other ways of shutting down spammers, it probably isn't worth the time. Use some other kind of filter to keep them out of your inbox.

Wazoo is probably either laughing at my explanation or will correct my misapprehensions. If he does, then I may learn something more about what the experts know about spam. However, it will take me a while to figure out what he says since I am technically non-fluent and will depend on how much time I have to do so. However, he does know what he is talking about and when I have time, I do try to make sense of what he posts.

HTH

Miss Betsy
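As an added illustration of the mailhost-style walk that the two posts above describe (example code written for this page, not SpamCop's parser and not anything posted by the thread's participants), the script below takes the two Received: lines quoted earlier and shows why the inner line is thrown away and the Yahoo line yields the source IP. The mailhost set and the PTR table are constructed stand-ins for the account's mailhost configuration and for the DNS lookups a real parser does online.

```python
import re

# Constructed sample: the two Received: lines quoted in the thread, newest hop first,
# as they would sit in the message headers.
HEADERS = """\
Received: from 208.73.88.239 (EHLO mail.zfvak.com) (208.73.88.239) by mta235.mail.re3.yahoo.com with SMTP; Mon, 09 Jul 2007 20:12:54 -0700
Received: from 208.73.88.239 by 208.73.88.239.zfvak.com with SMTP id 30060
"""

# The "mailhosts": receiving systems the recipient knows really handle their mail.
MAILHOSTS = {"mta235.mail.re3.yahoo.com"}

# Constructed stand-in for reverse DNS; the value is what the thread's
# non-mailhost parse reported for this IP (host5.tremendousnewsoffer.com.).
PTR = {"208.73.88.239": "host5.tremendousnewsoffer.com."}

RECEIVED_RE = re.compile(r"^Received:\s+from\s+(?P<from>\S+)"
                         r"(?:\s+\(EHLO\s+(?P<ehlo>[^)\s]+)\))?.*?\bby\s+(?P<by>\S+)", re.I)
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def parse_received(headers):
    """One dict per Received: line (newest first): the IP the sending system
    connected from, what it claimed in EHLO, and which host wrote the line."""
    hops = []
    for line in headers.splitlines():
        m = RECEIVED_RE.match(line)
        if not m:
            continue
        ips = IPV4_RE.findall(line[: m.start("by")])   # IPs in the 'from' part only
        hops.append({"ip": ips[0] if ips else None, "ehlo": m.group("ehlo"),
                     "by": m.group("by").rstrip(";")})
    return hops

def find_source(hops, mailhosts):
    """Mailhost-style walk: a hop is trusted only if the host that wrote it is one of
    our mailhosts. The 'from' IP of the last trusted hop is the real sender; the first
    hop written by an unknown host, and everything below it, was supplied by the
    sender itself and is ignored (possible forgery)."""
    source = None
    for hop in hops:
        if hop["by"].lower() not in mailhosts:
            return source, f"untrusted header claims 'by {hop['by']}': ignored, possible forgery"
        source = hop["ip"]
    return source, "all hops written by known mailhosts"

def ehlo_matches_rdns(hop, ptr):
    """The EHLO name (here mail.zfvak.com) is just text the connecting system sent;
    it only means something if the IP's reverse DNS agrees with it."""
    name = ptr.get(hop["ip"], "").rstrip(".").lower()
    return bool(name) and name == (hop["ehlo"] or "").lower()
```

Run against the sample, `find_source` returns 208.73.88.239 with the zfvak.com line flagged, and `ehlo_matches_rdns` is False for the Yahoo hop, which is why the mail.zfvak.com claim says nothing about who actually sent the message.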
Wazoo Posted July 10, 2007

Topic Subject line: forged headers but Spamcop doesn't know it

demonstrated/proven wrong several times within this Topic/Discussion

I copied/pasted one of the Deputies' notes for the hand-massaging of the database to send reports upstream on this IP address ... both lousy abuse.net data and whitelisting issues were described ...

I documented that both the spam source and the hosting of the spamvertised web-site were in IP Address space allocated to HE.

I noted that HE has set flags to advise that they don't want to hear about web-site stuff.

I posted the WHOIS data on the "ownership" of the IP Address used for the web-hosting, demonstrating that although two separate 'entities' are used, (one using a MT, USA address, the other pointing to a FL, USA address) both are using the same e-mail contact addresses.

bottom line: net-outsource.com appears to be in collusion with the spammer, or is in fact the spammer ... They don't respond positively to SpamCop.net reports. The upstream for both the spew and the web-site ultimately ends up being HE, and HE has already opted out of spamvertised site actions, then basically blew you off on the spew complaint.

I provided all that 'mumbo jumbo' so that you could see the same data, come to the same conclusions.

Basically, this kind of non-response is where several other BLs come into play .... APEWS for instance ... so the next issue that comes into play is whether or not you can use any of these other BLs ...

Concepts involved: SpamCop.net is based on letting ISPs that gave a damn some information that they can work with to stop the spam. If the ISP involved doesn't care, then that's where the SpamCopDNSBL comes into play. Given enough time and spew, then other BLs list the same (or expanded) data ....

All that said, Wazoo is looking at developing yet more Wiki page data ... yet again wondering if it's worth it, as no one seems to want to do their own research on things like this .....
goofy173 (Author) Posted July 11, 2007

Ok to both of you. I kind of understand what you are saying now, but you're still over my head and I thought I knew a lot about spam. The good thing is that these are going into my Bulk folder anyway. I think I set up filters on Yahoo to do this a couple of months ago.

The thing is that there is no reason for a spammer to do this, except just to be an a**hole as there are so many of the same spam coming through. Do they think that someone will finally buy into what they are selling because they have received the same spam 1000 times? I doubt it.

I wasn't using SpamCop anymore to report them so HE.Net was getting a load because I felt that they weren't doing anything about it, so for 2 weeks I forwarded every one of them to their 5 contact addresses on their contact page. Still nothing was done, so I contacted them by my Hotmail address and that's when I finally got a response.
goofy173 (Author) Posted July 11, 2007

Funny, but I think the spam has stopped. When I finally received a response from them I was using my Hotmail account. I was told to forward one of the spams to them which I did and I believed that I removed all instances of my Yahoo email address so that they couldn't whitelist me. Maybe it will start up again but normally I would have received 3-5 of those spams during these last 2 message posts.
Telarin Posted July 11, 2007

Spammers will usually try to hit their lists with many copies of the same, or very similar spams, in the hopes that one of the many will make it through spam filters and actually end up in the inbox. On the other hand, if all the spams are identical, and coming from the same IP address, I would suggest referring to Spammer Rule #3. Possibly also James' Axioms may apply as well.
goofy173 (Author) Posted July 12, 2007

I don't know what the pause was but they've started back up again. I am actually going to call Hurricane Electric tomorrow to have a further discussion with them.
Telarin Posted July 12, 2007

Good luck. I think a more effective way to cut down on spam coming from HE might involve a pair of wire cutters, but your approach has a much lower probability of legal trouble.