samsx Posted August 10, 2007

Hi there! I have a problem with reporting my spam via email.

I run a Honeypot (SMTP Server and POP3 server) at 212.101.19.178 (Intranet Computername: SVR-WEB01-CHWA). On this Server, I host several mailboxes with the domains *[at]mx1.numb.ch and *[at]rbl.abuse.ch (MX record for both is tor.abuse.ch [212.101.19.178]).

Now I forward every spam mail to my spamcop email address. The problem is that for every mail the "parsing header" shows something like this:

Parsing header:
0: Received: from dsl-189-152-164-96.prod-infinitum.com.mx ([189.152.164.96]) by SVR-WEB01-CHWA with Microsoft SMTPSVC(6.0.3790.3959); Fri, 10 Aug 2007 01:47:37 +0200
No unique hostname found for source: 189.152.164.96
Possible forgery. Supposed receiving system not associated with any of your mailhosts
Will not trust anything beyond this header
No source IP address found, cannot proceed.
Nothing to do.

Here are some examples:
http://www.spamcop.net/sc?id=z1387999442zd...c591409d54fc14z
http://www.spamcop.net/sc?id=z1387999454ze...972a08a8ee747fz
http://www.spamcop.net/sc?id=z1387999419z9...cb3b4b48a42ddfz

My Mailhost-Configuration for rbl.abuse.ch is:
Mailhost name: rbl.abuse.ch
Email address: *hidden*[at]rbl.abuse.ch
Hosts/Domains:
Relaying IPs: (After I add mx1.numb.ch to the mailhosts, the IP-Address gets automatically removed)

My Mailhost-Configuration for mx1.numb.ch is:
Mailhost name: mx1.numb.ch
Email address: *hidden*[at]mx1.numb.ch
Hosts/Domains:
Relaying IPs: 212.101.19.178

Why is there no entry in the "Hosts/Domains" field? How can I change it? Can somebody help me?

(Sorry for my bad English)

Farelf Posted August 10, 2007

> ...Why is there no entry in the "Hosts/Domains" field? How can I change it? Can somebody help me?

This seems to be a mailhosts problem; I think your reporting difficulties come from there. Contact the Deputies as outlined in "Mailhost Issues - please read before posting" (the contact address is there). You have all the detail needed in your post above, I think; copy it into your email. Let us know if you have further difficulty afterwards, but hopefully it will all be fixed.

StevenUnderwood Posted August 10, 2007

> Now I forward every spam mail to my spamcop email address. The problem is that for every mail the "parsing header" shows something like this:
>
> Parsing header:
> 0: Received: from dsl-189-152-164-96.prod-infinitum.com.mx ([189.152.164.96]) by SVR-WEB01-CHWA with Microsoft SMTPSVC(6.0.3790.3959); Fri, 10 Aug 2007 01:47:37 +0200
> No unique hostname found for source: 189.152.164.96
> Possible forgery. Supposed receiving system not associated with any of your mailhosts
> Will not trust anything beyond this header
> No source IP address found, cannot proceed.
> Nothing to do.

1. You mention forward. Since you are not getting a "no body found" error, I am assuming these are being forwarded as attachment so as to be correctly implemented by the spamcop parser.

2. Is it your server adding the "by SVR-WEB01-CHWA with Microsoft SMTPSVC(6.0.3790.3959);"? If these messages to your honeypot are taking a different path, they will need a new mailhost configured.

samsx Posted August 10, 2007 (Author)

> 1. You mention forward. Since you are not getting a "no body found" error, I am assuming these are being forwarded as attachment so as to be correctly implemented by the spamcop parser.
>
> 2. Is it your server adding the ? If these messages to your honeypot are taking a different path, they will need a new mailhost configured.

1. Yes, I'm forwarding these messages as attachments. I've never seen such an error message.

2. Yes, that's my SMTP Server which is adding this line. What do you mean with "talking a different path"?

StevenUnderwood Posted August 10, 2007

> 2. Yes, that's my SMTP Server which is adding this line. What do you mean with "talking a different path"?

A different path would be a different server software accepting the messages and placing its headers differently.

Your server should be adding a fully qualified domain name to the message. That should allow the MailHosts to add a domain to the configuration and allow the message to be parsed correctly.

Do all of your messages have this format or only those coming through the honeypot? (Trying to figure out why you added the honeypot information)

samsx Posted August 10, 2007 (Author)

Thanks for your reply.

I have deleted the Mailhost and made a new one. When I submitted the test mail, I changed the "Received" line manually and wrote tor.abuse.ch instead of SVR-WEB01-CHWA. Now, the Mailhost-Configuration is something like this:

Mailhost name: rbl.abuse.ch
Email address: *hidden*[at]rbl.abuse.ch
Hosts/Domains: rbl.abuse.ch (HURRAY before, here was no "Hosts" or "Domains" listed!)
Relaying IPs: 212.101.19.178

Now it seems to be right (or not?)

I've tried to report a spam manually and have also changed the "Received" line to tor.abuse.ch, but the failure is the same:

0: Received: from [210.111.205.158] ([210.111.205.158]) by tor.abuse.ch with Microsoft SMTPSVC(6.0.3790.3959); Fri, 10 Aug 2007 06:39:26 +0200
No unique hostname found for source: 210.111.205.158
Possible forgery. Supposed receiving system not associated with any of your mailhosts
Will not trust anything beyond this header
No source IP address found, cannot proceed.
Nothing to do.

Could it be that the problem occurs because the rDNS of 212.101.19.178 is not "tor.abuse.ch"?

EDIT: I have now added the IP-Address of my server to the spam mail (http://www.spamcop.net/sc?id=z1388669271z2ab4a17544a68704a6ebb8b14f97bd44z). Now it works!

Original Received line:
Received: from localhost ([84.57.123.18]) by SVR-WEB01-CHWA with Microsoft SMTPSVC(6.0.3790.3959); Thu, 9 Aug 2007 23:04:18 +0200

Edited Received line:
Received: from localhost ([84.57.123.18]) by tor.abuse.ch (212.101.19.178) with Microsoft SMTPSVC(6.0.3790.3959); Thu, 9 Aug 2007 23:04:18 +0200

How can I tell my server that it should use the "correct" Received line?

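An added example, not part of the thread and not SpamCop's parser: a pre-flight check a honeypot operator could run on the topmost Received line before forwarding, using the three header variants and the mailhost values posted above. The exact-match rule and the result labels are assumptions chosen to reproduce the outcomes reported in the thread.

```python
import re

# Mailhost entry as posted in the thread after it was re-created.
MAILHOST = {"hosts": {"rbl.abuse.ch"}, "relay_ips": {"212.101.19.178"}}

# Received lines taken from the thread: stock header, renamed host, host + IP.
ORIGINAL = ("Received: from localhost ([84.57.123.18]) by SVR-WEB01-CHWA "
            "with Microsoft SMTPSVC(6.0.3790.3959); Thu, 9 Aug 2007 23:04:18 +0200")
RENAMED = ("Received: from [210.111.205.158] ([210.111.205.158]) by tor.abuse.ch "
           "with Microsoft SMTPSVC(6.0.3790.3959); Fri, 10 Aug 2007 06:39:26 +0200")
EDITED = ("Received: from localhost ([84.57.123.18]) by tor.abuse.ch (212.101.19.178) "
          "with Microsoft SMTPSVC(6.0.3790.3959); Thu, 9 Aug 2007 23:04:18 +0200")

# "by <host> [(<ip>)]" clause; the IP may be written as (1.2.3.4) or ([1.2.3.4]).
BY_RE = re.compile(
    r"(?:^|\s)by\s+(?P<host>[A-Za-z0-9.-]+)"
    r"(?:\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\))?"
)

def receiving_system(received):
    """Return (host, ip_or_None) from the 'by' clause, or None if absent."""
    unfolded = " ".join(received.split())  # join folded continuation lines
    m = BY_RE.search(unfolded)
    return (m.group("host").lower(), m.group("ip")) if m else None

def check_received(received, mailhost=MAILHOST):
    """Classify the receiving system against one mailhost entry.

    Labels are hypothetical; matching is exact (an assumed simplification).
    """
    parsed = receiving_system(received)
    if parsed is None:
        return "no-by-clause"
    host, ip = parsed
    if ip in mailhost["relay_ips"]:
        return "ok-relay-ip"
    if host in mailhost["hosts"]:
        return "ok-host"
    if "." not in host:
        return "bare-hostname"   # intranet name, nothing resolvable to match
    return "unknown-fqdn"        # FQDN, but not listed for this mailhost

if __name__ == "__main__":
    for name, line in (("original", ORIGINAL), ("renamed", RENAMED), ("edited", EDITED)):
        print(name, receiving_system(line), check_received(line))
```
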
samsx Posted August 12, 2007 (Author)

Seems to work now. Thanks to Don D'Minion (SpamCop Admin)

Farelf Posted August 12, 2007

That's good. Thanks for the update!