[Resolved] Problems with Reporting Spam (No unique hostname found for source)

[samsx]

Hi there!

I have a problem with report my spam via email.

I run a Honeypot (SMTP Server and POP3 server) at 212.101.19.178 (Intranet Computername: SVR-WEB01-CHWA).

On this Server, I host several mailboxes with the domains *[at]mx1.numb.ch and *[at]rbl.abuse.ch (MX record for both is tor.abuse.ch [212.101.19.178]).

Now I forward every spam mail to my spamcop email address.

The problem is, that every mail the "parsing header" shows something like this:

Parsing header:

0: Received: from dsl-189-152-164-96.prod-infinitum.com.mx ([189.152.164.96]) by SVR-WEB01-CHWA with Microsoft SMTPSVC(6.0.3790.3959); Fri, 10 Aug 2007 01:47:37 +0200

No unique hostname found for source: 189.152.164.96

Possible forgery. Supposed receiving system not associated with any of your mailhosts

Will not trust anything beyond this header

No source IP address found, cannot proceed.

Nothing to do.

Here are some examples:

http://www.spamcop.net/sc?id=z1387999442zd...c591409d54fc14z

http://www.spamcop.net/sc?id=z1387999454ze...972a08a8ee747fz

http://www.spamcop.net/sc?id=z1387999419z9...cb3b4b48a42ddfz

My Mailhost-Configuration for rbl.abuse.ch is:

Mailhost name: rbl.abuse.ch

Email address: *hidden*[at]rbl.abuse.ch

Hosts/Domains:

Relaying IPs: (After I add mx1.numb.ch to the mailhosts, the IP-Address gets automaticly removed)

My Mailhost-Configuration for mx1.numb.ch is:

Mailhost name: mx1.numb.ch

Email address: *hidden*[at]mx1.numb.ch

Hosts/Domains:

Relaying IPs: 212.101.19.178

Why is there no entry in the "Hosts/Domains" field? How can i change it?

Can somebody help me?

(Sorry for my bad english)

[Farelf]

...Why is there no entry in the "Hosts/Domains" field? How can i change it?

Can somebody help me?

This seems to be a mailhosts problem, I think your reporting difficulties come from there. Contact the Deputies as outlined in Mailhost Issues - please read before posting (the contact address is there). You have all the detail needed in your post, above, I think, copy it into your email. Let us know if you have further difficulty afterwards but hopefully it will all be fixed.

[StevenUnderwood]

Now I forward every spam mail to my spamcop email address.

The problem is, that every mail the "parsing header" shows something like this:

Parsing header:

0: Received: from dsl-189-152-164-96.prod-infinitum.com.mx ([189.152.164.96]) by SVR-WEB01-CHWA with Microsoft SMTPSVC(6.0.3790.3959); Fri, 10 Aug 2007 01:47:37 +0200

No unique hostname found for source: 189.152.164.96

Possible forgery. Supposed receiving system not associated with any of your mailhosts

Will not trust anything beyond this header

No source IP address found, cannot proceed.

Nothing to do.

1. You mention forward. Since you are not getting a "no body found" error, I am assuming these are being forwarded as attachment so as to be correctly implemeneted by the spamcop parser.

2. Is it your server adding the

by SVR-WEB01-CHWA with Microsoft SMTPSVC(6.0.3790.3959);

? If these messages to your honeypot are taking a different path, they will need a new mailhost configured.

[samsx]

1. You mention forward. Since you are not getting a "no body found" error, I am assuming these are being forwarded as attachment so as to be correctly implemeneted by the spamcop parser.

2. Is it your server adding the ? If these messages to your honeypot are taking a different path, they will need a new mailhost configured.

1. Yes, i'm forward these messages as attachment. I've never seen such an error message.

2. Yes, that's my SMTP Server which is adding this line. What do you mean with "talking a different path"?

[StevenUnderwood]

2. Yes, that's my SMTP Server which is adding this line. What do you mean with "talking a different path"?

A different path would be a different server software accepting the messages and placing its headers differently.

Your server should be adding a fully qualified domain name to the message. That should allow the MailHosts to add a domain to the configuration and allow the message to be parsed correctly. Do all of your messages have this format or only those coming through the honeypot? (Trying to figure out why you added the honeypot information)

[samsx]

Thanks for your reply

I have deleted the Mailhost and made a new one.

When i submitted the test mail, I've changed the "Received"-Line manually and wrote tor.abuse.ch instead of SVR-WEB01-CHWA.

Now, the Mailhost-Configurations is something like this:

Mailhost name: rbl.abuse.ch

Email address: *hidden*[at]rbl.abuse.ch

Hosts/Domains: rbl.abuse.ch (HURRAY before, here was no "Hosts" or "Domains" listed!)

Relaying IPs: 212.101.19.178

Now it seems to be right (or not? )

I've tried to report a spam manually and have also changed the "Received"-Line to tor.abuse.ch but the failure is the same:

0: Received: from [210.111.205.158] ([210.111.205.158]) by tor.abuse.ch with Microsoft SMTPSVC(6.0.3790.3959); Fri, 10 Aug 2007 06:39:26 +0200

No unique hostname found for source: 210.111.205.158

Possible forgery. Supposed receiving system not associated with any of your mailhosts

Will not trust anything beyond this header

No source IP address found, cannot proceed.

Nothing to do.

Could it be, that the problem occurs because the rDNS of 212.101.19.178 is not "tor.abuse.ch"?

EDIT: I have now added the IP-Address of my server to the spam mail (http://www.spamcop.net/sc?id=z1388669271z2ab4a17544a68704a6ebb8b14f97bd44z).

Now it works!

orginal Received line: Received: from localhost ([84.57.123.18]) by SVR-WEB01-CHWA with Microsoft SMTPSVC(6.0.3790.3959);

Thu, 9 Aug 2007 23:04:18 +0200

edited Received line: Received: from localhost ([84.57.123.18]) by tor.abuse.ch (212.101.19.178) with Microsoft SMTPSVC(6.0.3790.3959);

Thu, 9 Aug 2007 23:04:18 +0200

How can i tell my server, that it should use the "correct" Recived line?

[samsx]

Seems to work now.

Thanks to Don D'Minion (SpamCop Admin)

[Farelf]

That's good. Thanks for the update!