agamemnus Posted October 11, 2007

Hello again everyone, I am now using Mozilla Thunderbird to help me with my spam problem. I set it to autoreport spam. The vast majority is coming from 76.96.62.xx, which is a farm field in Kansas (corner of NW River Valley Rd. and NW 120th St.) and a Comcast range of addresses. However, there is a second "received" IP coming from Romania. I'm not sure which one is being faked here. I think it would be the second one (the one Spamcop thinks is the real one)... am I right?

Here are the two recently reported spam emails in question: 2552322841 & 2552322379. They each have two Received fields!
Farelf Posted October 11, 2007

> Here are the two recently reported spam emails in question: 2552322841 & 2552322379.

One of the SC staff could no doubt pull up those spam from report IDs. But they're usually otherwise engaged (fighting spam or something). If you want other members "here" to have a look and confirm your reading of the headers you need to post a tracking URL (link), which is one of the basic suggestions/directions about asking questions "here" and plastered all over the shop. Be a good lad or lass and give us a tracking link and we won't have to ignore you. We would rather help.

The top IP address is probably that of your own provider. If Comcast don't operate from a farm field in Kansas (corner of NW River Valley Rd. and NW 120th St.) I guess that might just show geolocation is, as yet, an inexact science.
Miss Betsy Posted October 11, 2007

You might find this link interesting: Reading email headers

Miss Betsy
agamemnus Posted October 11, 2007 Author

> One of the SC staff could no doubt pull up those spam from report IDs. But they're usually otherwise engaged (fighting spam or something). If you want other members "here" to have a look and confirm your reading of the headers you need to post a tracking URL (link). Which is one of the basic suggestions/directions about asking questions "here" and plastered all over the shop. Be a good lad or lass and give us a tracking link and we won't have to ignore you. We would rather help. The top IP address is probably that of your own provider. If Comcast don't operate from a farm field in Kansas (corner of NW River Valley Rd. and NW 120th St.) I guess that might just show geolocation is, as yet, an inexact science.

But those are the tracking ids, e.g. http://www.spamcop.net/mcgi?action=gettrac...rtid=2552322841 or are you saying that other users can't access the id's? In that case:

http://www.spamcop.net/sc?id=z1469868693z8...d6c2b290d600f0z
http://www.spamcop.net/sc?id=z1469867047zf...e2698b28df911dz

=)

> You might find this link interesting: Reading email headers

So, as I understand it, the spammer in question is sending spam to a Comcast server, which then sends it to me?
Wazoo Posted October 11, 2007

> or are you saying that other users can't access the id's? In that case:
> http://www.spamcop.net/sc?id=z1469868693z8...d6c2b290d600f0z
> http://www.spamcop.net/sc?id=z1469867047zf...e2698b28df911dz

Folks have been trying to help ..... Farelf was very nice about it, even offering up a link for more data. I'll just do the natural "Wazoo has been up all night again" thing and point out that there are numerous FAQ entries 'here' ... a Dictionary, a Glossary, in addition to the Wiki to explain what a Tracking URL is .. I won't even mention that those words are printed in color at the top of a parse result page, along with the reason as to why it might be useful, although not quite beating one over the head with the obvious clue that it's a copy of the same URL of the page you are looking at when the message is showing ... You might want to take a look at Getting a Tracking URL from a Report ID just because the title sounds so cool.
StevenUnderwood Posted October 11, 2007

> I am now using Mozilla Thunderbird to help me with my spam problem. I set it to autoreport spam. The vast majority is coming from 76.96.62.xx, which is a farm field in Kansas (corner of NW River Valley Rd. and NW 120th St.) and a Comcast range of addresses. However, there is a second "received" IP coming from Romania. I'm not sure which one is being faked here.. I think it would be the second one (the one Spamcop thinks is the real one)... am I right? Here are the two recently reported spam emails in question: 2552322841 & 2552322379. They each have two Received fields!

The 76.96.62.61 address in the first is a Comcast email server. Neither of those addresses appears to be faked.

To place the headers in the order they actually occurred (headers in emails are reversed; work bottom up normally):

    Received: from activ04links.net ([78.95.200.197]) by IMTA07.westchester.pa.mail.comcast.net
    Received: from imta07.westchester.pa.mail.comcast.net ([76.96.62.61]) by sccrmxc12.comcast.net (sccrmxc12)

Comcast server IMTA07 receives the email from 78.95.200.197, which is the originator. IMTA07 then hands the message off to Comcast server sccrmxc12, which is likely a mail storage server for their customers (you). Every message you receive is likely handled in a similar manner.
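The bottom-up reading StevenUnderwood describes (and the parser behaviour Miss Betsy alludes to later in the thread, where the first hop outside the recipient's own provider is the one that counts) can be mechanised. The script below is an added example written for this page; it is not code from the thread, from Thunderbird or from SpamCop's parser. It unfolds a header block, parses each Received line into from-host, from-IP and by-host, reverses them into chronological order, and then walks back from the recipient's end through trusted relays until it hits the first IP that is not the provider's. The sample headers are constructed from the two Received lines quoted above (hostnames and IPs as shown there; the "with", "id" and date fields are assumed filler), and the second sample adds a forged Received line at the bottom to show why anything older than the first untrusted hop is ignored. The trusted block 76.96.62.0/24 is an assumption: the thread only shows individual 76.96.62.x addresses.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample headers, modelled on the two Received lines quoted in the post above.
# Hostnames and IPs are the ones shown there; the "with"/"id"/date fields are assumed filler.
# Each relay prepends its own Received line, so the newest hop is on top.
SAMPLE_HEADERS = (
    "Received: from imta07.westchester.pa.mail.comcast.net ([76.96.62.61])\n"
    "        by sccrmxc12.comcast.net (sccrmxc12) with ESMTP\n"
    "        id 0A1b2C3d; Thu, 11 Oct 2007 09:00:05 +0000\n"
    "Received: from activ04links.net ([78.95.200.197])\n"
    "        by IMTA07.westchester.pa.mail.comcast.net with comcast\n"
    "        id 4E5f6G7h; Thu, 11 Oct 2007 09:00:04 +0000\n"
    "From: sender@example.org\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# Same message with a forged Received line at the bottom (constructed): a sender can write
# anything below the hop at which the recipient's own provider accepted the message.
FORGED_HEADERS = SAMPLE_HEADERS.replace(
    "From: sender@example.org\n",
    "Received: from mail.example.net ([192.0.2.10])\n"
    "        by activ04links.net with SMTP; Thu, 11 Oct 2007 08:59:00 +0000\n"
    "From: sender@example.org\n",
)

# Assumed trusted block: the thread only shows individual 76.96.62.x addresses, so the /24 is a guess.
TRUSTED_NETWORKS = ["76.96.62.0/24"]

_FROM_BY_RE = re.compile(r"\bfrom\s+(?P<host>\S+)(?P<rest>.*?)\bby\s+(?P<by>\S+)", re.S)
_IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold_headers(raw: str) -> List[Tuple[str, str]]:
    """Split the header block into (name, value) pairs, joining RFC 5322 folded continuation lines."""
    pairs: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            break  # the first blank line ends the headers; the body follows
        if line[0] in " \t" and pairs:
            name, value = pairs[-1]
            pairs[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            pairs.append((name.strip(), value.strip()))
    return pairs


def received_hops(raw: str) -> List[Dict[str, Optional[str]]]:
    """Parse every Received header into a hop and return them oldest first.

    Headers read top to bottom are newest to oldest, because each relay prepends its line;
    reversing the list gives the order in which the hops actually happened.
    """
    hops: List[Dict[str, Optional[str]]] = []
    for name, value in unfold_headers(raw):
        if name.lower() != "received":
            continue
        m = _FROM_BY_RE.search(value)
        if not m:
            continue  # e.g. a local delivery line with no "from"; nothing to trace
        ip_match = _IPV4_RE.search(m.group("rest"))
        hops.append({
            "from_host": m.group("host"),
            "from_ip": ip_match.group(1) if ip_match else None,
            "by_host": m.group("by"),
        })
    hops.reverse()
    return hops


def originating_ip(raw: str, trusted_networks: List[str]) -> Optional[str]:
    """Return the first 'from' IP outside the trusted relays, walking from the recipient's end.

    Relays we trust (our own provider) record the connecting IP themselves, so their lines are
    reliable. The first "from" IP that is not one of ours is the furthest point we can verify;
    any Received lines older than that were written by the sender and may be forged.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for hop in reversed(received_hops(raw)):  # newest first, i.e. top of the header block
        ip = hop["from_ip"]
        if ip is None:
            return None  # no literal IP to check; stop rather than trust an unverifiable line
        if not any(ipaddress.ip_address(ip) in net for net in nets):
            return ip
    return None  # every hop was internal; nothing entered from outside


if __name__ == "__main__":
    for hop in received_hops(FORGED_HEADERS):
        print(f"{hop['from_host']} [{hop['from_ip']}] -> {hop['by_host']}")
    print("originating IP:", originating_ip(FORGED_HEADERS, TRUSTED_NETWORKS))
```

Run as a script it prints the three hops of the forged sample in chronological order and still reports 78.95.200.197 as the origin: the 192.0.2.10 line sits below the hop at which Comcast accepted the message, so the walk never reaches it. That is also why the list of trusted networks matters: if you put the wrong block in it the walk stops too early (blaming your own provider) or too late (trusting a line the spammer wrote).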
agamemnus Posted October 11, 2007 Author

> The 76.96.62.61 address in the first is a Comcast email server. Neither of those addresses appears to be faked. To place the headers in the order they actually occurred (headers in emails are reversed, work bottom up normally): Comcast server IMTA07 receives the email from 78.95.200.197 which is the originator. IMTA07 then hands the message off to Comcast server sccrmxc12 which is likely a mail storage server for their customers (you). Every message you receive is likely handled in a similar manner.

That server only has sent me spam as far as I know. Do you think if someone sent me an email from Romania it would be routed through 76.96.62.xx and then sent to me?
StevenUnderwood Posted October 11, 2007

> That server only has sent me spam as far as I know. Do you think if someone sent me an email from Romania it would be routed through 76.96.62.xx and then sent to me?

If you look at ANY email from outside of Comcast, they should come through the same servers.
agamemnus Posted October 11, 2007 Author

> If you look at ANY email from outside of Comcast, they should come through the same servers.

I'm not sure we're talking about the same thing... I'm not talking about sccrmxc12, but 76.96.62.xx. Only spam emails come from 76.96.62.xx.
Miss Betsy Posted October 11, 2007

> That server only has sent me spam as far as I know. Do you think if someone sent me an email from Romania it would be routed through 76.96.62.xx and then sent to me?

Yes. All your emails are accepted by one Comcast server and then passed to another Comcast server and then to you.

I haven't looked at the headers in question because I only have a rudimentary knowledge of how to read them. However, basically the important line is where your email provider receives the email and provides the correct IP address from which it came. There may be other headers showing that it was accepted somewhere else and forwarded to you (I have several accounts like that) and then additional headers that show that after your email provider accepts it, they have passed it to another computer (for virus protection sometimes; other times for other reasons) before they pass it on to you.

The parser is software that can 'read' the headers as long as they are configured according to certain standards. The parser is also programmed to identify 'trusted' relays.

HTH

Miss Betsy
StevenUnderwood Posted October 11, 2007

> I'm not sure we're talking about the same thing... I'm not talking about sccrmxc12, but 76.96.62.xx. Only spam emails come from 76.96.62.xx.

I am talking about the servers named IMTAxx which have the IP addresses 76.96.62.63 and 76.96.62.61 in your 2 examples. MTA generally will stand for Mail Transfer Agent. Have you studied the headers of a normal message coming from the internet? I find it hard to believe that Comcast has figured out a way to route all spam through one route and all good email through another. Could you please parse and then cancel an email you do not consider spam.

One possibility, though I don't know how they could implement it: perhaps IMTA is International Mail Transfer Agent and they have figured out how to populate the MX records of other countries' DNS servers with different servers.

    C:\Documents and Settings\sunderwood>nslookup
    Default Server:  resolver1.opendns.com
    Address:  208.67.222.222

    > set type=mx
    > comcast.net
    Server:  resolver1.opendns.com
    Address:  208.67.222.222

    Non-authoritative answer:
    comcast.net     MX preference = 5, mail exchanger = gateway-s1.comcast.net
    comcast.net     MX preference = 5, mail exchanger = mx1.comcast.net
    comcast.net     MX preference = 5, mail exchanger = mx2.comcast.net
    comcast.net     MX preference = 5, mail exchanger = mx3.comcast.net
    comcast.net     MX preference = 5, mail exchanger = gateway-a.comcast.net
    comcast.net     MX preference = 5, mail exchanger = gateway-r.comcast.net
    comcast.net     MX preference = 5, mail exchanger = gateway-s.comcast.net
    comcast.net     MX preference = 5, mail exchanger = gateway-a1.comcast.net
    comcast.net     MX preference = 5, mail exchanger = gateway-a2.comcast.net
    comcast.net     MX preference = 5, mail exchanger = gateway-r1.comcast.net
    comcast.net     MX preference = 5, mail exchanger = gateway-r2.comcast.net

    > set type=a
    > mx1.comcast.net
    Server:  resolver1.opendns.com
    Address:  208.67.222.222

    Non-authoritative answer:
    Name:    mx1.comcast.net
    Address:  76.96.62.116

At least one of the servers they advertise to the entire internet community is in the 76.96.62.* range.
agamemnus Posted October 12, 2007 Author

> Could you please parse and then cancel an email you do not consider spam.

Ok, here is a normal email that is not spam.

http://www.spamcop.net/sc?id=z1471488763zb...1783950327dbbez
StevenUnderwood Posted October 12, 2007

> Ok, here is a normal email that is not spam.
> http://www.spamcop.net/sc?id=z1471488763zb...1783950327dbbez

OK. I don't know how they do it, but I assume it is foreign email hitting that server. If it were some kind of additional spam filter, the first server would be the same, and then directed elsewhere. Anyhow, IMO, spamcop is finding the correct source. You definitely do not want to report Comcast. ISP's usually don't look kindly on that sort of thing.
Miss Betsy Posted October 12, 2007

One of the spam samples had notes added about non-compliance. Perhaps Comcast sends all 'suspicious' email to a particular server where, if possible, it 'makes' sense of the headers?

If you want to ask Comcast what is going on, you can try. But it is very difficult to get answers from big abuse departments. Whatever they are doing, they don't want anyone to know - either they dump a lot of spam by doing it this way or they are trying to placate customers who don't understand why some email doesn't get to them so they do what they can to make it deliverable, but don't want to explain why their system doesn't always work.

As StevenU keeps pointing out, the parser seems to understand the process and doesn't choose Comcast to report to. I haven't heard any complaints lately about how Comcast does nothing to warn or stop customers who allow their computers to be infected, but still it is not likely that Comcast is doing anything to stop spam from happening. Whatever they are doing is for their own bottom line. If you are a Comcast customer, then your quarrel is with them about the kind of email service they are providing you. You don't need spamcop for that.

Miss Betsy
agamemnus Posted October 12, 2007 Author

> One of the spam samples had notes added about non-compliance. Perhaps Comcast sends all 'suspicious' email to a particular server where, if possible, it 'makes' sense of the headers?

Yeah, thanks for the help. I'm good, I guess. I actually tried to contact Comcast (email) on several occasions regarding setting some sort of mail filters for my username but I was totally ignored. I decided not to pursue the matter further via phone, as it probably won't do any good.

> Perhaps Comcast sends all 'suspicious' email to a particular server where, if possible, it 'makes' sense of the headers?

I asked someone I know from Romania to send me an email to see if it gets filtered or not.
Farelf Posted October 12, 2007

> ...I asked someone I know from Romania to send me an email to see if it gets filtered or not.

You might let us know if anything interesting turns up from that, if you have the chance. I tried tracert to sccrmxc12.comcast.net but I guess the little ping packets move quite 'differently', certainly I couldn't replicate anything like your spam examples' transits. And that included sending via the one working source in Romania vide TraceRoute.org - (see http://forum.spamcop.net/forums/index.php?showtopic=8216)
agamemnus Posted October 13, 2007 Author

> You might let us know if anything interesting turns up from that, if you have the chance. I tried tracert to sccrmxc12.comcast.net but I guess the little ping packets move quite 'differently', certainly I couldn't replicate anything like your spam examples' transits. And that included sending via the one working source in Romania vide TraceRoute.org - (see http://forum.spamcop.net/forums/index.php?showtopic=8216)

He didn't send me anything yet, but I just got a normal daily email through 76.96.62.94, which I had never gotten through that server before. The mystery widens..
Farelf Posted October 13, 2007

Thanks - there's always an explanation, it's just they're not always apparent from one's present viewpoint.
agamemnus Posted October 16, 2007 Author

Update. I was sent an email from Romania, and it was at 76.96.30.xx, not 76.96.32.xx. Some regular weekly emails also started coming in from 76.96.32.xx. My theory now is that it could just be a new server that Comcast installed, and by coincidence a lot of spam went through 76.96.32.xx first.
Wazoo Posted October 16, 2007

Dropping the last 'octet' sure makes it hard to look anything up ....
Farelf Posted October 16, 2007

76.96.62.61
76.96.62.63
76.96.62.116

have been revealed in the various bits and pieces above. 76.96.62.62 is another in the ownership block, all shown by SenderBase as being in comcast.net under Comcast Cable. Oddly, they're not included in the 28423 "Addresses in comcast.net used to send email" tagged by SenderBase, nor in the 28973 for Comcast Cable. I have no idea whether that is significant or not - just that it doesn't fit with "usual" observations.
Wazoo Posted October 16, 2007

> have been revealed in the various bits and pieces above

Yeah, but .... about a dozen computers here in various states of repair/install/whatever ... developing three web-sites from the ground up, diagnosing and fixing the Google search issue for both here and the www.spamcop.net Help page, phone calls, folks wanting help via IM, e-mail seemingly running at high warp, etc. etc. Seeing that whole passel of ".xx" IP addresses just stopped me cold. As you state, my thoughts were "geeze, it's ComCast that's being talked about .. the land of a billion compromised computers"
Farelf Posted October 16, 2007

Stand easy digger <grin>, there's others who will step up when they have a moment, in the meantime there's no great urgency in what appears to be an "evolving" situation - the IP address block having been caught sending goodmail ...

> Some regular weekly emails also started coming in from 76.96.32.xx. My theory now is that it could just be a new server that Comcast installed, and by coincidence a lot of spam went through 76.96.32.xx first.

I just nominated a few addresses to maybe assist anyone coming late and thinking investigation is impossible.
Miss Betsy Posted October 16, 2007

I have forgotten the details, but Wazoo's remark about "the land of a billion compromised computers" reminded me of one of my conjectures that possibly it was one of those internal things where the spam was coming from one of the computers on the Comcast network and that's why it was always the same one. Not as likely now that he has gotten other email, but who knows, maybe they are on Comcast also.

Miss Betsy
agamemnus Posted October 17, 2007 Author

> I have forgotten the details, but Wazoo's remark about "the land of a billion compromised computers" reminded me of one of my conjectures that possibly it was one of those internal things where the spam was coming from one of the computers on the Comcast network and that's why it was always the same one. Not as likely now that he has gotten other email, but who knows, maybe they are on Comcast also.

Well, I got one from Anthropologie (not spam) through 76.96.62.46, and it's definitely not a Comcast personal account. Perhaps it is using a Comcast business network?

http://www.spamcop.net/sc?id=z1478318100zf...dc4ae869fd3083z

The only other non-spam email using 76.96.52.xx was routed from 76.96.62.94, using mail.mlspin.com. (non-spam real estate offerings email)

On a different note, let me say that it seems SpamCop has been apparently working for me, blocking some spam emails that I've gotten that it previously didn't block before.

Note: Comcast has a "Report spam" button, but I don't think it works too well. (or at all)