
[Resolved] SpamCop Parsing Error?


dcm346


I am currently using SpamCop web mail with email being forwarded from my ISP (PTD.NET). Recently in reporting spam I have noticed that virtually the only spam report being generated is to "Abuse[at]ptd.net" since the parsing of the email header indicates that that is the origination of the spam. I noticed that the first IP address is always 192.168.1.10x (7 or 8). This address is associated with a Linksys broadband router. I happen to use one but have never experienced this before in reporting spam to SpamCop. The parsing continues on but all the IP addresses indicate coming from a PTD.NET server. I know that the spam is not originating from PTD.NET but am at a loss as to how to remedy this. I even tried submitting the spam directly to SpamCop by pasting the header information from one of the emails still in my "Held Mail" folder with the same results. Included below is the tracking URL from a previously submitted spam reported to SpamCop. Any assistance would be greatly appreciated.

http://www.spamcop.net/sc?id=z1480217507z4...05d887bb837893z


Hi!

...Please go to the "SpamCop FAQ" (link near top left of every SpamCop Forum page) and look for the entry labeled "Why does SpamCop want to send a report to my own network administrator?" and let us know if that answers your question.


Hi!

...Please go to the "SpamCop FAQ" (link near top left of every SpamCop Forum page) and look for the entry labeled "Why does SpamCop want to send a report to my own network administrator?" and let us know if that answers your question.

Steve-thanks for the tip. I read the information but am not sure just what has happened to change the spam reporting process. I dread talking to the IT people at Penn Tele Data to see why the source IP address is not being shown in the message header, but I guess that would be my first place to start. I'll post any information I get from them (if anything useful). Thanks again!

Dave M.

Well, I talked to PTD.NET and they assure me that they do not strip out any header information but forward the email message intact. Now, if SpamCop has identified the relaying or forwarding server as "untrusted" how do I fix this??


It is showing the source IP in the header:

Received: from qb-out-0506.google.com ([72.14.204.234])
    (envelope-sender <bernardpettyqy[at]googlemail.com>)
    by smtp6.mailnet.ptd.net (qmail-ldap-1.03) with SMTP
    for <x>; 17 Oct 2007 01:11:58 -0000

However, during the parse it gets to the 3rd Received line down:

Received: from unknown (HELO mailg.ptd.net) ([207.44.96.80]) (envelope-sender <bernardpettyqy[at]googlemail.com>) by smtp56.mailnet.ptd.net (qmail-ldap-1.03) with AES256-SHA encrypted compressed SMTP for <x>; 17 Oct 2007 01:11:59 -0000

and does not recognize 207.44.96.80 as one of your mailhosts. Either you do not have mailhosts configured at all, or your ISP has changed some of their mail servers around. Either way, configuring mailhosts should solve the problem. Your ISP seems to have an excessive number of internal handoffs in their mail handling, however, as long as mailhosts is configured, and you keep an eye on where your reports are going so you can reconfigure mailhosts anytime your ISP makes changes to their mail servers, it should not be a problem.
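A simplified model of the trust walk described in the post above, as an added example that is not part of the original thread and is not SpamCop's own code. The `example.*` hostnames, the 192.0.2.25 and 198.51.100.7 addresses, the relay sets and the function names are constructed; the rule "stop at the first handoff IP that is not a configured relay" is an assumption drawn from the description in this thread.

```python
import re
from ipaddress import ip_address

# Received lines, newest first. Lines 1, 2 and 5 are constructed for this
# example; lines 3 and 4 are abridged from the headers quoted in the thread.
RECEIVED = [
    "from mailhub.example.net ([192.168.1.107]) by inbox.example.net with SMTP",
    "from fwd.example.org ([192.0.2.25]) by mailhub.example.net with SMTP",
    "from unknown (HELO mailg.ptd.net) ([207.44.96.80]) by smtp56.mailnet.ptd.net with SMTP",
    "from qb-out-0506.google.com ([72.14.204.234]) by smtp6.mailnet.ptd.net with SMTP",
    "from relay.example.com ([198.51.100.7]) by qb-out-0506.google.com with SMTP",
]

BRACKETED_IP = re.compile(r"\(\[([0-9A-Fa-f.:]+)\]\)")


def handoff_ip(received):
    """IP the receiving server recorded for the sending side, or None."""
    match = BRACKETED_IP.search(received)
    if match is None:
        return None
    try:
        return str(ip_address(match.group(1)))
    except ValueError:
        return None


def find_source(received_lines, relay_ips):
    """Walk the chain newest-first and stop at the first handoff IP that is
    not a configured relay. Returns (source_ip, index_where_walk_stopped);
    headers below that index are never consulted."""
    for index, line in enumerate(received_lines):
        ip = handoff_ip(line)
        if ip is None or ip not in relay_ips:
            return ip, index
    return None, len(received_lines)


# Hypothetical relay sets: before and after 207.44.96.80 is known.
BEFORE = {"192.168.1.107", "192.0.2.25"}
AFTER = BEFORE | {"207.44.96.80"}

if __name__ == "__main__":
    print(find_source(RECEIVED, BEFORE))  # stops at the third Received line
    print(find_source(RECEIVED, AFTER))   # reaches the real handoff
```

With the relay missing, the walk blames the ISP's own server; once it is listed, the walk continues to the Google handoff and still ignores the unverifiable line beneath it.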


It is showing the source IP in the header:

However, during the parse it gets to the 3rd Received line down:

and does not recognize 207.44.96.80 as one of your mailhosts. Either you do not have mailhosts configured at all, or your ISP has changed some of their mail servers around. Either way, configuring mailhosts should solve the problem. Your ISP seems to have an excessive number of internal handoffs in their mail handling, however, as long as mailhosts is configured, and you keep an eye on where your reports are going so you can reconfigure mailhosts anytime your ISP makes changes to their mail servers, it should not be a problem.

Will-thank you for the information. I logged in to SpamCop and clicked on "Mailhosts" and found a large number of entries under hosts/domains (including mailg.ptd.net). However, I could not find 207.44.96.80 under relaying IPS. Just how would I configure mailhost to include this missing IP??

Dave


<snip>

I logged in to SpamCop and clicked on "Mailhosts" and found a large number of entries under hosts/domains (including mailg.ptd.net).

<snip>

Just how would I configure mailhost to include this missing IP??

Hi, Dave,

...It's not that straightforward. Just follow the MailHost configuration procedure as if there were none.


...It's not that straightforward. Just follow the MailHost configuration procedure as if there were none.

Thanks Steve, I reconfigured both my email accounts (SpamCop.net and PTD.NET). I then sent a test message from my spamcop email account to my ptd.net account and I still see IP 207.44.96.80 as an unknown IP under mailg.ptd.net. I looked at the new email configuration and cannot find 207.44.96.80 under relay IPS listing. Am I still doing something wrong? I don't understand why IP 207.44.96.80 doesn't show in the new mailhost configuration.

Dave


<snip>I don't understand why IP 207.44.96.80 doesn't show in the new mailhost configuration.
...Uh-oh, I'm afraid that I don't understand how it works very well, either. I guess the acid test is to submit spam and see what the parser does with them. If the parser output looks reasonable and does not try to report ptd.net as the spam source, I think you can consider everything okay. If not, I'm afraid you'll have to contact the SpamCop Deputies (deputies[at]admin.spamcop.net). Be sure to include the tracking url and your registered SpamCop email address and include the word "mailhosts" somewhere in the subject line.

...Uh-oh, I'm afraid that I don't understand how it works very well, either. I guess the acid test is to submit spam and see what the parser does with them. If the parser output looks reasonable and does not try to report ptd.net as the spam source, I think you can consider everything okay. If not, I'm afraid you'll have to contact the SpamCop Deputies (deputies[at]admin.spamcop.net). Be sure to include the tracking url and your registered SpamCop email address and include the word "mailhosts" somewhere in the subject line.

Steve-thanks so much for your help. I'm waiting for SpamCop to send me the reporting information. I'll let you know how it turns out. Thanks again.

Dave


I am currently using SpamCop web mail with email being forwarded from my ISP (PTD.NET). Recently in reporting spam I have noticed that virtually the only spam report being generated is to "Abuse[at]ptd.net" since the parsing of the email header indicates that that is the origination of the spam. I noticed that the first IP address is always 192.168.1.10x (7 or 8). This address is associated with a Linksys broadband router.

192.168.x.x is basically a "local network" .. a set of non-routable IP addresses set aside so as to be used "locally". In this case, the system in question is a computer/server actually located in the DataCenter down in Georgia, part of JT's e-mail system.

The parsing continues on but all the IP addresses indicate coming from a PTD.NET server. I know that the spam is not originating from PTD.NET but am at a loss as to how to remedy this.

The parsing stops due to the offered error message;

Supposed receiving system not associated with any of your mailhosts

Will not trust anything beyond this header

I even tried submitting the spam directly to SpamCop by pasting the header information from one of the emails still in my "Held Mail" folder with the same results.

As the header data should be the same, not sure why different results would be expected ...????

My guess ... the IP address in question is associated with a recently added server at ptd.net .. just one guess.

To 'resolve' the issue ... you've already tried the obvious first step and it seems to have failed (based on your words) ... so I'd go with Ellen's comments / directions in the "Read before posting" Pinned post. One could ignore that in hopes that there'll eventually be enough traffic across that server to be seen, recognized, and added into the data that the MailHost Configured parsing system uses .... or you could follow Ellen's directions and assumedly get some new data added to that database manually by one of the Deputies.

All this 'stuff' does fall under the "check the results of the MailHost Configuration of your Reporting Account before going hog-wild" ..... Congratulations and kudos on noting an issue and working to get it resolved.


To 'resolve' the issue ... you've already tried the obvious first step and it seems to have failed (based on your words) ... so I'd go with Ellen's comments / directions in the "Read before posting" Pinned post. One could ignore that in hopes that there'll eventually be enough traffic across that server to be seen, recognized, and added into the data that the MailHost Configured parsing system uses .... or you could follow Ellen's directions and assumedly get some new data added to that database manually by one of the Deputies.

All this 'stuff' does fall under the "check the results of the MailHost Configuration of your Reporting Account before going hog-wild" ..... Congratulations and kudos on noting an issue and working to get it resolved.

I want to thank all who gave me assistance in resolving my spam reporting issue. As it turns out it was something I had not thought of when this problem cropped up. Recently before reporting my spam through a SpamCop web mail account I was reporting spam to spamcop from my ptd.net account. I didn't realize that I needed to configure the ptd.net mailhost from my spamcop.net account. After doing that (thanks to Richard from deputies[at]admin.spamcop.net ) I was successful in reporting the spam to spamcop and the reports went to the proper places (IP 207.44.96.80 was listed as a relaying IP when I configured the mailhost). Thanks again for all the help and your patience and the kind words from Wazoo.

Dave M.


<snip>

I was successful in reporting the spam to spamcop and the reports went to the proper places (IP 207.44.96.80 was listed as a relaying IP when I configured the mailhost).

<snip>

...Thanks, Dave, for taking the time to return here and let us know the good news!

...Based on this, I am marking this forum thread as "resolved."


Archived

This topic is now archived and is closed to further replies.
