Will anyone help me understand this header?


tonyhj

Looking through my Held Mail today, I spotted a personal email from a friend. I whitelisted it, reported the rest, and went on to answer the email. But I'm a curious sort of newbie, and wonder if anyone has the time or inclination to help me parse the header to see what spamhaus or SpamCop found problematic. Here are the long headers:

Return-Path: [my friend's email address.  A nice harmless one]

Delivered-To: spamcop-net[my own address at Spamcop]

Received: (qmail 7061 invoked from network); 5 Apr 2004 20:50:55 -0000

Received: from unknown (192.168.1.101)  by blade6.cesmail.net with QMQP; 5 Apr 2004 20:50:55 -0000

Received: from wnpgmb02-group-mtainout.mts.net (HELO mx-mtain01.mts.net) (142.161.130.103)  by mailgate.cesmail.net with SMTP; 5 Apr 2004 20:50:55 -0000

Received: from pd7mo3no.prod.shaw.ca ([64.59.134.9]) by mx-mtain01.mts.net with ESMTP id <20040405200143.HCJQ23385.mx-mtain01.mts.net[at]pd7mo3no.prod.shaw.ca> for <my real email address>; Mon, 5 Apr 2004 15:01:43 -0500

Received: from pd8mr6no.prod.shaw.ca (pd8mr6no-qfe2.prod.shaw.ca [10.0.144.227]) by l-daemon (iPlanet Messaging Server 5.2 HotFix 1.18 (built Jul 28 2003)) with ESMTP id <0HVP0090HRE32J[at]l-daemon> for <my real email address>; Mon, 05 Apr 2004 13:56:27 -0600 (MDT)

Received: from pn7ml2no.prod.shaw.ca ([10.0.149.111]) by pd8mr6no.prod.shaw.ca (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with ESMTP id <0HVP00C7QRE5DDI0[at]pd8mr6no.prod.shaw.ca> for [my real email address]; Mon, 05 Apr 2004 13:56:29 -0600 (MDT)

Received: from DFVNM021 (h24-76-1-94.wp.shawcable.net [24.76.1.94]) by l-daemon (iPlanet Messaging Server 5.2 HotFix 1.18 (built Jul 28 2003)) with SMTP id <0HVP00M4CRE02O[at]l-daemon> for [my real email address]; Mon, 05 Apr 2004 13:56:27 -0600 (MDT)

Date: Mon, 05 Apr 2004 14:56:29 -0500

From: Roger Dennis <my friend's real email address>

Subject: Re: Could you look over the following, please?

To: Tony Harwood-Jones <my real email address>

Message-id: <001401c41b48$1631e360$5e014c18[at]DFVNM021>

MIME-version: 1.0

X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2727.1300

X-Mailer: Microsoft Outlook Express 6.00.2720.3000

Content-type: multipart/mixed; boundary="----=_NextPart_000_0011_01C41B1E.2D2E89D0"

X-Priority: 3

X-MSMail-priority: Normal

References: <20040405035548.YLXW17534.mx-mtaout01.mts.net[at][142.161.30.14]>

X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade6

X-spam-Level:

X-spam-Status: hits=0.9 tests=FAKE_HELO_SHAW_CA version=2.63

X-SpamCop-Checked: 192.168.1.101 142.161.130.103 64.59.134.9 10.0.144.227 10.0.149.111 24.76.1.94 142.161.30.14

X-SpamCop-Disposition: Blocked xbl.spamhaus.org

Tony

Looking through my Held Mail today, I spotted a personal email from a friend.  I whitelisted it, reported the rest, and went on to answer the email.  But I'm a curious sort of newbie, and wonder if anyone has the time or inclination to help me parse the header to see what spamhaus or SpamCop found problematic.  Here are the long headers:

[snip]

X-SpamCop-Disposition: Blocked xbl.spamhaus.org

Tony

It appears to be due to your choice of filters. In addition to the X-SpamCop-Disposition header in the headers you posted the parser shows that:

  • 24.76.1.94 listed in dnsbl.sorbs.net ( 127.0.0.10 )

when the headers are parsed.

tonyhj, .... these groups are apparently picked up in Google (noted during a search on someone else's problems yesterday) ... you really might want to go back in and edit your (and your friend's) e-mail addresses out of your posted sample (of course, it could be too late already)

Looking through my Held Mail today, I spotted a personal email from a friend.  I whitelisted it, reported the rest, and went on to answer the email.  But I'm a curious sort of newbie, and wonder if anyone has the time or inclination to help me parse the header to see what spamhaus or SpamCop found problematic. [...]

In addition to what Spambo said, I would say it's hard to set the filters to stop all spam while also letting through all legit mail. Lower your criteria a little too much, and you get flooded by spam. Make them a little too strict, and legit mail starts getting blocked.

There will always be some false negatives (i.e., spam not detected as such), if only from newly set up open proxies which haven't yet had time to get on the lists. And I think there's no sure-fire way of letting through the innocent bystander who happens to be using the same dynamic IP address from which a spam run was just sent by someone else, so I believe there will also always be some false positives (legit mail treated as spam). Whitelisting your friends & family helps; also, if you can, the people "to" whom you write (some third-party spam filters can do this automatically; SC-mail cannot because it doesn't see your outgoing mail). But I think it's not possible to eliminate with certainty all false positives and all false negatives. The best we can hope for is to try and tune our filters to get as few as possible of both.

(Some people say the solution is to block the whole Internet except for a closed whitelist of friends & family. That's not my policy: I don't want to stop the genuinely friendly letter from someone unknown, about, for instance, a broken link in my website.)

It appears to be due to your choice of filters.  In addition to the X-SpamCop-Disposition header in the headers you posted the parser shows that:
  • 24.76.1.94 listed in dnsbl.sorbs.net ( 127.0.0.10 )

when the headers are parsed

Sure! Whatever you say! I mean, those letters and numbers are a complete mystery to me! What on earth do these things tell you??

24.76.1.94 listed in dnsbl.sorbs.net ( 127.0.0.10 )

Second, when you "parsed" the headers, did the email get reported as spam? I noticed the disquieting phrase, "Yum, this spam is fresh!"

Third, my ignorance remains as to why "spamhaus" wanted to block that email.

Fourth, to Wazoo - thanks for the warning, I edited the email addresses out as you suggest. I hope successfully. I presume that all the thousands of parsed reports that SpamCop generates are not picked up by Google, even if these discussion boards are...?

And I think there's no sure-fire way of letting through the innocent bystander who happens to be using the same dynamic IP address from which a spam run was just sent by someone else

Now there's an answer that makes sense to me! I have heard that my friend's ISP had been having some trouble with viruses. They may also have a spammer operating from their addresses. So, my friend gets scooped up and blacklisted in the process. Sad. But makes sense.

Thank you.

It appears to be due to your choice of filters.  In addition to the X-SpamCop-Disposition header in the headers you posted the parser shows that:
  • 24.76.1.94 listed in dnsbl.sorbs.net ( 127.0.0.10 )

when the headers are parsed

Sure! Whatever you say! I mean, those letters and numbers are a complete mystery to me! What on earth do these things tell you??

X-SpamCop-Disposition tells you why SC-Mail treated this email as it did (in this case, moving it to your Held folder). IIUC, the reason in this case is that it found its origin (IIUC, the last IP address in the X-SpamCop-Checked) listed in the SpamHaus blocking list (a blacklist analogous to the SC blocking list, but maintained by someone else, about somewhat different criteria).

24.76.1.94 listed in dnsbl.sorbs.net ( 127.0.0.10 )

Second, when you "parsed" the headers, did the email get reported as spam? I noticed the disquieting phrase, "Yum, this spam is fresh!"

Parsing a mail does not, in and of itself, report it. In fact, the parser will not generate reports unless there is at least one line of "body" below the headers. As for the "Yum-fresh" line, it means (IIUC) that the mail was parsed before it was three hours old (according to the timestamp in the received-line written by your mail server) and that the responsible ISP hasn't (yet?) marked the issue as "resolved". In fact, the phrase is not meant as disquieting but as a compliment.

Third, my ignorance remains as to why "spamhaus" wanted to block that email.

I don't know exactly on which criteria the Spamhaus blacklists (apparently there are two of them) are operated. From what I heard they list spam-support services and addresses exploited by third-party illegal software such as open-proxies and viruses.

The xbl.spamhaus.org is a mirror of the cbl.abuseat.org. It lists computers that have sent spam or viruses to spamtraps. The address remains listed until someone removes it through a web form at cbl.abuseat.org.

The dnsbl.sorbs.net zone of 127.0.0.10 is indicating that SORBS thinks that the address is dynamic.

It appears that your friend is trying to send e-mail directly from a DHCP allocated address, and your ISP does not realize yet it is a DHCP address and is still accepting mail from it.

And some owner of the I.P. address that your friend is on, was at one time, or still is compromised so that spam can be sent through it.

Your friend needs to find a mail server at a fixed I.P. address to send their e-mail through, as most mail server operators that I know will not accept e-mail from addresses that are known to be DHCP allocated.

The MAPS-DUL is about 7 months behind in listing such ranges, and as his range is already in the widely used DUL.DNSBL.SORBS.NET range, it is only a matter of time before it shows up in the MAPS-DUL listings.

Also many network providers may block port 25 outgoing without prior notice to their customers if a large network blocks all e-mail from them until they do, as has already happened to many networks. Or they may do it to cut their operating costs.

An open proxy on a broadband network can cost an ISP a considerable amount of money.

See the pinned topic on the cost of spam.

-John

Personal Opinion Only

24.76.1.94 listed in dnsbl.sorbs.net ( 127.0.0.10 )

Heading over to http://www.moensted.dk/spam/?addr=24.76.1.94&Submit=Submit we see that this IP is listed by them because it's within a dynamic IP range - historically symbolizing a dial-up user, but these days usually just suggesting a "home" user at the wheel. The listing here is basically a decision made that, in general, there wouldn't be an e-mail server sending mail out from that IP, so if "you" see it, the normal assumption these days is that it's from an infected box. So normally, this specific BL entry wouldn't be of very much concern to a non-spammer. In another Topic, discussion was about the fact that even though that user saw this same type of listing, the particular e-mail was not sent to the Held folder, so "we're" not sure that the SpamCop Filtered E-Mail system actually reacts to this x.x.x10 type listing.

I edited the email addresses out as you suggest

Look for an MTS.Net listing <g>

X-SpamCop-Disposition: Blocked xbl.spamhaus.org

actually deals with the last IP shown of 142.161.30.14 .... http://www.spamhaus.org/query/bl?ip=142.161.30.14

IP Address Lookup

142.161.30.14 is not listed in the SBL

142.161.30.14 is listed in the XBL, because it appears in:

http://cbl.abuseat.org/lookup.cgi?ip=142.161.30.14

The CBL takes its source data from very large spamtraps, and only lists IPs exhibiting characteristics which are specific to open proxies of various sorts (HTTP, socks, AnalogX, wingate etc) which have been abused to send spam, worms/viruses that do their own direct mail transmission, or some types of trojan-horse or "stealth" spamware, without doing open proxy tests of any kind.
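A worked example of what John's and Wazoo's replies describe: reading the Received chain from the bottom up to find the sending box, building the reversed-octet name that a DNSBL is queried by, and interpreting the SORBS 127.0.0.10 answer. This is added for this thread and is not code from any poster or from SpamCop; the header lines are trimmed from the ones posted above, and the DNS answers are a constructed stand-in so it runs offline (the 127.0.0.4 XBL value is a placeholder, not a documented return code).

```python
import re
import ipaddress

# Received headers from the thread, topmost first (constructed sample: only
# the IP-bearing part of each posted line is kept).
RECEIVED_HEADERS = [
    "from unknown (192.168.1.101) by blade6.cesmail.net with QMQP",
    "from wnpgmb02-group-mtainout.mts.net (HELO mx-mtain01.mts.net) (142.161.130.103) by mailgate.cesmail.net with SMTP",
    "from pd7mo3no.prod.shaw.ca ([64.59.134.9]) by mx-mtain01.mts.net with ESMTP",
    "from pd8mr6no.prod.shaw.ca (pd8mr6no-qfe2.prod.shaw.ca [10.0.144.227]) by l-daemon with ESMTP",
    "from pn7ml2no.prod.shaw.ca ([10.0.149.111]) by pd8mr6no.prod.shaw.ca with ESMTP",
    "from DFVNM021 (h24-76-1-94.wp.shawcable.net [24.76.1.94]) by l-daemon with SMTP",
]
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def received_chain(headers):
    """First IPv4 literal in each Received header; each hop prepends its own line, so the last is nearest the sender."""
    return [m.group(1) for m in (IP_RE.search(h) for h in headers) if m]

def originating_ip(headers):
    """Walk from the sender's end and return the first globally routable hop (skips 10/8, 192.168/16 inside the ISP)."""
    for ip in reversed(received_chain(headers)):
        if ipaddress.ip_address(ip).is_global:
            return ip
    return None

def dnsbl_query_name(ip, zone):
    """A DNSBL is consulted by looking up the reversed octets under its zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def interpret(zone, answer):
    """127.0.0.10 from SORBS is the dynamic-range code seen in the thread; any XBL answer means an exploited host."""
    if answer is None:
        return "not listed"
    if zone == "dnsbl.sorbs.net" and answer == "127.0.0.10":
        return "listed: dynamic/DHCP address range"
    if zone == "xbl.spamhaus.org":
        return "listed: exploited host (CBL data)"
    return "listed: " + answer

def check(ip, zones, resolve):
    """resolve(name) -> A record string or None; injected so this runs offline, a live version would do a real DNS A lookup."""
    return {z: interpret(z, resolve(dnsbl_query_name(ip, z))) for z in zones}

# Constructed DNS answers mirroring the posts: 24.76.1.94 is in SORBS's dynamic
# zone, and 142.161.30.14 (from the References header) is in the XBL.
FAKE_DNS = {
    "94.1.76.24.dnsbl.sorbs.net": "127.0.0.10",
    "14.30.161.142.xbl.spamhaus.org": "127.0.0.4",
}
```

Running `check(originating_ip(RECEIVED_HEADERS), ["dnsbl.sorbs.net", "xbl.spamhaus.org"], FAKE_DNS.get)` reproduces the split seen in the thread: the friend's box is only in the dynamic list, while the XBL hit belongs to the other address.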
