Jump to content

Spamcop Falsely Accused Me Of Open Relay


alexoss

Recommended Posts

We recently reconfigured our network to include both an external and an internal mail server. I submitted a spam I received to SpamCop, and it incorrectly identified our external mail server as an open relay. My ISP sent me a letter containing the message they got from SpamCop. They closed the issue right away, recognizing SpamCop's error. Please fix this, because I cannot use SpamCop any more--taking the risk that my ISP might not recognize this error, and cut off our service--until it is fixed.

> [ SpamCop V1.3.4 ]

> This message is brief for your comfort. Please use links below for

> details.

>

> Spamvertised website: http://savinginquotes.com/?partid=bls

> http://savinginquotes.com/?partid=bls is 63.85.86.81; Fri, 02 Apr 2004

> 17:36:50 GMT

> http://www.spamcop.net/w3m?i=z849424394zde...69589f6a76cc007

> 98z

>

> Spamvertised website: http://savinginquotes.com/st.html

> http://savinginquotes.com/st.html is 63.85.86.81; Fri, 02 Apr 2004

> 17:36:49 GMT

> http://www.spamcop.net/w3m?i=z849424399ze7...ed107d8ad9e7de5

> b9z

>

> [ Offending message ]

> Return-Path: <trundlesaccharine[at]attbi.com>

> Received: from mail.films.com (mail.films.com [198.181.237.1])

> by iceman.films.com (8.11.6/linuxconf) with ESMTP id i32HHDv20865

> for <x>; Fri, 2 Apr 2004 12:17:13 -0500

> Received: by mail.films.com (Postfix)

> id 5E4092B0FF; Fri, 2 Apr 2004 12:34:59 -0500 (EST)

> Delivered-To: x

> Received: from dyn-83-152-174-156.ppp.tiscali.fr (dyn-83-152-174-156.ppp.tiscali.fr [83.152.174.156])

> by mail.films.com (Postfix) with SMTP id 66D412B0FD

> for <x>; Fri, 2 Apr 2004 12:34:49 -0500 (EST)

> Received: from [100.57.252.228] by 83.152.174.156 with hierarchic SMTP;

> %CURRENT_DATE_TIME

> X-Authentication-Warning: ministry enumerate inhumane bolshoi

> Date: %CURRENT_DATE_TIME

> From: "Willie Oliver" <quotientbridle[at]attbi.com>

> Reply-To: "Willie Oliver" <circumcisecanto[at]attbi.com>

> Message-ID: <7258______________________5655[at]dusenberg>

> To: x

> Subject: brookline chasm

> References: <41328847784877182902178[at]chinch>

> In-Reply-To: <93696532425335122201849[at]darken>

> X-Mailer: fringe about eminent

> X-Content-Type: text/html; charset=us-ascii

> X-Content-Transfer-Encoding: 7bit

> X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on iceman.films.com

> X-spam-Status: No, hits=0.1 required=5.0 tests=HTML_MESSAGE,MIME_HTML_ONLY

> autolearn=no version=2.63

> X-spam-Level:

> Status:

> Content-Type: text/html

> X-SpamCop-note: Converted to text/html by SpamCop (outlook/eudora hack)

>

> <html>

>

> <head>

>

> </head>

>

> <body>

>

>

> <p>

> Got bad-credit? Let us help you refinance your home<br>

> <br>

> Lowest In.terest Rates Available!<br>

> Get a Pre-Approval in 48 hours for F.RE.E<br>

> Refinancing for the Self-Employed<br>

> SAVE $100-$400 per month and skip ONE payment<br>

> <br>

> Our easy application only takes 1 minute.<br>

> <br>

> <a

> href="http://savinginquotes.com/?partid=bls">http://savinginquotes.com/?partid=bls</a></font><br>

> <br>

> <br>

> <br>

> <br>

> <br>

> <br>

> <font size="3">The above gift or special offer was sent to you as a<br>

> subscriber of Direct Media. We will continue to bring you<br>

> valuable offers on products and services that interest you<br>

> most. To modify your future preference with us:<br><br>

> <a href="http://savinginquotes.com/st.html">http://savinginquotes.com/st.html</a></font></p>

> </body>

> </html>

> <br>

> <br>

> abyss actuate analeptic sophomore preparative flint bravery nguyen recluse prologue away fusiform theses artisan journey inch eclipse agway catechism stealthy guilty keypunch sharpen vital league whipsaw elmer carnegie gymnosperm decant buret arteriolosclerosis cyclotron shoestring pop exeter bayberry mae swab bryce rhodolite sd worldwide amatory glom grief alimony barrack gymnast stack grimaldi airport cultivate fairchild zirconium reid waals minsky optic arcade hypothalamic crime fear immodesty corvette rasmussen fruitful hellfire threonine virgule prometheus pendant hamper deluge spindle wellesley infantry odyssey crystal depredate carcinogen tammany diabetes pearl who'd christiana horsefly yarn morgen dredge viewport testify directorate ariadne isfahan maze plunk specie subjectivity eta dalton selfadjoint dumpty instance wu surreal syringa terramycin algeria tungstate upwind metabolic emblem conestoga boatswain crucible password colloquy auk bloomington dagger glou!

ce!

s

> ter polariton bale cyrus0

>

Link to comment
Share on other sites

The most important aspect to responsible spam reporting is reviewing where the reports are sent and selecting only those contacts who should be getting spam reports. If your own server is listed in the reports and you chose to report it anyway, it is not the fault of SpamCop...

Link to comment
Share on other sites

The "fault" of SpamCop is that it makes "errors in judgement".

People (ISPs, moles, reporters) need to recognize this failure.

What you do about it is your own business. What we do about

it is not to use SpamCop, and not recommend it to anyone.

Link to comment
Share on other sites

question: what purpose does the *crap* at the end of the spam serves? I see it as well...I would think that some filters may be able to pick on this nonsense? 

:unsure:

The crap at the end serves to fool Bayes filtering (they think).

Actually, it makes Bayes filtering do a better statistical job.

Link to comment
Share on other sites

Also, this report does not appear to be for an open relay but for a spamvertised website. See the part above the [ Offending message ]

This report should have gone to: abuse<at>innerwise.com and abuse<at>mci.com

for that site ( http://savinginquotes.com)

As others have mentioned, it is up to you to review where reports are going and uncheck your ISP if appropriate.

Still, something does not add up. Which ISP sent you the message?

Link to comment
Share on other sites

and it incorrectly identified our external mail server as an open relay. My ISP sent me a letter containing the message they got from SpamCop

So why wasn't this "letter" offered up as your "evidence" of a screw-up?

As pointed out by others, "open relay" is not spelled "Spamvertised website"

Maybe you just grabbed the wrong spam to make your case, maybe someone is really, really confused, but ... what you've provided really makes little sense to me.

Link to comment
Share on other sites

Thanks for all the interesting replies. I include the full text of the letter below for the interested, as opposed to just the part that SpamCop misread. Note the SMTP header reading:

X-SpamCop-sourceip: 198.181.237.1

This is not the IP address of the "spamvertised website". If it's supposed to be, then SpamCop has even more trouble than I thought, but I doubt it.

Yes, I unintentionally left the check marks next to the IP address of the "source" of the spam on when I submitted it. I've since then unchecked my server when it's misidentified. It be better, I think, if SpamCop doesn't identify my mail server as the source of the spam in the first place. Obviously.

**************************************************************************

The following information is being provided in compliance with applicable federal laws. MCI believes this information is accurate but does not guarantee its accuracy in any way. Federal law restricts the dissemination of such information, and recipient should seek legal advice before using or distributing such information. If appropriate, recipient should attempt to verify this information before action is taken based on it.

**************************************************************************

Dear MCI Customer:

We have received a report regarding alleged violations of MCI's Acceptable Use Policy

http://global.mci.com/terms/a_u_p/

from one of your users.

198.181.237.1

MCI works closely with its customers to resolve situations as quickly as possible. We request you take whatever measures you deem appropriate which will ensure no further violations occur. If you wish to discuss technical approaches MCI has found effective in counteracting Internet abuse, please contact our Internet Abuse Investigations team at the number below.

MCI values its relationships with its customers and will work with you in any way necessary to preserve that relationship. However, MCI is legally bound to enforce its AUP. If it is confirmed that abuses are taking place, and we cannot elicit your cooperation in discontinuing the abuse, MCI will be forced to take drastic actions, which could include termination of services.

Once this issue has been resolved please reply to this message, making sure the reply goes to abuse[at]mci.com and keeping the subject the same. This will notify Internet Abuse Investigations that the situation has been resolved.

We have informed the complainant that we have informed the parties responsible for handling this matter. MCI did not disclose any information regarding the investigations or information pertaining to our Resellers/Customers.

If you have further questions you may call Internet Abuse Investigations, M-F 8am - 8pm Eastern Time.

This message is only for the use of the intended recipient. If you have received this communication in error, please destroy all copies of this message and its attachments and notify us immediately.

Thank You,

MCI Internet Abuse Investigations Team 1-800-900-0241

22001 Loudoun County Parkway Ashburn, VA 20147 703-886-8902

security[at]mci.com - Security Incidents http://www.mci.com

abuse-mail[at]mci.com - Massmail abuse-news[at]mci.com - Usenet Abuse

Description of incident:

> 1080928187arhelpFrom 849424399[at]bounces.spamcop.net Fri Apr 2

> 12:37:04 2004

> Received: from imr3.ash.ops.us.uu.net by iaremedy.corp.us.uu.net with ESMTP

> (peer crosschecked as: imr3.ash.ops.us.uu.net [153.39.43.47])

> id QQqirm17858

> for <iaremedy-mail-spooler[at]iaremedy.corp.us.uu.net>; Fri, 2 Apr 2004 12:36:55 -0500 (EST)

> Received: from cmr2.ash.ops.us.uu.net by imr3.ash.ops.us.uu.net with ESMTP

> (peer crosschecked as: cmr2.ash.ops.us.uu.net [198.5.241.40])

> id QQqirm04402

> for <abuse[at]uu.net>; Fri, 2 Apr 2004 17:37:01 GMT

> Received: from cmr2.ash.ops.us.uu.net by cmr2.ash.ops.us.uu.net with ESMTP

> (peer crosschecked as: localhost [127.0.0.1])

> id QQqirm17455

> for <abuse[at]uu.net>; Fri, 2 Apr 2004 17:37:01 GMT

> Received: from omzesmtp02.mci.com by cmr2.ash.ops.us.uu.net with ESMTP

> (peer crosschecked as: omzesmtp02.mci.com [199.249.17.9])

> id QQqirm17442

> for <abuse[at]uu.net>; Fri, 2 Apr 2004 17:37:00 GMT

> Received: from vmx1.spamcop.net ([206.14.107.113])

> by firewall.mci.com (Iplanet MTA 5.2)

> with ESMTP id <0HVK0086B0XOHD[at]firewall.mci.com> for abuse[at]uu.net

> (ORCPT abuse[at]mci.com); Fri, 02 Apr 2004 17:37:00 +0000 (GMT)

> Received: from sc-app3.verio.ironport.com (HELO spamcop.net) (192.168.11.203)

> by vmx1.spamcop.net with SMTP; Fri, 02 Apr 2004 09:37:01 -0800

> Received: from [198.181.237.7] by spamcop.net with HTTP; Fri,

> 02 Apr 2004 17:37:00 +0000 (GMT)

> Date: Fri, 02 Apr 2004 12:17:13 -0500

> From: "Alexander J. Oss" <849424399[at]reports.spamcop.net>

> Subject: [spamCop (http://savinginquotes.com/st.html) id:849424399]brookline

> chasm

> To: abuse[at]mci.com

> Message-id: <rid_849424399[at]msgid.spamcop.net>

> X-Mailer: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)

> via http://www.spamcop.net/ v1.3.4

> Precedence: list

> X-SpamCop-sourceip: 198.181.237.1

>

> [ SpamCop V1.3.4 ]

> This message is brief for your comfort. Please use links below for

> details.

>

> Spamvertised website: http://savinginquotes.com/?partid=bls

> http://savinginquotes.com/?partid=bls is 63.85.86.81; Fri, 02 Apr 2004

> 17:36:50 GMT

> http://www.spamcop.net/w3m?i=z849424394zde...69589f6a76cc007

> 98z

>

> Spamvertised website: http://savinginquotes.com/st.html

> http://savinginquotes.com/st.html is 63.85.86.81; Fri, 02 Apr 2004

> 17:36:49 GMT

> http://www.spamcop.net/w3m?i=z849424399ze7...ed107d8ad9e7de5

> b9z

>

> [ Offending message ]

> Return-Path: <trundlesaccharine[at]attbi.com>

> Received: from mail.films.com (mail.films.com [198.181.237.1])

> by iceman.films.com (8.11.6/linuxconf) with ESMTP id i32HHDv20865

> for <x>; Fri, 2 Apr 2004 12:17:13 -0500

> Received: by mail.films.com (Postfix)

> id 5E4092B0FF; Fri, 2 Apr 2004 12:34:59 -0500 (EST)

> Delivered-To: x

> Received: from dyn-83-152-174-156.ppp.tiscali.fr (dyn-83-152-174-156.ppp.tiscali.fr [83.152.174.156])

> by mail.films.com (Postfix) with SMTP id 66D412B0FD

> for <x>; Fri, 2 Apr 2004 12:34:49 -0500 (EST)

> Received: from [100.57.252.228] by 83.152.174.156 with hierarchic SMTP;

> %CURRENT_DATE_TIME

> X-Authentication-Warning: ministry enumerate inhumane bolshoi

> Date: %CURRENT_DATE_TIME

> From: "Willie Oliver" <quotientbridle[at]attbi.com>

> Reply-To: "Willie Oliver" <circumcisecanto[at]attbi.com>

> Message-ID: <7258______________________5655[at]dusenberg>

> To: x

> Subject: brookline chasm

> References: <41328847784877182902178[at]chinch>

> In-Reply-To: <93696532425335122201849[at]darken>

> X-Mailer: fringe about eminent

> X-Content-Type: text/html; charset=us-ascii

> X-Content-Transfer-Encoding: 7bit

> X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on iceman.films.com

> X-spam-Status: No, hits=0.1 required=5.0 tests=HTML_MESSAGE,MIME_HTML_ONLY

> autolearn=no version=2.63

> X-spam-Level:

> Status:

> Content-Type: text/html

> X-SpamCop-note: Converted to text/html by SpamCop (outlook/eudora hack)

>

> <html>

>

> <head>

>

> </head>

>

> <body>

>

>

> <p>

> Got bad-credit? Let us help you refinance your home<br>

> <br>

> Lowest In.terest Rates Available!<br>

> Get a Pre-Approval in 48 hours for F.RE.E<br>

> Refinancing for the Self-Employed<br>

> SAVE $100-$400 per month and skip ONE payment<br>

> <br>

> Our easy application only takes 1 minute.<br>

> <br>

> <a

> href="http://savinginquotes.com/?partid=bls">http://savinginquotes.com/?partid=bls</a></font><br>

> <br>

> <br>

> <br>

> <br>

> <br>

> <br>

> <font size="3">The above gift or special offer was sent to you as a<br>

> subscriber of Direct Media. We will continue to bring you<br>

> valuable offers on products and services that interest you<br>

> most. To modify your future preference with us:<br><br>

> <a href="http://savinginquotes.com/st.html">http://savinginquotes.com/st.html</a></font></p>

> </body>

> </html>

> <br>

> <br>

> abyss actuate analeptic sophomore preparative flint bravery nguyen recluse prologue away fusiform theses artisan journey inch eclipse agway catechism stealthy guilty keypunch sharpen vital league whipsaw elmer carnegie gymnosperm decant buret arteriolosclerosis cyclotron shoestring pop exeter bayberry mae swab bryce rhodolite sd worldwide amatory glom grief alimony barrack gymnast stack grimaldi airport cultivate fairchild zirconium reid waals minsky optic arcade hypothalamic crime fear immodesty corvette rasmussen fruitful hellfire threonine virgule prometheus pendant hamper deluge spindle wellesley infantry odyssey crystal depredate carcinogen tammany diabetes pearl who'd christiana horsefly yarn morgen dredge viewport testify directorate ariadne isfahan maze plunk specie subjectivity eta dalton selfadjoint dumpty instance wu surreal syringa terramycin algeria tungstate upwind metabolic emblem conestoga boatswain crucible password colloquy auk bloomington dagger glou!

ce!

s

> ter polariton bale cyrus0

>

Link to comment
Share on other sites

Your original question is quoted:

We recently reconfigured our network to include both an external and an internal mail server.

If spamcop is not bypassing your server as the source of the message, your server may not be configured properly to insert all of the needed headers for spamcop to recognize the handoff. Unfortunately, I am in a beta program that will not allow me to parse someone elses configuration so I can not see what the parser is seeing. If you can post a spamcop parse tracker that is showing spamcop stopping at this server, we may figure out why spamcop does not like it.

I submitted a spam I received to SpamCop, and it incorrectly identified our external mail server as an open relay.

SpamCop does not identify any mail server as an open relay. It asks ordb.org if it knows if a relaying IP is an open relay already. If it is not known, it submits that IP for testing. Please show us a spamcop parse tracker where spamcop is identifying your IP as an open relay?

My ISP sent me a letter containing the message they got from SpamCop.

Is your ISP MCI? That letter is from MCI to it's customer.

If MCI is not your ISP, why did MCI send you that letter?

Is your website savinginquotes.com (I doubt it, but need to ask)? As mentioned previously, that specific report is about a spamvertized website, not a spam source. The fact that your mail server was incorrectly identified as the source should NOT have pointed MCI in your direction. They should have contacted the administrator of the website to determine if they were spamvertized on purpose.

They closed the issue right away, recognizing SpamCop's error.

Again, was this MCI that closed the case? If so, they should not have because the case was for the spamvertized website, not the spam being sent. If it was films.com (where the report for this source would be sent) that closed their case (no evidence presented to this end), that is appropriate.

Please fix this, because I cannot use SpamCop any more--taking the risk that my ISP might not recognize this error, and cut off our service--until it is fixed.

The most likely reason for the error is a misconfigured server not giving the parser enough information to confirm were the message came from. Without a message tracker from the parser, there is nothing I can do. SOmeone else here who is not using the mailhosts beta test may be able to play with the headers in the MCI report and tell you what is happening.

Basically, thre are too many unanswered questions to figure out exactly what is happening. The fact that you posted a spamvertized web report as a spam source report has thrown everyone off, which is why I figured I would start from the top again.

I hope something here helps and please answer some of the questions here so we can sort this matter out and get your reports working properly again (which is the real problem). Even if you answer them with questions on how to get the answer, we wil make progress.

Link to comment
Share on other sites

Hi, alexoss!

<snip>

I've since then unchecked my server when it's misidentified.  It be better, I think, if SpamCop doesn't identify my mail server as the source of the spam in the first place.  Obviously.

<snip>

...Is this the "SpamCop error" you want addressed, or am I oversimplifying?

Link to comment
Share on other sites

Parsing header:

Received: from mail.films.com (mail.films.com [198.181.237.1]) by iceman.films.com (8.11.6/linuxconf) with ESMTP id i32HHDv20865 for <x>; Fri, 7 Apr 2004 12:17:13 -0500

198.181.237.1 found

host 198.181.237.1 = iceman.films.com (cached)

host iceman.films.com (checking ip) = 198.181.237.1

Possible spammer: 198.181.237.1

198.181.237.1 is an MX for films.com

198.181.237.1 is mx

Received line accepted

no problem seen here

Received: from dyn-83-152-174-156.ppp.tiscali.fr (dyn-83-152-174-156.ppp.tiscali.fr [83.152.174.156]) by mail.films.com (Postfix) with SMTP id 66D412B0FD for <x>; Fri, 7 Apr 2004 12:34:49 -0500 (EST)

83.152.174.156 found

host 83.152.174.156 = dyn-83-152-174-156.ppp.tiscali.fr (cached)

host dyn-83-152-174-156.ppp.tiscali.fr (checking ip) = 83.152.174.156

....

Possible spammer: 83.152.174.156

83.152.174.156 is not an MX for dyn-83-152-174-156.ppp.tiscali.fr

host dyn-83-152-174-156.ppp.tiscali.fr (checking ip) = 83.152.174.156

host mail.films.com (checking ip) = 198.181.237.1

....

Chain test:mail.films.com =? iceman.films.com

host iceman.films.com (checking ip) = 198.181.237.1

198.181.237.1 is an MX for films.com

198.181.237.1 is mx

mail.films.com and iceman.films.com have close IP addresses - chain verified

Possible relay: 198.181.237.1

198.181.237.1 not listed in relays.ordb.org.

198.181.237.1 has already been sent to relay testers

Received line accepted

no problem so far

Received: from [100.57.252.228] by 83.152.174.156 with hierarchic SMTP; %CURRENT_DATE_TIME

no from

100.57.252.228 found

...

Possible spammer: 100.57.252.228

host 83.152.174.156 (checking ip) ip not found ; 83.152.174.156 discarded as fake.

Looks like a forgery

problem seen - but note that 198.181.237.1 has yet to be identified as an issue

after all the BL list checks (all negative at the moment) then we get to;

Finding links in message body

Parsing HTML part

Resolving link obfuscation

http://savinginquotes.com/st.html

host 63.85.86.81 (getting name) no name

http://savinginquotes.com/?partid=bls

host 63.85.86.81 (getting name) no name

and the final answer of;

Re: 83.152.174.156 (Administrator of network where email originates)

To: abuse[at]tiscali.fr (Notes)

Re: 83.152.174.156 (Third party interested in email source)

To: Cyveillance spam collection (Notes)

Re: http://savinginquotes.com/?partid=bls (Administrator of network hosting website referenced in spam)

To: postmaster#innerwise.com[at]devnull.spamcop.net (Notes)

To: abuse[at]innerwise.com (Notes)

To: abuse[at]mci.com (Notes)

Re: http://savinginquotes.com/st.html (Administrator of network hosting website referenced in spam)

To: postmaster#innerwise.com[at]devnull.spamcop.net (Notes)

To: abuse[at]innerwise.com (Notes)

To: abuse[at]mci.com (Notes)

Tracking URL is http://www.spamcop.net/sc?id=z396973006z8c...d4a09eaa7412eez (but I aslo cancelled it, due to all the modifications made ot get it to parsing shape, and that I sure don't need someone else hitting the Send button on my behalf .. so not sure if anyone else can pull it up later, thus all the posted details)

Bottom line yet again .... the spam complaint referenced is dealing with the spamvertised web-sites, just as they state

X-SpamCop-sourceip: 198.181.237.1

This is a header bit inserted by SpamCop into the complaint/report ... It's the IP address of the SpamCop reporter's machine .. thus, as you stated elsewhere, you reported from this IP .... there is no direct connection between the actual spam, parser output for complain targets, and the specific IP you're carrying on about, other than you reported from the IP .... and apparently, there are some other folks confused about this IP also, but that may be due to your other queries to them, following your lead?

identified our external mail server as an open relay

Sorry, but from what you've supplied here, you have made no case for the above statement. It may have happened, it may be true, but if so, you're still referencing the wrong SpamCop complaint to make your point.

Link to comment
Share on other sites

It's the IP address of the SpamCop reporter's machine .. thus, as you stated elsewhere, you reported from this IP .... there is no direct connection between the actual spam, parser output for complain targets, and the specific IP you're carrying on about, other than you reported from the IP .... and apparently, there are some other folks confused about this IP also, but that may be due to your other queries to them, following your lead?

Wazoo:

I thought that as well until I parsed one of my own messages and looked at the preview report it was going to send. The IP address the spam report referenced was in that field on my preview. I actually completely rewrote my answer based on that finding.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...