Jump to content

[Resolved] backscatter from spamcop


halloween

Recommended Posts

I just got backscatter spam from spamcop. Perhaps spamcop should be holding the smtp connection while evaluating whether to accept a report or not?

Subject: WARNING: spam NOT PROCESSED - Welcome to SpamCop

The attached email headers in the automated response show that a forged From and Return-Path.

Here are the attached email headers if anyone at spamcop wants to check it out...

Return-Path: <XXX-real-address-removed>

Received: from sc-smtp8-inbound.soma.ironport.com (sc-smtp8-inbound.soma.ironport.com [204.15.82.102])

by sc-app10.soma.ironport.com (Postfix) with ESMTP id 5660FFDD2

for <abuse-ack[at]cmds.spamcop.net>; Wed, 8 Oct 2008 08:32:00 -0700 (PDT)

Received: from c62.cesmail.net ([216.154.195.54])

by vmx2.spamcop.net with ESMTP; 08 Oct 2008 08:31:59 -0700

Received: from unknown (HELO blade5.cesmail.net) ([192.168.1.215])

by c62.cesmail.net with SMTP; 08 Oct 2008 11:31:25 -0400

Received: (qmail 3182 invoked by uid 1010); 8 Oct 2008 15:31:59 -0000

Delivered-To: spamcop-net-postmaster[at]spamcop.net

Received: (qmail 3157 invoked from network); 8 Oct 2008 15:31:56 -0000

X-spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on blade5

X-spam-Level: **

X-spam-Status: hits=2.9 tests=DOS_OE_TO_MX,RDNS_DYNAMIC version=3.2.4

Received: from unknown (192.168.1.107)

by blade5.cesmail.net with QMQP; 8 Oct 2008 15:31:56 -0000

Received: from host197-186-dynamic.51-82-r.retail.telecomitalia.it (82.51.186.197)

by mx70.cesmail.net with SMTP; 8 Oct 2008 15:31:56 -0000

Message-ID: <000701c9295a$0697a276$01f2908d[at]qikvlsct>

From: "ferris vlad" <XXX-real-address-removed>

To: <postmaster[at]spamcop.net>

Subject: =?koi8-r?B?7MDC2cUsIMTB1sUg08HN2cUgx9LR2s7ZxSDTxcvT1cHM2M7F2SDGwQ==?=

=?koi8-r?B?ztTB2snJLCDP1snXwcDUINrExdPY?=

Date: Wed, 08 Oct 2008 13:44:32 +0000

MIME-Version: 1.0

Content-Type: text/plain;

charset="koi8-r"

Content-Transfer-Encoding: 8bit

X-Priority: 3

X-MSMail-Priority: Normal

X-Mailer: Microsoft Outlook Express 6.00.2720.3000

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2727.1300

Link to comment
Share on other sites

I don't think you need to respond to postmaster email. You just shouldn't [normally] bounce it. It can be a black hole, and you won't be listed by rfc-ignorant.org just because of a lack of response. In fact the policy specifically mentions inbound-only postmaster[at] in the context of a legitimate configuration (http://rfc-ignorant.org/policy-postmaster.php). It also describes situations where bouncing postmaster[at] email, in certain circumstances, is okay.

In fact, the policy specifically says that auto responders to postmaster[at] email _are_ a listable offense...

Further, if a postmaster address contains a "redirecting auto-acknowledgement", such that it is obvious that the message will not be received by a human (as specified in the RFCs), that shall also be considered a listable offense. Auto-acks suggesting "better places" to send e-mail are certainly useful and encouraged, however, it must be clear that the e-mail that generated the auto-ack will in fact be dealt with.

Link to comment
Share on other sites

I don't mean to imply that 'black hole' (/dev/null) is a legitimate configuration for postmaster[at] mail... just that a lack of response to every email going to postmaster[at] is not a listable offense. Certainly in this day and age using a spam filter on postmaster[at] email is a fact of life. So if some postmaster[at] email doesn't get through to a human, that has to be expected.

That said, even if one did bounce email to postmaster[at] (and violate the RFC), it'd be better to reject it at the SMTP session level rather than accept it and respond to [potentially forged] 'from' addresses, thus propagating the backscatter problem.

Link to comment
Share on other sites

I don't mean to imply that 'black hole' (/dev/null) is a legitimate configuration for postmaster[at] mail... just that a lack of response to every email going to postmaster[at] is not a listable offense. Certainly in this day and age using a spam filter on postmaster[at] email is a fact of life. So if some postmaster[at] email doesn't get through to a human, that has to be expected.

That said, even if one did bounce email to postmaster[at] (and violate the RFC), it'd be better to reject it at the SMTP session level rather than accept it and respond to [potentially forged] 'from' addresses, thus propagating the backscatter problem.

No, it has to be accepted, I think, because the rfc says that someone will really look at it. Certainly, however, a spam filter and someone who checked the box every day for legitimate email would be within the rules. Sending a modified spamcop report to what is caught in the spam filter would also work, according the rules, "this email was caught by spam filter in the postmaster box. If it is a legitimate email, please respond (which would go to a reports address where a real person checks it). I suppose the responses would also have to be filtered since anyone doing it deliberately could flood the response address, but they would not have to be looked since spam coming in response to a spamcop report has to be deliberate.

That seems like such a simple solution that there must be something I don't know about that makes it unworkable!

Miss Betsy

Link to comment
Share on other sites

  • 2 months later...
I'll bring the backscatter issue up for discussion again.

No promises.

From three days ago, I am getting 5 to 10 of these a day and they are from the same smtp server as the OP.

Can someone explain why I get them? Is someone forging me as the spammer? Is there a way to stop them? This is the header;

This email was sent in response to:

Return-Path: <vicentesnottychase[at]frogdesign.com>

Received: from sc-smtp8-inbound.soma.ironport.com (sc-smtp8-inbound.soma.ironport.com [204.15.82.102])

by sc-app10.soma.ironport.com (Postfix) with ESMTP id 0B71FFDE0

for <abuse-ack[at]cmds.spamcop.net>; Wed, 17 Dec 2008 09:36:28 -0800 (PST)

Received: from unknown (HELO c62.cesmail.net) ([216.154.195.54])

by vmx2.spamcop.net with ESMTP; 17 Dec 2008 09:36:25 -0800

Message-Id: <5u6ccc$4mja1k[at]c62.cesmail.net>

Received: from unknown (HELO blade5.cesmail.net) ([192.168.1.215])

by c62.cesmail.net with SMTP; 17 Dec 2008 11:56:39 -0500

Received: (qmail 9257 invoked by uid 1010); 17 Dec 2008 17:36:18 -0000

Delivered-To: spamcop-net-postmaster[at]spamcop.net

Received: (qmail 9243 invoked from network); 17 Dec 2008 17:36:17 -0000

X-spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on blade5

X-spam-Level: ****************

X-spam-Status: hits=16.4 tests=BODY_ENHANCEMENT2,DYN_RDNS_SHORT_HELO_HTML,

FB_HARD_ERECTION,HTML_MESSAGE,MIME_HTML_ONLY,MISSING_DATE,MISSING_MID,

RDNS_DYNAMIC,SARE_ADULT2,URIBL_BLACK,URIBL_JP_SURBL,URIBL_SBL,URIBL_SC_SURBL

version=3.2.4

Received: from unknown (192.168.1.108)

by blade5.cesmail.net with QMQP; 17 Dec 2008 17:36:17 -0000

Received: from client-81-108-185-75.brig.adsl.tesco.net (HELO grantcc2181425) (81.108.185.75)

by mx71.cesmail.net with SMTP; 17 Dec 2008 17:36:17 -0000

To: <andrewcrumplehorn at spamcop.net>

Subject: Discount ID: 1867

From: <andrewcrumplehorn at spamcop.net>

MIME-Version: 1.0

Importance: High

Content-Type: text/html

Date: Wed, 17 Dec 2008 09:36:28 -0800 (PST)

Link to comment
Share on other sites

... Is someone forging me as the spammer? Is there a way to stop them? This is the header;

...

Received: from unknown (192.168.1.108)

by blade5.cesmail.net with QMQP; 17 Dec 2008 17:36:17 -0000

Received: from client-81-108-185-75.brig.adsl.tesco.net (HELO grantcc2181425) (81.108.185.75)

by mx71.cesmail.net with SMTP; 17 Dec 2008 17:36:17 -0000

To: <andrewcrumplehorn at spamcop.net>

Subject: Discount ID: 1867

From: <andrewcrumplehorn at spamcop.net>

MIME-Version: 1.0

Importance: High

Content-Type: text/html

Date: Wed, 17 Dec 2008 09:36:28 -0800 (PST)

Well that part looks straight forward - someone calling themselves you [at]spamcop.net sent spam from tesco.net (NTL) to the real you and perhaps others on BCC (no way to tell about that). So yes, that looks like a simple forgery.

From there, I'm lost. It was apparently received by SC - blade5.cesmail.net and internally processed. I take it you never saw the 'original' - from 'you' to you? You never reported 81.108.185.75 to abuse[at]ntlworld.com? Not that any of that affects the question of how it got delivered to spamcop-net-postmaster[at]spamcop.net, thence abuse-ack[at]cmds.spamcop.net. Some third party application autosending to SC Postmaster from your computer might (almost) explain it but you would be aware of that anyway but it could be due to the similar actions of a BCC recipient. Otherwise it seems more like an internal SC thing - seems like a case for Don (SC Admin).

Link to comment
Share on other sites

From three days ago, I am getting 5 to 10 of these a day and they are from the same smtp server as the OP.

Can someone explain why I get them? Is someone forging me as the spammer? Is there a way to stop them? This is the header;

Yes, it would appear that the From: line is forged. This also brings up a slew of other questions, most dealing with details not mentioned in your description/query. For example, are you reporting these?

http://www.spamcop.net/sc?id=z2463637966za...8e5ab6155ee7dez

81.108.185.75 is an open proxy

Report spam to:

Re: 81.108.185.75 (Administrator of network where email originates)

To: abuse[at]ntlworld.com

Seems to show that the appropriate target is found and offered.

Per the "news" page at http://mail.spamcop.net/news.php .... have you got your e-mail address white-listed?

With the spam score offered up and suchm just where did thise-mal end up in your Folders? A bit confused as I don't see any Dispostion lines normally found in e-mail handled on JT's servers.

Last 90 days of reports only shows three listings ....

Submitted: Thursday, December 18, 2008 6:29:42 AM -0600:

Discount ID: 1867

3730420170 ( 81.108.185.75 ) To: abuse[at]ntlworld.com

--------------------------------------------

Submitted: Wednesday, December 17, 2008 1:07:58 PM -0600:

Discount ID: 5712

3728918886 ( 81.108.185.75 ) To: abuse[at]ntlworld.com

-------------------------------------------

Submitted: Wednesday, December 17, 2008 12:56:05 PM -0600:

Discount ID: 5712

3728887820 ( 81.108.185.75 ) To: abuse[at]ntlworld.com

Apparently you are not reporting 'all' of these??? (based on your description of 5 to 10 a day)

Link to comment
Share on other sites

Yes, it would appear that the From: line is forged. This also brings up a slew of other questions, most dealing with details not mentioned in your description/query. For example, are you reporting these?

http://www.spamcop.net/sc?id=z2463637966za...8e5ab6155ee7dez

81.108.185.75 is an open proxy

Report spam to:

Re: 81.108.185.75 (Administrator of network where email originates)

To: abuse[at]ntlworld.com

Seems to show that the appropriate target is found and offered.

Per the "news" page at http://mail.spamcop.net/news.php .... have you got your e-mail address white-listed?

With the spam score offered up and such just where did thise-mal end up in your Folders? A bit confused as I don't see any Dispostion lines normally found in e-mail handled on JT's servers.

Last 90 days of reports only shows three listings ....

Submitted: Thursday, December 18, 2008 6:29:42 AM -0600:

Discount ID: 1867

3730420170 ( 81.108.185.75 ) To: abuse[at]ntlworld.com

--------------------------------------------

Submitted: Wednesday, December 17, 2008 1:07:58 PM -0600:

Discount ID: 5712

3728918886 ( 81.108.185.75 ) To: abuse[at]ntlworld.com

-------------------------------------------

Submitted: Wednesday, December 17, 2008 12:56:05 PM -0600:

Discount ID: 5712

3728887820 ( 81.108.185.75 ) To: abuse[at]ntlworld.com

Apparently you are not reporting 'all' of these??? (based on your description of 5 to 10 a day)

Thank you for the information offered so far. I have my Spamcop account set up so that legitimate mail is forwarded to my normal ISP address which is via sympatico.ca. I didn't report the e-mails as I was puzzled why they were being sent to me. I usually only report spam via Mailwasher Pro. My spamcop e-mail address is on a marketeers CD and is heavily spammed. Nearly all is kept as held mail and is routinely deleted. I should really change my account name with Spamcop.

I will check to see if my e-mail address is on my own whitelist.

Tesco and NTL are both UK companies and that is where I came from originally. I have had no dealings with NTL, but I did sign up for a Tesco online shopping account way back in 2001 or so.

I will write to NTL.

This is the first e-mail I received on Monday which originates in Montevideo, Mexico.

This email was sent in response to:

Return-Path: <lorenalliancenewton[at]debevoise.com>

Received: from sc-smtp10-inbound.soma.ironport.com (sc-smtp10-inbound.soma.ironport.com [204.15.82.104])

by sc-app1.soma.ironport.com (Postfix) with ESMTP id 4CD2549E846

for <abuse-ack[at]cmds.spamcop.net>; Mon, 15 Dec 2008 06:28:22 -0800 (PST)

Received: from c62.cesmail.net ([216.154.195.54])

by vmx2.spamcop.net with ESMTP; 15 Dec 2008 06:28:22 -0800

Message-Id: <5u6ccc$4miubr[at]c62.cesmail.net>

Received: from unknown (HELO blade6.cesmail.net) ([192.168.1.216])

by c62.cesmail.net with SMTP; 15 Dec 2008 08:49:54 -0500

Received: (qmail 27595 invoked by uid 1010); 15 Dec 2008 14:28:22 -0000

Delivered-To: spamcop-net-postmaster[at]spamcop.net

Received: (qmail 27582 invoked from network); 15 Dec 2008 14:28:22 -0000

X-spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on blade6

X-spam-Level: ************

X-spam-Status: hits=12.3 tests=HTML_IMAGE_ONLY_04,HTML_MESSAGE,

HTML_SHORT_LINK_IMG_1,MIME_HTML_ONLY,MISSING_DATE,MISSING_MID,RDNS_NONE,

URIBL_BLACK,URIBL_JP_SURBL,URIBL_SBL version=3.2.4

Received: from unknown (192.168.1.88)

by blade6.cesmail.net with QMQP; 15 Dec 2008 14:28:22 -0000

Received: from unknown (HELO contador) (190.252.124.57)

by mxin1.cesmail.net with SMTP; 15 Dec 2008 14:24:00 -0000

To: <andrewcrumplehorn [at] spamcop.net>

Subject: Discount ID: 0813

From: <andrewcrumplehorn [at] spamcop.net>

MIME-Version: 1.0

Importance: High

Content-Type: text/html

Date: Mon, 15 Dec 2008 06:28:22 -0800 (PST)

Link to comment
Share on other sites

Thank you for the information offered so far.

Please note that the Forum FAQ (among other places) includes a few notes about editing down the quoted material in a reply. As noted in this response, there is no need to quote the previous post in its entirety, especially when that previous post is still showing on the same page.

I will check to see if my e-mail address is on my own whitelist.

I do wish you'd have answered this by now.

This is the first e-mail I received on Monday which originates in Montevideo, Mexico.

If you're getting 5 to 10 a day, why reach all the way back to Monday to toss up another example .... which really doesn't show anything new ...????

This is what I've done to see if JT or Trevor can offer some details ....

From: "Wazoo"

To: "SpamCop Support - JT"

Subject: Delivery destination of e-mail

Date: Fri, 19 Dec 2008 02:24:27 -0600

<http://forum.spamcop.net/forums/index.php?showtopic=9822>

Message-Id: <5u6ccc$4mja1k[at]c62.cesmail.net>

Message-Id: <5u6ccc$4miubr[at]c62.cesmail.net>

From: <elided for this post>

To: <elided for this post>

Delivered-To: elided for this post

User states: I have my Spamcop account set up so that legitimate mail is

forwarded to my normal ISP address which is via sympatico.ca.

Questions:

Can you tell why the postmaster-spamcop.net account is shown as the Delivery

target?

I noted no Disposition: line in the info posted by the user ... he made no

attempt to state whether it existed and it wasn't copied ... or that it

simply doesn't exist. Question dealt with whether or not this address was

in his whitelist. Is the lack of a Disposition: line due to the

"forwarding" mode?

Link to comment
Share on other sites

I'm happy to report a small success.

The autoresponder was removed from our postmaster and abuse addresses the afternoon of the 17th. The backscatter problem should be over now.

Thanks Don - perseverence appreciated.

Not entirely clear (to me, anyway) if that was the whole cause of the current query but certainly it was involved.

Link to comment
Share on other sites

Not entirely clear (to me, anyway) if that was the whole cause of the current query but certainly it was involved.

My continuing educarion goes on .... an issue with the List Archives has left me with the conclusion that I don't have enough logging turned on (disk space consumed) to backtrack that specific issue. I suspect the same issue is what JT ran into ... however, what he provided .... the e-mail almost certainly did contain the postmaster address in a BCC: .... the postmaster (and of course numerous other admin types of accounts) are basically directly and immediately forwarded to the IronPort server, which is why there were no Dispsition: lines in the data provided within this Topic. So, in effect, Don's 'positive' results would in fact appear to have also resolved this particular issue. Tagging Topic title as such.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...