
tens of Delivery Status Notification


efa


Hi, today a spammer is using a new technique:

sending tens and tens of "Delivery Status Notification" messages which, when reported on SpamCop, say:

Mailhost configuration problem, identified internal IP as source

I just repeated the email return procedure. I do not know how the spammer can do that, but SpamCop says that all those tens of spam come from me!

And they continue to arrive, about 1 a minute. There are 58 for now, and the number continues to grow.

Here is an example tracking URL:

http://www.spamcop.net/sc?id=z2399003320z8...e925e666a7b573z

Link to comment
Share on other sites

Mailhost configuration problem, identified internal IP as source

There seems to be a problem with your Mailhost configuration, and there are links on the Tracking URL page to help you fix the problem:

Add/edit your mailhost configuration

It looks like these might be delivery errors from the "libero.it" coming back to your own "libero.it" account, so you probably don't want to report them as spam. It might involve an infection/trojan on your own computer.

First look into fixing the mailhost problem. I see that you also posted in the Mailhost forum, so please read the "pinned" items at the top to understand what to do. You can probably also get Mailhost help from Don D'Minion, the SpamCop Administrator, who posts here fairly regularly.

DT

Link to comment
Share on other sites

The first thing that I did, before posting here, was to repeat the mailhost configuration procedure.

I received the two emails, and inserted them in the form at the reported link.

SpamCop continues to say that those messages come from me.

I have a firewall activated; the system now running is WinXP SP3.

Link to comment
Share on other sites

Edit: it looks like a few more posts were posted while I was writing this.

SpamCop continues to say that those messages come from me.
Not quite sure what you are saying here, but unless you are using your own mail server, which I doubt, the message would mean that they are coming from the same mail server that you are using. SpamCop does not identify the source of mail down to the actual sender of the message but only down to the IP address of the server used to inject the message into the internet.
Link to comment
Share on other sites

Hi, today a spammer is using a new technique:

sending tens and tens of "Delivery Status Notification" messages which, when reported on SpamCop, say:

Mailhost configuration problem, identified internal IP as source

Yes, the only IP Addresses showing in the header of your submittal are in fact those of your own ISP/Host.

I just repeated the email return procedure. I do not know how the spammer can do that, but SpamCop says that all those tens of spam come from me!

???? All I see is that you are attempting to report your own ISP/Host for their forwarding on a notification of a failed e-mail attempt (that seems to have actually been handled by another ISP/Host.)

Embedded within that notification is a set of headers allegedly from the 'actual' attempted e-mail delivery .... one that seems to suggest a connection between your ISP/Host of libero.it and iol.it ... specifically, the headers seem to suggest that the spam was sent from an iol.it account. However, instead of simply following the assumed-to-be forged From: address directly, iol.it handed the notification back to libero.it to hand it back to 'you' .... If it was me, I'd be asking your ISP/Host for some description of that background processing, perhaps starting specifically on why iol.it would be handling your outgoing e-mail????

the "Delivery Status Notification" messages are now 109 ...

But the real question would be how many of these actually 'match' the single example offered thus far?

I see that you also posted in the Mailhost forum,

That Topic has been deleted. I don't see an actual MailHost Configuration 'problem' at this point .. other than noting that a non-MailHost Configured Reporting Account would have sent out Reports, directly to the Reporter's own ISP/Host .... possibly ending with some bad consequences due to the lack of any suggestion as to why some investigating should be needed.

Link to comment
Share on other sites

My provider is iol.it.

libero.it owns iol.it.

All are the property of Wind Infostrada.

I tried all 109; for about 10, SpamCop sent the complaint regularly.

For the others it says:

Mailhost configuration problem, identified internal IP as source

If it can help, I can process some of those again and post the tracking URLs here.

Link to comment
Share on other sites

My provider is iol.it.

libero.it owns iol.it.

All are the property of Wind Infostrada.

As I thought .. but wasn't in the mood to research.

I tried all 109; for about 10, SpamCop sent the complaint regularly.

Suggests that those were different ....

The same general header and body content as your last example, thus the same results.

I am starting to think that it is really a trojan that sends email for me to nonexistent addresses, and they bounce to me. Is it possible?

How can I be sure?

Note that the body content of both notifications point to the same source;

Received: from ppp-24-243.33-151.iol.it (151.33.243.24) by cp-out11.libero.it (8.5.016.1)

This would appear to be the actual source of the initial spam spew. This (in my mind) would be the subject for a complaint to your ISP/Host. The normal complaint about a "Mis-Directed Bounce" isn't really totally valid here, seeing as that you admit that these Domains are in fact related to the same people. The problem you are facing goes back to my last posted suggested questions ... the outgoing e-mail being handled by one Domain but the incoming by another Domain ... leaving you caught in the middle of this Reporting problem. Which Domain is involved in really handling your outgoing e-mail? (Not going to really help your Reporting issue, but it might be nice to know if that outgoing server does manage to get listed in the SpamCopDNSBL.)

Link to comment
Share on other sites

OK,

this morning I'm running Windows again, and I am not getting any more bounces.

I installed AVG Free antivirus, updated it, and it is scanning all the partitions.

For now it has not found anything viral.

I use a Wind Infostrada ADSL connection, so my IP is in the 151.59.0.0 - 151.59.255.255 netblock.

My sending SMTP mail server now is 'mail.iol.it',

while the Infostrada provider SMTP server is 'mail.libero.it'.

They permit relaying between the two, probably because they are one single property.

Should I switch to 'mail.libero.it' and repeat the Mailhost configuration procedure?

Link to comment
Share on other sites

Should I switch to 'mail.libero.it' and repeat the Mailhost configuration procedure?

I think that would be a good idea. On a related note, I'm getting some bounces on one of my accounts that look a little strange. They're coming from the mail server responsible for that address and I usually don't receive any bounces at that address. From the messages, I can tell that my local machine is not involved, so perhaps this is a similar situation. I'll be working it out directly with the server administrator, rather than trying to run these through SpamCop.

DT

Link to comment
Share on other sites

I switched to libero.it and then repeated the Mailhost procedure; then I realized that it is based on receiving a mail, so the IMAP server does not impact this.

Anyway, I always got the

Mailhost configuration problem, identified internal IP as source

error on that spam.

So you say that I should write to abuse[at]libero.it complaining about the bounce?

Most of the time I run Linux, so it is difficult for me to get to the truth of this situation: spammer or Windows virus?

Link to comment
Share on other sites

I switched to libero.it and then repeated the Mailhost procedure; then I realized that it is based on receiving a mail, so the IMAP server does not impact this.

As I suggested above, this action wouldn't appear to make much difference in Reporting.

Anyway, I always got the Mailhost configuration problem, identified internal IP as source error on that spam.

Yes .... your ISP/Host's servers are already 'mapped' into the MailHost Configuration database. As I've stated before, the issue is that you are attempting to Report your own ISP/Host's e-mail server ... which has been identified as "trusted" for your Reporting Account. Basically, the parser is throwing up its hands as it can go no further in attempting to discover an 'outside' source for the e-mail you are submitting ... nothing but internal handoffs.

So you say that I should write to abuse[at]libero.it complaining about the bounce?

The 'bounce' is something to discuss with them. I have suggested that the real issue is the 'source' of the original e-mails.

Most of the time I run Linux, so it is difficult for me to get to the truth of this situation: spammer or Windows virus?

Not sure I understand that remark at all. There are numerous e-mail clients that work under Linux, various web-browsers if looking at web-based e-mail .... the data I'm talking about is within the body of the e-mails you've provided Tracking URLs on. This should be visible to you also.

Link to comment
Share on other sites

Mailhost configuration problem, identified internal IP as source
This problem has nothing to do with Mailhosts.

The reason SpamCop can't report the bounces is because the spam originated from within the Libero.it network and all the server IPs in the bounce headers are IANA reserved for internal use only. There are no routable IPs in the headers for the parse to tag as the source.

As Wazoo says, the source IP of the spam that is contained in the bounce is a different matter.

For example, you could write to abuse[at]libero.it and abuse[at]iol.it, and tell them that 151.33.237.92 = ppp-92-237.33-151.iol.it is sending spam. The same would apply for 151.33.243.24, or any other IPs in the 151.33.0.0 - 151.33.255.255 range.

- Don D'Minion - SpamCop Admin -


Link to comment
Share on other sites
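The distinction made in the post above, as an added example (not part of the original thread and not SpamCop's parser): the outer Received chain of the bounce holds only non-routable hops, while the Received line quoted in the body carries the routable injecting IP. The sample message is constructed; its outer hostnames, internal addresses and function names are assumptions, and only the embedded Received line is taken from the thread.

```python
import email
import ipaddress
import re

# Match the address in the "from" clause only. The trailing "(8.5.016.1)"
# after "by" is a software version string, not an IP, and must be ignored.
FROM_IP = re.compile(r"\bfrom\s+\S+\s+\((?:\S+\s+)?\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)")

# Constructed sample bounce (single-part text). Outer hops are made up.
SAMPLE_DSN = """\
Received: from smtp-in.example.internal (192.168.32.10) by ims.example.internal
Received: from cp-out.example.internal (172.31.0.226) by smtp-in.example.internal
From: postmaster@example.invalid
To: reporter@example.invalid
Subject: Delivery Status Notification

This report relates to a message you sent with the following header fields:

  Received: from ppp-24-243.33-151.iol.it (151.33.243.24) by cp-out11.libero.it (8.5.016.1)
  From: reporter@example.invalid
  Subject: constructed sample
"""

def from_ips(received_lines):
    """Return the address each Received line gives in its 'from' clause."""
    found = []
    for line in received_lines:
        m = FROM_IP.search(line)
        if m:
            try:
                found.append(ipaddress.ip_address(m.group(1)))
            except ValueError:
                pass  # octet out of range: not an address
    return found

def analyse_bounce(raw):
    """Split hops into routable/internal and find the embedded source."""
    msg = email.message_from_string(raw)
    outer = from_ips(msg.get_all("Received", []))
    body = msg.get_payload().splitlines()
    embedded = from_ips(l for l in body if l.strip().startswith("Received:"))
    return {
        "outer_routable": [str(ip) for ip in outer if ip.is_global],
        "outer_internal": [str(ip) for ip in outer if not ip.is_global],
        "embedded_source": [str(ip) for ip in embedded if ip.is_global],
    }

if __name__ == "__main__":
    print(analyse_bounce(SAMPLE_DSN))
```

An empty `outer_routable` list is the situation the parser reported as "identified internal IP as source"; `embedded_source` is the address to pass to the provider's abuse desk.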

Thanks for confirming that, Don, but this information from his Tracking URL:

Mailhost configuration problem, identified internal IP as source

Mailhost:

Please correct this situation - register every email address where you receive spam

...was what led both the OP and me to believe there might be some Mailhost involvement. Perhaps the programmers could add something to the parsing output in situations like this that wouldn't encourage "barking up the wrong tree."

DT

Link to comment
Share on other sites

Not sure I understand that remark at all. There are numerous e-mail clients that work under Linux, various web-browsers if looking at web-based e-mail .... the data I'm talking about is within the body of the e-mails you've provided Tracking URLs on. This should be visible to you also.

This is only because DavidT in his first post said:

"It might involve an infection/trojan on your own computer."

so I had some doubts.

Anyway today I'm receiving bounces, and I'm at work with my home computer switched off.

:-))

Fortunately the send rate has decreased; now there are 117 in all.

I just sent the complaint to my provider.

Link to comment
Share on other sites

you could write to abuse[at]libero.it and abuse[at]iol.it, and tell them that 151.33.237.92 = ppp-92-237.33-151.iol.it is sending spam.

I do not understand one thing:

where does the IP 151.33.237.92 come from?

To me it seems that all this spam originated from 151.33.243.24

Link to comment
Share on other sites

I do not understand one thing:

where does the IP 151.33.237.92 come from?

To me it seems that all this spam originated from 151.33.243.24

The spams for which links were provided here are from 151.33.243.24. Don, who made that statement, has access to all of the reports made by the OP, so he likely sees some other sources as well.

Link to comment
Share on other sites

I do not understand one thing:

where does the IP 151.33.237.92 come from?

To me it seems that all this spam originated from 151.33.243.24

As I stated (and highlighted in blue) back in Linear Post #12 in this Topic/Discussion .... this is data seen within the body content of the non-delivery notification ... the headers of the e-mail that allegedly triggered the 'problem' ....

Link to comment
Share on other sites

...sorry, but I still do not see the IP 151.33.237.92 anywhere in all the messages.

Maybe Don saw it elsewhere (nobody else is seeing it either) but, as he says:
The same would apply for 151.33.243.24, or any other IPs in the 151.33.0.0 - 151.33.255.255 range...
Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
