efa Posted November 8, 2008

Hi, today spammers use a new technique: they send tens and tens of "Delivery Status Notification" messages, which when reported to SpamCop say:

> Mailhost configuration problem, identified internal IP as source

I just repeated the email return procedure. I do not know how the spammer can do that, but SpamCop says that all those tens of spam come from me! And they continue to arrive, about 1 a minute. There are 58 for now, and the number continues growing.

Here is an example tracking URL: http://www.spamcop.net/sc?id=z2399003320z8...e925e666a7b573z

DavidT Posted November 8, 2008

> Mailhost configuration problem, identified internal IP as source

There seems to be a problem with your Mailhost configuration, and there are links on the Tracking URL page to help you fix the problem: "Add/edit your mailhost configuration"

It looks like these might be delivery errors from the "libero.it" coming back to your own "libero.it" account, so you probably don't want to report them as spam. It might involve an infection/trojan on your own computer. First look into fixing the mailhost problem. I see that you also posted in the Mailhost forum, so please read the "pinned" items at the top to understand what to do. You can probably also get Mailhost help from Don D'Minion, the SpamCop Administrator, who posts here fairly regularly.

DT

efa Posted November 8, 2008

The first thing that I did, before posting here, was to repeat the mailhost configuration procedure. I received the two emails and inserted them in the form at the reported link. SpamCop continues to say that those messages come from me. I have a firewall activated; the system now running is WinXP SP3.

DavidT Posted November 8, 2008

Sounds like you might need to contact the SpamCop Deputies, so that they can take a look at the situation. It's "deputies at spamcop dot net"

DT

efa Posted November 8, 2008

The "Delivery Status Notification" messages are now 109 ... Now I restart in Linux to be sure about the trojan.

dbiel Posted November 8, 2008

Edit: it looks like a few more posts were posted while I was writing this.

> SpamCop continues to say that those messages come from me.

Not quite sure what you are saying here, but unless you are using your own mail server, which I doubt, the message would mean that they are coming from the same mail server that you are using. SpamCop does not identify the source of mail down to the actual sender of the message but only down to the IP address of the server used to inject the message into the internet.

efa Posted November 8, 2008

I'm back from Linux. Yes, you are right, the bounce seems to come from my server, not from me. For example, for the tracking URL the spam seems to come from: 151.33.243.24

efa Posted November 8, 2008

My IP is in the same subnet, but it is different.

Wazoo Posted November 8, 2008

> Hi, today spammers use a new technique: they send tens and tens of "Delivery Status Notification" messages, which when reported to SpamCop say:
> Mailhost configuration problem, identified internal IP as source

Yes, the only IP Addresses showing in the header of your submittal are in fact those of your own ISP/Host.

> I just repeated the email return procedure. I do not know how the spammer can do that, but SpamCop says that all those tens of spam come from me!

???? All I see is that you are attempting to report your own ISP/Host for their forwarding on a notification of a failed e-mail attempt (that seems to have actually been handled by another ISP/Host.)

> Here is an example tracking URL: http://www.spamcop.net/sc?id=z2399003320z8...e925e666a7b573z

Embedded within that notification is a set of headers allegedly from the 'actual' attempted e-mail delivery .... one that seems to suggest a connection between your ISP/Host of libero.it and iol.it ... specifically, the headers seem to suggest that the spam was sent from an iol.it account. However, instead of simply following the assumed-to-be forged From: address directly, iol.it handed the notification back to libero.it to hand it back to 'you' .... If it was me, I'd be asking your ISP/Host for some description of that background processing, perhaps starting specifically on why iol.it would be handling your outgoing e-mail????

> The "Delivery Status Notification" messages are now 109 ...

But the real question would be how many of these actually 'match' the single example offered thus far?

> I see that you also posted in the Mailhost forum,

That Topic has been deleted. I don't see an actual MailHost Configuration 'problem' at this point .. other than noting that a non-MailHost Configured Reporting Account would have sent out Reports, directly to the Reporter's own ISP/Host .... possibly ending with some bad consequences due to the lack of any suggestion as to why some investigating should be needed.

efa Posted November 8, 2008

My provider is iol.it.
libero.it owns iol.it.
All are property of Wind Infostrada.

I tried all the 109; for about 10 SpamCop sent the complaint regularly. For the others it says:

> Mailhost configuration problem, identified internal IP as source

If it can help, I can process some of those again and post the tracking URLs here.

efa Posted November 8, 2008

This is the last I received: http://www.spamcop.net/sc?id=z2399275127z8...31acf3842b1911z

Here from Linux they seem to have stopped. I start to think that it is really a trojan that sends email for me to nonexistent addresses, and they bounce to me. Is it possible? How to be sure? But the IP is different from mine, which is in the 151.59.0.0 - 151.59.255.255 netblock.

Wazoo Posted November 9, 2008

> My provider is iol.it.
> libero.it owns iol.it.
> All are property of Wind Infostrada.

As I thought .. but wasn't in the mood to research.

> I tried all the 109; for about 10 SpamCop sent the complaint regularly.

Suggests that those were different ....

> This is the last I received: http://www.spamcop.net/sc?id=z2399275127z8...31acf3842b1911z

The same general header and body content as your last example, thus the same results.

> I start to think that it is really a trojan that sends email for me to nonexistent addresses, and they bounce to me. Is it possible? How to be sure?

Note that the body content of both notifications point to the same source;

Received: from ppp-24-243.33-151.iol.it (151.33.243.24) by cp-out11.libero.it (8.5.016.1)

This would appear to be the actual source of the initial spam spew. This (in my mind) would be the subject for a complaint to your ISP/Host. The normal complaint about a "Mis-Directed Bounce" isn't really totally valid here, seeing as that you admit that these Domains are in fact related to the same people. The problem you are facing goes back to my last posted suggested questions ... the outgoing e-mail being handled by one Domain but the incoming by another Domain ... leaving you caught in the middle of this Reporting problem.

Which Domain is involved in really handling your outgoing e-mail? (Not going to really help your Reporting issue, but it might be nice to know if that outgoing server does manage to get listed in the SpamCopDNSBL.)

efa Posted November 9, 2008

OK, this morning I'm running Windows again, and I'm not getting more bounces. I installed AVG free antivirus, updated it, and it is scanning all the partitions. For now it has not found anything viral.

I use a Wind Infostrada ADSL connection, so my IP is in the 151.59.0.0 - 151.59.255.255 netblock. My sending SMTP mail server now is 'mail.iol.it', while the Infostrada provider SMTP server is 'mail.libero.it'. They permit relaying between the two, probably because they are one single property.

Should I switch to 'mail.libero.it' and repeat the Mailhost configuration procedure?

DavidT Posted November 9, 2008

> Should I switch to 'mail.libero.it' and repeat the Mailhost configuration procedure?

I think that would be a good idea.

On a related note, I'm getting some bounces on one of my accounts that look a little strange. They're coming from the mail server responsible for that address and I usually don't receive any bounces at that address. From the messages, I can tell that my local machine is not involved, so perhaps this is a similar situation. I'll be working it out directly with the server administrator, rather than trying to run these through SpamCop.

DT

efa Posted November 9, 2008

I switched to libero.it and then repeated the Mailhost procedure, then I realized that it is based on receiving a mail, so IMAP server does not impact on this.

Anyway, I always got the "Mailhost configuration problem, identified internal IP as source" error on that spam.

So you say that I should write to abuse[at]libero.it complaining about the bounce?

Most of the time I run Linux, so it is difficult for me to go deep to the truth of this situation: spammer or Windows virus?

Wazoo Posted November 10, 2008

> I switched to libero.it and then repeated the Mailhost procedure, then I realized that it is based on receiving a mail, so IMAP server does not impact on this.

As I suggested above, this action wouldn't appear to make much difference in Reporting.

> Anyway, I always got the "Mailhost configuration problem, identified internal IP as source" error on that spam.

Yes .... your ISP/Host's servers are already 'mapped' into the MailHost Configuration database. As I've stated before, the issue is that you are attempting to Report your own ISP/Host's e-mail server ... which has been identified as "trusted" for your Reporting Account. Basically, the parser is throwing up its hands as it can go no further in attempting to discover an 'outside' source for the e-mail you are submitting ... nothing but internal handoffs.

> So you say that I should write to abuse[at]libero.it complaining about the bounce?

The 'bounce' is something to discuss with them. I have suggested that the real issue is the 'source' of the original e-mails.

> Most of the time I run Linux, so it is difficult for me to go deep to the truth of this situation: spammer or Windows virus?

Not sure I understand that remark at all. There are numerous e-mail clients that work under Linux, various web-browsers if looking at web-based e-mail .... the data I'm talking about is within the body of the e-mails you've provided Tracking URLs on. This should be visible to you also.

SpamCopAdmin Posted November 10, 2008

> Mailhost configuration problem, identified internal IP as source

This problem has nothing to do with Mailhosts.

The reason SpamCop can't report the bounces is because the spam originated from within the Libero.it network and all the server IPs in the bounce headers are IANA reserved for internal use only. There are no routable IPs in the headers for the parse to tag as the source.

As Wazoo says, the source IP of the spam that is contained in the bounce is a different matter. For example, you could write to abuse[at]libero.it and abuse[at]iol.it, and tell them that 151.33.237.92 = ppp-92-237.33-151.iol.it is sending spam. The same would apply for 151.33.243.24, or any other IPs in the 151.33.0.0 - 151.33.255.255 range.

- Don D'Minion - SpamCop Admin -

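The check described in the post above, as an added example that is not part of the original thread and is not SpamCop's parser: it walks the Received headers of a bounce, finds no routable hop, then reads the source from the headers embedded in the notification body. The outer headers and the internal.example hostnames are constructed, and the single-part body layout is a simplifying assumption; the embedded Received line is the one quoted in the thread.

```python
import ipaddress
import re
from email import message_from_string

# Connecting address in "Received: from name (a.b.c.d) by ...". Anchoring on
# "from" skips the "(8.5.016.1)" software version that follows "by".
FROM_IP = re.compile(r"from\s+\S+\s+\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)")

def received_ips(msg):
    """Connecting IPs from the Received headers, newest hop first."""
    ips = []
    for value in msg.get_all("Received", []):
        m = FROM_IP.search(value)
        try:
            if m:
                ips.append(ipaddress.ip_address(m.group(1)))
        except ValueError:
            pass  # looked like an address but is not a valid one
    return ips

def first_routable(ips):
    # None means every hop is reserved/internal: nothing to tag as source.
    return next((str(ip) for ip in ips if ip.is_global), None)

def analyse_bounce(raw):
    outer = message_from_string(raw)
    body = outer.get_payload()
    # Simplification: the original headers are taken to start at the first
    # line of the notification body that begins with "Received:".
    m = re.search(r"^Received:", body, re.M)
    inner = message_from_string(body[m.start():]) if m else None
    return {
        "outer_hops": [str(ip) for ip in received_ips(outer)],
        "outer_source": first_routable(received_ips(outer)),
        "embedded_source": first_routable(received_ips(inner)) if inner else None,
    }

# Constructed sample: outer headers and *.internal.example names are invented.
SAMPLE = """\
Received: from relay-b.internal.example (192.168.32.14) by mbox-a.internal.example (10.0.4.7)
Received: from relay-a.internal.example (10.0.9.21) by relay-b.internal.example (192.168.32.14)
From: postmaster@internal.example
Subject: Delivery Status Notification

Delivery to the following recipient failed. Original headers follow.

Received: from ppp-24-243.33-151.iol.it (151.33.243.24) by cp-out11.libero.it (8.5.016.1)
From: forged@example.com
Subject: constructed sample
"""
```

`analyse_bounce(SAMPLE)` reports no routable address in the bounce's own headers and 151.33.243.24 as the address in the embedded headers, which is the one to include in a complaint to the provider.
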
DavidT Posted November 10, 2008

Thanks for confirming that, Don, but this information from his Tracking URL:

> Mailhost configuration problem, identified internal IP as source
> Mailhost: Please correct this situation - register every email address where you receive spam

...was what led both the OP and me to believe there might be some Mailhost involvement. Perhaps the programmers could add something to the parsing output in situations like this that wouldn't encourage "barking up the wrong tree."

DT

efa Posted November 10, 2008

> Not sure I understand that remark at all. There are numerous e-mail clients that work under Linux, various web-browsers if looking at web-based e-mail .... the data I'm talking about is within the body of the e-mails you've provided Tracking URLs on. This should be visible to you also.

This is only because DavidT in his first post said: "It might involve an infection/trojan on your own computer." so I had some doubts.

Anyway today I'm receiving bounces, and I'm at work with my home computer switched off. :-))

Fortunately the send rate has decreased; now there are 117 in all. I just sent the complaint to my provider.

efa Posted November 10, 2008

> you could write to abuse[at]libero.it and abuse[at]iol.it, and tell them that 151.33.237.92 = ppp-92-237.33-151.iol.it is sending spam.

I do not understand one thing: where does the IP 151.33.237.92 come from? To me it seems that all these spam originated from 151.33.243.24

StevenUnderwood Posted November 10, 2008

> I do not understand one thing: where does the IP 151.33.237.92 come from? To me it seems that all these spam originated from 151.33.243.24

The spams for which links were provided here are from 151.33.243.24. Don, who made that statement, has access to all of the reports made by the OP, so he likely sees some other sources as well.

DavidT Posted November 10, 2008

> This is only because DavidT in his first post said: "It might involve an infection/trojan on your own computer."

But it was only a guess, and not based on any thorough analysis. Sometimes I post before I think. ;-)

DT

Wazoo Posted November 10, 2008

> I do not understand one thing: where does the IP 151.33.237.92 come from? To me it seems that all these spam originated from 151.33.243.24

As I stated (and highlighted in blue) back in Linear Post #12 in this Topic/Discussion .... this is data seen within the body content of the non-delivery notification ... the headers of the e-mail that allegedly triggered the 'problem' ....

efa Posted November 10, 2008

Thanks for the explanation on the bounce email/server/provider.

Sorry, but I still do not see the IP 151.33.237.92 anywhere in all the messages.

Farelf Posted November 10, 2008

> ...Sorry, but I still do not see the IP 151.33.237.92 anywhere in all the messages.

Maybe Don saw it elsewhere (nobody else is seeing it either) but, as he says:

> The same would apply for 151.33.243.24, or any other IPs in the 151.33.0.0 - 151.33.255.255 range...

This topic is now archived and is closed to further replies.