milkboy Posted November 25, 2008

The report (not sent) is at http://www.spamcop.net/sc?id=z2418169598zc...4493d6215965dcz

The header parsing is fine up until #2. #3 is marked as "trusted site" for some reason? SpamCop trusts this host? #4 is marked as Internal handoff at IKI, IKI being one of my mailhosts, but smtp5.jaring.my has absolutely nothing to do with my mailhosts, so this is incorrect. #5 might or might not be faked.

As I see it, 61.6.32.55 should be the sender and not just "intermediary" handler? Someone correct me if I'm wrong.

----------

0: Received: from emh01.mail.saunalahti.fi (emh01.mail.saunalahti.fi [62.142.5.107])
   by be35.mail.saunalahti.fi (Postfix) with ESMTP id D58FE910AB
   for <x>; Tue, 25 Nov 2008 02:45:35 +0200 (EET)
   Hostname verified: emh01.mail.saunalahti.fi
   Saunalahti2 received mail from Saunalahti2 ( 62.142.5.107 )

1: Received: from jatkuu.iki.fi (jatkuu.iki.fi [212.16.98.53])
   by emh01.mail.saunalahti.fi (Postfix) with ESMTP id C45464BB47
   for <x>; Tue, 25 Nov 2008 02:45:35 +0200 (EET)
   Hostname verified: jatkuu.iki.fi
   Saunalahti2 received mail from IKI ( 212.16.98.53 )

2: Received: from smtp5.jaring.my (smtp5.jaring.my [61.6.32.55])
   by jatkuu.iki.fi (8.14.2/8.14.2) with ESMTP id mAP0jUdQ000988
   for <x>; Tue, 25 Nov 2008 02:45:33 +0200 (EET)
   Hostname verified: smtp5.jaring.my
   IKI received mail from sending system 61.6.32.55

3: Received: from localhost (localhost.jaring.my [127.0.0.1])
   by smtp5.jaring.my (8.13.8/8.13.8) with ESMTP id mAP0hZIg011176;
   Tue, 25 Nov 2008 08:43:35 +0800 (MYT)
   (envelope-from hicktom[at]googlemail.com)
   Internal handoff by trusted site 61.6.32.55

4: Received: from smtp5.jaring.my ([127.0.0.1])
   by localhost (smtp5.jaring.my [127.0.0.1]) (amavisd-new, port 10024)
   with LMTP id QBdCuSngWsw9; Tue, 25 Nov 2008 08:43:33 +0800 (MYT)
   Internal handoff at IKI

5: Received: from User ([41.6.31.123]) (authenticated bits=0)
   by smtp5.jaring.my (8.13.8/8.13.8) with ESMTP id mAP0gpn6010729;
   Tue, 25 Nov 2008 08:42:57 +0800 (MYT)
   (envelope-from hicktom[at]googlemail.com)
   No unique hostname found for source: 41.6.31.123
   Trusted site 61.6.32.55 received mail from 41.6.31.123

Edit: #4 -> 61.6.32.55, which was the original intention
StevenUnderwood Posted November 25, 2008

> The report (not sent) is at http://www.spamcop.net/sc?id=z2418169598zc...4493d6215965dcz
>
> The header parsing is fine up until #2. #3 is marked as "trusted site" for some reason? SpamCop trusts this host? #4 is marked as Internal handoff at IKI, IKI being one of my mailhosts, but smtp5.jaring.my has absolutely nothing to do with my mailhosts, so this is incorrect. #5 might or might not be faked.
>
> As I see it, #4 should be the sender and not just "intermediary" handler? Someone correct me if I'm wrong.
>
> ----------

#4 could never be the source as it is an internal handoff; there is no IP address to report. The mention of IKI is really just a factor of SpamCop trying to "humanize" the parse and part of the mailhost system. You are correct it is not part of IKI, but it is likely that 127.0.0.1 is in your mailhost configuration, as it is in most.

#3 does appear to be trusted... if you do not trust it, your manual report should go to the ISP of 61.6.32.55 because: IKI received mail from sending system 61.6.32.55. I have seen very few cases where the manually set trusted flag needed to be turned back off, so I usually trust the parse. All it means is that host is known to correctly include the source where it got the message.

As such, the original source is 41.6.31.123
milkboy Posted November 25, 2008 (Author)

> #4 could never be the source as it is an internal handoff; there is no IP address to report. The mention of IKI is really just a factor of SpamCop trying to "humanize" the parse and part of the mailhost system. You are correct it is not part of IKI, but it is likely that 127.0.0.1 is in your mailhost configuration, as it is in most.
>
> #3 does appear to be trusted... if you do not trust it, your manual report should go to the ISP of 61.6.32.55 because: IKI received mail from sending system 61.6.32.55. I have seen very few cases where the manually set trusted flag needed to be turned back off, so I usually trust the parse. All it means is that host is known to correctly include the source where it got the message.
>
> As such, the original source is 41.6.31.123

127.0.0.1 does not appear in any of my mailhosts' IP lists? Nor does 61.6.32.55. This is what is confusing me. Afaik, anything starting from #3 could be faked.
StevenUnderwood Posted November 25, 2008

> 127.0.0.1 does not appear in any of my mailhosts' IP lists? Nor does 61.6.32.55. This is what is confusing me. Afaik, anything starting from #3 could be faked.

Nothing said that 61.6.32.55 was in your mailhost. SpamCop has a list of trusted hosts that have been found to correctly indicate where the message came from.

As I said earlier, #3 provides no information... it is internal to the server... You could have that same line in headers caused by your own machine if you have certain AV products, for instance. It is possible it could be faked, but SpamCop has gone out of their way (setting the trusted flag) to make the parse go beyond that point. You trust IKI placed the correct IP on its messages; SpamCop trusts that 61.6.32.55 placed the correct IP on its messages.

Again, you can manually report to anyplace you like. SpamCop trusts all the way to step 5 on this parse.
milkboy Posted November 25, 2008 (Author)

Sounds perfectly reasonable. Thanks. Reports go to both places anyway (intermediary and original sender). So I suppose the bottom line is that "Internal handoff at IKI" in #4 should be read as "Internal handoff at some-spamcop-trusted-host".
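The trust walk the thread describes, written out as an added Python example; this is not SpamCop's own code and its real trusted-host list and parser are not reproduced here. It takes the six Received headers quoted above (folded lines joined into one string each), assumes milkboy's mailhosts are the Saunalahti and IKI hosts named in the parse (the constructed MAILHOST_NAMES and MAILHOST_IPS sets), treats a loopback hop as an internal handoff whether or not 127.0.0.1 is in the mailhost list, and takes the set of trusted relays as a parameter so the parse can be compared with and without 61.6.32.55 trusted. Each Received line is believed only if the host that wrote it (the "by" side) is one of our mailhosts, a trusted relay, or the localhost of a server already trusted; the first external "from" IP that is neither internal nor trusted is reported as the source.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Received headers from the thread, newest (top) to oldest (bottom); folded
# continuation lines have been joined so each header is a single string.
RECEIVED_HEADERS = [
    "Received: from emh01.mail.saunalahti.fi (emh01.mail.saunalahti.fi [62.142.5.107]) by be35.mail.saunalahti.fi (Postfix) with ESMTP id D58FE910AB for <x>; Tue, 25 Nov 2008 02:45:35 +0200 (EET)",
    "Received: from jatkuu.iki.fi (jatkuu.iki.fi [212.16.98.53]) by emh01.mail.saunalahti.fi (Postfix) with ESMTP id C45464BB47 for <x>; Tue, 25 Nov 2008 02:45:35 +0200 (EET)",
    "Received: from smtp5.jaring.my (smtp5.jaring.my [61.6.32.55]) by jatkuu.iki.fi (8.14.2/8.14.2) with ESMTP id mAP0jUdQ000988 for <x>; Tue, 25 Nov 2008 02:45:33 +0200 (EET)",
    "Received: from localhost (localhost.jaring.my [127.0.0.1]) by smtp5.jaring.my (8.13.8/8.13.8) with ESMTP id mAP0hZIg011176; Tue, 25 Nov 2008 08:43:35 +0800 (MYT) (envelope-from hicktom[at]googlemail.com)",
    "Received: from smtp5.jaring.my ([127.0.0.1]) by localhost (smtp5.jaring.my [127.0.0.1]) (amavisd-new, port 10024) with LMTP id QBdCuSngWsw9; Tue, 25 Nov 2008 08:43:33 +0800 (MYT)",
    "Received: from User ([41.6.31.123]) (authenticated bits=0) by smtp5.jaring.my (8.13.8/8.13.8) with ESMTP id mAP0gpn6010729; Tue, 25 Nov 2008 08:42:57 +0800 (MYT) (envelope-from hicktom[at]googlemail.com)",
]

# Constructed assumption: the poster's mailhosts are the Saunalahti and IKI
# servers that appear in the parse. Loopback is handled separately below.
MAILHOST_NAMES = frozenset({"be35.mail.saunalahti.fi", "emh01.mail.saunalahti.fi", "jatkuu.iki.fi"})
MAILHOST_IPS = frozenset({"62.142.5.107", "212.16.98.53"})

# "from <host> <info...> by <host>": the info part carries the peer's IP.
RECEIVED_RE = re.compile(r"from\s+(?P<from_host>\S+)(?P<from_info>.*?)\bby\s+(?P<by_host>\S+)", re.S)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


@dataclass
class Hop:
    from_host: str            # name the sending side announced (HELO or reverse DNS)
    from_ip: Optional[str]    # IP the receiving server recorded for that peer
    by_host: str              # the server that wrote this Received line


def parse_received(header: str) -> Hop:
    """Extract the from-host, from-IP and by-host of one Received header."""
    m = RECEIVED_RE.search(header)
    if not m:
        raise ValueError(f"unparseable Received header: {header!r}")
    ip_m = IP_RE.search(m.group("from_info"))
    return Hop(m.group("from_host"), ip_m.group(1) if ip_m else None, m.group("by_host"))


def is_internal(ip: Optional[str], mailhost_ips) -> bool:
    """A hop with no IP, a loopback IP, or one of our own mailhost IPs is an internal handoff."""
    return ip is None or ipaddress.ip_address(ip).is_loopback or ip in mailhost_ips


def find_source(hops, mailhost_names, mailhost_ips, trusted_relays):
    """Walk the chain top-down. Returns (source_ip, intermediaries)."""
    name_to_ip = {}          # hostnames verified on the way down, so 'by' names can be trusted by IP
    intermediaries = []
    for hop in hops:
        # Believe this line only if its writer is ours, a trusted relay, or the
        # localhost of a server the chain has already reached through trust.
        by_ip = name_to_ip.get(hop.by_host)
        writer_believed = (hop.by_host in mailhost_names or hop.by_host == "localhost"
                           or by_ip in trusted_relays)
        if not writer_believed:
            break  # the chain cannot be verified past this point
        if hop.from_ip is not None and "." in hop.from_host:
            name_to_ip.setdefault(hop.from_host, hop.from_ip)
        if is_internal(hop.from_ip, mailhost_ips):
            continue  # internal handoff: nothing to report
        if hop.from_ip in trusted_relays:
            intermediaries.append(hop.from_ip)  # trusted relay: keep walking past it
            continue
        return hop.from_ip, intermediaries   # first unbelieved external IP is the source
    # Ran out of believable lines: the last relay seen is the best that can be reported.
    return (intermediaries[-1] if intermediaries else None), intermediaries[:-1]


def analyse(trusted_relays=frozenset()):
    hops = [parse_received(h) for h in RECEIVED_HEADERS]
    return find_source(hops, MAILHOST_NAMES, MAILHOST_IPS, trusted_relays)


if __name__ == "__main__":
    print("61.6.32.55 not trusted:", analyse())
    print("61.6.32.55 trusted:    ", analyse({"61.6.32.55"}))
```

With no trusted relays the walk stops at #2 and reports 61.6.32.55, which is what milkboy first expected; with 61.6.32.55 trusted it passes the two loopback handoffs (#3 and #4) and reports 41.6.31.123 as the source with 61.6.32.55 as intermediary, matching the parse in the thread. A hop whose writer cannot be believed ends the walk, which is why headers below the first untrusted relay never influence the result.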