
Reporting tool misses right IP address


nvargas

I reported today a spam source from a local ISP (ideay.net.ni) by forwarding the email to the system assigned email address, but it reported my eMail provider's IP (Godaddy) as the spam source instead of the local one. Seems to me that it didn't parse all the headers right.

Is there a way I can modify my report so I can spot these errors and correct them before submitting?

BTW, my email client is Thunderbird.


I don't understand relays very well, but it seems to me that the parser thinks the second received line is an untrusted relay (and a dynamic host) and therefore doesn't go any further. Either godaddy has this received line misconfigured if it is a godaddy relay, or the email did come from godaddy.

Hope someone more knowledgeable comes along to sort it out for you. It makes a difference also whether you have a mailhosted account or not (but again I don't know what the difference is). You could ask godaddy also, since they are your ISP, if that is their relay. If the spam is from godaddy, it is best to report it to them yourself rather than send a spamcop report.

Miss Betsy


I don't understand relays very well, but it seems to me that the parser thinks the second received line is an untrusted relay (and a dynamic host) and therefore doesn't go any further. Either godaddy has this received line misconfigured if it is a godaddy relay, or the email did come from godaddy.

Hope someone more knowledgeable comes along to sort it out for you. It makes a difference also whether you have a mailhosted account or not (but again I don't know what the difference is). You could ask godaddy also, since they are your ISP, if that is their relay. If the spam is from godaddy, it is best to report it to them yourself rather than send a spamcop report.

Betsy,

I understand quite well what's going on, I just want to know if I can modify my report before submitting so I can put the right IP instead of my email provider. The spam didn't come from Godaddy, Godaddy hosts my email address, and that's what the tool registered as source of spam, instead of the right origin at 165.98.236.214.

I've received 3 different spam messages in the last 2 hours from this same IP address today, and I don't want to put Godaddy as a spam server since the message wasn't originated there.


No, you cannot modify the headers in any way whatsoever. The reason is obvious because people could alter headers to attack someone who is not a spammer and reports would be worthless to prove that spam came from that source.

The parser is not often incorrect as to the source of the email. If it is, then there is often something about the way the headers are configured by the ISP. If you read the headers from the bottom up, it does look like the email was sent by DAVID, accepted by mail.topcorporation.com.ni and then sent to a godaddy server, who accepts it. But then it is sent to smtp20-02.prod.mesa1.secureserver.net which is not an MX for godaddy.

The parser looks at it from the top down. The email comes from a godaddy server, but is accepted by an unknown, untrusted server. Therefore, the person to inform is godaddy who, once accepting it, should be delivering it to you, not an untrusted server.

But, I am guessing. If no one else who can explain it, in technical terms, comes along before tomorrow morning (the server admins are all off duty for the weekend), then email Don (email address in my signature) and see what his explanation is.

Miss Betsy


I'm guessing that you haven't gone through the process of identification of your "Mailhosts" to SpamCop. I'd recommend doing so. There are instructions here in the "Mailhost Configuration of your Reporting Account" forum. That should take care of your problem.

DT


I understand quite well what's going on, I just want to know if I can modify my report before submitting so I can put the right IP instead of my email provider. The spam didn't come from Godaddy, Godaddy hosts my email address, and that's what the tool registered as source of spam, instead of the right origin at 165.98.236.214.

It sounds like you need to configure mailhosts for your reporting account. You can not change the reports before sending them.

The only other thing would be to get the deputies to mark the GoDaddy servers as trusted relays for all parses. That is effectively what you do when configuring mailhost, tell spamcop you expect email to travel through this host and to not report it. Then depending on the trust of 165.98.236.214, the parse may actually go to 186.1.3.3 (also in .ni IP space), though I doubt it.


Just noting something has changed (coming to this late - my emphasis). The reference tracker now shows

Reports regarding this spam have already been sent:

Re: 208.109.80.160 (Administrator of network where email originates)

Reportid: 3706202190 To: abuse[at]godaddy.com

If reported today, reports would be sent to:

Re: 186.1.3.3 (Administrator of network where email originates)

vida.arista[at]ideay.net.ni

Mailhosting has been updated?

Mailhosting has been updated?

Something seems to have been changed somewhere -- so maybe the OP has gone through the MH process and not told us yet, or maybe there was something wrong with the SC parser and someone fixed that without reporting it here. If either is true, it would be nice for the responsible party to show up here and say so.

DT


Something seems to have been changed somewhere -- so maybe the OP has gone through the MH process and not told us yet, or maybe there was something wrong with the SC parser and someone fixed that without reporting it here. If either is true, it would be nice for the responsible party to show up here and say so.

The original parse did not seem to have any mailhost configured (no steps where the mailhost name seemed to be used), so maybe mailhosting has been done on the account.

I don't like that he reported the original (or maybe left it un-cancelled and someone else reported it) when he knew it was wrong.


Something seems to have been changed somewhere -- so maybe the OP has gone through the MH process and not told us yet, or maybe there was something wrong with the SC parser and someone fixed that without reporting it here. If either is true, it would be nice for the responsible party to show up here and say so.

There are no signs of this particular spam being processed by a MailHost Configured Reporting Account.

However, at the risk of bringing all kinds of other possible issues, there does appear to be a bit of code variance seen.

The original parse I saw returned;

<!-- 05look $Revision: #1 $ produced by sc-app9 -->

Received: from topcorporation.com.ni (HELO mail.topcorporation.com.ni) ([165.98.236.214]) (envelope-sender <x>) by p3presmtp01-11.prod.phx3.secureserver.net (qmail-ldap-1.03) with SMTP for <nx>; 5 Dec 2008 23:05:25 -0000

165.98.236.214 found

host 165.98.236.214 = topcorporation.com.ni (cached)

topcorporation.com.ni is 165.98.236.214

208.109.80.160 not listed in dnsbl.njabl.org

208.109.80.160 not listed in cbl.abuseat.org

208.109.80.160 not listed in dnsbl.sorbs.net

208.109.80.160 is not an MX for smtp20-02.prod.mesa1.secureserver.net

p3presmtp01-11.prod.phx3.secureserver.net looks like a dynamic host, untrusted as relay

Tracking message source: 208.109.80.160:

Later parse returns;

<!-- 05look $Revision: #1 $ produced by sc-app8 -->

Received: from topcorporation.com.ni (HELO mail.topcorporation.com.ni) ([165.98.236.214]) (envelope-sender <x>) by p3presmtp01-11.prod.phx3.secureserver.net (qmail-ldap-1.03) with SMTP for <nx>; 5 Dec 2008 23:05:25 -0000

165.98.236.214 found

host 165.98.236.214 = topcorporation.com.ni (cached)

topcorporation.com.ni is 165.98.236.214

Possible spammer: 165.98.236.214

Possible relay: 208.109.80.160

208.109.80.160 has already been sent to relay testers

Received line accepted

Received: from DAVID (unknown [186.1.3.3]) by mail.topcorporation.com.ni (Postfix) with SMTP id E22B9AFEB7; Fri, 5 Dec 2008 17:06:34 -0600 (CST)

186.1.3.3 found

host 186.1.3.3 = topcorporation.com.ni (cached)

Receiving server (topcorporation.com.ni) does not report source IP accurately

Tracking message source: 165.98.236.214:

Either the 'untrusted relay' flag has been reset or there are the signs of different code running on different servers again. Safer to go with the first option. <g>


...there does appear to be a bit of code variance seen....

Later parse returns;

<!-- 05look $Revision: #1 $ produced by sc-app8 -->

Received: from topcorporation.com.ni (HELO mail.topcorporation.com.ni) ([165.98.236.214]) (envelope-sender <x>) by p3presmtp01-11.prod.phx3.secureserver.net (qmail-ldap-1.03) with SMTP for <nx>; 5 Dec 2008 23:05:25 -0000

165.98.236.214 found

host 165.98.236.214 = topcorporation.com.ni (cached)

topcorporation.com.ni is 165.98.236.214

Possible spammer: 165.98.236.214

Possible relay: 208.109.80.160

208.109.80.160 has already been sent to relay testers

Received line accepted

Received: from DAVID (unknown [186.1.3.3]) by mail.topcorporation.com.ni (Postfix) with SMTP id E22B9AFEB7; Fri, 5 Dec 2008 17:06:34 -0600 (CST)

186.1.3.3 found

host 186.1.3.3 = topcorporation.com.ni (cached)

Receiving server (topcorporation.com.ni) does not report source IP accurately

Tracking message source: 165.98.236.214:...

Leapin' lizards - different again to the one I recorded. I should have noted the server ID, but I was not expecting anything but consistent results at that time ('Trustful' being my middle name - well, it's actually 'Truthful', but near enough). As you say, safest to go with the 'untrusted relay' flag has been reset notion.

Receiving server (topcorporation.com.ni) does not report source IP accurately

Either the 'untrusted relay' flag has been reset or there are the signs of different code running on different servers again. Safer to go with the first option. <g>

Yep, the first option is the correct one.

Even if there were different versions of SpamCop running on the various servers, there is only one database of "trusted" and "untrusted" servers. The only way you can get the "does not report source IP accurately" response is if the server has been flagged as a liar.

- Don D'Minion - SpamCop Admin -
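The top-down walk and the two flags discussed in this thread, as an added sketch that is not part of any post and is not SpamCop's parser code. The first Received line is constructed from hosts and IPs named in the parse output, and the trusted/flagged sets passed in are assumptions chosen to reproduce the parse results quoted above.

```python
import re

# Received headers, newest first. Hop 1 is constructed for this example from the
# hosts and IPs named in the parse output; hops 2 and 3 are abridged from the thread.
RECEIVED = [
    "from p3presmtp01-11.prod.phx3.secureserver.net ([208.109.80.160]) "
    "by smtp20-02.prod.mesa1.secureserver.net with SMTP",
    "from topcorporation.com.ni (HELO mail.topcorporation.com.ni) "
    "([165.98.236.214]) by p3presmtp01-11.prod.phx3.secureserver.net with SMTP",
    "from DAVID (unknown [186.1.3.3]) by mail.topcorporation.com.ni (Postfix) with SMTP",
]
HOP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(\S+)")


def trace_source(headers, trusted_relays=frozenset(), inaccurate=frozenset()):
    """Walk Received lines top-down and return (source_ip, steps).

    The first line was stamped by the recipient's own server, so its peer IP is
    believed. Each later line was stamped by the current candidate (assumed: the
    chain is contiguous) and is believed only if that candidate is a trusted
    relay that is not flagged as misreporting its peers.
    """
    source, steps = None, []
    for line in headers:
        m = HOP.search(line)
        if m is None:
            steps.append("unparseable Received line, stopping")
            break
        ip, stamped_by = m.groups()
        if source is not None:
            if source in inaccurate:
                steps.append(f"{source} does not report source IP accurately")
                break
            if source not in trusted_relays:
                steps.append(f"{source} untrusted as relay")
                break
        steps.append(f"{stamped_by} saw {ip}: accepted")
        source = ip
    return source, steps


GODADDY, TOPCORP = "208.109.80.160", "165.98.236.214"
if __name__ == "__main__":
    for trusted, flagged in [((), ()), ((GODADDY,), ()), ((GODADDY, TOPCORP), ()),
                             ((GODADDY, TOPCORP), (TOPCORP,))]:
        src, log = trace_source(RECEIVED, set(trusted), set(flagged))
        print(f"trusted={trusted} flagged={flagged} -> {src}")
```

With nothing trusted the walk stops at 208.109.80.160, as in the original parse; trusting that relay moves the source to 165.98.236.214, and 186.1.3.3 is reached only if 165.98.236.214 is itself trusted and not flagged.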


Yep, the first option is the correct one.

Even if there were different versions of SpamCop running on the various servers, there is only one database of "trusted" and "untrusted" servers. The only way you can get the "does not report source IP accurately" response is if the server has been flagged as a liar.

Having to point out the obvious apparently .... although taking your data into account that might explain one parse result, this Topic actually includes four different results for the same spam. All were from the same Tracking URL, none were from a MailHost Configured Reporting Account, over something like an 8-hour time span. From this side of the screen, no way to try to explain that situation, and of course hampered by the 'real-time re-parsing' involved using the Tracking URL.
