From usenet-20051125 at spam.woody.ch Wed Dec 7 12:59:26 2005
From: usenet-20051125 at spam.woody.ch (Benoit Panizzon)
Date: Wed Dec 7 08:00:04 2005
Subject: [SC-Help] Fake Headers triggers Spamcop to send complaints to wrong ISP?
Message-ID:

Hi all

I work on the Abuse Desk of Improware 157.161.0.0/16

We just got a quite strange Spamcop complaint about spam sent from an IP that according to our data was not allocated to any customer during the time that email was sent.

I fear the whole Received: headers are faked, but don't manage to find out how spamcop is fooled by them. Usually spamcop is quite sensitive in detecting fake MX chains etc...

Return-Path:
Received: from smtp4.libero.it (193.70.192.54) by ims4a.libero.it (7.2.059.5)
        id 439505A3000526E6 for becl@libero.it; Wed, 7 Dec 2005 01:07:04 +0100
Received: from wpopcp.libero.it (172.16.1.35) by smtp4.libero.it (7.0.027-DD01)
        id 4369E43102FD6E43 for becl@libero.it; Wed, 7 Dec 2005 01:07:04 +0100
Received-SPF: none (wpopcp.libero.it: 206.48.149.132 is neither permitted nor denied by domain of ena-adv.com)
        client-ip=206.48.149.132; envelope-from=tnewlandbnzq@ena-adv.com; helo=ipnat2.turbus.cl;
Received: from ipnat2.turbus.cl (ipnat2.turbus.cl [206.48.149.132])
        by wpopcp.libero.it (Postfix) with SMTP id 151927000097
        for ; Wed, 7 Dec 2005 01:07:02 +0100 (CET)
Received: from mail.monmouth.com (mail.monmouth.com [209.191.58.1])
        by ipnat2.turbus.cl (8.12.11/8.12.11) with ESMTP id 8Nsiv7C6i9qUxE
        for ; Tue, 6 Dec 2005 19:08:24 -0800
Received: from hdqfadojllrs (HELO lyvstufk) ([157.161.238.32])
        by mail.monmouth.com (Postfix) with ESMTP id IfbkkRgACXHG
        for ; Tue, 6 Dec 2005 19:08:24 -0800
Date: Tue, 6 Dec 2005 19:08:24 -0800
From: Edward Phipps
Reply-To: Edward Phipps
Message-ID: <309361725393.809955610549@ena-adv.com>
To:
Subject: $EXTT0IZ

mail.monmouth.com is no MX for libero.it so probably the last Received or even more are fake. Why does spamcop not recognize them?

Regards
-Benoit-

From MikeE at ster.invalid Wed Dec 7 06:22:13 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Dec 7 09:25:02 2005
Subject: [SC-Help] Re: Fake Headers triggers Spamcop to send complaints to wrong ISP?
References:
Message-ID:

Benoit Panizzon wrote:

> I work on the Abuse Desk of Improware 157.161.0.0/16

I don't think your IP 157.161.238.32 no rDNS sourced this item.

> We just got a quite strange Spamcop complaint about spam sent from an
> IP that according to our data was not allocated to any customer
> during the time that email was sent.

I think SC misparses the item you posted. Here is a tracker to represent it
http://www.spamcop.net/sc?id=z837711675zdcdadfd59bf4582072238795f290fda2z

If reported today, reports would be sent to:
Re: 157.161.238.32 (Administrator of network where email originates)
abuse@imp.ch

> I fear the whole Received: headers are faked, but don't manage to
> find out how spamcop is fooled by them. Usually spamcop is quite
> sensitive in detecting fake MX chains etc...

SC misjudges an IP which is close to the MX & output server for turbus.cl for being a relay. That .cl IP is currently SC blocklisted for hitting traps and reporters.

Abbreviated Received lines *comment

from smtp4.libero.it (193.70.192.54) by ims4a.libero.it *serves recipient
from wpopcp.libero.it (172.16.1.35) by smtp4.libero.it *serves recipient
from (ipnat2.turbus.cl [206.48.149.132]) by wpopcp.libero.it *sourceline
from (mail.monmouth.com [209.191.58.1]) by ipnat2.turbus.cl *timestamp 3h, bogusline
from hdqfadojllrs (HELO lyvstufk) ([157.161.238.32]) by mail.monmouth.com *bogusline

SC parses all the way down to the bottom instead of breaking the chain and sourcing at the 3rd line from the top. SC thinks the item came from your IP thru' monmouth and turbus to libero.

A human parser would use the evidence and clues in the headers to determine how to break the chain properly.

The evidence in the headers is the timestamp as noted, and that turbus.cl shouldn't be relaying for monmouth in NJ and that the turbus.cl IP is not the output server for turbus, but its IP .139 is, and that the SPF could have been used by libero when libero received the item from the .cl IP.

The remedy for the SC parse error would be for the libero.it SC reporter to configure for mailhosting. If the client performing the parse were mailhost configured, SC would not parse thru' that turbus.cl IP as a server, I don't think.

> mail.monmouth.com is no MX for libero.it so probably the last
> Received or even more are fake. Why does spamcop not recognize them?

SC misjudges the turbus IP as a server which it has sent to the relay testers, so it derives that it should trust it to be a server. That is a mistake.

Possible relay: 206.48.149.132
206.48.149.132 not listed in relays.ordb.org.
206.48.149.132 has already been sent to relay testers
Received line accepted

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Wed Dec 7 06:30:30 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Dec 7 09:35:03 2005
Subject: [SC-Help] Re: Fake Headers triggers Spamcop to send complaints to wrong ISP?
References:
Message-ID:

Mike Easter wrote:

> That .cl IP is currently SC blocklisted
> for hitting traps and reporters.

206.48.149.132 listed in bl.spamcop.net spam traps & users listed for 31 hours.
206.48.149.132 rDNS ipnat2.turbus.cl

That IP 'sounds like' it could be an output server, but senderbase sez the normal output is mail, which is also the MX

206.48.149.139 rDNS mail.turbus.cl

> Possible relay: 206.48.149.132
> 206.48.149.132 not listed in relays.ordb.org.
> 206.48.149.132 has already been sent to relay testers
> Received line accepted

--
Mike Easter
kibitzer, not SC admin

From nobody at spamcop.net Wed Dec 7 09:25:21 2005
From: nobody at spamcop.net (Ellen)
Date: Wed Dec 7 10:05:02 2005
Subject: [SC-Help] Re: Fake Headers triggers Spamcop to send complaints to wrong ISP?
References:
Message-ID:

"Benoit Panizzon" wrote in message news:dn6mbe$cko$1@news.spamcop.net...
> Hi all
>
> I work on the Abuse Desk of Improware 157.161.0.0/16
>
> We just got a quite strange Spamcop complaint about spam sent from an IP
> that according to our data was not allocated to any customer during the
> time that email was sent.
>

Responded via email

Ellen
SpamCop

From MikeE at ster.invalid Wed Dec 7 07:28:05 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Dec 7 10:30:04 2005
Subject: [SC-Help] Re: Fake Headers triggers Spamcop to send complaints to wrong ISP?
References:
Message-ID:

Mike Easter wrote:

> I think SC misparses the item you posted. Here is a tracker to
> represent it
> www.spamcop.net/sc?id=z837711675zdcdadfd59bf4582072238795f290fda2z
>
> If reported today, reports would be sent to:
> Re: 157.161.238.32 (Administrator of network where email originates)
> abuse@imp.ch

Ellen fixed it by untrusting the turbus IP:

Receiving server (206.48.149.132) does not report source IP accurately

Now the tracker above shows the parse correctly naming the turbus as source:

If reported today, reports would be sent to:
Re: 206.48.149.132 (Administrator of network where email originates)
rvaras@turbus.cl

--
Mike Easter
kibitzer, not SC admin

From eohrnberger at gmail.com Mon Dec 12 06:55:02 2005
From: eohrnberger at gmail.com (eohrnberger@gmail.com)
Date: Mon Dec 12 10:00:10 2005
Subject: [SC-Help] Spamcop Web Site: Unreported Spam blocked by first spam message
Message-ID: <1134399302.366890.214230@f14g2000cwb.googlegroups.com>

From what I can figure out, the spamcop web site needs to be adjusted.

I've got an old spam report that I've mailed in, but then didn't finish the reporting using the mail response. Now it's sitting in the "Unreported Spam Saved" list, and it's too old to finish reporting. I know that I probably have a few more in the Unreported Spam Saved List as well.

When I log into the web site, and click on the "Unreported Spam Saved: Report Now", I get the unreported spam that's too old to report. The web page says:

"You have submitted spam which has not yet been reported. Please avoid re-reporting spam. If you have already reported this spam or do not want to report it, please make sure to click "cancel" instead of submitting the report! "

But I see no link, button, way to cancel that first message and process to the next Unreported Spam Saved List. Consequently, it seems like all I can do is to "Remove all unreported spam", and lose all the spam reports that come after the one that's too old. Seems like I should be able to pull up a list of unreported spam, select one or more, and cancel reporting on them.

From bar_n0ne at hotmail.com Mon Dec 12 19:24:10 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Mon Dec 12 10:25:02 2005
Subject: [SC-Help] Re: Spamcop Web Site: Unreported Spam blocked by first spam message
References: <1134399302.366890.214230@f14g2000cwb.googlegroups.com>
Message-ID:

wrote in message news:1134399302.366890.214230@f14g2000cwb.googlegroups.com...
> From what I can figure out, the spamcop web site needs to be adjusted.
>>
> But I see no link, button, way to cancel that first message and process
> to the next Unreported Spam Saved List. Consequently, it seems like
> all I can do is to "Remove all unreported spam", and lose all the spam
> reports that come after the one that's too old. Seems like I should be
> able to pull up a list of unreported spam, select one or more, and
> cancel reporting on them.
>

you probably have a bunch that are too old, just keep clicking thru, as each one is found to be too old it is knocked off the queue. I know I have had this situation. It could also be that your mailserver has a bad time stamp for the recent past and all your submissions are deemed too old.

In any case if it's no fun, just cancel all of them. Larting spam should be a sport and be fun, otherwise don't waste your time. It's not going to materially impact your spam load whatever you do. If it's tedious, let someone else carry the LART load for you.

From nobody at devnull.spamcop.net Mon Dec 12 09:41:15 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Mon Dec 12 10:45:02 2005
Subject: [SC-Help] Re: gateway timeout
References:
Message-ID:

"Technomage Hawke" wrote in message news:dnja4p$mfn$1@news.spamcop.net...
> ok, this problem cropped up as of 20 minutes ago and doesn't look to be
> resolving:
>
> Gateway Timeout
> The proxy server did not receive a timely response from the upstream
> server.
> Reference #1.3bfb746.1134373383.21dd374
>
> it's a little hard to report spam when I can't even report spam.

Just going with the flow, I'll suggest that your attempted connection was somewhere around the last big white spot in the chart seen at
http://forum.spamcop.net/forums/index.php?act=module&automodule=custom&page=stats
and talked about in
http://forum.spamcop.net/forums/index.php?showtopic=5288
which also includes some traffic on the recent re-adding of the notice seen on the (if you can log in) logged-in www.spamcop.net page.

From BNRAGMAOKKXT at spammotel.com Tue Dec 13 20:50:37 2005
From: BNRAGMAOKKXT at spammotel.com (Canopus)
Date: Tue Dec 13 15:55:02 2005
Subject: [SC-Help] Re: Yahoo! Mail bouncing Spamcop replies to reports
References:
Message-ID:

Mark Jones on 22/11/2005 wrote:

>Mike Easter wrote:
>
>>Mark Jones wrote:
>>
>>>Your email address, majg12uk@yahoo.co.uk has returned a bounce:
>>
>>>UP Email not accepted for policy reasons.
>>> http://help.yahoo.com/help/us/mail/defer/defer-04.html
>>
>>>As I regularly report phishing emails to
>>>Spamcop any replies from Spamcop will bounce if they are caught by
>>>Yahoo's anti-phishing technology.
>>
>>How so?
>>
>>If you email report/submit to spamcop, what SC sends to the yahoo addy
>>is a trackerlink and some headers in the body. Those headers are simply
>>the headers of the mail sent which contains the phish or spam in the
>>body, not the phish or the spam or the phish or the spam's headers.
>>
>>How do you theorize the trackerlink [for a spam or phish] + sending
>>headers thereof will trip yahoo's antiphish [or fraud or viruses also
>>mentioned at the top link] tech?
>>
>>
>>
>
>I apologise, I could have been clearer in explaining that the phishing
>email
>did not originate from or contain links pertaining to Yahoo! servers and so
>the corresponding Spamcop report is not going to Yahoo!. What I meant was
>the email address that I use to send reports to and receive replies from
>Spamcop is based at Yahoo! so, therefore, *responses from ISPs* (that often
>contain the original reported spam/phish) are sent to Spamcop and
>redirected by Spamcop to my Yahoo! address. It is these that I presume were
>blocked by Yahoo! anti-phishing filters and caused the bounce back to
>Spamcop.
>
>Hope that clarifies.
>
>Mark

This probably doesn't solve your problem, but, for the last week I have been having increasingly frustrating problems with Yahoo account and submissions to SC through it i.e. being cut off by Yahoo server intentionally terminating connection when number of submissions reach around 20 in a short time. I have now given up with the Yahoo account and trying Googlemail, but, mail returns from SC are so slow at the moment I can't give it a fair trial.

--
Rob

http://www.flickr.com/photos/canopus_archives/

From h9vzc2i02 at sneakemail.com Tue Dec 13 13:38:29 2005
From: h9vzc2i02 at sneakemail.com (Anon_)
Date: Tue Dec 13 16:40:03 2005
Subject: [SC-Help] Re: Yahoo! Mail bouncing Spamcop replies to reports
References:
Message-ID:

"Canopus" wrote in message news:dnnc6s$sbp$1@news.spamcop.net...
> Mark Jones on 22/11/2005 wrote:
>
> >Mike Easter wrote:
> >
> >>Mark Jones wrote:
> >>
> >>>Your email address, majg12uk@yahoo.co.uk has returned a bounce:
> >>
> >>>UP Email not accepted for policy reasons.
> >>> http://help.yahoo.com/help/us/mail/defer/defer-04.html
> >>
> >>>As I regularly report phishing emails to
> >>>Spamcop any replies from Spamcop will bounce if they are caught by
> >>>Yahoo's anti-phishing technology.
> >>
> >>How so?
> >>
> >>If you email report/submit to spamcop, what SC sends to the yahoo addy
> >>is a trackerlink and some headers in the body. Those headers are simply
> >>the headers of the mail sent which contains the phish or spam in the
> >>body, not the phish or the spam or the phish or the spam's headers.
> >>
> >>How do you theorize the trackerlink [for a spam or phish] + sending
> >>headers thereof will trip yahoo's antiphish [or fraud or viruses also
> >>mentioned at the top link] tech?
> >>
> >>
> >>
> >
> >I apologise, I could have been clearer in explaining that the phishing
> >email
> >did not originate from or contain links pertaining to Yahoo! servers and so
> >the corresponding Spamcop report is not going to Yahoo!. What I meant was
> >the email address that I use to send reports to and receive replies from
> >Spamcop is based at Yahoo! so, therefore, *responses from ISPs* (that often
> >contain the original reported spam/phish) are sent to Spamcop and
> >redirected by Spamcop to my Yahoo! address. It is these that I presume were
> >blocked by Yahoo! anti-phishing filters and caused the bounce back to
> >Spamcop.
> >
> >Hope that clarifies.
> >
> >Mark
>
> This probably doesn't solve your problem, but, for the last week I have
> been having increasingly frustrating problems with Yahoo account and
> submissions to SC through it i.e. being cut off by Yahoo server
> intentionally terminating connection when number of submissions reach
> around 20 in a short time. I have now given up with the Yahoo account and
> trying Googlemail, but, mail returns from SC are so slow at the moment I
> can't give it a fair trial.
>

****
You mentioned yahoo vs. 20 submissions in short time?? Do you mean that you send each spam submission in a separate e-mail? Why not submit all 20 as attachments to ONE e-mail submission? You are limited in the number of submitted spams only by the total size of each submission. Most spams are short so you probably could fit more than 20 into one e-mail submittal to SC.

--
A SpamCop user and forum reader,
Not Admin
***

> --
> Rob
>
> http://www.flickr.com/photos/canopus_archives/

From Kilgallen at SpamCop.net Fri Dec 16 05:43:00 2005
From: Kilgallen at SpamCop.net (Larry Kilgallen)
Date: Fri Dec 16 06:45:03 2005
Subject: [SC-Help] Re: help
References: <1134723374.150964.320180@g43g2000cwa.googlegroups.com>
Message-ID:

In article <1134723374.150964.320180@g43g2000cwa.googlegroups.com>, boazn0@gmail.com writes:
> i get error with sending email
>
> reason: 553 5.3.0 Message from 216.130.184.22 rejected based on
> external blacklist - See also http://www.spamcop.net/bl.shtml
>
> what can i do?

Prevent spam from being sent by IP address 216.130.184.22 owned by Webair Internet Development Incorporated.

> the mail is sent by my website.

Nonsense. Email is sent by SMTP software; websites send HTTP messages.

Now certainly you cannot be Webair Internet Development Incorporated, since a corporation is different from a sentient being.
So let us presume that you, as an individual, have a contract with the true owner of that IP address, Webair Internet Development Incorporated, and they provide both HTTP and SMTP services (the latter from that IP address).

If you have _exclusive_ use of that IP address, then you need to fix your software that is sending spam. But http://www.DNSstuff.com/tools/ptr.ch?ip=216.130.184.22 says that 216.130.184.22 is called mail1.webair.com, so it appears that webair is your vendor and is sending your email out from that IP address (from SMTP software, not from your "website").

> but only to register users.

If you are not Webair Internet Development Incorporated but a customer of theirs, I think it unlikely that you are in a position to characterize all messages sent by mail1.webair.com. You need to get them to fix their spam problem, but if you do not have access to their logfiles, there is not much analysis you can do. You need to get them involved.

From rvaessen at spamcop.net Fri Dec 16 07:37:28 2005
From: rvaessen at spamcop.net (Robert L. Vaessen)
Date: Fri Dec 16 09:36:53 2005
Subject: [SC-Help]