[Scspamcop] Re: Strange spams

Mike Easter MikeE at ster.invalid
Tue Sep 16 19:57:15 EDT 2008


Twayne wrote:

www.spamcop.net/sc?id=z2252252187ze2af7249bf92b1b8c93d194639cd6ec8z

non-mailhosted tracker

> is one of several spams I've had lately.  What's interesting about it
> is:
> 1.  When I reported, the report went ONLY to Verizon.

SC correctly determines the source to be 200.96.73.101 rDNS
200-96-73-101.paemt701.dsl.brasiltelecom.net.br which should notify
abuse at noc.brasiltelecom.net.br or supplement that with this gang:
whois -h whois.abuse.net noc.brasiltelecom.net.br ...
postmaster at brasiltelecom.net.br   abuse at noc.brasiltelecom.net.br
mail-abuse at cert.br   suporte at noc.brasiltelecom.net.br
antispambr at abuse.net (for brasiltelecom.net.br)

 -- but the routing deputy most recently in 2002 configured the notify to
go to verizon.net at abuse.net which translates/references to
abuse at verizon.net

And/But there is additional information about how the yahoo/verizon system
is handling its headers to indicate that you should be using mailhosting
to get accurate parses.  Here's abbreviated tracelines + XOIP:

  Abbreviated Received tracelines *comment
  from mta101.vzn.mail.re2.yahoo.com (HELO mta292.mail.re4.yahoo.com)
(206.190.53.173) by 0 *serves recipient
  from 186.12.58.185  (EHLO vms172073pub.verizon.net) (206.46.172.73) by
mta101.vzn.mail.re2.yahoo.com *serves recipient, noncompliant fromfield
  from bxtvh ([200.96.73.101]) by vms172073.mailsrvcs.net *sourceline
X-Originating-IP: [200.96.73.101] *XOIP sourceline

Notice the *noncompliant fromfield stamped by the yahoo server.

> 2.  Using the tracker number, it says it would also have reported it to
>>
> Re: http://ree.eymore.cn/ (Administrator of network hosting website
> referenced in spam)
>
> poul at ragtime.ru

Sometimes the parser will want to notify the spamvertiser provider and
sometimes it doesn't.  Currently it wants to notify

  Re: http://gfse.dmminute.cn/ (Administrator of network hosting website
referenced in spam) abuse at sbcglobal.net
  Re: http://gpuu.dmminute.cn/ (Administrator of network hosting website
referenced in spam) abuse at sbcglobal.net

... for the above tracker;  so there might be a tracker mixup.

> And here's another, but this time it's only VZ as I saw when I submitted
> it:

www.spamcop.net/sc?id=z2251380926z6475221400831c985d452c35b6956e06z

Also nonmailhosted; you should change that for parser accuracy purposes.

In this case, the combination of noncompliance and nonmailhosted causes SC
to break the chain prematurely and name your provider's server.

If reported today, reports would be sent to:
Re: 206.46.169.127 (Administrator of network where email originates)
abuse at verizon.net

  Abbreviated Received tracelines *comment
  from mta101.vzn.mail.re2.yahoo.com (HELO mta292.mail.re4.yahoo.com)
(206.190.53.173) by 0 *serves recipient
  from 216.130.45.150  (EHLO vms169127pub.verizon.net) (206.46.169.127) by
mta101.vzn.mail.re2.yahoo.com *serves recipient, noncompliant fromfield
  from ioistphvo ([85.185.153.143]) by vms169127.mailsrvcs.net *sourceline
X-Originating-IP: [85.185.153.143] *XOIP sourceline

As you can see, the yahoo server stamped its line badly where I've
indicated *noncompliant fromfield.

> --  Is SC getting these things right?

Not in the 2nd case above.  You need to be mailhosted especially if you
are using a mailhost which stamps noncompliant lines.

> Yes, My ISP is Verizon.



--
Mike Easter
kibitzer, not SC admin
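
Added example (not part of Mike Easter's message and not SpamCop's parser code): a toy Python model of the chain walk discussed above, run over the second tracker's abbreviated tracelines, showing where the walk stops with and without registered mailhosts. The linking rule, the function names and the mailhost IP set are assumptions made for illustration.

```python
import re

# Abbreviated tracelines of the second tracker as quoted in the post, newest first.
TRACE = [
    "from mta101.vzn.mail.re2.yahoo.com (HELO mta292.mail.re4.yahoo.com) (206.190.53.173) by 0",
    "from 216.130.45.150  (EHLO vms169127pub.verizon.net) (206.46.169.127) by mta101.vzn.mail.re2.yahoo.com",
    "from ioistphvo ([85.185.153.143]) by vms169127.mailsrvcs.net",
]

HOP = re.compile(r"from (\S+).*?\(\[?(\d+\.\d+\.\d+\.\d+)\]?\) by (\S+)")


def parse(line):
    """Return (from-field name, connecting IP, stamping host) for one traceline."""
    m = HOP.search(line)
    if m is None:
        raise ValueError("unparseable traceline: " + line)
    return m.groups()


def find_source(trace, mailhost_ips=frozenset()):
    """Walk the chain newest-first; return the last IP the walker can vouch for.

    Assumed rule (toy model): a hop's stamp is believed only if the hop before
    it named that stamping host in its from-field, or connected from an IP the
    user registered as one of their own mailhosts.
    """
    hops = [parse(line) for line in trace]
    name, source, _ = hops[0]      # top line: stamped by the recipient's server
    for next_name, next_ip, by_host in hops[1:]:
        linked = (name == by_host) or (source in mailhost_ips)
        if not linked:
            break                  # chain broken: the remaining lines are not believed
        name, source = next_name, next_ip
    return source


if __name__ == "__main__":
    print("no mailhosts:  ", find_source(TRACE))
    print("with mailhosts:", find_source(TRACE, {"206.190.53.173", "206.46.169.127"}))
```
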


