[Scspamcop] Re: Strange spams
Twayne
nobody at devnull.spamcop.net
Wed Sep 17 10:33:10 EDT 2008
> Twayne wrote:
>
> www.spamcop.net/sc?id=z2252252187ze2af7249bf92b1b8c93d194639cd6ec8z
>
> non-mailhosted tracker
>
>> is one of several spams I've had lately. What's interesting about it
>> is:
>> 1. When I reported, the report went ONLY to Verizon.
>
> SC correctly determines the source to be 200.96.73.101 rDNS
> 200-96-73-101.paemt701.dsl.brasiltelecom.net.br which should notify
> abuse at noc.brasiltelecom.net.br or supplement that with this gang:
> whois -h whois.abuse.net noc.brasiltelecom.net.br ...
> postmaster at brasiltelecom.net.br abuse at noc.brasiltelecom.net.br
> mail-abuse at cert.br suporte at noc.brasiltelecom.net.br
> antispambr at abuse.net (for brasiltelecom.net.br)
>
> -- but the routing deputy most recently in 2002 configured the notify
> to go to verizon.net at abuse.net which translates/references to
> abuse at verizon.net
>
> And/But there is additional information about how the yahoo/verizon
> system is handling its headers to indicate that you should be using
> mailhosting to get accurate parses. Here's abbreviated tracelines +
> XOIP:
>
> Abbreviated Received tracelines *comment
> from mta101.vzn.mail.re2.yahoo.com (HELO mta292.mail.re4.yahoo.com)
> (206.190.53.173) by 0 *serves recipient
> from 186.12.58.185 (EHLO vms172073pub.verizon.net) (206.46.172.73)
> by mta101.vzn.mail.re2.yahoo.com *serves recipient, noncompliant fromfield
> from bxtvh ([200.96.73.101]) by vms172073.mailsrvcs.net *sourceline
> X-Originating-IP: [200.96.73.101] *XOIP sourceline
>
> Notice the *noncompliant fromfield stamped by the yahoo server.
>
>> 2. Using the tracker number, it says it would also have reported it
>> to
>>
>> Re: http://ree.eymore.cn/ (Administrator of network hosting website
>> referenced in spam)
>>
>> poul at ragtime.ru
>
> Sometimes the parser will want to notify the spamvertiser provider and
> sometimes it doesn't. Currently it wants to notify
>
> Re: http://gfse.dmminute.cn/ (Administrator of network hosting
> website referenced in spam) abuse at sbcglobal.net
> Re: http://gpuu.dmminute.cn/ (Administrator of network hosting
> website referenced in spam) abuse at sbcglobal.net
>
> ... for the above tracker; so there might be a tracker mixup.
>
>> And here's another, but this time it's only VZ as I saw when I
>> submitted it:
>
> www.spamcop.net/sc?id=z2251380926z6475221400831c985d452c35b6956e06z
>
> also nonmailhosted, you should change that for parser accuracy
> purposes
>
> In this case, the combination of noncompliance and nonmailhosted
> causes SC to break the chain prematurely and name your provider's
> server
>
> If reported today, reports would be sent to:
> Re: 206.46.169.127 (Administrator of network where email originates)
> abuse at verizon.net
>
> Abbreviated Received tracelines *comment
> from mta101.vzn.mail.re2.yahoo.com (HELO mta292.mail.re4.yahoo.com)
> (206.190.53.173) by 0 *serves recipient
> from 216.130.45.150 (EHLO vms169127pub.verizon.net) (206.46.169.127)
> by mta101.vzn.mail.re2.yahoo.com *serves recipient, noncompliant fromfield
> from ioistphvo ([85.185.153.143]) by vms169127.mailsrvcs.net *sourceline
> X-Originating-IP: [85.185.153.143] *XOIP sourceline
>
> As you can see, the yahoo server stamped its line badly where I've
> indicated *noncompliant fromfield.
>
>> -- Is SC getting these things right?
>
> Not in the 2nd case above. You need to be mailhosted especially if
> you are using a mailhost which stamps noncompliant lines.
>
>> Yes, My ISP is Verizon.
Hmm, thanks, Mike, that explains a couple of things, actually.
I haven't had a spam lately that doesn't trace to Verizon for some
reason; it must be intentional on the part of the spammers. They
trickled in all day yesterday.
I even got one this morning on an account that's never had spam at all,
in fact, in the year-plus that it's existed: an incoming-only account I
created on my website. Reporting one's own ISP can be, well, sort of
self-defeating <g>.
As for the noncompliant line in each one, the SC mailhost refuses to
work for me because of it. I asked Yahoo and VZ "why" and "when" they
planned to fix it before, but besides a lot of black holes all I ever got
was to not hold my breath waiting for it to be changed. I realize it
should be a FQDN and was able to get the mailhost to parse them by
adding one manually, but besides it being against the rules to do that,
it could be any one of several DNs at Yahoo.
For a while it looked like SC might be able to work around it, but I
guess that never went anywhere either and eventually I got tired of
frogging with it and just let it be.
The odd thing is, it's a geographic thing. Other vz/yahoo geographic
areas and any non-vz/yahoo I've managed to get a look at don't have that
problem.
Haven't tried setting up the mailhost in quite a while now and might
try again, just for grins, but I don't expect to see anything any
different come about. I'm just "left out" when it comes to the mailhost
at spamcop.
Regards,
Twayne