
[SC-Help] Re: Parsing problem with 'new-style'

Mike Easter MikeE at ster.invalid
Thu Jul 15 11:16:23 EDT 2004


Posted to .spam & .help;  f/ups to .help

Joris Dobbelsteen wrote:
> I'm using the new way where spamcop is aware of my mailhosts...

> And here it does find the correct spammer...
>>> 208.201.17.33 not listed in relays.ordb.org.

Joris, post a spam in .spam, but discuss it in .help or spamcop.  Better
yet, don't even post the spam at all, but post the tracker only - in
.help or spamcop.  Since your post in .spam only showed the header, the
parse of that is reflected here
www.spamcop.net/sc?id=z550575109z653d8cde70ad3d1896d334d14ee755d9z

die spammer, putting a question mark at the top of Joris's entire
untrimmed cite is 'wasteful' or something else non-contributory

  Abbreviated Received lines                                                                  *comment
  from (wng-03.evisp.enertel.nl) ([213.218.77.203]) by smtp06.freeler.nl                      *serves you
  from (charm.il.fontys.nl [145.85.127.2]) by wng-03.evisp.enertel.nl                         *serves you
  from (localhost [127.0.0.1]) by mail.il.fontys.nl                                           *serves you
  from (localhost [127.0.0.1]) by mail.il.fontys.nl                                           *serves you
  from (spf6.us4.outblaze.com [205.158.62.33]) by mail.il.fontys.nl                           *serves you
  from [192.168.11.11] (Lp1.cbreinvestors.com [208.201.17.33]) by spf6.us4.outblaze.com       *chain breaks, possible misconfigured output server
  from xng-invla-2.cbreinvestors.com by [192.168.11.11]                                       *misconfigured, possible sourceline
  from fws-invla-11.cbreinvestors.com ([192.168.13.11]) by xng-invla-2.cbreinvestors.com      *possible bogusline
  from [222.183.16.209] by fws-invla-11.cbreinvestors.com                                     *possible bogusline

In the parse you pasted, SC named 208.201.17.33, which I agree with,
since the chain breaks there, and 'legitimate' parsing can go no further
and the IP /should/ be named as source.  But, it might also be a
misconfigured output server, serving as a relay for the source.

In the parse SC did for me, the tracker for which is pasted above, SC
'wrongly' chained all the way to the bottom 222.183.16.209, but didn't
show me any logic for getting past the cbreinvestors server.

There is a server at 208.201.17.33 which is calling itself
'192.168.11.10' as is the mx similarly calling itself something like
that - and altho' both of them are 'manipulable', I couldn't get them to
relay for me promiscuously.  But, perhaps the spammer injected at a user
IP behind the output server, and the misconfigured output server hid the
actual source IP.

It will be good if the output server gets itself listed in the SCbl,
because of its poor condition.


-- 
Mike Easter
kibitzer, not SC admin
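Added example, not code from the post or from SpamCop: a small Python walker over a constructed copy of the Received chain above, with a hypothetical mailhost list standing in for the "serves you" hosts. It stops at the IP that handed the mail to the last trusted host and then flags where the chain below breaks, because the older line's "by" matches only the sender-supplied HELO "[192.168.11.11]" and not the verified rDNS/IP of the hop above it.

```python
import ipaddress
import re
# Constructed Received lines (newest first) mirroring the abbreviated chain in the post.
RECEIVED = [
    "from wng-03.evisp.enertel.nl ([213.218.77.203]) by smtp06.freeler.nl",
    "from charm.il.fontys.nl ([145.85.127.2]) by wng-03.evisp.enertel.nl",
    "from localhost ([127.0.0.1]) by mail.il.fontys.nl",
    "from localhost ([127.0.0.1]) by mail.il.fontys.nl",
    "from spf6.us4.outblaze.com ([205.158.62.33]) by mail.il.fontys.nl",
    "from [192.168.11.11] (Lp1.cbreinvestors.com [208.201.17.33]) by spf6.us4.outblaze.com",
    "from xng-invla-2.cbreinvestors.com by [192.168.11.11]",
    "from fws-invla-11.cbreinvestors.com ([192.168.13.11]) by xng-invla-2.cbreinvestors.com",
    "from [222.183.16.209] by fws-invla-11.cbreinvestors.com",
]
# Hypothetical mailhost configuration: the receiving hosts the post marks "serves you".
MAILHOSTS = {"smtp06.freeler.nl", "wng-03.evisp.enertel.nl", "charm.il.fontys.nl",
             "mail.il.fontys.nl", "spf6.us4.outblaze.com"}
# Tolerant pattern for "from HELO (RDNS [IP]) by HOST"; RDNS and the bracketed IP are optional.
RX = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?"
                r"\[(?P<ip>[^\]]+)\]\))?\s+by\s+(?P<by>\S+)")
def is_private(name):
    try:
        return ipaddress.ip_address(name).is_private  # loopback and RFC 1918 both count
    except ValueError:
        return False  # a hostname, not an address
def trace_source(received, mailhosts):
    """Walk newest -> oldest; return (source_ip, [(line_no, verdict), ...])."""
    verdicts, source, broken, prev = [], None, False, None
    for n, hop in enumerate((RX.search(line).groupdict() for line in received), 1):
        by = hop["by"].strip("[]").lower()
        sender = (hop["rdns"] or hop["helo"]).strip("[]").lower()
        if source is None and by in mailhosts:  # still inside the hosts you trust
            if sender in mailhosts or is_private(hop["ip"] or ""):
                verdicts.append((n, "serves you"))
            else:  # first host outside your mailhosts to hand the mail over
                source = hop["ip"] or sender
                verdicts.append((n, "source: handed off to your mailhost"))
        elif broken or source is None:
            verdicts.append((n, "possible bogus line: cannot be verified"))
        # Below the handoff only the newer hop's verified identity (rDNS or IP) may chain;
        # the HELO string "[192.168.11.11]" is sender-supplied and deliberately ignored.
        elif by in {x.lower() for x in (prev["rdns"], prev["ip"]) if x} and not is_private(by):
            verdicts.append((n, "chain continues: unverified, outside your mailhosts"))
        else:
            broken = True
            verdicts.append((n, "chain breaks: possible misconfigured output server"))
        prev = hop
    return source, verdicts
```

Run on the constructed chain it names 208.201.17.33 and marks everything below the "by [192.168.11.11]" line as unverifiable; the same walker keeps following a chain whose older "by" names the verified Lp1.cbreinvestors.com instead, while still treating those hops as outside the trusted mailhosts.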


