[SpamCop.net - protecting the internet through technology]

[SC-Help] Re: Spamcop treats MX differently depending on where it appears in chain

Blammo nttp.sc.s at bigsleep.org
Mon Apr 4 01:53:10 EDT 2005


On 02 Apr 2005 You have no need to know entered spamcop.help and left
news:pan.2005.04.02.23.31.40.126032 at fl.net.invalid: 

> This is the first received line. Not the one closest to the top of the
> headers. The one that shows the connect from outside the ISP.
> 
> Received: from 4dmail.co.uk (p548FF904.dip.t-dialin.net
> [84.143.249.4]) 
>      by OTHERNAME.FOR.ISP.MX (Postfix) with ESMTP id 60BB36E; Tue, 29
>      Mar 2005 05:56:46 +1000 (EST)
> 
> ===
> 
> SC's analysis contains these lines relevant to that received line.
> 
> 1.2.3.4 is not an MX for othername.for.isp.mx
> host othername.for.isp.mx (checking ip) ip not found ;
> othername.for.isp.mx discarded as fake. cannot find an mx for
> othername.for.isp.mx cannot find an mx for isp.mx
> 

I don't think SC gets to that line; it's the received line above that that 
fails.

Let's try [84.143.249.4] in that line as an example...

dig -x 84.143.249.4
4.249.143.84.in-addr.arpa. 86400 IN     PTR     p548FF904.dip.t-dialin.net.

dig a p548FF904.dip.t-dialin.net
p548FF904.dip.t-dialin.net. 86400 IN    A       84.143.249.4

dig a P548FF904.DIP.T-DIALIN.NET
P548FF904.DIP.T-DIALIN.NET. 86273 IN    A       84.143.249.4

host P548FF904.DIP.T-DIALIN.NET
P548FF904.DIP.T-DIALIN.NET has address 84.143.249.4

It seems "othername.for.isp.mx" does not have an A record, and I don't see 
that case makes any difference.

dig mx p548FF904.dip.t-dialin.net
no answer

dig mx t-dialin.net
t-dialin.net.           86400   IN      MX      10 rx.t-online.de.

dig a rx.t-online.de
rx.t-online.de.         86400   IN      A       194.25.134.167

IPs aren't even close
194.25.134.167 is an MX for t-dialin.net
84.143.249.4 is not an MX

Now you know your ISP's MX wrote the line "by OTHERNAME.FOR.ISP.MX", but we 
don't know how it got that mail because there is no A or MX record for that 
name, according to what the parser wrote. Otherwise, if Spamcop got this 
far, it could test [194.25.134.167] against "OTHERNAME.FOR.ISP.MX".
If Spamcop could figure out (reliably) what the recipient's address was, 
then it could verify against the MX for that. But even then, the MX server 
can change, and usually does with ISPs. Postfix does write "for 
email-address" in the Received header, but I don't think Spamcop looks at 
that.

Note that in your second example, "OTHERNAME.FOR.ISP.MX" has both an A and 
MX record (apparently).
Spamcop should actually be checking to see if [62.79.79.29] is an MX for 
"OTHERNAME.FOR.ISP.MX". It is possible that the upper case is causing 
Spamcop to print " - chain verified", otherwise I'm a little lost as to why 
it's printing all that.

-- 
| Ric
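As an added example (not from Ric's post or from SpamCop's parser), here is Python that performs the checks the post walks through by hand on the quoted Received line: reverse-then-forward confirm the connecting IP, then test whether that IP is an address of an MX for the "by" host, walking up the labels the way the parser's "cannot find an mx for isp.mx" line suggests, with names lowercased since DNS is case-insensitive. DNS answers come from a constructed in-memory table mirroring the dig output above, not live lookups; "othername.for.isp.mx" is the thread's placeholder and deliberately has no records.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed DNS table standing in for live lookups; values mirror the post's dig output.
FAKE_DNS: Dict[str, Dict[str, List[str]]] = {
    "4.249.143.84.in-addr.arpa": {"PTR": ["p548ff904.dip.t-dialin.net"]},
    "p548ff904.dip.t-dialin.net": {"A": ["84.143.249.4"]},
    "t-dialin.net": {"MX": ["rx.t-online.de"]},
    "rx.t-online.de": {"A": ["194.25.134.167"]},
}

# Constructed sample, shaped like the Received line quoted in the thread.
SAMPLE = ("Received: from 4dmail.co.uk (p548FF904.dip.t-dialin.net [84.143.249.4])\n"
          "\tby OTHERNAME.FOR.ISP.MX (Postfix) with ESMTP id 60BB36E; Tue, 29 Mar 2005")

# from <helo> (<rdns> [<ip>]) by <host>  -- whitespace may include folded-line newlines
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[\d.]+)\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE)

def lookup(name: str, rtype: str, dns=FAKE_DNS) -> List[str]:
    """Case-insensitive record lookup (DNS names are case-insensitive, so lowercase first)."""
    return dns.get(name.lower().rstrip("."), {}).get(rtype, [])

def reverse_name(ip: str) -> str:
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def mx_hosts_for(name: str, dns=FAKE_DNS) -> Tuple[Optional[str], List[str]]:
    """Walk up the labels (othername.for.isp.mx -> for.isp.mx -> isp.mx) until an MX exists."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # never fall back to the bare TLD
        cand = ".".join(labels[i:])
        mx = lookup(cand, "MX", dns)
        if mx:
            return cand, mx
    return None, []

def check_received(line: str, dns=FAKE_DNS) -> dict:
    m = RECEIVED_RE.search(line)
    if not m:
        return {"parsed": False}
    ip, by = m["ip"], m["by"].lower()
    ptr = lookup(reverse_name(ip), "PTR", dns)                  # dig -x
    forward_ok = any(ip in lookup(p, "A", dns) for p in ptr)    # PTR name resolves back to ip
    mx_domain, mxs = mx_hosts_for(by, dns)                      # "cannot find an mx for ..."
    mx_ips = [a for h in mxs for a in lookup(h, "A", dns)]
    return {"parsed": True, "ip": ip, "rdns_matches": forward_ok,
            "by_has_a": bool(lookup(by, "A", dns)),
            "mx_domain": mx_domain, "ip_is_mx_for_by": ip in mx_ips}
```

Swapping the "by" host for a name under t-dialin.net shows the label walk finding the parent's MX, while the connecting IP is still not one of its addresses, which is the "is not an MX" verdict the post describes.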
