[SC-Help]
Re: Failing to track spammer - is this being parsed correctly?
Mike Easter
MikeE at ster.invalid
Tue Jan 25 09:42:08 EST 2005
posted to .help & .spam, f/ups to .help
Phil Scadden wrote:
> Tracker is
> www.spamcop.net/sc?id=z724762596z5b065452f3ad83623c927332069673ffz
Abbreviated Received lines                                                            *comment
from grfn6.gns.cri.nz ([131.203.5.60]) by dndm1.gns.cri.nz                            *serves you
from omega.gns.cri.nz by grfn6.gns.cri.nz                                             *serves you, ignored
from (adsl-67-39-200-54.dsl.bcvloh.ameritech.net [67.39.200.54]) by omega.gns.cri.nz  *sourceline
> but it is deciding that the source is forged and declaring our mail
> gateway is the spammer.
That is not currently happening with that parse. The parse result has
changed.
> Getting a few of these which look to me from inside ameritech space.
The source is now named as the ameritech IP.
If reported today, reports would be sent to:
Re: 67.39.200.54 (Administrator of network where email originates)
abuse at ameritech.net
What was probably happening before was that the chain was being broken
prematurely because SC was unfamiliar with the relay and it failed what
I call the 'mx step'. The evidence of the mx step having 'matured' and
SC recognizing the server is demonstrated in these 2 sections of the
verbose:
131.203.5.60 is not an MX for dndm1.gns.cri.nz
131.203.5.60 is not an MX for grfn6.gns.cri.nz
131.203.5.60 is not an MX for omega.gns.cri.nz
131.203.5.60 is not an MX for dndm1.gns.cri.nz
Chain test:omega.gns.cri.nz =? grfn6.gns.cri.nz
host grfn6.gns.cri.nz (checking ip) = 131.203.5.60
131.203.5.60 is not an MX for omega.gns.cri.nz
host omega.gns.cri.nz (checking ip) = 161.65.52.34
131.203.5.60 is not an MX for omega.gns.cri.nz
omega.gns.cri.nz and grfn6.gns.cri.nz have same domain - chain verified
Possible relay: 131.203.5.60
131.203.5.60 not listed in relays.ordb.org.
131.203.5.60 has already been sent to relay testers
Received line accepted
If that line is not accepted, then the chain breaks and SC names the
source 131.203.5.60 rDNS grfn6.gns.cri.nz
The problem originates because of the discrepancy between or about
mx1.gns.cri.nz vs omega.gns.cri.nz and the IPs 161.65.52.34 and
131.203.5.60, which are nowhere near each other.
The mx is 161.65.52.34 and it rDNSes one way and the DNS is the other.
That is, the mx for gns.cri.nz is 161.65.52.34 which is mx1.gns.cri.nz
or omega.gns.cri.nz not 131.203.5.60
SC is trying to 'figure that out' and it is just an algorithm. The 'old
fashioned' remedy was that SC would break the chain and send the
possible relay to the relay testers. The 'new fangled' remedy is that
people who put their mailhosts into mailhost configuration have the
correct result 'immediately'.
As a housekeeping issue, the reason I 'moved' my reply and its f/ups
from where you originally posted in .spam is because spamcop.spam is
just supposed to be a place where 'raw' spam is posted [a tracker isn't
raw spam and is better than raw spam] and either of the groups
spamcop.help or spamcop are where things like this are discussed.
--
Mike Easter
kibitzer, not SC admin
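The chain test described in the post, worked as an added example. This is not SpamCop's code and not part of the original message; it is a simplified model of the walk SC performs: start at the topmost Received line (written by the reporter's own server), keep walking while each hop was written by a trusted host and came from a trusted IP, and name the first 'from' outside that trusted set as the source. The `trusted_hosts`/`trusted_ips` sets stand in for the mailhost configuration Mike mentions; the sample message, the forward-DNS table and the `CONSTRUCTED*` ids are built here from the hosts and IPs quoted in the thread. Running it with and without 131.203.5.60 in the trusted set reproduces both parse results the post describes.

```python
"""Walk a Received-header chain top-down to locate the first untrusted hop.

Added illustration of the 'chain test' discussed in the thread; it is not
SpamCop's code. The message, DNS answers and ids below are constructed from
the hosts and IPs quoted in the post.
"""
import re
from typing import NamedTuple, Optional


class Hop(NamedTuple):
    helo: Optional[str]  # name the sending host announced (attacker-controlled)
    rdns: Optional[str]  # reverse DNS recorded by the receiving host
    ip: Optional[str]    # connecting IP recorded by the receiving host
    by: str              # host that wrote this Received line


# Matches the three shapes seen in the thread:
#   from HOST ([IP]) by HOST   |   from HOST by HOST   |   from (RDNS [IP]) by HOST
_RECEIVED = re.compile(
    r"^from\s+(?P<helo>[\w.\-]+)?\s*"
    r"(?:\((?P<rdns>[\w.\-]+)?\s*\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\))?"
    r"\s+by\s+(?P<by>[\w.\-]+)",
    re.IGNORECASE,
)

# Forward DNS answers, constructed from the values in the quoted parse output
# ("host omega.gns.cri.nz (checking ip) = 161.65.52.34"). A live tool resolves.
FORWARD_DNS = {
    "grfn6.gns.cri.nz": "131.203.5.60",
    "omega.gns.cri.nz": "161.65.52.34",
    "mx1.gns.cri.nz": "161.65.52.34",
}

# Constructed sample: the three hops quoted in the thread, topmost = most recent.
SAMPLE = """\
Received: from grfn6.gns.cri.nz ([131.203.5.60]) by dndm1.gns.cri.nz
\twith ESMTP id CONSTRUCTED1; Tue, 25 Jan 2005 08:00:00 +1300
Received: from omega.gns.cri.nz by grfn6.gns.cri.nz with ESMTP
\tid CONSTRUCTED2; Tue, 25 Jan 2005 07:59:59 +1300
Received: from (adsl-67-39-200-54.dsl.bcvloh.ameritech.net [67.39.200.54])
\tby omega.gns.cri.nz with SMTP id CONSTRUCTED3; Tue, 25 Jan 2005 07:59:58 +1300
From: someone@example.invalid
Subject: constructed sample

body
"""

# Stand-in for the reporter's mailhost configuration (hypothetical sets).
MAILHOSTS = {"dndm1.gns.cri.nz", "grfn6.gns.cri.nz", "omega.gns.cri.nz", "mx1.gns.cri.nz"}
MAILHOST_IPS = {"131.203.5.60", "161.65.52.34"}


def extract_received(raw_message: str) -> list[str]:
    """Return Received header values in header order (topmost first)."""
    headers, _, _ = raw_message.partition("\n\n")
    unfolded = re.sub(r"\n[ \t]+", " ", headers)  # join folded continuation lines
    return [line[len("Received:"):].strip()
            for line in unfolded.split("\n") if line.lower().startswith("received:")]


def parse_received(value: str) -> Hop:
    m = _RECEIVED.match(value.strip())
    if not m:
        raise ValueError(f"unparseable Received line: {value!r}")
    return Hop(m["helo"], m["rdns"], m["ip"], m["by"].lower())


def sender_ip(hop: Hop) -> Optional[str]:
    """Prefer the IP the receiving host recorded; only when none was logged fall
    back to resolving the announced name (the 'checking ip' step in the verbose)."""
    return hop.ip or FORWARD_DNS.get((hop.helo or "").lower())


def find_source(hops: list[Hop], trusted_hosts: set[str],
                trusted_ips: set[str]) -> Optional[tuple[Optional[str], Optional[str]]]:
    """Walk top-down; the first hop whose sender is not a trusted IP is the source."""
    for hop in hops:
        if hop.by not in trusted_hosts:
            return None  # header written by a host we do not trust; nothing below is verifiable
        ip = sender_ip(hop)
        if ip in trusted_ips:
            continue  # internal relay: chain continues
        return (ip, hop.rdns or hop.helo)
    return None


def trace(raw_message: str, trusted_hosts: set[str], trusted_ips: set[str]):
    hops = [parse_received(v) for v in extract_received(raw_message)]
    return find_source(hops, trusted_hosts, trusted_ips)


if __name__ == "__main__":
    print("relay trusted:  ", trace(SAMPLE, MAILHOSTS, MAILHOST_IPS))
    print("relay untrusted:", trace(SAMPLE, MAILHOSTS, MAILHOST_IPS - {"131.203.5.60"}))
```

With the relay trusted the walk ends at 67.39.200.54 (the ameritech host); drop 131.203.5.60 from the trusted IPs and the chain breaks one hop early, naming 131.203.5.60 / grfn6.gns.cri.nz, which is the misattribution the original post complained about. Trust is decided on the recorded connecting IP, not on the announced name, because the HELO name is the one field the sender chooses.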