[SC-Help] Re: Incorrect parsing of source IP for
http://www.spamcop.net/sc?id=z782199815z9c391e5f64401830ced6a66f74fda7eez
Mike Easter
MikeE at ster.invalid
Tue Jul 5 05:51:12 EDT 2005
Posted to .help & .spam, f/ups to .help
Mark C wrote:
> I reported some spam which included a forged mail header.
> Spamcop incorrectly identified the source IP.
Correct.
> Here's the tracking URL:
> www.spamcop.net/sc?id=z782199815z9c391e5f64401830ced6a66f74fda7eez
If reported today, reports would be sent to:
Re: 202.0.32.211 (Administrator of network where email originates)
Abbreviated Received lines *comment
from bm-3a.paradise.net.nz (202.0.58.22) by irene-1.paradise.net.nz
*serves you
from smtp-2.paradise.net.nz ([202.0.32.211]) by
linda-3.paradise.net.nz *serves you,
from 61-230-136-3.dynamic.hinet.net ([61.230.136.3]) by
smtp-2.paradise.net.nz *sourceline
from [81.204.65.230] (port=1372 helo=[Virginian]) by
61-230-136-3.dynamic.hinet.net *bogusline
> The spam source IP should have been (IMO):
> xx-xxx-xxx-x.dynamic.hinet.net (obfuscated)
Correct.
> Instead, spamcop suggested I report to my ISP
> (the next to last valid mail header)
Correct.
> I haven't yet clicked the "Send Spam Reports Now" button.
Better than that, you cancelled the report.
Summary:
- you are correct, parse broke chain prematurely
- you need to configure for mailhosts
- housekeeping, post in discussion group
SC's algorithm in 'standard mode' tries to figure out if an IP is a
relay in the chain by performing a test that I call the 'MX step' when
it is trying to relate an upper 'from' IP field with a lower 'by'
domainname field because the parse's target is supposed to be the
source, not some relay in the chain.
paradise.net.nz's MXes are
pop3.paradise.net.nz A (Address) 203.96.152.6
smtp.paradise.net.nz A (Address) 203.96.152.32
but SC doesn't recognize that situation from the IP 202.0.32.211 because
the IP which shows up is 'too far' away and also because SC doesn't
recognize the IP as a relay for paradise yet. Given time and
experience, the parser has shown the ability to adapt to the situation,
when the parser's experience has matured with that MTA it sees in the
chain -- after the 'submitting to relay testers' program has aged.
However, you can configure SC for a different mode than standard if you
configure it to use mailhosts. Mailhosts is poorly described on this
faq page: http://www.spamcop.net/fom-serve/cache/397.html "How do I
configure Mailhosts for SpamCop?"
It is configured by logging in at http://www.spamcop.net/, going to your
parser page, clicking 'mailhosts' and beginning the configuration
process. If you choose not to configure for mailhosts but continue to
submit your parses, it is likely that SC will be able to figure out what
is going on in time. But mailhosts is a 'smarter' configuration, because
it tells SC which relays are yours, so my so-called 'MX step' doesn't
need to be done for them.
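To make the two modes concrete, here is a small added example (my own illustration, not SpamCop's code) that walks the abbreviated Received chain quoted above in both ways: the 'standard mode' link test, where each upper 'from' IP is checked against what the parser knows about relays for the lower line's 'by' host, and the mailhosts mode, where the test is simply "is this one of my declared relays?". The KNOWN_RELAYS table is a stand-in for DNS/MX knowledge and includes 202.0.58.22 as an assumed learned relay; 202.0.32.211 is deliberately absent, which reproduces the premature break, while the MAILHOSTS set is a hypothetical configuration that lets the walk continue to the real source.

```python
import re

# Constructed sample: the abbreviated Received chain quoted in the post, top-down
# (most recent hop first, as in a real message). The last line is the forged one.
RECEIVED_LINES = [
    "from bm-3a.paradise.net.nz (202.0.58.22) by irene-1.paradise.net.nz",
    "from smtp-2.paradise.net.nz ([202.0.32.211]) by linda-3.paradise.net.nz",
    "from 61-230-136-3.dynamic.hinet.net ([61.230.136.3]) by smtp-2.paradise.net.nz",
    "from [81.204.65.230] (port=1372 helo=[Virginian]) by 61-230-136-3.dynamic.hinet.net",
]

# Stand-in for what a 'standard mode' parser knows about a domain's relays: the two MX
# addresses quoted in the post plus relays it has learned. Listing 202.0.58.22 as a
# learned relay is an assumption; 202.0.32.211 is deliberately missing, which is the
# gap the post describes.
KNOWN_RELAYS = {
    "paradise.net.nz": {"203.96.152.6", "203.96.152.32", "202.0.58.22"},
}

# Hypothetical mailhosts configuration: relays the recipient has declared as theirs.
MAILHOSTS = {"202.0.58.22", "202.0.32.211"}

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_hop(line):
    """Return (from_ip, by_host) for one abbreviated Received line."""
    head, sep, tail = line.partition(" by ")
    match = IPV4_RE.search(head)
    if not sep or not match:
        raise ValueError("cannot parse Received line: %r" % line)
    return match.group(1), tail.split()[0].rstrip(".").lower()


def known_relays_for(host):
    """Longest-suffix lookup of a host in KNOWN_RELAYS (stand-in for DNS/MX lookups)."""
    labels = host.split(".")
    for i in range(len(labels)):
        relays = KNOWN_RELAYS.get(".".join(labels[i:]))
        if relays:
            return relays
    return set()


def link_is_trusted(from_ip, lower_by_host, mailhosts=None):
    """The 'MX step': is the upper line's 'from' IP a known relay for the lower line's
    'by' host? With a mailhosts configuration the question is just 'is it my relay?'."""
    if mailhosts is not None:
        return from_ip in mailhosts
    return from_ip in known_relays_for(lower_by_host)


def find_source(lines, mailhosts=None):
    """Walk the chain from the top. The source is the first 'from' IP whose link to the
    line below cannot be verified; everything below it is untrusted and never consulted,
    so a forged bottom line cannot shift the blame further down."""
    hops = [parse_hop(line) for line in lines]
    for index, (from_ip, _by_host) in enumerate(hops):
        if index == len(hops) - 1:
            return from_ip, "end of chain"
        lower_by = hops[index + 1][1]
        if not link_is_trusted(from_ip, lower_by, mailhosts):
            return from_ip, "chain broke at line %d (%s not a verified relay for %s)" % (
                index + 1, from_ip, lower_by)
    return None, "empty chain"


if __name__ == "__main__":
    print("standard mode :", find_source(RECEIVED_LINES))
    print("mailhosts mode:", find_source(RECEIVED_LINES, MAILHOSTS))
```

In standard mode the walk stops at line 2 and blames 202.0.32.211, the recipient's own relay, exactly as the parse above did; with the mailhosts set it continues past both paradise.net.nz relays and stops at 61.230.136.3, the hinet.net source, without ever looking at the bogus line beneath it.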
Housekeeping: The reason that I posted also to .help and made f/ups
there is that .spam wasn't intended to be a discussion group, or
traditionally hasn't been used as a discussion group. Once upon a time
the tracker device didn't work like it does now and it was necessary to
post raw spams with complete headers into this group - so at that time
people posted their questions into the discussion newsgroups spamcop or
spamcop.help and their spam into spamcop.spam, but didn't discuss the
issue in .spam; they discussed it in the discussion group. Things have
changed now, so it is better to just post a tracker into .help or
spamcop and not use .spam at all.
--
Mike Easter
kibitzer, not SC admin