[SpamCop.net - protecting the internet through technology]

[SC-Help] Re: Spamcop failing to detect true originating IP

Mike Easter MikeE at ster.invalid
Wed Jul 13 01:12:12 EDT 2005


wskrispy wrote:
> Mike Easter wrote:
>> wskrispy wrote:
>>
>>> Here's a tracker from a spam that Spamcop choked on, complete with
>>> SA headers:

www.spamcop.net/sc?id=z785186974zfb5c4d04f5694f362a90b200bac251bfz

  Abbreviated Received lines *comment
  from acconci1 by 1n5-199.servernode.net *noncompliant
  from localhost by 1n5-199.servernode.net *noncompliant

>> There is nothing you can do, such as removing SA
>> lines, which will restore those headers to a proper condition for
>> reporting spam.


>>> Received: from [62.101.126.224] (helo=acconci.com)
>>>        by 1n5-199.servernode.net with esmtp (Exim 4.43)

>> This second line can take the place of the first line;  it is a
>> compliant line.
>
> Yes, so why doesn't Spamcop use this second line and accept it as
> source IP?

As you can see from the tracker which shows the entirety of the headers
and from my abbreviation above of the 'from' and 'by' fields extracted
from that header, your server is not stamping the 'from' field of its
source with the IP address.  This is unsatisfactory for spam reporting.

> And the reason the first line is unusable is: the spammer succeeded in
> his spoof (he made 1n5-199.servernode.net think it was receiving mail
> from "acconci1", which is the linux username running the mailserver on
> 1n5-199.servernode.net itself!). I thought we're in the business of
> outsmarting these clowns.

The spammer can say what s/he wants in the helo -- but the spammer
cannot [easily] 'spoof' the necessary SYN & ACK packet correspondence
during which the server is communicating with a particular IP address.
The server knows what IP it is accepting the smtp transactions from and
sending transactions to.  It is imperative that the server stamp the
'from' field with that IP address for trace purposes.

In your second example for which we don't have a tracker URL, the two
lines show that one of them was compliant.

  Abbreviated Received lines *comment
  from acconci1 by 1n5-199.servernode.net *noncompliant
  from [62.101.126.224] (helo=acconci.com) by 1n5-199.servernode.net *compliant

Because the 2nd line shows the source IP address, it can be parsed
properly while the topline is ignored.



-- 
Mike Easter
kibitzer, not SC admin
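The parsing rule described in this reply, as an added example that is not part of the original post or of SpamCop's own parser: walk the Received: chain from the top, treat a hop whose 'from' field carries no address as noncompliant, and take the first hop that does carry a public IP as the source. The sample headers are constructed; the host names and the 62.101.126.224 address come from the thread, while the 'with'/'for' clauses and the trusted-relay handling are assumptions for illustration.

```python
"""Walk a message's Received: chain the way a trace-reporting tool has to,
and pick out the first hop whose 'from' field carries a usable IP address.
Added example; not SpamCop code."""
import re
from ipaddress import ip_address

# Constructed sample headers modelled on the two cases in the thread.  Host
# names and 62.101.126.224 are from the post; everything else is assumed.
CHOKED_HEADERS = (
    "Received: from acconci1 by 1n5-199.servernode.net with local (Exim 4.43)\n"
    "\tfor <victim@example.invalid>\n"
    "Received: from localhost by 1n5-199.servernode.net with local (Exim 4.43)\n"
    "\tfor <victim@example.invalid>\n"
    "Subject: constructed test message\n"
)

COMPLIANT_HEADERS = (
    "Received: from acconci1 by 1n5-199.servernode.net with local (Exim 4.43)\n"
    "\tfor <victim@example.invalid>\n"
    "Received: from [62.101.126.224] (helo=acconci.com)\n"
    "\tby 1n5-199.servernode.net with esmtp (Exim 4.43)\n"
    "\tfor <victim@example.invalid>\n"
    "Subject: constructed test message\n"
)

RECEIVED_RE = re.compile(r"^Received:\s*from\s+(?P<from>.*?)\s+by\s+(?P<by>\S+)", re.I)
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def unfold_headers(raw):
    """RFC 5322 unfolding: a line starting with whitespace continues the previous header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def usable_ip(from_field):
    """First globally routable IPv4 literal in a 'from' field, else None.

    A bare user or host name (no address at all) is noncompliant for trace
    purposes; loopback and private addresses are treated the same way, since
    they identify an internal handoff rather than the sending host.  The
    helo= value is deliberately ignored: it is whatever the client claimed."""
    for m in IPV4_RE.finditer(from_field):
        try:
            addr = ip_address(m.group(1))
        except ValueError:
            continue
        if addr.is_global:
            return str(addr)
    return None


def parse_received(raw):
    """Return one dict per Received: header, top (most recent) first."""
    hops = []
    for line in unfold_headers(raw):
        m = RECEIVED_RE.match(line)
        if not m:
            continue
        ip = usable_ip(m.group("from"))
        hops.append({"from": m.group("from"), "by": m.group("by"), "ip": ip})
    return hops


def abbreviate(raw):
    """Reproduce the post's 'from ... by ... *comment' listing."""
    return ["from %s by %s *%s" % (h["from"], h["by"],
                                   "compliant" if h["ip"] else "noncompliant")
            for h in parse_received(raw)]


def source_ip(raw):
    """Top-down walk: the first hop whose 'from' field shows a public IP is
    taken as the source; hops above it with no address are ignored."""
    for hop in parse_received(raw):
        if hop["ip"]:
            return hop["ip"]
    return None


if __name__ == "__main__":
    for name, raw in (("choked", CHOKED_HEADERS), ("compliant", COMPLIANT_HEADERS)):
        print(name)
        for line in abbreviate(raw):
            print("  " + line)
        print("  source:", source_ip(raw))
```

On the first header block every hop lacks an address, so nothing can be reported; on the second the top line is still skipped but the next hop yields 62.101.126.224, which matches the reply's point that the compliant line is parsed while the noncompliant one above it is ignored. A production parser would additionally stop at the first hop outside the reporter's trusted relays rather than trusting every header in the chain, since lines below the first untrusted hop can be forged.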