[SpamCop.net - protecting the internet through technology]

[SC-Help] Re: Spamcop failing to detect true originating IP

Mike Easter MikeE at ster.invalid
Wed Jul 13 01:47:16 EDT 2005


Some more of the story.

Now we are going to discuss this item
www.spamcop.net/sc?id=z785186974zfb5c4d04f5694f362a90b200bac251bfz from
a different perspective.  Previously I was explaining why SC cannot
derive an IP address as a source by parsing those headers as submitted.
Now we can talk about the 'entirety' of what the item contains.

What was submitted to the parser for the tracker above consists of
headers from your provider to you of a mail which contains an attachment
of a mail which used to have a viral propagation which has subsequently
been stripped.

This structure is thus found:

topheaders
body1
attachment headers
body2
AVG info

The 'story' is that 85.40.108.210 rDNS
host210-108.pool8540.interbusiness.it calling itself acconci.com in the
helo propagated a virus I-Worm/Mytob.HL in a password.zip attachment.
That propagation had From admin at acconci.com and was received by the
server 1n5-199.servernode.net which was running SpamAssassin 3 and AVG 7
antivirus.

That item was identified as spam by SpamAssassin and stripped of its
virus propagation by AVG.  The topheaders are 'internal' headers for the
servernode server, whereas the attachment headers show the source IP of
the propagation.

body1 describes SA functionality and report, body2 is the propagation's
body content, and AVG info is describing the stripping and
characterizing the virus.

-- 
Mike Easter
kibitzer, not SC admin
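As an added illustration, not part of Mike's post, the Python below parses a constructed notification of the shape he describes (hosts and IPs are documentation placeholders, not values from the thread) and separates the outer Received chain, which is all a parser fed only the top headers can see, from the chain inside the message/rfc822 attachment where the propagation's source IP actually lives.

```python
import email
import re
from email import policy

# Constructed sample: SpamAssassin/AVG notice from the servernode host,
# carrying the stripped propagation as an attached message. Hosts and IPs
# are documentation placeholders, not values taken from the thread.
RAW = """\
Received: from mx.servernode.example (mx.servernode.example [198.51.100.5])
\tby mail.provider.example with ESMTP; Wed, 13 Jul 2005 01:10:00 -0400
Received: from localhost (localhost [127.0.0.1])
\tby mx.servernode.example (Postfix) with ESMTP; Wed, 13 Jul 2005 01:05:00 -0400
From: spamassassin@servernode.example
To: victim@example.net
Subject: *****SPAM***** your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Spam detection software has identified this message as possible spam.
--b1
Content-Type: message/rfc822

Received: from acconci.example (host210.pool.example [192.0.2.10])
\tby mx.servernode.example with SMTP; Wed, 13 Jul 2005 01:00:00 -0400
From: admin@acconci.example
To: victim@example.net
Subject: your account

[attachment removed by antivirus]
--b1--
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_ips(msg):
    """IPs recorded in a message's own Received headers, newest hop first."""
    return [m.group(1) for h in msg.get_all("Received", [])
            for m in [IP_IN_BRACKETS.search(str(h))] if m]

def source_ips(raw):
    """Split the Received chains: 'top' is what a parser fed only the outer
    headers sees; 'attached' holds one chain per message/rfc822 part."""
    msg = email.message_from_string(raw, policy=policy.default)
    attached = [received_ips(part.get_payload(0)) for part in msg.walk()
                if part.get_content_type() == "message/rfc822"]
    return {"top": received_ips(msg), "attached": attached}
```

The outer chain ends at the servernode/provider hops; only the attached message's chain carries the originating address, so that header block is what has to be submitted for a parser to find it.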