[SC-Help] Re: Spammer tricks successfully beat spamcop
Mike Easter
MikeE at ster.invalid
Tue Jun 28 16:51:36 EDT 2005
Mike Easter wrote:
> Phil Scadden wrote:
>> Link isn't parsed and doesn't find the spam source
> Report Spam to:
> Re: 131.203.5.60
> which appears to be your mailhost, because it breaks the chain
> prematurely.
>
> Abbreviated Receive lines *comment
> from grfn6.gns.cri.nz ([131.203.5.60]) by dndm1.gns.cri.nz *serves
> you from omega.gns.cri.nz (unverified) by grfn6.gns.cri.nz *serves
> you from (host86-130-77-159.range86-130.btcentralplus.com
> [86.130.77.159]) by omega.gns.cri.nz *sourceline
>
> SC fails to make the chain from the 2nd line to the third, leaving it
> stuck with the 1st.
One of the main reasons that SC can't chain through those lines is the
great discrepancy between the IPs of the mx which gets the spam and the
server which puts it in your mailbox. If the grfn6 server had stamped
its line in the 'from' field with the IP of the server it got it from,
you would have had a more satisfactory outcome.
For demonstration purposes only, I have forged a spam in which I have
corrected the deficiency of grfn6's line stamping
http://www.spamcop.net/sc?id=z779834567z8407ed771ddb9549ad3eda29942f0397z
<now cancelled>
That tracker shows SC correctly naming the source:
Report Spam to:
Re: 161.65.52.34 (Automated open-relay testing system(s))
To: Internal spamcop handling: (relays) (Notes)
Re: 86.130.77.159 (Administrator of network where email originates)
To: abuse at bt.com (Notes)
To: Internal spamcop handling: (bt)
... and it suspects the MX of being an 'open relay' because it is
unfamiliar with it.
The configuration which I changed/forged the original to looks like
this:
Abbreviated Receive lines *comment
from grfn6.gns.cri.nz ([131.203.5.60]) by dndm1.gns.cri.nz *serves you
from omega.gns.cri.nz (161.65.52.34) by grfn6.gns.cri.nz *serves you
from (host86-130-77-159.range86-130.btcentralplus.com [86.130.77.159])
by omega.gns.cri.nz *sourceline
The difference from the original is that the 'from' field of the 2nd
line is correctly configured to show the IP of the source [its own
server] from which it got the item. Proper compliance requires that the
Received tracelines be properly configured, and grfn6 isn't stamping its
line, the 2nd one, properly. In this case, that makes a lot of
difference to spamcop, because there's a lot of difference in the IPs
between omega and grfn6.
--
Mike Easter
kibitzer, not SC admin
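The chaining failure described in the post, worked through in code. This is an added example, not part of the post and not SpamCop's actual parser: a simplified Received-header tracer that walks the lines newest-first and only follows a hop when the line's 'by' host is the host the previous line said it received from, and when the line stamps the IP it received the message from. The full-length Received lines below are constructed from the abbreviated ones in the post (the timestamps and "with ESMTP" clauses are made up), and the set of trusted mailhost IPs passed to the tracer is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed Received lines (newest first), modelled on the abbreviated ones
# in the post. Timestamps and "with" clauses are invented for realism.
ORIGINAL_RECEIVED = [
    "from grfn6.gns.cri.nz ([131.203.5.60]) by dndm1.gns.cri.nz with ESMTP; Tue, 28 Jun 2005 09:12:04 +1200",
    "from omega.gns.cri.nz (unverified) by grfn6.gns.cri.nz with ESMTP; Tue, 28 Jun 2005 09:12:03 +1200",
    "from (host86-130-77-159.range86-130.btcentralplus.com [86.130.77.159]) by omega.gns.cri.nz with SMTP; Tue, 28 Jun 2005 09:12:01 +1200",
]

# Same chain with the 2nd line "corrected" the way the post's forged copy was:
# grfn6 now stamps the IP it received from (161.65.52.34 as given in the post).
FIXED_RECEIVED = [
    ORIGINAL_RECEIVED[0],
    "from omega.gns.cri.nz (161.65.52.34) by grfn6.gns.cri.nz with ESMTP; Tue, 28 Jun 2005 09:12:03 +1200",
    ORIGINAL_RECEIVED[2],
]

# Only the "from <host> (<comment>) by <host>" part matters for chaining.
# The HELO host after 'from' may be missing (3rd line above), and the
# comment may hold a reverse-DNS name and/or an IP in square brackets.
_RECEIVED_RE = re.compile(
    r"^\s*from\s+(?P<host>[^\s(]+)?\s*(?:\((?P<comment>[^)]*)\))?\s*by\s+(?P<by>[^\s;]+)",
    re.IGNORECASE,
)
_IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


@dataclass
class Hop:
    from_host: Optional[str]   # host the line claims it received from
    from_ip: Optional[str]     # IP the receiving server stamped, if any
    by_host: str               # server that wrote the line


def parse_received(line: str) -> Optional[Hop]:
    """Extract the from-host, the stamped from-IP and the by-host of one line."""
    m = _RECEIVED_RE.match(line)
    if not m:
        return None
    comment = m.group("comment") or ""
    ip = _IPV4_RE.search(comment)
    host = m.group("host")
    if host is None:
        # No HELO name: fall back to the reverse-DNS name inside the comment.
        tokens = comment.replace("[", " ").replace("]", " ").split()
        names = [t for t in tokens if not _IPV4_RE.fullmatch(t)]
        host = names[0] if names else None
    return Hop(
        from_host=host.lower() if host else None,
        from_ip=ip.group(1) if ip else None,
        by_host=m.group("by").lower(),
    )


def trace_source(received: List[str], mailhost: str, trusted_ips: Set[str]) -> dict:
    """Walk the chain top-down. Each line is believed only if its 'by' host is
    the host the previous believed line received from, and it must carry the
    IP it received from; otherwise the chain breaks and the last stamped IP
    is reported as the source. Intermediate IPs not in trusted_ips are
    returned as unverified relays."""
    expected_by = mailhost.lower()
    source_ip: Optional[str] = None
    relays: List[str] = []
    broken_at = None
    for idx, raw in enumerate(received, start=1):
        hop = parse_received(raw)
        if hop is None or hop.by_host != expected_by:
            broken_at = (idx, "unparseable line or 'by' host does not match previous 'from'")
            break
        if hop.from_ip is None:
            broken_at = (idx, f"no IP stamped for 'from {hop.from_host}'")
            break
        if source_ip is not None and source_ip not in trusted_ips:
            relays.append(source_ip)
        source_ip = hop.from_ip
        expected_by = hop.from_host or ""
    return {"source_ip": source_ip, "relays": relays, "broken_at": broken_at}


if __name__ == "__main__":
    trusted = {"131.203.5.60"}  # assumed: the reporter's own mailhost IP
    for label, chain in (("original", ORIGINAL_RECEIVED), ("fixed", FIXED_RECEIVED)):
        print(label, trace_source(chain, "dndm1.gns.cri.nz", trusted))
```

Run as-is, the original chain stops at the 2nd line because "(unverified)" carries no IP, so the tracer can only report 131.203.5.60; the fixed chain reaches the btcentralplus.com line and reports 86.130.77.159, with 161.65.52.34 listed as an unverified intermediate hop, which is the shape of the result the post shows for the forged copy.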