[SC-Help] Re: Strange stuff going on (my mail got 8192 spamcop reports,counting)

Ilgaz Ocal Ilgaz at spamcop.net
Sun Nov 20 07:34:39 EST 2005


On 2005-11-20 06:47:53 +0200, "Mike Easter" <MikeE at ster.invalid> said:

> Ilgaz Ocal wrote:
> 
>> I am a spamcop customer and serverlogistics customer. Saying as it
>> could be related.
> 
> The blocklisted major output server  67.43.163.77  rDNS
> osiris.serverlogistics.com  is also the incoming MX IP for
> serverlogistics AKA mail.serverlogistics.net
> 
> .... so it is conceivable that you could be reporting your own provider.

But I didn't report anything :) I even gave up quick reporting a while 
ago. You know what? Serverlogistics is also a spamcop customer (as a 
company) I guess. Their mail has the Spamcop blocking list enabled.

> 
>> I woke up, Eudora shows 8100 unread messages in my stepfather's site
>> mail which I maintain. It is fhzre at fhzregvyznp.pbz (rot13)
> 
> The mailserver for sumertilmac.com is also the serverlogistics server
> mentioned above.  So, the reporting of spam to that account could also
> be misreported as the server above.
> 
> I have no idea what the unread messages are about.  Do you?

Sorry for the late reply, as even Eudora lost its mind while trying to get 
these mails. I dug into its mailbox file, pasting here (all identical):

Incoming message...
Subject: Delivery failure to <sumer_tilmac at myrealbox.com> ...
Date: Sat, 19 Nov 2005 15:24:09 -0800 PST
From: "Mail Delivery Subsystem" <postmaster at serverlogistics.com>
To: <fhzre at fhzregvyznp.pbz>

>From ???@??? Sun Nov 20 07:11:54 2005
Received: from IMAIL_LOCAL (unverified [localhost]) 
	by serverlogistics.com (SurgeMail 3.5b3) with ESMTP id 6071098 
	for <sumer at sumertilmac.com>; Sat, 19 Nov 2005 15:24:09 -0800 PST
Return-Path: <>
Date: Sat, 19 Nov 2005 15:24:09 -0800 PST
From: "Mail Delivery Subsystem" <postmaster at serverlogistics.com>
X-AutoResponder: mailer-daemon
To: <fhzre at fhzregvyznp.pbz>
Subject: Delivery failure to <sumer_tilmac at myrealbox.com> ...
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; 
boundary="surge_1132442649_serverlogistics.com"
X-Server: High Performance Mail Server - http://surgemail.com r=-1195071323
Message-ID: <1132442649_3371 at osiris.serverlogistics.com>
X-Rcpt-To: <sumer at sumertilmac.com>

When trying to deliver your message, the mail server at 
serverlogistics.com encountered
problems with the following addresses:

For <sumer_tilmac at myrealbox.com>, Open Error 0sec (553 Your IP address 
67.43.163.77 is blackholed by bl.spamcop.net. Please see 
http://spamcop.net/w3m?action=checkblock&ip=67.43.163.77)

For a more detailed explanation see 
http://netwinsite.com/surgemail/deliver_failed.htm

Reporting-MTA: dns; serverlogistics.com
____

OK now I understand what happened! It is the worst thing that can ever 
happen. I had a mail for him from Novell Myrealbox before. I somehow 
enabled

"When this account receives an incoming email, send a notification 
email to the address below:"

to his myrealbox account. So, when he gets mail, a notification is sent to 
myrealbox, myrealbox bounces the mail to his mail.... Bah, endless cycle.

What prevented me from figuring it out is, even Eudora lost its mind 
while trying to get/cache 12000 mails.

I will notify serverlogistics admin about this amazing possibility. 
Looks like it is serverlogistics flooding its own customer.

Thank you Mike for waking me up! I was about to take down the site as I 
suspected the PHP mail form was hacked or something!

Really thanks

Ilgaz


> 
>> The link given in "bounce" mail is:
>> 
>> http://www.spamcop.net/w3m?action=checkblock&ip=67.43.163.77
> 
> It is bad for the server to be so listed:
> 
> 67.43.163.77 listed in bl.spamcop.net
> SpamCop users have reported system
> delisted automatically in approximately 1 hours
> System has been listed for less than 24 hours
> 
> Reporter listing a server is suspicious for a bad reporter reporting hir
> own server.

So is it normal to get that mail to a normal user (not even 
postmaster at sumertilmac.com) as admin of entire serverlogistics?

> 
>> It is "shared hosting" from a known company that does Mac Xserve hosting
>> (www.serverlogistics.com ) , I don't think they are involved in spam
>> of any kind.
>> 
>> In any case, contact address should not be "him".
>> 
>> I have no clue what is happening. Some endless cycle?
>> 
>> I just woke up so sorry if I missed some details and my English as
>> usual :)
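
The loop worked out in this post (a per-message notification is sent for a bounce, which bounces again) is the case the automatic-response rules in RFC 3834 address. The following is an added example, not part of the original post and not SurgeMail's code: a check a notification feature could run before sending, using constructed messages modelled on the pasted bounce; the `example` addresses and all function names are assumptions.

```python
from email import message_from_string
from email.message import EmailMessage, Message

def auto_generated_reasons(msg: Message) -> list:
    """Return the reasons a message looks machine-generated (empty list = none)."""
    reasons = []
    # Bounces (DSNs) carry a null reverse-path, recorded as "Return-Path: <>".
    if (msg.get("Return-Path") or "").strip() == "<>":
        reasons.append("null Return-Path")
    # RFC 3834: any Auto-Submitted value other than "no" marks automatic mail.
    auto = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    if auto != "no":
        reasons.append("Auto-Submitted: " + auto)
    # Delivery status notifications use the multipart/report content type.
    if msg.get_content_type() == "multipart/report":
        reasons.append("multipart/report")
    # Vendor header present in the bounce pasted in the post.
    if msg.get("X-AutoResponder"):
        reasons.append("X-AutoResponder")
    return reasons

def should_notify(raw: str) -> bool:
    """Send a 'new mail arrived' notification only for non-automatic mail."""
    return not auto_generated_reasons(message_from_string(raw))

def make_notification(to_addr: str, subject: str) -> str:
    """Label our own notification as automatic so other systems can skip it."""
    note = EmailMessage()
    note["From"] = "notifier@hosting.example"  # assumed sender address
    note["To"] = to_addr
    note["Subject"] = "New mail: " + subject
    note["Auto-Submitted"] = "auto-generated"
    note.set_content("A new message has arrived in your mailbox.")
    return note.as_string()

# Constructed samples (not real traffic); BOUNCE is modelled on the pasted DSN.
BOUNCE = """\
Return-Path: <>
From: "Mail Delivery Subsystem" <postmaster@hosting.example>
X-AutoResponder: mailer-daemon
Subject: Delivery failure to <user@freemail.example> ...
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

553 Your IP address is blackholed
"""
NORMAL = "Return-Path: <friend@freemail.example>\nSubject: lunch?\n\nSee you.\n"

if __name__ == "__main__":
    for name, raw in (("bounce", BOUNCE), ("normal", NORMAL)):
        print(name, "notify" if should_notify(raw) else "suppress")
```

With this check the bounce is suppressed instead of generating another notification, and the notification itself is marked so a receiver applying the same rule does not answer it.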



