[SC-Help] Re: Question on mail forwarding , 1 of 2
Mike Easter
MikeE at ster.invalid
Mon May 15 15:10:53 EDT 2006
Tim Wayne wrote:
> Question: what am I doing wrong?
Here's another way of saying what's wrong, using my Abbreviated Received
tracelines display style:
Abbreviated Received tracelines *comment
from (sc-smtp2-bulkmx.soma.ironport.com [204.15.82.125]) by sc-app1.soma.ironport.com *spamcop
from studio321.studio32.com ([128.121.51.87]) by sc-smtp2-bulkmx.soma.ironport.com *you to SC
from yahoo.no ([219.155.31.145]) by studio321.studio32.com *sourceline
from unknown (HELO nntp.pinxodet.net) by smtp-server1.cfdenselr.com *bogusline
from unknown (HELO mail.gimmicc.net) by mx.reskind.net *bogusline
If you like, imagine that the headerlines are numbered 1-5 from top to
bottom.
The spammer created the 2 boguslines 4 & 5 and then injected the item at
the abused proxy 219.155.31.145 calling itself yahoo.no and aimed it at
a hisnameistimmy addy, which MX is 128.121.51.87 rDNS
studio321.studio32.com. That MX received the item in line 3 and
forwarded it to the ironport server using your submit address which
received it in line 2.
The result of that mailhandling is that there is a single set of headers
from the spamsource to the ironport server. That is not the normal
condition of spam which is sent to a submit address. The normal
condition is that the submit for a single spam consists of several
parts.
- the headers from your mailuser agent to the ironport server
- a non-existent body consisting of an empty line
- a MIME attachment structure delimiter
- the headers from the spamsource to your mailbox
- the body of the spam, which might have additional MIME structure
If someone submits multiple spams to the submit, the structure is more
complicated, with 1 iteration of the top 2 items and multiple iterations
of the last 3 items in the above - marked bullets.
In any case, the first thing the parser does is subtract the top 3
bullet items above before it begins the parse on the spam headers.
> Or, is my assumption that Spamcop
> can accept forwards wrong?
Yes.
> Or should my server be set to configure
> forwards in a particular way so that they are spamcop friendly?
I would guess that it would not be possible to configure your forwards
to match the parser's behavior. If you had a spamcop address to receive
forwards, that address could be used to handle spam.
You could also simply forward the junk mail by forwarding as attachment,
like everyone else.
--
Mike Easter
kibitzer, not SC admin
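
The submission structure described in the post, as an added example that is not part of the original message and is not SpamCop's parser: it separates the outer Received set from the Received set of each attached spam, and shows that an inline forward leaves nothing to parse once the outer headers are removed. The reporter address, submit address, MUA host and MIME boundary are constructed; the spam tracelines reuse the abbreviated ones quoted above.

```python
from email import message_from_string, policy

# Constructed spam headers, abbreviated as in the post.
SPAM = ("Received: from yahoo.no ([219.155.31.145]) by studio321.studio32.com\n"
        "Received: from unknown (HELO nntp.pinxodet.net) by smtp-server1.cfdenselr.com\n"
        "Subject: constructed spam\n\nspam body\n")

# Constructed outer headers: reporter's mail user agent to the submit server.
OUTER = ("From: reporter@example.org\nTo: submit@example.net\n"
         "MIME-Version: 1.0\n"
         'Content-Type: multipart/mixed; boundary="BOUND"\n'
         "Received: from mua.example.org ([192.0.2.10]) "
         "by sc-smtp2-bulkmx.soma.ironport.com\n")

# Inline forward: the MX hop is prepended and there is one header set only.
INLINE = ("Received: from studio321.studio32.com ([128.121.51.87]) "
          "by sc-smtp2-bulkmx.soma.ironport.com\n" + SPAM)


def as_attachment(*spams):
    """Outer headers, empty body, then one message/rfc822 part per spam."""
    parts = "".join("--BOUND\nContent-Type: message/rfc822\n\n" + s for s in spams)
    return OUTER + "\n" + parts + "--BOUND--\n"


def received(msg):
    """Received lines of one header set, whitespace-normalised."""
    return [" ".join(r.split()) for r in msg.get_all("Received", [])]


def split_submission(raw):
    """Return (outer Received lines, one Received list per attached spam)."""
    msg = message_from_string(raw, policy=policy.default)
    inner = [received(p.get_payload(0)) for p in msg.walk()
             if p.get_content_type() == "message/rfc822" and p.is_multipart()]
    return received(msg), inner


if __name__ == "__main__":
    for name, raw in (("as attachment", as_attachment(SPAM)),
                      ("two attached", as_attachment(SPAM, SPAM)),
                      ("inline forward", INLINE)):
        outer, inner = split_submission(raw)
        print(f"{name}: {len(outer)} outer line(s), {len(inner)} spam header set(s)")
        for hdrs in inner:
            print("   source line:", hdrs[0])
```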