[SpamCop-List] Re: Spam from 195.159.7.12
Mike Easter
MikeE at ster.invalid
Wed Feb 26 12:31:01 EST 2003
"Doffen"
> The owner of 195.159.7.12 insist that he is not the sender of this spam.
Is
> that possible?
I'm too lazy to snip some of the things Jason said and I don't want to
post/copy so much stuff, so I'll just ramble on freestyle here.
Jason used an smtp relay tester [interesting tool, I'm gonna save it,
but...] but that relay tester doesn't actually do a "good" test, it just
uses a lot of strategies to give you a clue about how to get the relay to
relay for you. I use a different tester which uses less strategies, but
most importantly, actually gives you a chance to get a mail returned,
because if that doesn't happen, the relay isn't open. My test appeared to
relay, but no return as yet.
The story that I've snipped away is that 66.209.74.150 rDNS
lv.serverbox.net - iSparks / Power Pulse - appears to have relayed for
195.159.7.12 rDNS homer.idium.no - Idium / PowerTech - which one would
think it shouldn't. Neither are listed, serverbox not open smtp, nor
idium proxy. Testing: serverbox appears to relay, but no return. Idium
has an open port 80, hatcheck sez negative, apnet shows the proxy holds a
page, unclear if it is abusable.
So, altho' the results are fuzzy, I think idium's proxy got abused to
relay thru' serverbox. I would notify testers to check it out; ordb for
serverbox and monkeys for idium. So far my own testing is negative but
highly suspicious. The reading of the headers alone sez it happened that
way; we're just trying to figure out how.
My notifies would be abuse at isparks.com [possible open smtp]
abuse at powertech.no [possible open port 80 proxy].
--
Mike Easter
More information about the SpamCop-List
mailing list