[SpamCop-List] Re: Beware of MAILHOSTS !!!

Michael Lefevre michael.spamcop at michaellefevre.com
Sun Mar 21 22:39:28 EST 2004


Marjolein Katsma wrote:
> Michael Lefevre (michael.spamcop at michaellefevre.com) wrote in 
> news:c3kfe4$hct$1 at news.spamcop.net:
>>> Remember, we're talking about open proxies here. A report for an open
>>> proxy will go to the ISP that is the owner of that IP address - how
>>> can that be "the wrong place"? It's the *right* place! Whether or not
>>> it's listed yet, if an open proxy is used by a spammer to send the
>>> spam, then that's the only origin you can see, and it should be
>>> reported. The owner of that address is not "the wrong place".
>> 
>> Sorry - my wording was rather confusing. Assuming the header is
>> forged, the report for the open proxy won't go to the owner of the
>> proxy, it'll go to wherever the forgery points.
>
> Now you've thoroughly lost me. Just how can an open proxy be forged so 
> it "points to" a different owner?

The proxy doesn't add a received line of its own. The spammer can add a
fake line which makes it look as if the proxy is actually a relay - if
Spamcop is fooled by that, then it will trust the fake line and track
whatever IP is in that line.  If the forgery is good, there's no way that
a machine can tell it's a forgery - it can even be difficult for a human -
without knowing about the recipient's email setup.

>> At the same time, the proxy IP will be
>> submitted for testing, and after it gets listed, then the reports will
>> go to the provider of the proxy IP.
>
> OK, I thought I was lost but now I'm lost even more. How can the fact 
> that the open proxy is "listed" make it seem it has a different owner?

It doesn't. But the open proxy being listed will prevent Spamcop trusting
any fake lines claiming to be added by the proxy.

[snip]
> There is no reason I see that the system that *delivers* the mail to 
> "me" (any server I "use") is necessarily the *origin*. There can be 
> other servers in-between the origin and the delivering system.
>
> This sounds like a logic error to me that will lead to misreporting the 
> wrong "origin".

AIUI (and I'm only going by the stuff that's been posted here at various
times), it does indeed mean that the logic will change, and Spamcop won't
follow the trail back as far as it does currently. However, anything
before "you" (the recipient) will either be exploited proxies/relays, or
servers which the sender (or exploited user) is authorised to send
through.  Reporting either of those isn't wrong, but it is different.

-- 
Michael
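
Added example, not part of the original message and not SpamCop's actual parser: a simplified Python model of the two trust rules discussed in this thread, run over a constructed header pair in which an open proxy adds no Received line and the spammer supplies a forged one. The function names, the `mailhosts` and `listed_proxies` parameters, and all hostnames and addresses are assumptions made for illustration.

```python
import re

# Matches "from HELO (... [IP]) by HOST"; a simplified Received-line shape.
RECEIVED = re.compile(r"from\s+(\S+)\s+\(.*?\[([\d.]+)\]\)\s+by\s+(\S+)")

def parse(lines):
    """Return (helo, ip, by_host) tuples, newest hop first."""
    hops = []
    for line in lines:
        m = RECEIVED.search(line)
        if m:
            hops.append(m.groups())
    return hops

def find_source(lines, mailhosts=None, listed_proxies=frozenset()):
    """Walk Received lines from the top and return the IP to report.

    mailhosts=None models chain-following: a hop is believed when its
    "by" name equals the name the previous sender gave, unless that
    sender is a listed open proxy. With mailhosts set, a hop is believed
    only when its "by" host is one of the recipient's own servers.
    """
    hops = parse(lines)
    # Assumption: the top line was written by the recipient's own server.
    helo, source, _ = hops[0]
    for next_helo, next_ip, by_host in hops[1:]:
        if mailhosts is not None:
            trusted = by_host in mailhosts
        else:
            trusted = by_host == helo and source not in listed_proxies
        if not trusted:
            break  # everything below this point may be forged
        helo, source = next_helo, next_ip
    return source

# Constructed sample: 192.0.2.10 is an open proxy that adds no line of its
# own; the second line is a forgery inserted by the spammer.
SAMPLE = [
    "from relay.example.net (unknown [192.0.2.10]) by mx.recipient.example with ESMTP",
    "from innocent.example.org (innocent.example.org [203.0.113.77]) by relay.example.net with SMTP",
]
```

With no listing and no mailhosts the forged line is followed to 203.0.113.77; listing the proxy or supplying the recipient's mailhosts stops the walk at 192.0.2.10.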

