[SpamCop-List]
Re: several ISPs used by the same spammer (in the mail route)
Mike Easter
MikeE at ster.invalid
Fri Apr 22 06:46:39 EDT 2005
Marinos J. Yannikos wrote:
> in this case:
It is better to post a tracker than partial headers. I don't ever
assume that the item we are talking about has been analyzed correctly;
and if the tracker isn't posted we can't see what SC did with it.
> a spammer sent e-mail from his access ISP (COLT) through one of his
> servers hosted at inode.at and then to us. The reporting web interface
> found only the administrators related to the COLT IP.
That's exactly the way it is supposed to work. That is, the parser is
designed to name the source and chain thru' the relays and feed the
relays to the relay testers.
When I report manually, if I think the relay needs to be notified
separately, then I do that manually. A paid SC reporter can SC report
an additional notified. I can't tell from the partial headers you
posted exactly what happened. That is, if it were really true that
213.185.164.132 rDNS 132-164-185-213.customer.coltnet.at were the source
and that 83.64.50.180 rDNS ns2.netkey.at were the relay, then the
relationship between those two, besides that they are both in .at, isn't
quite clear to me.
The 213 is colt which is AS8220 whose upstream adjacencies are AS513 &
4637 which are cern & reach -- whereas the 83 is inode netkey, which
doesn't seem the same to me, and it is AS8514. If I were doing that
manually, I would be notifying inode about the relay. There is a server
there, but it isn't listed as open anywhere -- so presumably it is
[supposed to be] serving the source 'appropriately'. If it isn't, it
needs to be notified and find out what is going on.
SC doesn't figure all of that out.
--
Mike Easter
kibitzer, not SC admin
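The chain-walking the post describes (name the source, chain through the relays, stop trusting headers once the handoff no longer lines up), as an added example that is not SpamCop's parser and not part of the original post; the sample headers are constructed around the two .at hosts from the thread, and mx.example.org, the ESMTP ids and the final forged hop are hypothetical:

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample modelled on the route the post describes (COLT customer
# IP -> server hosted at inode -> recipient).  mx.example.org, the ESMTP ids
# and the final forged hop are hypothetical; the two .at hosts are from the post.
RAW_MESSAGE = """\
Received: from ns2.netkey.at (ns2.netkey.at [83.64.50.180])
  by mx.example.org (Postfix) with ESMTP id HYPOTHETICAL1
  for <user@example.org>; Fri, 22 Apr 2005 10:01:02 +0200
Received: from 132-164-185-213.customer.coltnet.at (132-164-185-213.customer.coltnet.at [213.185.164.132])
  by ns2.netkey.at with ESMTP id HYPOTHETICAL2; Fri, 22 Apr 2005 10:00:55 +0200
Received: from localhost (forged.invalid [10.0.0.1])
  by somewhere.invalid with SMTP; Fri, 22 Apr 2005 09:59:00 +0200
From: sender@example.net
Subject: constructed sample

body
"""

# "from <helo> (<rdns> [<ip>]) by <host>"; the rDNS name is optional in the wild.
HOP_RE = re.compile(
    r"from\s+(\S+)\s+\((?:[^\s\[\]]+\s+)?\[(\d{1,3}(?:\.\d{1,3}){3})\]\)\s+by\s+(\S+)")

def parse_hops(raw):
    """Return (from_name, from_ip, by_host) per Received header, newest first."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(str(value).split()))
        if m:
            hops.append(m.groups())
    return hops

def chain_received(raw, trusted_mx):
    """Walk from our own MX back until a header's 'by' host no longer matches the
    sender named by the header above it.  The last trusted sending IP is the
    source; earlier public IPs are relays.  Anything below the break is ignored,
    since a sender can prepend any Received lines it likes."""
    hops = parse_hops(raw)
    if not hops or hops[0][2].lower() != trusted_mx.lower():
        return None  # top header was not written by our MX: refuse to guess
    source, relays, expected_by = None, [], trusted_mx
    for from_name, from_ip, by_host in hops:
        if by_host.lower() != expected_by.lower():
            break  # chain inconsistent: stop trusting headers here
        if ipaddress.ip_address(from_ip).is_global:  # skip internal handoffs
            if source is not None:
                relays.append(source)
            source = from_ip
        expected_by = from_name
    return {"source": source, "relays": relays}
```

Run against the constructed sample, the COLT address comes out as the source and the inode-hosted server as the relay, while the forged hop below them is never trusted.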