[SpamCop-List] Re: Old E-Mail???
Mike Easter
MikeE at ster.invalid
Thu Dec 8 14:20:08 EST 2005
Robert Williams wrote:
>
> http://members.spamcop.net/sc?id=z838364690zf1b826e68318eb9ee341bae5588d527az
>
> This should give you some idea of what my headers normally look like.
Okey dokey thanks.
Oh, I see. You don't have anything to do with cleartel. I
misinterpreted something that SC said in the verbose^1 and tho't it
cleartel had something to do with you. It isn't the first time I have
misunderstood something SC sez about a mailhost.
^1 "Hostname verified: mail.cleartel.net"
In that case, I will revise my earlier abbreviated headers of the item
this all started with.
Abbreviated Received lines *comment
from mail.cleartel.net ([206.72.209.41]) by server1.DANJONENGINEERING.LOCAL *sourceline vs relay output
from [206.72.209.49] (helo=mail.4-serv.com) by mail.cleartel.net *timestamp 17d, bogushelo, ?bogusline vs sourceIP
from 4technology.net ([90.66.225.30]) by mwcp.4technology.net *bogusline
From a human parser's point of view, the notified source would be
albany.net for cleartel in any case, it is just a matter of whether you
want to say the source IP is the cleartel output server or a userIP
behind it.
The server IP is also listed in PSBL, which gives evidence which looks
like your spamitem, ie the same IP 'behind' the server and the same
'modus' of a bogus helo in that line.
http://psbl.surriel.com/evidence?ip=206.72.209.41&action=Check+evidence
I personally think the problem is an insecurity between 206.72.209.49 &
its server -- that the spam may be being injected at .49 and going out
thru' the server 'belatedly' [getting stuck there] and getting the
timestamp discrepancy.
The other possibility is that the server is insecure and the timestamp
problem line is bogus. It is worse for the server to be listed than the
user IP, because the server is the #1 output server for the cleartel.
--
Mike Easter
kibitzer, not SC admin
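
The walk through the Received lines described in the post can be mechanised. This is an added example, not part of the original post and not SpamCop's parser: it uses the hosts and IPs quoted above with constructed timestamps, the function names are hypothetical, and the rule that a line's "by" host must equal the name the line above gives for its sender is a simplifying assumption.

```python
import re
from datetime import timedelta
from email.utils import parsedate_to_datetime

# Constructed sample: hosts and IPs are those quoted in the post above; the
# timestamps are invented so that the second line shows the 17-day gap.
SAMPLE = [
    "from mail.cleartel.net ([206.72.209.41]) by server1.DANJONENGINEERING.LOCAL; Thu, 8 Dec 2005 09:00:00 -0500",
    "from [206.72.209.49] (helo=mail.4-serv.com) by mail.cleartel.net; Mon, 21 Nov 2005 09:00:00 -0500",
    "from 4technology.net ([90.66.225.30]) by mwcp.4technology.net; Mon, 21 Nov 2005 08:59:00 -0500",
]

def parse_hop(line):
    """Split one unfolded Received line into the fields the checks need."""
    body, sep, date = line.rpartition(";")
    if not sep:                      # no timestamp on this line
        body, date = line, ""
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", body)
    helo = re.search(r"helo=([^\s)]+)", body)
    frm = re.match(r"from\s+(\S+)", body)
    by = re.search(r"\bby\s+(\S+)", body)
    name = helo.group(1) if helo else (frm.group(1) if frm else "")
    return {
        "name": name.lower(),        # what the sender called itself
        "ip": ip.group(1) if ip else None,
        "by": by.group(1).lower() if by else "",
        "time": parsedate_to_datetime(date.strip()) if date.strip() else None,
    }

def analyze(lines, max_delay=timedelta(days=1)):
    """Walk the hops newest first; return (findings, IP on the last linked hop)."""
    hops = [parse_hop(l) for l in lines]
    findings, last_linked = [], 0
    for i in range(len(hops) - 1):
        upper, lower = hops[i], hops[i + 1]
        if upper["time"] and lower["time"] and upper["time"] - lower["time"] > max_delay:
            findings.append((i + 1, "delay", (upper["time"] - lower["time"]).days))
        # The host that wrote the lower line should be the one the upper line
        # names as its sender; otherwise the lower lines are unverifiable.
        if lower["by"] != upper["name"]:
            findings.append((i + 1, "chain-break", lower["by"]))
            break
        last_linked = i + 1
    return findings, hops[last_linked]["ip"]
```

On the sample, the second line is flagged for the delay and the third for the broken chain, leaving the IP recorded by mail.cleartel.net as the deepest address a trusted host vouched for; whether to report that address or the server in front of it remains the judgment call the post describes.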