Andrew, thanks for the input and your time to respond.  Confirms what I
thought. :)


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Thursday, July 21, 2005 6:37 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Who is the "real" connecting server?
(Headers vs Spamcop)


Well, you're reading the report correctly.

Yes, the server that sent you the mail was indeed Yahoo.  Note the SpamCop
report line that says "relay trusted"... They are skipping that hop because
they trust that relay.

Your Declude configuration has no idea what SpamCop's opinion is, so it
applies the counterweight from the IP belonging to Yahoo.

The SpamCop report then goes on to examine the next hop, which is the
broadband IP that originated the spam, and they have an abuse address, so a
report is sent there.

Should SpamCop send a report to Yahoo about somebody abusing their relay,
which presumably requires authentication?  You think so, and I think so.
SpamCop apparently doesn't think so.

I know that complaints to Yahoo about their relays are practically a lost
cause.  You should try taking it directly to them anyway.

As for leaning on SpamCop, you'd have to take this issue to the SpamCop
forum, or send a support email to one of the deputies.

If this is going to be a configuration problem for you, then either lower
your Yahoo counterweight, or create a "combo test" that only counterweights
Yahoo if the mailfrom address is also from Yahoo, e.g. something basic like:

MAILFROM END NOTCONTAINS @yahoo
REVDNS    -5 CONTAINS    .yahoo.

The test details could certainly be much more ornate; I won't make any
claims that Yahoo has well-formed reverse DNS names, nor whether valid mail
comes from Yahoo partners through their servers that ought to be
counterweighted too.

Andrew 8)


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Erik
Sent: Wednesday, July 20, 2005 8:59 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Who is the "real" connecting server? (Headers vs
Spamcop)

Can someone help me explain this.  Why does Imail/Declude report YAHOO as
the receiving server when SPAMCOP ignores Yahoo as the receiving server?  We
add a negative weight from Yahoo REVDNS.  Should SPAMCOP also "abuse" to
Yahoo?  Or do I not fully understand?  Imail log DOES show 66.163.175.81 as
the connecting server (Yahoo).  Shouldn't the abuse really be sent to Yahoo
since it comes from their server (from our logs)?

Erik



EMAIL HEADERS:
------------------------------------------------------------
Received: from smtp004.bizmail.sc5.yahoo.com [66.163.175.81] by
mail.montananetwork.net
  (SMTPD-8.20) id A5E40300; Wed, 20 Jul 2005 21:26:28 -0600
Received: (qmail 37210 invoked from network); 21 Jul 2005 03:26:27 -0000
Received: from unknown (HELO User) ([EMAIL PROTECTED]@70.245.85.9 with
login)
  by smtp004.bizmail.sc5.yahoo.com with SMTP; 21 Jul 2005 03:26:26 -0000
Reply-To: <[EMAIL PROTECTED]>
From: "PayPal"<[EMAIL PROTECTED]>
Subject: Unauthorized access to your PayPal account !
Date: Wed, 20 Jul 2005 22:26:16 -0500
MIME-Version: 1.0
Content-Type: text/html;
        charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Message-Id: <[EMAIL PROTECTED]>
X-RBL-Warning: MN-WHITELIST: Message failed MN-WHITELIST test (line 21,
weight -50)
X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail
detected.
X-RBL-Warning: NOABUSE: "Not supporting [EMAIL PROTECTED]"
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client
[c400120a].
X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam
[c400120a].
X-RBL-Warning: SPAMDOMAINS: Spamdomain '@paypal.com' found: Address of
[EMAIL PROTECTED] sent from invalid smtp004.bizmail.sc5.yahoo.com.
X-RBL-Warning: SPAMCHK: Message failed SPAMCHK: 10.
X-MN: ============================================
X-MN: Scanned for viruses and weighted for SPAM
X-MN: Scan Time: 21:26:33 on 20 Jul 2005
X-MN: Spool File: D15E401AD0000093A.SMD
X-MN: ============================================
X-MN: Failed Tests:
X-MN: MN-WHITELIST, NOLEGITCONTENT, NOABUSE, BADHEADERS, SPAMHEADERS,
SPAMDOMAINS, SPAMCHK
X-MN: ============================================
X-MN: Receiving Server: mail.montananetwork.net
X-MN: Spam Score: 57
X-MN: SMTP Sender: [EMAIL PROTECTED]
X-MN: Recipients: X
X-MN: Country Chain: UNITED STATES->destination
X-MN: Sent from: smtp004.bizmail.sc5.yahoo.com ([66.163.175.81])
X-MN: ============================================
Status: R
X-UIDL: 419936643
X-IMail-ThreadID: 15e401ad0000093a


SPAMCOP REPORTS:
-------------------------------------------------------------------
Received:  from smtp004.bizmail.sc5.yahoo.com [66.163.175.81] by
mail.montananetwork.net (SMTPD-8.20) id A5E40300; Wed, 20 Jul 2005 21:26:28
-0600 66.163.175.81 found host 66.163.175.81 = smtp004.bizmail.sc5.yahoo.com
(cached) smtp004.bizmail.sc5.yahoo.com is 66.163.175.81 Possible spammer:
66.163.175.81 Received line accepted Relay trusted (66.163.175.81
bizmail.sc5.yahoo.com)


Received:  (qmail 37210 invoked from network); 21 Jul 2005 03:26:27 -0000
Ignored


Received:  from unknown (HELO User) ([EMAIL PROTECTED]@70.245.85.9 with
login) by smtp004.bizmail.sc5.yahoo.com with SMTP; 21 Jul 2005 03:26:26
-0000 70.245.85.9 found host 70.245.85.9 =
adsl-70-245-85-9.dsl.hstntx.swbell.net (cached)
adsl-70-245-85-9.dsl.hstntx.swbell.net is 70.245.85.9 Possible spammer:
70.245.85.9 Possible relay: 66.163.175.81 66.163.175.81 not listed in
relays.ordb.org. 66.163.175.81 has already been sent to relay testers
Received line accepted

Tracking message source: 70.245.85.9:
Routing details for 70.245.85.9
[refresh/show] Cached whois for 70.245.85.9 : [EMAIL PROTECTED] Using
abuse net on [EMAIL PROTECTED] abuse net sbcglobal.net =
[EMAIL PROTECTED] Using best contacts [EMAIL PROTECTED]

Yum, this spam is fresh!
Message is 0 hours old
70.245.85.9 not listed in dnsbl.njabl.org
70.245.85.9 not listed in dnsbl.njabl.org
70.245.85.9 not listed in cbl.abuseat.org
70.245.85.9 not listed in dnsbl.sorbs.net
70.245.85.9 not listed in relays.ordb.org.
70.245.85.9 not listed in accredit.habeas.com
70.245.85.9 not listed in plus.bondedsender.org
70.245.85.9 not listed in iadb.isipp.com

Finding links in message body
Parsing HTML part

Resolving link obfuscation
http://larry.clsnp.edu.hk/~larry/uit/.ssls/user_data_login_account_secur
e_en
cryption_ssl_user_signin_online_login/index.htm
   host larry.clsnp.edu.hk (checking ip) = 210.0.178.155
   host 210.0.178.155 (getting name) no name

Tracking link:
http://larry.clsnp.edu.hk/~larry/uit/.ssls/user_data_login_account_secur
e_en
cryption_ssl_user_signin_online_login/index.htm
[report history]
Resolves to 210.0.178.155
Routing details for 210.0.178.155
[refresh/show] Cached whois for 210.0.178.155 : [EMAIL PROTECTED]
[EMAIL PROTECTED] Using abuse net on [EMAIL PROTECTED] abuse net
hgc.com.hk = [EMAIL PROTECTED] Using abuse net on
[EMAIL PROTECTED] abuse net hgcbroadband.com = [EMAIL PROTECTED]
Using best contacts [EMAIL PROTECTED]

Reports regarding this spam have already been sent:
Re: 70.245.85.9 (Silent report about source of mail)
   Reportid: 1472550866 To: [EMAIL PROTECTED]
Re: http://larry.clsnp.edu.hk/~larry/uit/.ssls/user_data_login_account_secur
e_en
cryption_ssl_user_signin_online_login/index.htm (Silent report about
spamvertisement)
   Reportid: 1472550873 To: [EMAIL PROTECTED]

If reported today, reports would be sent to:
Re: 70.245.85.9 (Administrator of network where email originates)

[EMAIL PROTECTED] 

Re: 70.245.85.9 (Third party interested in email source)

[EMAIL PROTECTED] 

Re: http://larry.clsnp.edu.hk/~larry/uit/.ssls/user... (Administrator of
network hosting website referenced in spam)

[EMAIL PROTECTED]

---
This E-mail came from the Declude.JunkMail mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe
Declude.JunkMail".  The archives can be found at
http://www.mail-archive.com.
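
Added example, not part of the original thread or of Declude/SpamCop: a Python sketch of why the two tools name different servers, walking the Received lines posted above with and without a trusted-relay list, plus the combo-test idea from Andrew's reply. The rDNS table, the function names and the sample MAIL FROM addresses are assumptions made for illustration.

```python
import re

# Received lines from the headers posted above, unfolded, newest hop first.
RECEIVED = [
    "from smtp004.bizmail.sc5.yahoo.com [66.163.175.81] by mail.montananetwork.net"
    " (SMTPD-8.20) id A5E40300; Wed, 20 Jul 2005 21:26:28 -0600",
    "(qmail 37210 invoked from network); 21 Jul 2005 03:26:27 -0000",
    "from unknown (HELO User) ([EMAIL PROTECTED]@70.245.85.9 with login)"
    " by smtp004.bizmail.sc5.yahoo.com with SMTP; 21 Jul 2005 03:26:26 -0000",
]
# Reverse DNS as shown in the SpamCop report; stands in for a live PTR lookup.
RDNS = {
    "66.163.175.81": "smtp004.bizmail.sc5.yahoo.com",
    "70.245.85.9": "adsl-70-245-85-9.dsl.hstntx.swbell.net",
}
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")
BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")


def parse_hop(line):
    """Return (peer_ip, writing_host), or None for a line with no network peer."""
    head = line.split(";")[0]
    ip, by = IPV4.search(head), BY_HOST.search(head)
    if not line.startswith("from ") or not ip or not by:
        return None
    return ip.group(0), by.group(1).lower()


def trace_source(received, my_host, trusted_suffixes=()):
    """Walk hops newest-first; return the last IP vouched for by a trusted writer."""
    writer, source = my_host.lower(), None
    for line in received:
        hop = parse_hop(line)
        if hop is None:
            continue                      # local handoff, e.g. the qmail line
        peer_ip, by_host = hop
        if by_host != writer:
            break                         # written by an untrusted host: may be forged
        source = peer_ip
        peer_name = RDNS.get(peer_ip, "")
        if not peer_name.endswith(tuple(trusted_suffixes)):
            break                         # peer is not a trusted relay: this is the source
        writer = peer_name
    return source


def yahoo_counterweight(mailfrom, revdns, weight=-5):
    """Combo idea from the reply: credit Yahoo rDNS only when MAIL FROM is Yahoo too."""
    if "@yahoo" not in mailfrom.lower():
        return 0
    return weight if ".yahoo." in revdns.lower() else 0
```

With no trusted relays the walk stops at the connecting server, 66.163.175.81, which is what Imail/Declude weighs; with `.bizmail.sc5.yahoo.com` trusted it continues to 70.245.85.9, the address SpamCop reports.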