Re: [Declude.JunkMail] SpamRouting Broken?

2004-04-06 Thread R. Scott Perry

>Then, does %countrychain% get its info from a different, more correct
>source?  It showed Chile in the flow.

That is correct.

The ROUTING test works regardless of whether you have the all_list.dat file 
that is required for the IP->country translation, and as a result, doesn't 
use data that is as accurate.  On the other hand, if the ROUTING test were 
to use the IP->country data, it would have more false positives (for 
example, a company in France that has an office in Germany might get caught 
by the test, whereas it would not given the current setup).

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
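
The trade-off described in this reply, as an added example (not code from the thread and not Declude's implementation): the same relay path is scored once by registry area and once by country. The lookup table, the detour rule, the `/32` entry and the French/German office path are assumptions constructed for illustration; the two relay IPs and the Chilean `/19` come from the thread.

```python
import ipaddress

# Constructed lookup table (an assumption, not Declude's data). "area" is the
# registry a block was first registered through; "country" is who uses it now.
TABLE = [
    ("216.65.3.237/32", "ARIN", "UNITED STATES"),
    ("164.77.32.0/19",  "ARIN", "CHILE"),    # early registration, since transferred to LACNIC
    ("192.0.2.0/24",    "RIPE", "FRANCE"),   # documentation range: hypothetical French office
    ("198.51.100.0/24", "RIPE", "GERMANY"),  # documentation range: hypothetical German office
]
NETS = [(ipaddress.ip_network(cidr), {"area": a, "country": c}) for cidr, a, c in TABLE]

def lookup(ip, field):
    """Return the 'area' or 'country' of the first table entry containing ip."""
    addr = ipaddress.ip_address(ip)
    for net, info in NETS:
        if addr in net:
            return info[field]
    return "UNKNOWN"

def country_chain(hops):
    """Render the relay path in the style of the X-Note origin-country line."""
    return "->".join([lookup(ip, "country") for ip in hops] + ["destination"])

def detour_hops(hops, dest_value, field):
    """Assumed rule: a relay is a detour when its area/country matches
    neither the first hop's nor the destination's."""
    origin = lookup(hops[0], field)
    return [ip for ip in hops[1:] if lookup(ip, field) not in (origin, dest_value)]

SPAM_PATH = ["216.65.3.237", "164.77.48.71"]    # relay IPs from the thread, oldest first
OFFICE_PATH = ["192.0.2.10", "198.51.100.20"]   # constructed: French sender via German office

if __name__ == "__main__":
    print(country_chain(SPAM_PATH))
    for name, path in (("spam", SPAM_PATH), ("office", OFFICE_PATH)):
        print(name, "by area:", detour_hops(path, "ARIN", "area"),
              "by country:", detour_hops(path, "UNITED STATES", "country"))
```

Scored by area, neither path contains a detour, which is why the spam passed the ROUTING test; scored by country, the Chilean relay is caught, but so is the legitimate German office hop.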


Re: [Declude.JunkMail] SpamRouting Broken?

2004-04-06 Thread Don Brown
Then, does %countrychain% get its info from a different, more correct
source?  It showed Chile in the flow.


Tuesday, April 6, 2004, 3:29:35 PM, R. Scott Perry <[EMAIL PROTECTED]> wrote:

>>RSP> It went from 216.65.3.237 to 164.77.48.71 to your mailserver.  Both those
>>RSP> IPs are from North America, so the ROUTING test does not get triggered.
>>
>>However, when I just did an ARIN lookup on 164.77.48.71, it says that
>>IP belongs to LACNIC. A LACNIC lookup says the IP is located in Chile.
>>So, the spamrouting test should have failed, right?

RSP> Actually, what is happening here is that the IP was originally registered 
RSP> through ARIN, and only recently switched to use LACNIC.  In general, the 
RSP> ROUTING test tries to determine whether the IP was registered to ARIN, 
RSP> APNIC, or RIPE, and works on those three large areas.

RSP> -Scott

Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
PGP Key ID: 04C99A55  (972) 788-2364  Fax: (972) 788-5049
Providing Internet Solutions Worldwide - An eDataWeb Affiliate




Re: [Declude.JunkMail] SpamRouting Broken?

2004-04-06 Thread R. Scott Perry

>RSP> It went from 216.65.3.237 to 164.77.48.71 to your mailserver.  Both those
>RSP> IPs are from North America, so the ROUTING test does not get triggered.
>
>However, when I just did an ARIN lookup on 164.77.48.71, it says that
>IP belongs to LACNIC. A LACNIC lookup says the IP is located in Chile.
>So, the spamrouting test should have failed, right?

Actually, what is happening here is that the IP was originally registered 
through ARIN, and only recently switched to use LACNIC.  In general, the 
ROUTING test tries to determine whether the IP was registered to ARIN, 
APNIC, or RIPE, and works on those three large areas.

   -Scott


Re: [Declude.JunkMail] SpamRouting Broken?

2004-04-06 Thread Don Brown
>>It looks to me like this e-mail should have failed SpamRouting, but it
>>passed.  Declude headers show it was routed US--->Chile-->Destination (US).
>>Using  Pro ver 1.78i31, but upgrading to 1.79 beta momentarily.
>>
>>Received: from dutch-courage.com [164.77.48.71] by inetconcepts.net
>>   (SMTPD32-8.05) id AB8A21703BC; Tue, 06 Apr 2004 11:32:10 -0500
>>Received: from chicky-babe.com (mail4.surgeweb.com [216.65.3.237])
>> by dutch-courage.com (Postfix) with ESMTP id 6246E890F3
>> for <[EMAIL PROTECTED]>; Tue, 06 Apr 2004 08:31:24 -0700

Tuesday, April 6, 2004, 12:05:26 PM, R. Scott Perry <[EMAIL PROTECTED]> wrote:
RSP> It went from 216.65.3.237 to 164.77.48.71 to your mailserver.  Both those
RSP> IPs are from North America, so the ROUTING test does not get triggered.

RSP> -Scott

I didn't check the IP numbers because the %COUNTRYCHAIN% showed:
  "X-Note: Origin Country - UNITED STATES->CHILE->destination."

However, when I just did an ARIN lookup on 164.77.48.71, it says that
IP belongs to LACNIC. A LACNIC lookup says the IP is located in Chile.
So, the spamrouting test should have failed, right?

The output from both lookups is below.

Thanks,

[Query: 164.77.48.71, Server: whois.arin.net]
OrgName:Latin American and Caribbean IP address Regional Registry
OrgID:  LACNIC
Address:Potosi 1517
City:   Montevideo
StateProv:  
PostalCode: 11500
Country:UY

ReferralServer: whois://whois.lacnic.net

NetRange:   164.77.0.0 - 164.77.255.255 
CIDR:   164.77.0.0/16 
NetName:LACNIC-ERX-164-77-0-0
NetHandle:  NET-164-77-0-0-1
Parent: NET-164-0-0-0-0
NetType:Early Registrations, Transferred to LACNIC
Comment:This IP address range is under LACNIC responsibility
Comment:for further allocations to users in LACNIC region.
Comment:Please see http://www.lacnic.net/ for further details,
Comment:or check the WHOIS server located at whois.lacnic.net
RegDate:2003-07-23
Updated:2003-08-06

OrgTechHandle: LACNIC-ARIN
OrgTechName:   LACNIC Hostmaster 
OrgTechPhone:  (+55) 11 5509-3522
OrgTechEmail:  [EMAIL PROTECTED]

# ARIN WHOIS database, last updated 2004-04-05 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.
[End of Data]

-

inetnum: 164.77.32/19
status:  reallocated
owner:   ENTEL CHILE S.A.
ownerid: CL-ECSA6-LACNIC
address: Av. Andres Bello 2687, Piso 9
address: Santiago,
country: CL
owner-c: LE89-ARIN
remarks: Reassignment information for this block can be found at rs.entelchile.net
created: 20010410
changed: 20010926
inetnum-up:  164.77/16
source:  ARIN-LACNIC-TRANSITION

nic-hdl: LE89-ARIN
person:  Luis Espinoza
e-mail:  [EMAIL PROTECTED]
address: Entel Chile S.A.
address: Amunategui 20, Piso 14
address: Santiago, Chile
country: CL
phone:   562-360-2663
source:  ARIN-LACNIC-TRANSITION


Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
PGP Key ID: 04C99A55  (972) 788-2364  Fax: (972) 788-5049
Providing Internet Solutions Worldwide - An eDataWeb Affiliate




Re: [Declude.JunkMail] SpamRouting Broken?

2004-04-06 Thread R. Scott Perry

>It looks to me like this e-mail should have failed SpamRouting, but it
>passed.  Declude headers show it was routed US--->Chile-->Destination (US).
>Using  Pro ver 1.78i31, but upgrading to 1.79 beta momentarily.
>
>Received: from dutch-courage.com [164.77.48.71] by inetconcepts.net
>   (SMTPD32-8.05) id AB8A21703BC; Tue, 06 Apr 2004 11:32:10 -0500
>Received: from chicky-babe.com (mail4.surgeweb.com [216.65.3.237])
> by dutch-courage.com (Postfix) with ESMTP id 6246E890F3
> for <[EMAIL PROTECTED]>; Tue, 06 Apr 2004 08:31:24 -0700

It went from 216.65.3.237 to 164.77.48.71 to your mailserver.  Both those 
IPs are from North America, so the ROUTING test does not get triggered.

   -Scott


[Declude.JunkMail] SpamRouting Broken?

2004-04-06 Thread Don Brown
It looks to me like this e-mail should have failed SpamRouting, but it
passed.  Declude headers show it was routed US--->Chile-->Destination (US).
Using  Pro ver 1.78i31, but upgrading to 1.79 beta momentarily.

Received: from SMTP32-FWD by inetconcepts.net
  (SMTP32) id A07AC9635; Tue,  6 Apr 2004 11:32:55 -0500
Received: from dutch-courage.com [164.77.48.71] by inetconcepts.net
  (SMTPD32-8.05) id AB8A21703BC; Tue, 06 Apr 2004 11:32:10 -0500
Received: from chicky-babe.com (mail4.surgeweb.com [216.65.3.237])
by dutch-courage.com (Postfix) with ESMTP id 6246E890F3
for <[EMAIL PROTECTED]>; Tue, 06 Apr 2004 08:31:24 -0700
Message-ID: <[EMAIL PROTECTED]>
From: "Coagulate F. Giraffes" <[EMAIL PROTECTED]>
To: Websites <[EMAIL PROTECTED]>
Subject: Biggest medication site on net, Websites. Best offers for you!
Date: Tue, 06 Apr 2004 08:31:24 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="=_NextPart_000_0035_F284D45F.DDA9D0F6"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2720.3000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1081
X-Declude-Sender: [EMAIL PROTECTED] [164.77.48.71]
X-Declude-Spoolname: Ddb8a021703bc4a41.SMD
X-Note: This E-mail was sent from [No Reverse DNS] ([164.77.48.71]).
X-Note: The Server Helo Handshake was dutch-courage.com.
X-Note: Mail-From singer.chicky-babe.com.
X-Note: Mail-From for Spam Reporting is [EMAIL PROTECTED]
X-Note: Initial Recipients: [EMAIL PROTECTED]
X-Note: Final Recipients: [EMAIL PROTECTED]
X-Note: Origin Country - UNITED STATES->CHILE->destination.
X-Note: Failed: REVDNS [1], IPNOTINMX [1], FILT-COUNTRY [1], FILT-FREEMAIL [2].
X-Note: Total Failed Weight: 5.
X-Note: Checked for SPAM and Viruses by Internet Concepts - 
http://www.inetconcepts.net.
Status: U
X-UIDL: 369013565



Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
PGP Key ID: 04C99A55  (972) 788-2364  Fax: (972) 788-5049
Providing Internet Solutions Worldwide - An eDataWeb Affiliate




RE: [Declude.JunkMail] SPAMROUTING Broken

2001-12-17 Thread R. Scott Perry


>Here is the header. You'll notice - the mail came from the 10.x.x.x private
>address block. So THAT one should not count at all - it's their local LAN.

Declude does check for that...

>From there it went to their virus firewall at 194.127.224.201, which is a
>European Address Block - which happens to be EXACTLY where the sending
>domain "mainova.de" is located (last time I checked my American globe).
>
>So... why does SPAMROUTING fail?

It's a bug, that will be fixed in the next release.  I'll show you what 
happened:

>Received: from 10.129.1.101 by viruswall1 (InterScan E-Mail VirusWall
>NT);

This header type is only used by InterScan ("From IP.IP.IP.IP", which 
doesn't appear to be a valid header).  We added support for the Interscan 
header, but Declude was looking at it starting at the space after from, so 
it was looking at " 10.129.1.101" instead of "10.129.1.101".  The check for 
internal IPs (such as 10.x.x.x) saw the space instead of the "10", and 
didn't treat it as an internal IP.  So while Declude is correctly 
recognizing IPs in Interscan's headers, it isn't recognizing the internal 
IPs in their headers.

The next release will properly handle internal IPs in the headers that 
Interscan adds.
  -Scott

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .
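
The bug described in this reply, as an added example (not Declude's code): the hop token is sliced from an InterScan-style `Received:` header with and without the leading space, then passed to an internal-address check. The two headers are the ones quoted in this thread, unfolded onto one line each; the function names and the string-prefix check are assumptions made for illustration.

```python
import ipaddress
import re

# Received: headers from the message in this thread, newest first, unfolded.
RECEIVED = [
    "from viruswall1 [194.127.224.201] by hm-software.com (SMTPD32-7.04) "
    "id AED6427009E; Mon, 17 Dec 2001 09:19:02 -0500",
    "from 10.129.1.101 by viruswall1 (InterScan E-Mail VirusWall NT); "
    "Mon, 17 Dec 2001 15:20:40 +0100",
]
BRACKETED = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def hop_token(header, strip):
    """Sender token between 'from' and ' by '. strip=False models the bug:
    the slice starts at the space that follows 'from'."""
    raw = header[header.index("from") + len("from"):header.index(" by ")]
    match = BRACKETED.search(raw)
    if match:                       # usual "host [ip]" form
        return match.group(1)
    return raw.strip() if strip else raw   # InterScan "from ip" form

def is_internal_naive(token):
    """Assumed string-prefix check; any leading character defeats it."""
    return token.startswith(("10.", "192.168.", "127."))

def is_internal(token):
    """Normalise, parse, then let ipaddress decide; unparsable means not internal."""
    try:
        return ipaddress.ip_address(token.strip()).is_private
    except ValueError:
        return False

def public_hops(headers, strip, check):
    """Hops (oldest first) that a routing test would still count after filtering."""
    tokens = (hop_token(h, strip) for h in reversed(headers))
    return [t for t in tokens if not check(t)]

if __name__ == "__main__":
    print(public_hops(RECEIVED, strip=False, check=is_internal_naive))
    print(public_hops(RECEIVED, strip=True, check=is_internal_naive))
    print(public_hops(RECEIVED, strip=False, check=is_internal))
```

With the leading space kept, the LAN address survives the filter and is counted as a routing hop; trimming the token, or parsing it as an address before testing it, leaves only 194.127.224.201.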



RE: [Declude.JunkMail] SPAMROUTING Broken

2001-12-17 Thread Andy Schmidt

Haha - Scott - you know me better than trying a quick fix.

Here is the header. You'll notice - the mail came from the 10.x.x.x private
address block. So THAT one should not count at all - it's their local LAN.

From there it went to their virus firewall at 194.127.224.201, which is a
European Address Block - which happens to be EXACTLY where the sending
domain "mainova.de" is located (last time I checked my American globe).

So... why does SPAMROUTING fail?


Received: from viruswall1 [194.127.224.201] by hm-software.com
  (SMTPD32-7.04) id AED6427009E; Mon, 17 Dec 2001 09:19:02 -0500
Received: from 10.129.1.101 by viruswall1 (InterScan E-Mail VirusWall
NT);
Mon, 17 Dec 2001 15:20:40 +0100
To: Wolfgang Pissareck <[EMAIL PROTECTED]>
Subject: SPAM: [See Headers]  Ihr Konfigurationscode
=?iso-8859-1?Q?f=FCr_MF=2FES_?=
Message-ID: <[EMAIL PROTECTED]>
From: [EMAIL PROTECTED]
Date: Mon, 17 Dec 2001 15:18:20 +0100
X-MIMETrack: Serialize by Router on D2HUB01P/SRV/MAINOVA/DE(Release
5.0.9
|November 16, 2001) at
 17.12.2001 15:18:19
MIME-Version: 1.0
Content-type: text/plain; charset=iso-8859-1
Content-transfer-encoding: quoted-printable
X-RBL-WARNING: Suspected SPAM. This E-mail was routed in a poor manner
consistent with spam [2103].
X-Declude-Sender: [EMAIL PROTECTED] [194.127.224.201]
X-Declude-Spoolname: Dfed609e.SMD
X-Declude-Note: Processed by Declude 1.30; remote host [No Reverse DNS]
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 601


Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of R. Scott Perry
Sent: Monday, December 17, 2001 12:42 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] http://www.declude.com/tools/header.php
broken
Importance: Low



>Code: 2103. The E-mail (code 2103) didn't fail either the BADHEADERS
>or SPAMHEADERS tests.
>
>yet:
>X-RBL-WARNING: Suspected SPAM. This E-mail was routed in a poor manner
>consistent with spam [2103].

It didn't fail either the BADHEADERS or SPAMHEADERS tests -- it was the
SPAMROUTING test.  The web page has been updated to accept the code for the
SPAMROUTING test.
-Scott
