I just processed 3 messages individually with SpamXii 1.2.7. Each time it came up with an abuse report address that had recently bounced. In 2 cases SpamX reported to a spoofed address and in the other it was a case of "right culprit, wrong reporting address".
Here follow the particulars:
First part of SpamX report 1:
QUOTE
ABUSE@ATTBI.COM;ABUSE@ATT.NET;
Email Abuse Complaint
Here is the SMTP information.
SMTP Info Start ====================================
Received: from 204.127.198.6 (0-2pool195-119.nas38.tukwila2.wa.us.da.qwest.net[67.5.195.119](untrusted sender))
by rwcrmxc12.comcast.net (rwcrmxc12) with SMTP
id <20040531160159r1200mhelee>; Mon, 31 May 2004 16:02:36 +0000
X-Originating-IP: [67.5.195.119]
X-Message-Info: 360T05CLDuonbi298DR91rybLVpVC0nXU3zANlSPI612XS07
Received: from dns200.qwest.net ([214.44.246.220]) by 70oze-ogz25.67.5.195.119 with Microsoft SMTPSVC(5.0.4980.5516);
Mon, 31 May 2004 13:55:58 -0300
Message-ID: <7393234382.11619@67.5.195.119>
Reply-To: "Melody Sprague" <Ellisxml@mn.rr.com>
From: "Melody Sprague" <Ellisxml@mn.rr.com>
To: madmikel@attbi.com
Subject:
Date: Mon, 31 May 2004 10:01:58 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--451779306355193"
<HTML>
<BODY>
<CENTER><STRONG>
<HR>
</STRONG></CENTER>
<CENTER><STRONG><FONT size=4>If you are paying more than 3.6% on your m<terry>ortgage, </FONT></STRONG></CENTER>
<CENTER><STRONG><FONT size=4>we can slash your paym<trident>ent!</FONT></STRONG></CENTER>
As you can see the ATTBI/ATT address is spoofed as is the dns200.qwest.net ([214.44.246.220]) which is a DoD address.
The correct reporting address is abuse@qwest.net.
Next is like it:
QUOTE
ABUSE@ATTBI.COM;ABUSE@ATT.NET;
Email Abuse Complaint
Here is the SMTP information.
SMTP Info Start ====================================
Received: from 204.127.202.6 (cm218-253-101-13.hkcable.com.hk[218.253.101.13](untrusted sender))
by sccrmxc18.comcast.net (sccrmxc18) with SMTP
id <20040531160440s1800dng5oe>; Mon, 31 May 2004 16:04:55 +0000
X-Originating-IP: [218.253.101.13]
X-Message-Info: CI32COLp48sAXDzwnL585SY617nriUMfyRP3
Received: from 187.192.73.0 by ip-3-7-0-46.i.kxmwaujxnphdu@yahoo.com (AppleMailServer 44.4.2.3) id 292822 via NDR; Wed, 02 Jun 2004 20:58:34 +0100
Reply-To: "Eleanor Hopkins" <kxmwaujxnphdu@yahoo.com>
From: "Eleanor Hopkins" <kxmwaujxnphdu@yahoo.com>
To: "Maddykat" <maddykat@attbi.com>
Subject: provident deafen
Date: Wed, 02 Jun 2004 22:54:34 +0300
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--=====28508609913142=_"
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=Windows-1252">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.0.4630.0">
<TITLE></TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
The correct address is 218.253.101.13 with this abuse report address from Abuse.net: abuse@cms.hkcable.com
And here's the third:
QUOTE
ABUSE@UNINET.NET.MX;
Email Abuse Complaint
Here is the SMTP information.
SMTP Info Start ====================================
Received: from dup-200-64-196-70.prodigy.net.mx ([200.64.196.70])
by sccrmxc11.comcast.net (sccrmxc11) with SMTP
id <20040531174852s1100lursfe>; Mon, 31 May 2004 17:49:49 +0000
X-Originating-IP: [200.64.196.70]
Received: (qmail 6193 invoked by uid 89032); Mon, 31 May 2004 12:48:31 -0600
Date: Mon, 31 May 2004 12:48:31 -0600
Message-ID: <5366640797.419@bellatlantic.net>
From: "Raymond Bermudez" <eoxahg@bellatlantic.net>
To: "Mjgorham" <mjgorham@attbi.com>
Subject: spam: Windows hu NT 4.0
MIME-Version: 1.0
Content-Type: text/html;
charset="windows-1251"
Content-Transfer-Encoding: quoted-printable
X-tis-spam: score=5.40000 (139002,112017,113768,113397)
<HTML><HEAD><TITLE>comparator decisive</TITLE>
</HEAD><BODY>
<div align=3D"center"><font size=1><FONT></FONT>
<a href="http://www.fkryfeq.de.lpydza.DKGLCB.info/OE017/?affiliate_id=233670&campaign_id=601"><STRONG></STRONG>
While SpamX found the right ISP, it seems that's the wrong reporting address. I received both of the following today:
QUOTE
A message (from <me@myisp.xxx>) was received at 31 May 2004 14:01:28 +0000.
The following addresses had delivery problems:
<ABUSE@UNINET.NET.MX>
Permanent Failure: 550_5.1.2_unknown_host_or_domain:_ABUSE@uninet.net.mx
Delivery last attempted at Mon, 31 May 2004 14:01:34 -0000
and
QUOTE
This report relates to a message you sent with the following header fields:
--snip--
Your message cannot be delivered to the following recipients:
Recipient address: prodigypma@ims-ms-daemon
Original address: postmaster@uninet.net.mx
Reason: Over quota
Abuse.net gives the following report addresses for this ISP: abuse@nic.mx; ssradmin@telmex.com; ips-adm@uninet.net.mx; abuse@uninet.net.mx; dominio
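The check these three reports call for, as an added example that is not part of the original post and not SpamX's code: trust only the Received lines stamped by the recipient's own mail servers, and take the bracketed connecting IP from the last of those, ignoring the HELO string and every header below it. The function name `handoff_ip` and the `.comcast.net` trusted suffix are assumptions; the sample headers are copied from reports 1 and 3 above with the continuation-line indentation restored.

```python
import re
from email import message_from_string

BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")        # host that stamped the hop
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # IP recorded by that host

# Headers from reports 1 and 3 above, trimmed; fold indentation restored.
REPORT_1 = """\
Received: from 204.127.198.6 (0-2pool195-119.nas38.tukwila2.wa.us.da.qwest.net[67.5.195.119](untrusted sender))
 by rwcrmxc12.comcast.net (rwcrmxc12) with SMTP
 id <20040531160159r1200mhelee>; Mon, 31 May 2004 16:02:36 +0000
X-Originating-IP: [67.5.195.119]
Received: from dns200.qwest.net ([214.44.246.220]) by 70oze-ogz25.67.5.195.119 with Microsoft SMTPSVC(5.0.4980.5516);
 Mon, 31 May 2004 13:55:58 -0300
From: "Melody Sprague" <Ellisxml@mn.rr.com>
"""
REPORT_3 = """\
Received: from dup-200-64-196-70.prodigy.net.mx ([200.64.196.70])
 by sccrmxc11.comcast.net (sccrmxc11) with SMTP
 id <20040531174852s1100lursfe>; Mon, 31 May 2004 17:49:49 +0000
Received: (qmail 6193 invoked by uid 89032); Mon, 31 May 2004 12:48:31 -0600
From: "Raymond Bermudez" <eoxahg@bellatlantic.net>
"""

def handoff_ip(raw_headers, trusted=(".comcast.net",)):
    """Return the IP that connected to the first trusted server, or None.

    Walks Received headers top-down while the stamping host ("by ...") is one
    of ours (assumed suffix list). The first hop stamped by anyone else, and
    everything under it, was supplied by the sender and is not used.
    """
    ip = None
    for value in message_from_string(raw_headers).get_all("Received", []):
        hop = " ".join(value.split())          # unfold continuation lines
        by = BY_RE.search(hop)
        if not by or not by.group(1).lower().endswith(trusted):
            break                              # left our own infrastructure
        src = IP_RE.search(hop[:by.start()])   # bracketed IP in the from-clause
        if src:
            ip = src.group(1)                  # the HELO name is never consulted
    return ip

if __name__ == "__main__":
    for name, raw in (("report 1", REPORT_1), ("report 3", REPORT_3)):
        print(name, "->", handoff_ip(raw))
```

The returned IP is what should be looked up for an abuse contact; a forged line that itself claims a trusted "by" host would need an additional check against the known addresses of those servers.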