Full Version: Version 1.2.9 Released
Jeff Hendrickson
Chris pointed out that a significant number of the abuse addresses were bouncing back.

I looked into this further, and the function I was calling to parse the email addresses returned by ABUSE.NET was the OLD one <Homer Simpson DOOH!>.

What this meant - SpamX was only using ONE of the addresses in the list. In the majority of cases this would work. But as Chris pointed out, in a lot of cases it does not.

Thanks for keeping me honest Chris, the fix is on the site!

BTW current users, the 'Full installation package' will overwrite your current 'do not send' list, so you may want to use the 'Executable only', or make a backup of your file.

Full installation package:
http://www.hendricom.com/Downloads/spamxii.zip
Executable only:
http://www.hendricom.com/Downloads/spamxiibinonly.zip
Bazz
Something still amiss..

These headers:
QUOTE
Microsoft Mail Internet Headers Version 2.0
Received: from Lando.sdgworld.net ([172.16.10.7]) by Harry.sdgworld.net with Microsoft SMTPSVC(6.0.3790.0);
  Mon, 5 Jul 2004 13:30:59 +0100
Received: from mx1.exponential-e.com ([62.244.177.19]) by Lando.sdgworld.net with Microsoft SMTPSVC(5.0.2195.6713);
  Mon, 5 Jul 2004 13:30:59 +0100
Received: from [140.122.200.115] (port=3795 helo=62.244.177.193)
by mx1.exponential-e.com with smtp (Exim 4.24)
id 1BhSZY-0003Ut-3p
for b.freeman@sdgworld.net; Mon, 05 Jul 2004 12:27:48 +0000
Received: from 128.40.59.67 by 140.122.200.115; Mon, 05 Jul 2004 07:30:00 -0600
Message-ID: <UWQSEBRREUBUWQMTCAEKH@goodmail.com>
From: "Angelina Coleman" <kzedzo@voicestream.net>
Reply-To: "Angelina Coleman" <kzedzo@voicestream.net>
To: b.freeman@sdgworld.net
Subject: b.freeman@sdgworld.net -We have CEOs as students.
Date: Mon, 05 Jul 2004 18:26:00 +0500
X-Mailer: Microsoft Outlook, Build 10.0.2616
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--180711651860536"
X-Priority: 3
X-MSMail-Priority: Normal
Return-Path: kzedzo@voicestream.net
X-OriginalArrivalTime: 05 Jul 2004 12:30:59.0234 (UTC) FILETIME=[ED2CF820:01C4628B]

----180711651860536
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable


1.2.9 wants to send to:

ABUSE@ULCC.AC.UK
POSTMASTER@CWI.NL
POSTMASTER@ANS.NET
ABUSE@ANS.NET
ABUSE@UCL.AC.UK
CERT@UCL.AC.UK
ABUSE@JA.NET
CERT@CERT.JA.NET

The AC.UK addresses are probably derived from the Received: line containing 128.40.59.67, but this is an obvious forgery.
The previous Received: line:

Received: from [140.122.200.115] (port=3795 helo=62.244.177.193)

shows the actual sending system [140.122.200.115] with a forged HELO,
yet the 140.122.200.115 address is not picked up at all.

This resolved to twnic.net and an email address of tanetadm@moe.edu.tw.

Confirmed by processing it through spamcop.

Bazz
Bazz
And another:
QUOTE
Microsoft Mail Internet Headers Version 2.0
Received: from Lando.sdgworld.net ([172.16.10.7]) by Harry.sdgworld.net with Microsoft SMTPSVC(6.0.3790.0);
  Mon, 5 Jul 2004 13:23:35 +0100
Received: from mx1.exponential-e.com ([62.244.177.19]) by Lando.sdgworld.net with Microsoft SMTPSVC(5.0.2195.6713);
  Mon, 5 Jul 2004 13:23:35 +0100
Received: from [61.110.223.216] (port=2751 helo=62.244.177.193)
by mx1.exponential-e.com with smtp (Exim 4.24)
id 1BhSSL-0003R5-W5
for b.freeman@sdgworld.net; Mon, 05 Jul 2004 12:20:23 +0000
To: b.freeman@sdgworld.net
From: "Dian Myrtie" <wur96pasr@best.com>
Reply-To: "Dian Myrtie" <wur96pasr@best.com>
Date: Mon, 05 Jul 2004 15:14:57 +0200
Subject: SOFTWARES FROM 50 DOLLAR EACH TO ALL COUNTRIES human safety daughter
Message-ID: <JxMLZqYZsIBbQ8CtKdO07jm8TY@tablepair>
Received: awPTts-TJ6P6J6D.specialthankyou.com (fvsdmdy [43.98.106.71])
  by particularly.favoriteupon.com (6.32.7/0.84.0) with ESMTP id F8V99KAXOBJ2
  for <b.freeman@sdgworld.net>; Mon, 05 Jul 2004 06:18:57 -0700 GMT
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2912.3504
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--9552981908721"
Return-Path: wur96pasr@best.com
X-OriginalArrivalTime: 05 Jul 2004 12:23:35.0265 (UTC) FILETIME=[E48CAD10:01C4628A]


SpamX finds nothing at all.
My processing:
43.98.106.71 resolves as either an IPv6 address or not assigned. Turns out (via whois.v6nic.net) to be unassigned and therefore forged.
Next up is 61.110.223.216 (which SpamX ignores) with the familiar forged HELO.
This resolved (via krnic.net) to shinbiro.com, and abuse.net gives us

postmaster@shinbiro.com (for shinbiro.com)
abuse@shinbiro.com (for shinbiro.com)
spamrelay@certcc.or.kr (for shinbiro.com)

Bazz
Jeff Hendrickson
Hi BaZz,

You are correct sir, good eyes.

The (port=3795 helo=62.244.177.193)

in the line Received: from [140.122.200.115] (port=3795 helo=62.244.177.193)

tripped up the SpamX IP parser, and it found 62.244.177.193 as the IP address.

It should have found 140.122.200.115.

These lines are usually spoofed - from 62.244.177.193 [140.122.200.115]

I need to account for this in the IP parser, I'll let you know when it's done....

Thanks!

Regs,
-Jeff
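The Received: parsing Jeff describes above, worked through as an added example (this is not SpamX code and not code posted by anyone in the thread): it walks the chain from the recipient's own servers downward, takes the peer address only from the bracketed IP the receiving MTA recorded, keeps the helo= name separate as sender-supplied data, and stops at the first line not written by a trusted relay. That last rule is what discards the forged "from 128.40.59.67" line in Bazz's first sample and the forged specialthankyou.com line in his second. The set of trusted relays is an assumption made for this example; the two header blocks are the ones Bazz posted, embedded here as test input.

```python
"""Walk a message's Received: chain from the recipient's side and report the
IP that actually connected to the last trusted relay. Added example for this
thread, not SpamX code: SAMPLE_1/SAMPLE_2 are the header blocks Bazz posted,
embedded as test input; TRUSTED_RELAYS is an assumption made for the example."""
import re

# Assumption: the recipient's own servers plus the inbound MX. Relays prepend
# Received: lines, so a sender can only forge lines *below* the last one written
# ("by") a host in this set.
TRUSTED_RELAYS = {"harry.sdgworld.net", "lando.sdgworld.net", "mx1.exponential-e.com"}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
HEADER_NAME = re.compile(r"^([!-9;-~]+):")                 # RFC 2822 field name
BRACKETED_IP = re.compile(r"\[(" + IPV4 + r")\]")            # IP as seen by the receiving MTA
BARE_IP = re.compile(r"(?<![\d.])(" + IPV4 + r")(?![\d.])")  # IP merely written by the sender
HELO = re.compile(r"helo=([^\s)]+)", re.I)
FROM_BY = re.compile(r"\bfrom\s+(.*?)\s+by\s+(\S+)", re.I | re.S)


def unfold_headers(raw):
    """Return [(name, value)] with folded lines joined; stops at the blank line.
    Any line not shaped 'Name: ...' is a continuation (copes with pasted headers
    whose leading whitespace was lost)."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            break
        m = HEADER_NAME.match(line)
        if m:
            fields.append((m.group(1).lower(), line[m.end():].strip()))
        elif fields:  # a stray line before the first field (Outlook's banner) is dropped
            fields[-1] = (fields[-1][0], fields[-1][1] + " " + line.strip())
    return fields


def parse_received(value):
    """Split one Received: value into peer IP, receiving host and HELO name.
    The bracketed IP is the peer as recorded by the receiving MTA (Exim:
    'from [1.2.3.4] (helo=x)', MS SMTPSVC: 'from host ([1.2.3.4])'); the
    helo= name and any unbracketed IP come from the sender and are unattested."""
    m = FROM_BY.search(value)
    if not m:
        return None  # no 'from ... by ...' clause: malformed, typically forged
    from_part, by_host = m.group(1), m.group(2).rstrip(";,").lower()
    helo = HELO.search(from_part)
    ip = BRACKETED_IP.search(from_part)
    if ip:
        ip, attested = ip.group(1), True
    else:  # strip the (...) comment first so a helo=<ip> is never taken as the peer
        bare = BARE_IP.search(re.sub(r"\([^)]*\)", "", from_part))
        ip, attested = (bare.group(1) if bare else None), False
    return {"ip": ip, "by": by_host, "helo": helo.group(1) if helo else None, "attested": attested}


def originating_hop(raw_headers, trusted=TRUSTED_RELAYS):
    """Return the hop recorded by the deepest trusted relay (newest first), or None.
    The walk stops at the first line not written by a trusted relay: that line
    and everything under it was supplied by the sender."""
    origin = None
    for name, value in unfold_headers(raw_headers):
        if name != "received":
            continue
        hop = parse_received(value)
        if hop is None or hop["by"] not in trusted:
            break
        origin = hop
    return origin


# Test input: the two header blocks posted in the thread (continuation lines kept
# exactly as pasted, some without their leading whitespace).
SAMPLE_1 = """\
Microsoft Mail Internet Headers Version 2.0
Received: from Lando.sdgworld.net ([172.16.10.7]) by Harry.sdgworld.net with Microsoft SMTPSVC(6.0.3790.0);
  Mon, 5 Jul 2004 13:30:59 +0100
Received: from mx1.exponential-e.com ([62.244.177.19]) by Lando.sdgworld.net with Microsoft SMTPSVC(5.0.2195.6713);
  Mon, 5 Jul 2004 13:30:59 +0100
Received: from [140.122.200.115] (port=3795 helo=62.244.177.193)
by mx1.exponential-e.com with smtp (Exim 4.24)
id 1BhSZY-0003Ut-3p
for b.freeman@sdgworld.net; Mon, 05 Jul 2004 12:27:48 +0000
Received: from 128.40.59.67 by 140.122.200.115; Mon, 05 Jul 2004 07:30:00 -0600

----180711651860536
"""

SAMPLE_2 = """\
Received: from Lando.sdgworld.net ([172.16.10.7]) by Harry.sdgworld.net with Microsoft SMTPSVC(6.0.3790.0);
  Mon, 5 Jul 2004 13:23:35 +0100
Received: from mx1.exponential-e.com ([62.244.177.19]) by Lando.sdgworld.net with Microsoft SMTPSVC(5.0.2195.6713);
  Mon, 5 Jul 2004 13:23:35 +0100
Received: from [61.110.223.216] (port=2751 helo=62.244.177.193)
by mx1.exponential-e.com with smtp (Exim 4.24)
id 1BhSSL-0003R5-W5
for b.freeman@sdgworld.net; Mon, 05 Jul 2004 12:20:23 +0000
Message-ID: <JxMLZqYZsIBbQ8CtKdO07jm8TY@tablepair>
Received: awPTts-TJ6P6J6D.specialthankyou.com (fvsdmdy [43.98.106.71])
  by particularly.favoriteupon.com (6.32.7/0.84.0) with ESMTP id F8V99KAXOBJ2
  for <b.freeman@sdgworld.net>; Mon, 05 Jul 2004 06:18:57 -0700 GMT
"""

if __name__ == "__main__":
    for sample in (SAMPLE_1, SAMPLE_2):
        hop = originating_hop(sample)
        print(f"origin {hop['ip']} (helo={hop['helo']}), recorded by {hop['by']}")
```

The returned ip is the address to look up in WHOIS and abuse.net; the helo value is only worth reporting as evidence of the forgery. In real use the trusted set should come from your own mail-server inventory, not from names found in the headers, since the sender controls every hostname below the first hop your servers did not write.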
Jeff Hendrickson
Hi BaZz,

The fix for your report is in!

Full installation package:
http://www.hendricom.com/Downloads/spamxii.zip
Executable only:
http://www.hendricom.com/Downloads/spamxiibinonly.zip

Thank you for pointing this out!!

Regs,
-Jeff