Full Version: Not detected
Bazz
The only reporting addresses detected were my own demon.net addresses, but when submitted to spamcop it resolved the last received: header to the spammer's host.

Is SpamX not processing all headers?


Return-path: <info@unterbieten.com>
Received: from punt-3.mail.demon.net by mailstore
for xxx@xxx.demon.co.uk id 1BFCW3-0006FG-9w;
Sun, 18 Apr 2004 13:39:23 +0000
Received: from [194.217.242.72] (helo=anchor-hub.mail.demon.net)
by punt-3.mail.demon.net with esmtp id 1BFCW3-0006FG-9w
for xxx@xxx.demon.co.uk; Sun, 18 Apr 2004 13:39:23 +0000
Received: from [220.184.220.194] (helo=194.217.242.75)
by anchor-hub.mail.demon.net with smtp id 1BFCW2-0004nk-9X
for xxx@xxx.demon.co.uk; Sun, 18 Apr 2004 13:39:22 +0000
Received: from [64.195.186.60] by 194.217.242.75 with ESMTP id 93023506; Sat, 20 Mar 2004 19:36:14 +0600
Message-ID: <a-v15458c$o-5e8z3b-hf5$36@lw99ay>
From: "info@unterbieten.com" <info@unterbieten.com>
Reply-To: "info@unterbieten.com" <info@unterbieten.com>
To: xxx@xxx.demon.co.uk
Subject: Kostenlose Auktionen für Dienstleistungen
Date: Sat, 20 Mar 2004 19:36:14 +0600
X-Mailer: MIME-tools 5.503 (Entity 5.501)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="B92EDC.9E2_52A8_D.C50"
X-Priority: 1
Jeff Hendrickson
You found a bug, by jingy!

The response from RIPE on the first query was unexpectedly long. This caused SpamX to misinterpret the IP count, so the next address was not looked up!

I'll get this fixed up, and post a message here when it's done....

Thanks!
Bazz
Excellent..

I think that may be cause of some other oddness today.

Usually, I use SpamControl to direct forward to Spamcop. Bit of a pain having to go there and actually report and then getting most reports devnulled.

So I tried SpamX today and every single report has come back with a NDR.

This could be the aforementioned bug causing the processing to stop too soon in the received: list?

Bazz
Jeff Hendrickson
The fix is in for the bug you reported earlier.

Thank you for taking the time to report it.

You can download the fix either by downloading the entire installation package at http://www.hendricom.com/Downloads/spamxii.zip, or you can download just the binary file at http://www.hendricom.com/Downloads/spamxiibinonly.zip.

Thanks again for reporting this bug, I'm anxious to get your feedback regarding whether this is resolved.

Regs,
-Jeff
Bazz
I've just paid for a second license for my work machine so I'll let you know how the new one works.

BAzz
Bazz
Another header that doesn't generate any reporting addresses (but spamcop does)
It only reports items in the don't send list.
QUOTE
Microsoft Mail Internet Headers Version 2.0
Received: from sdgworld.net ([172.16.10.6]) by Lando.sdgworld.net with Microsoft SMTPSVC(5.0.2195.6713);
  Tue, 20 Apr 2004 14:11:50 +0100
Received: from 62.244.189.194 ([61.103.17.135]) by sdgworld.net with Microsoft SMTPSVC(6.0.3790.0);
  Tue, 20 Apr 2004 14:11:48 +0100
X-Message-Info: 4bdu733gczL/bELSxKYyzXjeKA1Im
Received: from VU97NO37 ([10.2.202.25]) by FCX71.nubile.mail.com with Microsoft SMTPSVC(5.0.2195.6713);
  Tue, 20 Apr 2004 10:00:13 -0400
From: <deoxpt@email.com>
To: <b.freeman@sdgworld.net>
Subject: Spam:  ditzel
Date: Tue, 20 Apr 2004 09:00:13 -0500
Message-ID: <95993mhq8zj56wj$3gw1h5d55$482ptq212hne@ardent.mail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--50541855249076870"
X-Mailer: Microsoft CDO for Windows 2000
Thread-Index: TzhcT8BZoNN30us53OLFzCF+AX74VO54yqS==
Content-Class: fm:content-classes:message
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-Virus-Status: Scanned by norton
Return-Path: deoxpt@email.com
X-OriginalArrivalTime: 20 Apr 2004 13:11:49.0811 (UTC) FILETIME=[0A705830:01C426D9]
X-Brightmail-Tracker: AAAAAwDLVwQAztUIANdGsA==

----50541855249076870
Content-Type: text/plain;
Content-Transfer-Encoding: 7Bit


----50541855249076870--


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7036.0">
<TITLE></TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->

<P><FONT SIZE=2>Elkins,%<BR>
<BR>
75%off for all New Softwares.<BR>
WindowXP,Photoshop,Window2003...etcMore<BR>
<BR>
<A HREF="http://www.BNZTHE.BIZ/OE017/?affiliate_id=233635&campaign_id=601">http://www.BNZTHE.BIZ/OE017/?affiliate_id=233635&campaign_id=601</A><BR>
<BR>
carcinoma,at the metropol?*.<BR>
</FONT>
</P>

</BODY>
</HTML>
Jeff Hendrickson
Hi BAzz...

When I ran this header here, I picked up the abuse address ABUSE@EXPONENTIAL-E.COM.

You didn't??
Bazz
Yep, that's our ISP. I've got them in my Don't Send.

This is the spamcop analysis
QUOTE
Spam Header
This page may be saved for future reference:
http://www.spamcop.net/sc?id=z429635631z33...963f3974b93a15z
0: Received: from sdgworld.net ([172.16.10.6]) by Lando.sdgworld.net with Microsoft SMTPSVC(5.0.2195.6713); Tue, 20 Apr 2004 14:11:50 +0100
Internal handoff at sdgworld.net

1: Received: from 62.244.189.194 ([61.103.17.135]) by sdgworld.net with Microsoft SMTPSVC(6.0.3790.0); Tue, 20 Apr 2004 14:11:48 +0100
sdgworld.net received mail from 61.103.17.135

2: Received: from VU97NO37 ([10.2.202.25]) by FCX71.nubile.mail.com with Microsoft SMTPSVC(5.0.2195.6713); Tue, 20 Apr 2004 10:00:13 -0400
Internal handoff or trivial forgery

61.103.17.135 listed in dnsbl.njabl.org ( 127.0.0.9 )
Forgery from open proxy


Tracking message source: 61.103.17.135:
Routing details for 61.103.17.135
[refresh/show] Cached whois for 61.103.17.135 : mackerel@dreamline.co.kr ip@dreamline.co.kr 20001004@dreamx.net mo422@saeroun.co.kr
Using last resort contacts mackerel@dreamline.co.kr ip@dreamline.co.kr 20001004@dreamx.net mo422@saeroun.co.kr
Yum, this spam is fresh!
61.103.17.135 listed in dnsbl.njabl.org ( 127.0.0.9 )
61.103.17.135 listed in dnsbl.njabl.org ( 127.0.0.9 )
61.103.17.135 is an open proxy
61.103.17.135 not listed in plus.bondedsender.org
61.103.17.135 not listed in query.bondedsender.org
61.103.17.135 not listed in iadb.isipp.com

Report Spam to:


Re: 61.103.17.135 (Administrator of network where email originates)
To: mo422@saeroun.co.kr (Notes)
To: 20001004@dreamx.net (Notes)
To: ip@dreamline.co.kr (Notes)
To: mackerel@dreamline.co.kr (Notes)


Nope that helps. I'm running out of credit at Spamcop and if I can get SpamX working right I won't bother renewing.
Jeff Hendrickson
You go BAzz, good eyes!

I've corrected a minor error parsing IP addresses.

Put on download site on Tuesday 04-20-04 at 8:26pm EST. If you are not using this version you can download it at:

Executable only:
http://www.hendricom.com/Downloads/spamxiibinonly.zip

Entire install package:
http://www.hendricom.com/Downloads/spamxii.zip

Bazz
Got another one.
The tracking box fills with ARIN and RIPE error/help text.
This one has an obviously forged IP in the last received line which is probably what's causing the problem.

Fancy adding open proxy / open relay tests?

QUOTE
Spam Header
This page may be saved for future reference:
http://www.spamcop.net/sc?id=z431863926z2f...2f6d371f886a2fz
0: Received: from sdgworld.net ([172.16.10.6]) by Lando.sdgworld.net with Microsoft SMTPSVC(5.0.2195.6713); Wed, 21 Apr 2004 10:12:23 +0100
Internal handoff at sdgworld.net

1: Received: from lafilaire-3-82-224-107-62.fbx.proxad.net ([82.224.107.62]) by sdgworld.net with Microsoft SMTPSVC(6.0.3790.0); Wed, 21 Apr 2004 10:12:22 +0100
sdgworld.net received mail from 82.224.107.62
Hostname verified: lafilaire-3-82-224-107-62.fbx.proxad.net

2: Received: from ([0.209.192.54]) by 34lj....hushmail.com (InterMail vX.4.63.65.03 074-4-69-70817-0016-025391630) with ESMTP id <152571.IEZPC663893191.azmd9-mail...net.cable.rogers.com@> for <x>; Wed, 21 Apr 2004 04:04:37 -0600
Internal handoff or trivial forgery

82.224.107.62 listed in dnsbl.njabl.org ( 127.0.0.9 )
Forgery from open proxy


Tracking message source: 82.224.107.62:
Routing details for 82.224.107.62
[refresh/show] Cached whois for 82.224.107.62 : abuse@proxad.net
Using abuse net on abuse@proxad.net
abuse net proxad.net = abuse@proxad.net
Using best contacts abuse@proxad.net
Yum, this spam is fresh!
82.224.107.62 listed in dnsbl.njabl.org ( 127.0.0.9 )
82.224.107.62 listed in dnsbl.njabl.org ( 127.0.0.9 )
82.224.107.62 is an open proxy
82.224.107.62 not listed in plus.bondedsender.org
82.224.107.62 not listed in query.bondedsender.org
82.224.107.62 not listed in iadb.isipp.com


Finding links in message body
Parsing HTML part


Resolving link obfuscation
http://kerry.lyaerd.com/z
  host 219.153.1.230 (getting name) no name


Tracking link: http://kerry.lyaerd.com/z
Resolves to 219.153.1.230


Tracking ip 219.153.1.230
Cached masters for 219.153.1.230: spam#ctsi.com.cn@devnull.spamcop.net zhong@public.cta.cq.cn jieliang#ix.netcom.com@devnull.spamcop.net postmaster@cta.cq.cn sysop@ctsi.com.cn abuse@publicf.bta.net.cn wangyan@public.cta.cq.cn dnsmail@public.cta.cq.cn
Bazz
And another. Jeff, I think you broke something ... this one is pretty straightforward.

QUOTE
Spam Header
This page may be saved for future reference:
http://www.spamcop.net/sc?id=z431871378z05...dd8fc1576b384ez
0: Received: from sdgworld.net ([172.16.10.6]) by Lando.sdgworld.net with Microsoft SMTPSVC(5.0.2195.6713); Wed, 21 Apr 2004 10:07:50 +0100
Internal handoff at sdgworld.net

1: Received: from slugs.exponential-e.com ([62.244.176.6]) by sdgworld.net with Microsoft SMTPSVC(6.0.3790.0); Wed, 21 Apr 2004 10:07:50 +0100
sdgworld.net received mail from sdgworld.net ( 62.244.176.6 )
Hostname verified: sugar.exponential-e.net

2: Received: from [218.6.233.172] (port=4094 helo=62.244.176.192) by slugs.exponential-e.com with smtp (Exim 4.22) id 1BGDhk-00018K-PL for x; Wed, 21 Apr 2004 09:07:49 +0000
sdgworld.net received mail from 218.6.233.172

All mail hosts in chain recognized.


Tracking message source: 218.6.233.172:
Routing details for 218.6.233.172
[refresh/show] Cached whois for 218.6.233.172 : ipadmin@my-public.sc.cninfo.net anti-spam@ns.chinanet.cn.net hostmaster@ns.chinanet.cn.net
Using abuse net on ipadmin@my-public.sc.cninfo.net
abuse net sc.cninfo.net = postmaster@mail.sc.cninfo.net, anti-spam@mail.sc.cninfo.net, postmaster@sc.cninfo.net, ctsummary@special.abuse.net
abuse net chinanet.cn.net = postmaster@chinanet.cn.net, anti-spam@chinanet.cn.net, ctsummary@special.abuse.net
abuse net chinanet.cn.net = postmaster@chinanet.cn.net, anti-spam@chinanet.cn.net, ctsummary@special.abuse.net
Using best contacts postmaster@mail.sc.cninfo.net anti-spam@mail.sc.cninfo.net postmaster@sc.cninfo.net ctsummary@special.abuse.net
ctsummary@special.abuse.net redirects to ct-abuse@sprint.net
ct-abuse@sprint.net refuses SpamCop reports
Yum, this spam is fresh!
218.6.233.172 not listed in dnsbl.njabl.org
218.6.233.172 not listed in dnsbl.njabl.org
218.6.233.172 not listed in cbl.abuseat.org
218.6.233.172 not listed in dnsbl.sorbs.net
218.6.233.172 not listed in relays.ordb.org.
218.6.233.172 not listed in plus.bondedsender.org
218.6.233.172 not listed in query.bondedsender.org
218.6.233.172 not listed in iadb.isipp.com


Finding links in message body
Parsing HTML part


Resolving link obfuscation
http://x5wcvkchar.vbshels752medications.biz/unsubscribe.ddd
  host 200.161.196.83 = 200-161-196-83.dsl.telesp.net.br (cached)
http://kssx8orsggchar.vbshels752medications.biz/f75
  host 200.161.196.83 = 200-161-196-83.dsl.telesp.net.br (cached)


Tracking link: http://x5wcvkchar.vbshels752medications.biz/unsubscribe.ddd
Resolves to 200.161.196.83


Tracking ip 200.161.196.83
Cached masters for 200.161.196.83: mail-abuse@nic.br araposo@telesp.com.br spambr@admin.spamcop.net security@telesp.net.br


Tracking link: http://kssx8orsggchar.vbshels752medications.biz/f75
Resolves to 200.161.196.83


Tracking ip 200.161.196.83
Cached masters for 200.161.196.83: mail-abuse@nic.br araposo@telesp.com.br spambr@admin.spamcop.net security@telesp.net.br


Please make sure this email IS spam:
From: Janelle habeas <x> (Spam: B.freeman)
Wholesale Pharmac.y Med.sOur DOCTORS Will Write You A Prescription For F.R.E.EGe
t Your Prescription Meds OnlineWeight Loss, Pain Relief, Muscle Pain Relief, Wom
View full message

Report Spam to:


Re: 218.6.233.172 (Administrator of network where email originates)
To: postmaster@sc.cninfo.net (Notes)
To: anti-spam@mail.sc.cninfo.net (Notes)
To: postmaster@mail.sc.cninfo.net (Notes)


Re: 218.6.233.172 (Third party interested in email source)
To: Cyveillance spam collection (Notes)


Re: http://kssx8orsggchar.vbshels752medications.biz... (Administrator of network hosting website referenced in spam)
To: Internal spamcop handling: (spambr) (Notes)
To: mail-abuse@nic.br (Notes)
To: araposo@telesp.com.br (Notes)
To: security@telesp.net.br (Notes)


Re: http://x5wcvkchar.vbshels752medications.biz/uns... (Administrator of network hosting website referenced in spam)
To: security@telesp.net.br (Notes)
To: Internal spamcop handling: (spambr) (Notes)
To: mail-abuse@nic.br (Notes)
To: araposo@telesp.com.br (Notes)


BAzz
Jeff Hendrickson
bAZz, I can't tell you how much I appreciate your help with these bug reports.

Yepper, I found it, fixed it. I put a build on the Web site on Wed. April 21, 2004 at 7:04am EST.

Full installation package:
http://www.hendricom.com/Downloads/spamxii.zip
Executable only:
http://www.hendricom.com/Downloads/spamxiibinonly.zip

Go ahead, try to find a bug in this one, I dare ya....
Bazz
WooHoo! So far so good.
It processed all the ones from this morning Ok.

Looking good!
Jeff Hendrickson
Yiiiippppiiiieeee

That's great! Thanks again for taking the time to report these bugs!
Bazz
Ok, this one didn't report anything except a dbs-admin address in South Africa.
Spamcop found abuse addresses for various nets.

QUOTE
Return-path: <clearheadeddivulge@attbi.com>
Received: from punt-3.mail.demon.net by mailstore
for delyth@foxx.demon.co.uk id 1BMhqz-00039g-9D;
Sun, 09 May 2004 06:32:01 +0000
Received: from [194.217.242.72] (helo=anchor-hub.mail.demon.net)
by punt-3.mail.demon.net with esmtp id 1BMhqz-00039g-9D
for delyth@foxx.demon.co.uk; Sun, 09 May 2004 06:32:01 +0000
Received: from [218.48.89.135] (helo=194.217.242.75)
by anchor-hub.mail.demon.net with smtp id 1BMhqy-0007YZ-S0
for delyth@foxx.demon.co.uk; Sun, 09 May 2004 06:32:01 +0000
Received: from [218.48.89.135] by 168.164.67.64 with HTTP;
Mon, 10 May 2004 12:28:38 +0200
From: "Jeremy Ragland" <lookoutbarge@attbi.com>
To: delyth@foxx.demon.co.uk
Subject: spam:
Mime-Version: 1.0
Date: Mon, 10 May 2004 12:35:38 +0200
Reply-To: "Jeremy Ragland" <twelvecreepy@attbi.com>
Content-Type: multipart/alternative;
boundary="=_NextPart_000_000Y_00U68ZW4_6082U5971"
Message-Id: <E1BMhqy-0007YZ-S0@anchor-hub.mail.demon.net>
X-tis-spam: score=14.90000 (113006,112406,113315,110249)

--=_NextPart_000_000Y_00U68ZW4_6082U5971
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit

mammalian lunatic petroleum sticktight cannibal give remonstrate brick azimuthal byzantium orangutan needlework conakry diffract nitrogenous arnold pristine substantiate barnett buttress commodity exterior edifice ned periphery typeset hogging euphoric bogging pyroxene alberta amsterdam regret utensil
below cash extempore tech abbott brittany proprietary successive cytology lethargy yucatan multitude rotate experiment ghostly hitachi apt eligible geometrician
mudguard chess thereby pr tibetan kendall exaggerate clank allegate brew brushy log crania kolkhoz hypocycloid carcass chignon ancestor discoid exasperater viceroy operatic incapacity contraption dastard accede judicious lawmake loge glutamine adsorptive

--=_NextPart_000_000Y_00U68ZW4_6082U5971
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 8bit

<html>



<body>
<b>

<p>Why not purchase  H_G Hormone DIETARY THERAPY</b> </p>

<p>Lose Weight in 3 Weeks!</p>

<p>Achieve many benefits, including:<br>
<br>
Watch Wrinkles Disappear<br>
Grow New Hair<br>
Improve Skin<br>
</p>

<p>Do this all with:<br>
<br>
NO Strenuous Exercise<br>
NO Cravings<br>
</p>
<a href="http://www.UOY.ed3zc.com/at/">

<p>http://www.yhV.aser4s.com/at/</a> </p>

<p><br>
<br>
<a href="http://www.5yp.zx4d5fc.com/1.php">I want to say
adios</a></p>

<p><br>
<br>
adaptive borealis burglarproof maltese alimony brought rhine bridgeable bayonet shroud epistle not staten upriver fusiform razor populate prim upraise sheath radius immovable nib citroen categoric stile metallic beebread govern manama  hay iris stormbound suicidal newsstand calhoun sonic knoll rutty mcallister clergyman bemadden baltic fescue chine cattle cottonwood fume perspective carbon potts lair tank barberry stag abysmal  </p>
</body>
</html>

--=_NextPart_000_000Y_00U68ZW4_6082U5971--


SpamCop found these;
QUOTE
0: Received: from [194.217.242.72] (helo=anchor-hub.mail.demon.net) by punt-3.mail.demon.net with esmtp id 1BMhqz-00039g-9D for x; Sun, 09 May 2004 06:32:01 +0000
BEEB.net received mail from BEEB.net ( 194.217.242.72 )
Hostname verified: anchor-hub-2.mail.demon.net

1: Received: from [218.48.89.135] (helo=194.217.242.75) by anchor-hub.mail.demon.net with smtp id 1BMhqy-0007YZ-S0 for x; Sun, 09 May 2004 06:32:01 +0000
BEEB.net received mail from 218.48.89.135

2: Received: from [218.48.89.135] by 168.164.67.64 with HTTP; Mon, 10 May 2004 12:28:38 +0200
Possible forgery. Supposed receiving system not associated with any of your mailhosts
Will not trust anything beyond this header
Trivial forgery


Tracking message source: 218.48.89.135:
Routing details for 218.48.89.135
[refresh/show] Cached whois for 218.48.89.135 : abuse@hanaro.com ip-adm@hanaro.com
Using abuse net on abuse@hanaro.com
abuse net hanaro.com = spamrelay@certcc.or.kr, abuse@hanaro.com, postmaster@hanaro.com, nospam@hanaro.com
Using best contacts spamrelay@certcc.or.kr abuse@hanaro.com postmaster@hanaro.com nospam@hanaro.com
abuse@hanaro.com redirects to nospam@hanaro.com
postmaster@hanaro.com redirects to nospam@hanaro.com
Yum, this spam is fresh!
218.48.89.135 not listed in dnsbl.njabl.org
218.48.89.135 not listed in dnsbl.njabl.org
218.48.89.135 listed in cbl.abuseat.org ( 127.0.0.2 )
218.48.89.135 is an open proxy
218.48.89.135 not listed in query.bondedsender.org
218.48.89.135 not listed in iadb.isipp.com


Finding links in message body
Recurse multipart:
  Parsing text part
  Parsing HTML part


Resolving link obfuscation
http://www.uoy.ed3zc.com/at/
  host 222.55.10.2 (getting name) no name
http://www.5yp.zx4d5fc.com/1.php
  host 222.55.10.2 (getting name) no name


Tracking link: http://www.uoy.ed3zc.com/at/


Tracking ip 222.55.10.2
Routing details for 222.55.10.2
[refresh/show] Cached whois for 222.55.10.2 : crnet_mgr@crc.net.cn crnet_tec@crc.net.cn
Using abuse net on crnet_mgr@crc.net.cn
abuse net crc.net.cn = postmaster@crc.net.cn, mliu@crc.net.cn, anti-spam@chinanet.cn.net, ctsummary@special.abuse.net
Using best contacts postmaster@crc.net.cn mliu@crc.net.cn anti-spam@chinanet.cn.net ctsummary@special.abuse.net
anti-spam@chinanet.cn.net bounces (143 sent : 100 bounces)
Using anti-spam#chinanet.cn.net@devnull.spamcop.net for statistical tracking.
ctsummary@special.abuse.net redirects to ct-abuse@sprint.net
ct-abuse@sprint.net refuses SpamCop reports


Tracking link: http://www.5yp.zx4d5fc.com/1.php


Tracking ip 222.55.10.2
Cached masters for 222.55.10.2: anti-spam#chinanet.cn.net@devnull.spamcop.net mliu@crc.net.cn postmaster@crc.net.cn


Please make sure this email IS spam:
From: "Jeremy Ragland" <lookoutbarge@attbi.com> (spam: )
--=_NextPart_000_000Y_00U68ZW4_6082U5971
Content-Type: text/plain; charset=us-ascii
View full message

Report Spam to:


Re: 218.48.89.135 (Administrator of network where email originates)
To: nospam@hanaro.com (Notes)
To: spamrelay@certcc.or.kr (Notes)


Re: 218.48.89.135 (Third party interested in email source)
To: Cyveillance spam collection (Notes)


Re: http://www.5yp.zx4d5fc.com/1.php (Administrator of network hosting website referenced in spam)
To: postmaster@crc.net.cn (Notes)
To: mliu@crc.net.cn (Notes)
To: anti-spam#chinanet.cn.net@devnull.spamcop.net (Notes)


Re: http://www.uoy.ed3zc.com/at/ (Administrator of network hosting website referenced in spam)
To: anti-spam#chinanet.cn.net@devnull.spamcop.net (Notes)
To: postmaster@crc.net.cn (Notes)
To: mliu@crc.net.cn (Notes)


I do have a load of don't send entries but nothing that would get picked up here.
BAzz
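The trust rule visible in the SpamCop analysis above (walk the Received: lines from the top, believe only those written by your own mailhosts, and take the bracketed peer IP rather than the HELO name), sketched in Python as an added example. It is not SpamX's or SpamCop's code; the trusted-host list and the own-relay address are assumptions drawn from the quoted headers.

```python
import ipaddress
import re

HOP_RE = re.compile(r"from\s+(.*?)\s+by\s+(\S+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Received: lines from the header quoted above, unfolded, recipient replaced by x.
SAMPLE = [
    "from punt-3.mail.demon.net by mailstore for x id 1BMhqz-00039g-9D; "
    "Sun, 09 May 2004 06:32:01 +0000",
    "from [194.217.242.72] (helo=anchor-hub.mail.demon.net) by punt-3.mail.demon.net "
    "with esmtp id 1BMhqz-00039g-9D for x; Sun, 09 May 2004 06:32:01 +0000",
    "from [218.48.89.135] (helo=194.217.242.75) by anchor-hub.mail.demon.net "
    "with smtp id 1BMhqy-0007YZ-S0 for x; Sun, 09 May 2004 06:32:01 +0000",
    "from [218.48.89.135] by 168.164.67.64 with HTTP; Mon, 10 May 2004 12:28:38 +0200",
]
# Assumptions: the recipient's own mailhosts and the relay address they hand off from.
TRUSTED_BY = {"mailstore", "mail.demon.net"}
OWN_NETS = ["194.217.242.72/32"]


def is_trusted(host, trusted):
    """True if the 'by' host is one of our mailhosts or a subdomain of one."""
    host = host.lower().rstrip(";")
    return any(host == t or host.endswith("." + t) for t in trusted)


def trace_source(received, trusted_by, own_nets):
    """Return (source_ip, notes); source_ip is None if no trusted hop names an outside peer."""
    nets = [ipaddress.ip_network(n) for n in own_nets]
    notes = []
    for i, line in enumerate(received):
        m = HOP_RE.match(line.strip())
        if not m:
            notes.append(f"{i}: unparseable Received line, stopping")
            break
        from_part, by_host = m.group(1), m.group(2)
        if not is_trusted(by_host, trusted_by):
            # Anything a sender could have written is ignored from here down.
            notes.append(f"{i}: written by {by_host}, not one of our mailhosts; "
                         "ignoring this and later headers")
            break
        ip_m = IP_RE.search(from_part)
        if ip_m is None:
            notes.append(f"{i}: internal handoff (no peer IP recorded)")
            continue
        try:
            ip = ipaddress.ip_address(ip_m.group(1))
        except ValueError:
            notes.append(f"{i}: malformed peer IP {ip_m.group(1)}, stopping")
            break
        if not ip.is_global or any(ip in n for n in nets):
            notes.append(f"{i}: internal handoff from {ip}")
            continue
        # First outside peer recorded by a host we trust: the address to look up.
        return str(ip), notes
    return None, notes


if __name__ == "__main__":
    source, notes = trace_source(SAMPLE, TRUSTED_BY, OWN_NETS)
    print("\n".join(notes))
    print("source:", source)
```

The HELO value `194.217.242.75` in the third line is never consulted, and the bottom line is never reached, so neither forged value can steer the lookup.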
Jeff Hendrickson
Hi BaZz,

Thanks for reporting this...

I ran this header here, and came up with the abuse addresses....

INFO@HANANET.NET
HOSTMASTER@NIC.OR.KR
IP-ADM@HANARO.COM

I think this is a valid answer. Is it possible for you to run this message again by itself? I think this might be an IP connection related issue...

Regs -Jeff
Bazz
If you report to any of those addresses you get bounces, so they're in my DNS list.
Spamcop gets the certcc.kr abuse address.
Jeff Hendrickson
Thanks BaZz, I'll look into this further, and see if I can come up with a solution. Because of a few other bounce reports, I think I'm going to add a feature that uses an external resource to look up the best abuse address for a domain....
Bazz
That would be cool.
For general lookups I like whois.geektools.com as it does a lot of the recursive digging for you.