Discussion:
SpamCop doesn't parse routing info correctly
Tristan Miller
2006-04-14 02:00:01 UTC
I'm running into an odd problem where SpamCop fails to correctly identify
the source of an e-mail.

Here's the situation: the spammer in question is a crazy guy who has been
mass mailing his incoherent rants to everyone in his address book for
years. He always uses a Yahoo! Mail account, which he logs into at some
public access library terminal at the University of Arizona. (He has
admitted as much.) When I forward to SpamCop an offending e-mail that I
received at my personal account (***@nothingisreal.com), SpamCop
correctly identifies the source as an IP at the University of Arizona. My
employer (***@worldsocialism.org) is also on the spammer's mailing list.
However, when *they* (or I) send their copy of the very same e-mail to
SpamCop, it fails to identify the source as the University of Arizona.
This is very strange, since both copies of the e-mail contain the same
Received header giving a U of A IP (128.196.165.21 =
PUB-E3.AHSL.Arizona.EDU):

Received: from [128.196.165.21] by web35715.mail.mud.yahoo.com via HTTP;
Wed, 12 Apr 2006 16:07:39 PDT

Both our domains, nothingisreal.com and worldsocialism.org, are hosted by
DreamHost. The only major difference in our setup is that I use fetchmail
to download my mail via POP3 from mail.nothingisreal.com and deliver it to
a local mail server, whereas my employer checks mail via IMAP on
mail.worldsocialism.org.

I reproduce here the headers of the e-mail in question in case anyone wants
to check with SpamCop themselves. (SpamCop seems to allow submission of
headers without a body for parsing purposes.)

Here is the version I received which SpamCop correctly parses. Tracking
URL:
<http://www.spamcop.net/sc?id=z919791081z249ddd61c3743f1bde510714fd343b2az>

Return-Path: <***@yahoo.com>
X-Original-To: ***@localhost
Delivered-To: ***@localhost.worldsocialism.org
Received: from localhost (localhost [127.0.0.1])
by polecat.worldsocialism.org (Postfix) with ESMTP id 04EA6903D9
for <***@localhost>; Thu, 13 Apr 2006 00:15:50 +0100 (BST)
X-Original-To: ***@nothingisreal.com
Delivered-To: ***@randymail-mx2.dreamhost.com
Received: from mail.nothingisreal.com [208.97.132.24]
by localhost with POP3 (fetchmail-6.2.5)
for ***@localhost (single-drop); Thu, 13 Apr 2006 00:15:50 +0100 (BST)
Received: from web35715.mail.mud.yahoo.com (web35715.mail.mud.yahoo.com
[66.163.179.169])
by randymail-mx2.dreamhost.com (Postfix) with SMTP id B492913B3E0
for <***@nothingisreal.com>; Wed, 12 Apr 2006 16:07:40 -0700 (PDT)
Received: (qmail 4652 invoked by uid 60001); 12 Apr 2006 23:07:39 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.com;

h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding;

b=rb80uMH7Kp4m/VGyzMC0i7vOkVAkMZ4UCxjNcwT5NIAsa2OhjLIOQiGfDr5u3GeGDVNiJh5gP4IrizKokJRF8JJ22pQ9LRZonUf2+SImTvUXUDFs1tQ9LHS8Y5VA/E/nM4GsuqMwaKflXpB9gec0jEg2CTyAnB6DWWQPf8/MIZw= ;
Message-ID: <***@web35715.mail.mud.yahoo.com>
Received: from [128.196.165.21] by web35715.mail.mud.yahoo.com via HTTP;
Wed, 12 Apr 2006 16:07:39 PDT
Date: Wed, 12 Apr 2006 16:07:39 -0700 (PDT)
From: L-ightist Economist <***@yahoo.com>
Subject: Fwd: Re: JB: Emails Violated and Erased by Unknown; Cannot
Respond Immediately...EXPEL ME

Here is the version my employer received which SpamCop doesn't correctly
parse. Tracking URL:
<http://www.spamcop.net/sc?id=z919793041z85093855a4505837202f64fc298ebaa6z>

Return-Path: <***@yahoo.com>
X-Original-To: ***@worldsocialism.org
Delivered-To: ***@randymail-mx1.dreamhost.com
Received: from enforcer.dreamhost.com (enforcer.dreamhost.com
[66.33.220.4])
by randymail-mx1.dreamhost.com (Postfix) with ESMTP id D18C434339
for <***@worldsocialism.org>; Wed, 12 Apr 2006 16:07:47 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
by enforcer.dreamhost.com (Postfix) with ESMTP id AE0C017D010
for <***@worldsocialism.org>; Wed, 12 Apr 2006 16:07:47 -0700 (PDT)
Received: from enforcer.dreamhost.com ([127.0.0.1])
by localhost (enforcer [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 04356-06 for <***@worldsocialism.org>;
Wed, 12 Apr 2006 16:07:46 -0700 (PDT)
Received: from hesl01uker.he.local (smtpout.btconnect.com [213.123.26.90])
by enforcer.dreamhost.com (Postfix) with ESMTP id ED6DF17D025
for <***@worldsocialism.org>; Wed, 12 Apr 2006 16:07:45 -0700 (PDT)
Received: from c2bthimr02.btconnect.com ([194.73.73.202]) by
hesl01uker.he.local with Microsoft SMTPSVC(6.0.3790.211);
Thu, 13 Apr 2006 00:07:42 +0100
Received: from web35715.mail.mud.yahoo.com (web35715.mail.mud.yahoo.com
[66.163.179.169])
by c2bthimr02.btconnect.com (MOS 3.5.9-GR)
with SMTP id FRP26850;
Thu, 13 Apr 2006 00:06:54 +0100 (BST)
Received: (qmail 4652 invoked by uid 60001); 12 Apr 2006 23:07:39 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.com;

h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding;

b=rb80uMH7Kp4m/VGyzMC0i7vOkVAkMZ4UCxjNcwT5NIAsa2OhjLIOQiGfDr5u3GeGDVNiJh5gP4IrizKokJRF8JJ22pQ9LRZonUf2+SImTvUXUDFs1tQ9LHS8Y5VA/E/nM4GsuqMwaKflXpB9gec0jEg2CTyAnB6DWWQPf8/MIZw= ;
Message-ID: <***@web35715.mail.mud.yahoo.com>
Received: from [128.196.165.21] by web35715.mail.mud.yahoo.com via HTTP;
Wed, 12 Apr 2006 16:07:39 PDT
Date: Wed, 12 Apr 2006 16:07:39 -0700 (PDT)
From: L-ightist Economist <***@yahoo.com>
Subject: Fwd: Re: JB: Emails Violated and Erased by Unknown; Cannot
Respond Immediately...EXPEL ME
--
_
_V.-o Tristan Miller [en,(fr,de,ia)] >< Space is limited
/ |`-' -=-=-=-=-=-=-=-=-=-=-=-=-=-=-= <> In a haiku, so it's hard
(7_\\ http://www.nothingisreal.com/ >< To finish what you
Mike Easter
2006-04-14 03:26:23 UTC
Using cite marks per par instead of per line to prevent shortlines.
Post by Tristan Miller
I'm running into an odd problem where SpamCop fails to correctly
identify the source of an e-mail.

Correct. SC breaks the parse chain prematurely on one of your examples
because of a noncompliant server.
Post by Tristan Miller
When I forward to SpamCop an offending e-mail that I received at my
personal account (***@nothingisreal.com), SpamCop correctly
identifies the source as an IP at the University of Arizona.

Using SC to determine the source of this kind of mail is appropriate,
but you shouldn't be SC reporting these as spam -- I'm assuming that you
are not.
Post by Tristan Miller
list. However, when they (or I) send their copy of the very same e-mail
to SpamCop, it fails to identify the source as the University of
Arizona.

Correct. SC correctly parses yours at nothingisreal; SC incorrectly
parses the worldsocialism because there is a noncompliant MTA mailserver
in the chain..
Post by Tristan Miller
This is very strange, since both copies of the e-mail contain the same
Received header giving a U of A IP (128.196.165.21 =
PUB-E3.AHSL.Arizona.EDU):

Yes, but there is a lot between the sourceline and the last MTA. SC
trips on the way for worldsocialism because of a noncompliant server
line. See abbreviated headers below.
Post by Tristan Miller
Both our domains, nothingisreal.com and worldsocialism.org, are hosted
by DreamHost. The only major difference in our setup is that I use
fetchmail to download my mail via POP3 from mail.nothingisreal.com and
deliver it to a local mail server, whereas my employer checks mail via
IMAP on mail.worldsocialism.org.

The headers are distinctly different.
Post by Tristan Miller
Here is the version I received which SpamCop correctly parses.
Abbreviated Received tracelines *comment
from localhost (localhost [127.0.0.1]) by polecat.worldsocialism.org
*serves you
from mail.nothingisreal.com [208.97.132.24] by localhost *serves you
from (web35715.mail.mud.yahoo.com [66.163.179.169]) by
randymail-mx2.dreamhost.com *serves you
from [128.196.165.21] by web35715.mail.mud.yahoo.com *sourceline

SC correctly parses those lines by chaining from each upper 'from' field
IP to each lower 'by' field domainname.
Post by Tristan Miller
Here is the version my employer received which SpamCop doesn't
correctly parse.

Abbreviated Received tracelines *comment
from enforcer.dreamhost.com [66.33.220.4]) by
randymail-mx1.dreamhost.com *serves recipient
from localhost (localhost [127.0.0.1]) by enforcer.dreamhost.com
*serves recipient
from enforcer.dreamhost.com ([127.0.0.1]) by localhost *serves
recipient
from hesl01uker.he.local (smtpout.btconnect.com [213.123.26.90]) by
enforcer.dreamhost.com *serves recipient, funky helo
from c2bthimr02.btconnect.com ([194.73.73.202]) by hesl01uker.he.local
*serves recipient, funky line
from (web35715.mail.mud.yahoo.com [66.163.179.169]) by
c2bthimr02.btconnect.com *serves recipient
from [128.196.165.21] by web35715.mail.mud.yahoo.com *sourceline

SC incorrectly parses those lines because it breaks the chain
prematurely because of the funky 213.123.26.90 rDNS
smtpout.btconnect.com which is handling its Received traceline
non-compliantly.

It is calling itself hesl01uker.he.local in its line that it stamps # 5
from the top and SC cannot associate the IP with that name. As a
result, SC cannot get past the IP 213.123.26.90 and 'has to' name it as
source.

If that recipient were reporting spam with spamcop, they would have to
configure themselves with mailhosting, because SC would always name that
server as the source of any mail with such headers.

In the above headers, the item goes from source 128 > mud.yahoo >
btconnect > dreamhost

The bad server line belongs to btconnect.

In your headers, the item goes from source 128 > dreamhost without the
intervening btconnect, so the bad line does not appear in your headers.
--
Mike Easter
kibitzer, not SC admin
Mike Easter
2006-04-14 03:38:59 UTC
Post by Mike Easter
In your headers, the item goes from source 128 > dreamhost without the
intervening btconnect, so the bad line does not appear in your
headers.
I accidentally left out yahoo.

In your headers, the item goes from source 128 > mud.yahoo > dreamhost
without the intervening btconnect, so the bad line does not appear in
your headers.
--
Mike Easter
kibitzer, not SC admin
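The chain walk Mike describes above, as an added example that is not SpamCop's own parser: it reads the Received: lines of both copies (constructed here from the headers quoted earlier, trimmed to their from/by clauses), walks them newest-hop-first, and accepts a hop only if its 'by' host is one of the reporter's mailhosts or resolves to the IP the hop above recorded in its 'from'. The DNS table is a constructed stand-in for live lookups, the mailhost sets and the BTCONNECT_RELAYS names are assumptions for the illustration, and the function names are mine.

```python
"""Walk a Received: chain newest-hop-first the way the thread describes
SpamCop doing it.  Added illustration, not SpamCop's own parser."""
import re

# Constructed stand-in for live forward-DNS lookups.  The entries are the
# rDNS names the receiving MTAs stamped into the headers quoted above.
# hesl01uker.he.local is deliberately absent: a .local name does not
# resolve in public DNS, so nothing ties it to 213.123.26.90.
DNS = {
    "localhost": "127.0.0.1",
    "mail.nothingisreal.com": "208.97.132.24",
    "web35715.mail.mud.yahoo.com": "66.163.179.169",
    "enforcer.dreamhost.com": "66.33.220.4",
    "smtpout.btconnect.com": "213.123.26.90",
    "c2bthimr02.btconnect.com": "194.73.73.202",
}

# Received: lines from the two copies quoted above, trimmed to their
# from/by clauses (queue ids, dates and recipient addresses dropped).
NOTHINGISREAL = "\n".join([
    "Received: from localhost (localhost [127.0.0.1])",
    "\tby polecat.worldsocialism.org (Postfix) with ESMTP",
    "Received: from mail.nothingisreal.com [208.97.132.24]"
    " by localhost with POP3 (fetchmail-6.2.5)",
    "Received: from web35715.mail.mud.yahoo.com"
    " (web35715.mail.mud.yahoo.com [66.163.179.169])",
    "\tby randymail-mx2.dreamhost.com (Postfix) with SMTP",
    "Received: (qmail 4652 invoked by uid 60001)",
    "Received: from [128.196.165.21] by web35715.mail.mud.yahoo.com via HTTP",
])
WORLDSOCIALISM = "\n".join([
    "Received: from enforcer.dreamhost.com (enforcer.dreamhost.com [66.33.220.4])",
    "\tby randymail-mx1.dreamhost.com (Postfix) with ESMTP",
    "Received: from localhost (localhost [127.0.0.1])",
    "\tby enforcer.dreamhost.com (Postfix) with ESMTP",
    "Received: from enforcer.dreamhost.com ([127.0.0.1])",
    "\tby localhost (enforcer [127.0.0.1]) (amavisd-new, port 10024) with ESMTP",
    "Received: from hesl01uker.he.local (smtpout.btconnect.com [213.123.26.90])",
    "\tby enforcer.dreamhost.com (Postfix) with ESMTP",
    "Received: from c2bthimr02.btconnect.com ([194.73.73.202])",
    "\tby hesl01uker.he.local with Microsoft SMTPSVC(6.0.3790.211)",
    "Received: from web35715.mail.mud.yahoo.com"
    " (web35715.mail.mud.yahoo.com [66.163.179.169])",
    "\tby c2bthimr02.btconnect.com (MOS 3.5.9-GR) with SMTP",
    "Received: (qmail 4652 invoked by uid 60001)",
    "Received: from [128.196.165.21] by web35715.mail.mud.yahoo.com via HTTP",
])

# The recipient's own receiving hosts (Mike's "serves you" lines).
NIR_MAILHOSTS = {"polecat.worldsocialism.org", "localhost",
                 "randymail-mx2.dreamhost.com"}
WS_MAILHOSTS = {"randymail-mx1.dreamhost.com", "enforcer.dreamhost.com",
                "localhost"}
# Assumed: what a mailhost entry for the forwarding btconnect.com
# address has to cover for the chain to get past the he.local line.
BTCONNECT_RELAYS = {"hesl01uker.he.local", "c2bthimr02.btconnect.com"}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOP_RE = re.compile(r"^from\s+(\S+)(.*?)\s+by\s+([^\s;(]+)", re.S)
RDNS_RE = re.compile(r"\(([A-Za-z0-9.-]+)\s+\[")


def unfold(raw):
    """Join folded continuation lines; return [name, value] pairs."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1][1] += " " + line.strip()
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append([name.strip().lower(), value.strip()])
    return fields


def parse_hops(raw):
    """Received: hops, top (newest) first.  Lines with no 'from ... by'
    pair, such as qmail's 'invoked by uid', carry no hop and are skipped."""
    hops = []
    for name, value in unfold(raw):
        m = HOP_RE.match(value) if name == "received" else None
        if not m:
            continue
        helo, middle, by = m.groups()
        ip = IP_RE.search(helo + middle)
        rdns = RDNS_RE.search(middle)
        hops.append({"helo": helo, "ip": ip and ip.group(1),
                     "rdns": rdns and rdns.group(1), "by": by.lower()})
    return hops


def trace_source(raw, mailhosts):
    """Return (source_ip, note).  A hop is trusted if its 'by' host is one
    of the reporter's mailhosts, or if that name resolves to the IP the
    hop above recorded in its 'from'.  The HELO name is never consulted:
    the connecting client chooses it, so it proves nothing."""
    prev_ip = None
    for n, hop in enumerate(parse_hops(raw), 1):
        if hop["by"] in mailhosts:
            pass                                    # "serves you"
        elif prev_ip is not None and DNS.get(hop["by"]) == prev_ip:
            pass                                    # by-name == upper from-IP
        else:
            return prev_ip, ("hop %d: receiving system %s not associated "
                             "with %s; will not trust anything beyond it"
                             % (n, hop["by"], prev_ip))
        prev_ip = hop["ip"]
    return prev_ip, "chain walked to its end"


if __name__ == "__main__":
    print(trace_source(NOTHINGISREAL, NIR_MAILHOSTS))
    print(trace_source(WORLDSOCIALISM, WS_MAILHOSTS))
    print(trace_source(WORLDSOCIALISM, WS_MAILHOSTS | BTCONNECT_RELAYS))
```

Run stand-alone, the first call walks the nothingisreal copy to 128.196.165.21; the second stops at the fifth hop of the worldsocialism copy and names 213.123.26.90, because the line that claims to have been received "by hesl01uker.he.local" cannot be tied to the IP the line above recorded, and the HELO name the same machine offered is attacker-controlled and so is ignored; the third shows why declaring the btconnect relays as mailhosts lets the walk continue to the library IP. The same strictness is what stops a forged Received: line appended at the bottom of a message from moving the blame onto some other address: a lower hop whose 'by' name does not resolve to the upper hop's IP is simply not trusted. A real implementation does live DNS lookups where this one consults the DNS table, and the cost of the rule is the one Mike describes: a reporter who has not declared their own forwarders will see the last verifiable hop, their own relay, reported as the source.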
Tristan Miller
2006-04-14 12:52:03 UTC
Greetings.
Post by Mike Easter
Post by Tristan Miller
When I forward to SpamCop an offending e-mail that I received at my
personal account (***@nothingisreal.com), SpamCop correctly
identifies the source as an IP at the University of Arizona.
Using SC to determine the source of this kind of mail is appropriate,
but you shouldn't be SC reporting these as spam -- I'm assuming that you
are not.
Why shouldn't I be? As far as I can tell from the FAQ on what is
appropriate to report as spam
<http://www.spamcop.net/fom-serve/cache/125.html>, these messages qualify.
They are both unsolicited and bulk. The sender has been sending them
(sometimes several a day) to a large and growing mailing list of people
for years. He refuses to stop sending mail despite repeated requests.
AFAIK nobody has opted in to his list; in fact, people sometimes use
"Reply to all" to complain and ask how to get rid of him. He tries to
circumvent filters and block lists by using public access terminals in
libraries and creating new Yahoo! Mail accounts every few weeks. I think
this fits the definition of spam listed in the FAQ.
Post by Mike Easter
Correct. SC correctly parses yours at nothingisreal; SC incorrectly
parses the worldsocialism because there is a noncompliant MTA mailserver
in the chain..
OK, perhaps I should report this to BT Connect, then.

Regards,
Tristan
--
_
_V.-o Tristan Miller [en,(fr,de,ia)] >< Space is limited
/ |`-' -=-=-=-=-=-=-=-=-=-=-=-=-=-=-= <> In a haiku, so it's hard
(7_\\ http://www.nothingisreal.com/ >< To finish what you
Mike Easter
2006-04-14 13:30:31 UTC
Post by Tristan Miller
Post by Mike Easter
Using SC to determine the source of this kind of mail is appropriate,
but you shouldn't be SC reporting these as spam -- I'm assuming that
you are not.
Why shouldn't I be?
My thoughts were not that it wasn't unsolicited and unwanted, but more
that the 'butt' of a SC report, the arizona.edu spamsource, might be
'misdirected' [sorta] and if listed could potentially cause 'collateral'
damage. But, OTOH, maybe it isn't a library terminal at all. And, on
another hand, maybe a spamcop report might cause some interest on
arizona.edu's part.

In reality, the entity which should be taking action is yahoo against
its webmailer account ***@yahoo.com so if I were manually
reporting, I would be 'talking' to yahoo. But, I see below that s/he
adds new yahoo accounts, or rather perhaps just changes from one to
another without losing any..

It is hard to say what 128.196.165.21 rDNS PUB-E3.AHSL.Arizona.EDU
really is, because you can't trust your antagonist to be telling the
truth about that, but it seems that 'correspondence' with the arin
listed contact ***@arizona.edu with a manual notify, just like the
manual notify to yahoo, would be more 'interesting' than simply
performing a SC report.
Post by Tristan Miller
mass mailing his incoherent rants to everyone in his address book for
years. He always uses a Yahoo! Mail account, which he logs into at
some public access library terminal at the University of Arizona. (He
has admitted as much.)
He tries to circumvent filters and block lists by using
public access terminals in libraries and creating new Yahoo! Mail
accounts every few weeks. I think this fits the definition of spam
listed in the FAQ.
It is unwanted and unsolicited -- it isn't typical spam. It is more
like 'social' spam, being on someone's mailing list you don't want to be
on. As a result of its difference from typical spam, the typical
spamcop report isn't really quite on the money, ie accurately directed.
Unless maybe that isn't a library terminal but a dormitory access.
Post by Tristan Miller
Post by Mike Easter
Correct. SC correctly parses yours at nothingisreal; SC incorrectly
parses the worldsocialism because there is a noncompliant MTA
mailserver in the chain..
OK, perhaps I should report this to BT Connect, then.
I'm still trying to figure out why that btconnect is in there. I'm now
thinking it is part of the apparatus for yahoo. Server admins are often
'reluctant' to improve on their configuration -- because it isn't really
bothering /them/ - it just doesn't parse right. If your employer
recipient were reporting spams which named the btconnect server, they
might get SCbl listed and interested.
--
Mike Easter
kibitzer, not SC admin
Tristan Miller
2006-04-14 15:10:45 UTC
Greetings.
Post by Mike Easter
Post by Tristan Miller
Post by Mike Easter
Using SC to determine the source of this kind of mail is appropriate,
but you shouldn't be SC reporting these as spam -- I'm assuming that
you are not.
Why shouldn't I be?
My thoughts were not that it wasn't unsolicited and unwanted, but more
that the 'butt' of a SC report, the arizona.edu spamsource, might be
'misdirected' [sorta] and if listed could potentially cause 'collateral'
damage. But, OTOH, maybe it isn't a library terminal at all. And, on
another hand, maybe a spamcop report might cause some interest on
arizona.edu's part.
I sent a manual report to ***@arizona.edu a few days ago and got a
response back from an IT administrator. They've confirmed that the source
is a public access library terminal. This is in line with what the
spammer himself admits -- he makes no attempt to disguise his identity,
freely giving out his name, birthdate, photograph, and often mentions that
he's sending his mails from a public library terminal. As I said, we're
pretty sure he's mentally ill. His e-mails consist of nothing but
incoherent rants that go on for pages and pages about the World Socialist
Party of the United States, of which his late father was a member. This
apparently explains his choice of spam recipients -- I recognize some of
the e-mail addresses as belonging to members and departments of the WSPUS
and affiliated parties overseas.
Post by Mike Easter
In reality, the entity which should be taking action is yahoo against
its webmailer account ***@yahoo.com so if I were manually
reporting, I would be 'talking' to yahoo.
I've been manually reporting to Yahoo! for months and they never take any
action. At worst the reports are ignored, and at best I get an automated
response.
Post by Mike Easter
Post by Tristan Miller
Post by Mike Easter
Correct. SC correctly parses yours at nothingisreal; SC incorrectly
parses the worldsocialism because there is a noncompliant MTA
mailserver in the chain..
OK, perhaps I should report this to BT Connect, then.
I'm still trying to figure out why that btconnect is in there. I'm now
thinking it is part of the apparatus for yahoo. Server admins are often
'reluctant' to improve on their configuration -- because it isn't really
bothering /them/ - it just doesn't parse right. If your employer
recipient were reporting spams which named the btconnect server, they
might get SCbl listed and interested.
My employer is receiving the spam at ***@worldsocialism.org. The spammer
is sending to ***@btconnect.com, an obsolete address which
forwards to ***@worldsocialism.org.

I've since set up mailhosts for my employer's SpamCop account. The
automatic configuration wouldn't work for ***@btconnect.com,
but the administrators waived it. SpamCop now correctly identifies the
University of Arizona IP for the spam.

Regards,
Tristan
--
_
_V.-o Tristan Miller [en,(fr,de,ia)] >< Space is limited
/ |`-' -=-=-=-=-=-=-=-=-=-=-=-=-=-=-= <> In a haiku, so it's hard
(7_\\ http://www.nothingisreal.com/ >< To finish what you
Mike Easter
2006-04-14 15:52:10 UTC
Post by Tristan Miller
This is in line with
what the spammer himself admits -- he makes no attempt to disguise
his identity, freely giving out his name, birthdate, photograph, and
often mentions that he's sending his mails from a public library
terminal. As I said, we're pretty sure he's mentally ill.
Oh, I see. I'm beginning to get the picture.
Post by Tristan Miller
His
e-mails consist of nothing but incoherent rants that go on for pages
and pages about the World Socialist Party of the United States, of
which his late father was a member. This apparently explains his
choice of spam recipients -- I recognize some of the e-mail addresses
as belonging to members and departments of the WSPUS and affiliated
parties overseas.
He is simply proselytizing his point of view to 'you' people --- who
don't want to hear it. I'm surprised there isn't some clever way to
filter him out, depending upon what kind of filter tools you have at
your disposal.
Post by Tristan Miller
I've been manually reporting to Yahoo! for months and they never take
any action. At worst the reports are ignored, and at best I get an
automated response.
That would be yahoo all right. They simply consider this
'correspondence'.
Post by Tristan Miller
Post by Mike Easter
I'm still trying to figure out why that btconnect is in there.
Ah, so! I now understand the btconnect being in there perfectly.
Post by Tristan Miller
I've since set up mailhosts for my employer's SpamCop account. The
automatic configuration wouldn't work for ***@btconnect.com,
but the administrators waived it.
Waived? I don't understand that yet.
Post by Tristan Miller
SpamCop now correctly identifies the University of Arizona IP for the
spam.
Not according to what I see at your originally posted employer's header
example
http://www.spamcop.net/sc?id=z919793041z85093855a4505837202f64fc298ebaa6z

Supposed receiving system not associated with any of your mailhosts

If reported today, reports would be sent to:
Re: 213.123.26.90 (Administrator of network where email originates)
Internal spamcop handling: (bt)

That tracker shows a mailhosted account, but since the btconnect
mailhosting wouldn't work for some reason I don't understand, the
spamsource isn't correctly identified.

That is, SC is still tripping on the same place for the same reason. If
you had been successful at mailhosting the btconnect, the parse result
would be/ should be/ correct.
--
Mike Easter
kibitzer, not SC admin
Tristan Miller
2006-04-14 20:51:23 UTC
Greetings.
Post by Mike Easter
He is simply proselytizing his point of view to 'you' people --- who
don't want to hear it. I'm surprised there isn't some clever way to
filter him out, depending upon what kind of filter tools you have at
your disposal.
As an experienced user, I have no problem filtering out his messages.
However, the same cannot be said for the dozens (hundreds?) of other
people he spams. My employer and various other people on his mailing list
want to know how to block him. Rather than prepare twenty different
responses giving instructions for each person's particular combination of
operating system and software, I figure it's best to tell everyone to
report the problem to SpamCop and hope that Yahoo! and/or his ISPs
permanently suspend him for TOS violations.
Post by Mike Easter
Post by Tristan Miller
I've since set up mailhosts for my employer's SpamCop account. The
automatic configuration wouldn't work for ***@btconnect.com,
but the administrators waived it.
Waived? I don't understand that yet.
When the automated mailhosts configuration failed, the SpamCop web page
gave me an option to request manual configuration by a SpamCop
administrator. They call this a "waiver".
Post by Mike Easter
Post by Tristan Miller
SpamCop now correctly identifies the University of Arizona IP for the
spam.
Not according to what I see at your originally posted employer's header
example
http://www.spamcop.net/sc?id=z919793041z85093855a4505837202f64fc298ebaa6z
That was an old submission. Submissions made after mailhosts configuration
are processed correctly.

Regards,
Tristan
--
_
_V.-o Tristan Miller [en,(fr,de,ia)] >< Space is limited
/ |`-' -=-=-=-=-=-=-=-=-=-=-=-=-=-=-= <> In a haiku, so it's hard
(7_\\ http://www.nothingisreal.com/ >< To finish what you
Mike Easter
2006-04-14 21:17:37 UTC
Post by Tristan Miller
I figure it's best to
tell everyone to report the problem to SpamCop and hope that Yahoo!
and/or his ISPs permanently suspend him for TOS violations.
Considering some of the elements of this particular issue, ie he is a
known and identifiable meatspace identity who sounds pretty whacky such
that the recipients of his missives consider him to be mentally ill --
and have for some time -- and that he posts from the Arizona Health
Sciences Library IP via yahoo webmailer accounts, I find myself
wondering if his composing and mailing these essays might be
'therapeutic' for him.
Post by Tristan Miller
When the automated mailhosts configuration failed, the SpamCop web
page gave me an option to request manual configuration by a SpamCop
administrator. They call this a "waiver".
Hmm. Interesting use of the word.
Post by Tristan Miller
Post by Mike Easter
Post by Tristan Miller
SpamCop now correctly identifies the University of Arizona IP for
the spam.
Not according to what I see at your originally posted employer's
header example
http://www.spamcop.net/sc?id=z919793041z85093855a4505837202f64fc298ebaa6z
Post by Tristan Miller
That was an old submission. Submissions made after mailhosts
configuration are processed correctly.
When I parsed that tracker at the beginning of this conversation, it
didn't parse as a mailhost. Since then, you said that the account which
corresponds to that tracker has become mailhosted, and in fact, it
parses with the appearance of a mailhosted account.

But, even tho' it parses with the appearance of a mailhosted account
called 'gountchev' now, as opposed to before when the thread started,
the mailhosted account does not have the whacky btconnect server calling
itself hesl01uker.he.local in its Received traceline associated with the
gountchev account. SC sez

<snip>
4: Received: from c2bthimr02.btconnect.com ([194.73.73.202]) by
hesl01uker.he.local with Microsoft SMTPSVC(6.0.3790.211); Thu, 13 Apr
2006 00:07:42 +0100
Hostname verified: c2bthimr02.btconnect.com

Possible forgery. Supposed receiving system not associated with any of
your mailhosts
Will not trust anything beyond this header
</snip>

Where 'supposed receiving system' being mentioned is hesl01uker.he.local

Perhaps the deputy manually configured the mailhost for some whacky name
or another that s/he saw, such as hesl02uker.he.local [there is such a
server as that] or some other -- or perhaps when there is a manual
configuration, things don't work the same as expected.

I'm just guessing that the mailhost configuring for the btconnect server
family is incomplete.
--
Mike Easter
kibitzer, not SC admin
Guy Macon
2006-04-14 17:40:37 UTC
Post by Mike Easter
It is hard to say what 128.196.165.21 rDNS PUB-E3.AHSL.Arizona.EDU
really is, because you can't trust your antagonist to be telling the
truth about that
There is a reasonable chance that it is this: [
http://www.ahsl.arizona.edu/computing/ ].
If so, this usage violates [
http://www.ahsl.arizona.edu/policies/usepolicy.cfm ].

I have found that sending snailmail is often more effective than email
when dealing with universities, so the OP might wish to drop a stamp on
the user if email fails.
Mike Easter
2006-04-14 18:47:53 UTC
"Mike Easter"
Post by Mike Easter
It is hard to say what 128.196.165.21 rDNS PUB-E3.AHSL.Arizona.EDU
really is,
There is a reasonable chance that it is this: [
http://www.ahsl.arizona.edu/computing/ ].
If so, this usage violates [
http://www.ahsl.arizona.edu/policies/usepolicy.cfm ].
Ah so, the Arizona Health Sciences Library branch. I certainly agree
with that.

There are also a supervisor and a computer operator

Staff:

Jose Solorzano
Supervisor
***@ahsl.arizona.edu
520-626-2738

Tessie O'Talley
Computer Operator
***@ahsl.arizona.edu
520-626-6707
Post by Guy Macon
I have found that sending snailmail is often more effective
Arizona Health Sciences Center
3rd Floor Rm 3215
1501 N Campbell Ave
Tucson, AZ 85724

As to blocking things from ahsl.arizona.edu, I'll bet if you tagged
everything from 128.196.164.0/23 so that you would get 128.196.164.0 -
128.196.165.255 that all of the ahsl stuff would be in there. This item
is from .165.21 and the MX for the ahsl names is in .164.2 .

My SpamPal can tag on IPs and IP ranges.
--
Mike Easter
kibitzer, not SC admin
Tristan Miller
2006-04-14 20:55:59 UTC
Greetings.
Post by Mike Easter
Post by Guy Macon
Post by Mike Easter
It is hard to say what 128.196.165.21 rDNS PUB-E3.AHSL.Arizona.EDU
really is,
There is a reasonable chance that it is this: [
http://www.ahsl.arizona.edu/computing/ ].
If so, this usage violates [
http://www.ahsl.arizona.edu/policies/usepolicy.cfm ].
Ah so, the Arizona Health Sciences Library branch. I certainly agree
with that.
There are also a supervisor and a computer operator
Jose Solorzano
Supervisor
520-626-2738
Tessie O'Talley
Computer Operator
520-626-6707
Post by Guy Macon
I have found that sending snailmail is often more effective
Arizona Health Sciences Center
3rd Floor Rm 3215
1501 N Campbell Ave
Tucson, AZ 85724
Thanks for this information. I'll try writing and/or calling next week.

Regards,
Tristan
--
_
_V.-o Tristan Miller [en,(fr,de,ia)] >< Space is limited
/ |`-' -=-=-=-=-=-=-=-=-=-=-=-=-=-=-= <> In a haiku, so it's hard
(7_\\ http://www.nothingisreal.com/ >< To finish what you
Frog Prince
2006-04-16 13:36:41 UTC
"Guy Macon"

| >It is hard to say what 128.196.165.21 rDNS PUB-E3.AHSL.Arizona.EDU
| >really is, because you can't trust your antagonist to be telling the
| >truth about that
|
| There is a reasonable chance that it is this: [
| http://www.ahsl.arizona.edu/computing/ ].
| If so, this usage violates [
| http://www.ahsl.arizona.edu/policies/usepolicy.cfm ].
|
| I have found that sending snailmail is often more effective than email
| when dealing with universities, so the OP might wish to drop a stamp on
| the user if email fails.
|

I've found, in the few cases where the university did not seem to care
about a complaint, that a CC with a cover letter to the chairperson of the
legislative agency controlling the funding of the university, about the
abuse and lack of response, usually gets the attention of someone at the
university who will make things happen.

Money talks ... ** walks

Mike Easter
2006-04-14 12:14:54 UTC
Post by Tristan Miller
Here is the version my employer received which SpamCop doesn't
correctly parse.
There's something about those headers I don't understand.

worldsocialism.org has MXes

fltr-in1.mail.dreamhost.com A (Address) 66.33.206.230
fltr-in2.mail.dreamhost.com A (Address) 66.33.206.231

... which call themselves enforcer and deathwish

So it would seem that the yahoo server should send to mail.dreamhost
[enforcer or deathwish] instead of using the btconnect.

The item goes from source 128 > mud.yahoo > btconnect > dreamhost --
specifically...

Abbreviated partial Received tracelines *comment changed
from hesl01uker.he.local (smtpout.btconnect.com [213.123.26.90]) by
enforcer.dreamhost.com *serves recipient, funky helo
from c2bthimr02.btconnect.com ([194.73.73.202]) by hesl01uker.he.local
*serves yahoo, funky line
from (web35715.mail.mud.yahoo.com [66.163.179.169]) by
c2bthimr02.btconnect.com *serves yahoo
from [128.196.165.21] by web35715.mail.mud.yahoo.com *sourceline

... so the btconnect belongs to yahoo, as part of its output route; not
the recipient as I had *commented earlier.

I don't understand why yahoo is sending to that btconnect or rather
'using' that btconnect to reach the dreamhost.

nothingisreal.com has MXes

mx1.balanced.randy.mail.dreamhost.com. A 208.97.132.30
mx2.balanced.randy.mail.dreamhost.com. A 208.97.132.31

In the mail which went from mud.yahoo to the nothingisreal, the headers
are as expected for randymail

Abbreviated partial Received tracelines *comment
from (web35715.mail.mud.yahoo.com [66.163.179.169]) by
randymail-mx2.dreamhost.com *serves you
from [128.196.165.21] by web35715.mail.mud.yahoo.com *sourceline

source 128 > mud.yahoo > randymail-mx2.dreamhost.com

So, for worldsocialism.org I'm wondering why didn't mud.yahoo just send
to a mail.dreamhost.com [enforcer or deathwish] instead of using the
btconnect?
--
Mike Easter
kibitzer, not SC admin