[clue-admin] Fwd: [spry.com #430594] [SpamCop (64.79.210.234) id:3189128524]The results of your email commands

Jed S. Baer cluemail at jbaer.cotse.net
Fri Jun 13 22:30:44 MDT 2008


On Thu, 12 Jun 2008 12:21:31 -0600
Jeff Cann wrote:

> This looks not good...

The more I look at this, the weirder it gets. I at least understand part
of it now, but the received chain is messed up.

As an experiment, I sent an e-mail to one of the "request" addresses for
one of the CLUE mailing lists. As expected, I got a response quoting what
I'd sent to it (which wasn't a valid Mailman request). So I've partially
reproduced what happened. Mailman sends back the complete message source,
so I could see what the headers looked like, and they were as I expected
for the chain of delivery from my local machine, through my mail
provider, to CLUE.

But look at this:

> Received: from tee.gr (unknown [77.41.41.253])
>       by cluedenver.org (Postfix) with SMTP id 2D4CB2D4C0B8
>       for <x>;
>       Thu, 12 Jun 2008 05:29:25 -0600 (MDT)
> Received: from 144.202.0.38 (HELO mail02.ops-netman.net)
>       by cluedenver.org with esmtp ({nChar[8-12]} {nChar[4-6]})
>       id tRCxg-Qn6Ge0-Tj
>       for x; Thu, 12 Jun 2008 15:29:29 +0400

This is part of what Mailman sent back to whoever reported us to Spamcop.
Two receives in the chain, both by our server? What's more interesting to
me is that the bottom of the chain is claiming to be the same domain
(ops-netman.net) as that which the Mailman response went through.

$ host oe-consulting.com
oe-consulting.com has address 71.246.230.124
;; Warning: Message parser reports malformed message packet.
oe-consulting.com mail is handled by 20 mail02.ops-netman.net.
oe-consulting.com mail is handled by 30 mail03.ops-netman.net.
oe-consulting.com mail is handled by 10 mail.ops-netman.net.

So, the original mail to clue-cert-request either came from oe-consulting
(or ops-netman.net), or someone spoofed a Received: header knowing that
mail for oe-consulting.com was handled by ops-netman.net. Do spammers or
joe-jobbers really go through all this trouble? Or am I missing something
here?

jed
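The two Received: lines quoted in the post can be checked mechanically. The following is an added example, not code from the post or from the CLUE list software: it parses each trace line, then flags the same receiving host appearing on consecutive hops, a lower hop stamped later than the hop above it (the +0400 line is four seconds after the -0600 line once converted to UTC), and the `{nChar[8-12]}`-style tokens, which I assume to be unexpanded template placeholders rather than anything a real MTA would write. The sample headers are the post's two lines, unfolded onto one line each.

```python
import re
from email.utils import parsedate_to_datetime

# Constructed sample input: the two Received: headers quoted in the post,
# each unfolded onto one line (continuation lines joined by single spaces).
SAMPLE_HEADERS = [
    "Received: from tee.gr (unknown [77.41.41.253]) by cluedenver.org (Postfix)"
    " with SMTP id 2D4CB2D4C0B8 for <x>; Thu, 12 Jun 2008 05:29:25 -0600 (MDT)",
    "Received: from 144.202.0.38 (HELO mail02.ops-netman.net) by cluedenver.org"
    " with esmtp ({nChar[8-12]} {nChar[4-6]}) id tRCxg-Qn6Ge0-Tj for x;"
    " Thu, 12 Jun 2008 15:29:29 +0400",
]

# Minimal shape of a trace line: "from X (comment) by Y ... ; date".
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<from>\S+)(?:\s+\((?P<comment>[^)]*)\))?"
    r"\s+by\s+(?P<by>\S+).*?;\s*(?P<date>.+)$",
    re.DOTALL,
)
# Assumed template placeholder, e.g. {nChar[8-12]}; not something an MTA emits.
TEMPLATE_TOKEN_RE = re.compile(r"\{\w+\[\d+-\d+\]\}")


def parse_received(header):
    """Return dict(from, comment, by, date, ts) or None if the line does not parse."""
    m = RECEIVED_RE.match(header)
    if not m:
        return None
    hop = {k: (v.strip() if v else v) for k, v in m.groupdict().items()}
    try:
        hop["ts"] = parsedate_to_datetime(hop["date"])  # timezone-aware datetime
    except (ValueError, TypeError):
        hop["ts"] = None
    return hop


def audit_chain(headers):
    """Check Received headers (listed top-to-bottom, newest first) for
    inconsistencies; return a list of finding strings, empty when clean."""
    hops = [parse_received(h) for h in headers]
    findings = []
    for i, hop in enumerate(hops):
        if hop is None:
            findings.append(f"hop {i}: unparseable Received line")
            continue
        if TEMPLATE_TOKEN_RE.search(headers[i]):
            findings.append(f"hop {i}: unexpanded template token in header")
        prev = hops[i - 1] if i > 0 else None
        if prev:
            if prev["by"] == hop["by"]:
                findings.append(f"hop {i}: same receiving host as hop {i-1} ({hop['by']})")
            if hop["ts"] and prev["ts"] and hop["ts"] > prev["ts"]:
                findings.append(f"hop {i}: stamped later than hop {i-1}, which received it")
    return findings
```

Running `audit_chain(SAMPLE_HEADERS)` reports all three findings against hop 1, the lower of the two quoted lines.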

