RE: [Declude.JunkMail] Bogus IP in headers
Especially if the mail server is behind any decent firewall. The problem here is that E-mail will almost never come from those IPs. Spoofing a TCP/IP is extremely difficult to do, and

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Bogus IP in headers
> I couldn't locate a message with headers to show you for the Bogus IP: UNIX: localhost, but I did find one of the Bogus IP: ?.?.?.? messages, here are the headers (again, e-mail addresses changed to protect the innocent):
>
> Received: from Unknown/Local ([?.?.?.?]) by mailcity.com; Tue, 23 Sep 2003 00:42:24 -

Here, the IP actually *is* ?.?.?.? per the mailcity.com mailserver. Although Declude JunkMail did determine the correct IP of the source of the E-mail, it did indeed scan 0.0.0.0 in this case. Code has been added for the next release to automatically skip over non-IPs like this.

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.
[Declude.JunkMail] Bogus IP in headers
Scott, looks like people are starting to try and hide their internal IP address through some rather bizarre means. We have been getting quite a few of these (e-mail addresses changed to protect the innocent):

=
09/22/2003 11:00:41 Q38c433940072f11a Bogus IP: UNIX: localhost
09/22/2003 11:00:48 Q38c433940072f11a LBL:3 NOMOREFUNN:2 VISI-RELAY:3 nIPNOTINMX:-3 nNOLEGITCONTENT:-5 HELO-FILTER:-10 REVDNS-FILTER:-5 ALLIGATE-SPAM-L1:1 . Total weight = -14
09/22/2003 11:00:48 Q38c433940072f11a Msg failed LBL (0.0.0.0.lbl.lagengymnastik.dk.). Action=IGNORE.
09/22/2003 11:00:48 Q38c433940072f11a Msg failed NOMOREFUNN (0.0.0.0.no-more-funn.moensted.dk.). Action=WARN.
09/22/2003 11:00:48 Q38c433940072f11a Msg failed VISI-RELAY (Mail from 0.0.0.0 refused -- see http://relays.visi.com/lookup.cgi?ipaddr=0.0.0.0). Action=WARN.
09/22/2003 11:00:48 Q38c433940072f11a Msg failed HELO-FILTER (Message failed HELO-FILTER test (122)). Action=WARN.
09/22/2003 11:00:48 Q38c433940072f11a Msg failed REVDNS-FILTER (Message failed REVDNS-FILTER test (78)). Action=WARN.
09/22/2003 11:00:48 Q38c433940072f11a Msg failed ALLIGATE-SPAM-L1 (Message failed ALLIGATE-SPAM-L1: 12.). Action=WARN.
09/22/2003 11:00:48 Q38c433940072f11a L1 Message OK
09/22/2003 11:00:48 Q38c433940072f11a Subject: ipn Website Focus Group Opportunity
09/22/2003 11:00:48 Q38c433940072f11a From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 198.88.144.42 ID: 4236CADF58
=

And a few of these, as well:

=
09/22/2003 17:43:40 Q9709116000502df7 Bogus IP: ?.?.?.?
09/22/2003 17:43:47 Q9709116000502df7 BLARSBL:2 COMPU:2 LBL:3 NOMOREFUNN:2 VISI-RELAY:3 nNOLEGITCONTENT:-5 GIBBERISH-FILTER:5 HEADERS-FILTER:5 MAILFROM-FILTER:10 NOGIBBERISH-FILTER:-5 REVDNS-FILTER:-10 ALLIGATE-SPAM-L1:1 ALLIGATE-SPAM-L2:2 SNIFFER-GENERAL:12 SPAMCHECK:-3 . Total weight = 24
09/22/2003 17:43:47 Q9709116000502df7 Msg failed BLARSBL (This E-mail came from 209.202.220.160, a potential spam source listed in BLARSBL.). Action=WARN.
09/22/2003 17:43:47 Q9709116000502df7 Msg failed COMPU (Sender IP: 209.202.220.138). Action=WARN.
09/22/2003 17:43:47 Q9709116000502df7 Msg failed LBL (0.0.0.0.lbl.lagengymnastik.dk.). Action=WARN.
09/22/2003 17:43:47 Q9709116000502df7 Msg failed NOMOREFUNN (0.0.0.0.no-more-funn.moensted.dk.). Action=WARN.
09/22/2003 17:43:47 Q9709116000502df7 Msg failed VISI-RELAY (Mail from 0.0.0.0 refused -- see http://relays.visi.com/lookup.cgi?ipaddr=0.0.0.0). Action=WARN.
09/22/2003 17:43:47 Q9709116000502df7 Msg failed IPNOTINMX (). Action=WARN.
09/22/2003 17:43:47 Q9709116000502df7 Msg failed GIBBERISH-FILTER (Message failed GIBBERISH-FILTER test (132)). Action=WARN.
09/22/2003 17:43:47 Q9709116000502df7 Msg failed HEADERS-FILTER (Message failed HEADERS-FILTER test (58)). Action=WARN.
09/22/2003 17:43:47 Q9709116000502df7 Msg failed MAILFROM-FILTER (Message failed MAILFROM-FILTER test (1096)). Action=WARN.
09/22/2003 17:43:47 Q9709116000502df7 Msg failed NOGIBBERISH-FILTER (Message failed NOGIBBERISH-FILTER test (52)). Action=WARN.
09/22/2003 17:43:47 Q9709116000502df7 Msg failed REVDNS-FILTER (Message failed REVDNS-FILTER test (59)). Action=WARN.
09/22/2003 17:43:47 Q9709116000502df7 Msg failed ALLIGATE-SPAM-L1 (Message failed ALLIGATE-SPAM-L1: 30.). Action=WARN.
09/22/2003 17:43:47 Q9709116000502df7 Msg failed ALLIGATE-SPAM-L2 (Message failed ALLIGATE-SPAM-L2: 30.). Action=WARN.
09/22/2003 17:43:47 Q9709116000502df7 Msg failed SNIFFER-GENERAL (Message failed SNIFFER-GENERAL: 63.). Action=WARN.
09/22/2003 17:43:47 Q9709116000502df7 Msg failed SPAMCHECK (Message failed SPAMCHECK: -3.). Action=WARN.
09/22/2003 17:43:47 Q9709116000502df7 Msg failed WEIGHT16-35 (Total weight between 16 and 35.). Action=HOLD.
09/22/2003 17:43:47 Q9709116000502df7 Subject: resume submission
09/22/2003 17:43:47 Q9709116000502df7 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 209.202.220.160 ID: D67DAADE47
=

The problem with this is that if you are using HOPHIGH 1 or greater, JunkMail is running tests against the 0.0.0.0 address and coming back from the IP4R and RHSBLs with a match. I would request that JunkMail be set to never run tests against the 0.0.0.0 IP address, unless that IP address actually shows up in the received headers.

Thanks,
Bill
Re: [Declude.JunkMail] Bogus IP in headers
> Scott, looks like people are starting to try and hide their internal IP address through some rather bizarre means. We have been getting quite a few of these (e-mail addresses changed to protect the innocent):

Do you have the full (or at least all the Received:) headers of such an E-mail? This should only happen if there is a gateway that is not properly recording the IP of the remote mailserver.

> The problem with this is that if you are using HOPHIGH 1 or greater, JunkMail is running tests against the 0.0.0.0 address and coming back from the IP4R and RHSBLs with a match. I would request that JunkMail be set to never run tests against the 0.0.0.0 IP address, unless that IP address actually shows up in the received headers.

Declude JunkMail is already programmed to skip the IP-based spam tests if the IP is 0.0.0.0. Unfortunately, while Declude JunkMail is able to scan multiple hops, there is a wide variety of formats that mailservers use to record IPs (since recording IPs isn't mandatory, some do strange things like include the IP address in a non-standard format within a comment), and there are ways spammers can bypass them. For example, if a mailserver doesn't use the proper format of "from hostname.example.com [192.0.2.25]", but instead uses "from hostname.example.com (192.0.2.25)", then a spammer could use a HELO of [0.0.0.0], which would change that to "from [0.0.0.0] (192.0.2.25)", in which case Declude JunkMail would see the IP as 0.0.0.0 (which in fact it is in this case, according to the RFCs). Hopefully, from the headers, I will be able to see if Declude JunkMail can be doing anything differently to handle this, and see why it may be looking up 0.0.0.0.

-Scott
Re: [Declude.JunkMail] Bogus IP in headers
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]

> Do you have the full (or at least all the Received:) headers of such an E-mail?

I couldn't locate a message with headers to show you for the Bogus IP: UNIX: localhost, but I did find one of the Bogus IP: ?.?.?.? messages, here are the headers (again, e-mail addresses changed to protect the innocent):

=
Received: from gw1.pointshare.com [204.189.38.4] by intramail01.pointshare.net with ESMTP (SMTPD32-8.02) id A70911600050; Mon, 22 Sep 2003 17:42:49 -0700
Received: from lycos.com (www3.mail.lycos.com [209.202.220.160]) by gw1.pointshare.com (Mail Gateway) with SMTP id D67DAADE47 for [EMAIL PROTECTED]; Mon, 22 Sep 2003 17:42:43 -0700 (PDT)
Received: from Unknown/Local ([?.?.?.?]) by mailcity.com; Tue, 23 Sep 2003 00:42:24 -
To: [EMAIL PROTECTED]
Date: Mon, 22 Sep 2003 20:42:24 -0400
From: Anish Ray [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
Mime-Version: 1.0
X-Sent-Mail: off
Reply-To: [EMAIL PROTECTED]
X-Mailer: MailCity Service
X-Priority: 3
Subject: resume submission
X-Sender-Ip: 140.142.172.166
Organization: Lycos Mail (http://www.mail.lycos.com:80)
Content-Type: multipart/mixed; boundary==_-=_-IMMLKNJOFNOHJHAA
Content-Transfer-Encoding: 7bit
X-IMAIL-SPAM-VALFROM: (291504208)
X-Alligate-In: FAILED - Score Adult: 9 (Req: 35) Spam: 21 (Req: 50) Tot: 30 (Req: 6)
X-Alligate-Tracking: 68886B86F3287CD0
X-Alligate-Signature: 884897994
X-Alligate-SpoolFile: D9709116000502df7.SMD
X-Alligate-Sender: [EMAIL PROTECTED] [209.202.220.160]
X-RBL-Warning: BLARSBL: This E-mail came from 209.202.220.160, a potential spam source listed in BLARSBL.
X-RBL-Warning: COMPU: Sender IP: 209.202.220.138
X-RBL-Warning: LBL: 0.0.0.0.lbl.lagengymnastik.dk.
X-RBL-Warning: NOMOREFUNN: 0.0.0.0.no-more-funn.moensted.dk.
X-RBL-Warning: VISI-RELAY: Mail from 0.0.0.0 refused -- see http://relays.visi.com/lookup.cgi?ipaddr=0.0.0.0
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: GIBBERISH-FILTER: Message failed GIBBERISH-FILTER test (132)
X-RBL-Warning: HEADERS-FILTER: Message failed HEADERS-FILTER test (58)
X-RBL-Warning: MAILFROM-FILTER: Message failed MAILFROM-FILTER test (1096)
X-RBL-Warning: NOGIBBERISH-FILTER: Message failed NOGIBBERISH-FILTER test (52)
X-RBL-Warning: REVDNS-FILTER: Message failed REVDNS-FILTER test (59)
X-RBL-Warning: ALLIGATE-SPAM-L1: Message failed ALLIGATE-SPAM-L1: 30.
X-RBL-Warning: ALLIGATE-SPAM-L2: Message failed ALLIGATE-SPAM-L2: 30.
X-RBL-Warning: SNIFFER-GENERAL: Message failed SNIFFER-GENERAL: 63.
X-RBL-Warning: SPAMCHECK: Message failed SPAMCHECK: -3.
X-Declude-Sender: [EMAIL PROTECTED] [209.202.220.160]
X-Note: This e-mail was scanned for viruses filtered for spam
X-Queue-File: D9709116000502df7.SMD - incoming
X-Note: Total spam test weight: 24
=

Bill
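As an added example (not code from Declude, and not written by anyone in this thread), here is a small Python scanner that does what Scott's explanation and Bill's request boil down to: it pulls the address literal out of each Received: line, preferring the RFC 2821 bracket form over a parenthesised one (which is exactly why the "HELO [0.0.0.0]" trick Scott describes yields 0.0.0.0 by the book), and then validates that literal before building an IP4R query name. Hops whose "address" is 0.0.0.0, ?.?.?.? or UNIX: localhost are skipped rather than queried, so the 0.0.0.0.lbl.lagengymnastik.dk lookup in Bill's log never happens. The first three Received: lines are copied from Bill's headers above with the trailing dates trimmed; the last two lines, the example.net hostnames and the hophigh parameter are constructed for this example and do not appear on the page. No DNS is performed, so it runs offline.

```python
import ipaddress
import re

# Received: lines from Bill's headers above (trailing dates trimmed), plus two
# constructed lines: the "HELO [0.0.0.0]" trick Scott describes, sent through a
# gateway that writes the real address in parentheses, and a "UNIX: localhost"
# placeholder of the kind behind Bill's first log excerpt.
RECEIVED = [
    "from gw1.pointshare.com [204.189.38.4] by intramail01.pointshare.net "
    "with ESMTP (SMTPD32-8.02) id A70911600050",
    "from lycos.com (www3.mail.lycos.com [209.202.220.160]) by gw1.pointshare.com "
    "(Mail Gateway) with SMTP id D67DAADE47",
    "from Unknown/Local ([?.?.?.?]) by mailcity.com",
    "from [0.0.0.0] (192.0.2.25) by gw.example.net with SMTP",       # constructed
    "from webmail (UNIX: localhost) by mail.example.net with SMTP",  # constructed
]

FROM_CLAUSE = re.compile(r"\s*from\s+(?P<from>.*?)\s+by\s", re.I | re.S)


def extract_ip(received):
    """Return the address literal a Received: line attributes to the
    connecting host, or None if the 'from' clause carries none.

    The RFC 2821 TCP-info form "[a.b.c.d]" is preferred over "(a.b.c.d)", and
    the last literal wins because the receiver appends its own observation
    after whatever the client claimed in HELO.  That is why
    "from [0.0.0.0] (192.0.2.25)" yields 0.0.0.0, as Scott notes: by the RFC
    the bracketed value *is* the address, so the defence is to refuse to
    test it, not to parse it differently."""
    m = FROM_CLAUSE.match(received)
    if not m:
        return None
    clause = m.group("from")
    for pattern in (r"\[([^\]]*)\]", r"\(([^)]*)\)"):
        found = re.findall(pattern, clause)
        if found:
            return found[-1].strip()
    return None


def is_testable(candidate):
    """True only for a routable public IPv4 address worth sending to an IP4R
    list.  0.0.0.0, loopback, private and reserved ranges fail is_global;
    non-addresses such as "?.?.?.?" or "UNIX: localhost" fail to parse."""
    try:
        return ipaddress.IPv4Address(candidate).is_global
    except ValueError:
        return False


def dnsbl_query(ip, zone):
    """Reversed-octet name an IP4R list expects, e.g. 160.220.202.209.<zone>
    for 209.202.220.160.  Called on 0.0.0.0 it produces 0.0.0.0.<zone>, the
    very lookup visible in Bill's log; plan_lookups() never lets that happen."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def plan_lookups(headers, zone, hophigh=1):
    """Walk hops 0..hophigh (0 = the Received: line our own server wrote) and
    return (hop, literal, query) triples.  query is None for a hop that is
    skipped instead of looked up."""
    plan = []
    for hop, line in enumerate(headers[: hophigh + 1]):
        literal = extract_ip(line)
        query = dnsbl_query(literal, zone) if literal and is_testable(literal) else None
        plan.append((hop, literal, query))
    return plan


if __name__ == "__main__":
    for hop, literal, query in plan_lookups(RECEIVED, "lbl.lagengymnastik.dk", hophigh=4):
        print(f"hop {hop}: {literal!r:20} -> {query or 'skipped (not a testable IP)'}")
```

With hophigh=4 the run queries only hops 0 and 1 (204.189.38.4 and 209.202.220.160); the ?.?.?.? hop, the HELO-forged 0.0.0.0 hop and the UNIX: localhost hop are all reported as skipped. Note that Scott's caveat still stands: when a gateway writes the real address in a comment rather than in brackets, the RFC reading of the header is the forged one, and the only safe behaviour is to not test that hop at all rather than guess which literal to trust.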
[Declude.JunkMail] Bogus IP
What does this line mean in the declude log:

08/22/2003 08:53:39 Q124905aa0274e442 Bogus IP: ?.?.?.?

Thanks,
Bill