  1. #1
    Join Date
    Jan 2007
    Posts
    688

    aol spam complaint, no headers?

    Need to trace this abuse complaint from AOL. They provided the server IP and spam email body, but no headers.

    How can I go about tracing this on a cpanel box?

  2. #2
    Join Date
    Mar 2005
    Location
    Maine, USA
    Posts
    302
    No headers pretty much makes the job very difficult. Reply back to them and ask for headers.

  3. #3
    Join Date
    Jan 2007
    Posts
    688

  4. #4
    Join Date
    Feb 2004
    Location
    UK
    Posts
    1,429
    I had one a while ago, and I spent a good hour trying to find how I could contact them for more information. I eventually gave up...

    I mean if I have a spammer on my network, I want to know about it...

  5. #5
    Join Date
    Dec 2002
    Location
    chica go go
    Posts
    11,858
    The message headers are included. They just aren't being displayed in your email client. If you're using thunderbird, open the message, then click view -> message source

    Or if they're being piped into kayako, just view the headers of the email, and it'll display all data.

  6. #6
    Join Date
    Oct 2002
    Location
    State of Disbelief
    Posts
    22,951
    Quote Originally Posted by Calibaba View Post
    Need to trace this abuse complaint from AOL. They provided the server IP and spam email body, but no headers.

    How can I go about tracing this on a cpanel box?
    Did it at least include the messageID? You can trace from that if so.

    I'm in the middle of one of these currently.
    They incorrectly identified our box as being the source of some spam forwarded off to AOL by clients (truth is they are being joejobbed by some spammer), and claimed we had a compromised script. Umm, no.
    I called, and while I was on the phone, was tailing the mail log for AOL deliveries. The whole time I was on the phone there were no mails sent to AOL at all (about an hour), though the tech said he was seeing "numerous" failed messages currently happening.
    When I asked how we could be responsible when there is no sign of this mail ever hitting our server, he said I was wrong. No explanation, just that I was wrong. I let the tail run for almost 9 hours, and saw one stuck message getting retried a few times, and about half a dozen to various AOL accounts. Numerous? Bah.

    Been ongoing for many days now, 'cause the postmaster takes 2 days between replies nearly every time.
    I hate AOL.
    Having problems, or maybe questions about WHT? Head over to the help desk!

  7. #7
    Join Date
    Dec 2002
    Location
    chica go go
    Posts
    11,858

  8. #8
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    11,686
    A LOT of providers are going down that road, despite the fact that there's a lot of useful information in those headers.

    Unfortunately, you're not going to have a lot of luck getting AOL to give you the headers, they won't do it. It sucks, but using AOL for email is about the most retarded thing you can do anyways, knowing full well that they reject plenty of legitimate email just because they want to.
    WHMCS Guru - WHMCS addons, management, support and more.
    WHMCS Notifications Extended - Add slack, hipchat, SMS, pushover to WHMCS !!
    Always looking for Linux, WHMCS, Support Desk work. PM for details

  9. #9
    Join Date
    Dec 2002
    Location
    chica go go
    Posts
    11,858
    Quote Originally Posted by linux-tech View Post
    A LOT of providers are going down that road, despite the fact that there's a lot of useful information in those headers.

    Unfortunately, you're not going to have a lot of luck getting AOL to give you the headers, they won't do it. It sucks, but using AOL for email is about the most retarded thing you can do anyways, knowing full well that they reject plenty of legitimate email just because they want to.
    What are you talking about? AOL is forwarding me headers for a box I admined 3 years ago, one that I don't even admin anymore. Here's a report I got, with the first headers being forwarded from the servers hosting sonataweb.net down to me.

    Code:
    Delivered-To: [email protected]
    Received: by 10.143.187.3 with SMTP id o3cs69201wfp;
            Mon, 7 Apr 2008 03:15:53 -0700 (PDT)
    Received: by 10.65.240.17 with SMTP id s17mr8956233qbr.83.1207563352795;
            Mon, 07 Apr 2008 03:15:52 -0700 (PDT)
    Return-Path: <[email protected]>
    Received: from server2.aztekhosting.com ([208.79.234.78])
            by mx.google.com with ESMTP id e15si8166724qba.9.2008.04.07.03.15.52;
            Mon, 07 Apr 2008 03:15:52 -0700 (PDT)
    Received-SPF: neutral (google.com: 208.79.234.78 is neither permitted nor denied by domain of [email protected]) client-ip=208.79.234.78;
    Authentication-Results: mx.google.com; spf=neutral (google.com: 208.79.234.78 is neither permitted nor denied by domain of [email protected]) [email protected]
    Received: from omr-m22.mx.aol.com ([64.12.136.130])
    	by server2.aztekhosting.com with esmtp (Exim 4.68)
    	(envelope-from <[email protected]>)
    	id 1JioOG-0002MH-RF
    	for [email protected]; Mon, 07 Apr 2008 06:15:29 -0400
    Received: from scmp-d38.mail.aol.com (scmp-d38.mail.aol.com [172.19.132.201]) by omr-m22.mx.aol.com (v117.7) with ESMTP id MAILOMRM228-7dee47f9f42e275; Mon, 07 Apr 2008 06:15:10 -0400
    Received: from imo-d23.mx.aol.com (iwslbfa2-dtc-sip17.net.aol.com [172.18.65.17] (may be forged))
    	by scmp-d38.mail.aol.com (8.13.6/8.12.11) with ESMTP id m37AEmeq007262
    	for <[email protected]>; Mon, 7 Apr 2008 06:14:48 -0400
    Received: from [email protected]
    	by imo-d23.mx.aol.com (mail_out_v38_r9.3.) id g.d33.298f701b (7372)
    	 for <[email protected]>; Mon, 7 Apr 2008 06:14:44 -0400 (EDT)
    From: <[email protected]>
    Message-ID: <[email protected]>
    Date: Mon, 7 Apr 2008 06:14:44 EDT
    Subject: Client TOS Notification
    To: <[email protected]>
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="part1_d33.298f701b.352b4e14_boundary"
    X-Mailer: OSM Client
    X-AOL-SPAM-SIGNATURE: 01010001bf69a8404b45ba3fa25d6e7694efdd9f
    X-Spam-Flag: NO
    X-AOL-INRLY: dust.dnsprotect.com [207.210.85.146] scmp-d38
    X-Loop: scomp
    X-AOL-IP: 172.19.132.201
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - server2.aztekhosting.com
    X-AntiAbuse: Original Domain - sonataweb.net
    X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
    X-AntiAbuse: Sender Address Domain - aol.net
    
    
    --part1_d33.298f701b.352b4e14_boundary
    Content-Type: text/plain; charset="US-ASCII"
    Content-Transfer-Encoding: 7bit
    
     
    
    --part1_d33.298f701b.352b4e14_boundary
    Content-Type: message/rfc822
    Content-Disposition: inline
    
    Return-Path: <[email protected]>
    Received: from rly-mh08.mx.aol.com (rly-mh08.mail.aol.com [172.21.166.144]) by air-mh03.mail.aol.com (v121.4) with ESMTP id MAILINMH034-bea47f9a272388; Mon, 07 Apr 2008 00:26:47 -0400
    Received: from dust.dnsprotect.com (dust.dnsprotect.com [207.210.85.146]) by rly-mh08.mx.aol.com (v121.4) with ESMTP id MAILRELAYINMH082-bea47f9a272388; Mon, 07 Apr 2008 00:26:26 -0400
    Received: from nobody by dust.dnsprotect.com with local (Exim 4.68)
    	(envelope-from <[email protected]>)
    	id 1Jiiw6-0007Qa-3F
    	for Undisclosed Recipients; Mon, 07 Apr 2008 00:26:26 -0400
    To: <Undisclosed Recipients>
    Subject: Asking Permission
    X-PHP-Script: www.maticbiz.com/resfile/cmanage.php for 222.127.228.6
    Date: Mon, 7 Apr 2008 00:26:26 -0400
    From: Rachel Parker <[email protected]>
    Reply-to: 
    Message-ID: <[email protected]>
    X-Priority: 3
    X-Mailer: PHPMailer [version 1.72]
    Errors-To: 
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    	boundary="b1_13f0f822e301d491e2c2ebb9c040ec4e"
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - dust.dnsprotect.com
    X-AntiAbuse: Original Domain - aol.com
    X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
    X-AntiAbuse: Sender Address Domain - gmail.com
    X-AOL-IP: 207.210.85.146
    X-AOL-SCOLL-AUTHENTICATION: listenair ; SPF_helo : n
    X-AOL-SCOLL-AUTHENTICATION: listenair ; SPF_822_from : ?
    
    
    --b1_13f0f822e301d491e2c2ebb9c040ec4e
    Content-Type: text/plain; charset = "iso-8859-1"
    Content-Transfer-Encoding: 8bit
    
    
    Hello GetWellCenter,<br><br>
    
    I would like to ask a permission to send information<br>
    about the hottest new home business opportunity.<br><br>
    
    This is totally different from what you have heard<br>
    or tried already.<br><br>
    
    </br><a href='http://www.maticbiz.com/resfile/cenablecust.php?cust_id=31243' ><u>If you allow me please click here</u></a><br><br>
    
    If not I will delete your email address immediately<br>
    from my contact list.<BR><BR><BR>
    
    
    Thank you,<BR><BR>
    
    Rachel Parker<BR>
    [email protected]<BR>
    070 Lower Bacayan, Cebu City<BR>
    6014 - Philippines<BR><BR>
    
    If you wish not to receive future messages from me<br>
    please click the removal link<br><br>
    
    Removal link: <a href='http:[email protected]l.com&list_id=1' ><u>stop future messages</u></a><br>
    
    
    --b1_13f0f822e301d491e2c2ebb9c040ec4e
    Content-Type: text/html; charset = "iso-8859-1"
    Content-Transfer-Encoding: 8bit
    
    <html><body><br/>Hello GetWellCenter,<br><br>
    
    I would like to ask a permission to send information<br>
    about the hottest new home business opportunity.<br><br>
    
    This is totally different from what you have heard<br>
    or tried already.<br><br>
    
    </br><a href='http://www.maticbiz.com/resfile/cenablecust.php?cust_id=31243' ><u>If you allow me please click here</u></a><br><br>
    
    If not I will delete your email address immediately<br>
    from my contact list.<BR><BR><BR>
    
    
    Thank you,<BR><BR>
    
    Rachel Parker<BR>
    [email protected]<BR>
    070 Lower Bacayan, Cebu City<BR>
    6014 - Philippines<BR><BR>
    
    If you wish not to receive future messages from me<br>
    please click the removal link<br><br>
    
    Removal link: <a href='http:[email protected]l.com&list_id=1' ><u>stop future messages</u></a><br><br/></body></html>
    
    
    
    --b1_13f0f822e301d491e2c2ebb9c040ec4e--
    
    --part1_d33.298f701b.352b4e14_boundary--
    If anyone is at fault, you are, for not being intelligent enough to realize that the email headers not being displayed are the fault of your email client. AOL forwards the headers, you are wrong, look at the full message source.
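For anyone who does get the full report, the useful structure is the one visible in the headers above: a multipart/report whose parts are a short text part, a message/feedback-report part (the Feedback-Type / Source-IP fields), and the original spam as message/rfc822, carrying the Received hop where Exim accepted it locally, the X-PHP-Script header and the X-AntiAbuse UID/GID line. The Python below is an added example, not code from the thread or from AOL; it parses a constructed report modelled on that layout (all hosts, addresses, IPs and queue ids are placeholders) and returns exactly the fields a cPanel admin needs to find the offending script.

```python
import email
import re
from email import policy

# Constructed sample of an ARF-style feedback report, laid out like the SCOMP
# report quoted in the thread. Every host, address, IP and id is a placeholder.
SAMPLE_REPORT = """\
From: <scomp@example-isp.invalid>
To: <abuse@example-host.invalid>
Subject: Client TOS Notification
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report; boundary="part1_boundary"

--part1_boundary
Content-Type: text/plain; charset="US-ASCII"

This is an email abuse report.

--part1_boundary
Content-Type: message/feedback-report

Feedback-Type: abuse
User-Agent: AOL SComp
Version: 0.1
Received-Date: Thu, 10 Apr 2008 11:47:09 -0400
Source-IP: 192.0.2.10
Reported-Domain: server.example-host.invalid

--part1_boundary
Content-Type: message/rfc822
Content-Disposition: inline

Return-Path: <nobody@server.example-host.invalid>
Received: from server.example-host.invalid (server.example-host.invalid [192.0.2.10]) by rly.example-isp.invalid with ESMTP id RELAYIN01; Mon, 07 Apr 2008 00:26:26 -0400
Received: from nobody by server.example-host.invalid with local (Exim 4.68)
\t(envelope-from <nobody@server.example-host.invalid>)
\tid 1AAAAA-000000-AA
\tfor Undisclosed Recipients; Mon, 07 Apr 2008 00:26:26 -0400
To: <Undisclosed Recipients>
Subject: Asking Permission
X-PHP-Script: www.example-customer.invalid/resfile/cmanage.php for 203.0.113.7
From: Someone <someone@example.invalid>
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server.example-host.invalid
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
Content-Type: text/plain; charset="iso-8859-1"

Hello, this is the reported message body.

--part1_boundary--
"""

EXIM_ID_RE = re.compile(r"\bid ([0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2})")
PHP_SCRIPT_RE = re.compile(r"^(\S+) for (\S+)")
UID_RE = re.compile(r"UID/GID - \[(\d+) (\d+)\]")


def _embedded(part):
    """Return the message nested in a message/* part (parsed, or parse it now)."""
    payload = part.get_payload()
    if isinstance(payload, list):
        return payload[0]
    return email.message_from_string(payload, policy=policy.default)


def _hdr(msg, name):
    """Header value with folding whitespace collapsed, or None if absent."""
    value = msg.get(name)
    return " ".join(str(value).split()) if value is not None else None


def triage_report(report_text):
    """Pull the fields needed to trace the reported message on the server."""
    msg = email.message_from_string(report_text, policy=policy.default)
    info = {"feedback_type": None, "source_ip": None, "received": [],
            "local_exim_id": None, "php_script": None, "caller_uid": None}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/feedback-report":
            fields = _embedded(part)
            info["feedback_type"] = _hdr(fields, "Feedback-Type")
            info["source_ip"] = _hdr(fields, "Source-IP")
        elif ctype == "message/rfc822":
            original = _embedded(part)
            # Received headers are newest-first; the "with local" hop is where
            # Exim accepted the message from a process on the box itself.
            info["received"] = [" ".join(str(h).split())
                                for h in original.get_all("Received", [])]
            for hop in info["received"]:
                if " with local " in hop:
                    m = EXIM_ID_RE.search(hop)
                    info["local_exim_id"] = m.group(1) if m else None
            script = _hdr(original, "X-PHP-Script")
            if script:
                m = PHP_SCRIPT_RE.match(script)
                info["php_script"] = (m.group(1), m.group(2)) if m else (script, None)
            for line in original.get_all("X-AntiAbuse", []):
                m = UID_RE.search(str(line))
                if m:
                    info["caller_uid"] = int(m.group(1))
    return info


if __name__ == "__main__":
    for key, value in triage_report(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

The queue id from the local hop is what you grep for in exim_mainlog, the X-PHP-Script value names the script and the client IP that invoked it, and a caller UID of 99 (nobody on cPanel boxes of that era) tells you the mail was injected by a web process rather than an authenticated user.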

  10. #10
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    11,686
    I'm not going to get into an argument with you about something this simple. AOL has, in the past NOT sent headers, and every time I've dealt with them they've had the same reaction. Obviously, they're still doing this, because the other person's saying the same thing.

    It's not a "view source" matter, it is a matter where they have done this, multiple times, multiple places, to multiple clients.

    You may be an exception, that's fine, but as a general rule, from what I've seen (and obviously what this other person is seeing), they DO NOT DO THIS.

  11. #11
    Join Date
    Dec 2002
    Location
    chica go go
    Posts
    11,858
    Quote Originally Posted by linux-tech View Post
    I'm not going to get into an argument with you about something this simple. AOL has, in the past NOT sent headers, and every time I've dealt with them they've had the same reaction. Obviously, they're still doing this, because the other person's saying the same thing.

    It's not a "view source" matter, it is a matter where they have done this, multiple times, multiple places, to multiple clients.

    You may be an exception, that's fine, but as a general rule, from what I've seen (and obviously what this other person is seeing), they DO NOT DO THIS.
    Every host I've worked for has had this setup, and every single time, AOL has provided the email headers in their reports. This is a problem with your email client, very possibly his email server. Can you open up a SCOMP report in Thunderbird right now, and view the message source? I can. Provide your proof. I mean, it's obviously a mistake on the user's side. I made the same mistake when I started using it. But, I eventually figured out the issue, and now I know how it works. You can do the same thing too, just be honest about your flaws.

  12. #12
    Join Date
    Oct 2002
    Location
    State of Disbelief
    Posts
    22,951
    I've yet to receive a SCOMP report that didn't include the headers I needed to trace the message. They do redact the address, but that's about it.

  13. #13
    Join Date
    Jan 2007
    Posts
    688
    I am still not getting the headers. The past 24hrs I've literally gotten about 15 spam complaints from AOL regarding the same exact IP address (which is in fact mine).

    I use Outlook 2007 and have no issues at all viewing email headers for any emails incoming except AOL's spam complaints.

    Each complaint has two attached files. One is a .dat file and the other is the body of the original spam complaint. I view that, and see no message headers whatsoever.

    The dat file shows only something like this:

    Code:
    Feedback-Type: abuse
    User-Agent: AOL SComp
    Version: 0.1
    Received-Date: Thu, 10 Apr 2008 11:47:09 -0400
    Source-IP: ***
    Reported-Domain: server.***.com
    Redacted-Address: redacted
    Redacted-Address: redacted@
    Now, today's dozen or so complaints showed this as the subject of the spams:

    "Britney does it again"

    I have what seems *incoming* spam with that subject according to the grep output for exim_mainlog, but I'm trying to trace those sent out.
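Without headers, the Exim main log is still enough to tell mail the box received from mail it originated, which is the distinction the grep output above blurs: each queue id has one `<=` arrival line (P=local with U=nobody for a web script, A=... for an authenticated user, H=host [ip] without A= for inbound SMTP) and one `=>` line per delivery; with cPanel's Exim logging the `cwd=` line just before a local arrival gives the script's directory. The Python below is an added example, not from the thread; it runs over a constructed exim_mainlog excerpt (placeholder hosts, ids, addresses and domains) and lists only the messages with the spam subject that the server itself sent to other domains.

```python
import re

# Constructed exim_mainlog excerpt: one inbound spam, one spam injected by a
# web script, one legitimate authenticated submission. All values are placeholders.
SAMPLE_LOG = """\
2008-04-10 11:46:58 1JkA01-000001-AA <= spammer@example.net H=mail.example.net [198.51.100.5] P=esmtp S=2048 id=111@example.net T="Britney does it again"
2008-04-10 11:46:59 1JkA01-000001-AA => user1 <user1@example-host.invalid> R=localuser T=local_delivery
2008-04-10 11:46:59 1JkA01-000001-AA Completed
2008-04-10 11:47:03 cwd=/home/custacct/public_html/resfile 3 args: /usr/sbin/sendmail -t -i
2008-04-10 11:47:03 1JkA02-000002-AA <= nobody@server.example-host.invalid U=nobody P=local S=1985 T="Britney does it again"
2008-04-10 11:47:09 1JkA02-000002-AA => recipient@example-isp.invalid R=lookuphost T=remote_smtp H=mx.example-isp.invalid [192.0.2.50]
2008-04-10 11:47:09 1JkA02-000002-AA Completed
2008-04-10 11:47:15 1JkA03-000003-AA <= someone@example-host.invalid H=(laptop) [203.0.113.9] P=esmtpa A=dovecot_login:someone@example-host.invalid S=900 T="Weekly report"
2008-04-10 11:47:16 1JkA03-000003-AA => boss@example.org R=lookuphost T=remote_smtp H=mx.example.org [192.0.2.40]
"""

ARRIVAL_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<id>\w{6}-\w{6}-\w{2}) <= (?P<sender>\S+) (?P<rest>.*)$")
DELIVERY_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<id>\w{6}-\w{6}-\w{2}) => (?P<rcpt>\S+)")
CWD_RE = re.compile(r"^(?P<ts>\S+ \S+) cwd=(?P<cwd>\S+) ")
SUBJECT_RE = re.compile(r'T="((?:[^"\\]|\\.)*)"')


def parse_exim_log(text):
    """Group exim_mainlog lines by queue id and classify how each message arrived."""
    messages = {}
    pending_cwd = None
    for line in text.splitlines():
        cwd, pending_cwd = pending_cwd, None  # cwd= applies only to the next line
        m = CWD_RE.match(line)
        if m:
            pending_cwd = m.group("cwd")
            continue
        m = ARRIVAL_RE.match(line)
        if m:
            rest = m.group("rest")
            tokens = rest.split()
            if "P=local" in tokens:
                origin = "local-submission"      # script, cron or pipe on the box
            elif any(t.startswith("A=") for t in tokens):
                origin = "authenticated-user"    # SMTP AUTH by a mailbox user
            else:
                origin = "inbound-smtp"          # accepted from a remote host
            subj = SUBJECT_RE.search(rest)
            messages[m.group("id")] = {
                "sender": m.group("sender"), "origin": origin,
                "subject": subj.group(1) if subj else "",
                "cwd": cwd if origin == "local-submission" else None,
                "deliveries": [],
            }
            continue
        m = DELIVERY_RE.match(line)
        if m and m.group("id") in messages:
            messages[m.group("id")]["deliveries"].append(m.group("rcpt"))
    return messages


def outbound_with_subject(messages, subject, local_domains):
    """Messages with this subject that originated here and went to other domains."""
    hits = []
    for mid, info in messages.items():
        if info["subject"] != subject or info["origin"] == "inbound-smtp":
            continue
        external = [r for r in info["deliveries"]
                    if "@" in r and r.rsplit("@", 1)[1].lower() not in local_domains]
        if external:
            hits.append({"id": mid, "origin": info["origin"],
                         "cwd": info["cwd"], "recipients": external})
    return hits


if __name__ == "__main__":
    msgs = parse_exim_log(SAMPLE_LOG)
    for hit in outbound_with_subject(msgs, "Britney does it again", {"example-host.invalid"}):
        print(hit)
```

On a real box the subject field only appears when the `+subject` log selector is enabled, as it is on cPanel; without it, the id= and sender fields in the arrival line are what you match on instead.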
