Jump to content

All Activity

This stream auto-updates     

  1. Yesterday
  2. RJVB

    Spamcop cannot find source IP

    I've had growing doubts as to SC's usefulness ever since their parsing engine started giving up on spams that contain too many links. Since then, more and more spam seems to have used this trick to avoid the automatic generation of reports to the spamvertised website ISPs. I've been hanging on though, but with just about all my email coming in on GMail I've also wondered why SC don't add a simple parsing rule to work around instead of breaking on the 2002: headers. In the end I wrote a little filter that I added to the chain leading up to SpamAssassin (which handles the SC submission for me), a filter that does the IP6to4 translation described above in the message source. This is what SC should be doing, so it's an IMHO acceptable form of (de)mangling the headers. If anyone is interested in the source (C++) I can upload it here or make it available some other way.
  3. Crime gang running ISP?
  4. Last week
  5. https://www.talosintelligence.com/reputation_center/lookup?search=197.234.221.192 They have port 25 blocked so SpamCop is finding the source IP? Seems near all their entire IP range. CBL are saying their email servers themselves are infected with "sendsafe"
  6. Please read Address 2002:adf:aa91:0:0:0:0:0 (gmail) not associated with any of your mailhosts Spamcop cannot find source IP These related threads discuss the problem you are having and a work-around to report the miss formed header created by gmail. After review if you still have questions please post them and the forum will try to give you help
  7. This problem has recently (last 7-10 days) popped up. Every report I attempt to submit, ends up with this or similar: Parsing header: host 2002:a81:8705:0:0:0:0:0 (getting name) no name 0: Received: by 2002:a81:8705:0:0:0:0:0 with SMTP id x5-v6csp1438670ywf; Thu, 24 May 2018 07:42:11 -0700 (PDT) No unique hostname found for source: 2002:a81:8705:0:0:0:0:0 Possible forgery. Supposed receiving system not associated with any of your mailhosts Will not trust this Received line. Mailhost configuration problem, identified internal IP as source Mailhost: Please correct this situation - register every email address where you receive spam No source IP address found, cannot proceed. The email was sent to my GMAIL address, I then tried to reprocess my MAILHOSTs configuration for GMAIL. No help! Any ideas? Tracking URL is: https://www.spamcop.net/sc?id=z6466300524z8c4f8dd4c37bd064db31639836fe7077z
  8. True. When I was running my own email server a few years back, I had what amounted to private blacklists, hidden from public view until an incoming email ran foul of the filtering I had in place. I never got round to running a DNSBL/RBL.
  9. Are emails with this string of IP addresses originating from Benin and OCN is just used to send the emails?
  10. Yes there is a big problem with SpamCop abuse address gathering, ARIN is one who allows SpamCop access others do not (so it's that or nothing), to stop "DoS attacking "ARIN" SpamCop reduces checks by caching entries). Another problem are legacy issues when years ago someone hard coded a actual abuse address which is no longer valid. Get yourself a WHOIS program for Windows I use http://www.nirsoft.net/utils/ipnetinfo.html look at page bottom for download link.
  11. That is a public list which is available free to many ISP's, many have secret blocklists that are never known by anyone but them..
  12. With their efforts to hide the real spamertized URL, sending a spam report to them/their ISP has a vary low probability of having any affect. Although the spam does not come from there (the first priority) it would be nice to crush the money trail too.
  13. If it's on abuseat's CBL list, it will usually find its way to spamhaus's ZEN list as well, I think Spamhaus took the list over a year or two back. I'm also seeing listings on other lists as well.
  14. None of the URL trackers will track that url, But Im sure 100% if I click on it, then it would be redirected. None of the view URL Safe Sites will go to it either.
  15. Based of the dates in the Provided Tracking URL I guess you are still getting similar spam. I assume that www.tb7h.outualo.men is not just the displayed URL in the body. If domain checkers, WHOIS and SpamCop can't identify the "real" destination, I'm at a loss. Maybe with a live example others here may be able to help.
  16. I never found a tracking URL .. but Got another message from them so here it is SpamCop v 4.9.0 © 2018 Cisco Systems, Inc. All rights reserved.Here is your TRACKING URL - it may be saved for future reference:https://www.spamcop.net/sc?id=z6466193413z0672ac3bc563dbe82dcfb5fe5057cf1cz
  17. Why is it only blacklisted at abuseat and nowhere else? Is there a reason for that?
  18. Could someone at spamcop/cisco actually do this? Rather sooner than later. RIPE-db has official abuse-adress per IP prefix that is correct. Other RIR have adopted that to. We have over 800 customers that need to get abuse email sent to them and not to us. It's actually easy to get the right address. For RIPE, APNIC and AFRINIC region just use -b in the whois lookup. For ARIN region just use normal whois and filter out OrgAbuseEmail. For LACNIC they have a resource record for abuse-c.
  19. That's better "X-Originating-IP: [197.234.221.192]" is the botnet source all their IP's listed as a botnet, yes they are sent through a compromised ocn computer "153.149.227.167" but not reported Other hosts in this "neighborhood" with spam reports 197.234.221.1 197.234.221.4 197.234.221.5 197.234.221.12 197.234.221.13 197.234.221.42 197.234.221.43 197.234.221.46 197.234.221.47 197.234.221.54 197.234.221.66 197.234.221.68 197.234.221.69 197.234.221.70 197.234.221.80 197.234.221.91 197.234.221.105 197.234.221.108 197.234.221.120 197.234.221.161 197.234.221.170 197.234.221.172 197.234.221.183 197.234.221.188 197.234.221.192 197.234.221.193 197.234.221.205 197.234.221.224 197.234.221.232 197.234.221.236 197.234.221.238 197.234.221.243 197.234.221.245
  20. 😂 Here's the Tracking URL. Feel free to remove what you need from the URL after examining the report: https://www.spamcop.net/sc?id=z6466108812zeb3430e28af1b6f93be3ffdc98bf48c7z
  21. They have a lot of compromised accounts which they act on, getting Japs to turn on Windows Defender is complicated? would help if you learn what a SpamCop tracking URL was
  22. Of course it's an ocn.ne/ad.jp email. I don't bother reporting to them anymore because I find it pointless. I also reported it to netabuse (at) mtn.bj, but as you all know, they're notorious for not dealing with spam very well. I tried reporting to UBA's security email that I found doing a Google search and this is the result Gmail's mailer-daemon sent back: Original email: Delivered-To: x Received: by 10.55.27.222 with SMTP id m20-v6csp390695lfi; Tue, 22 May 2018 04:17:36 -0700 (PDT) X-Google-Smtp-Source: AB8JxZpYbvb6tOhQ+iZm9i/WTdteOSq3c4khjtYYTyC0U88eDbOBeooA888yF+t/0UxRT/np7P7W X-Received: by 2002:a63:7c0b:: with SMTP id x11-v6mr18459486pgc.384.1526987856201; Tue, 22 May 2018 04:17:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1526987856; cv=none; d=google.com; s=arc-20160816; b=jotNUqh782Or1fxX2A+r16K8REfifvVQHUFk5z9gyfBJuv9fVGAP0qgRPnjo4mlJlm 5YHfAR2j+kzg//ih9YB/fNpUmB729kKKSfQ5xmy85c9ocuiieMz1ecmflWftDgmq0zZt ua3SRaWu+/U51hn2R73K/de9iT02t1D57414RVDakaMz2x2Ff/mf+JjI+1+HSBH4ks0c Mt/Ch7XCfglJUNJl2qNlsBwzd2es8/8rWynsVjdv6BfyYMYTWc5Vda9xPSfUfZJZRTwM IoSDNFFFcgvewA9H8VXA04Cwoz9NY2SAysTZj9TyYRNJjI1C8zilRSMwrDytlSbZ9WoN 7bpQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:subject:message-id:reply-to :from:date:arc-authentication-results; bh=LpXfDxdLzWxwHrFw1Qk9sqc0koHX4eJzLDY8tHHwhoo=; b=hOlAaQ8hWmtbEqeXcXlD0sYdvmdc30qlaSZMbFzJ+6d2giVZqBMmbmBVpMHj4KoQiO RLPsiMKUgcmBnHz8CeqGeJIjU+Zx78n91u+2hJRwIlmsVz7DXdXoWouGMvFNVwdU0LQZ 6GQehGfouDlQGGKOHI+XO4IvcWjgt94jseISgkqAPFx351PaFRYBpFlvnaOtYr8yD1Lc GYzktMwi0v9FVN1HZyX9lojZgz5fnqsJ0D/d1FjPiAdHQekp5QrcLfT1ehd161lEYL0P 7IxJLb8dgGDSG+1BNCrAJffzoPYGyTsD+l7Qyl16mqbM9hNktalB1qTiXvluMpBaSpcj 815Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of www.@miracle.ocn.ne.jp designates 153.149.233.15 as permitted sender) smtp.mailfrom=www.@miracle.ocn.ne.jp Return-Path: <www.@miracle.ocn.ne.jp> Received: from mbkd0214.ocn.ad.jp (mbkd0214.ocn.ad.jp. [153.149.233.15]) by mx.google.com with ESMTP id z18-v6si16038914pfd.357.2018.05.22.04.17.23; Tue, 22 May 2018 04:17:36 -0700 (PDT) Received-SPF: pass (google.com: domain of www.@miracle.ocn.ne.jp designates 153.149.233.15 as permitted sender) client-ip=153.149.233.15; Authentication-Results: mx.google.com; spf=pass (google.com: domain of www.@miracle.ocn.ne.jp designates 153.149.233.15 as permitted sender) smtp.mailfrom=www.@miracle.ocn.ne.jp Received: from mf-smf-ucb035c3 (mf-smf-ucb035c3.ocn.ad.jp [153.153.66.232]) by mbkd0214.ocn.ad.jp (Postfix) with ESMTP id 0E1A418D8F6; Tue, 22 May 2018 20:17:23 +0900 (JST) Received: from ntt.pod01.mv-mta-ucb022 ([153.149.142.85]) by mf-smf-ucb035c3 with ESMTP id L5IAfKI3F3vLcL5IAf4CBa; Tue, 22 May 2018 20:17:23 +0900 Received: from vcwebmail.ocn.ad.jp ([153.149.227.167]) by ntt.pod01.mv-mta-ucb022 with id pPHN1x00F3dLKTM01PHNBl; Tue, 22 May 2018 11:17:22 +0000 Received: from mzcstore202.ocn.ad.jp (mz-cb202p.ocn.ad.jp [180.8.111.9]) by vcwebmail.ocn.ad.jp (Postfix) with ESMTP; Tue, 22 May 2018 20:17:22 +0900 (JST) Date: Tue, 22 May 2018 20:17:22 +0900 (JST) From: "Mr.Emanuela Guidobaldi" <www.@miracle.ocn.ne.jp> Reply-To: "Mr.Emanuela Guidobaldi" <ubabnk0012@live.fr> Message-ID: <114857748.28834412.1526987842427.JavaMail.root@miracle.ocn.ne.jp> Subject: Attention:My dear MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-2022-JP Content-Transfer-Encoding: 7bit X-Originating-IP: [197.234.221.192] Attention:My dear I waited for your message as you told me with none received. Remember, i supposed to have traveled last night but the weather is too bad. I will be leaving to Paraguay tomorrow. Meanwhile, contact the Bank manager with below address, i have kept the cheque with them at amount of USD4.5Million. They will either mail it to you or remit it for transfer depending on how you want it; Mr.Emanuela Guidobaldi united bank for Africa -(UBA) E-EMAIL US:ubabnk0012@live.fr
  23. Steve

    Why does abuse@amazonaws.com get /dev/null?

    Unfortunately, you can no longer use KnujOn to submit spam:
  24. SpamStoolie

    Spamcop cannot find source IP

    Actually, I don’t believe the IPv6 address is the problem either. This server has no FQDN (i.e. no unique hostname.) It is an internal IP address. (Internal to Google.)
  25. petzl

    Spamcop cannot find source IP

    I'm reasonably sure if google don't change this SpamCop could include this in their parser. They already do for network addresses on SpamCop email accounts.
  26. Steve what you provided is not a tracking URL that any of the rest of us can use. Notice you provided a link from a different domain (https://members.spamcop.net) NOT https://www.spamcop.net
  1. Load more activity
×