anyone8

Members
  • Content Count

    97

Posts posted by anyone8


  1. Thanks for pointing me in the right direction. I wasn't sure whether to look at the message, or maybe there was an issue with my computer or SpamCop's parser.

    Although there are no double periods in the whole email, that got me to looking at the message. I tried removing things that looked strange. The one that seemed to be the problem was a hostname that began with "xHRZDMoSZQtTgIAffdczjrWWwatOgPNzFmircaawrvITFdBVQxutRnEWUepKPlOSwGJOqJfGFYyixSZjQnQWiQxqdPmvWeFgxrYmbRuJHWQgniKgFaMzPNMarqJOpuDIqmBFzSYld" as it started working when I changed that portion to "removed."

    If I recall correctly (it's been years), we shouldn't report things with material changes, so I cancelled. But at least we know what was tripping up the parser.


  2. I've been using SpamCop for years, but either something has gone wrong or the last spam I received is stalling it somehow. My first thought was reload, but it stopped at the exact same point. So I went back to the reporting box and tried pasting in the spam again, thinking maybe it would go through this time. Neither of my ideas made any difference. It's been so long since I've run into any issue like this, I'm not sure how to troubleshoot beyond this, so anything I haven't already tried would be appreciated.

    It always stops at the same point:

    Quote

    Parsing header:
    host 2a01:111:e400:fc11:0:0:0:42 (getting name) no name
    host 2603:10b6:300:c2:0:0:0:27 (getting name) no name

    Here's one of the tracking URLs: https://www.spamcop.net/sc?id=z6702233527zbcd30846d6b3149bd78570af38518361z

    Thanks!


  3. Even after refresh:

    Tracking message source: 191.241.39.98:
    Routing details for 191.241.39.98
    [refresh/show] Cached whois for 191.241.39.98 : tecnet.ce@hotmail.com
    Using abuse net on tecnet.ce@hotmail.com
    abuse net hotmail.com = abuse@outlook.com, abuse@messaging.microsoft.com, abuse@live.com
    Using best contacts abuse@outlook.com abuse@messaging.microsoft.com abuse@live.com
    abuse@live.com bounces (347 sent : 174 bounces)
    Using abuse#live.com@devnull.spamcop.net for statistical tracking.

    and

    Report spam to:
    Re: 191.241.39.98 (Administrator of network where email originates)
     To: abuse#live.com@devnull.spamcop.net (Notes)
     To: abuse@messaging.microsoft.com (Notes)
     To: abuse@outlook.com (Notes)

    Tracking URL:

    https://www.spamcop.net/sc?id=z6380314779zc01b81eef2d5f7bbd0e47780055306fez

    Whois (on source IP shown above) shows 

    abuse-c:     FCHSO2

    When I found a whois that would track this down (http://www.geektools.com/whois.php):

    nic-hdl-br: FCHSO2
    person: francisco crystian horta de souza
    e-mail: tecnet.ce@hotmail.com
    country: BR
    created: 20131104
    changed: 20131104
    
    % Security and mail abuse issues should also be addressed to
    % cert.br, http://www.cert.br/ , respectivelly to cert@cert.br
    % and mail-abuse@cert.br

    Although I'm not sure any of those addresses are the greatest place to send spam reports to, I don't see the connection to live.com/microsoft.com/outlook.com.


  4. Yes, it seems like it started working as soon as I went to the kitchen to get something to eat. :) 

    Thanks for mentioning email reporting. I hadn't thought of that, and since Hotmail doesn't seem to have the "forward as attachment" option, set up the email program on my system to retrieve Hotmail. This led me to discover that this program puts all the spam (from my Hotmail, Yahoo, etc.) into one place, kind of like a unified inbox for spam. That will be much more efficient than checking each one.


  5. Just FYI, at least some of us don't have access to view the reports you linked. If you only want SpamCop admin to be able to see it, that might work.

    Otherwise, tracking URLs usually look like: https://www.spamcop.net/sc?id=z6266145351z9959f30df739e6d2f4bba28ae4976342z As far as I know, the easiest way to get the tracking URL is at the top of the page where you scroll down and click the button to send reports.


  6. Thanks for your detailed responses. You have a good point about backscatter. I realized, to my horror, that my server could be doing exactly that.

    Fortunately, it's not, at least when testing using my mail client. Instead of generating a bounce, my server refuses to even accept the message and "rejected RCPT <address>: Unrouteable address" shows up in my /var/log/exim4/rejectlog. I know testing from one mail client may not cover every scenario, but at least I know it's not as wide open as I feared. If anyone knows of other scenarios I should test, I'd love to hear about it. 

    One note for anyone else running exim4 (at least whatever version came with my Debian server): If your server is configured to relay mail for an IP address, connections from that IP address can generate backscatter instead of performing the behavior mentioned in the previous paragraph, but then you shouldn't be relaying mail for an IP address unless you really trust it not to use your server to send inappropriate mail.

    One final note on backscatter, there's a pretty good article (IMHO) on Wikipedia [Backscatter (email)] if anyone is interested in reading more, and it even links back to our own FAQ.

    Back to the topic of mailboxes, creating a mailbox with a forward sounds good. In my particular case, it looks like my hosting provider only allows 5 mailboxes, but then it's free so I can't complain. This certainly gives me some options to consider if I need to make changes in the future though, and that's much appreciated, as I'm almost allergic to spam.


  7. On 8/3/2016 at 11:26 PM, spinner said:

    I have lots of domains and when I deal with any organisation/person I create a mailbox specifically for them (Anothercompany@adomain.com) so when I get spammed I know where the leak is and I just delete the account and let them bounce. If I have to continue communicating with them I create another mailbox. I can say that some people get really snotty when you can categorically say they got hacked (1and1 hosting...)

    Glad to know I'm not the only one that does this! However, I do it by manually editing /etc/aliases on a Linux server. I'm guessing you found an easier way. Do you use any particular service provider that makes it easy to create/delete mailboxes? And do you end up having to check each account individually or do they get combined somehow? Thanks!


  8. On 8/3/2016 at 5:43 AM, fragile said:

    Well seemingly big news from Yahoo(aka Verizon) Mail I have noticed. When viewing an email in Yahoo Mail, under the "More" drop down menu, instead of there being a View Full Header option, it has now changed to View Raw Message which opens a new window with the full message in text only. This makes it very easy to copy and paste into Spamcop, so no more forwarding thank god.

    Thanks for posting this. Last time I needed it, it was still the "view raw message" option, and I hadn't noticed the change yet. I had resorted to using the "Allow apps that use less secure sign in" to allow me to retrieve spam from Yahoo using a POP client, so I'm glad to be able to change that setting back and get the message source an easier way.


  9. On 5/12/2016 at 7:46 AM, Lking said:

    Anyone care to provide a Tracking URL? I see no indication of a problem this am when clearing out overnight "deposits".

    This is the one where I got the "temporary system error"

    https://www.spamcop.net/sc?id=z6239009824z125b86ad1f42f111fc5227edc6e80898z

    However, even going back to it immediately after getting the error, the message that reports have already been sent is there. It makes me think the system had an error sending, but thinks it sent or at least knows it tried to. What I can't tell from user side is whether or not the report actually got sent.

    I know the report ID isn't usually helpful, but in case SpamCop staff needs one to look into this, the report ID for this one is 6461057999. I just happened to notice when I pasted this in that the report ID just happens to end in 999. It's in sequence with the others, but wow that number was climbing fast:

    6461056716 5/12/2016, 7:26:46 AM
    6461057999 5/12/2016, 7:27:03 AM
    6461065435 5/12/2016, 7:35:38 AM

    Note the other two didn't have errors. I just noticed how fast the report IDs were climbing: 1283 reports in 17 seconds? Looks like that was a significant portion of the 8719 over the ~8.5-minute period between the above samples. If we assume the 8719 over ~8.5 minutes is normal, 1283 in 17 seconds seems like a bit of a departure from a norm of approx 1015 per minute; although I got a D in math so what do I know :)


  10. No matter how many times I tried to submit this single email I always saw;

    "There was an error sending your message:

    Message could not be delivered - the address was not found, is unknown, or is not receiving messages,"

    Allowed it in to Outlook and used 2-part pasting web form and it reported - with the Tracking URL above as proof!

    If a deputy wants to see the original email I can (try to) forward it...

    Although I don't remember the exact error message I got, that reminds me of one I got from my server's webmail (SquirrelMail) when it didn't like something a few months ago. I saw something earlier in this thread about webmail, but if you mentioned which one you're using, I missed it. Which webmail are you using?

    I looked at the headers from your tracking URL, and the only thing that jumped out at me was the note added by SpamCop indicating it had converted it to plain text. Knowing they add that will make me a lot more comfortable just copying the body and not worrying about chasing down the source code, since I keep running into mail clients where it's easy to get the headers but the full source seems to be hiding somewhere.

    I have to wonder if there's something in the body that was making the webmail choke when you tried to forward the message. If you don't get an answer from the deputies, I'd be curious to see the source code to the message body if possible. I hesitate to post an email address publicly, but we can always use PM for that if email is needed. Back in the newsgroup days, there was a spamcop.spam where samples could be posted, but I don't know if this web forum has anything like that.


  11. Thanks. On gmail, I just copy/paste the source as-is, but I hadn't seen that thread and it was good to read.

    The normal processing time for email submissions might be about a minute. I haven't clocked it. I just know I find another task to do for a moment and it improves the chances that the "report now" link will be there when I check. I assume the good people at SpamCop wouldn't want me to refresh the screen over and over like the over-caffeinated psycho I may or may not be. :D

    I'm usually done reporting by the time the autoreply comes. I suppose that could be because it's sent to a spamcop.net address then forwarded to my real address, but I don't know. The reporting system usually works well enough that I don't give it much thought until something unusual happens.


  12. Was that as an email submission? I was able to report three spams this morning via the webmail interface, but not when forwarded to submit.....

    My email submission seems to have also gone and hid somewhere. I've forgotten how to get the source, but I'm sure it's been asked and answered before, so I just hope the recent technical difficulties don't include the forum's search function. :)

    Update: Processing my email submission simply took about 40 minutes instead of the usual < 5. I guess I should have given it more time before thinking it had gone in a black hole somewhere.


  13. It has been a while, but as I remember the Bounce flag/warning should be on the first screen when you login and red

    Mine's not red, but looks like this:

    Bounce error

    Your email address, x[at]spamcop.net has returned a bounce:

    Subject: Delivery Status Notification (Failure)

    Reason: 5.1.0 - Unknown address error 550-"SC-001 (BAY004-MC4F22) Unfortunately, me=

    Please ensure your email account is reliable, then click below:

    To whom it may concern, there may be an issue with using an [at]outlook.com address to receive mail forwarded through spamcop.net, as this has been happening periodically. Today, a test message sent from my hotmail account didn't come through either, so I changed my forwarding address before resetting the bounce flag.


  14. I guess it works part of the time, as the one you added last has the button to send spam reports instead of erroring out. Of course, they'd go to devnull.spamcop.net, but at least they'd be counted instead of lost because of some error in the parser.


  15. Thanks for posting the tracking URLs. Unfortunately, they're now showing the "Sorry, this email is too old to file a spam report" message. Maybe I should check back more often! :)

    Anyway, I fed the IP address from one of them to the parser, which will usually get it to tell the email address a person could send an abuse report to. Sure enough, it gave the problem you described. Since what I did doesn't produce a tracking URL, I'll quote the parser's output:

    Parsing input: 104.206.22.85

    [report history]
    Routing details for 104.206.22.85
    [refresh/show] Cached whois for 104.206.22.85 : net-admin[at]eonix.net
    Using abuse net on net-admin[at]eonix.net
    No abuse net record for eonix.net
    Using default postmaster contacts postmaster[at]eonix.net
    postmaster[at]eonix.net redirects to net-abuse[at]eonix.net
    net-abuse[at]eonix.net bounces (322 sent : 165 bounces)

    Cannot find master for:104.206.22.85
    No valid email addresses found, sorry!
    • There are several possible reasons for this:
    • The site involved may not want reports from SpamCop.
    • SpamCop administrators may have decided to stop sending reports to the site to prevent listwashing.
    • SpamCop uses internal routeing to contact this site, only knows about the internal method and so cannot provide an externally-valid email address.
    • There may be no working email address to receive reports.

    I also tried another IP address (108.160.150.154) from one of my spam reports that had recently gone to an address at devnull.spamcop.net.

    I noticed three differences between the parser output for these two IP addresses (not counting the long explanation starting with "There are several possible reasons for this", which I included in the quote in case it would be useful to someone):

    1. "No abuse net record for eonix.net". I don't think this is the problem, but I'm not an expert, just an experienced user.
    2. "postmaster[at]eonix.net redirects to net-abuse[at]eonix.net" followed by "net-abuse[at]eonix.net bounces (322 sent : 165 bounces)". I suspect this is where the problem is. My suspicion is that the parser doesn't handle the scenario where it follows a redirect and then finds out that it bounces. In other words, my guess is that if that redirect didn't exist, the parser would do something like postmaster#eonix[at]devnull.spamcop.net.
    3. The IP address I tried still had at least one valid email address after the parser devnull'ed the ones it didn't like. However, I think the parser will handle the case where all addresses are devnull.

    Although my reply doesn't solve anything, I'm hoping this discussion will lead to an action by someone who can make a difference. Since the previous discussion in this thread indicates that all the contact addresses for the ISP bounce, I think that makes getting the statistics on the IP address even more important. Maybe some time on the SpamCop blocklist will help the situation somehow.

    For the IP 104.206.22.85, I did notice the whois says

    Comment: Please contact us directly to report abuse: net-abuse[at]eonix.net

    and wondered if that meant they want abuse reports directly from the user rather than through spamcop. Of course, that could be because spamcop gives a little anonymity to abuse reports, which would probably make it harder for an ISP to listwash those who complain. Heaven forbid they actually get rid of the spammer(s) on their network. :o

    Hope something I've written helps somehow.


  16. When Spamcop shows that "nothing to do" message, there's no "Send spam Report(s) Now" button to click.

    For other ISPs that don't have a valid abuse address, Spamcop lists a devnull address and explicitly states it's using that address for statistical or tracking purposes. In the case of Eonix, it doesn't list such an address and there's no "Send spam Report(s) Now" button to click.

    A tracking URL would probably help folks troubleshoot this. On the page that is missing the button to send the spam reports, there should be a line "Here is your TRACKING URL - it may be saved for future reference:" near the top and a link (the tracking URL) right below the "Here is your TRACKING URL - it may be saved for future reference:" line.


  17. Tracking link: http://t.co/ [removed]

    No recent reports, no history available

    Host t.co (checking ip) = 199.59.148.12

    Resolves to 199.59.148.12

    Routing details for 199.59.148.12

    [refresh/show] Cached whois for 199.59.148.12 : net-abuse[at]twitter.com

    tcoabuse[at]twitter.com redirects to twitterdoesntcareaboutspamreports[at]devnull.spamcop.net

    Using best contacts twitterdoesntcareaboutspamreports[at]devnull.spamcop.net

    Or tracking URL, for those who want to see it for themselves: http://www.spamcop.net/sc?id=z6007628019z0a553839e8ee127e2cde75b677032013z

    I have to confess I laughed when I saw this. An email address that makes a statement (twitterdoesntcareaboutspamreports is "twitter doesn't care about spam reports", for anyone who has trouble seeing it) is totally something I would do.

    Now I don't know whether to be sad or pissed off that twitter has demonstrated such an attitude that someone has gone to the trouble of setting the reporting address like this.

    If there is any interesting history on what led up to this, it might make interesting reading.


  18. I have a vaguely similar problem in that I am being spammed directly by godaddy and some of its subsidiaries. Also it's to my domain contact addresses, there seems to be no reporting mechanism through ICANN (you have to have a valid domain contact address but there's nothing to stop it being abused). I want to know if there's any reporting possible at the top domain registration body level (those who licence the registrars). I have tried contacting 1and1 (my registrar) but they are incapable of comprehending that a competitor is spamming their customers and tell me to turn on the spam filters.

    This is my first post so ridicule is welcome.

    This is why the contact address for my domain is my spamcop.net email address. I had a feeling it would get spammed, and sure enough, I started getting a lot more spam very soon after I registered my domain. I don't think any of mine was from godaddy, but then spammers seem to keep moving around, probably to try and get around spam blockers.

    Prior to CESmail shutting down, the spam would get caught in "held mail" and could be reported very easily. Since the shutdown, only legitimate email (no spam) has come through. I preferred being able to report spam rather than having it disappear, but at least it's not getting to my inbox. Unfortunately, unless you happened to be a customer of CESmail before they shut down a little over a month ago, none of what I've written so far is likely to do you any good. :(

    One thing that may help is reporting every spam you get. In my experience, that seemed to slow them down a little, but your mileage may vary.

    Another idea: on some domains, "domain privacy" is an option to avoid displaying your contact info, although once the spammers have your email address, I'm not sure that helps much unless you get a new email address and domain privacy at the same time.

    And welcome to the forums. :)

    Hmm... I just noticed you replied to a message from a couple years ago in the "new feature request" area. I'm not sure our discussion is really relevant to new features, so we may find that one of the moderators moves it somewhere.

    Moderators: I depend on the reply notification feature, so if you move this and think there's any chance it will keep the system from sending me such notification, could you please PM me so I can log in and set the notification in the new location? I'm assuming it will email me if someone sends me a PM.


  19. The parser says

    No reporting addresses found for 46.130.87.83, using devnull for tracking

    but one of the lines from doing a whois on that IP is

    % Abuse contact for '46.130.64.0 - 46.130.127.255' is 'ses[at]mts.am'

    Just posting this in case one of the admins (Don?) would like to enter this data into the system so it knows where to send reports for this IP range.

    Tracking URL is http://www.spamcop.net/sc?id=z5999379014za6f3bc221367a98c9f0f5cb9d6f13a9ez


  20. Well I'm here because I prefer to report the spam. If it gets vaporized the spam serves no purpose. If it gets to me and is reported some "good" may come. Life is short, later this week I have a 2,000mi road trip.

    I'll 2nd that, report and then vaporize sounds preferable. Vaporizing spam sounds so much more fun than just deleting it. Now if only we could vaporize the spammers too. :D Have a safe trip!
