jhg

Members
  • Content count

    21
  • Joined

  • Last visited

Community Reputation

0 Neutral

About jhg

  • Rank
    Member

Recent Profile Visitors

544 profile views
  1. Abuse contact for cloud.promodeals.nl [109.237.218.48] is abuse@mihos.net This is one of those entries in RIPE where the reporting address is an inline image and not parseable from the text whois.
  2. Any chance of getting SpamCop to add a dynamic "additional reporting address" so that we can manually enter the address at reporting time?
  3. https://www.spamcop.net/sc?id=z6396626348z83eec1a7ee976570e7ece110f3a27b86z Return-Path: <RalphLauren@wolved.info> X-Original-To: x Delivered-To: x X-Greylist: delayed 00:06:28 by SQLgrey-1.8.0 DKIM-Filter: OpenDKIM Filter v2.11.0 smtp.jhmg.net 937B2403AA Authentication-Results: smtp.jhmg.net; dkim=pass (1024-bit key) header.d=wolved.info header.i=@wolved.info header.b="DpuNugtc" Received: from smoking.wolved.info (smoking.wolved.info [185.202.173.233]) by smtp.jhmg.net (Postfix) with ESMTP id 937B2403AA for <x>; Tue, 8 Aug 2017 13:08:43 -0400 (EDT) Here's the SC interpretation... Tracking message source: 185.202.173.233: Display data: "whois 185.202.173.233@whois.arin.net" (Getting contact from whois.arin.net ) Redirect to ripe Display data: "whois 185.202.173.233@whois.ripe.net" (Getting contact from whois.ripe.net) Lookup fdl258-ripe@whois.ripe.net Display data: "whois fdl258-ripe@whois.ripe.net" (Getting contact from whois.ripe.net) fdl258-ripe = whois.ripe.net 185.202.173.233 (nothing found) No reporting addresses found for 185.202.173.233, using devnull for tracking. HOWEVER... see the attached image. The issue is that the reporting address is an image and not text. Are there any solutions? It would be really helpful if we could add an ad-hoc destination on the analysis results screen to cope with this issue.
  4. https://www.spamcop.net/sc?id=z6333092862z684f4e65bbaa470376d81782694ccf39z Spamcop reports: Tracking link: http://terais.cloner.wedn.us/unsubscribe?g=fDExMTgwNzI4fDUyMDAwMA&u=x No recent reports, no history available Host terais.cloner.wedn.us (checking ip) IP not found ; terais.cloner.wedn.us discarded as fake. terais.cloner.wedn.us is not a routeable IP address Cannot resolve http://terais.cloner.wedn.us/unsubscribe?g=fDExMTgwNzI4fDUyMDAwMA&u=x However [jhg@smtp ~]$ dig terais.cloner.wedn.us ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.1 <<>> terais.cloner.wedn.us ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6341 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;terais.cloner.wedn.us. IN A ;; ANSWER SECTION: terais.cloner.wedn.us. 599 IN CNAME ragg.pregit.com. ragg.pregit.com. 299 IN A 155.94.65.6 and [jhg@smtp ~]$ ping terais.cloner.wedn.us PING ragg.pregit.com (155.94.65.6) 56(84) bytes of data. 64 bytes from 155.94.65.6.ngprobd.com (155.94.65.6): icmp_seq=1 ttl=53 time=24.1 ms 64 bytes from 155.94.65.6.ngprobd.com (155.94.65.6): icmp_seq=2 ttl=53 time=24.0 ms 64 bytes from 155.94.65.6.ngprobd.com (155.94.65.6): icmp_seq=3 ttl=53 time=23.9 ms 64 bytes from 155.94.65.6.ngprobd.com (155.94.65.6): icmp_seq=4 ttl=53 time=23.9 ms Why does Spamcop think it's not a routeable address? Curiously, upon revisiting the report I see: If reported today, reports would be sent to: Re: 85.206.173.211 (Administrator of network where email originates) williamsdesigndk@gmail.com Re: http://terais.cloner.wedn.us/unsubscribe?g=fDEx... (Administrator of network hosting website referenced in spam) abuse@nodesdirect.com However, Spamcop did not send send to the nodesdirect.com address originally.
  5. I merged your post with the earlier related post, "500 internal Server error"

  6. I'm seeing fairly consistent server errors when submitting spam via the web interface. I get the "500 Internal Server Error" message on submitting an email for parsing as well as for sending the spam notifications. If I retry it will eventually work after 2 or 3 tries.
  7. Also seeing this on an email report that clearly contains lots of dates, on every "Received" line, as well as in the message headers.
  8. Just a heads-up... Some abuse contact info is appearing in "%" comment lines in returned whois info, and this isn't beeing seen by SpamCop. I submitted a spam message, received from the address in the whois output below, and SC used nomaster (https://www.spamcop.net/sc?id=z6150159699zf64fd115c02b2d6e1cf28dbf87b528e4z) [jhg[at]www ~]$ whois 79.142.60.67 [Querying whois.arin.net] [Redirected to whois.ripe.net] [Querying whois.ripe.net] [whois.ripe.net] % This is the RIPE Database query service. % The objects are in RPSL format. % % The RIPE Database is subject to Terms and Conditions. % See http://www.ripe.net/db/support/db-terms-conditions.pdf % Note: this output has been filtered. % To receive output for a database update, use the "-B" flag. % Information related to '79.142.60.0 - 79.142.60.255' % Abuse contact for '79.142.60.0 - 79.142.60.255' is 'nic[at]smartnet.kz' inetnum: 79.142.60.0 - 79.142.60.255 netname: SMARTNET descr: P2P address for clients in Almaty country: KZ admin-c: BU909-RIPE tech-c: BU909-RIPE remarks: INFRA-AW status: ASSIGNED PA mnt-by: MNT-SMARTNET created: 2011-09-14T04:44:54Z last-modified: 2011-09-14T04:44:54Z source: RIPE # Filtered person: Baurzhan Ussunov address: Almaty, Al-Farabi av, 73/2 address: Republic of Kazakhstan phone: + 7 727 356 01 33 fax-no: +7 727 356 01 10 nic-hdl: BU909-RIPE mnt-by: MNT-SMARTNET created: 2008-10-23T06:55:51Z last-modified: 2008-10-23T08:13:09Z source: RIPE # Filtered % Information related to '79.142.60.0/24AS43994' route: 79.142.60.0/24 descr: SMARTNET descr: Almaty block origin: AS43994 mnt-by: MNT-SMARTNET created: 2011-04-22T10:35:40Z last-modified: 2011-04-22T10:35:40Z source: RIPE # Filtered % This query was served by the RIPE Database Query Service version 1.80.1 (DB-2)
  9. I just moved my mailhost to a new server and wanted to update my SpamCop mailhost config. I deleted the old one and went through the test email process ("Add new host"). After returning the test email via the web page I find that, rather than replacing the old mailhost configuration, SpamCop has merely added the new mailhost to the old list. The old hostname and IP addresses no longer exist and I really want to get rid of them. What do I need to do?
  10. Never mind, I see that the messages are being forwarded from SpamCop to me, not directly from the ISP.
  11. I have "spam Munging" set to "Obscure identifying information", but recently (in the last week or so) have started receiving emails from ISPs for many of my SpamCop reports. This would indicate to me that my email address is not munged. Has something changed?
  12. I must be missing something obvious. Extracting the Received lines and inverting their order I get the following chain blog.wim888.tw (220.142.72.6) --> lnservice.com lnservice.com (176.28.44.23) --> in-008.ord.mailroute.net --------+ in-008.ord.mailroute.net (199.89.2.11) --> localhost loopback localhost --> in-008.ord.mailroute.net --------+ in-008.ord.mailroute.net --> acmsmtp01.acm.org acmsmtp01.acm.org (64.238.147.78) --> smtp.jhmg.net The "border" between my mailhosts and the outside world is at in-008.ord.mailroute.net. lnservice.com is an external system through which the mail was routed from the botnet. I notice that the NEXT hop (in-008.ord.mailroute.net (199.89.2.11)) should be in my mailhosts but isn't. Is it really THAT hop that is the problem? A lot of my mail is processed by mailroute.net before being sent on to my ACM address, and MailRoute seems to regularly change the hosts that process mail. Is there a way to configure SpamCop mailhosts with a wildcard to recognize all of MailRoute's receiving hosts? I've been down this road before and had to get an admin to set up the mailhosts because the automatic config process based on sending test emails does not work for MailRoute.
  13. Please see https://www.spamcop.net/sc?id=z6139253206z712180235a6aaed02449cae06c1ba29cz Specifically: 4: Received: from blog.wim888.tw ([220.142.72.6]) by lnservice.com with MailEnable ESMTP; Fri, 19 Jun 2015 17:57:54 +0200 Hostname verified: 220-142-72-6.dynamic.hinet.netPossible forgery. Supposed receiving system not associated with any of your mailhosts Will not trust this Received line. This looks like a legitimate hop from the originating host. Can someone explain why this was not trusted?
  14. Please see https://www.spamcop.net/sc?id=z6048286813z098ee39b1dff6f1b0e4f2ba72e4653cbz I receive mail via a forwarding mailbox at acm.org, which first passes through Mailroute. When I attempt to register my acm.org address, I am only given one sending server option (mail.mailroute.net), but when submitting spam to SC it identifies the next server in the chain (acmsmtp02.acm.org) as the sending server, which is incorrect. How to I get the correct mailhost servers registered?