jhg

Everything posted by jhg

  1. I have a pending report https://www.spamcop.net/sc?id=z6482169832z1c8bdddf658335f33b7b4b8abdb15f13z I cannot submit it because the page stops half way through the analysis output and does not include any of the reporting buttons. The attached image shows the bottom of the page. I looked at the page source and it ends there as well (i.e. there is no unrendered content in the HTML).
  2. @Lking That worked. Does anyone want the full email to figure out why it breaks the SpamCop web UI?
  3. https://www.spamcop.net/sc?id=z6451656800zc64dcd7f5a3bc6377aa0d0284d2eba3bz The system won't let me submit this, saying "This email contains no date", which is clearly not true ...

     Received: from 18.219.110.235:9276 by cmpweb31.aul.t-online.de with HTTP/1.1 (Lisa V5-1-1-0.14292 on API V5-10-0-0)
     Received: from 172.20.102.126:42757 by spica07.aul.t-online.de:8080; Sun, 11 Mar 2018 20:53:24 +0100 (CET)
     Date: Sun, 11 Mar 2018 20:53:24 +0100 (CET)
     From: John Dashwood <mario.riedel@t-online.de>
     Sender: John Dashwood <mario.riedel@t-online.de>
     ...

     AFAICT this email doesn't look any different structurally from other emails the system accepted. What's up?
  4. https://www.spamcop.net/sc?id=z6396626348z83eec1a7ee976570e7ece110f3a27b86z

     Return-Path: <RalphLauren@wolved.info>
     X-Original-To: x
     Delivered-To: x
     X-Greylist: delayed 00:06:28 by SQLgrey-1.8.0
     DKIM-Filter: OpenDKIM Filter v2.11.0 smtp.jhmg.net 937B2403AA
     Authentication-Results: smtp.jhmg.net; dkim=pass (1024-bit key) header.d=wolved.info header.i=@wolved.info header.b="DpuNugtc"
     Received: from smoking.wolved.info (smoking.wolved.info [185.202.173.233]) by smtp.jhmg.net (Postfix) with ESMTP id 937B2403AA for <x>; Tue, 8 Aug 2017 13:08:43 -0400 (EDT)

     Here's the SC interpretation...

     Tracking message source: 185.202.173.233:
     Display data: "whois 185.202.173.233@whois.arin.net" (Getting contact from whois.arin.net )
     Redirect to ripe
     Display data: "whois 185.202.173.233@whois.ripe.net" (Getting contact from whois.ripe.net)
     Lookup fdl258-ripe@whois.ripe.net
     Display data: "whois fdl258-ripe@whois.ripe.net" (Getting contact from whois.ripe.net)
     fdl258-ripe = whois.ripe.net 185.202.173.233 (nothing found)
     No reporting addresses found for 185.202.173.233, using devnull for tracking.

     HOWEVER... see the attached image. The issue is that the reporting address is an image and not text. Are there any solutions? It would be really helpful if we could add an ad-hoc destination on the analysis results screen to cope with this issue.
  5. Abuse contact for cloud.promodeals.nl [109.237.218.48] is abuse@mihos.net This is one of those entries in RIPE where the reporting address is an inline image and not parseable from the text whois.
  6. Any chance of getting SpamCop to add a dynamic "additional reporting address" so that we can manually enter the address at reporting time?
  7. https://www.spamcop.net/sc?id=z6333092862z684f4e65bbaa470376d81782694ccf39z Spamcop reports:

     Tracking link: http://terais.cloner.wedn.us/unsubscribe?g=fDExMTgwNzI4fDUyMDAwMA&u=x
     No recent reports, no history available
     Host terais.cloner.wedn.us (checking ip) IP not found ; terais.cloner.wedn.us discarded as fake.
     terais.cloner.wedn.us is not a routeable IP address
     Cannot resolve http://terais.cloner.wedn.us/unsubscribe?g=fDExMTgwNzI4fDUyMDAwMA&u=x

     However

     [jhg@smtp ~]$ dig terais.cloner.wedn.us
     ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.1 <<>> terais.cloner.wedn.us
     ;; global options: +cmd
     ;; Got answer:
     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6341
     ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
     ;; QUESTION SECTION:
     ;terais.cloner.wedn.us. IN A
     ;; ANSWER SECTION:
     terais.cloner.wedn.us. 599 IN CNAME ragg.pregit.com.
     ragg.pregit.com. 299 IN A 155.94.65.6

     and

     [jhg@smtp ~]$ ping terais.cloner.wedn.us
     PING ragg.pregit.com (155.94.65.6) 56(84) bytes of data.
     64 bytes from 155.94.65.6.ngprobd.com (155.94.65.6): icmp_seq=1 ttl=53 time=24.1 ms
     64 bytes from 155.94.65.6.ngprobd.com (155.94.65.6): icmp_seq=2 ttl=53 time=24.0 ms
     64 bytes from 155.94.65.6.ngprobd.com (155.94.65.6): icmp_seq=3 ttl=53 time=23.9 ms
     64 bytes from 155.94.65.6.ngprobd.com (155.94.65.6): icmp_seq=4 ttl=53 time=23.9 ms

     Why does Spamcop think it's not a routeable address? Curiously, upon revisiting the report I see:

     If reported today, reports would be sent to:
     Re: 85.206.173.211 (Administrator of network where email originates) williamsdesigndk@gmail.com
     Re: http://terais.cloner.wedn.us/unsubscribe?g=fDEx... (Administrator of network hosting website referenced in spam) abuse@nodesdirect.com

     However, Spamcop did not send to the nodesdirect.com address originally.
  8. 500 Internal Server Error

     I'm seeing fairly consistent server errors when submitting spam via the web interface. I get the "500 Internal Server Error" message on submitting an email for parsing as well as for sending the spam notifications. If I retry it will eventually work after 2 or 3 tries.
  9. Also seeing this on an email report that clearly contains lots of dates, on every "Received" line, as well as in the message headers.
  10. Just a heads-up... Some abuse contact info is appearing in "%" comment lines in returned whois info, and this isn't being seen by SpamCop. I submitted a spam message, received from the address in the whois output below, and SC used nomaster (https://www.spamcop.net/sc?id=z6150159699zf64fd115c02b2d6e1cf28dbf87b528e4z)

     [jhg[at]www ~]$ whois 79.142.60.67
     [Querying whois.arin.net]
     [Redirected to whois.ripe.net]
     [Querying whois.ripe.net]
     [whois.ripe.net]
     % This is the RIPE Database query service.
     % The objects are in RPSL format.
     %
     % The RIPE Database is subject to Terms and Conditions.
     % See http://www.ripe.net/db/support/db-terms-conditions.pdf
     % Note: this output has been filtered.
     % To receive output for a database update, use the "-B" flag.
     % Information related to '79.142.60.0 - 79.142.60.255'
     % Abuse contact for '79.142.60.0 - 79.142.60.255' is 'nic[at]smartnet.kz'
     inetnum: 79.142.60.0 - 79.142.60.255
     netname: SMARTNET
     descr: P2P address for clients in Almaty
     country: KZ
     admin-c: BU909-RIPE
     tech-c: BU909-RIPE
     remarks: INFRA-AW
     status: ASSIGNED PA
     mnt-by: MNT-SMARTNET
     created: 2011-09-14T04:44:54Z
     last-modified: 2011-09-14T04:44:54Z
     source: RIPE # Filtered
     person: Baurzhan Ussunov
     address: Almaty, Al-Farabi av, 73/2
     address: Republic of Kazakhstan
     phone: + 7 727 356 01 33
     fax-no: +7 727 356 01 10
     nic-hdl: BU909-RIPE
     mnt-by: MNT-SMARTNET
     created: 2008-10-23T06:55:51Z
     last-modified: 2008-10-23T08:13:09Z
     source: RIPE # Filtered
     % Information related to '79.142.60.0/24AS43994'
     route: 79.142.60.0/24
     descr: SMARTNET
     descr: Almaty block
     origin: AS43994
     mnt-by: MNT-SMARTNET
     created: 2011-04-22T10:35:40Z
     last-modified: 2011-04-22T10:35:40Z
     source: RIPE # Filtered
     % This query was served by the RIPE Database Query Service version 1.80.1 (DB-2)
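Added example (not the poster's code and not SpamCop's implementation): a small parser over constructed RIPE-style whois output that reads the abuse contact from the `%` comment line as well as from an `abuse-mailbox:` attribute, so it shows exactly what a parser that discards every comment line misses. The sample text uses the RFC 5737 documentation range and example.net addresses in place of the real values quoted above.

```python
import re

# Constructed RIPE-style whois output (documentation range, example.net address).
# As in the real output quoted above, the abuse contact lives only in a '%' comment.
SAMPLE_WHOIS = """\
% This is the RIPE Database query service.
% Note: this output has been filtered.
% Information related to '192.0.2.0 - 192.0.2.255'

% Abuse contact for '192.0.2.0 - 192.0.2.255' is 'abuse@example.net'

inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
status:         ASSIGNED PA
source:         RIPE # Filtered
"""

ATTR_RE = re.compile(r"^([a-z][a-z0-9-]*):\s*(.*?)\s*$", re.I)
ABUSE_COMMENT_RE = re.compile(r"^%\s*Abuse contact for '[^']*' is '([^']+)'", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def abuse_contacts(text):
    """Abuse addresses ordered by reliability: explicit abuse-mailbox attributes,
    then the RIPE '%' abuse comment, then any e-mail attribute. A parser that
    drops every '%' line (the behaviour described above) loses the middle source."""
    from_attr, from_comment, fallback = [], [], []
    for line in text.splitlines():
        m = ABUSE_COMMENT_RE.match(line)
        if m:
            from_comment.extend(EMAIL_RE.findall(m.group(1)))
            continue
        if line.startswith("%") or not line.strip():
            continue  # other server comments and blank separators
        a = ATTR_RE.match(line)
        if not a:
            continue
        key = a.group(1).lower()
        emails = EMAIL_RE.findall(a.group(2).split("#")[0])  # drop "# Filtered"
        if key == "abuse-mailbox":
            from_attr.extend(emails)
        elif key == "e-mail":
            fallback.extend(emails)
    ordered = []
    for addr in from_attr + from_comment + fallback:
        if addr.lower() not in (x.lower() for x in ordered):
            ordered.append(addr)
    return ordered
```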
  11. I just moved my mailhost to a new server and wanted to update my SpamCop mailhost config. I deleted the old one and went through the test email process ("Add new host"). After returning the test email via the web page I find that, rather than replacing the old mailhost configuration, SpamCop has merely added the new mailhost to the old list. The old hostname and IP addresses no longer exist and I really want to get rid of them. What do I need to do?
  12. I have "spam Munging" set to "Obscure identifying information", but recently (in the last week or so) have started receiving emails from ISPs for many of my SpamCop reports. This would indicate to me that my email address is not munged. Has something changed?
  13. Never mind, I see that the messages are being forwarded from SpamCop to me, not directly from the ISP.
  14. What causes

     Please see https://www.spamcop.net/sc?id=z6139253206z712180235a6aaed02449cae06c1ba29cz Specifically:

     4: Received: from blog.wim888.tw ([220.142.72.6]) by lnservice.com with MailEnable ESMTP; Fri, 19 Jun 2015 17:57:54 +0200
     Hostname verified: 220-142-72-6.dynamic.hinet.net
     Possible forgery. Supposed receiving system not associated with any of your mailhosts
     Will not trust this Received line.

     This looks like a legitimate hop from the originating host. Can someone explain why this was not trusted?
  15. What causes

     I must be missing something obvious. Extracting the Received lines and inverting their order I get the following chain

     blog.wim888.tw (220.142.72.6) --> lnservice.com
     lnservice.com (176.28.44.23) --> in-008.ord.mailroute.net --------+
     in-008.ord.mailroute.net (199.89.2.11) --> localhost loopback
     localhost --> in-008.ord.mailroute.net --------+
     in-008.ord.mailroute.net --> acmsmtp01.acm.org
     acmsmtp01.acm.org (64.238.147.78) --> smtp.jhmg.net

     The "border" between my mailhosts and the outside world is at in-008.ord.mailroute.net. lnservice.com is an external system through which the mail was routed from the botnet. I notice that the NEXT hop (in-008.ord.mailroute.net (199.89.2.11)) should be in my mailhosts but isn't. Is it really THAT hop that is the problem? A lot of my mail is processed by mailroute.net before being sent on to my ACM address, and MailRoute seems to regularly change the hosts that process mail. Is there a way to configure SpamCop mailhosts with a wildcard to recognize all of MailRoute's receiving hosts? I've been down this road before and had to get an admin to set up the mailhosts because the automatic config process based on sending test emails does not work for MailRoute.
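Added illustration, not the poster's code and not SpamCop's implementation: the script below models the mailhost trust walk the two posts above are reasoning about. It parses a constructed set of Received lines built from the hop chain listed above (newest hop first, as in a real message), then trusts each line only while the receiving host is a registered mailhost, so the first line received by an unknown host is where trust stops. The mailhost set, the simplified trust rule and the header text are assumptions.

```python
import re

# Constructed sample modelled on the hop chain above, newest hop first (the
# order Received headers appear in a message); not the actual message.
RECEIVED = [
    "from acmsmtp01.acm.org (acmsmtp01.acm.org [64.238.147.78]) by smtp.jhmg.net",
    "from in-008.ord.mailroute.net ([199.89.2.11]) by acmsmtp01.acm.org",
    "from localhost (localhost [127.0.0.1]) by in-008.ord.mailroute.net",
    "from in-008.ord.mailroute.net ([199.89.2.11]) by localhost",
    "from lnservice.com (lnservice.com [176.28.44.23]) by in-008.ord.mailroute.net",
    "from blog.wim888.tw ([220.142.72.6]) by lnservice.com with MailEnable ESMTP",
]

HOP_RE = re.compile(r"^from\s+(\S+).*?\bby\s+(\S+)", re.I | re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(received):
    """One dict per Received line: claimed sender, its bracketed IP (if any)
    and the host that claims to have received the message."""
    hops = []
    for line in received:
        m = HOP_RE.search(line)
        if not m:
            continue  # malformed Received line: skip rather than guess
        ip = IP_RE.search(line)
        hops.append({"from": m.group(1), "ip": ip.group(1) if ip else None,
                     "by": m.group(2).rstrip(";,")})
    return hops


def trace_origin(hops, mailhosts):
    """Walk from our own delivery host outwards. A line is trusted only while
    the receiving ('by') host is a registered mailhost; the first line received
    by an unknown host cannot be trusted, so the apparent origin is the 'from'
    side of the last trusted line. Returns ((host, ip) or None, index of the
    first untrusted line or None if every line was trusted)."""
    origin = None
    for i, hop in enumerate(hops):
        if hop["by"].lower() not in mailhosts:
            return origin, i
        origin = (hop["from"], hop["ip"])
    return origin, None


if __name__ == "__main__":
    mine = {"smtp.jhmg.net", "acmsmtp01.acm.org", "in-008.ord.mailroute.net", "localhost"}
    print(trace_origin(parse_hops(RECEIVED), mine))
    # Without the MailRoute host registered, trust stops two lines earlier.
    print(trace_origin(parse_hops(RECEIVED), mine - {"in-008.ord.mailroute.net"}))
```

With the MailRoute host registered the walk stops at the line received by lnservice.com, naming lnservice.com as the apparent origin; with it missing, the walk stops at in-008.ord.mailroute.net itself, which is the effect the post is asking about.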
  16. Please see https://www.spamcop.net/sc?id=z6048286813z098ee39b1dff6f1b0e4f2ba72e4653cbz I receive mail via a forwarding mailbox at acm.org, which first passes through Mailroute. When I attempt to register my acm.org address, I am only given one sending server option (mail.mailroute.net), but when submitting spam to SC it identifies the next server in the chain (acmsmtp02.acm.org) as the sending server, which is incorrect. How do I get the correct mailhost servers registered?
  17. I use a mailbox-forwarding service at acm.org for my primary email. They used to filter spam with Postini, but switched to Mailroute about a year ago. Mailroute spam filtering is a great improvement over Postini, catching over 95% of spam with very few false positives. When the occasional spam makes it through I submit it to SpamCop. Starting immediately after the switch to Mailroute I noticed my SpamCop reports included an "Interested third party" recipient, which I assumed was someone at Mailroute. Recently (about a month ago), this "interested third party" email disappeared from my reports, and since then Mailroute's spam filtering has gotten less effective, letting through really obvious spam. Some questions: Does SpamCop have (or did they have) a direct line to Mailroute to submit spam for analysis and tracking? Was the "Interested third party" (tj at terramar.net) a Mailroute spam tracking address? What changed at SpamCop such that this third party is no longer receiving spam reports? Thanks.
  18. I don't know if it was SC or mailroute that changed. I guess the real question is why that address was an "interested third party" to begin with. How did terramar get "interested third party" status for spam arriving via mailroute?
  19. How often does it happen that SpamCop doesn't find a reporting address when one exists? I see several "No reporting address found" messages per week. I guess I should start checking manually when I see this.
  20. Here's a recent set of spam headers:

     Return-Path: <WirelessInternet[at]717777.net>
     X-Original-To: joyce[at]redacted.com
     Delivered-To: joyce[at]redacted.com
     X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0
     Received: from 717777.net (717777.net [192.157.244.142]) by redacted.com (Postfix) with ESMTP id 8E2C93384E2 for <joyce[at]redacted.com>; Wed, 7 Jan 2015 20:16:53 +0000 (UTC)
     DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key1; d=717777.net; h=Content-Type:MIME-Version:From:To:Subject:Reply-To:List-Unsubscribe:Message-ID:Date; i=WirelessInternet[at]717777.net; bh=Ibo7yBSNBsuxkZczrHEwkU1tFKU=; b=KiTYml480efc7t5kMfYhwT0/76pWERK1UX4DnqdnniQYdJjEIz3xrKcs6iPXi0JAG7Bju6t8tCda aS0gR9sUrEQRtcl4ix41/8lTk9SUp9W5oXNmHTkOpjB4WFpwKwXSB4PtzLgE0GfYTfm9gOQr9GcR 2FKU2KrTzLGRdquPMzg=
     DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=key1; d=717777.net; b=eYPifaKYR1X7WiFC4eu9z7sabCx6h5KoIWqXTjibUtJLRG4Scxnn/QQxBjPZJUgPtyBj1AiZtzX6 IApZCQ9UjjJD333hdi9MHur4ymgoCQKao1z0PP8VxILTTFDPbHtF3weWnmx7TYIXe2950xAskS9a pw4y81O49hIWbQT2oGg=;
     Content-Type: multipart/alternative; boundary="===============5263607597987950669=="
     MIME-Version: 1.0
     From: Wireless Internet <WirelessInternet[at]717777.net>
     To: joyce[at]redacted.com
     Subject: Did you miss this wireless Internet alternative?
     Reply-To: noreply[at]717777.net
     List-Unsubscribe: <mailto:unsubscribe-espc-tech-12345N[at]717777.net>
     Message-ID: <5bd0724990f8d52706b3ff173e52e4ee[at]717777.net>
     Date: Wed, 7 Jan 2015 15:05:57 -0500

     SpamCop resolved this to

     6250245206 ( http://www.717777.net/2706b208350d36ef1f0d784ca... ) To: ec2-abuse#amazon.com[at]devnull.spamcop.net
     6250245205 ( http://www.717777.net/2706b208350d36ef1f0d784ca... ) To: email-abuse#amazon.com.[at]devnull.spamcop.net
     6250245204 ( 192.157.244.142 ) To: abuse[at]scalabledns.com

     However, a simple whois lookup of 717777.net at whois.domaintools.com turned up

     Domain Name: 717777.net
     Registry Domain ID:
     Registrar WHOIS Server: whois.ename.com
     Registrar URL: http://www.ename.net
     Updated Date: 2014-04-07 T19:28:03Z
     Creation Date: 2014-04-07 T19:28:03Z
     Registrar Registration Expiration Date: 2015-04-07 T19:28:03Z
     Registrar: eName Technology Co.,Ltd.
     Registrar IANA ID: 1331
     Registrar Abuse Contact Email: abuse[at]ename.com
     Registrar Abuse Contact Phone: +86.4000044400
     Domain Status: clientDeleteProhibited
     Domain Status: clientTransferProhibited
     Registry Registrant ID:
     . . .

     So, why didn't SC include abuse[at]ename.com as a reporting address? Note that 717777.net <--> 192.157.244.142 has matching A and PTR records. Is there something I'm not seeing that makes this reporting address invalid?
  21. I'm receiving spam messages that all look the same and have the same "unsubscribe" link: The messages are always base64-encoded HTML and the HTML always has the following at the end

     Preferences Unsubscribe 6757 Cascade Rd. Suite 166

     where Preferences and Unsubscribe are links of the form http://same-host-as-spam-link/long-string-of-hex-digits These messages seem to come through exploited open relays or throwaway Amazon EC2 instances, and I get only 3-4 messages from each IP. I've been adding client IP and sender checks to my Postfix SMTP configuration but they change hosts often enough that I have to update the filters at least once a day to add the latest hosts/domains. Sample headers:

     Return-Path: <WirelessInternet[at]allwebbuy.com>
     X-Original-To: redacted[at]redacted.com
     Delivered-To: redacted[at]redacted.com
     X-Greylist: delayed 00:10:00 by SQLgrey-1.8.0
     Received: from allwebbuy.com (unknown [91.108.81.162]) by smtp.redacted.com (Postfix) with ESMTP id D4FB8338554 for <redacted[at]redacted.com>; Sat, 3 Jan 2015 02:48:42 +0000 (UTC)
     Content-Type: multipart/alternative; boundary="===============6835749550156966652=="
     MIME-Version: 1.0
     From: Wireless Internet <WirelessInternet[at]allwebbuy.com>
     To: redacted[at]redacted.com
     Subject: Your Web Connection Floats with You with Wi-Fi
     Reply-To: noreply[at]allwebbuy.com
     List-Unsubscribe: <mailto:unsubscribe-espc-tech-12345N[at]allwebbuy.com>
     Message-ID: <5bd0724990f8d52706b3ff173e52e4ee[at]allwebbuy.com>
     Date: Sat, 3 Jan 2015 05:38:40 +0300

     The message format is extremely consistent, and I'm sure thousands of people are receiving these emails. Is there any resource on the web that might know the actual source of these messages? I tried following one of the links with curl but there are at least 3 or 4 layers of redirects involved. Anything else to do to fight the spammers?
  22. There used to be a configuration option where you could tell the system not to expire your web session for up to 1 year, to prevent needing to re-enter my password. I recently had to clear all browser history and cookies (browser link hijack) and now I can't find the page where this option resides. Is it gone?
  23. http://www.spamcop.net/sc?id=z5612672545zb...ba460158570b32z What specific "date" is the parser looking for?