• Content count

  • Joined

  • Last visited

Community Reputation

0 Neutral

About william_sc

  • Rank
  1. Ew. That is obviously not a universal solution to the problem. Please explain why IPs less than work, but domains greater than don't?
  2. So this might where the confusion is. Yes and yes. *I* report spam from a single spamcop account for all email I have access to: Yahoo!, Gmail, etc, and my work email. *Others* in my company report spam to their work email (as well as to their personal email, most likely) using their own spamcop accounts. So, if it is as simple as registering the misflagged host as a mailhost, how can we do that for *ALL* reporters without mucking up their personal spamcop accounts? (I get the sense reading the warnings that a mailhost is only valid for the one account setting it up, and once you go down that route you must set it up for ALL mailhosts you include in reports.)
  3. I'm going to say this again, this isn't just me, it's the entire company. Everyone who reports spam through spamcop is getting this problem. Solving it only for me with my email (a) only fixes it for my reporting and (b) makes it harder when I have to report through other emails.
  4. Ok, I did a bit of hacking and have found two variants of the same header, one that "works" and one that "fails". https://www.spamcop.net/sc?id=z6406368915z3c233e5f6b35df52e43f378d28d0b9f2z This one parses "correctly" by picking up the IP of the originator. https://www.spamcop.net/sc?id=z6406369049zc70613d15e81e38ceff9ce99252dac8ez This one parses incorrectly, by picking up the intermediate IP (in this case, I randomly picked an IP, which happens to be NASA.) The one difference is the top (newest) Received: line: (parses correctly) vs (parses incorrectly and flags NASA). Ideas? Received: from null.net ( by s03.null.net (; 07 Sep 2017 10:55:26 -0400 Received: from null.com ([]) by esa3.null.edu with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 07 Sep 2017 10:55:21 -0400 From: User <User@bogusemail.com> To: "x" <x> Subject: This is spam! Date: Thu, 7 Sep 2017 14:55:18 +0000 Message-ID: <6c29________________________2fda@anywheres.au> Content-Language: en-US Content-Type: multipart/alternative; boundary="_000_6c296c4007fa2384928b5c7de3d02fdasmtp13abcdefgcom_" MIME-Version: 1.0 Body of Message
  5. This is bigger than just me. It's my entire company. The problem is emails sent to my company through these filters, not my personal emails. Entering mailhosts for me only solves the problem for me, and creates a risk for my personal emails. Sorry, please help me figure out what else might be causing it.
  6. I have never done that, and it looks too risky for me to do given the multiple emails that I report. Also, since Yahoo! is one of my primary report from accounts, I still need the quick-report (since I can't forward as an attachment from Yahoo! anymore).
  7. Not just personal information, but hostnames, IP addresses, internal to our network.
  8. That's presumably the source IP of the offender. My take is that the spammer is sending from that IP (nicknamed "STAVRO-PC") to comcast ISP, which in turn passes it to sendgrid.net, who then sends it to cioarena.com, where it is then picked up by my company's outside filter "esa2". It then bounces around a bit internally through various firewalls and filters and arrives in my inbox. But, as I point out, when spamcop parses this, the "originator" is picked up as the esa2 server inside our network, and ignores everything earlier than that.
  9. Yes, I see that. But then if I post it, rather confidential information is revealed in a public forum. I can't do that. If one of you wants to chat with me direct, I can see about making that happen.
  10. Well, it looks like you can figure out a lot more stuff than I'm comfortable posting on a public forum.
  11. "proofpoint", is the internal filtering, which gets forwarded to us.
  12. No. This is an email I received (that was marketing), and I am submitting it to spamcop. Instead of reporting to the ISP of the offender (comcast), it reports to my company, blacklisting us in the process.
  13. When I run the headers through spamcop, it only reports to the address for "MF.com". It doesn't even mention the comcast.com. This is not a one-off problem. Dozens of similar headers with the internal "MP" and "MF" filter routing ignore the original "Received:" line. So, over the past few weeks since implementing the additional internal spam filters, all emails submitted to spamcop have been reporting "COMPANY.com" as the abuser.
  14. I am wondering why the following headers (sanitized to protect the innocent) would direct abuse reports to the emails noted for MF.com, rather than comcast.net? What is happening is that, since MF.com is internal routing, the abuse reports get sent to my company and we get blacklisted. Received: from bnwems02.CNA.COMPANY.com (IP) by rtwems08.CNA.COMPANY.com (IP) with Microsoft SMTP Server (TLS) id 15.0.1320.4 via Mailbox Transport; Tue, 12 Sep 2017 12:17:10 -0400 Received: from bnwems03.CNA.COMPANY.com (IP) by bnwems02.CNA.COMPANY.com (IP) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Tue, 12 Sep 2017 12:17:09 -0400 Received: from mx0a-00266502.MF.com (IP) by bnwems03.CNA.COMPANY.com (IP) with Microsoft SMTP Server (TLS) id 15.0.1320.4 via Frontend Transport; Tue, 12 Sep 2017 12:17:09 -0400 Received: from MFS.filterd (m0122629.MFOPS.net []) by mx0a-00266502.MF.com (IP/IP) with SMTP id v8CGFOtS000474 for <LASTNAMEw@COMPANY.com>; Tue, 12 Sep 2017 12:17:08 -0400 Received: from esa2.COMPANY.MP.com (esa2.COMPANY.MP.com [IP]) by mx0a-00266502.MF.com with ESMTP id 2cvau2gx07-1 (version=TLSv1.2 cipher=RC4-SHA bits=128 verify=NOT) for <LASTNAMEw@COMPANY.com>; Tue, 12 Sep 2017 12:17:08 -0400 Received: from o1.delegates.cioarena.com ([IP]) by esa2.COMPANY.MP.com with ESMTP/TLS/DHE-RSA-AES128-GCM-SHA256; 12 Sep 2017 12:16:25 -0400 Received: by filter1077p1mdw1.sendgrid.net with SMTP id filter1077p1mdw1-27332-59B80858-15 2017-09-12 16:16:24.588092298 +0000 UTC Received: from STAVRO-PC (c-24-13-33-151.hsd1.il.comcast.net [IP]) by ismtpd0004p1iad1.sendgrid.net (SG) with ESMTP id 1QC0oXBlSTOHRHSxN1R2Ig for <LASTNAME_FI@COMPANY.com>; Tue, 12 Sep 2017 16:16:24.313 +0000 (UTC) From: XXX YYY <XXX@cioarena.com> To: "LASTNAME, FNN" <LASTNAME_FI@COMPANY.com> Subject: [External] RE: Reserved Ticket for FIRSTNAME LASTNAME to CIOarena NYC at the Conrad Hotel Thread-Topic: [External] RE: Reserved Ticket for FIRSTNAME LASTNAME to CIOarena NYC at the Conrad Hotel Thread-Index: AQHTK+KVaazU6gxqLkyJiimUpkwZ/Q== Date: Tue, 12 Sep 2017 16:16:24 +0000 Message-ID: <20170912111627.504209864@cioarena.com> Content-Language: en-US X-MS-Exchange-Organization-AuthAs: Anonymous X-MS-Exchange-Organization-AuthSource: bnwems03.CNA.COMPANY.com X-MS-Has-Attach: X-MS-Exchange-Organization-SCL: 0 X-MS-Exchange-Organization-PCL: 2 X-MS-TNEF-Correlator: received-spf: Pass (esa2.COMPANY.MP.com: domain of bounces+5440949-49ec-LASTNAME_FI=COMPANY.com@delegates.cioarena.com designates as permitted sender) identity=mailfrom; client-ip=; receiver=esa2.COMPANY.MP.com; envelope-from="bounces+5440949-49ec-LASTNAMEw=COMPANY.com@delegates.cioarena.com"; x-sender="bounces+5440949-49ec-LASTNAMEw=COMPANY.com@delegates.cioarena.com"; x-conformance=spf_only; x-record-type="v=spf1" Content-Type: multipart/alternative; boundary="_000_20170912111627504209864cioarenacom_" MIME-Version: 1.0