
RobiBue

Members
  • Content Count: 243
Everything posted by RobiBue

  1. RobiBue

    The problem against spam users.

    Around 20 years ago, I used to send my wife occasional emails that would look like she sent them to me, just to make sure that she understood that anybody could send an email with spoofed/fake names. So the From: line in the headers is only valid for “trusted” emails. (And then, only if you trust them) As Lking states, the Received: line in the headers is the one that gets you closest to the original sender. Many times, though, a computer is hacked and some malware is installed, sending the spam from that computer without the knowledge of the real user. Sending spam reports to the ISP of said user is necessary to alert the ISP that the user is either a spammer or has compromised hardware. It is also possible that a company has their own mail server which is open and can be used as a proxy. For the latter, it is also important to have their ISP inform them that they are running an open proxy allowing spammers to abuse their system. HTH
  2. RobiBue

    Report Ends With "Parsing Header:"

    /me/ stands corrected. Thank you 😊. wasn't aware that the headers could share importance with a DB file structure (mbox in this case)
  3. RobiBue

    Report Ends With "Parsing Header:"

    atchooly.... is there a reason why the first From line doesn't have a colon ":"

        From bounce@menshealth.com Mon Jul 8 01:35:59 2019
        Return-Path: <bounce@menshealth.com>
        X-Original-To: x
        Delivered-To: x

    in my book, that would be a reason for failure...
  4. and so the G🦗H advances further to becoming a master 🙏 @gabrielt Glad you found the problem, and with it, also fixed an internal handoff problem with your qmail setup (malformed received line). (wish some big companies: -- with outlook and hotmail -- would fix theirs....)
  5. Unfortunately, that is not something we "mere mortal users" can solve unless we report manually and not through spamcop. This issue has to be resolved through fixing spamcop's whois lookup with the registries, and following the correct protocol, which apparently ARIN changed a while back. RIPE also seems to have made some changes, but it's affecting spamcop only marginally. Sadly many ARIN redirections to APNIC end up devnulled because cisco/talos seems to have only a minimal desire to keep spamcop up to date (at least so it seems to me personally) What happens now, is, that someone asks in this forum to fix the reporting address (which may or may not happen), and if this reporting address gets manually changed, it is then prone to end up being the wrong address when the registrant changes the info in the whois DB.
  6. yeah, rule #3, but don't forget Russel's Corollary...
  7. I fathom that somehow they were tipped off to remove certain spam-traps from their database, yours included, but not the other addresses. Just my thought...
  8. RobiBue

    abuse: nobody{AT}example.com

    That one is a bit murky, but looking at its upstream 216.72.0.0/16, it belongs to Equant Inc. (who in turn, back in 2006 was rebranded into Orange along with Wanadoo.) That said: "Comments: For abuse, spam or security issues, Please contact SIRT [at] EQUANT.COM", and "OrgAbuseEmail: sirt [at] orange-ftgroup.com" would be the address I'd use. The link is a "spamcop command" link that could expire, so the ARIN link is 3-fold: https://whois.arin.net/rest/net/NET-216-72-0-0-1 which gives the SIRT [at] EQUANT.COM address, and the link below for the "Related organization's POC records." (the second "See also" as the first one is absolutely useless, and the third isn't much worth for us) https://whois.arin.net/rest/org/EQUANT-1/pocs where in turn you can find "Abuse: SOC20-ARIN (SOC20-ARIN)" which links to https://whois.arin.net/rest/poc/SOC20-ARIN.html which gives the sirt [at] orange-ftgroup.com address. (and maybe also attach the other two non-IPG-ARIN addresses as well 😉) Then, I would also add the address found in https://www.ripe.net/membership/indices/data/ie.equant.html, although since there is no last updated date, there is no security that this email is still valid (but worth a try) HTH
  9. I would like to propose a change in SpamCop's handling of cloudflare links. 1. when looking up the whois for the domain, or test the link, do not use the full path, only use the domain name, as a visitor trigger trap causes more spam to be sent as soon as the report is performed. I munged for that purpose every link in my "cloudflare" spams: https://www.spamcop.net/sc?id=z6493410150za18869ba12b686fd60a88c35e34dc44ez https://www.spamcop.net/sc?id=z6493410187zb583dc5e2b40660c7a81ed43e718e3aaz https://www.spamcop.net/sc?id=z6493340629z49245d803153055044b14f0dc24f00a3z https://www.spamcop.net/sc?id=z6493340613z69f628f405e36a4d6fbdf4e2014ffe58z and so on and so forth. it would be grand if SpamCop could do this automagically.
  10. no, it is not an error, as this network entry really didn't provide an abuse address. Heck, they really didn't provide an address at all: https://whois.nic.ad.jp/cgi-bin/whois_gw?codecheck-sjis=Japan+Network+Infromation+Center&lang=%2Fe&key=202.238.198.169&submit=query&type=&rule=

        [ JPNIC database provides information regarding IP address and ASN. Its use ]
        [ is restricted to network administration purposes. For further information, ]
        [ use 'whois -h whois.nic.ad.jp help'. To only display English output, ]
        [ add '/e' at the end of command, e.g. 'whois -h whois.nic.ad.jp xxx/e'. ]

        Network Information:
        a. [Network Number] 202.238.198.0/24
        b. [Network Name] IIJNET
        g. [Organization] IIJ Internet
        m. [Administrative Contact] JP00010080
        n. [Technical Contact] JP00010080
        p. [Nameserver] dns0.iij.ad.jp
        p. [Nameserver] dns1.iij.ad.jp
        [Assigned Date] 2018/06/25
        [Return Date]
        [Last Update] 2018/06/25 17:35:04(JST)

        Less Specific Info.
        ----------
        Internet Initiative Japan Inc.
        [Allocation] 202.238.192.0/18

        More Specific Info.
        ----------
        No match!!

      looking up the JP00010080 AS number (well, JP number, as it isn't really an AS number) I get:

        [ JPNIC database provides information regarding IP address and ASN. Its use ]
        [ is restricted to network administration purposes. For further information, ]
        [ use 'whois -h whois.nic.ad.jp help'. To only display English output, ]
        [ add '/e' at the end of command, e.g. 'whois -h whois.nic.ad.jp xxx/e'. ]

        Group Contact Information:
        [Group Handle] JP00010080
        [Group Name] IP Address Contact
        [E-Mail] nic-sec@iij.ad.jp
        [Organization] Internet Initiative Japan Inc.
        [Division]
        [TEL] 03-5205-6500
        [FAX]
        [Last Update] 2014/07/22 12:02:04(JST)
                      apply@iij.ad.jp

      So nic-sec[at]iij.ad.jp would be the address to complain to, and I personally would add a comment to hostmaster[at]nic.ad.jp letting them know that the above entry has no abuse address listed and is spamming
  11. 1/2 way agree with Petzl 😉 fake bounce: no, it's a real bounce spammer has you as return address: yes. That's why you're receiving the bounce. The address that the spammer sent the spam to, is invalid (either never existed or got removed from usage) and since your address was the return address (From:) ... another reason to hate spammers... but no point in submitting that one, as the owner is legit... they just replied to you to let you know that "your" mail couldn't be delivered... that's another reason why spamcop goes after the Received: headers and not the From: email addresses 😉
  12. Oh those times 👴🏼 I think I'm showing my age 😗🎶 But to our microVAX I had direct terminal access
  13. I prefer https://youtu.be/RlsiiWlt35s (Surely you understand I don't like to be called Muriel 🤨🤫) 🙃🤗🤣
  14. RobiBue

    Abbreviations/acronyms

    I learn it from a book 🙃🤗🤣
  15. almost -- it's missing the net (sorry for the late reply, have been busy otherwise. Even my spam folder accumulated several days of unreported spam 🤫)
  16. if I use my "potaroo.net" IPv6 checker on the aforementioned IPv6 address: http://www.potaroo.net/cgi-bin/ipv6addr?pfx=2402%3Abc00%3A0%3Aa216%3A%3A19%3A124 I see the following comment in the APNIC entry:

        remarks: This information has been partially mirrored by APNIC from
        remarks: JPNIC. To obtain more specific information, please use the
        remarks: JPNIC WHOIS Gateway at
        remarks: http://www.nic.ad.jp/en/db/whois/en-gateway.html or
        remarks: whois.nic.ad.jp for WHOIS client. (The WHOIS client
        remarks: defaults to Japanese output, use the /e switch for English
        remarks: output)
        last-modified: 2014-03-10T22:41:03Z

      not shown above are other "last-modified" entries, the oldest dating 2009-11-04T06:54:54Z (that's a 10 year old listing), while the shown last-modified is 5 years old, whois.nic.ad.jp should have the current listing although I do not find the abuse address mentioned by MIG, I find 2 entries, both using the same email address https://whois.nic.ad.jp/cgi-bin/whois_gw?key=JP00076967/e and https://whois.nic.ad.jp/cgi-bin/whois_gw?key=JP00065730/e

        Group Contact Information:
        [Group Handle] JP00076967
        [Group Name] networkhozen
        [E-Mail] SS01629@enecom.co.jp <---
        [Organization] Energia Communications,Inc
        [Division]
        [TEL] 050-8201-2351
        [FAX]
        [Last Update] 2017/04/05 16:53:06(JST)

      one is from 2011 and this one from 2017...
  17. currently spamcop parses it as follows: https://www.spamcop.net/sc?action=showroute;ip=176.56.208.244;typecodes=16 apnic has: % Abuse contact for '176.56.208.0 - 176.56.208.255' is 'abuse[at]phe.uk.com' <<---------- please fix to this correct abuse address while Rob.Urry address mentioned in the SC parse is somewhat listed, SC says: rob.urry[at]rapidwaters.net bounces (7 sent : 6 bounces) No good!
  18. in fact, the whole /19 range is! see http://wq.apnic.net/static/search.html?query=176.56.192.0/19 or actually the RIPE db: (sorry about that, not APNIC) https://apps.db.ripe.net/db-web-ui/#/query?searchtext=176.56.192.0%2F19#resultsSection still shows the same abuse address: Abuse contact info: abuse[at]phe.uk.com inetnum: 176.56.192.0 - 176.56.223.255
  19. That's correct, in your case, the first link is basically just a link parser equivalent, and nothing more, although the report to the telegram . org abuse desk will contain the complete spam for parsing (munged if your settings have it so selected) The next ones are targeting the source of the spam, and will contain the full, yet probably munged, headers and message body. Glad we could help 🙂
  20. @bolandross, have you clicked on [View Recent Reports] and tried yourself? Just curious. Anyway, there are different "forms" of reports the ones not yet filed: as you can see, there's no link and then, filed: depending on how and what you clicked to report the spam, the links provided will vary here, the first few links are just URL parses which point to the owner/administrator/abuse desk of the serving IP address of the spamvertised websites, then you might have a personal link if you request one in [Preferences]. There you can add notes, or see how the spam was parsed (Tracking URL) and then you might have one or more for the spam source ip address, where you can see a) the full spam (depending on your settings with the email address munged) and b) a link to how the spam was parsed (again, Tracking URL) (in the above, ending in 50, I replaced the link with the tracking URL because otherwise you wouldn't be able to see anything)
  21. RobiBue

    ocn.ad.jp spam

    Klappa had two posts. He mentioned you can add a recipient in settings (actually the [Preferences] tab/link) but he didn't mention that it's under Report Handling Options by adding an email address to the Public standard report recipients field. In the 2nd post (the one you quoted) he asked where (about adding a recipient for every report independently), but just recently, we all found out, that you can do that only if you have either a paid account, or fuel added (until it runs out) HTH
  22. RobiBue

    rir-abuse{AT}oath{DOT}com

    sorry, can't say I've noticed, but as Petzl mentioned, a tracking URL might be helpful. Petzl is not a troll, he might just have had a bad day with all the spam in the forum (it goes away after an admin browsed through it, but the TZ between OZ and US difference keeps the spam visible much longer for him...) anyway, the past reports can be found here when logged in (same as the link/tab [Past Reports]) (p.s. that's TZ for Time Zone, OZ for Down Under, and US for a Colorado/Rockies location or something like that)
  23. I like Idea #2!, especially if everybody is on-board. a) it would convince amazon to clean up their act with spammers and hosting them, b) especially if they start losing legitimate clientele
  24. RobiBue

    re. @devnull.spamcop.net

    Just for clarification: I do not get [User Notification] either. Admittedly, I have not a paid account, and do not have "added fuel" either. And WRT checking the settings, tried both: on and off with no difference.