Jump to content


  • Content Count

  • Joined

  • Last visited

Everything posted by RobiBue

  1. RobiBue

    Failed to load spam header

    Hello Petzl, MIG used the URL you provided in this post from last year and is confused in why it returns the message " Failed to load spam header " << Which sample of one filled out becomes https://www.spamcop.net/sc?id=z6405221173zd2f8b10e4a27a1d0e37d7af5dacb6600z botnet spewing spam *DoS* attack URL links are "Joe Jobs" (unassociated with attacks)  >>
  2. From what I understand, when Julian Haight designed SpamCop, it looked at every possible correctly chained IP address, where it was sent from, and who received it, making sure that spoofed headers would not confuse the chain. If he were still running this system, he would have correctly implemented the 6to4 IPv6 checks, which apparently Cisco/Talos has no intention to do. For them to claim the implementation would cause a security vulnerability is pure BS in my not so humble opinion. It just shows, that their programmers are not as good as one would expect from a company of such security weight. It's an email header parser/analyzer for heavens' sake. And it's broken (on the IPv6 6to4 address side at least.)
  3. I do not believe you mis-spoke. It is an IPv6 problem. SpamCop doesn't resolve the 6to4 private addresses, which are in IPv6 format, and that qualifies as an "IPv6 problem" that we all wish SpamCop would be able to handle "today"
  4. In other words: he probably jinxed it... now someone at outlook will “fix” that “working flaw” 😱
  5. RobiBue

    Need help with my new laptop

    As a reminder: this jimmyjell has been posting things like this that in a strange way make sense, and then there is always a link, where I suppose you are sent to grab a virus or malware. He started posting this stuff about a week or two ago...
  6. RobiBue

    Message Header Analyzer - Microsoft

    Coincidentally I saw that just a few days ago... had completely forgotten about it... thanks for the link and the reminder
  7. RobiBue

    url not a routable address

    .HOST is a valid TLD according to IANA it is possible that one of the registrars took it down: https://ntldstats.com/tld/host doubt it though, as It seems to be registered through namecheap... (sorry about the reCaptcha...) Domain Name: BXDGEI.HOST Registry Domain ID: D82021934-CNIC Registrar WHOIS Server: whois.namecheap.com Registrar URL: https://namecheap.com Updated Date: 2018-11-06T17:50:19.0Z Creation Date: 2018-11-06T17:50:07.0Z Registry Expiry Date: 2019-11-06T23:59:59.0Z Registrar: Namecheap Registrar IANA ID: 1068 Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Domain Status: addPeriod https://icann.org/epp#addPeriod Registrant Organization: WhoisGuard, Inc. Registrant State/Province: Panama Registrant Country: PA
  8. RobiBue

    error: couldn't parse head

    that's why I wish SC/Cisco would also get their gears into motion and have the private 6to4 addresses parsed correctly and not ignore them and break like they have been doing thus far... ?
  9. RobiBue

    Why you allow spaming this forum

    I usually get these posts fairly early and go through the unread posts, flagging the spams first. It does take a little while with a slow pc/nb, but eventually I have a clean slate to look at the real issues, and as Lking said, occasionally I flag a missed one
  10. Many times, pasting the spam into a blank notepad first, will take care of those empty lines or will show that there are empty lines. Usually this happens when there is a carriage return (cr) and a line feed (lf) like in unix (cr/lf) and microsoft (cr) receives it...
  11. RobiBue

    ISP has indicated spam will cease

    there are unfortunately more ways for spammers to send their junk: they can find an open proxy, that is a server who allows sending through it (on port 25) and you can find plenty of those on the web (unfortunately) another way is to spoof IP addresses, usually addresses that are not in use or still in transfer. I have been receiving my fair share of spam from IP blocks which are not in use and therefore a bounty for spammers as there is no abuse address for those IP blocks
  12. In SC when i submit as attachment, the spam needs to be truncated. SC won't accept it otherwise. Manually in the report box, it might be the case that SC does it automagically but I haven't tried that one in a while though
  13. careful, the above post could be a password phishing link... I haven't looked into it, but it looks suspicious... https://www.spamcop.net/sc?track=http%3A%2F%2Fwww.aoltechsupportnumber.com @admins, my post can be deleted if you delete the above post or if the link is safe
  14. if that's the case, then just post the header and the first few lines of the body in their form with the comment that the rest was truncated or omitted due to size restrictions. I do that when I report spam larger than 50kiB
  15. if they are that large, it would almost seem that they would contain some malware... (a virus or such)
  16. from the vast amount of data breaches, this goon got my old password as well: https://www.spamcop.net/sc?id=z6495594649zd2d6f1f75886a3a021dda5474e8bf174z reported. his mo seems to be that he subscribes you to some prn sites and then sends the canned letter...
  17. lately, I have to manually alter every cloudflare spammer link. I noticed a few weeks ago, that whenever I reporte cloudflare spam (I call it cloudflare spam because the links are hosted by cloudflare, and the spammer spoofs an inactive IP range -- currently CCAMATIL ( 167.103.249.nnn ) -- and seems to be getting away with it) a few seconds later, fresh spam from, you guessed it, cloudflare fills my inbox. So, whenever SpamCop analyzes the links (just touches them), the spam gets triggered. Now I munge the ID number and alter it verbally as: e.g. http://airlinedo.com/?--ID-number-5-(munged) where the 5 in this example is the last of 13 digits https://www.spamcop.net/sc?id=z6493410150za18869ba12b686fd60a88c35e34dc44ez or http://checkshownontv.com/?--ID-number-8-(munged) in this case it's 8 ... https://www.spamcop.net/sc?id=z6493410187zb583dc5e2b40660c7a81ed43e718e3aaz it would be nice if SC could refrain from using the full path so that the visitor trap doesn't get triggered And yeah, the originating IP address is also a problem as there is no real owner for the range, even though indirectly it belongs to the Australian branch (Amatil) of Coca-Cola. APNIC told me that someone is spoofing those IP ranges.
  18. Hello Alexey, this is a user supported forum, but we'll try to help as well as we can. it seems that your system doesn't have "double opt-in". this means, that when the user subscribes, you send a short message to the email address provided asking the subscriber to confirm (preferably not via email but via web-link or to enter a code sent) that they want the subscription to your list. if they do not react within a certain amount of time, you discard the address and leave it at that. do not keep on asking for confirmation, as that constitutes spamming too. also, if the user changes the email address, you do the same, send a message to the new address asking for confirmation via link or by entering a code. this way, you can make sure that someone who is trying to frame you, can not succeed. also, keep a log of the subscription requests and the messages where the replies come from (IP addresses) there could be a possibility that someone is adding "innocent" email addresses to your list, and with this method you can make sure that you're not getting in trouble. personally, if I receive unwanted mail (spam, ube, uce) I do not click on links. I report it. if the spammer keeps sending me requests to confirm my subscription, they are spamming me. if they sent the request once, and don't send me any more requests, then they can easily explain to their provider the way their system works, and if someone is trying to get you in trouble, you can follow up on recent attempts to subscribe (if the same IP address appears to be subscribing many email addresses, you can explain to your provider the situation and even block the IP address attempting to subscribe... you might have to clean out your address DB now, since you don't know who of the 5000 is the one that didn't want to be subscribed. hope this helps
  19. RobiBue


    The is not an IP address! It is the version number of the “IceWarp” system used by mail.gvii.net. SpamCop thinks that it’s an IP address because it is commented (in parentheses) after the host name... unfortunate misatribution...
  20. as i mentioned, it's M$'s (microsoft's) fault because they break the chain. I do agree, that it is pointless to report your own email provider instead of the source, but there's nothing we mere "customers/end-users" can do if the big wigs don't want to play along.
  21. Hi Klappa, I can try to explain what’s happening here: In the topmost (last) Received: line Received: from CO1NAM04HT207.eop-NAM04.prod.protection.outlook.com (2603:10a6:4:2b::32) by DB4PR03MB524.eurprd03.prod.outlook.com with HTTPS via DB6PR0801CA0064.EURPRD08.PROD.OUTLOOK.COM; Tue, 2 Oct 2018 00:49:39 +0000 notice the address 2603:10a6:4:2b::32 which is a valid assigned IPv6 address belonging to M$. The next Received: line Received: from CO1NAM04FT010.eop-NAM04.prod.protection.outlook.com ( by CO1NAM04HT207.eop-NAM04.prod.protection.outlook.com ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.20.1185.13; Tue, 2 Oct 2018 00:49:37 +0000 appears to come from IP address, which is a private network address, so it is not trusted. The following (preceding) Received: line Received: from sfac11.wysweb.com.au ( by CO1NAM04FT010.mail.protection.outlook.com ( with Microsoft SMTP Server id 15.20.1185.13 via Frontend Transport; Tue, 2 Oct 2018 00:49:36 +0000 which actually contains the spamming IP address could already have been forged by the untrusted host mentioned above. The problem is that M$/Hotmail/Outlook breaks the chain causing SpamCop to report the wrong address. This is not SpamCop‘s fault, but M$’s.
  22. RobiBue

    ocn.ad.jp spam

    Well, I still have my hotmail address and it works just fine. but I agree, since M$ moved the hotmail accounts to outlook, they most likely got rid of those addresses, so if SpamCop redirects automatically to them, it should raise an eyebrow or two...
  23. But again, according to ARIN: https://whois.arin.net/rest/net/NET-209-200-0-0-1/pft?s= their abuse address is abuse@webair.com
  24. RobiBue

    ocn.ad.jp spam

    It would be so much easier if instead of a screenshot, only the URL would be provided... https://www.spamcop.net/sc?id=z6488956777z48d6c277dfcfacb57994880635860105z Anyway, it is clear why this and probably all hotmail emails are reported to Microsoft... the topmost Received: line contains the IP address 2603:10a6:4:8f::13 which is allocated to MSFT... now the next Received: line contains the following private network address: and this breaks the chain, therefore SC reports the message to the last valid provider: Microsoft. now why in Sam Hill isn’t it actually being reported to abuse@microsoft.com is probably because some “looong” time ago, abuse@outlook.com was the place to report to and SpamCop had a special “report desk” there... problem is, by breaking the chain, Microsoft alongside google et al. put SpamCop in a precarious position where spam isn’t being reported correctly anymore. The email system is broken and spammers are having a free pass fest. It’s not SpamCop’s fault, but SpamCop/Cisco is not taking the problem seriously either. Sad days in the anti-spam community.
  25. RobiBue

    ocn.ad.jp spam

    @Salfordian, I don't know about you, but I have no problems reporting spam through gmail. (although I rather use SpamCop) I'm with its8up, if we don't know what you're doing, we can't help you. Gmail has a quota of how many messages (emails) you can send per day, depending on how you send them. I reached that limit once, but haven't run into that problem anymore, and I've had this account since I got an invite to gmail on Nov, 2005 The only failures I get are the ones where the abuse mailbox is dead or the space for inflow on their side has run out. and then I nicely reach out to ARIN, RIPE ... or whoever handles their AS info and ask them to reach out to their registrant to fix their abuse contact. so far it (almost) always has worked for me.