Everything posted by RobiBue

  1. RobiBue

    Any point in reporting spam from AMAZONAWS?

    Well, amazonaws spam reports get sent to /dev/null in my case: https://www.spamcop.net/sc?id=z6503507988zf04f1366f6ca8e5a872324eb4f96d690z
    Tracking message source:
    Routing details for
    [refresh/show] Cached whois for : abuse@amazonaws.com
    Using abuse net on abuse@amazonaws.com
    abuse net amazonaws.com = abuse@amazonaws.com
    Using best contacts abuse@amazonaws.com
    Reports disabled for abuse@amazonaws.com
    Using abuse#amazonaws.com@devnull.spamcop.net for statistical tracking.
  2. It's been eons ago, but I remember when spammers and other scumbags trembled when Afterburner and Nyarlahotep (and of course others in their league) would shut down their accounts... ah, memories
  3. RobiBue

    Failed to load spam header

    Thanks, that's what was being asked. Somehow some tracking URLs seem to expire, and others continue on... There is probably an "expiration date" attached to them....
  4. RobiBue

    Failed to load spam header

    Hello Petzl, MIG used the URL you provided in this post from last year and is confused as to why it returns the message " Failed to load spam header " << Which sample of one filled out becomes https://www.spamcop.net/sc?id=z6405221173zd2f8b10e4a27a1d0e37d7af5dacb6600z botnet spewing spam *DoS* attack URL links are "Joe Jobs" (unassociated with attacks)  >>
  5. From what I understand, when Julian Haight designed SpamCop, it looked at every possible correctly chained IP address, where it was sent from, and who received it, making sure that spoofed headers would not confuse the chain. If he were still running this system, he would have correctly implemented the 6to4 IPv6 checks, which apparently Cisco/Talos has no intention to do. For them to claim the implementation would cause a security vulnerability is pure BS in my not so humble opinion. It just shows that their programmers are not as good as one would expect from a company of such security weight. It's an email header parser/analyzer for heaven's sake. And it's broken (on the IPv6 6to4 address side at least.)
  6. I do not believe you misspoke. It is an IPv6 problem. SpamCop doesn't resolve the 6to4 private addresses, which are in IPv6 format, and that qualifies as an "IPv6 problem" that we all wish SpamCop would be able to handle "today"
  7. In other words: he probably jinxed it... now someone at outlook will “fix” that “working flaw” 😱
  8. RobiBue

    Need help with my new laptop

    As a reminder: this jimmyjell has been posting things like this that in a strange way make sense, and then there is always a link, where I suppose you are sent to grab a virus or malware. He started posting this stuff about a week or two ago...
  9. RobiBue

    Message Header Analyzer - Microsoft

    Coincidentally I saw that just a few days ago... had completely forgotten about it... thanks for the link and the reminder
  10. RobiBue

    url not a routable address

    .HOST is a valid TLD according to IANA. It is possible that one of the registrars took it down: https://ntldstats.com/tld/host
    Doubt it though, as it seems to be registered through namecheap... (sorry about the reCaptcha...)
    Domain Name: BXDGEI.HOST
    Registry Domain ID: D82021934-CNIC
    Registrar WHOIS Server: whois.namecheap.com
    Registrar URL: https://namecheap.com
    Updated Date: 2018-11-06T17:50:19.0Z
    Creation Date: 2018-11-06T17:50:07.0Z
    Registry Expiry Date: 2019-11-06T23:59:59.0Z
    Registrar: Namecheap
    Registrar IANA ID: 1068
    Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
    Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
    Domain Status: addPeriod https://icann.org/epp#addPeriod
    Registrant Organization: WhoisGuard, Inc.
    Registrant State/Province: Panama
    Registrant Country: PA
  11. RobiBue

    error: couldn't parse head

    that's why I wish SC/Cisco would also get their gears into motion and have the private 6to4 addresses parsed correctly and not ignore them and break like they have been doing thus far... ?
  12. RobiBue

    Why you allow spaming this forum

    I usually get these posts fairly early and go through the unread posts, flagging the spams first. It does take a little while with a slow pc/nb, but eventually I have a clean slate to look at the real issues, and as Lking said, occasionally I flag a missed one
  13. Many times, pasting the spam into a blank notepad first will take care of those empty lines or will show that there are empty lines. Usually this happens when there is a carriage return (cr) and a line feed (lf) like in unix (cr/lf) and microsoft (cr) receives it...
  14. RobiBue

    ISP has indicated spam will cease

    There are unfortunately more ways for spammers to send their junk: they can find an open proxy, that is, a server that allows sending through it (on port 25), and you can find plenty of those on the web (unfortunately). Another way is to spoof IP addresses, usually addresses that are not in use or still in transfer. I have been receiving my fair share of spam from IP blocks which are not in use and therefore a bounty for spammers, as there is no abuse address for those IP blocks
  15. In SC when I submit as attachment, the spam needs to be truncated. SC won't accept it otherwise. Manually in the report box, it might be the case that SC does it automagically, but I haven't tried that one in a while though
  16. careful, the above post could be a password phishing link... I haven't looked into it, but it looks suspicious... https://www.spamcop.net/sc?track=http%3A%2F%2Fwww.aoltechsupportnumber.com @admins, my post can be deleted if you delete the above post or if the link is safe
  17. if that's the case, then just post the header and the first few lines of the body in their form with the comment that the rest was truncated or omitted due to size restrictions. I do that when I report spam larger than 50kiB
  18. if they are that large, it would almost seem that they would contain some malware... (a virus or such)
  19. from the vast amount of data breaches, this goon got my old password as well: https://www.spamcop.net/sc?id=z6495594649zd2d6f1f75886a3a021dda5474e8bf174z reported. his mo seems to be that he subscribes you to some prn sites and then sends the canned letter...
  20. Lately, I have to manually alter every cloudflare spammer link. I noticed a few weeks ago that whenever I report cloudflare spam (I call it cloudflare spam because the links are hosted by cloudflare, and the spammer spoofs an inactive IP range -- currently CCAMATIL ( 167.103.249.nnn ) -- and seems to be getting away with it), a few seconds later, fresh spam from, you guessed it, cloudflare fills my inbox. So, whenever SpamCop analyzes the links (just touches them), the spam gets triggered. Now I munge the ID number and alter it verbally as, e.g., http://airlinedo.com/?--ID-number-5-(munged) where the 5 in this example is the last of 13 digits https://www.spamcop.net/sc?id=z6493410150za18869ba12b686fd60a88c35e34dc44ez or http://checkshownontv.com/?--ID-number-8-(munged) in this case it's 8 ... https://www.spamcop.net/sc?id=z6493410187zb583dc5e2b40660c7a81ed43e718e3aaz It would be nice if SC could refrain from using the full path so that the visitor trap doesn't get triggered. And yeah, the originating IP address is also a problem, as there is no real owner for the range, even though indirectly it belongs to the Australian branch (Amatil) of Coca-Cola. APNIC told me that someone is spoofing those IP ranges.
  21. Hello Alexey, this is a user supported forum, but we'll try to help as well as we can. It seems that your system doesn't have "double opt-in". This means that when the user subscribes, you send a short message to the email address provided asking the subscriber to confirm (preferably not via email but via web-link or to enter a code sent) that they want the subscription to your list. If they do not react within a certain amount of time, you discard the address and leave it at that. Do not keep on asking for confirmation, as that constitutes spamming too. Also, if the user changes the email address, you do the same: send a message to the new address asking for confirmation via link or by entering a code. This way, you can make sure that someone who is trying to frame you cannot succeed. Also, keep a log of the subscription requests and the messages where the replies come from (IP addresses). There could be a possibility that someone is adding "innocent" email addresses to your list, and with this method you can make sure that you're not getting in trouble. Personally, if I receive unwanted mail (spam, ube, uce) I do not click on links. I report it. If the spammer keeps sending me requests to confirm my subscription, they are spamming me. If they sent the request once, and don't send me any more requests, then they can easily explain to their provider the way their system works, and if someone is trying to get you in trouble, you can follow up on recent attempts to subscribe (if the same IP address appears to be subscribing many email addresses, you can explain to your provider the situation and even block the IP address attempting to subscribe...). You might have to clean out your address DB now, since you don't know who of the 5000 is the one that didn't want to be subscribed. Hope this helps
  22. RobiBue


    The is not an IP address! It is the version number of the “IceWarp” system used by mail.gvii.net. SpamCop thinks that it’s an IP address because it is commented (in parentheses) after the host name... unfortunate misattribution...
  23. As I mentioned, it's M$'s (microsoft's) fault because they break the chain. I do agree that it is pointless to report your own email provider instead of the source, but there's nothing we mere "customers/end-users" can do if the big wigs don't want to play along.
  24. Hi Klappa, I can try to explain what’s happening here: In the topmost (last) Received: line
    Received: from CO1NAM04HT207.eop-NAM04.prod.protection.outlook.com (2603:10a6:4:2b::32) by DB4PR03MB524.eurprd03.prod.outlook.com with HTTPS via DB6PR0801CA0064.EURPRD08.PROD.OUTLOOK.COM; Tue, 2 Oct 2018 00:49:39 +0000
    notice the address 2603:10a6:4:2b::32 which is a valid assigned IPv6 address belonging to M$. The next Received: line
    Received: from CO1NAM04FT010.eop-NAM04.prod.protection.outlook.com ( by CO1NAM04HT207.eop-NAM04.prod.protection.outlook.com ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.20.1185.13; Tue, 2 Oct 2018 00:49:37 +0000
    appears to come from IP address, which is a private network address, so it is not trusted. The following (preceding) Received: line
    Received: from sfac11.wysweb.com.au ( by CO1NAM04FT010.mail.protection.outlook.com ( with Microsoft SMTP Server id 15.20.1185.13 via Frontend Transport; Tue, 2 Oct 2018 00:49:36 +0000
    which actually contains the spamming IP address could already have been forged by the untrusted host mentioned above. The problem is that M$/Hotmail/Outlook breaks the chain causing SpamCop to report the wrong address. This is not SpamCop‘s fault, but M$’s.
  25. RobiBue

    ocn.ad.jp spam

    Well, I still have my hotmail address and it works just fine. but I agree, since M$ moved the hotmail accounts to outlook, they most likely got rid of those addresses, so if SpamCop redirects automatically to them, it should raise an eyebrow or two...