RobiBue

Everything posted by RobiBue

  1. RobiBue

    PARCO Innovation compagny blacklist

    Ouch! shoot your own foot
  2. RobiBue

    PARCO Innovation compagny blacklist

    it is possible that bouyguestelecom.com "maintains" their own block/black-list... I would ask their admin how it is maintained, and why they claim that your address is listed in SpamCop if it clearly is not.
  3. RobiBue

    Spamcop server

    Here, a SpamCop admin should be able to help you. Since you do not report spam via “super sekret email” that SpamCop created for you when you signed up, someone else is sending spam reports to that email address. It’s the address that you find where you submit spam after you login. Forward your spam to: submit.A-long-funny-looking-address@spam.spamcop.net Or maybe some spammer is sending spam to that address and SpamCop thinks it’s a report but doesn’t find the spam inside...
  4. https://www.spamcop.net/sc?action=rcache;ip=162.252.58.155 netrouting.com claims that it works. Please reset.
  5. RobiBue

    Spamcop server

    You say you haven’t reported spam in a long time, yet you receive those messages every 2nd day... Did you change jobs and leave your reporting email saved at your last place? Someone who works there now might be reporting the spam to that address. The email address that was in the original message might give a clue who received and submitted the spam. There might be a link with the reporting ID. It is possible as well, that the reporting entity is receiving the spam through a google account and SpamCop is choking on the 6to4 IPv6 address in the Received: line.
  6. RobiBue

    Reporting to Spammer?

    Yeah, that would be them themselves. IOW you'd be sending the report straight to the spammer.... unfortunately, they get their addresses straight from IANA/ARIN At least that's what I see, unless someone has more insight...
  7. RobiBue

    Reporting to Spammer?

    It seems to me that superlative.com has a large IP address space (https://whois.arin.net/rest/net/NET-74-118-120-0-1/pft?s=74.118.120.0.) That shows a /22 range with 1024 addresses (well, minus 2) they could be the spammer host (or not). there doesn't seem to be an upstream they are subletting from... at least I couldn't find one... This link (https://ipinfo.io/74.118.123.4) tells me a bit of a different story, but the data could be old...
  8. RobiBue

    Outlook "Beta"

    I see what you mean. The only way I can see it done involves some extra work manually, and I believe that is out of the question. It is for me anyway. In the message, click on the down arrow and select "view message source". Here's where the manual work starts: copy headers and message source (in the same window) by selecting everything in the new text-box and paste it into an editor. The whole thing is one line, so you'll have to insert a CR or CR/NL after every header part. Then you'll be able to submit it to SpamCop. Unless you have some programming experience and create an add-in for Outlook with Visual Studio... https://docs.microsoft.com/en-us/visualstudio/vsto/walkthrough-creating-your-first-vsto-add-in-for-outlook
  9. RobiBue

    Outlook "Beta"

    could this link help? https://www.lifewire.com/view-complete-message-source-outlook-1173713
  10. Since mid-May I have been reporting spam originating from IP-range 58.14/16 May 18, 2018 - June 29, 2018 total of 3359 spam messages from that IP range! That's over 76 per day... It looks like my reporting is working, as the spammer seems to be switching to 27.146/16 as I have already received 10 from there in the last 1.5 hour... Unfortunately, Cloudflare is still hosting their spamvertised websites... and doesn't seem to give "a barrier constructed to hold back water"
  11. see below and that's why I like to use the clue by four through the abuse desks and Spamcop is a very helpful tool (if they eventually would get through their heads that they need to fix the IPv6 part where it pertains to 6to4 addresses...)
  12. I don't even go to those pages. 3 main reasons:

      • I don't care, it's spam.
      • The links could contain viruses.
      • The links are most likely coded so that the spammer knows that I received the spam, and by visiting it, he can prove to the spamvertised "client" that he should get paid for his efforts.

    And a last, but not least reason: I didn't sign up for it, why should I unsubscribe anyway. That's what the clue by four is for... if the provider's abuse desk gets flooded with abuse reports, eventually he'll get put in place. I believe that my email address ended up in his/their list due to one or more of the data breaches of late... IOW just another list where they can send their junk...

    I have also been getting lots of unsubscribe confirmation requests which I handle just like spam, as I didn't unsubscribe, and if I did, why should I confirm that I am unsubscribing... take another clue by four, spammer, I don't want your junk... abuse desk will hopefully clue you in
  13. well, I believe I found my spammer(s)... probably the same scumbag unless they teamed up...

      • List of domain names registered by Michael Wallace https://domainbigdata.com/nj/PMs8PeMWLXMFAfjPwmyV3g
      • List of domain names registered by Frank Marsicano https://domainbigdata.com/nj/2NMIE802bt4WH2rc3SoTUA
      • List of domain names registered by Chris Patterson https://domainbigdata.com/nj/rnPab-DpPIdNUYynMibFFw
      • List of domain names registered by Richard Hawking https://domainbigdata.com/nj/GlBwSDCvDWjzlWpRAgo9Kg
      • List of domain names registered by Anton Lassen https://domainbigdata.com/nj/vubKHIY--XkSbXo_sFyHPw

    some reports with the 58.14/16 range:

      • https://www.spamcop.net/sc?id=z6471482675z858c71a05814a9763517674009c94768z
      • https://www.spamcop.net/sc?id=z6471482674z9ab0a9c820151d7ac9ce9a041686d4c6z
      • https://www.spamcop.net/sc?id=z6471482673zcd19939939e9d574cdb141b1b360f152z
      • https://www.spamcop.net/sc?id=z6471482672z08f29a0817817fdf745140d9fa2031baz
      • https://www.spamcop.net/sc?id=z6471482671z9f4ead4df33727978572d5e46ac87ad1z

    (and there are over 3000 more of these) and the new 27.146/16 spams:

      • https://www.spamcop.net/sc?id=z6471634192z1d8fd5aece82eb5feb80e4b6b19f6eb3z
      • https://www.spamcop.net/sc?id=z6471634194z7350adbd7dbeaedf80def1cb4631741dz
      • https://www.spamcop.net/sc?id=z6471634195zf18a0c1292ecbd3adb3a2a03e64e3fb6z
      • https://www.spamcop.net/sc?id=z6471634196zdc9be4ffc73a9c61325ef1a168149c9bz
      • https://www.spamcop.net/sc?id=z6471634197z3f7ef41d7685eb94ae14eaf91f4ef100z

    This isn't a DoS attack, it is just a spammer at work hopping through ISPs that want to make a quick buck...
  14. RobiBue

    The parser finds no links

    I stand corrected... I tried the first URL (rli4agdrppbmldbtnmctdvkaorftbetr) and that one returned nothing, then I tried the last one (whitefide) with the same result... then I tried the obvious un-subscribe one where I assumed the others ending with TLD .pw would be like the first one, sorry. Then, I don't know why it would not parse them from the original...
  15. RobiBue

    The parser finds no links

    Hello Euphorique, the reason that SC doesn't find any links is that there are no links in the spam. Although the list of "websites" looks like links, it's just plain text. If you try to resolve one or more of them manually (by pasting the link in the parser field and pressing the [ Process spam ] button), you will see that they are fake anyway except for one, but I'll assume that it's an innocent site...
  16. Abuse contact for '185.5.36.0/22' ([185.5.36.0-185.5.39.255]) is ' info[at]abstation.net' RIPE db Responsible organisation: ahbr company limited Abuse contact info: info[at]abstation.net Other contacts: abuse[at]abstation.net, rumi[at]abstation.net
  17. I believe that Paerhc is actually subscribed to that blogspot site; iow he wants the information coming from there. At least that's how I understand it... The problem is, that apparently some spammers are using that blogspot as delivery engine. The only ones that can prevent that, are the blogspot owners/admins.
  18. RobiBue

    Reporting Issue's reason Fake Headers

    The line tells that the message was received by the mail server at IPv6 address 2002:a9d:21b7:0:0:0:0:0 which is actually a 6to4 address translated from the IPv4 address 10.157.33.183. In short, the mail server at google that received the message before displaying it to you in your gmail account has the IP address 10.157.33.183. I received the following message from SpamCop: <quote> Gmail has broken their headers, not showing who received the mail and using IP addresses that do not resolve. Google has promised to fix the issue but have not provided an ETA of a fix. We looked at programming around it but that option was rejected by our CERT board as it would have opened a security hole in our system. We can just sit and wait for Gmail. </quote>
  19. yeah, that's right, they need the full headers, but the problem is within SpamCop, where the parsing of said Received: line causes havoc within the next (previous actually) Received: lines.

    The 2002:a02:b4d7:0:0:0:0:0 address is called a 6to4 address, but according to RFC-3056, section#2:

    "[A] subscriber site has at least one valid, globally unique 32-bit IPv4 address, referred to in this document as V4ADDR. This address MUST be duly allocated to the site by an address registry (possibly via a service provider) and it MUST NOT be a private address [RFC 1918]."

    and Google is inserting their private addresses into the IPv6 6to4 address. That would in fact be a violation of the aforementioned RFC-3056 as :a02:b4d7: translates to 10.2.180.215 which is definitely a private address according to RFC-1918, section#3.

    In theory, they should (if they want to use private IPv6 addresses) use, according to RFC-4193, section#3, addresses in the fc00::/7 or fd00::/8 address ranges. Unfortunately SpamCop has the same problem with the fd00::/8 addresses and does not identify those addresses as local private addresses like the 10/8, 172/12, and 192.168/16 address ranges.

    I have written a crude program that replaces the 6to4 addresses with the actual IPv4 counterpart and places the original IPv6 address in parentheses. The program works for me, but I have not tested it with a larger group of gmail users, and am reluctant to do so, as munging headers is mostly a "no-no" and could cause SpamCop to disable user accounts, although this type of munging is necessary for SpamCop to correctly identify the actual spammer (or the proxy they are using). Until SpamCop gets an update to correctly identify those IPv6 addresses as local/private addresses, the aforementioned removal or change of the address is necessary to get SpamCop to work correctly with gmail accounts.

    To add some workarounds:

      • remove the topmost Received: line with the address beginning with 2002:a, or
      • change the address beginning with 2002:a to its IPv4 address using http://www.potaroo.net/cgi-bin/ipv6addr, or
      • replace the address beginning with 2002:a with mx.google.com

    I have seen these three options in action before, and they work. HTH
  20. https://www.spamcop.net/sc?action=showroute;ip=23.111.178.61 points to: Reports routes for 23.111.178.61: routeid: 71622013 23.104.0.0 - 23.111.255.255 to: abuse@nobistech.net Administrator found from whois records routeid: 71622026 23.104.0.0 - 23.111.255.255 to: abuse@nobistech.net Administrator interested in all reports 12/3/2013, 4:25:50 PM -0600 [Note added by 63.224.241.72 (63-224-241-72-boi-usr.qwest.net)] Per RIPE - Don - This is not correct anymore and should be changed (the above address bounces anyway) https://whois.arin.net/rest/net/NET-23-111-128-0-1/pft?s=23.111.178.61 has two abuse addresses: abuse@noc4hosts.com, and abuse@hivelocity.net
  21. RobiBue

    Spamcop cannot find source IP

    I understand the frustration, and I do have the same point of view, although I do admit that the reason of the lowest priority is that many spammers use legit links that will clog abuse mailboxes from these legit ISPs. as an example (although I haven't had one recently) spammers have added "terms of conduct" and similar links from 3rd party ISPs which SC will use to send reports to them. Also, random images found on the internet either akamaized or from other providers have been used as links before (although these IIRC have been since disabled by SC)
  22. RobiBue

    Constant reporting problems

    @ Lking: I did read the contents carefully but I also noticed the coincidental appearance of the same IP address in both header and body which only means to me, that the spammer is advertising from his own IP address. If I had a mail server and a web server on my network, and I would be sending mail from my mail server with links to the website on my web server, both mail server and web server addresses would have the same IP address.

    @ lepa71: the IPv6 address 2002:a9f:3d14:0:0:0:0:0 is a correct 6to4 IPv6 address and can be abbreviated as 2002:a9f:3d14:: or expanded to 2002:0a9f:3d14:0000:0000:0000:0000:0000. They all mean the same and all point to the IPv4 IP address [10.159.61.20] (you can try them here and see the result.) I have seen in past reports (besides my own) that google's mx servers utilize various 10.nnn.nnn.nnn IP addresses and it seems that several weeks ago they decided to "6to4" them, but unfortunately, with that move, SC got left behind limping...
  23. RobiBue

    Constant reporting problems

    unfortunately, that is exactly what SC does at the moment with gmail's first (topmost) IPv6 (actually 6to4) private address Received: line:

        Received: by 2002:a9f:3d14:0:0:0:0:0 with SMTP id l20-v6csp1947284uai; Sun, 27 May 2018 17:19:06 -0700 (PDT)

    This IPv6 address is the 6to4 equivalent to 10.159.61.20 which is a private network address. The next Received: line:

        Received: from gambashoping.com (static.71.150.216.95.clients.your-server.de. [95.216.150.71]) by mx.google.com with ESMTP id m1-v6si28198295plt.276.2018.05.27.17.19.05 for <x>; Sun, 27 May 2018 17:19:06 -0700 (PDT)

    shows the actual spammer IP address [95.216.150.71]. This is coincidentally also the IP address that the link in the body of the message returns. SpamCop chokes on Gmail's "private" IPv6 address, and the rest of the Received: lines suffer from it and the real spamming IP does not get reported.

    Long discussions, explanations and workarounds are listed in the following two threads:

      • http://forum.spamcop.net/topic/25123-address-2002adfaa9100000-gmail-not-associated-with-any-of-your-mailhosts/
      • http://forum.spamcop.net/topic/23516-spamcop-cannot-find-source-ip/
  24. RobiBue

    Spamcop cannot find source IP

    I like the Comments: section. if it's ok with you I'll blatantly steal it. I did something similar, but when I tried it with the parens, SC did a weird thing:

        Received: by 10.176.8.72 (2002:ab0:848:0:0:0:0:0) with SMTP id b8-v6csp1225199uaf; Sat, 26 May 2018 19:22:05 -0700 (PDT)
        Masking IP-based 'by' clause.
        Received: by 10.176.8.72 with SMTP id b8-v6csp1225199uaf; Sat, 26 May 2018 19:22:05 -0700 (PDT)

    I've never seen that before...
  25. RobiBue

    Spamcop cannot find source IP

    Since I'm using gmail, I wrote a little apps script (I am still trying to implement a few additions to it) and like RJVB, my script (de)munges the 6to4 address and replaces the IPv6 with its IPv4 address equivalent and IMHO I do believe this is an acceptable form of header (de)munging. Today I received a spam with an actual IPv6 address, and after (de)munging google's private 2002:axx:: address, SpamCop correctly identified the IPv6 sender, so I can attest that SpamCop works when it comes to "valid" IPv6 addresses https://www.spamcop.net/sc?id=z6466615389z4cdd3ad918544a33bcf0dc613af17294z with "valid" I mean registered IPv6 addresses. I have yet to come by a 6to4 address from a registered IPv4 address to confirm the 2002:: working range when it comes to registered non-IPv6 addresses in the aforementioned 6to4 range.
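
The 6to4 decoding that the posts above rely on (the `2002:a…` Received: lines in "Reporting Issue's reason Fake Headers", "Constant reporting problems" and "Spamcop cannot find source IP"), as an added example: it is not RobiBue's Apps Script and not SpamCop's parser. All function names are hypothetical; the two sample lines are the Received: lines quoted in the posts, and the sketch treats private 6to4 and fc00::/7 hops as internal so that the first external hop is found without rewriting any header.

```javascript
// Added example (hypothetical names): decode 6to4 literals in Received: lines.
// Expand an IPv6 literal (with or without "::") into eight 16-bit integers.
function expandV6(addr) {
  const parts = addr.toLowerCase().split('::');
  if (parts.length > 2) return null;
  const h = parts[0] ? parts[0].split(':') : [];
  const t = parts[1] ? parts[1].split(':') : [];
  const fill = parts.length === 2 ? 8 - h.length - t.length : 0;
  if (fill < 0 || h.length + fill + t.length !== 8) return null;
  const groups = [...h, ...Array(fill).fill('0'), ...t];
  if (!groups.every(g => /^[0-9a-f]{1,4}$/.test(g))) return null;
  return groups.map(g => parseInt(g, 16));
}

// RFC 3056: 2002:V4ADDR::/48, so groups 1 and 2 carry the IPv4 address.
function sixToFourV4(addr) {
  const g = expandV6(addr);
  if (!g || g[0] !== 0x2002) return null;
  return [g[1] >> 8, g[1] & 0xff, g[2] >> 8, g[2] & 0xff].join('.');
}

// RFC 1918 private ranges: 10/8, 172.16/12, 192.168/16.
function isPrivateV4(ip) {
  const [a, b] = ip.split('.').map(Number);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Classify one Received: line by its IPv6 "by" literal or bracketed IPv4.
function classifyHop(line) {
  const by6 = line.match(/\bby\s+([0-9a-f]*:[0-9a-f:]+)\s/i);
  const from4 = line.match(/\[(\d{1,3}(?:\.\d{1,3}){3})\]/);
  if (by6) {
    const v4 = sixToFourV4(by6[1]);
    if (v4) return { addr: v4, via: by6[1], internal: isPrivateV4(v4) };
    const g = expandV6(by6[1]);  // fc00::/7 is RFC 4193 unique-local space
    return { addr: by6[1], via: null, internal: !!g && (g[0] & 0xfe00) === 0xfc00 };
  }
  return from4 ? { addr: from4[1], via: null, internal: isPrivateV4(from4[1]) } : null;
}

// Walk the hops top down and return the first address that is not internal.
const firstExternalSource = lines =>
  (lines.map(classifyHop).find(h => h && !h.internal) || {}).addr || null;

// Sample input: the two Received: lines quoted in the posts above.
const SAMPLE = [
  'Received: by 2002:a9f:3d14:0:0:0:0:0 with SMTP id l20-v6csp1947284uai; Sun, 27 May 2018 17:19:06 -0700 (PDT)',
  'Received: from gambashoping.com (static.71.150.216.95.clients.your-server.de. [95.216.150.71]) by mx.google.com with ESMTP id m1-v6si28198295plt.276.2018.05.27.17.19.05 for <x>; Sun, 27 May 2018 17:19:06 -0700 (PDT)',
];
console.log(firstExternalSource(SAMPLE));
```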