Jump to content


  • Content Count

  • Joined

  • Last visited

Everything posted by RobiBue

  1. RobiBue

    Message Header Analyzer - Microsoft

    Coincidentally I saw that just a few days ago... had completely forgotten about it... thanks for the link and the reminder
  2. RobiBue

    url not a routable address

    .HOST is a valid TLD according to IANA it is possible that one of the registrars took it down: https://ntldstats.com/tld/host doubt it though, as It seems to be registered through namecheap... (sorry about the reCaptcha...) Domain Name: BXDGEI.HOST Registry Domain ID: D82021934-CNIC Registrar WHOIS Server: whois.namecheap.com Registrar URL: https://namecheap.com Updated Date: 2018-11-06T17:50:19.0Z Creation Date: 2018-11-06T17:50:07.0Z Registry Expiry Date: 2019-11-06T23:59:59.0Z Registrar: Namecheap Registrar IANA ID: 1068 Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Domain Status: addPeriod https://icann.org/epp#addPeriod Registrant Organization: WhoisGuard, Inc. Registrant State/Province: Panama Registrant Country: PA
  3. RobiBue

    error: couldn't parse head

    that's why I wish SC/Cisco would also get their gears into motion and have the private 6to4 addresses parsed correctly and not ignore them and break like they have been doing thus far... 😞
  4. RobiBue

    Forona Technologies spam

    Welcome to SpamCop. please do not post private information, if someone else buys the property, or owns it, there could be people that take it the wrong way and do damage... and to the wrong people... thank you this is public information: https://ipinfo.io/AS36263 besides, as a newbie, posting the same stuff 3 times... not a good start...
  5. RobiBue

    Why you allow spaming this forum

    I usually get these posts fairly early and go through the unread posts, flagging the spams first. It does take a little while with a slow pc/nb, but eventually I have a clean slate to look at the real issues, and as Lking said, occasionally I flag a missed one
  6. Many times, pasting the spam into a blank notepad first, will take care of those empty lines or will show that there are empty lines. Usually this happens when there is a carriage return (cr) and a line feed (lf) like in unix (cr/lf) and microsoft (cr) receives it...
  7. RobiBue

    ISP has indicated spam will cease

    there are unfortunately more ways for spammers to send their junk: they can find an open proxy, that is a server who allows sending through it (on port 25) and you can find plenty of those on the web (unfortunately) another way is to spoof IP addresses, usually addresses that are not in use or still in transfer. I have been receiving my fair share of spam from IP blocks which are not in use and therefore a bounty for spammers as there is no abuse address for those IP blocks
  8. In SC when i submit as attachment, the spam needs to be truncated. SC won't accept it otherwise. Manually in the report box, it might be the case that SC does it automagically but I haven't tried that one in a while though
  9. careful, the above post could be a password phishing link... I haven't looked into it, but it looks suspicious... https://www.spamcop.net/sc?track=http%3A%2F%2Fwww.aoltechsupportnumber.com @admins, my post can be deleted if you delete the above post or if the link is safe
  10. if that's the case, then just post the header and the first few lines of the body in their form with the comment that the rest was truncated or omitted due to size restrictions. I do that when I report spam larger than 50kiB
  11. if they are that large, it would almost seem that they would contain some malware... (a virus or such)
  12. from the vast amount of data breaches, this goon got my old password as well: https://www.spamcop.net/sc?id=z6495594649zd2d6f1f75886a3a021dda5474e8bf174z reported. his mo seems to be that he subscribes you to some prn sites and then sends the canned letter...
  13. I would like to propose a change in SpamCop's handling of cloudflare links. 1. when looking up the whois for the domain, or test the link, do not use the full path, only use the domain name, as a visitor trigger trap causes more spam to be sent as soon as the report is performed. I munged for that purpose every link in my "cloudflare" spams: https://www.spamcop.net/sc?id=z6493410150za18869ba12b686fd60a88c35e34dc44ez https://www.spamcop.net/sc?id=z6493410187zb583dc5e2b40660c7a81ed43e718e3aaz https://www.spamcop.net/sc?id=z6493340629z49245d803153055044b14f0dc24f00a3z https://www.spamcop.net/sc?id=z6493340613z69f628f405e36a4d6fbdf4e2014ffe58z and so on and so forth. it would be grand if SpamCop could do this automagically.
  14. lately, I have to manually alter every cloudflare spammer link. I noticed a few weeks ago, that whenever I reporte cloudflare spam (I call it cloudflare spam because the links are hosted by cloudflare, and the spammer spoofs an inactive IP range -- currently CCAMATIL ( 167.103.249.nnn ) -- and seems to be getting away with it) a few seconds later, fresh spam from, you guessed it, cloudflare fills my inbox. So, whenever SpamCop analyzes the links (just touches them), the spam gets triggered. Now I munge the ID number and alter it verbally as: e.g. http://airlinedo.com/?--ID-number-5-(munged) where the 5 in this example is the last of 13 digits https://www.spamcop.net/sc?id=z6493410150za18869ba12b686fd60a88c35e34dc44ez or http://checkshownontv.com/?--ID-number-8-(munged) in this case it's 8 ... https://www.spamcop.net/sc?id=z6493410187zb583dc5e2b40660c7a81ed43e718e3aaz it would be nice if SC could refrain from using the full path so that the visitor trap doesn't get triggered And yeah, the originating IP address is also a problem as there is no real owner for the range, even though indirectly it belongs to the Australian branch (Amatil) of Coca-Cola. APNIC told me that someone is spoofing those IP ranges.
  15. Hello Alexey, this is a user supported forum, but we'll try to help as well as we can. it seems that your system doesn't have "double opt-in". this means, that when the user subscribes, you send a short message to the email address provided asking the subscriber to confirm (preferably not via email but via web-link or to enter a code sent) that they want the subscription to your list. if they do not react within a certain amount of time, you discard the address and leave it at that. do not keep on asking for confirmation, as that constitutes spamming too. also, if the user changes the email address, you do the same, send a message to the new address asking for confirmation via link or by entering a code. this way, you can make sure that someone who is trying to frame you, can not succeed. also, keep a log of the subscription requests and the messages where the replies come from (IP addresses) there could be a possibility that someone is adding "innocent" email addresses to your list, and with this method you can make sure that you're not getting in trouble. personally, if I receive unwanted mail (spam, ube, uce) I do not click on links. I report it. if the spammer keeps sending me requests to confirm my subscription, they are spamming me. if they sent the request once, and don't send me any more requests, then they can easily explain to their provider the way their system works, and if someone is trying to get you in trouble, you can follow up on recent attempts to subscribe (if the same IP address appears to be subscribing many email addresses, you can explain to your provider the situation and even block the IP address attempting to subscribe... you might have to clean out your address DB now, since you don't know who of the 5000 is the one that didn't want to be subscribed. hope this helps
  16. RobiBue


    The is not an IP address! It is the version number of the “IceWarp” system used by mail.gvii.net. SpamCop thinks that it’s an IP address because it is commented (in parentheses) after the host name... unfortunate misatribution...
  17. as i mentioned, it's M$'s (microsoft's) fault because they break the chain. I do agree, that it is pointless to report your own email provider instead of the source, but there's nothing we mere "customers/end-users" can do if the big wigs don't want to play along.
  18. Hi Klappa, I can try to explain what’s happening here: In the topmost (last) Received: line Received: from CO1NAM04HT207.eop-NAM04.prod.protection.outlook.com (2603:10a6:4:2b::32) by DB4PR03MB524.eurprd03.prod.outlook.com with HTTPS via DB6PR0801CA0064.EURPRD08.PROD.OUTLOOK.COM; Tue, 2 Oct 2018 00:49:39 +0000 notice the address 2603:10a6:4:2b::32 which is a valid assigned IPv6 address belonging to M$. The next Received: line Received: from CO1NAM04FT010.eop-NAM04.prod.protection.outlook.com ( by CO1NAM04HT207.eop-NAM04.prod.protection.outlook.com ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.20.1185.13; Tue, 2 Oct 2018 00:49:37 +0000 appears to come from IP address, which is a private network address, so it is not trusted. The following (preceding) Received: line Received: from sfac11.wysweb.com.au ( by CO1NAM04FT010.mail.protection.outlook.com ( with Microsoft SMTP Server id 15.20.1185.13 via Frontend Transport; Tue, 2 Oct 2018 00:49:36 +0000 which actually contains the spamming IP address could already have been forged by the untrusted host mentioned above. The problem is that M$/Hotmail/Outlook breaks the chain causing SpamCop to report the wrong address. This is not SpamCop‘s fault, but M$’s.
  19. RobiBue

    ocn.ad.jp spam

    Well, I still have my hotmail address and it works just fine. but I agree, since M$ moved the hotmail accounts to outlook, they most likely got rid of those addresses, so if SpamCop redirects automatically to them, it should raise an eyebrow or two...
  20. But again, according to ARIN: https://whois.arin.net/rest/net/NET-209-200-0-0-1/pft?s= their abuse address is abuse@webair.com
  21. RobiBue

    ocn.ad.jp spam

    It would be so much easier if instead of a screenshot, only the URL would be provided... https://www.spamcop.net/sc?id=z6488956777z48d6c277dfcfacb57994880635860105z Anyway, it is clear why this and probably all hotmail emails are reported to Microsoft... the topmost Received: line contains the IP address 2603:10a6:4:8f::13 which is allocated to MSFT... now the next Received: line contains the following private network address: and this breaks the chain, therefore SC reports the message to the last valid provider: Microsoft. now why in Sam Hill isn’t it actually being reported to abuse@microsoft.com is probably because some “looong” time ago, abuse@outlook.com was the place to report to and SpamCop had a special “report desk” there... problem is, by breaking the chain, Microsoft alongside google et al. put SpamCop in a precarious position where spam isn’t being reported correctly anymore. The email system is broken and spammers are having a free pass fest. It’s not SpamCop’s fault, but SpamCop/Cisco is not taking the problem seriously either. Sad days in the anti-spam community.
  22. RobiBue

    ocn.ad.jp spam

    @Salfordian, I don't know about you, but I have no problems reporting spam through gmail. (although I rather use SpamCop) I'm with its8up, if we don't know what you're doing, we can't help you. Gmail has a quota of how many messages (emails) you can send per day, depending on how you send them. I reached that limit once, but haven't run into that problem anymore, and I've had this account since I got an invite to gmail on Nov, 2005 The only failures I get are the ones where the abuse mailbox is dead or the space for inflow on their side has run out. and then I nicely reach out to ARIN, RIPE ... or whoever handles their AS info and ask them to reach out to their registrant to fix their abuse contact. so far it (almost) always has worked for me.
  23. RobiBue

    Flooded With Groupon spam

    The problem with OP‘s issue is that google is using their 10.nnn.nnn.nnn private network addresses encapsulated into 6to4 IPv6 addresses and propagating them into the Received: headers. SpamCop chokes on that specific „internal“ network type IPv6 style. Instead of ignoring it like it does with IPv4 private network addresses, it wants to report to the address holder => IANA.ORG. Problem is, neither SpamCop nor google want to fix it.
  24. Unfortunately, no. there is no fix in sight. some of us are using workarounds (php, apps-scri_pt, ...) or other methods to replace the 6to4 IPv6 address with its IPv4 counterpart. Spamcop (Cisco) has no desire to fix it, since they claim it opens vulnerabilities (I say that it's already a vulnerability by not fixing it) and Google (et al.) has, AFAICR, mentioned to spamcop that they are looking into fixing it, but since other big emailers have followed suit into abusing the 6to4 IPv6 addressing with private IPv4 networks, there is a very slim chance that it will be fixed at all. It's sad, but it is what it is. And with that, I believe, Cisco is putting the nail in SpamCop's coffin...
  25. Hello Psy and welcome to SpamCop. There is a possibility that someone has subscribed a "third party" through your website, because someone thought he or she'd be interested in your real estate. Another possibility is that a competitor of yours has subscribed "innocents" and one or more of them are SpamCop users and don't like spam... I don't Unless you have double opt-in implemented, I don't think there is nothing you can do except stop sending out your emails and have whoever is interested opt in again. in other words, start from scratch. (you might want to send out an email stating that due to a system problem, the mailing list was corrupted and you have to rebuild it, asking interested parties to re-subscribe but using double opt-in) Just make sure it's double opt-in, i.e. require a confirmation email to confirm the subscription, but don't follow up if they don't confirm the subscription. Only one confirmation email. If they keep coming, I report them... If you have someone unsubscribe, don't send a confirmation email to confirm that they are unsubscribed. I hate those and I report them, since I already stated in my unsubscribe that I don't want any more emails. you also might want to log the IP address used to subscribe email addresses on the website, in case someone is trying to abuse your system to subscribe others. good luck