
RobiBue

Posts posted by RobiBue


  1. 16 minutes ago, Lking said:

    The source of an email can be identified by the FROM: line or the IP address found in the list of Received: lines in the header. The FROM:, which looks like a good choice and is valid for all legitimate emails you received, is easy to forge by the spammer (or anyone) and may be a valid email for someone totally unrelated to the source of the spam. Although it could be a Joe Job, the forged/spoofed FROM: is just a randomly selected mailbox.

    Around 20 years ago, I used to send my wife occasional emails that would look like she sent them to me, just to make sure that she understood that anybody could send an email with spoofed/fake names. 

    So the From: line in the headers is only valid for “trusted” emails. (And then, only if you trust them ;) )

    23 minutes ago, Lking said:

    The IP address found in the header Received: lines must point back to the true source (well mostly).  If the IP address is not correct the network will not be able to do the required handshaking as the email (packets) move through the network to the destination.

    As Lking states, the Received: line in the headers is the one that gets you closest to the original sender. Many times, though, a computer is hacked and some malware is installed, sending the spam from that computer without the knowledge of the real user. Sending spam reports to the ISP of said user is necessary to alert the ISP that the user is either a spammer or has compromised hardware. It is also possible that a company has their own mail server which is open and can be used as a proxy. For the latter, it is also important to have their ISP inform them that they are running an open proxy allowing spammers to abuse their system.

    HTH
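    An added example (Python, not code from this thread or from SpamCop) of what Lking and RobiBue describe: walk the Received: chain from your own trusted servers down to the first hop outside them, and treat From: as a claim rather than evidence. The host names, IPs and message are constructed for the demo.

```python
"""Trace the Received: chain of a message back to the handoff IP.

Added example, not code from the SpamCop forum thread. Each relay prepends
its own Received: line, so the topmost line is the last hop (your own mail
server) and lower lines are earlier hops. Only lines written by servers you
trust are reliable; everything below that boundary was supplied by the
sender and may be forged, just like From:. Sample message constructed here
with documentation-only IP ranges (RFC 5737).
"""
import re
from email import message_from_string

# Constructed sample. Our servers are mx.example.net and mail.example.net;
# the sender connected to mail.example.net from 203.0.113.45. The bottom
# Received: line and the From: header came from the sender's side.
SAMPLE = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.example.net with ESMTP id abc123; Mon, 8 Jul 2019 01:36:02 -0500
Received: from relay.bad-example.org (unknown [203.0.113.45])
\tby mail.example.net with ESMTP id def456; Mon, 8 Jul 2019 01:36:00 -0500
Received: from friendly-host.example.com ([198.51.100.7])
\tby relay.bad-example.org; Mon, 8 Jul 2019 01:35:59 -0500
From: someone-innocent@example.com
Subject: test

body
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # bracketed address
BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")      # server that wrote the line

def received_ips(raw):
    """Bracketed IP of every Received: line, last hop first (None if absent)."""
    hops = message_from_string(raw).get_all("Received", [])
    return [(m.group(1) if (m := IPV4.search(h)) else None) for h in hops]

def source_ip(raw, trusted_hosts):
    """IP of the host that handed the message to the last trusted server.

    Walks the chain from the top and stops at the first line not written by
    a trusted server; the previous 'from' IP is the closest reliable lead
    on the true source. Returns None if no trusted line carries an IP.
    """
    candidate = None
    for hop in message_from_string(raw).get_all("Received", []):
        by = BY_HOST.search(hop)
        if not by or by.group(1) not in trusted_hosts:
            break  # trust boundary: lines below are sender-controlled
        if (m := IPV4.search(hop)):
            candidate = m.group(1)
    return candidate

if __name__ == "__main__":
    print("Received chain:", received_ips(SAMPLE))
    print("Source IP:", source_ip(SAMPLE, {"mx.example.net", "mail.example.net"}))
    print("From: header (not evidence):", message_from_string(SAMPLE)["From"])
```

    Narrowing the trusted set to just the edge MX moves the result to the internal hop, which shows why the boundary must be drawn at the outermost server you actually control.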


  2. 10 hours ago, Tesseract said:

    I don't think there's really anything more to learn from them at this point, as it's the same behaviour documented earlier in the thread with the same type of invalid hostname in the messages. But here are two from today:

    https://www.spamcop.net/sc?id=z6558374359zf6c6bc297b1bf5ec039668d1d2ea7f81z

    https://www.spamcop.net/sc?id=z6558374020zba4d5b7c0c1112bc566769c280cda976z

    atchooly....

    is there a reason why the first From line doesn't have a colon ":"

    From bounce@menshealth.com  Mon Jul  8 01:35:59 2019
    Return-Path: <bounce@menshealth.com>
    X-Original-To: x
    Delivered-To: x

    in my book, that would be a reason for failure...


  3. 51 minutes ago, gabrielt said:

    @Lking and @MIG

    I found the culprit! Many thanks for your help!

    It was a bug with our qmail installation!

    The header in our received emails were malformed.

    [...]

    Once again, thank you so much for your time. MIG's answer turned on a light bulb in my head that the email header might be malformed and...bingo!

    I hope this topic helps other SpamCop users in the future.

    Cheers,

    Gabriel.

    and so the G🦗H advances further to becoming a master :)🙏

    @gabrielt Glad you found the problem, and with it, also fixed an internal handoff problem with your qmail setup (malformed received line). (wish some big companies: RE1Mu3b?ver=5c31 -- with outlook and hotmail -- would fix theirs.... )


  4. 13 hours ago, HeatherReid43 said:

    Using last resort contacts search-apnic-not-arin#apnic.net@devnull.spamcop.net

    any idea how to solve this issue ?

    Unfortunately, that is not something we "mere mortal users" can solve unless we report manually and not through spamcop.

    This issue has to be resolved through fixing spamcop's whois lookup with the registries, and following the correct protocol, which apparently ARIN changed a while back. RIPE also seems to have made some changes, but it's affecting spamcop only marginally.

    Sadly many ARIN redirections to APNIC end up devnulled because cisco/talos seems to have only a minimal desire to keep spamcop up to date (at least so it seems to me personally)

    What happens now, is, that someone asks in this forum to fix the reporting address (which may or may not happen), and if this reporting address gets manually changed, it is then prone to end up being the wrong address when the registrant changes the info in the whois DB. :(



  5. On 6/13/2019 at 10:11 AM, showker said:

    Nope, three weeks now and zero spam.

    Is there some spamcop in the sky that blocks addresses from getting spam?

    did the big spam cartels somehow decide to remove my address because my articles about spam and cybercrime were getting shared so much?   ( https://www.facebook.com/safenetting/ )

    Has my ISP blocked me from spam?   Other email works perfectly, and some small-time, bush-league spammers get through . . . like those annoying BitCoin Blackmailers ! 

    But Chinese spam?  ZERO.   Ever since I started posting translations! 

    Do you suppose the Chinese have the power to block ALL Chinese spam from a specific email address?  I still get it in all my other addresses!

    A huge mystery

    Fred

    I fathom that somehow they were tipped off to remove certain spam-traps from their database, yours included, but not the other addresses.

    Just my thought...


  6. That one is a bit murky, but looking at its upstream 216.72.0.0/16, it belongs to Equant Inc. (who in turn, back in 2006 was rebranded into Orange along with Wanadoo.)

    That said: "Comments: For abuse, spam or security issues, Please contact SIRT [at] EQUANT.COM", and "OrgAbuseEmail: sirt [at] orange-ftgroup.com" would be the address I'd use.

    The link is a "spamcop command" link that could expire, so the ARIN link is 3-fold:

    1. https://whois.arin.net/rest/net/NET-216-72-0-0-1 which gives the SIRT [at] EQUANT.COM address, and the link below for the " Related organization's POC records. " (the second "See also" as the first one is absolutely useless, and the third isn't much worth for us)
    2. https://whois.arin.net/rest/org/EQUANT-1/pocs where in turn you can find "Abuse: SOC20-ARIN (SOC20-ARIN)" which links to
    3. https://whois.arin.net/rest/poc/SOC20-ARIN.html which gives the sirt [at] orange-ftgroup.com address. (and maybe also attach the other two non- IPG-ARIN addresses as well 😉

    Then, I would also add the address found in https://www.ripe.net/membership/indices/data/ie.equant.html, although since there is no last updated date, there is no security that this email is still valid (but worth a try)


    HTH


  7. no, it is not an error, as this network entry really didn't provide an abuse address. Heck, they really didn't provide an address at all:

    https://whois.nic.ad.jp/cgi-bin/whois_gw?codecheck-sjis=Japan+Network+Infromation+Center&lang=%2Fe&key=202.238.198.169&submit=query&type=&rule=

    [ JPNIC database provides information regarding IP address and ASN. Its use   ]
    [ is restricted to network administration purposes. For further information,  ]
    [ use 'whois -h whois.nic.ad.jp help'. To only display English output,        ]
    [ add '/e' at the end of command, e.g. 'whois -h whois.nic.ad.jp xxx/e'.      ]
    
    Network Information:            
    a. [Network Number]             202.238.198.0/24
    b. [Network Name]               IIJNET
    g. [Organization]               IIJ Internet
    m. [Administrative Contact]     JP00010080
    n. [Technical Contact]          JP00010080
    p. [Nameserver]                 dns0.iij.ad.jp
    p. [Nameserver]                 dns1.iij.ad.jp
    [Assigned Date]                 2018/06/25
    [Return Date]                   
    [Last Update]                   2018/06/25 17:35:04(JST)
                                    
    Less Specific Info.
    ----------
    Internet Initiative Japan Inc.
                         [Allocation]                             202.238.192.0/18
    
    More Specific Info.
    ----------
    No match!!

    looking up the JP00010080 AS number (well, JP number, as it isn't really an AS number) I get:

    [ JPNIC database provides information regarding IP address and ASN. Its use   ]
    [ is restricted to network administration purposes. For further information,  ]
    [ use 'whois -h whois.nic.ad.jp help'. To only display English output,        ]
    [ add '/e' at the end of command, e.g. 'whois -h whois.nic.ad.jp xxx/e'.      ]
    
    Group Contact Information:
    [Group Handle]                  JP00010080
    [Group Name]                    IP Address Contact
    [E-Mail]                        nic-sec@iij.ad.jp
    [Organization]                  Internet Initiative Japan Inc.
    [Division]                      
    [TEL]                           03-5205-6500
    [FAX]                           
    [Last Update]                   2014/07/22 12:02:04(JST)
                                    apply@iij.ad.jp

    So nic-sec[at]iij.ad.jp would be the address to complain to, and I personally would add a comment to hostmaster[at]nic.ad.jp letting them know that the above entry has no abuse address listed and is spamming ;)



  8. 22 hours ago, MIG said:

    https://www.spamcop.net/sc?id=z6553438559z3bce578c31b64b0feee590952682dcb9z

    Can't work this out, have not escalated any spam queries to email-abuse@amazon.com, is it legit or is it spam? 

    🙏G🦗H

    1/2 way agree with Petzl 😉

    1. fake bounce: no, it's a real bounce
    2. spammer has you as return address: yes. That's why you're receiving the bounce 😞

    The address that the spammer sent the spam to, is invalid (either never existed or got removed from usage) and since your address was the return address (From:) ...

    another reason to hate spammers...

    but no point in submitting that one, as the owner is legit... they just replied to you to let you know that "your" mail couldn't be delivered...

    that's another reason why spamcop goes after the Received: headers and not the From: email addresses 😉



  9. if I use my "potaroo.net" IPv6 checker on the aforementioned IPv6 address:

    http://www.potaroo.net/cgi-bin/ipv6addr?pfx=2402%3Abc00%3A0%3Aa216%3A%3A19%3A124

    I see the following comment in the APNIC entry:

    remarks:	 	This information has been partially mirrored by APNIC from
    remarks:	 	JPNIC. To obtain more specific information, please use the
    remarks:	 	JPNIC WHOIS Gateway at
    remarks:	 	http://www.nic.ad.jp/en/db/whois/en-gateway.html or
    remarks:	 	whois.nic.ad.jp for WHOIS client. (The WHOIS client
    remarks:	 	defaults to Japanese output, use the /e switch for English
    remarks:	 	output)
    last-modified:	 	2014-03-10T22:41:03Z 

    not shown above are other "last-modified" entries, the oldest dating 2009-11-04T06:54:54Z (that's a 10 year old listing), while the shown last-modified is 5 years old, whois.nic.ad.jp should have the current listing

    although I do not find the abuse address mentioned by MIG, I find 2 entries, both using the same email address

    https://whois.nic.ad.jp/cgi-bin/whois_gw?key=JP00076967/e

    and

    https://whois.nic.ad.jp/cgi-bin/whois_gw?key=JP00065730/e

    Group Contact Information:
    [Group Handle]                  JP00076967
    [Group Name]                    networkhozen
    [E-Mail]                        SS01629@enecom.co.jp  <---
    [Organization]                  Energia Communications,Inc
    [Division]                      
    [TEL]                           050-8201-2351
    [FAX]                           
    [Last Update]                   2017/04/05 16:53:06(JST)

    one is from 2011 and this one from 2017...


  10. 15 minutes ago, RobiBue said:

    currently spamcop parses it as follows:

    https://www.spamcop.net/sc?action=showroute;ip=176.56.208.244;typecodes=16

    apnic has:

    % Abuse contact for '176.56.208.0 - 176.56.208.255' is 'abuse[at]phe.uk.com' <<---------- please fix to this correct abuse address

    while Rob.Urry address mentioned in the SC parse is somewhat listed, SC says:

    rob.urry[at]rapidwaters.net bounces (7 sent : 6 bounces)

    No good!

    in fact, the whole /19 range is!

    see http://wq.apnic.net/static/search.html?query=176.56.192.0/19

    or actually the RIPE db: (sorry about that, not APNIC)

    https://apps.db.ripe.net/db-web-ui/#/query?searchtext=176.56.192.0%2F19#resultsSection

    still shows the same abuse address:

    Abuse contact info: abuse[at]phe.uk.com
    inetnum:            176.56.192.0 - 176.56.223.255



  11. currently spamcop parses it as follows:

    https://www.spamcop.net/sc?action=showroute;ip=176.56.208.244;typecodes=16

    apnic has:

    % Abuse contact for '176.56.208.0 - 176.56.208.255' is 'abuse[at]phe.uk.com' <<---------- please fix to this correct abuse address

    while Rob.Urry address mentioned in the SC parse is somewhat listed, SC says:

    rob.urry[at]rapidwaters.net bounces (7 sent : 6 bounces)

    No good!


  12. 19 hours ago, bolandross said:

    Hey and thanks for your help.

    In my recent reports section, the reports look like this:

    [screenshot]

    I noticed that clicking on the first link (69494888809) shows a site that doesn't contain the source code of the reported mail, but clicking on the other two links shows a site that does!

    At the time I asked the question, I had only tried the first one, thinking that all three would be the same. My case is therefore closed, thank you!

    That's correct, in your case, the first link is basically just a link parser equivalent, and nothing more, although the report to the telegram . org abuse desk will contain the complete spam for parsing (munged if your settings have it so selected)

    The next ones are targeting the source of the spam, and will contain the full, yet probably munged, headers and message body.

    Glad we could help 🙂



  13.  

    @bolandross, have you clicked on [View Recent Reports] and tried yourself? Just curious.

    Anyway, there are different "forms" of reports

    the ones not yet filed:

    Quote

    Submitted: 4/30/2019, 6:45:46 AM -0500:
    IRS Fresh Start Initiative Programs Before They Expire
    No reports filed


    as you can see, there's no link

    and then, filed:

    Quote

    depending on how and what you clicked to report the spam, the links provided will vary

    • here, the first few links are just URL parses which point to the owner/administrator/abuse desk of the serving IP address of the spamvertised websites,
    • then you might have a personal link if you request one in [Preferences]. There you can add notes, or see how the spam was parsed (Tracking URL)
    • and then you might have one or more for the spam source ip address, where you can see
      a) the full spam (depending on your settings with the email address munged) and
      b) a link to how the spam was parsed (again, Tracking URL) (in the above, ending in 50, I replaced the link with the tracking URL because otherwise you wouldn't be able to see anything)

  14. 19 hours ago, MIG said:

    Hey Klappa, 

    Just going thru some old, "interesting" reading & noticed your question, did you ever get an answer that helped?

    Please let me know if you'd be so kind?

    Thanks!

    Cheers!

    Klappa had two posts.

    1. He mentioned you can add a recipient in settings (actually the [Preferences] tab/link) but he didn't mention that it's under Report Handling Options by adding an email address to the Public standard report recipients field.
    2. In the 2nd post (the one you quoted) he asked where (about adding a recipient for every report independently), but just recently, we all found out, that you can do that only if you have either
      1. a paid account, or
      2. fuel added (until it runs out)

    HTH


  15. 22 hours ago, salfordian said:

    Over the past few weeks from absolutely nowhere I've started getting loads of spam from this network, all the spammers seem to be flocking to them because they don't take any action, has anyone else noticed this?

    sorry, can't say I've noticed, but as Petzl mentioned, a tracking URL might be helpful.

    Petzl is not a troll, he might just have had a bad day with all the spam in the forum (it goes away after an admin browsed through it, but the TZ difference between OZ and US keeps the spam visible much longer for him...)

    anyway, the past reports can be found here when logged in (same as the link/tab [Past Reports])

    (p.s. that's TZ for Time Zone, OZ for Down Under, and US for a Colorado/Rockies location or something like that ;))


  16. 8 hours ago, gnarlymarley said:

    There are a few options you have left when the administrator is useless if you really want to stop the spam.

    1. Keep reporting for two or three years and the spammer will give up.
    2. Block the whole IP range.  (this could be a problem as the emails from this forum appear to come from amazon, so this could block legitimate email.)
    3. Implement SPF checks on the MTA and hope that blocks it (only works if you have the ability to control the MTA.)
    4. Use greylisting to make sure that only servers can connect and send you email (again, only works if you can change the MTA behavior.)

    The reason most businesses offer the free accounts is it falls under the idea of advertising.  If someone cannot check out the service, then they are less likely to use it.  Kind of problem as it pulls in the jerks, but also pulls in paid accounts as well......

    I like Idea #2!, especially if everybody is on-board.

    a) it would convince amazon to clean up their act with spammers and hosting them,
    b) especially if they start losing legitimate clientele :)


  17. On 4/14/2019 at 10:45 PM, gnarlymarley said:

    For me, my spam is up and down.  I noticed that gmail is lately blocking a lot of the spam.  It is also rejecting some of my legitimate email as if it were spam too.  I dislike it when folks sign up on a mailing list and then mark it as spam instead of unsubscribing because I am fighting the gmail spam police who tend to block that instead of just putting it in my spam folder.

    I too dislike it when folks sign up on a mailing list and then mark it as spam instead of unsubscribing, but I dislike it even more, when an emailer, after me having unsubscribed from *ALL* their emails, decides that I might still be interested, regardless of my decision.

    WRT gmail blocking/rejecting legitimate email: I haven't had that encounter yet, or the person that got rejected never got in touch with me about it...
