RobiBue

Member
  • Posts

    453
  • Joined

  • Last visited

Posts posted by RobiBue

  1. 1 hour ago, Mariano said:

    Looking at the spam, I see that at the top it says:

    #################################

    Received: from localhost (localhost [127.0.0.1])
        by mailhost1.astro.rug.nl (Postfix) with ESMTP id 50FED34BCD

    #################################

    while a few lines below it shows the actual sender:

    #################################

    Received: from activitymatchdull.co (activitymatchdull.co [163.123.141.109])
        by mailhost1.astro.rug.nl (Postfix) with ESMTP id E20B11C709
        for <USER@astro.rug.nl>; Sun, 16 Jan 2022 20:13:22 +0100 (CET)
    #################################

     

    Is this standard? (Sorry, I am not familiar with posix conventions). Could it be that this is confusing Spamcop? I can ask my university why they do it this way.

     

    Thanks

    Yes, this is standard. Every email server (MTA or MX) the email passes through adds a new Received line at the top (lately -- that means as of "several years ago" -- with SPF headers and other spoofing detection like DKIM and such), so the topmost Received line is yours, then every previous one is the one before that, and somewhere along the line there is the one the originating email (spam?) came from... Now spammers can inject fake Received lines, but they will all appear below the originating mail host, and that's what SC tries to discern.

    Since the top one says it received it from localhost by ***.rug.nl, it is expecting the next (previous) received-from line, below, to be BY localhost to close the chain, but it is again BY ***.rug.nl, so it fails... and it does, so why it fails I don't know (but that is probably only because the mailhosts are set up, since without them it seems to work fine...). Somewhere I see mailhost1 and then mailhost (without the 1) in the chain...

    I personally do not use mailhosts (all I have is spam in my gmail account which I forward through a gscript I wrote a few years ago to SC) and thus don't have that issue. Albeit some years ago google changed their email system to IPv6 and broke the chain because SC didn't recognize the IPv6 address to be the equivalent of an IPv4 private address... it was later fixed... somehow...

    Since I don't use mailhosts, I can't really help with how to set them up, but I have heard/read that removing them and reinserting them helps... somehow those localhost lines seem to be the ones causing the problem (second received line from top)
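    The chain check described in this post, as an added example (not code from the poster or from SpamCop): it parses Received lines newest-first, flags every hop whose "from" host is not the "by" host of the line below it, and walks past loopback/own-mailhost handoffs to the first external sender. The two headers are constructed from the ones quoted above; the trusted suffix `astro.rug.nl` is an assumption standing in for the reporter's mailhosts.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample: the two Received lines quoted in the post above, in header
# order (newest first); the "for ..." continuation is shown only on the second one.
SAMPLE_HEADERS = """\
Received: from localhost (localhost [127.0.0.1])
    by mailhost1.astro.rug.nl (Postfix) with ESMTP id 50FED34BCD
Received: from activitymatchdull.co (activitymatchdull.co [163.123.141.109])
    by mailhost1.astro.rug.nl (Postfix) with ESMTP id E20B11C709
    for <USER@astro.rug.nl>; Sun, 16 Jan 2022 20:13:22 +0100 (CET)
"""

def unfold(raw: str) -> List[str]:
    """Glue RFC 5322 continuation lines (leading whitespace) back onto their header."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1].isspace() and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines

_RECEIVED = re.compile(
    r"^Received:\s+from\s+(?P<from>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
_ADDR = re.compile(r"\[(?P<ip>[0-9a-fA-F.:]+)\]")

def parse_received(raw: str) -> List[Dict[str, Optional[str]]]:
    """One dict per Received line: index 0 is the newest hop, i.e. your own MX."""
    hops = []
    for line in unfold(raw):
        m = _RECEIVED.match(line)
        if not m:
            continue
        addr = _ADDR.search(m.group("info") or "")
        hops.append({"from": m.group("from").lower(), "by": m.group("by").lower(),
                     "ip": addr.group("ip") if addr else None})
    return hops

def chain_breaks(hops) -> List[int]:
    """Indexes i where hop i says it came FROM a host that hop i+1 was not received BY.
    A closed chain has hops[i]['from'] == hops[i+1]['by']; the localhost line in the
    post fails exactly this comparison."""
    return [i for i in range(len(hops) - 1) if hops[i]["from"] != hops[i + 1]["by"]]

def is_trusted_host(host: str, trusted_suffixes) -> bool:
    return any(host == s or host.endswith("." + s) for s in trusted_suffixes)

def is_internal(hop, trusted_suffixes) -> bool:
    """True for loopback/private handoffs and for the reporter's own mail hosts."""
    if hop["from"] == "localhost" or is_trusted_host(hop["from"], trusted_suffixes):
        return True
    try:
        ip = ipaddress.ip_address(hop["ip"] or "")
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private

def origin_ip(hops, trusted_suffixes) -> Optional[str]:
    """Walk newest to oldest while the receiving host is one of ours; the first handoff
    from an untrusted source is the originating IP. Lines below it were written by
    machines the sender controls, so forged Received lines there are never trusted."""
    for hop in hops:
        if not is_trusted_host(hop["by"], trusted_suffixes):
            return None  # chain left our servers without showing an external sender
        if not is_internal(hop, trusted_suffixes):
            return hop["ip"]
    return None
```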

  2. @Mariano, if you submitted but canceled the report, you should still have them under the [past reports] tab View recent reports link.

    it would look something like this:

    Quote

    Submitted: 1/5/2022, 12:28:22 AM -0600:
    McClintock 2021 Congressional Update

    there, if you click on the ID (not the email address) you would be able to see the email (and headers)

     

    HTH

  3. 4 hours ago, efa said:

    too bad, I sent all the complaints to the complaint form:

    https://support.google.com/code/contact/cloud_platform_report

    but all the reported Google redirection links are still all active after months.

    I went ahead and checked the first link in the list you posted back in July: (although I changed the encrypted part)

    $ wget --spider https://scri_pt.google.com/macros/s/AKfycbw1eXviwEFD_uGw7gK79uwwZZbwrU3R4fRrx7OD0dDi8Qf5KdyJkRFswHVFtlted9Emng/exec?bnVueWFAYnVzaW5lLnNz
    Spider mode enabled. Check if remote file exists.
    --2022-01-16 12:54:55--  https://scri_pt.google.com/macros/s/AKfycbw1eXviwEFD_uGw7gK79uwwZZbwrU3R4fRrx7OD0dDi8Qf5KdyJkRFswHVFtlted9Emng/exec?bnVueWFAYnVzaW5lLnNz
    Resolving scri_pt.google.com (scri_pt.google.com)... 108.177.122.113, 108.177.122.101, 108.177.122.102, ...
    Connecting to scri_pt.google.com (scri_pt.google.com)|108.177.122.113|:443... connected.
    HTTP request sent, awaiting response... 403 Forbidden
    Remote file does not exist -- broken link!!!
    

    that's one of x links returning 403 Forbidden (broken link)

    4 hours ago, efa said:

    Sadly, I still receive a lot of spam from IPs hosted by Google and with Google-hosted links in the body.

    The spam are all of two kinds:

    1) like this one:

    https://www.spamcop.net/sc?id=z6737247338z267b3d5302b97166db9d15f370505eccz

    where the spam comes from a hijacked PC somewhere, contains innocent links (immigration.go.tz in this case) to make automatic reporting of the spam hard, plus a Google-hosted redirection link of this type:

    https://scri_pt.google.com/macros/s/hash

    here the contact email is: <google-abuse-bounces-reports@devnull.spamcop.net>

    that simply bounces.

    Those spam are like the ones I've been receiving for months, all reported and still active.

     

    I don't know if it's something I am doing wrong or if google is taking action on the link macros, but I get the same result with the link of the spam message above (although to ensure that the feedback wouldn't propagate back to your address I removed the encoded part behind the /exec?)

    here's what I got:

    $ wget --spider https://scri_pt.google.com/macros/s/AKfycbwxSkjAa2XYVTeCyAQcgUJcbxxS9mZJU2GCM6FbXzjPCUg8XAU79aGJNF_VX8hf1nmXXg/exec
    Spider mode enabled. Check if remote file exists.
    --2022-01-16 13:09:38--  https://scri_pt.google.com/macros/s/AKfycbwxSkjAa2XYVTeCyAQcgUJcbxxS9mZJU2GCM6FbXzjPCUg8XAU79aGJNF_VX8hf1nmXXg/exec
    Resolving scri_pt.google.com (scri_pt.google.com)... 108.177.122.100, 108.177.122.138, 108.177.122.102, ...
    Connecting to scri_pt.google.com (scri_pt.google.com)|108.177.122.100|:443... connected.
    HTTP request sent, awaiting response... 403 Forbidden
    Remote file does not exist -- broken link!!!

    to me it does seem like google is taking action....

    when I left the --spider option out, the results were a constant

    TypeError: Cannot read property 'split' of undefined (line 6, file "Code")

    which means that the link breaks (I tried adding my own variation of "hash" with the same result)

  4. 1 hour ago, gnarlymarley said:

    I wonder if this was a Brave search to URL redirect such as the "I feel lucky" button that google used to have.  I tried five browsers with your link and all of them either couldn't the &#12290; as a valid part of the hostname or else they took me to their related search page thinking it was a search term.

    I suspect SpamCop is ignoring it because &#12290; is not a valid hostname as per the RFCs.

    After some deeper research, @Foxie is correct and &#12290; = U+3002, which is, according to http://www.unicode.org/reports/tr46/#Compatibility_Processing, a valid "IDEOGRAPHIC FULL STOP" character accepted by browsers (or at least it should be). Now, it is possible that SC, due to its age, has not been implemented for this "newer" domain naming using local characters.

    still, without the parser's information there is little for us to help with.

    again, if Foxie could provide the TRACKING URL for the spam message (here is the latest TRACKING URL I got, but I never get any special URL link)
    I am providing this link solely to prove that my information is not "leaked" even though my email address would show in the subject line but SC replaced it with an X.

    this is found right after the spam was submitted for parsing and it is found as follows at the top of the parse:

    SpamCop v 5.4.0 © 2022 Cisco Systems, Inc. All rights reserved.
    Here is your TRACKING URL - it may be saved for future reference:
    https://www.spamcop.net/sc?id=z6736978831z87d37b033a8accb77b57420189670c67z
    Skip to Reports
    
    Delivered-To: x
    [...]

     

  5. @Foxie, like Petzl said:

    Run one through SpamCop reporting  then
    Send the TRACK at top of page found before submitting
    looks like this
    Here is your TRACKING URL - it may be saved for future reference:
    https://www.spamcop.net/sc?id=z6697713791z3936f4bee8fc49cf1a24e632409448bdz

    nobody here will be able to do anything without the spamcop Tracking URL. (btw it is not the same as a tracking link inside the parsed email)

    Also, your header information gets removed by SC if that is your concern for not posting the Tracking URL...

  6. 20 hours ago, Lking said:

    Thanks @RobiBue. Really not that cold. Temps in the low 20°s but a 10 m/h wind has blown all day with gusts 25-30 m/h. Un-drifted snow is about 36" total. AND winter has just started.

    The best to you and yours in the year to come.

     

    Translation: 20°F ≈ -7°C, 10 m/h ≈ 16 km/h, 25-30 m/h ≈ 40-48 km/h, 36" ≈ 91 cm (Americans are so egocentric!)

    nah, just like to keep a nonstandard standard array of measurements

    so there's a yard of snow in the backyard ;) give or take ... or 🦶 🦶🦶 😁

    but then, given it's in the 267K range, that could be expected 😆

  7. wait a minute... que? what? que? since 2012? and Manuel still looks as fresh as he did in that old post? I know NOTHING! I'm from Barcelona! ;)

    joking aside (I blame it on Fawlty Towers)...

    Yeah, it's about time that this Cisco conglomerate uses their knowledge and background to effectively improve this spam fighting tool.

    edit: dang! I had completely forgotten that I was involved in that thread.... (I blame that on my age!)

  8. https://www.spamcop.net/sc?id=z6734860051zc341d4446bdd92013698b650963ff273z

    Tracking message source: 153.120.151.105:
    Routing details for 153.120.151.105
    De-referencing sakura.ad.jp@abuse.net
    abuse net sakura.ad.jp = support@sakura.ad.jp, abuse@sakura.ad.jp
    Report routing for 153.120.151.105: support@sakura.ad.jp, abuse@sakura.ad.jp, abuse@sakura.ad.jp
    Routing details for 153.120.151.105
    [refresh/show] Cached whois for 153.120.151.105 : search-apnic-not-arin@apnic.net
    I refuse to bother search-apnic-not-arin@apnic.net.

    SpamCop shouldn't stop there, but follow the whois path given!

    Why SC doesn't now continue checking on whois.apnic.net but instead stops, I don't know. I suppose whois.arin.net changed something and SC never got updated to the new format.

    If I do a whois in my cygwin terminal, whois automatically continues to the new referral:

    $ whois -h whois.arin.net  153.120.151.105
    
    #
    # ARIN WHOIS data and services are subject to the Terms of Use
    # available at: https://www.arin.net/resources/registry/whois/tou/
    #
    # If you see inaccuracies in the results, please report at
    # https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
    #
    # Copyright 1997-2021, American Registry for Internet Numbers, Ltd.
    #
    
    
    NetRange:       153.0.0.0 - 153.255.255.255
    CIDR:           153.0.0.0/8
    NetName:        APNIC-ERX-153
    NetHandle:      NET-153-0-0-0-0
    Parent:          ()
    NetType:        Early Registrations, Maintained by APNIC
    OriginAS:
    Organization:   Asia Pacific Network Information Centre (APNIC)
    RegDate:        1993-05-01
    Updated:        2010-07-30
    Ref:            https://rdap.arin.net/registry/ip/153.0.0.0
    
    ResourceLink:  http://wq.apnic.net/whois-search/static/search.html
    ResourceLink:  whois.apnic.net
    
    [...]
    
    # ARIN WHOIS data and services are subject to the Terms of Use
    # available at: https://www.arin.net/resources/registry/whois/tou/
    #
    # If you see inaccuracies in the results, please report at
    # https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
    #
    # Copyright 1997-2021, American Registry for Internet Numbers, Ltd.
    #
    
    
    
    Found a referral to whois.apnic.net.
    
    % [whois.apnic.net]
    % Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html
    
    % Information related to '153.120.0.0 - 153.120.191.255'
    
    % Abuse contact for '153.120.0.0 - 153.120.191.255' is 'hostmaster@nic.ad.jp'
    
    inetnum:        153.120.0.0 - 153.120.191.255
    netname:        SAKURA-ISHIKARI
    descr:          SAKURA Internet Inc.
    

    The abuse contact should be hostmaster@nic.ad.jp given in whois.apnic.net.

    also, looking up the abuse.net db, I get the following:

    https://www.abuse.net/lookup.phtml?domain=sakura.ad.jp
    
    Look up an address in the abuse.net contact database
    
    support@sakura.ad.jp (for sakura.ad.jp)
    abuse@sakura.ad.jp (for sakura.ad.jp)
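    The "follow the whois path" lookup this post argues SpamCop should do, as an added example (not SpamCop's code nor the poster's): start at whois.arin.net, follow a `ResourceLink`/`ReferralServer` referral to the responsible registry, and stop at the first server that states an abuse contact, with a hop cap against referral loops. The query function is injected; the two responses are constructed, trimmed copies of the ARIN and APNIC output quoted above.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in responses, trimmed from the two whois outputs quoted above:
# ARIN answers with a referral, APNIC with the abuse contact. Real servers say more.
_ARIN = """\
NetRange:       153.0.0.0 - 153.255.255.255
NetName:        APNIC-ERX-153
Organization:   Asia Pacific Network Information Centre (APNIC)
ResourceLink:  http://wq.apnic.net/whois-search/static/search.html
ResourceLink:  whois.apnic.net
"""
_APNIC = """\
% [whois.apnic.net]
% Abuse contact for '153.120.0.0 - 153.120.191.255' is 'hostmaster@nic.ad.jp'

inetnum:        153.120.0.0 - 153.120.191.255
netname:        SAKURA-ISHIKARI
descr:          SAKURA Internet Inc.
"""
_FAKE_SERVERS: Dict[str, str] = {"whois.arin.net": _ARIN, "whois.apnic.net": _APNIC}

def fake_query(server: str, ip: str) -> str:
    """Offline replacement for `whois -h <server> <ip>`; unknown servers answer nothing."""
    return _FAKE_SERVERS.get(server, "")

# ARIN marks hand-offs as "ResourceLink: whois.apnic.net" (as quoted) or
# "ReferralServer: whois://whois.example.net"; only whois.* hosts count as referrals.
_REFERRAL = re.compile(r"^(?:ResourceLink|ReferralServer):\s*(?:whois://)?(whois\.[\w.-]+)\s*$", re.M)
# APNIC/RIPE-style abuse contact, either as the comment line quoted above or as an attribute.
_ABUSE = re.compile(r"^% Abuse contact for '.*' is '([^']+)'$", re.M)
_ABUSE_MAILBOX = re.compile(r"^abuse-mailbox:\s*(\S+)", re.M)

def resolve_abuse_contact(ip: str, query: Callable[[str, str], str],
                          start: str = "whois.arin.net",
                          max_hops: int = 4) -> Tuple[List[str], Optional[str]]:
    """Follow registry referrals from `start` until a server gives an abuse contact.
    Returns (servers visited in order, contact or None)."""
    server, visited = start, []
    for _ in range(max_hops):
        visited.append(server)
        text = query(server, ip)
        m = _ABUSE.search(text) or _ABUSE_MAILBOX.search(text)
        if m:
            return visited, m.group(1)
        ref = _REFERRAL.search(text)
        if not ref or ref.group(1) in visited:  # no referral, or a loop: give up here
            return visited, None
        server = ref.group(1)
    return visited, None
```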

     

  9. 3 hours ago, Foxie said:

    I have recently started receiving spam that has links that Spamcop can't parse. It just says they aren't routable addresses. My email client displays the links correctly. Please will someone look into these?

    Here is an example:

    http://roxanacoraline&#12290;ru/?REDACTED

    This may be false though. The email is such a mess, I can't read any of the source. I'm happy to supply the source if that helps. This new stuff looks exactly like the pharma spam of the 90s. Has a former spammer been released from jail or something?

    Thank you

    Spamcop is correct saying that it isn't a routable address. the &#12290; code doesn't parse as a valid URL "period" even though in some browsers it does display like a period.

    in other words, the URL is invalid and will not parse.

    besides, many times, spammers place links and fake links in their spam to try to deceive automated systems and laypersons making them believe that it's a real address.

    As petzl suggested: parse the spam email and post the TRACKING URL. That way others can help you understand or direct you to the real culprit.

  10. (Please don't ask for a Tracking URL as this is just an informative post and not a help wanted ;) )

    Lately, all spams I have been getting are phishing spams containing an attachment which is encoded in base64 (mostly short)

    I then run it through the trusty online base64 decoder to get the source

    (mostly something like

    <body onload="document.location.href=window.atob('aHR0cHM6Ly94dm94Mi5iZW1vYnRyay5jb20vZ28vYWM2LXNvbWUgdHJhY2luZyBudW1iZXJzPyM=');" /> 

    note: the .atob link was modified by me to keep the original website domain intact but changed the tracing info)

    I then run only the atob text through the decoder again to receive the website it would "take me to" (although there is more)...

    https://xvox2.bemobtrk.com/go/ac6-some tracing numbers?#

    now, I open my cygwin terminal and start a wget --spider website command (--spider to keep the last page from downloading because usually that part doesn't interest me)

    the result I get is something like this (I also changed some tracing information that is not relevant to this post -- mostly anything in [%..%])

    $ wget --spider https://xvox2.bemobtrk.com/go/ac6sometracingnumbers?#
    Spider mode enabled. Check if remote file exists.
    --2021-10-24 08:35:10--  https://xvox2.bemobtrk.com/go/ac6sometracingnumbers?
    Resolving xvox2.bemobtrk.com (xvox2.bemobtrk.com)... 35.153.222.28, 54.172.72.35, 3.232.85.129, ...
    Connecting to xvox2.bemobtrk.com (xvox2.bemobtrk.com)|35.153.222.28|:443... connected.
    HTTP request sent, awaiting response... 302 Found
    Location: https://go.2coo.xyz/click?pid=[%number%]&offer_id=[%offer%]&bemobdata=[%somemoredata%] [following]
    Spider mode enabled. Check if remote file exists.
    --2021-10-24 08:35:10--  https://go.2coo.xyz/click?pid=[%number%]&offer_id=[%offer%]&bemobdata=[%somemoredata%]
    Resolving go.2coo.xyz (go.2coo.xyz)... 172.67.142.95, 104.21.79.57, 2606:4700:3034::ac43:8e5f, ...
    Connecting to go.2coo.xyz (go.2coo.xyz)|172.67.142.95|:443... connected.
    HTTP request sent, awaiting response... 302 Found
    Location: https://trace.affiliateedge.com/visit/?bta=[%btanumber%]&nci=[%ncinumber%]&afp=[%afpinformation%] [following]
    Spider mode enabled. Check if remote file exists.
    --2021-10-24 08:35:11--  https://trace.affiliateedge.com/visit/?bta=[%btanumber%]&nci=[%ncinumber%]&afp=[%afpinformation%]
    Resolving trace.affiliateedge.com (trace.affiliateedge.com)... 35.234.86.61
    Connecting to trace.affiliateedge.com (trace.affiliateedge.com)|35.234.86.61|:443... connected.
    HTTP request sent, awaiting response... 302 Object moved
    Location: https://www.luckyredcasino.com/?btag=[%btagcode%] [following]
    Spider mode enabled. Check if remote file exists.
    --2021-10-24 08:35:12--  https://www.luckyredcasino.com/?btag=[%btagcode%]
    Resolving www.luckyredcasino.com (www.luckyredcasino.com)... 104.18.226.39, 104.18.227.39, 2606:4700::6812:e227, ...
    Connecting to www.luckyredcasino.com (www.luckyredcasino.com)|104.18.226.39|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: unspecified [text/html]
    Remote file exists and could contain further links,
    but recursion is disabled -- not retrieving.
    

    add that with a modification note to the spam source and let every single one of the link owners know that they need to keep their phishing clients from accessing the web!

     

    Here it was (including the original source of the phishing spam)

    ( https://trace.affiliateedge.com/visit/?bta=... ) To: google-cloud-compliance@google.com
    ( https://www.luckyredcasino.com/?btag=... ) To: abuse@cloudflare.com
    ( https://go.2coo.xyz/click?pid=... ) To: abuse@cloudflare.com
    ( 134.0.112.147 ) To: abuse@reg.ru 

    I am hoping that they all get their act together ;)

     

    Sometimes I do check the resulting file, mostly when it's a direct 200 result and not a 302 redirect and there I sometimes find in the source something like this or a JS which loads a page similarly and just run it as above...

    <body onload="document.location.href=window.atob('aHR0cHM6Ly94dm94Mi5iZW1vYnRyay5jb20vZ28vYWM2LXNvbWUgdHJhY2luZyBudW1iZXJzPyM=');" /> 
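    The decode-then-follow procedure from this post, as an added example (not the poster's script): unwrap the base64 attachment, pull every `window.atob('...')` payload out of the HTML and decode it, then walk the 302 chain hop by hop (with a hop cap, since a redirect loop would otherwise never end) and list the distinct hosts that each need an abuse report. The attachment is constructed from the one-line body quoted above, and the network is replaced by a constructed table reproducing the Location hops from the wget log.

```python
import base64
import re
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample attachment: the one-line HTML body quoted in the post above
# (the atob payload is the one shown there, already altered by the post's author).
ATTACHMENT_HTML = """<body onload="document.location.href=window.atob('aHR0cHM6Ly94dm94Mi5iZW1vYnRyay5jb20vZ28vYWM2LXNvbWUgdHJhY2luZyBudW1iZXJzPyM=');" />"""
# The attachment itself arrives base64-encoded inside the MIME part; mimic that.
ATTACHMENT_B64 = base64.b64encode(ATTACHMENT_HTML.encode()).decode()

_ATOB = re.compile(r"window\.atob\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)")

def decode_attachment(part_b64: str) -> str:
    """Step one of the post: the online base64 decoder, done locally."""
    return base64.b64decode(part_b64).decode("utf-8", errors="replace")

def landing_urls(html: str) -> List[str]:
    """Step two: every window.atob('...') payload in the page, decoded to the real link."""
    found = []
    for _, payload in _ATOB.findall(html):
        found.append(base64.b64decode("".join(payload.split())).decode("utf-8", errors="replace"))
    return found

# fetch_head(url) -> (status, Location header or None). Injected so the chain can be
# walked offline; a real implementation would send a HEAD request as `wget --spider` does.
def follow_chain(url: str, fetch_head: Callable[[str], Tuple[int, Optional[str]]],
                 max_hops: int = 10) -> List[Tuple[str, int]]:
    """Step three: record (url, status) for every hop until a non-redirect answer."""
    hops: List[Tuple[str, int]] = []
    for _ in range(max_hops):
        status, location = fetch_head(url)
        hops.append((url, status))
        if status in (301, 302, 303, 307, 308) and location:
            url = location
            continue
        return hops
    raise RuntimeError("redirect loop or chain longer than max_hops")

def hosts_to_notify(chain: List[Tuple[str, int]]) -> List[str]:
    """Distinct hostnames along the chain, in order: one abuse report per host."""
    hosts: List[str] = []
    for url, _ in chain:
        host = urlsplit(url).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts

# Constructed stand-in for the network, reproducing the 302 hops in the post's wget log
# (tracking parameters shortened to the same [%...%] placeholders the post uses).
_FAKE_WEB: Dict[str, Tuple[int, Optional[str]]] = {
    "https://xvox2.bemobtrk.com/go/ac6-some tracing numbers?#":
        (302, "https://go.2coo.xyz/click?pid=[%number%]"),
    "https://go.2coo.xyz/click?pid=[%number%]":
        (302, "https://trace.affiliateedge.com/visit/?bta=[%btanumber%]"),
    "https://trace.affiliateedge.com/visit/?bta=[%btanumber%]":
        (302, "https://www.luckyredcasino.com/?btag=[%btagcode%]"),
    "https://www.luckyredcasino.com/?btag=[%btagcode%]": (200, None),
}

def fake_fetch_head(url: str) -> Tuple[int, Optional[str]]:
    return _FAKE_WEB.get(url, (404, None))
```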

     

  11. 10 hours ago, KNERD said:

    You have to redo the spam report when you get those errors. It will get through eventually.

    That is exactly what wants or needs to be avoided -- to redo the reports.

    Even though the message to the abuse departments didn't get sent, the spam got processed by SC and entered in the SCBL. every time the same identical spam gets reported, the reports get skewed and SC ends up being listed as unreliable due to skewed reports, and as a SC user, I don't think that would be a good thing. One report for one spam recipient. That's the goal. at least that's the goal I thought we were aiming for...

    Hence my inquiry into resending only the emails to the abuse depts, instead of resubmitting the spam over and over until the errors finally subside.

  12. 5 hours ago, petzl said:

    https://www.spamcop.net/sc?id=z6727039788z68822f31af72e34fa6ba9d060077cf7cz

    Can't send report: smtpEnvelope (7146523841.c6a2e9c3@bounces.spamcop.net, chinv@adsota.com): smtpFrom: mail From 7146523841.c6a2e9c3@bounces.spamcop.net: error (452 #4.3.1 temporary system error (12) )
    /dev/null'ing report for google-abuse-bounces-reports@devnull.spamcop.net
    Can't send report: smtpEnvelope (7146523844.d384cc6c@bounces.spamcop.net, hm-changed@vnnic.vn): smtpFrom: mail From 7146523844.d384cc6c@bounces.spamcop.net: error (550 No expected reply from SMTP)
    Can't send report: smtpEnvelope (7146523845.2a1237c0@bounces.spamcop.net, international@vncert.vn): smtpFrom: mail From 7146523845.2a1237c0@bounces.spamcop.net: error (550 No expected reply from SMTP)

    While the spam was processed, the 3 mentioned Vietnamese abuse departments will never receive a report to act upon. Well, never for this specific submitted report due to the smtpEnvelope/smtpFrom errors (452 and 550).

    I'm not counting google's report since that one gets /dev/null'ed right away without any further decorum.

  13. sorry, I don't seem to be making myself clear.

    I'm not talking about the devnull reports, I am talking about reports that because of either

    Can't send report: smtpEnvelope ...

    or OP's

    [an error occurred while processing this directive]

    errors (assuming that if I check with [Past Reports] tab and the report was processed, but emails to me and the abuse depts of non-devnulled isps) were not sent — I can tell reports were not sent because I didn't receive mine — could be retried to send to a later time or manually triggered to re-send...

    edit 2021.10.18-04:50:00 CDT:

    I'm talking about reports like these: https://forum.spamcop.net/topic/46809-server-issue/?do=findComment&comment=158695

     

    btw, I had just an "awesome" experience with cloudflare who replied to me with an automated message, but when I checked the link I reported about, I saw that they had manually edited the page in question (or replaced it) with the following message:
     

    <p>This link has been flagged as phishing. Phishing is an attempt to acquire personal information such as passwords and credit card details by pretending to be a trustworthy source.</p>
    <p><strong>If you're a visitor of this website</strong><br />
                The website owner has been notified and is in the process of resolving the issue. For now, it is recommended that you do not continue to the link that has been flagged.</p>
    <p><strong>If you're the owner of this website</strong><br />
                Please log in to cloudflare.com to review your flagged website. If you have questions about why this was flagged as phishing please contact the Trust &amp; Safety team for more information.</p>

    yay! 🎆 (fireworks)

  14. 5 hours ago, Lking said:

    I would not think so. It is not an error to send reports to devnull. Re-sending reports would open SC to having a single spam reported to the sender's ISP and the SCBL several times, distorting the database, making all reports then questionable.

    I understand that...

    I guess I wasn't clear: instead of me re-submitting the report (since it would be the same spam "reported twice") there should be an option to re-send the emails from the original report. the ones that were never sent in the first place...

    That's what I meant with "re-sending the report" as opposed to "re-submitting the report"

  15. 17 minutes ago, Lking said:

    Even though spam reports are not sent, your reports do feed the SCBL

    I am curious, is there a way to "re-send" a report?

    What I mean, when an error like that happens, I don't receive a report which I usually send to my own email for "safekeeping/bookkeeping" to confirm that the spam was reported.

    That would enable me to avoid double reporting on such occasions...

  16. 1 hour ago, gnarlymarley said:

    The browser URL for the page that gives you the tracking URL is the same as the tracking URL.  If you submit by email, the tracking URL is used in the email.

    thanks :) forgot that part 😔

    (although I can't confirm it, many times when an error like that appears, the URL actually points to the error and not the tracking URL... will keep my eyes peeled though)

     

  17. 1 hour ago, petzl said:

    Try to include a SpamCop Tracking URL (at top of page before you submit)

    when someone gets that sort of error, they won't get a tracking URL.

    that error happens before the spam gets parsed.

    @ArtmakersWorlds an hour later, here on Central Time, the reporting works for me without error.

    it also could be that the spammers have figured out a way to break the system (although I highly doubt that)

  18. it has been working for me too...

    clearly "speculation does not resolve the issue" but by the system working (be it on and off or even seemingly on) one can speculate that the system is being maintained and probably some disk space assigned (or even reprogrammed to account for certain 'errors') to work properly.... pure speculation here... ;)

    also got a reply just moments ago from NTT Communications(OCN) (automated reply though) and from support.mchost.ru (also automated reply)

    something is working 😈

  19. ;)

    18 hours ago, Lking said:

    [...] Could have used a stranger 😉  Loss of a few organized electrons and it's back to the stone age burning wood to heat the cave.

    [...]

    Judy was a heartthrob back in the day when I was young and ...

    or an option: coal from the locomotives (they are not used atm I believe), build a steam generator, use snow (melted) for steam and voilà, you got yourself some power ;) and heat too 😀

    ... when we were young 😁

    I take it power or internet is out again... back to basic life it is ;)
