RobiBue
Posts posted by RobiBue

  1. 16 hours ago, kolor said:

    Still the same issue. I wrote an email to Cisco about this issue and why nobody fixes this. But I see nobody cares about it.

    I feel SpamCop is going to be an obsolete idea.

    Can't send report: smtpEnvelope (7148829.3c0fe287@bounces.spamcop.net, abuse@hetzner.com): smtpFrom: mail From 7148829.3c0fe287@bounces.spamcop.net: error (452 #4.3.1 temporary system error (12) )

    Can't send report: smtpEnvelope (7148832.5f34342c@bounces.spamcop.net, abuse@cloudflare.com): smtpFrom: mail From 7148832.5f34342c@bounces.spamcop.net: error (550 No expected reply from SMTP)

    when I get the "Can't send report" message, I simply resubmit and usually the second time around it works.

    Honestly, I don't know if I'm "allowed" to resubmit spam (usually not,) but in these cases I believe these measures are warranted.

    The reason I resubmit is that reports are not sent if the error arises, and it is not possible (yet) to manually force a report to be re-sent.

  2. "Internal handoff" means that there is no reporting address to be found since it is internal and could be anywhere in any company.

    It's basically the same as either of the three private IPv4 addresses: 10.0.0.0/8, 172.16.0.0/12, or the more common home network 192.168.0.0/16 used in most home networks.

    This means that there is no set "reporting address" to contact the "owner" or its upstream owner.

    SC is correct in this assessment and, no matter how strongly you might feel about it being wrong, it still won't find a reporting address since there is none to find.

     

    I hope this explanation helps

    Just in case I am unable to explain it clearly, there is a Wikipedia article related to Unique Local Address

    Especially in the Properties section
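
The distinction drawn in the post above, as an added example that is not part of the original post and not SpamCop's own code: it labels each address found in a `Received:` chain as an internal handoff or as reportable. The header lines, host names and the two function names are constructed for illustration, and treating exactly these four ranges as "internal" is an assumption based on the ranges the post names.

```python
import ipaddress
import re

# Ranges named in the post: the three RFC 1918 IPv4 blocks, plus the IPv6
# Unique Local Address block (fc00::/7) covered by the linked article.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Bracketed address literal in a Received: line; some MTAs prefix "IPv6:".
ADDR_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def is_internal(addr):
    """True if addr is in a private-use range, so no registry lists an owner."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in INTERNAL_NETS)


def classify_hops(received_lines):
    """Return [(address, label)] for every parsable address, in header order."""
    hops = []
    for line in received_lines:
        for match in ADDR_RE.finditer(line):
            try:
                internal = is_internal(match.group(1))
            except ValueError:      # bracketed text that is not an IP address
                continue
            hops.append((match.group(1),
                         "internal handoff" if internal else "reportable"))
    return hops


# Constructed sample headers (hypothetical hosts; 203.0.113.7 is a
# documentation address standing in for a public sender).
SAMPLE_RECEIVED = [
    "Received: from out.example.net (out.example.net [203.0.113.7]) by mx.example.org",
    "Received: from relay.corp ([IPv6:fd12:3456:789a::25]) by out.example.net",
    "Received: from app01 ([10.20.30.40]) by relay.corp",
    "Received: from edge ([172.32.0.9]) by app01",  # just outside 172.16.0.0/12
]

if __name__ == "__main__":
    for addr, label in classify_hops(SAMPLE_RECEIVED):
        print(f"{addr:24} {label}")
```
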

  3. I use https://support.google.com/code/contact/cloud_platform_report  instead. with Firefox it works.

    In the section about Cloud Platform Service I put "not sure" since emails don't really fall into any of those categories... then I place a short note about the received: header line in the Abuse Details box and attach the full email in the additional logs (the plural is somewhat misleading since only one file can be attached...)

    In the abuse details text box I also mention the lines

    spf=pass (google.com: domain of ????@gmail.com designates 209.85.220.41 as permitted sender) smtp.mailfrom=????@gmail.com;

    of both Authentication-Results:  and ARC-Authentication-Results: in the headers.

     

  4. 8 hours ago, Steve said:

    Is anyone having a problem reporting Gmail spam? The last 2 Gmail spams I've received have had SC come back with No reporting addresses found for 209.85.220.65, using devnull for tracking. I alternatively report the spam on this site: https://support.google.com/mail/contact/abuse?hl=en&rd=1

    Here's the tracking URL:

    https://www.spamcop.net/sc?id=z6723876118z2316e05022f73d38d77598da3bc5f84fz

    Steve

    The problem is that abuse@google.com bounces (25774 sent : 16690 bounces) and that's why SC comes back with "no reporting address"

    If you want to report to google, you have to report manually through your email and not through SC....

    I am thinking that those bounces created SC's latest submission hiccups.

  5. I believe the mail server is reaching its HDD limit, hence the SMTP 452 #4.3.1 errors.

    Somehow I think there is a cleanup job running in the background, but it is also possible that the server's HDD is starting to lose capacity due to corrupted sectors (this is just a thought, although it's feasible taking into consideration the age of the system...) and with that, even a cleanup job won't keep the system happy for long...

     

  6. 7 hours ago, leagris said:

    Seriously, this forum still runs on plain HTTP and no HTTPS.

    Given how browsers discourage use of plain HTTP, and how it will become harder or soon impossible to use plain HTTP, without editing obscure config options:

    − less and less users will be able to access here, but spam bots.

    The problem is not that the site isn't upgraded to HTTPS. The problem is that the certificate is issued to *.cloudfront.net and that is what needs to be fixed...

    but I agree! I am browsing the forum with a security exception, which doesn't give me much confidence...

  7. Hello Perrin,

    not knowing how you got informed that you are "blacklisted" leaves me at a loss too.

    If you enter here (spamcop) your

    1. email address
    2. web address

    individually -- that is as a single address (one line only) -- you will be able to see if your email/site are blacklisted by spamcop (SC)  but somehow I doubt it by your description of the issue.

    As an example:

    I added www.spamcop.net in the field and here is the result:

    https://www.spamcop.net/sc?track=www.spamcop.net

    under Statistics you can see the status of the website in the block lists.

    It is possible that your problem does not stem from SC but from an individual provider who claims that the BL (block list) is from SC ...

    edit: IIRC SC BLs are only active for 24 hours, which means that after 24 hours they should expire if it was ever listed through this anti-spam service.
    (If I Remember Correctly SpamCop Block Listings)

  8. at 4:30 CDT I get it too:
     

    Quote

     

    Gateway Timeout

    The proxy server did not receive a timely response from the upstream server.

    Reference #1.d6200117.1629192635.5cabf13

     

    it happens as soon as the [ Send spam Report(s) Now ] button is pressed.

    Edit:

    30 minutes later it worked. No idea what's going on...

  9. indeed SC does only "x" out the email address...

    the websites/links stay the way they are for the ISP to verify that the website is used and to remove the abusing domain or website.

    this is unfortunate in your situation, and believe me, I know... had the same "helpful webdesigners" spam me too (well, maybe not the same...)

    not much that can be done here...

  10. 3 hours ago, SWarner said:

    I have seen this issue posted a couple times in the past, and wanted to see if anyone could provide their thoughts on what I'm experiencing.

    Our sending IP was verified as unlisted as late as June 21 at 7AM PST, but an email we sent the next day June 22 at 930AM PST returned several bounces with a range of errors.

    What I find interesting is that we received all bounces/errors on the same day, but the errors are so different and come from several unrelated recipient domains. All are referencing a SpamCop block.

    550-"JunkMail rejected - XXX.mktomail.com [XXXXXX]:55650 is in an 550-RBL on rbl.websitewelcome.com, see Blocked - see 550 http://www.spamcop.net/w3m?action=checkblock&ip=XXXXXX"

    550-"JunkMail rejected - sjsmtp.mktomail.com [XXXXXXX]:36064 is in an 550 RBL: Blocked - see https://www.spamcop.net/bl.shtml?XXXXXX"

    550 spamcop.mimecast.org Blocked - see https://www.spamcop.net/bl.shtml?XXXXXX. - https://community.mimecast.com/docs/DOC-1369#550 [469OF93uOEyQiJ_Jghl1jw.us376]

    But we are not listed:



    Could there be a single root issue, or is it really the case that the error is rooted in each recipient's settings --- meaning we would need to contact each recipient who returned an error and address their settings individually?

    Thanks!

    Hi @SWarner,

    this is a problem with "private" blocklists e.g. rbl.websitewelcome.com

    they will list ip addresses, and then redirect you to spamcop, which is not involved in the listing through aforementioned RBL.

    it happens often, and users who are blocked think that spamcop is to blame. Of course, there can be instances where a customer shares the same address range as a spammer, and ends up as casualty in the spam wars, but here, you are the victim of an independent RBL who has added the IP range you "inhabit" in his/her listing.

    if you check Google you will find a myriad of entries regarding that specific RBL, and it's not good.

    https://www.google.com/search?q=rbl.websitewelcome.com

    you can also check your mail host here: https://mxtoolbox.com/blacklists.aspx

    maybe this info will be of help.

    again, just to clarify: said RBL has no connection to spamcop whatsoever.

    Good luck

  11. well, looks like both, yours and mine, are hosted by the same Russian spam haven SERVERLUX-NET aka serverlux.ru...

    ...seems to be a yandex.ru / yandex.net customer... IMNSHO it's the Russian ransomware group phishing for more... just my opinion...

    I mean no offense to Russians in this forum, nor any offense to yandex/serverlux users, but the hosting companies seem to be very lax when it comes to spammers, scammers, and cyber criminals... seem is the word of choice I am using...

     

  12. I have been getting spam in Russian lately, but not from transcriby...

    they are always something about money ... scams IMO...

    Today, this one: https://www.spamcop.net/sc?id=z6714158319za96a80e7bd03d49067421101abebbddfz

    oddly enough, if I look at the whois records for 87.251.84.130

    % Abuse contact for '87.251.84.0 - 87.251.85.255' is 'noc@serverlux.ru'

    and sc sez:

    Quote
    Reports routes for 87.251.84.130:
    routeid: 78610748 87.251.84.0 - 87.251.89.255 to: admin@at-sib.ru
    Administrator interested in all reports
    3/19/2020, 10:52:56 AM -0500
    [Note added by  (no name)]
    Route added without comment
    routeid: 78610752 87.251.84.0 - 87.251.88.255 to: noc@serverlux.ru
    Administrator interested in all reports
    3/19/2020, 10:53:21 AM -0500
    [Note added by  (no name)]
    Route added without comment

    but:

    Quote

    Routing details for 87.251.84.130
    Reports disabled for noc@serverlux.ru

    Using noc#serverlux.ru@devnull.spamcop.net for statistical tracking.

    Report routing for 87.251.84.130: admin@at-sib.ru, noc#serverlux.ru@devnull.spamcop.net

    of course, Reports disabled ...

  13. 2 hours ago, ronros said:

    I don't see how it could have come from a different account; the email client only checks the one.  But can you tell from the tracking link what email address I should add?

    Also, if secureserver.net were removing the received lines, why would that only happen with email from this particular source?  Emails from other sources can be reported without issues.

    Thanks,

         Ron

    looking at the whole message, it does seem that the spam came from an outlook account, so report_spam[at]hotmail.com seems to be the correct place to report for spam origin.

    looking at the links in the spam, wix.com is the owner of the web IP address, so abuse[at]wix.com would be the place to report the link.

    just my 2¢

     

    p.s. if secureserver.net were to remove received lines it would be on them to track the origin of the spam. No MX should be removing received lines, only adding them as they pass through their "sector" to be able to trace the origin correctly. Outlook does have misconfigured mail hosts which break the tracing as the names for inbound vs. outbound are different. (at least that's the way I see it)

  14. Six years ago (we're now 2021) manual routing and reporting addresses were added to Spamcop for '217.79.176.0 - 217.79.191.255' but lots happens even in just one year...

    Currently SC has the following: https://www.spamcop.net/sc?action=showroute;ip=217.79.187.55;typecodes=16

    Quote
    Reports routes for 217.79.187.55:
    routeid: 74332930 217.79.176.0 - 217.79.191.255 to: abuse@fastit.net
    Administrator interested in all reports
    10/9/2015, 10:31:24 AM -0500
    [Note added by 70.64.96.109 (s0106586d8fed0f8d.ss.shawcable.net)]
    Route added without comment
    routeid: 74332931 217.79.176.0 - 217.79.191.255 to: abuse@fibre1.net
    Administrator interested in all reports
    10/9/2015, 10:31:27 AM -0500
    [Note added by 70.64.96.109 (s0106586d8fed0f8d.ss.shawcable.net)]
    Route added without comment

    besides:

    Reports disabled for abuse@fastit.net
    Using abuse#fastit.net@devnull.spamcop.net for statistical tracking.


    BUT
    % Abuse contact for '217.79.176.0 - 217.79.191.255' is 'abuse@myloc.de'

    and

    remarks:        +---------------------------------------------------+
    remarks:        | Please direct abuse issues ONLY                   |
    remarks:        | to abuse@myloc.de                                 |
    remarks:        |                                                   |
    remarks:        | Complaints to other adresses will be deemed       |
    remarks:        | as spam and not further processed!                |
    remarks:        +---------------------------------------------------+

    the full whois as of today, May 27, 2021 with current data (no fastit.net nor fibre1.net anywhere to be seen although I do believe that a few years ago fastit.net and fibre1.net used to be involved...)

    $ whois 217.79.187.55
    % This is the RIPE Database query service.
    % The objects are in RPSL format.
    %
    % The RIPE Database is subject to Terms and Conditions.
    % See http://www.ripe.net/db/support/db-terms-conditions.pdf
    
    % Note: this output has been filtered.
    %       To receive output for a database update, use the "-B" flag.
    
    % Information related to '217.79.176.0 - 217.79.191.255'
    
    % Abuse contact for '217.79.176.0 - 217.79.191.255' is 'abuse@myloc.de'  <------!!!
    
    inetnum:        217.79.176.0 - 217.79.191.255
    netname:        DE-MYLOC-DUS-20031117
    country:        DE
    org:            ORG-MMIA3-RIPE
    admin-c:        MOPS-RIPE
    tech-c:         MOPS-RIPE
    status:         ALLOCATED PA
    mnt-by:         MYLOC-MNT
    mnt-by:         RIPE-NCC-HM-MNT
    created:        2020-11-04T10:31:12Z
    last-modified:  2020-11-04T10:31:12Z
    source:         RIPE
    
    organisation:   ORG-MMIA3-RIPE
    org-name:       myLoc managed IT AG
    country:        DE
    org-type:       LIR
    address:        Am Gatherhof 44
    address:        40472
    address:        Dsseldorf
    address:        GERMANY
    admin-c:        MOPS-RIPE
    tech-c:         MOPS-RIPE
    abuse-c:        MOPS-RIPE
    mnt-ref:        MYLOC-MNT
    mnt-by:         RIPE-NCC-HM-MNT
    mnt-by:         MYLOC-MNT
    created:        2019-10-28T10:48:29Z
    last-modified:  2021-02-09T10:11:49Z
    source:         RIPE # Filtered
    remarks:        Phone number is 24/7 NOC number with senior engineer on duty for routing/backbone related issues.
    remarks:        This number should NOT be used for customer support nor for requests by public authorities.
    remarks:        Thanks for your understanding.
    phone:          +4921161708110
    fax-no:         +4921161708111
    
    role:           myLoc NOC
    address:        myLoc managed IT AG
    address:        Network Operations & Services
    address:        Am Gatherhof 44
    address:        40472 Duesseldorf DE
    admin-c:        PHAN
    tech-c:         PHAN
    tech-c:         DDO
    tech-c:         JOH
    tech-c:         NIL
    tech-c:         PRI
    nic-hdl:        MOPS-RIPE
    remarks:        +---------------------------------------------------+
    remarks:        | Please direct abuse issues ONLY                   |
    remarks:        | to abuse@myloc.de                                 |
    remarks:        |                                                   |
    remarks:        | Complaints to other adresses will be deemed       |
    remarks:        | as spam and not further processed!                |
    remarks:        +---------------------------------------------------+
    remarks:        | Please send legal/law enforcement inquiries to    |
    remarks:        | auskunft_AT_myloc.de.                             |
    remarks:        |                                                   |
    remarks:        | PGP-Key ID for auskunft@myloc.de is 0xBB75B2C5    |
    remarks:        |                                                   |
    remarks:        | You can send your inquiry also via fax to this    |
    remarks:        | number: +49 211 61708 551                         |
    remarks:        |                                                   |
    remarks:        | For questions on legal/law enforcement use phone  |
    remarks:        | number: +49 211 61708 114                         |
    remarks:        |                                                   |
    remarks:        | Mails to abuse@myloc.de WILL                      |
    remarks:        | be automatically processed and the customer WILL  |
    remarks:        | get a notification about your inquiry.            |
    remarks:        +---------------------------------------------------+
    remarks:        | ONLY In case of routing/peering related issues    |
    remarks:        | please contact NOC:                               |
    remarks:        |                                                   |
    remarks:        | 24/7 NOC email: noc@myLoc.de                      |
    remarks:        | 24/7 NOC phone: +49 211 61708 110                 |
    remarks:        +---------------------------------------------------+
    abuse-mailbox:  abuse@myloc.de
    mnt-by:         MYLOC-MNT
    created:        2013-02-11T16:38:10Z
    last-modified:  2021-02-09T19:48:35Z
    source:         RIPE # Filtered
    
    % Information related to '217.79.176.0/20AS24961'
    
    route:          217.79.176.0/20
    descr:          myLoc managed IT AG
    origin:         AS24961
    mnt-by:         MYLOC-MNT
    created:        2003-11-17T13:44:38Z
    last-modified:  2017-02-07T16:39:12Z
    source:         RIPE
    
    % This query was served by the RIPE Database Query Service version 1.100 (BLAARKOP)

    Personally, I would suggest disabling the two report routes, and if myLoc managed IT AG requests to place those two reporting addresses back, add a comment to the note(s) of who requested the addition and why.

    Thank you
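
The comparison made by hand in the post above, as an added example that is not part of the original post and not SpamCop's code: it parses the RIPE "Abuse contact" line and the SpamCop route listing, then flags routes whose recipient differs from the registry contact for an overlapping range. The sample strings are lines copied from the post; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: lines copied from the whois output and the SpamCop
# route listing quoted in the post above.
WHOIS_TEXT = """\
% Abuse contact for '217.79.176.0 - 217.79.191.255' is 'abuse@myloc.de'
inetnum:        217.79.176.0 - 217.79.191.255
"""
SC_ROUTES = """\
routeid: 74332930 217.79.176.0 - 217.79.191.255 to: abuse@fastit.net
routeid: 74332931 217.79.176.0 - 217.79.191.255 to: abuse@fibre1.net
"""

ABUSE_RE = re.compile(r"% Abuse contact for '([\d.]+) - ([\d.]+)' is '([^']+)'")
ROUTE_RE = re.compile(r"routeid:\s*(\d+)\s+([\d.]+) - ([\d.]+)\s+to:\s*(\S+)")


def _span(first, last):
    """Convert a dotted-quad range to a pair of integers for comparison."""
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))


def registry_contacts(whois_text):
    """Return [((first, last), address)] from RIPE 'Abuse contact' lines."""
    return [(_span(m[1], m[2]), m[3].lower())
            for m in ABUSE_RE.finditer(whois_text)]


def stale_routes(whois_text, routes_text):
    """Return route ids whose recipient is not the registry abuse contact
    of any registry range that overlaps the route's range."""
    contacts = registry_contacts(whois_text)
    stale = []
    for m in ROUTE_RE.finditer(routes_text):
        lo, hi = _span(m[2], m[3])
        expected = {addr for (rlo, rhi), addr in contacts
                    if rlo <= hi and lo <= rhi}
        # Without overlapping registry data there is nothing to compare against.
        if expected and m[4].lower() not in expected:
            stale.append(int(m[1]))
    return stale


if __name__ == "__main__":
    print("registry:", registry_contacts(WHOIS_TEXT))
    print("stale route ids:", stale_routes(WHOIS_TEXT, SC_ROUTES))
```
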

  15. for me and for SC it resolves. just paste the link to the parser...

    Quote

    SpamCop v 5.3.0 © 2021 Cisco Systems, Inc. All rights reserved.

    Host d00.nyc3.digitaloceanspaces.com (checking ip) = 162.243.189.2
    Routing details for 162.243.189.2
    [refresh/show] Cached whois for 162.243.189.2 : abuse@digitalocean.com
    Using best contacts abuse@digitalocean.com

    Statistics:

    162.243.189.2 not listed in bl.spamcop.net
    More Information.
    162.243.189.2 not listed in cbl.abuseat.org
    162.243.189.2 not listed in dnsbl.sorbs.net

    Reporting addresses:
    abuse@digitalocean.com

    it does redirect to a different website though...

    Edit:
    now, 12 hours later I got the chance to revisit the issue:

    <Error>
    <Code>UserSuspended</Code>
    <BucketName>d00</BucketName>
    <RequestId>tx0000000000000348ca477-0060aed878-c814a11-nyc3c</RequestId>
    <HostId>c814a11-nyc3c-nyc3-zg03</HostId>
    </Error>

    digital ocean does seem to act upon reports!

    It would just be nice if SC would parse bounces regardless...

  16. The problem is not where the spam is coming from. the problem for the OP is that whenever a bounce is detected, the links in the spam do not parse.

    also, manual reporting is not for everybody, and SC was designed to automate the process, not make it harder.

    It's a pity that Julian is not involved anymore... I miss him...

    and if @Richard W can look into this again, it would be fantastic ;) wink wink

    BTW @EkriirkE I like your interests status ;) it sounds fun to peruse stuff for something it's not meant to be 😄

     

  17. @WindsorFox what email program do you use to submit the spam?

    I would first try the following:

    Open the saved email file with notepad and copy/paste the whole content (headers and body) into the https://www.spamcop.net/ online form and see if that causes a problem when you submit it like that.

    Also, I am not sure if the attached email files have to end in spamfile.eml or if it can be .txt or .whatever (but I would go with .eml) so be sure it has the correct file type.
    Just as a side note, mine works if I submit it as spam1.eml and I can submit many spam emails attached to the one submission email (of course the number then increases for the file.)

     
