RobiBue

Members
  • Content Count: 252
Posts posted by RobiBue


  1. I actually believe, Apple should look into the configuration of their SMTP server named st11p00im-smtpin002.

    When it receives the email, it places the host name st11p00im-smtpin002.me.com into the Received: header as "received by",
    then, when it sends the message on its merry way, the same server is now known as st11p00im-smtpin002.mac.com.

    me.com is an apple domain, just like the mac.com is.

    My take is, that some admin forgot to change the domain name on the server...

    If I were you, I'd get in touch with Apple. They'd more than likely be willing to fix their server mis-configuration...


  2. Ok, that's not it, but then again, it is... apparently Google's internal mailing is creating havoc.

    As you can see, the bottom-most (aka first) Received: header is

    Received: by 2002:a17:90a:3aac:0:0:0:0 with HTTP; Thu, 2 Aug 2018 07:36:54
     -0700 (PDT)

    There is no from in the received line. The by is one of those private networks from IPv4 in 6to4 format, which SpamCop correctly identifies as 10.23.9.10 but, as I mentioned earlier, since it's a 6to4 address, it can't cope.

    and no, you won't be able to send a report for this one via SpamCop. This one needs "manual" intervention... https://www.google.com/contact/

    Sorry.

     


  3. 8 hours ago, lisali said:

    Is there anything that we can do? Is there a way to send feedback to Google?

    Well, I guess it wouldn't (or couldn't) hurt if SpamCop users/reporters with gmail accounts send their feedback...

    I found the feedback link in gmail by clicking on the settings gear in the "new" gmail (or classic/standard view). Can't find it in the basic HTML view though.



  4. With Gmail, SpamCop has been having problems lately, because their mail system adds their internal IP addresses for their mail hosts as so called "6to4" addresses in IPv6 form, and that breaks SpamCop.

    SpamCop has no wish to check if the IPv6 address would be a private address (10/8) and handle it as a private address.

    Google is misusing the 6to4 format not conforming to RFC 3056 section 2 and reporting their private mail host as IPv6 in the 6to4 format.

    Google needs to fix that, but regardless, SpamCop needs to be able to cope with it and sadly it doesn't.

    If the topmost Received: header starts with 2002:axx:xxxx:0:0:0:0:0:0 then manually parenthesize that address and place mx.google.com in front:

    Received: by mx.google.com (2002:axx:xxxx:0:0:0:0:0:0) ............

    and it should work...

    that is, if that is your problem, but without the TRACKING URL it's hard to diagnose the problem ...


  5. Ok, just reread the thread and found the following 

    On 6/19/2018 at 9:21 AM, lisali said:

    Hi! No worries. :) Yes, I have configured all my mailhosts. From what I understand, this issue relates to how Gmail shows the sender/relaying IP, which confuses SpamCop. Other online tools, however,  seem to parse these headers just fine.

    Yeah, Gmail adds their Received: header with a 6to4 IPv6 address from a private 10.0.0.0/8 network which according to RFC 3056 §2 is not allowed, but them being google, do it anyway regardless of the consequences.

    This, in my opinion, is something that google shouldn’t have implemented and should fix. SpamCop should be able to cope with the 6to4 address and see it as an internal private address just as it would be if it was given the original 10.nnn.nnn.nnn address.

    Currently it seems that neither SC nor google is about to budge.

    All we can do, is either delete the 2nd line Received: header with its faulty IPv6 address and paste it as a comment for the receiving abuse recipients for completeness, or put the IPv6 address in parentheses and place its equivalent IPv4 address in front.

    an example of that 2nd line:

    Received: by 10.176.75.22 (2002:ab0:4b16:0:0:0:0:0) with SMTP id h22-v6csp5358367uaf;
            Tue, 31 Jul 2018 11:25:32 -0700 (PDT)

     


  6. 6 hours ago, petzl said:

    I doubt if Google are using legit email headers. Other email providers using ARC are parsed easily by SpamCop

    it's not the ARC headers, it's the Received: header containing the IPv6 address in 6to4 form which points to a private IPv4 address [rfc 1918]

    and no, the Received header with that type of IPv6 address (private IPv4 in 6to4 form) is not allowed, therefore not legit. [rfc 3056] section 2:
     

    Quote

     

    2. IPv6 Prefix Allocation

    Suppose that a subscriber site has at least one valid, globally unique 32-bit IPv4 address, referred to in this document as V4ADDR. This address MUST be duly allocated to the site by an address registry (possibly via a service provider) and it MUST NOT be a private address [RFC 1918].

     

     


  7. 44 minutes ago, Surefoot said:

    Oh also interesting to note that the Message-Id header is also missing a space after the colon but is not subject to the same issue, that is really specific to List-Unsubscribe from what i can see.

    As is the to: header... I believe the “munging” of the List-Unsubscribe: header is a side effect of a regex command which is misinterpreting the missing space after the colon as part of hiding a “valid” email address...

    I believe Cisco/talos need to look into that, as it breaks the parser.


  8. 5 hours ago, Surefoot said:

    Here you go :)

    https://www.spamcop.net/sc?id=z6475807183z5236b0f8dee8383f688afa7e2f6401faz

    In this one, removing the List-Unsubscribe allows Spamcop to parse the head properly.

    [...]

     

    (edit3) let me paste the original headers here for reference (just masking my address and receive path):

    
    Received: (...)
    X-ProXaD-SC: state=spam score=500
    from:Archives de cadeaux<hxpljvexyqmuihlrulhf@sales2.beterprivate.xyz>
    To: (...)
    subject:Répondez à notre sondage Free et remportez un cadeau
    MIME-Version:1.0
    Content-Type:text/html; charset="ISO-8859-1"
    Content-Transfer-Encoding:7bit
    List-Unsubscribe:<mailto:leave-31c4v__td0r78@sales2.beterprivate.xyz>
    Message-Id:<LYRIS-l3rsm.0g4ubod-Tue, 24 Jul 2018 12:44:37 +0200@sales2.beterprivate.xyz>
    Date:Tue, 24 Jul 2018 12:44:37 +0200

    Note how Spamcop munges the List-Unsubscribe line entirely

    I see the problem that you're having. It isn't what I thought, but nonetheless bad.

    The problem is, that the sender's mailing program does not add a space right after the colon (:) ending the header type.

    All the messages I have seen have that extra space after the colon. It is not required by RFC standards, but it seems to hurt SC.

    I tried your message, and if you insert that space after the colon, it works.

    https://www.spamcop.net/sc?id=z6475844094zd9d6160d20740d76a1fb1f9ae1dbcbb8z

    (I added a space after every one that didn't have one, but I believe that if you only do it with the List-Unsubscribe: header, it should work too.)
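The workaround described in the post above (one space after the colon that ends each header field name) can be scripted before submitting. This is an added example, not part of the original posts and not SpamCop's parser; the function name and the body line in the sample are constructed for illustration, and the header lines are the ones quoted in the post.

```python
import re

# A field name (printable ASCII without ':') whose colon is followed
# directly by the value, with no space or tab in between.
TIGHT_FIELD = re.compile(r"^([!-9;-~]+):(?=[^ \t\r\n])")


def space_after_field_names(message):
    """Insert one space after the field-name colon of each header line."""
    out, in_headers = [], True
    for line in message.split("\n"):
        if in_headers:
            if line.strip() == "":
                in_headers = False            # blank line ends the headers
            elif not line[0].isspace():       # skip folded continuation lines
                # Only the first colon is touched; colons inside the value
                # (times, mailto: URIs) stay as they are.
                line = TIGHT_FIELD.sub(r"\1: ", line, count=1)
        out.append(line)
    return "\n".join(out)


# Header lines as quoted in the post; the body line is constructed.
SAMPLE = "\n".join([
    "X-ProXaD-SC: state=spam score=500",
    "MIME-Version:1.0",
    "List-Unsubscribe:<mailto:leave-31c4v__td0r78@sales2.beterprivate.xyz>",
    "Message-Id:<LYRIS-l3rsm.0g4ubod-Tue, 24 Jul 2018 12:44:37 +0200"
    "@sales2.beterprivate.xyz>",
    "Date:Tue, 24 Jul 2018 12:44:37 +0200",
    "",
    "note:constructed body line, left untouched",
])

if __name__ == "__main__":
    print(space_after_field_names(SAMPLE))
```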


  9. Hello Goodnerd,

     

    the problem you're having is unfortunately known to spamcop, and is a problem for us "reporting spam".

    Gmail is one of the biggest causes of this problem, although I have heard that Yahoo! is doing the same.

    The reason is, that these email providers have been inserting a 6to4 IPv6 address for their Received: headers.

    These 6to4 addresses begin with "2002:a".

    you can submit the spam by changing the following in the topmost Received: line:

    if you have

    Received: by 2002:aa7:d9c9:0:0:0:0:0 with SMTP id h22-v6csp6451088uaf; Tue, 24 Jul 2018 05:25:31 -0700 (PDT)
                 ^^^^^^^^^^^^^^^^^^^^^^^
                 6to4 IPv6 address is a problem

    place the IPv6 address in parentheses and add the equivalent 10.167.217.201 in front like this:

    Received: by 10.167.217.201 (2002:aa7:d9c9:0:0:0:0:0) with SMTP id h22-v6csp6451088uaf; Tue, 24 Jul 2018 05:25:31 -0700 (PDT)
                 ^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^
                       add            parenthesized

    That should enable you to report your spam
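The manual edit described in the post above, as a script: it recovers the IPv4 address embedded in a 6to4 literal, checks it against the RFC 1918 ranges, and rewrites the "by" part of the Received: line in the form the post shows. This is an added example, not part of the original posts and not SpamCop code; the function names and the second sample header are constructed for illustration.

```python
import ipaddress
import re

# RFC 1918 private ranges, which RFC 3056 section 2 excludes from 6to4 use.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# "by <token>" where the token is made only of hex digits and colons.
BY_TOKEN = re.compile(r"(\bby\s+)([0-9A-Fa-f:]+)(?=\s|$)")


def embedded_private_v4(token):
    """Return the RFC 1918 IPv4 address carried in a 6to4 token, else None."""
    try:
        v6 = ipaddress.IPv6Address(token)
    except ValueError:
        return None                      # not an IPv6 literal at all
    v4 = v6.sixtofour                    # None unless the prefix is 2002::/16
    if v4 is not None and any(v4 in net for net in RFC1918):
        return v4
    return None


def rewrite_received(header):
    """Put the private IPv4 in front and parenthesize the 6to4 address."""
    def fix(match):
        v4 = embedded_private_v4(match.group(2))
        if v4 is None:
            return match.group(0)        # leave every other address alone
        return f"{match.group(1)}{v4} ({match.group(2)})"
    return BY_TOKEN.sub(fix, header)


# Header quoted in the post above.
POSTED = ("Received: by 2002:aa7:d9c9:0:0:0:0:0 with SMTP id "
          "h22-v6csp6451088uaf; Tue, 24 Jul 2018 05:25:31 -0700 (PDT)")
# Constructed sample: 6to4 form of the documentation address 192.0.2.4.
PUBLIC = "Received: by 2002:c000:204:0:0:0:0:0 with SMTP id example"

if __name__ == "__main__":
    print(rewrite_received(POSTED))
    print(rewrite_received(PUBLIC))      # unchanged, not a private address
```

Running the rewrite on an already edited header changes nothing, because the token after "by" is then a dotted IPv4 address and no longer matches.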


  10. 7 hours ago, Richard W said:

    Another possibility is, I notice bouyguestelecom.com  has their own issue with IP addresses being listed.  It is possible they are rejecting mail because their own IP is listed, but their error message shows the connecting IP.  In this case they would be rejecting most of their incoming mail and would hopefully notice quickly.

    Ouch! shoot your own foot


  11. 9 hours ago, kolor said:

    I change password for my spamcop account. I have Gmail account I just copy spam and put on spamcop website form.

    And I don't reported any spam maybe about 30 days.

    I see this "" Your average reporting time is: 7 hours; Great! """ I have not sent any spam for 30 days.??

     

    Here, a SpamCop admin should be able to help you.

    Since you do not report spam via “super sekret email” that SpamCop created for you when you signed up, someone else is sending spam reports to that email address.

    It’s the address that you find where you submit spam after you login.

    Forward your spam to: submit.A-long-funny-looking-address@spam.spamcop.net

    Or maybe some spammer is sending spam to that address and SpamCop thinks it’s a report but doesn’t find the spam inside...

     


  12. https://www.spamcop.net/sc?action=rcache;ip=162.252.58.155

    Quote

     

    abuse[at]netrouting.com bounces (99 sent : 99 bounces)

    Using abuse#netrouting.com@devnull.spamcop.net for statistical tracking.

     

     

    netrouting.com claims that it works. Please reset.

    Quote

    Thank you for writing in and so unfortunately to hear you're having spam issues.
    Please go ahead and send the abuse report over to abuse[at]netrouting.com

    Despite the fact what spamcop says (just verified it myself) our abuse[at]netrouting.com address works like a charm.
    Unfortunately, we're getting complaints almost everyday.
    Should definitely work when sending from gmail (tested from my personal mail address moments ago).

     


  13. 12 hours ago, kolor said:

    Hi I would ask about Spamcop server. I received this report every second day. I haven't report spam long time.

     

     

    You say you haven’t reported spam in a long time, yet you receive those messages every 2nd day...

    Did you change jobs and leave your reporting email saved at your last place? Someone who works there now might be reporting the spam to that address.

    11 hours ago, Lking said:

    Kolor, The way I read what you have quoted,

    it is not the spam/email that is causing the problem.  It is the application you are using to forward the email that is causing the problem.

    Check your email application and see if you can change the format from "html" to "text"

    You may be able to look at the source of the email you sent to SpamCop using <ctrl>U   I believe you will see that the attachment is included within some html code, and have <p> </p> or <br> code inserted in the  header.

    NOTE: I have edited your "quote" deleting the example header which reveals your email address, your secret/private spamcop submit address, etc.

    The email address that was in the original message might give a clue who received and submitted the spam. There might be a link with the reporting ID. It is possible as well, that the reporting entity is receiving the spam through a google account and SpamCop is choking on the 6to4 IPv6 address in the Received: line.


  14. It seems to me that superlative.com has a large IP address space (https://whois.arin.net/rest/net/NET-74-118-120-0-1/pft?s=74.118.120.0.) That shows a /22 range with 1024 addresses (well, minus 2)

    they could be the spammer host (or not).

    there doesn't seem to be an upstream they are subletting from... at least I couldn't find one...

    This link (https://ipinfo.io/74.118.123.4) tells me a bit of a different story, but the data could be old...


  15. I see what you mean.

    The only way I can see it done involves some extra work manually, and I believe that is out of the question. it is for me anyway.

    In the message, click on the down arrow and select "view message source".

    here's where the manual work starts:

    copy headers and message source (in the same window) by selecting everything in the new text-box and paste it into an editor.

    The whole thing is one line, so you'll have to insert a CR or CR/NL after every header part. Then you'll be able to submit it to spamcop.

    unless you have some programming experience and create an add-in for Outlook with Visual Studio...

    https://docs.microsoft.com/en-us/visualstudio/vsto/walkthrough-creating-your-first-vsto-add-in-for-outlook


  16. 13 hours ago, mojorisin said:

    That's why you'll continue to get their spam. I'd stop sending the abuse reports too if I were you. You're only wasting your time.

    see below ;)

    5 hours ago, petzl said:

    Your abuse reports seem to be working Cloudflare have removed link 404'ed

    and that's why I like to use the clue by four through the abuse desks :) and Spamcop is a very helpful tool (if they eventually would get through their heads that they need to fix the IPv6 part where it pertains to 6to4 addresses...)


  17. I don't even go to those pages.

    3 main reasons:

    1. I don't care, it's spam.
    2. The links could contain viruses.
    3. The links are most likely coded so that the spammer knows that I received the spam, and by visiting it, he can prove to the spamvertised "client" that he should get paid for his efforts.

    And a last, but not least reason: I didn't sign up for it, why should I unsubscribe anyway.

    That's what the clue by four is for... if the provider's abuse desk gets flooded with abuse reports, eventually he'll get put in place.

    I believe that my email address ended up in his/their list due to one or more of the data breaches of late...

    IOW just another list where they can send their junk...

    I have also been getting lots of unsubscribe confirmation requests which I handle just like spam, as I

    1. didn't unsubscribe, and
    2. if I did, why should I confirm that I am unsubscribing...

    take another clue by four, spammer, I don't want your junk... abuse desk will hopefully clue you in :)

     


  18. well, I believe I found my spammer(s)... probably the same scumbag unless they teamed up...

     

    List of domain names registered by Michael Wallace

    https://domainbigdata.com/nj/PMs8PeMWLXMFAfjPwmyV3g
     

    List of domain names registered by Frank Marsicano

    https://domainbigdata.com/nj/2NMIE802bt4WH2rc3SoTUA
     

    List of domain names registered by Chris Patterson

    https://domainbigdata.com/nj/rnPab-DpPIdNUYynMibFFw
     

    List of domain names registered by Richard Hawking

    https://domainbigdata.com/nj/GlBwSDCvDWjzlWpRAgo9Kg
     

    List of domain names registered by Anton Lassen

    https://domainbigdata.com/nj/vubKHIY--XkSbXo_sFyHPw
     

    some reports with the 58.14/16 range:

    https://www.spamcop.net/sc?id=z6471482675z858c71a05814a9763517674009c94768z
    https://www.spamcop.net/sc?id=z6471482674z9ab0a9c820151d7ac9ce9a041686d4c6z
    https://www.spamcop.net/sc?id=z6471482673zcd19939939e9d574cdb141b1b360f152z
    https://www.spamcop.net/sc?id=z6471482672z08f29a0817817fdf745140d9fa2031baz
    https://www.spamcop.net/sc?id=z6471482671z9f4ead4df33727978572d5e46ac87ad1z

    (and there are over 3000 more of these)

    and the new 27.146/16 spams:

    https://www.spamcop.net/sc?id=z6471634192z1d8fd5aece82eb5feb80e4b6b19f6eb3z
    https://www.spamcop.net/sc?id=z6471634194z7350adbd7dbeaedf80def1cb4631741dz
    https://www.spamcop.net/sc?id=z6471634195zf18a0c1292ecbd3adb3a2a03e64e3fb6z
    https://www.spamcop.net/sc?id=z6471634196zdc9be4ffc73a9c61325ef1a168149c9bz
    https://www.spamcop.net/sc?id=z6471634197z3f7ef41d7685eb94ae14eaf91f4ef100z

    This isn't a DoS attack, it is just a spammer at work hopping through ISPs that want to make a quick buck...
