
RobiBue

Member
Content Count: 243

Posts posted by RobiBue


  1. 44 minutes ago, Surefoot said:

    Oh also interesting to note that the Message-Id header is also missing a space after the colon but is not subject to the same issue, that is really specific to List-Unsubscribe from what I can see.

    As is the to: header... I believe the “munging” of the List-Unsubscribe: header is a side effect of a regex command which is misinterpreting the missing space after the colon as part of hiding a “valid” email address...

    I believe Cisco/talos need to look into that, as it breaks the parser.


  2. 5 hours ago, Surefoot said:

    Here you go :)

    https://www.spamcop.net/sc?id=z6475807183z5236b0f8dee8383f688afa7e2f6401faz

    In this one, removing the List-Unsubscribe allows Spamcop to parse the head properly.

    [...]

    (edit3) let me paste the original headers here for reference (just masking my address and receive path):

    
    Received: (...)
    X-ProXaD-SC: state=spam score=500
    from:Archives de cadeaux<hxpljvexyqmuihlrulhf@sales2.beterprivate.xyz>
    To: (...)
    subject:Répondez à notre sondage Free et remportez un cadeau
    MIME-Version:1.0
    Content-Type:text/html; charset="ISO-8859-1"
    Content-Transfer-Encoding:7bit
    List-Unsubscribe:<mailto:leave-31c4v__td0r78@sales2.beterprivate.xyz>
    Message-Id:<LYRIS-l3rsm.0g4ubod-Tue, 24 Jul 2018 12:44:37 +0200@sales2.beterprivate.xyz>
    Date:Tue, 24 Jul 2018 12:44:37 +0200

    Note how Spamcop munges the List-Unsubscribe line entirely

    I see the problem that you're having. It isn't what I thought, but nonetheless bad.

    The problem is that the sender's mailing program does not add a space right after the colon (:) ending the header type.

    All the messages I have seen have that extra space after the colon. It is not required by RFC standards, but it seems to hurt SC.

    I tried your message, and if you insert that space after the colon, it works.

    https://www.spamcop.net/sc?id=z6475844094zd9d6160d20740d76a1fb1f9ae1dbcbb8z

    (I added a space after every one that didn't have one, but I believe that if you only do it with the List-Unsubscribe: header, it should work too.)

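An added Python example (not code from the thread, from SpamCop or from the poster) of the "insert the missing space" workaround: it lists the header fields whose value starts right after the colon and inserts the conventional space, for every field or only for List-Unsubscribe as the reply suggests. The sample header block is constructed from the one quoted above, with placeholder addresses.

```python
import re
from typing import List, Optional, Set

# Field name per RFC 5322: printable US-ASCII except the colon, then a colon.
# The lookahead matches only when the character right after the colon is not
# whitespace, i.e. the "missing space" case discussed in the thread.
FIELD_RE = re.compile(r"^([!-9;-~]+):(?=\S)")


def missing_space_fields(header_block: str) -> List[str]:
    """Names of header fields whose value starts right after the colon."""
    names = []
    for line in header_block.splitlines():
        if line == "":            # blank line ends the header section
            break
        m = FIELD_RE.match(line)
        if m:
            names.append(m.group(1))
    return names


def add_space_after_colon(header_block: str, only: Optional[Set[str]] = None) -> str:
    """Insert a space after the colon of each header field (or only of the
    fields named in `only`, compared case-insensitively). Folded continuation
    lines start with whitespace and never match; the body is left untouched."""
    out = []
    in_headers = True
    for line in header_block.splitlines():
        if in_headers:
            if line == "":
                in_headers = False
            else:
                m = FIELD_RE.match(line)
                if m and (only is None or m.group(1).lower() in only):
                    line = line[:m.end()] + " " + line[m.end():]
        out.append(line)
    return "\n".join(out)


# Constructed sample modelled on the header block quoted above; the addresses
# are placeholders, the spacing after the colons is the point.
RAW_HEADERS = """\
Received: (...)
X-ProXaD-SC: state=spam score=500
from:Archives de cadeaux<masked-sender@example.invalid>
To: (...)
subject:Sample subject (constructed)
MIME-Version:1.0
Content-Type:text/html; charset="ISO-8859-1"
List-Unsubscribe:<mailto:masked-unsub@example.invalid>
Date:Tue, 24 Jul 2018 12:44:37 +0200

<html>body is not touched: from:nothing here</html>"""
```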

  3. Hello Goodnerd,

    The problem you're having is unfortunately known to spamcop, and is a problem for us "reporting spam".

    Gmail is one of the biggest causes of this problem, although I have heard that Yahoo! is doing the same.

    The reason is that these email providers have been inserting a 6to4 IPv6 address for their Received: headers.

    These 6to4 addresses begin with "2002:a".

    You can submit the spam by changing the following in the topmost Received: line:

    If you have

    Received: by 2002:aa7:d9c9:0:0:0:0:0 with SMTP id h22-v6csp6451088uaf; Tue, 24 Jul 2018 05:25:31 -0700 (PDT)
                 ^^^^^^^^^^^^^^^^^^^^^^^
                 6to4 IPv6 address is a problem

    place the IPv6 address in parentheses and add the equivalent 10.167.217.201 in front like this:

    Received: by 10.167.217.201 (2002:aa7:d9c9:0:0:0:0:0) with SMTP id h22-v6csp6451088uaf; Tue, 24 Jul 2018 05:25:31 -0700 (PDT)
                 ^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^
                       add            parenthesized

    That should enable you to report your spam.


  4. 7 hours ago, Richard W said:

    Another possibility is, I notice bouyguestelecom.com has their own issue with IP addresses being listed. It is possible they are rejecting mail because their own IP is listed, but their error message shows the connecting IP. In this case they would be rejecting most of their incoming mail and would hopefully notice quickly.

    Ouch! Shoot your own foot.


  5. 9 hours ago, kolor said:

    I changed the password for my spamcop account. I have a Gmail account; I just copy spam and put it on the spamcop website form.

    And I haven't reported any spam for maybe about 30 days.

    I see this: "Your average reporting time is: 7 hours; Great!" I have not sent any spam for 30 days??

    Here, a SpamCop admin should be able to help you.

    Since you do not report spam via “super sekret email” that SpamCop created for you when you signed up, someone else is sending spam reports to that email address.

    It’s the address that you find where you submit spam after you login.

    Forward your spam to: submit.A-long-funny-looking-address@spam.spamcop.net

    Or maybe some spammer is sending spam to that address and SpamCop thinks it’s a report but doesn’t find the spam inside...


  6. https://www.spamcop.net/sc?action=rcache;ip=162.252.58.155

    Quote:

    abuse[at]netrouting.com bounces (99 sent : 99 bounces)

    Using abuse#netrouting.com@devnull.spamcop.net for statistical tracking.

    netrouting.com claims that it works. Please reset.

    Quote:

    Thank you for writing in, and so unfortunate to hear you're having spam issues.
    Please go ahead and send the abuse report over to abuse[at]netrouting.com

    Despite what spamcop says (just verified it myself), our abuse[at]netrouting.com address works like a charm.
    Unfortunately, we're getting complaints almost every day.
    Should definitely work when sending from gmail (tested from my personal mail address moments ago).


  7. 12 hours ago, kolor said:

    Hi, I would ask about the Spamcop server. I receive this report every second day. I haven't reported spam in a long time.

    You say you haven’t reported spam in a long time, yet you receive those messages every 2nd day...

    Did you change jobs and left your reporting email saved at your last place? Someone who works there now might be reporting the spam to that address.

    11 hours ago, Lking said:

    Kolor, The way I read what you have quoted,

    it is not the spam/email that is causing the problem. It is the application you are using to forward the email that is causing the problem.

    Check your email application and see if you can change the format from "html" to "text"

    You may be able to look at the source of the email you sent to SpamCop using <ctrl>U. I believe you will see that the attachment is included within some html code, and have <p> </p> or <br> code inserted in the header.

    NOTE: I have edited your "quote" deleting the example header which reveals your email address, your secret/private spamcop submit address, etc.

    The email address that was in the original message might give a clue who received and submitted the spam. There might be a link with the reporting ID. It is possible as well, that the reporting entity is receiving the spam through a google account and SpamCop is choking on the 6to4 IPv6 address in the Received: line.


  8. It seems to me that superlative.com has a large IP address space (https://whois.arin.net/rest/net/NET-74-118-120-0-1/pft?s=74.118.120.0). That shows a /22 range with 1024 addresses (well, minus 2).

    They could be the spammer host (or not).

    There doesn't seem to be an upstream they are subletting from... at least I couldn't find one...

    This link (https://ipinfo.io/74.118.123.4) tells me a bit of a different story, but the data could be old...


  9. I see what you mean.

    The only way I can see it done involves some extra work manually, and I believe that is out of the question. It is for me anyway.

    In the message, click on the down arrow and select "view message source".

    Here's where the manual work starts:

    Copy headers and message source (in the same window) by selecting everything in the new text-box and paste it into an editor.

    The whole thing is one line, so you'll have to insert a CR or CR/NL after every header part. Then you'll be able to submit it to spamcop.

    Unless you have some programming experience and create an add-in for Outlook with Visual Studio...

    https://docs.microsoft.com/en-us/visualstudio/vsto/walkthrough-creating-your-first-vsto-add-in-for-outlook


  10. 13 hours ago, mojorisin said:

    That's why you'll continue to get their spam. I'd stop sending the abuse reports too if I were you. You're only wasting your time.

    see below ;)

    5 hours ago, petzl said:

    Your abuse reports seem to be working; Cloudflare have removed the link, 404'ed

    and that's why I like to use the clue by four through the abuse desks :) and Spamcop is a very helpful tool (if they eventually would get through their heads that they need to fix the IPv6 part where it pertains to 6to4 addresses...)


  11. I don't even go to those pages.

    3 main reasons:

    1. I don't care, it's spam.
    2. The links could contain viruses.
    3. The links are most likely coded so that the spammer knows that I received the spam, and by visiting it, he can prove to the spamvertised "client" that he should get paid for his efforts.

    And a last, but not least reason: I didn't sign up for it, why should I unsubscribe anyway.

    That's what the clue by four is for... if the provider's abuse desk gets flooded with abuse reports, eventually he'll get put in place.

    I believe that my email address ended up in his/their list due to one or more of the data breaches of late...

    IOW just another list where they can send their junk...

    I have also been getting lots of unsubscribe confirmation requests which I handle just like spam, as I

    1. didn't unsubscribe, and
    2. if I did, why should I confirm that I am unsubscribing...

    take another clue by four, spammer, I don't want your junk... abuse desk will hopefully clue you in :)


  12. Well, I believe I found my spammer(s)... probably the same scumbag unless they teamed up...

    List of domain names registered by Michael Wallace
    https://domainbigdata.com/nj/PMs8PeMWLXMFAfjPwmyV3g

    List of domain names registered by Frank Marsicano
    https://domainbigdata.com/nj/2NMIE802bt4WH2rc3SoTUA

    List of domain names registered by Chris Patterson
    https://domainbigdata.com/nj/rnPab-DpPIdNUYynMibFFw

    List of domain names registered by Richard Hawking
    https://domainbigdata.com/nj/GlBwSDCvDWjzlWpRAgo9Kg

    List of domain names registered by Anton Lassen
    https://domainbigdata.com/nj/vubKHIY--XkSbXo_sFyHPw

    some reports with the 58.14/16 range:

    https://www.spamcop.net/sc?id=z6471482675z858c71a05814a9763517674009c94768z
    https://www.spamcop.net/sc?id=z6471482674z9ab0a9c820151d7ac9ce9a041686d4c6z
    https://www.spamcop.net/sc?id=z6471482673zcd19939939e9d574cdb141b1b360f152z
    https://www.spamcop.net/sc?id=z6471482672z08f29a0817817fdf745140d9fa2031baz
    https://www.spamcop.net/sc?id=z6471482671z9f4ead4df33727978572d5e46ac87ad1z

    (and there are over 3000 more of these)

    and the new 27.146/16 spams:

    https://www.spamcop.net/sc?id=z6471634192z1d8fd5aece82eb5feb80e4b6b19f6eb3z
    https://www.spamcop.net/sc?id=z6471634194z7350adbd7dbeaedf80def1cb4631741dz
    https://www.spamcop.net/sc?id=z6471634195zf18a0c1292ecbd3adb3a2a03e64e3fb6z
    https://www.spamcop.net/sc?id=z6471634196zdc9be4ffc73a9c61325ef1a168149c9bz
    https://www.spamcop.net/sc?id=z6471634197z3f7ef41d7685eb94ae14eaf91f4ef100z

    This isn't a DoS attack, it is just a spammer at work hopping through ISPs that want to make a quick buck...


  13. Since mid-May I have been reporting spam originating from IP-range 58.14/16

    May 18, 2018 - June 29, 2018 total of 3359 spam messages from that IP range! That's over 76 per day...

    It looks like my reporting is working, as the spammer seems to be switching to 27.146/16 as I have already received 10 from there in the last 1.5 hour...

    Unfortunately, Cloudflare is still hosting their spamvertised websites... and doesn't seem to give "a barrier constructed to hold back water"


  14. I stand corrected... I tried the first URL (rli4agdrppbmldbtnmctdvkaorftbetr) and that one returned nothing, then I tried the last one (whitefide) with the same result...

    then I tried the obvious un-subscribe one where I assumed the others ending with TLD .pw would be like the first one, sorry.

    Then, I don't know why it would not parse them from the original...


  15. 12 minutes ago, euphorique said:

    https://www.spamcop.net/sc?id=z6471208157zab0c11469dbccb0312c128df5eac948ez

    The parser could not find a single link. Any reason for that?

    Hello Euphorique,

    The reason that SC doesn't find any links is that there are no links in the spam.

    Although the list of "websites" looks like links, it's just plain text.

    If you try to resolve one or more of them manually (by pasting the link in the parser field and pressing the [ Process spam ] button), you will see that they are fake anyway ;)

    Except for one, but I'll assume that it's an innocent site...


  16. 1 hour ago, albert2 said:

    Thanks Petzl,

    Seems you have pinpointed the problem to the second header line.

    Do you or someone else know what exactly is caused by this line and what this line tells?

    Again maybe Spamcop systems can be altered to remove or ignore this line automatically when present so users won't need to take care of it anymore for each mail.

    If this line is specific to mailboxes from gmail, maybe spamcop could contact google and ask for a solution.

    Albert

    The line tells that the message was received by the mail server at IPv6 address 2002:a9d:21b7:0:0:0:0:0 which is actually a 6to4 address translated from the IPv4 address 10.157.33.183.

    In short, the mail server at google that received the message before displaying it to you in your gmail account has the IP address 10.157.33.183.

    I received the following message from SpamCop:

    <quote>
    Gmail has broken their headers, not showing who received the mail and
    using IP addresses that do not resolve.

    Google has promised to fix the issue but have not provided an ETA of a
    fix.  We looked at programming around it but that option was rejected by
    our CERT board as it would have opened a security hole in our system.

    We can just sit and wait for Gmail.
    </quote>

  17. 40 minutes ago, halberstadt said:

    Thanks, petzl.  

    As I understand, we should edit the raw "headers plus text" before submitting, to delete its second line (similar to above example). I don't understand, however, "...ISP's need FULL headers as evidence so past deleted line in comments".

    Bill Halberstadt

    Yeah, that's right, they need the full headers, but the problem is within SpamCop, where the parsing of said Received: line causes havoc within the next (previous actually) Received: lines.

    The 2002:a02:b4d7:0:0:0:0:0 address is called a 6to4 address, but according to RFC-3056, section#2:

    [A] subscriber site has at least one valid, globally
    unique 32-bit IPv4 address, referred to in this document as V4ADDR.
    This address MUST be duly allocated to the site by an address
    registry (possibly via a service provider) and it MUST NOT be a
    private address [RFC 1918].

    And Google is inserting their private addresses into the IPv6 6to4 address. That would in fact be a violation of the aforementioned RFC-3056 as :a02:b4d7: translates to 10.2.180.215 which is definitely a private address according to RFC-1918, section#3.

    In theory, they should (if they want to use private IPv6 addresses) use, according to RFC-4193, section#3, addresses in the fc00::/7 or fd00::/8 address ranges. Unfortunately SpamCop has the same problem with the fd00::/8 addresses and does not identify those addresses as local private addresses like the 10/8, 172/12, and 192.168/16 address ranges.

    I have written a crude program that replaces the 6to4 addresses with the actual IPv4 counterpart and places the original IPv6 address in parentheses. The program works for me, but I have not tested it with a larger group of gmail users, and am reluctant to do so, as munging headers is mostly a "no-no" and could cause SpamCop to disable user accounts, although this type of munging is necessary for SpamCop to correctly identify the actual spammer (or the proxy they are using).

    Until SpamCop gets an update to correctly identify those IPv6 addresses as local/private addresses, the aforementioned removal or change of the address is necessary to get SpamCop to work correctly with gmail accounts.

    To add some workarounds:

    • remove the topmost Received: line with the address beginning with 2002:a
    • or change the address beginning with 2002:a to its IPv4 address using http://www.potaroo.net/cgi-bin/ipv6addr
    • or replace the address beginning with 2002:a with mx.google.com

    I have seen these three options in action before, and they work.

    HTH
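The 6to4 conversion and Received: rewrite described in this reply and in the reply to Goodnerd above, as an added Python example (not the poster's own program and not SpamCop code): it extracts the IPv4 address embedded in a 2002::/16 6to4 address, flags hops that are RFC 1918 or fc00::/7 unique-local (the fd00::/8 case mentioned above), and rewrites the Received: line into the "by <IPv4> (<6to4>)" form. It assumes the hop address is written as plain hex groups after "by" or "from", as in the quoted header; the sample line is constructed from the one quoted above.

```python
import ipaddress
import re
from typing import Optional

# 6to4 (RFC 3056): prefix 2002:V4ADDR::/48, with V4ADDR in bits 16..47.
SIXTOFOUR = ipaddress.ip_network("2002::/16")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ULA = ipaddress.ip_network("fc00::/7")   # RFC 4193 unique local addresses

# The hop address after "by" or "from" in a Received: header.
# Assumption: the 6to4 address is written as plain hex groups, as in the thread.
RECEIVED_RE = re.compile(
    r"^(Received:\s*(?:by|from)\s+)(2002:[0-9a-f:]+)(?=[\s;])", re.IGNORECASE)

def embedded_ipv4(addr: str) -> Optional[ipaddress.IPv4Address]:
    """IPv4 address embedded in a 6to4 address, or None if addr is not 6to4."""
    v6 = ipaddress.IPv6Address(addr)
    if v6 not in SIXTOFOUR:
        return None
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)

def is_internal_hop(addr: str) -> bool:
    """True when the hop is a private/internal address that must not be taken
    for the sending host: RFC 1918 IPv4, a 6to4 address wrapping an RFC 1918
    address (which RFC 3056 forbids), or a ULA (the fd00::/8 case)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        v4 = embedded_ipv4(addr)
        if v4 is None:
            return ip in ULA
        ip = v4
    return any(ip in net for net in RFC1918)

def rewrite_received(line: str) -> str:
    """Rewrite 'Received: by 2002:...' to 'by <IPv4> (2002:...)', the manual
    workaround from the thread. Lines without a 6to4 hop are returned as-is."""
    m = RECEIVED_RE.match(line)
    if not m:
        return line
    v4 = embedded_ipv4(m.group(2))
    if v4 is None:
        return line
    return f"{m.group(1)}{v4} ({m.group(2)}){line[m.end():]}"

def rewrite_headers(header_block: str) -> str:
    """Apply rewrite_received to every line of a header block."""
    return "\n".join(rewrite_received(ln) for ln in header_block.splitlines())

# Constructed sample modelled on the Received: line quoted above.
SAMPLE = ("Received: by 2002:aa7:d9c9:0:0:0:0:0 with SMTP id h22-v6csp6451088uaf; "
          "Tue, 24 Jul 2018 05:25:31 -0700 (PDT)")
```

rewrite_headers keeps every other line unchanged, so the rest of the evidence header stays intact; only the 6to4 hop gains its IPv4 counterpart in front.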

     


  18. https://www.spamcop.net/sc?action=showroute;ip=23.111.178.61 points to:

    Reports routes for 23.111.178.61:
    routeid: 71622013 23.104.0.0 - 23.111.255.255 to: abuse@nobistech.net
    Administrator found from whois records
    routeid: 71622026 23.104.0.0 - 23.111.255.255 to: abuse@nobistech.net
    Administrator interested in all reports

        12/3/2013, 4:25:50 PM -0600
        [Note added by 63.224.241.72 (63-224-241-72-boi-usr.qwest.net)]
        Per RIPE
        - Don -

    This is not correct anymore and should be changed (the above address bounces anyway).
    https://whois.arin.net/rest/net/NET-23-111-128-0-1/pft?s=23.111.178.61
    has two abuse addresses:
    abuse@noc4hosts.com and abuse@hivelocity.net

  19. 4 hours ago, RJVB said:

    Well, it shouldn't be. That's like plugging holes in the ceiling instead of getting the upstairs neighbour to repair the leak in his plumbing. As long as there are things to spamvertise the spam will keep coming.

    I understand the frustration, and I do have the same point of view, although I do admit that the reason of the lowest priority is that many spammers use legit links that will clog abuse mailboxes from these legit ISPs.

    As an example (although I haven't had one recently) spammers have added "terms of conduct" and similar links from 3rd party ISPs which SC will use to send reports to them.

    Also, random images found on the internet either akamaized or from other providers have been used as links before (although these IIRC have been since disabled by SC)
