efa

  1. I have to understand if there is something I can do to stop this flooding. The source is fixed, so it should be very simple to identify the responsible. Is there something I can do to add those source IPs to the blocklist? Is it useful to continue to post those spam in the Spamcop reporting form?
  2. As always with spam mail:
     - the spam was never requested by the receiver
     - following the removal link does not stop the spam bombing
     You say "Pay to forward the spam you receive to ..." because the paid SC service will send the complaint to the mail server source? Why do you say to preamble with "Criminal phishing and DDoS"?
  3. Apparently the first block is not listed in any BL: https://talosintelligence.com/reputation_center/lookup?search=91.192.40.0 This appears strange to me given the number of spam I'm receiving.
  4. I had only the reporting page at address: http://spamcop.net Anyway, clicking on "Site Map" I found the SpamCop blocking list. I just checked: the IP block is not listed in the Blocklist. Do you know what the spam criteria are for an IP to be listed in the SC blocklist? I thought that 20/spam report a day was good
  5. Hi, for some days I'm getting many (about 20/day) spams from two IP blocks:
     91.192.40.0 - 91.192.43.255 : abuse@mapp.com
     217.61.73.0 - 217.61.73.255 : abuse@airenetworks.es
     All the spam contains one link from this list:
     messaggispeciali.it, nuoveoccasioni.it, nuovepromo.it, offertesenzasorprese.it, offertesuperstellari.it, promoconsigli.it, promodalweb.it, promogiornaliere.it, promomigliori.it, promozionidelmese.it
     and all contain the following domains:
     adviceme.it, advicemenews.it, trkadviceme.com, responseconcepts.com
     All was reported on Spamcop ("Reports disabled for abuse@mapp.com" so not sent by Spamcop), but spam does not decrease. Here is an example of tracking URL: http://www.spamcop.net/sc?id=z6624412645zda5fff963c7ab47ff120e5a1c69bb9cbz
     Note: As always with spam mail:
     - the spam was never requested by the receiver
     - following the removal link does not stop the spam bombing
     How can I check if at least the source IP was added to the SC blocklist?
  6. In that case the parsing was correct, so apparently it happens only sometimes
  7. DKIM signature is about a standard feature these days, is the parsing engine still developed?
  8. The headers pasted in the form from the original email had the tabs:

     DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=viverelavela.com; s=turbo-smtp; x=1544178043; h=DomainKey-Signature: Received:Received:MIME-Version:From:Reply-To:To:Subject: Content-Type:Content-Transfer-Encoding:Date:Message-ID; bh=K3Oe1 kiUPrPyJIlOVf2MjQxxIABLTrz3/oGMMhm7Dfc=; b=Penr5h12pXZlZ4bS0rJDX OrHXneQnHej1GkJqeKVhBj3r8AbVL0mxtVpv6fOwwbwToAGLhYacs+g6HvgMYjRc uGom/zmkT7tSNevd591f5D5PVeq5Lfbvh8Qv0DDrf+xfYrEIu+P+o1rEcm/DXDBT RQYbAiMvI/1SuVBiadzNpcDomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=turbo-smtp; d=viverelavela.com; h=Received:Received:X-TurboSMTP-Tracking:Return-Path:MIME-Version:From:Reply-To:To:Subject:Content-Type:Content-Transfer-Encoding:X-Mailer:Date:Message-ID:X-Antivirus:X-Antivirus-Status; b=KifANc9UKLW0O/8DvzmNyDM6DvkeULFid29JFOKgYTy8t2lqlXj1GEYT+aHas/ cxKYfLb5ivaT79daL/G1xNF0R4mAqd6rbvjGBovTGNBgQ/K5J376fWADQTGIn+nO 5dfgqbTLvT4WnvVnyVCXSKiqaO+0RPkMbacIUq2gfkyRE=;

     but the headers shown by Spamcop after the parse were changed to:

     DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=viverelavela.com; s=turbo-smtp; x=1544178043; h=DomainKey-Signature: Received:Received:MIME-Version:From:Reply-To:To:Subject: Content-Type:Content-Transfer-Encoding:Date:Message-ID; bh=K3Oe1 kiUPrPyJIlOVf2MjQxxIABLTrz3/oGMMhm7Dfc=; b=Penr5h12pXZlZ4bS0rJDX OrHXneQnHej1GkJqeKVhBj3r8AbVL0mxtVpv6fOwwbwToAGLhYacs+g6HvgMYjRc uGom/zmkT7tSNevd591f5D5PVeq5Lfbvh8Qv0DDrf+xfYrEIu+P+o1rEcm/DXDBT RQYbAiMvI/1SuVBiadzNpcDomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=turbo-smtp; d=viverelavela.com; h=Received:Received:X-TurboSMTP-Tracking:Return-Path:MIME-Version:From:Reply-To:To:Subject:Content-Type:Content-Transfer-Encoding:X-Mailer:Date:Message-ID:X-Antivirus:X-Antivirus-Status; b=KifANc9UKLW0O/8DvzmNyDM6DvkeULFid29JFOKgYTy8t2lqlXj1GEYT+aHas/ cxKYfLb5ivaT79daL/G1xNF0R4mAqd6rbvjGBovTGNBgQ/K5J376fWADQTGIn+nO 5dfgqbTLvT4WnvVnyVCXSKiqaO+0RPkMbacIUq2gfkyRE=;
  9. Yes, the parser confuses the DKIM signature as a header line like: Content-Type:Content-Transfer-Encoding so the parsing of the body fails. If you remove the DKIM signature in the header, the parse of the body ends correctly. This is probably a spammer technique to circumvent Spamcop as I'm receiving many spam where body links are skipped like this one. Spamcop please update the header parsing engine to support DKIM signature.
  10. Hi, it seems that the parsing engine fails with "DKIM-Signature", as it identifies the included "Content-Type" as a standalone header line, and so shows "no links found", see: https://www.spamcop.net/sc?id=z6503794799z62a7c6dcdb6ad9bf5c789fc564f35cb9z Maybe spammers are adding fake DKIM-Signature to avoid Spamcop reporting of their links, Spamcop should skip this header line
  11. efa

    source IP is wrong

    We have an alias hosted on Aruba servers that is <direttivo pvi.it>. This alias redirects to some real emails, one of them is: <attilio.bongiovanni gmail.com> from where the headers come from. So spam comes from an unknown IP, goes to <direttivo pvi.it> hosted on Aruba servers, then is redirected to the Google account. The question is: what is the real source IP of the spam?
  12. efa

    source IP is wrong

    I'm quite sure that 62.149.158.115/Aruba is not the mail source IP, as Aruba is the host of destination mail with @pvi.it domain
  13. Hi, I received this scam/fraud spam: https://www.spamcop.net/sc?id=z6489923983z26622d4c582ecd9c34c736063540b444z It seems the parse header engine identified the source IP as: IPv6: 2002:aed:24f5:0:0:0:0:0 that is a 6to4 range and embeds the IPv4: 10.237.36.245 that is a private LAN address, so cannot be the source IP. What is the real source IP, and its responsible admin?
  14. I wrote to GoDaddy registrar asking to be removed from their customer mail list. Apart from the fact that they require a complicated method for spam complaint with a form https://supportcenter.godaddy.com/AbuseReport and a CAPTCHA that often refuses valid replies, I got a month of peace without their junk, then the story restarted. Mailchimp is part of the junk business and GoDaddy has to gain from the situation, so they are responsible accomplices. As Knujon showed, ICANN is responsible too.
  15. efa

    KnujOn shutting down

    what they have not written clearly is the reason why they close. The service worked well, and those responsible change over time, so it would be necessary to keep the bad guys list up-to-date
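
The failure described in the DKIM-Signature posts above (a folded h= list whose continuation line begins with "Content-Type:" being read as a header of its own once the leading tab is lost) can be reproduced with the sketch below. It is an added example, not SpamCop's parser and not code from the posts; the sample message, example.com, the selector and the placeholder signature values are constructed.

```python
import re

# Constructed sample modelled on the headers quoted in the posts; domain and
# signature values are placeholders. Continuation lines start with a tab.
RAW = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
    "\ts=sel; h=DomainKey-Signature:Received:MIME-Version:From:To:Subject:\r\n"
    "\tContent-Type:Content-Transfer-Encoding:Date:Message-ID;\r\n"
    "\tbh=PLACEHOLDER=; b=PLACEHOLDER\r\n"
    "From: sender@example.com\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
)

def header_lines(raw):
    return raw.partition("\r\n\r\n")[0].split("\r\n")

def parse_naive(raw):
    """Failure mode: leading whitespace is dropped, so every line looks like a field."""
    fields = []
    for line in header_lines(raw):
        name, sep, value = line.strip().partition(":")
        if sep:
            fields.append((name, value.strip()))
    return fields

def parse_unfolded(raw):
    """RFC 5322 unfolding: a line starting with SP or HTAB continues the previous field."""
    fields = []
    for line in header_lines(raw):
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, sep, value = line.partition(":")
            if sep:
                fields.append((name, value.strip()))
    return fields

def first(fields, name):
    return next((v for n, v in fields if n.lower() == name.lower()), None)

def dkim_tags(value):
    """Split a DKIM-Signature value into tag=value pairs, whitespace removed."""
    pairs = (p.partition("=") for p in value.split(";") if "=" in p)
    return {k.strip(): re.sub(r"\s+", "", v) for k, _, v in pairs}

if __name__ == "__main__":
    print(first(parse_naive(RAW), "Content-Type"), "|", first(parse_unfolded(RAW), "Content-Type"))
```

With unfolding, the message has three header fields and the real Content-Type is found; without it, the first "Content-Type" seen is a fragment of the signed-header list.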