Snowbat

For the last couple of weeks, SpamCop has not been correctly parsing spam from my Hotmail account. Any idea what's going on here? Two days ago, I deleted and reran mailhosts for this service but the problem persists. https://www.spamcop.net/sc?id=z6378762559z9e42c80ad962a6642989b272eaee79eaz https://www.spamcop.net/sc?id=z6378762599z963fee002594ef1c3daff0952e466158z https://www.spamcop.net/sc?id=z6378762629z8baabe40e498cbe86c2260097091518bz https://www.spamcop.net/sc?id=z6378762639ze0cd6e76c908a12c1c8ca5553f342b84z https://www.spamcop.net/sc?id=z6378762644z410c37853971273a9de5f9f27ce6f8e3z https://www.spamcop.net/sc?id=z6378762902z2657a78dda3fef60e268f0981100b651z https://www.spamcop.net/sc?id=z6378762909z6c9d303ab453ac2154f15c00a5679f5az https://www.spamcop.net/sc?id=z6378762912z9d3975fe9be4f7d1c6aae30513c8722fz https://www.spamcop.net/sc?id=z6378762954zc9ad3fff16b35c0f4944d00e3fb863eez https://www.spamcop.net/sc?id=z6378763074z9b67a7250f57077a54fbe03e9fcd595az https://www.spamcop.net/sc?id=z6378763254zb4b48a0dd4f105809f20ede6ecdbf006z https://www.spamcop.net/sc?id=z6378763258z72c3b5dd2ea8860af33f5d3c0257f0c6z https://www.spamcop.net/sc?id=z6378763636z034beb54ac57c50dbf09508daa7ff4c5z https://www.spamcop.net/sc?id=z6378763925z449957c88a851d16252cee9de803b257z https://www.spamcop.net/sc?id=z6378951357z10d1d3e42ae81a1447647881d0d9e017z https://www.spamcop.net/sc?id=z6378951360zf352675756ac2d94503af4b8d321969bz https://www.spamcop.net/sc?id=z6378951467zb021e76dd1332491d92b8e3cd39f1cf9z https://www.spamcop.net/sc?id=z6378954042zfecb1df612b2cbecfb69cb4a2e92c512z https://www.spamcop.net/sc?id=z6378954113zdae910ce6dc7784fedef7b308453eb08z https://www.spamcop.net/sc?id=z6378954169z48b59cbf560c5792d41fbb8e0f1c9410z https://www.spamcop.net/sc?id=z6378954182zdb6fafd7f501cd173eb7dbcd62f506fez https://www.spamcop.net/sc?id=z6378955431ze937e7b255a9db4c853c1f339c5663d6z https://www.spamcop.net/sc?id=z6378955479zfb1ffb94829210c5e66876da6110d418z https://www.spamcop.net/sc?id=z6378955491z6bdb65fab486e93e5de4a0fed6b35bb0z https://www.spamcop.net/sc?id=z6378955496z10f110021ce8ffc0e5c9f30a198bebd8z https://www.spamcop.net/sc?id=z6378956202z2151ed96656ef09afbfbda82b5ba09c1z https://www.spamcop.net/sc?id=z6378956209z74e287b105ff93ad043b1e0fd1f06b4dz https://www.spamcop.net/sc?id=z6378956212zea7c1ea8733cbd45235f93381821b57fz https://www.spamcop.net/sc?id=z6379246945z4d4fa92acc977540ebed5abd01c2f5a9z https://www.spamcop.net/sc?id=z6379246996z00c07466cdb9fd55076080a68ac83ac9z https://www.spamcop.net/sc?id=z6379247042zd4cb115a1c92f198d367fc41348c12c3z https://www.spamcop.net/sc?id=z6379247072zd64fb2dbb49c22a46d0154e02375d0bbz

Relevant: http://krebsonsecurity.com/2015/10/ibm-runs-worlds-worst-spam-hosting-isp/ Reports appear to be going directly to the spammers, not abuse[at]softlayer.com: https://www.spamcop.net/sc?id=z6191170532z028df85cc9922827b02277fed9187609z https://www.spamcop.net/sc?id=z6191170495z5839032c3aaa7681f719ce5870ba5c02z For some reason, SpamCop trusts the contents of the abuse-mailbox field while ignoring RIPE's % Abuse contact for $NETBLOCK is 'abuse[at]softlayer.com' at the top of the whois output.

eg. https://www.spamcop.net/sc?track=189.212.118.239 Assignee uses a gmail address for contact. SpamCop tries to report to Gmail abuse. Reports should go to axtelipmaster[at]gmail.com

Why are reports to Amazon being devnulled? ___ Re: 54.232.123.91 (Administrator of network where email originates) To: email-abuse#amazon.com.[at]devnull.spamcop.net (Notes) To: ec2-abuse[at]amazon.com (refuses to accept this type of report) To: ec2-abuse#amazon.com[at]devnull.spamcop.net (Notes) ___ Re: http://ge.tt/api/1/files/8FO0iO92/0/blob?download (Administrator of network hosting website referenced in spam) To: ec2-abuse[at]amazon.com (refuses to accept this type of report) To: email-abuse#amazon.com.[at]devnull.spamcop.net (Notes) To: ec2-abuse#amazon.com[at]devnull.spamcop.net (Notes) ___ Re: http://cl.ly/ZTua/download/NFE-7386.zip (Administrator of network hosting website referenced in spam) To: ec2-abuse[at]amazon.com (refuses to accept this type of report) To: email-abuse#amazon.com.[at]devnull.spamcop.net (Notes) To: ec2-abuse#amazon.com[at]devnull.spamcop.net (Notes)

http://www.spamcop.net/sc?id=z5469553896z6...a9d372c3147164z The header timestamps look normal to me. Parser bug?

APNIC whois: % Information related to '36.56.0.0 - 36.63.255.255' inetnum: 36.56.0.0 - 36.63.255.255 netname: CHINANET-AH descr: CHINANET Anhui province network descr: Data Communication Division descr: China Telecom country: CN admin-c: JW89-AP tech-c: JW89-AP status: ALLOCATED PORTABLE notify: nmc[at]mail.hf.ah.cn remarks: service provider mnt-by: APNIC-HM mnt-lower: MAINT-CHINANET-AH mnt-routes: MAINT-CHINANET-AH mnt-irt: IRT-CHINANET-CN changed: hm-changed[at]apnic.net 20110120 source: APNIC irt: IRT-CHINANET-CN address: No.31 ,jingrong street,beijing address: 100032 e-mail: anti-spam[at]ns.chinanet.cn.net abuse-mailbox: anti-spam[at]ns.chinanet.cn.net admin-c: CH93-AP tech-c: CH93-AP auth: # Filtered mnt-by: MAINT-CHINANET changed: anti-spam[at]ns.chinanet.cn.net 20101115 source: APNIC person: Jinneng Wang address: 17/F, Postal Building No.120 Changjiang address: Middle Road, Hefei, Anhui, China country: CN phone: +86-551-2659073 fax-no: +86-551-2659287 e-mail: ahdata[at]189.cn nic-hdl: JW89-AP mnt-by: MAINT-CHINANET-AH changed: wang[at]mail.hf.ah.cninfo.net 19990818 changed: hm-changed[at]apnic.net 20140221 source: APNIC SpamCop current: [refresh/show] Cached whois for 36.57.69.228 : wang[at]mail.hf.ah.cninfo.net Using last resort contacts wang[at]mail.hf.ah.cninfo.net wang[at]mail.hf.ah.cninfo.net bounces (360 sent : 186 bounces) Using wang#mail.hf.ah.cninfo.net[at]devnull.spamcop.net for statistical tracking.

RIPE Whois: Abuse contact for '94.100.162.0 - 94.100.162.63' is 'noc[at]alionis.net' SpamCop current: [refresh/show] Cached whois for 94.100.162.23 : pveron[at]cyberbrain.net Using last resort contacts pveron[at]cyberbrain.net pveron[at]cyberbrain.net bounces (7 sent : 6 bounces)

SpamCop: [refresh/show] Cached whois for 114.98.75.238 : wang[at]mail.hf.ah.cninfo.net Using last resort contacts wang[at]mail.hf.ah.cninfo.net wang[at]mail.hf.ah.cninfo.net bounces (360 sent : 186 bounces) Using wang#mail.hf.ah.cninfo.net[at]devnull.spamcop.net for statistical tracking > whois 114.98.75.238 % [whois.apnic.net] % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html % Information related to '114.96.0.0 - 114.103.255.255' inetnum: 114.96.0.0 - 114.103.255.255 netname: CHINANET-AH descr: CHINANET Anhui PROVINCE NETWORK descr: China Telecom descr: No.31,jingrong street descr: Beijing 100032 admin-c: JW89-AP tech-c: JW89-AP country: CN remarks: service provider status: ALLOCATED PORTABLE remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+ remarks: This object can only be updated by APNIC hostmasters. remarks: To update this object, please contact APNIC remarks: hostmasters and include your organisation's account remarks: name in the subject line. remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+ changed: hm-changed[at]apnic.net 20080516 mnt-by: APNIC-HM mnt-lower: MAINT-CHINANET-AH mnt-routes: MAINT-CHINANET-AH source: APNIC person: Jinneng Wang address: 17/F, Postal Building No.120 Changjiang address: Middle Road, Hefei, Anhui, China country: CN phone: +86-551-2659073 fax-no: +86-551-2659287 e-mail: ahdata[at]189.cn nic-hdl: JW89-AP mnt-by: MAINT-CHINANET-AH changed: wang[at]mail.hf.ah.cninfo.net 19990818 changed: hm-changed[at]apnic.net 20140221 source: APNIC

RIPE Whois: % Abuse contact for '62.22.99.0 - 62.22.99.255' is 'abuse[at]es.verizon.com' Using abuse#es.uu.net[at]devnull.spamcop.net for statistical tracking.

Here is another: http://www.spamcop.net/sc?action=refreshcm...0whois.ripe.net Cache refresh disabled to avoid rate-limiting of whois servers [refresh cache] $ whois 93.83.16.70[at]whois.ripe.net [whois.ripe.net] % This is the RIPE Database query service. % The objects are in RPSL format. % % The RIPE Database is subject to Terms and Conditions. % See http://www.ripe.net/db/support/db-terms-conditions.pdf %ERROR:201: access denied for 184.94.240.95 % % Sorry, access from your host has been permanently % denied because of a repeated excessive querying. % For more information, see % http://www.ripe.net/data-tools/db/faq/faq-db/why-did-you-receive-the-error-201-access-denied % This query was served by the RIPE Database Query Service version 1.75 (DB-2)

Abuse contact for '85.10.239.32 - 85.10.239.63' is 'abuse[at]hetzner.de' SpamCop currently sending to legal#hospedagemgenial.com.br[at]devnull.spamcop.net (hardwired). Routing details for 85.10.239.42 legal[at]hospedagemgenial.com.br bounces (8 sent : 6 bounces) Using legal#hospedagemgenial.com.br[at]devnull.spamcop.net for statistical tracking.

Nic.br: inetnum: 186.233.144/21 aut-num: AS262790 abuse-c: CSL287 <<<< ... nic-hdl-br: CSL287 person: Central Server Inform�tica Ltda e-mail: registro[at]centralserver.com.br created: 20020130 changed: 20140414

Abuse contact for '194.165.26.0 - 194.165.27.255' is 'tiger.net.abuse[at]gmail.com' Routing details for 194.165.27.150 [refresh/show] Cached whois for 194.165.27.150 : tiger.net.resources[at]gmail.com Using abuse net on tiger.net.resources[at]gmail.com abuse net gmail.com = gmail-abuse[at]google.com Using best contacts gmail-abuse[at]google.com Reports disabled for gmail-abuse[at]google.com Using gmail-abuse#google.com[at]devnull.spamcop.net for statistical tracking.

Limestonenetworks.com has been devnulled for the last few weeks. What was the reason for this? Any clues? Tracking message source: 69.162.99.184: Routing details for 69.162.99.184 [refresh/show] Cached whois for 69.162.99.184 : abuse[at]limestonenetworks.com Using abuse net on abuse[at]limestonenetworks.com abuse net limestonenetworks.com = abuse[at]limestonenetworks.com Using best contacts abuse[at]limestonenetworks.com Reports disabled for abuse[at]limestonenetworks.com Using abuse#limestonenetworks.com[at]devnull.spamcop.net for statistical tracking.

Tracking message source: 200.186.136.163: Routing details for 200.186.136.163 abuse[at]gblx.net bounces (99 sent : 99 bounces) Using abuse#gblx.net[at]devnull.spamcop.net for statistical tracking. Reports disabled for abuse[at]impsat.com.br Using abuse#impsat.com.br[at]devnull.spamcop.net for statistical tracking. Report routing for 200.186.136.163: mail-abuse[at]cert.br, abuse#gblx.net[at]devnull.spamcop.net, abuse#impsat.com.br[at]devnull.spamcop.net Message is 18 hours old Routing details for 200.186.136.163 mail-abuse[at]cert.br has expressed an interest in 200.186.136.163 200.186.136.163 not listed in cbl.abuseat.org 200.186.136.163 listed in dnsbl.sorbs.net ( 1 ) 200.186.136.163 not listed in accredit.habeas.com 200.186.136.163 not listed in plus.bondedsender.org 200.186.136.163 not listed in iadb.isipp.com whois -h whois.nic.br 200.186.136.163 abuse-c field indicates the current reporting address for 200.186/16 is abuse[at]level3.com. There is a manual route addition above from 2007 to add mail-abuse[at]cert.br - perhaps this is preventing a cache refresh? whois -h whois.nic.br 200.186.136.163 inetnum: 200.186/16 aut-num: AS11415 abuse-c: LEACO68 owner: GLOBAL CROSSING COMUNICA��ES DO BRASIL LTDA. ... nic-hdl-br: LEACO68 person: Level 3 Abuse Contact e-mail: abuse[at]level3.com created: 20120326 changed: 20120327

I think it is just your luck. In my mailboxes the big problem is ovh.net (typically both the message source and hosting the spamvertised site) and it seems they won't do anything unless Spamhaus is involved.

abuse[at]uk2group.com is working - I got a reply. Can the bounce counter be reset or was this marked bouncing "by administrative decision"?

http://www.spamcop.net/sc?id=z5498357529z6...75524e5f2de1eaz

More "This email contains no date" samples: http://www.spamcop.net/sc?id=z5491238222z0...e36fa3c640ea39z http://www.spamcop.net/sc?id=z5491238372z2...2ce3fca4a884fez

On a related note: http://www.spamcop.net/sc?id=z5484448620z2...7979b567171946z This one looks like it has been sitting in the outgoing mail queue at [222.252.202.104] for 11 years (!) until yesterday but is in fact part of a recent spam run (identical subject, link, and "zoo movies 2012" in the body).

Another one: http://www.spamcop.net/sc?id=z5484387070z9...f2a4e91661f039z RFC1122 "Be liberal in what you accept, and conservative in what you send" Exim and Postfix handle these messages without issue. If you can point out how accepting these messages for delivery is not RFC-compliant, I'll be happy to submit bug reports against Exim and Postfix. Otherwise, it's SpamCop who should be encouraged to look at their handling of these messages.

Two samples that generate the error "This header is incomplete. Please supply the full headers of the spam you're trying to report. No source IP address found, cannot proceed.": http://www.spamcop.net/sc?id=z5480893055z2...be75da4113b621z http://www.spamcop.net/sc?id=z5480091811zd...a9a725a8c33e5fz

Another one: http://www.spamcop.net/sc?id=z5480868139z9...a9dc9341a394e3z

Hotmail is already on my Mailhosts. I don't think I've seen this particular error before. I have not seen it since.

I'm in the same boat as dolorite. When I started reporting today (after a break of about two days), I got Sorry, your account has been disabled. Sorry, your account has been disabled. Please check your email for an explanation or contact SpamCop service. There was no email from SpamCop. I've just checked again (to verify my email address is working) and now there *is* an email from SpamCop (it was sent in the last 20 minutes): I have not submitted more spams than normal.