Everything posted by gnarlymarley

  1. gnarlymarley

    ripe whois -B

    RIPE whois now requires a "-B" to be able to get actual abuse email addresses from it.

        $ whois 91.219.88.121@whois.ripe.net
        [whois.ripe.net]
        % This is the RIPE Database query service.
        % The objects are in RPSL format.
        %
        % The RIPE Database is subject to Terms and Conditions.
        % See http://www.ripe.net/db/support/db-terms-conditions.pdf
        % Note: this output has been filtered.
        % To receive output for a database update, use the "-B" flag.
        % Information related to '91.219.88.0 - 91.219.91.255'
        % Abuse contact for '91.219.88.0 - 91.219.91.255' is 'a.kazakov@ktstelecom.ru'

    If for any reason the local RIPE whois cache is bypassed, it would be good to see this option added as a possibility so we can have SpamCop automatically capture the proper abuse addresses.

        [me@ ~]$ whois -h whois.ripe.net -- 'MP18628-RIPE'
        % This is the RIPE Database query service.
        % The objects are in RPSL format.
        %
        % The RIPE Database is subject to Terms and Conditions.
        % See http://www.ripe.net/db/support/db-terms-conditions.pdf
        % Note: this output has been filtered.
        % To receive output for a database update, use the "-B" flag.
        % Information related to 'MP18628-RIPE'
        person: Michail Pudikov
        address: 20 Partsyezda str. 11b
        address: Tashtagol, Russia
        phone: +7 3842 396006
        nic-hdl: MP18628-RIPE
        created: 2010-09-20T09:37:31Z
        last-modified: 2016-02-25T13:06:00Z
        source: RIPE # Filtered
        mnt-by: KUZB-MNT
        % This query was served by the RIPE Database Query Service version 1.94 (WAGYU)

        [me@ ~]$ whois -h whois.ripe.net -- '-B MP18628-RIPE'
        % This is the RIPE Database query service.
        % The objects are in RPSL format.
        %
        % The RIPE Database is subject to Terms and Conditions.
        % See http://www.ripe.net/db/support/db-terms-conditions.pdf
        % Information related to 'MP18628-RIPE'
        person: Michail Pudikov
        address: 20 Partsyezda str. 11b
        address: Tashtagol, Russia
        phone: +7 3842 396006
        nic-hdl: MP18628-RIPE
        created: 2010-09-20T09:37:31Z
        last-modified: 2016-02-25T13:06:00Z
        source: RIPE
        mnt-by: KUZB-MNT
        e-mail: noc@kts42.ru
        notify: noc@kts42.ru
        % This query was served by the RIPE Database Query Service version 1.94 (WAGYU)
        [me@ ~]$
  2. Ah, I thought you meant the IP range. I did send a note to the SCA about the possibility of implementing this in Feb, when I also had them fix both a RIPE IP range and an APNIC IP range. They thought it was a good idea. I figure I would post it here for the rest to see just in case there was anything else I missed. If I understood the SCA correctly at the time, this was thought to be in the works for the 5.0 upgrade. I should also admit that I have never seen any typos from the manually fixed entries. One note, if this is implemented, I am not sure how far one would follow the referrers. I know IPv6 on Hurricane Electric goes down to data put in when a tunnel was created. (AKA, by someone setting up a free account at the time.)
  3. At this time I am unable to find my RIPE IP (because the link is past 90 days), but it used to be accessible from https://www.spamcop.net/sc?id=z6524466667z591f1e62a326f6b7f0346018215c0821z. If you have restore capabilities, you can find it. I noticed this down on Feb 24th, so it would be that day or before. If I can locate the IP again, I can post it. (I figure I can post it now and keep searching through all my spam to see if I can find it.) I am starting to think this is all of them and previously the SCA has been manually putting in the forward from ARIN to APNIC or RIPE or LACNIC, or AFRINIC. The whois program I was referring to is the one run by the whois command on freebsd, but it also works on linux the same way. That program detects the referrer and does a whois lookup at the referred server. We are, but in this day and age with IPv4 runout, the registrars are dividing and passing small IP blocks back and forth and I imagine the intensity of those transfers will increase. If this could be automated, it could alleviate the addition of human error (since most of us are getting it from the whois anyway) and also expedite the process of getting updated information. All
  4. Sorry about that. Using a Code takes out the links. Both sections I posted are from the same whois output. (One is from above and the second from further down.) If you look at [refresh/show], you can see that it has the ReferralServer entry in the Display data area, but the whois chain stops at the ARIN output without appearing to try to query APNIC. I would expect SpamCop to follow the ReferralServer between registries like my whois program does, or when it forwards to LACNIC (Such as on [refresh/show] for 177.38.191.21). (I have another example of it not following from 158.140.160.0 below since the original IP has a manually entered entry on it Routing details for 150.107.103.51.) The feature I would like added is to have it automatically follow the referral without any manual intervention.

        ..........................
        Parsing input: 150.107.103.51
        Routing details for 150.107.103.51
        [refresh/show] Cached whois for 158.140.160.0 : search-apnic-not-arin@apnic.net
        I refuse to bother search-apnic-not-arin@apnic.net.
        Using search-apnic-not-arin#apnic.net@devnull.spamcop.net for statistical tracking.
        Using last resort contacts search-apnic-not-arin#apnic.net@devnull.spamcop.net
        ..........................
        Tracking details
        Display data:
        "whois 150.107.103.51@whois.arin.net" (Getting contact from whois.arin.net )
        Found AbuseEmail in whois search-apnic-not-arin@apnic.net
        150.0.0.0 - 150.255.255.255:search-apnic-not-arin@apnic.net
        Routing details for 150.107.103.51
        I refuse to bother search-apnic-not-arin@apnic.net.
        Using search-apnic-not-arin#apnic.net@devnull.spamcop.net for statistical tracking.
        Using last resort contacts search-apnic-not-arin#apnic.net@devnull.spamcop.net
        ..........................
        Parsing input: 158.140.160.0
        Routing details for 158.140.160.0
        [refresh/show] Cached whois for 158.140.160.0 : search-apnic-not-arin@apnic.net
        I refuse to bother search-apnic-not-arin@apnic.net.
        Using search-apnic-not-arin#apnic.net@devnull.spamcop.net for statistical tracking.
        Using last resort contacts search-apnic-not-arin#apnic.net@devnull.spamcop.net
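
The referral-following behaviour requested in the posts above, sketched as an added example (not SpamCop's code and not part of the original posts). The function names, the hop limit and the APNIC sample response are assumptions constructed for illustration; the "-B" handling for whois.ripe.net is the flag shown in the first post.

```python
import re
import socket

# ARIN marks a hand-off to another registry with a "ReferralServer:" line.
REFERRAL_RE = re.compile(r"^ReferralServer:\s*r?whois://([^\s:/]+)", re.M | re.I)

# Constructed sample responses, keyed by server, for running offline.
CONSTRUCTED = {
    "whois.arin.net": "NetRange: 150.0.0.0 - 150.255.255.255\n"
                      "OrgAbuseEmail: search-apnic-not-arin@apnic.net\n"
                      "ReferralServer: whois://whois.apnic.net\n",
    "whois.apnic.net": "inetnum: 150.107.103.0 - 150.107.103.255\n"
                       "abuse-mailbox: abuse@example.test\n",
}

def build_query(server: str, target: str) -> str:
    """RIPE filters contact e-mail addresses unless "-B" is passed."""
    return f"-B {target}" if server == "whois.ripe.net" else target

def fetch(server: str, query: str, port: int = 43, timeout: int = 10) -> str:
    """Plain whois exchange: send the query line, read until the server closes."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(query.encode() + b"\r\n")
        chunks = []
        while data := s.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")

def follow(target, start="whois.arin.net", fetcher=fetch, max_hops=3):
    """Return [(server, response)], following ReferralServer lines.

    Stops at max_hops or when a server repeats, so a referral loop or a
    long delegation chain cannot keep the lookup running.
    """
    chain, server, seen = [], start, set()
    while server and server not in seen and len(chain) < max_hops:
        seen.add(server)
        text = fetcher(server, build_query(server, target))
        chain.append((server, text))
        m = REFERRAL_RE.search(text)
        server = m.group(1).lower() if m else None
    return chain

if __name__ == "__main__":
    offline = lambda server, query: CONSTRUCTED[server]
    for server, text in follow("150.107.103.51", fetcher=offline):
        print(server, "->", text.splitlines()[-1])
```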
  5. gnarlymarley

    What do do with Amazon hosted spammers

    This also does pose a question since many of the updates (such as the IP 150.107.103.51 shows) are manually entered from whois. I believe they should be automatically picked up from the whois system. If the programmers could fix whois, I do not believe it will fully eliminate manual entries. However, that would greatly reduce the number of manual entries.
  6. gnarlymarley

    What do do with Amazon hosted spammers

    MIG, Yeah, that does need to be updated. I have seen occasional updates there, which could be Richard doing the updates. I would probably suggest more than one person who can do those updates.
  7. gnarlymarley

    How i delist my domain?

    Wilma, I have also seen routers that had been hacked. You might always want to check your routers and IoT devices such as IP cameras. Anything that is sharing that same IP could have been used to send the unwanted email.
  8. gnarlymarley

    What do do with Amazon hosted spammers

    This is unfortunate. Don, you will also be remembered.
  9. gnarlymarley

    What do do with Amazon hosted spammers

    I am just trying to understand. So if I understand correctly, you are offering to update the current tables that Don D'Minion (I haven't seen him for a while) used to update such as can be seen at https://www.spamcop.net/sc?action=showroute;ip=150.107.103.51;typecodes=16?
  10. gnarlymarley

    What do do with Amazon hosted spammers

    Lisati/MIG, Though I would like this access, I would prefer not to give spammers more access than they really need. While it would be nice to be able to correct addresses in our own table, it is not a good idea to open it up to people that are using the forums to put in their spam, or even to paste in bad abuse addresses. Forum spam posted in the R&RA is why I like the deputies to act as a double check on what shows up there.
  11. gnarlymarley

    Report Ends With "Parsing Header:"

    I believe it is because of that dot. At least mine was. Now that is weird. My suspicion is that maybe with mailhosts turned on, it fails at the dot and with mailhosts turned off it works?
  12. gnarlymarley

    What do do with Amazon hosted spammers

    The sad part is many folks are not willing to part with their perks in order to block the spams. Probably not very many businesses would change either. I did notice spamcop has been sending reports to the ipmanagment address.
  13. gnarlymarley

    How i delist my domain?

    unidress, Also, one quick note: you might want to make sure your routers are also secure. I have seen email that actually came from a hacked router to my email account.
  14. gnarlymarley

    Mail Rejected/Blacklisted

    nitesh, Please note that anyone can put into their email servers anything they want on the blocking message, such as can be seen from https://www.spamcop.net/fom-serve/cache/293.html's configuration suggestions. What usually happens is folks change the dns, but don't change the message to go with it. This can lead to erroneous messages about spamcop or something else blocking a message, but in reality it is the local email provider that did something. The email administrator may have made a mistake on the receiving email server's configuration file. What will probably need to happen is your friend might need to call the local support to figure out why it says spamcop has blocked the email, when it is not listed in the spamcop blacklist.
  15. gnarlymarley

    Message blocked but IP is not on blacklist

    Looks like mimecast may have set up their own blacklist. dennis562, When I first looked at adding a blacklist to my MTA about twenty years ago, I had to key in the deny message into the mailer configuration file. As you can see from this link (https://www.spamcop.net/fom-serve/cache/294.html), anyone can put anything they want into that message. This is what petzl means about a fake bounce.
  16. gnarlymarley

    What do do with Amazon hosted spammers

    There are a few options you have left when the administrator is useless if you really want to stop the spam.

      • Keep reporting for two or three years and the spammer will give up.
      • Block the whole IP range. (This could be a problem as the emails from this forum appear to come from amazon, so this could block legitimate email.)
      • Implement SPF checks on the MTA and hope that blocks it. (Only works if you have the ability to control the MTA.)
      • Use greylisting to make sure that only servers can connect and send you email. (Again, only works if you can change the MTA behavior.)

    The reason most businesses offer the free accounts is it falls under the idea of advertising. If someone cannot check out the service, then they are less likely to use it. Kind of a problem as it pulls in the jerks, but also pulls in paid accounts as well......
  17. jimmywalter, See post from MIG above.
  18. gnarlymarley

    No reporting -> Less spam

    They do that by mapping some sort of combination of the from, links in the body, special keywords in the subject, and who they sent the message to. I think the from of the report is the report id, so each report should be different. How I think they track it is they see which spam gets reported and then assume only people who those were sent to are reporting it. When I saw the "to" I noticed they kept changing it until they could narrow it down. Now I think they do this in BCC mode. Yeah, that would be really annoying. Or when the mailing list stops sending you emails in 2003, you stay subscribed, and they start sending again in 2018..... How I know the legitimate email blocking is happening is two points. I have my own email server that sends me a nightly report. When it sent out two reports (after a few years of sending them), I noticed I didn't get them at my gmail account and research on that MTA said gmail thought it was spam. The other point is when I would forward spamcop emails, the reply was rejected on three separate occasions. I had to login to my spamcop account and click the "problem fixed" button.
  19. I am unable to tell if jimmywalter is using office365 webmail or if using outlook.live.com. I call it hotmail, but in outlook.live.com over by the sign out button are three dots that once clicked will have a "source message" link that has the full source. In office 365 web outlook, there is only an options and properties tab that gives the headers. The outlook application gives the same. So if jimmywalter is using office365 webapp, there is no forward as attachment and no message source. If jimmywalter is using outlook.live.com, there is no forward but there is a message source that can allow the full headers and body to be copied/pasted into the spamcop webform.
  20. gnarlymarley

    No reporting -> Less spam

    For me, my spam is up and down. I noticed that gmail is lately blocking a lot of the spam. It is also rejecting some of my legitimate email as if it were spam too. I dislike it when folks sign up on a mailing list and then mark it as spam instead of unsubscribing because I am fighting the gmail spam police who tend to block that instead of just putting it in my spam folder.
  21. gnarlymarley

    Report Ends With "Parsing Header:"

    A tracking URL would be helpful. Last time I got this, it turned out to be a dot in a domainname that was not supposed to be there. Parsing your output mentally, I suspect it is the dot starting above. Mine was a double dot that the spammers put in to prevent parsing. If you remove the dot at the beginning of that hostname, does it parse?
  22. MIG, For the outlook office365 webapp, you are absolutely correct. The hotmail version of the web app will let me view the source. What sucks about the webapp, is that I can only get it to show me the headers. Apparently what Jimmywalter might need to do (and what I have been doing for a while) is access it over imap using both fetchmail and thunderbird.
  23. I used to want to have a higher reporting preference for the links in the body, until the spammer one day about two decades ago used a website from my company in one of their spams. The spam came from a prominent university and the administrator mistook the link for the source of the spam. This nearly got me fired for being the recipient of the spam during the argument that ensued. Since then, I don't care as much about the links in the body and I know those can be spoofed (as well as the Received lines in the header), but the IP that my mail server records as the source is the only one I know that I can trust as being accurate.
  24. MIG, To answer your question, jimmywalter will not be able to post a tracking URL because I believe the error of "SpamCop could not find your spam message in this email" is in the response email that would normally contain the tracking URL. When the forwarded message is not an attachment, instead of a tracking URL, SpamCop provides this error. jimmywalter, this might be useful to know. I use the Outlook application to create a new message and drag in the email to the forwarded message when I want to "forward as an attachment". Doing a google search yields results such as save the email as an eml file and then attach that to a new message, so I am not sure it is possible with the web application. There might be some key sequence such as something like ctrl+shift+F that might do a forward as an attachment that I am not aware of.
  25. gnarlymarley

    Spamcop not finding link in encoded message

    MisterBill, I think I found the issue. I took your spam and submitted it with one header change: https://www.spamcop.net/sc?id=z6533324339z74dcc1bd7d7a1f5d7cd9d6b0c6410d96z

    I changed:

        Content-Type: multipart/alternative; boundary="B_ALT_"

    to this:

        Content-Type: text/plain; charset="windows-1252"

    From what I know of the message format, the boundary is missing from the message body as defined by the Content-Type. The type multipart/alternative means that there should be part of the body as text and part as html. Rather than change the Content-Type like I did, maybe you could figure out how to find both types of the body so that you can properly report the full body.
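
The condition described in the post above (a multipart/alternative header whose boundary never appears in the body) can be detected with Python's standard email parser. This is an added example, not part of the original post and not SpamCop's parser; both messages are constructed samples, and the windows-1252 fallback mirrors the charset used in the post's workaround.

```python
import email
import re
from email import policy

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample headers declaring the boundary quoted in the post.
HEADERS = (b"From: sender@example.test\r\nSubject: constructed sample\r\n"
           b"MIME-Version: 1.0\r\n"
           b'Content-Type: multipart/alternative; boundary="B_ALT_"\r\n\r\n')
# Body never uses the declared boundary.
BROKEN = HEADERS + b"Visit http://example.test/offer today\r\n"
# Same headers, body correctly delimited.
WELL_FORMED = HEADERS + (b"--B_ALT_\r\nContent-Type: text/plain\r\n\r\n"
                         b"Visit http://example.test/offer today\r\n--B_ALT_--\r\n")

def inspect_message(raw: bytes) -> dict:
    """Check the declared MIME structure against the body and collect links."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    declared_multipart = msg.get_content_maintype() == "multipart"
    # is_multipart() is true only when the parser found "--<boundary>" in the body.
    boundary_found = declared_multipart and msg.is_multipart()
    if msg.is_multipart():
        texts = [p.get_content() for p in msg.walk()
                 if p.get_content_maintype() == "text"]
    else:
        # Structure is broken or absent: treat the whole body as one text part
        # instead of discarding it, so links in it are still seen.
        body = msg.get_payload(decode=True) or b""
        texts = [body.decode("windows-1252", errors="replace")]
    return {
        "content_type": msg.get_content_type(),
        "boundary": msg.get_boundary(),
        "boundary_found": boundary_found,
        "defects": [type(d).__name__ for d in msg.defects],
        "links": [u for t in texts for u in URL_RE.findall(t)],
    }

if __name__ == "__main__":
    for name, raw in (("broken", BROKEN), ("well-formed", WELL_FORMED)):
        print(name, inspect_message(raw))
```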