Everything posted by gnarlymarley

  1. gnarlymarley

    Why not use abuse-mailbox listed in whois info

    I don't see the abuse-mailbox in the SpamCop cached whois, but I do see it in the APNIC whois. My guess would be this is part of why it does not use it.
  2. Outlook by default does not support forwarding as an attachment. The "forward" button is misleading. What I do to forward as an attachment is to create a new email that will be sent to spamcop, then drag the message I want to attach to the body of my new email.
  3. SC just looks at link provided; the link in this case is a redirect link with an abuse address that bounces. Try to be better than SpamCop if you have the time. In the case of porn spammers send to the CERT of that country as well. To answer this question about link redirection, around two decades ago SC was programmed to never follow links due to the thought that spammers were tracking which links were clicked. By clicking the link, the spammer will have the IP of your computer along with the knowledge that the link worked, so they can send more spam. This is why SpamCop would originally just grab the hostname/IP from the link without following it.
  4. gnarlymarley

    Spamcop not finding link in encoded message

    MisterBill, I can see Base64 decoding works, but I also noticed that when there are no links, I see the following output. I am thinking this might be in part the cause why it is not finding the links is that maybe something in the headers tells it not to check. The following from: https://www.spamcop.net/sc?id=z6518576003zacb0684ecc1a3a9c08ea7d4865cd6840z
  5. I just checked both yours and mine and they come back. I am not sure how long it takes for the cached whois to expire. Seeing the owner, I am not surprised about the /dev/null.

     [refresh cache]
     $ whois NET-3-128-0-0-1@whois.arin.net
     [whois.arin.net]
     . . . .
     NetRange: -
     CIDR:
     NetName: AT-88-Z
     . . . .
     OrgAbuseEmail: abuse@amazonaws.com

     [refresh cache]
     $ whois
     [whois.ripe.net]
     . . . .
     inetnum: -
     netname: PL-INTER-SAT-20141203
     country: PL
     org: ORG-PTAO1-RIPE
     admin-c: JO3356-RIPE
     . . . .
     abuse-mailbox: jacek@inter-sat.pl
  6. Yeah, I am not sure if there is someone that has the ability to fix these cache entries. It is a tragedy now that we are here, but at the same time it is at least populating the blacklist.

     Display data: "whois" (Getting contact from whois.arin.net )
     Redirect to ripe
     Display data: "whois" (Getting contact from whois.ripe.net)
     whois.ripe.net (nothing found)
     [whois.ripe.net]
     %ERROR:201: access denied for
  7. I have been using IMAP with hotmail for about two decades to get this, but in the current setup, you have the three dots in the upper right corner. Click those and then you should see "message source". It should pop up in the window for you with the source.
  8. gnarlymarley

    Details of update to Spamcop 5.0 coming tomorrow?

    One thing I have noticed is better whois parsing. https://www.spamcop.net/sc?id=z6506971100z5bbf5782126fab6d9454281867af1419z Hopefully, no more attempts to use search-apnic-not-arin@apnic.net as an abuse address.
  9. gnarlymarley

    leaseweb spam

    RobiBue, I just tried your tracking URL and it seems to be pointing properly to a leaseweb abuse address. I think the 5.0 upgrade may have solved this issue.
  10. gnarlymarley

    SC parser report distribution question

    Yes, but I had to click the "Show how SpamCop traced this message" to find it. It does kinda get the same results. The issue is it also gives me access to a menu item that I normally do not see as a spamcop user, but only as a provider. The link you sent will allow me to respond as you to the report back to the original submitter. I am not comfortable with such a link. The spammers do have access to this form, and they could select the option that "it was not spam" on your behalf. I understand why petzl only wants the tracking URL.
  11. gnarlymarley

    SC parser report distribution question

    Like all business owners, they get their money from somewhere. Either they have investors, or they have people that keep buying into the spams (either by entering banking information or by clicking an advertisement link). My guess is mostly the latter. ANGEL, The tracking link would have the "sc?id=" in the middle of it. This would be your tracking link: Here is your TRACKING URL - it may be saved for future reference: https://www.spamcop.net/sc?id=z6512755812z8ee73d74322c131f8ca885cc287a03fcz
  12. gnarlymarley

    SC parser report distribution question

    SC reports are directed to the administrator listed as the abuse contact for that network. Most networks are gathered from the whois data for the IP range as appears to be the case when I browse down to your tracking URL. I see that this report was sent to both an outlook.com address and a user defined hotmail.com address. The IP address in question seems to be assigned to an ISP called CoreIP. Rather than provide a real abuse address the CoreISP internet provider appears to be using one at outlook.com. Now you ask, if the reports are ever directed to the "source" of the spam. There have been a number of spammers that appear to purchase a whole entire network range just so they can be the abuse contact listed in the whois. As soon as those are found out, the deputies can block the reports from going to those addresses and/or redirect them to their upstream provider.
  13. There have been a few different passwords used. However, the one today has a unique password that was used back in November. It is similar to the format of the October scams, but not similar to the early December copycat scams. Of course with a spamtrap account that has never had a password of its own and likewise does not have its own browser. I did note that this scam did not talk about the webcam, unlike the ones back in November. If it was a different person, then I would expect that I would be able to find some sort of link to the so called password somewhere on the internet. Though, this could be a darkweb link that I know nothing of.
  14. Ha, I thought this guy has given up, but seems he came back for another try. Been a long while since I have seen this come into my "spamtrap" account. I thought they had given up on it. Amazing how an account could have a password without an /etc/password entry. http://www.spamcop.net/sc?id=z6508576087z8ae70bcdece03f0236640dc90110bceaz
  15. Sounds like they might be morphing now. I got the following sent to an address that has not had this stuff yet. More phishing... Urgent : Someone has your password http://www.spamcop.net/sc?id=z6506112137zb5e259ccf80b3b62fcb7a72e9509c841z I have to chuckle at these liars who seem to be getting desperate. I hope it means they are losing the battle.......
  16. gnarlymarley

    leaseweb spam

    I heard from the deputies, that there might be a fix in the works for this. Hopefully it will solve the issues.
  17. gnarlymarley

    Reporting spam Send From My Own Address?

    Are you talking about the visible FROM: line which is easily forged, or the chain of Received lines in the complete header? If they also used the hidden FROM: line, you might want to have your provider look at implementing SPF and/or some sort of check there. If you look closely at the headers, the clown will have used an IP address other than one belonging to your ISP and will see the report heading in a different direction and this should keep you safe.
  18. gnarlymarley

    Reporting spam Send From My Own Address?

    I would suggest you report it. These spammers have used my previous linkedin password, which was from the hack a year ago. Lucky I had already changed it by the time they started their scams. Also, I do not visit porn, nor do I have a camera on my computer, but yet their scam still says it caught me and they "know it is me". Ha. Probably the only way to get them to go away is for folks to stop paying them. Another post on the subject: http://forum.spamcop.net/topic/29542-help-with-a-mail-received-few-times-saying-my-email-is-hacked/
  19. gnarlymarley

    Need Help Asap

    There must be more than what Constant Contact is telling you. From what I have seen, a lot of providers give a warning before a full shutdown. dn18, There would have been some emails with a tracking URL sent to Constant Contact with more information on it regarding your three reports. The tracking link is the information that would help us as users of spamcop to figure out what and why. As Lking specified, it takes more than three reports to put the sending IP address on the blacklist, so I do not think this is what you are asking about. Constant Contact will know why with three "reports" as to why they "shutdown" your account.
  20. gnarlymarley

    support for DKIM-Signature

    I believe it is still being developed. I have occasional chat with the deputies where they are working with the developers. I did run across this report that seems to have a DKIM in it and it seems to have parsed just fine. https://www.spamcop.net/sc?id=z6505637534zf5ee6366a44d8e4afea7141b95ecf3a8z
  21. gnarlymarley

    ISP has indicated spam will cease

    I decided to watch one on Friday and Saturday. Seems the date kept updating every eight hours, where the ISP. Well, got another one, but this one seems to have the date changing about near daily. I figure it is just interesting to track and see what happens to the date. One thing I will note is that once it hits the 48 hour period, it no longer has this message. https://www.spamcop.net/sc?id=z6505705431z1770fb4b8944a1f906c29039ff622d7fz I wonder if this should be some sort of timed ban where the ISP is not able to repeatedly select this option just to ignore the spam. I know it is a courteous, but sometimes it feels like the ISP is doing nothing while just selecting this to stop the reports.
  22. gnarlymarley

    Google gmail not reportable again !!!!!

    The problem I see with IPv6 is for it to do away with NAT, it has opened up for hundreds of internal networks. SpamCop seems to remember only a select set of IP addresses with mailhosts. This means that there could be 2^72 hosts hiding behind a network. When some people scale up their data centers, they just add more servers instead of fixing the quality of the servers.
  23. I am not sure ikoula cares, which is probably why the reports were disabled. Though, I have to chuckle as I get a "final notice" email from them almost ten times a day, every day since July. https://www.spamcop.net/sc?id=z6505729959z7686637ff5e0bb14b6eed012ef6febc2z
  24. gnarlymarley

    Something wrong with Outlook reporting

    Yep, I do remove the top line, just like I do with gmail. I think this is a mailhosts problem where the mailhost section probably records every address. It seems to be too many addresses for the parser to be able to detect that any address for 2603:1000::/24 is a valid mailhost. I think the problem becomes that 20,282,409,603,651,670,423,947,251,286,016 (2^104) is just too many addresses for the mailhosts entry to record.
  25. gnarlymarley

    support for DKIM-Signature

    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=viverelavela.com; s=turbo-smtp; x=1544178043; h=DomainKey-Signature: Received:Received:MIME-Version:From:Reply-To:To:Subject: Content-Type:Content-Transfer-Encoding:Date:Message-ID; bh=K3Oe1 kiUPrPyJIlOVf2MjQxxIABLTrz3/oGMMhm7Dfc=; b=Penr5h12pXZlZ4bS0rJDX

    Hmmmm, I notice there is not a space or a tab in front of the received or content-type lines. Per the RFCs that indicates it is not tied to the above, but is a new line. Did those come that way in the original email, or is that from a line wrapping?
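
The folding rule raised in the last post, as an added example that is not part of the original post or of SpamCop's parser: a header line that starts with a space or tab continues the previous field, so a DKIM-Signature whose continuation lines have lost that whitespace is cut short and its `h=` list turns into stray fields. The sample header, domain, selector and hash values are constructed for illustration.

```python
import re

REQUIRED = {"v", "a", "b", "bh", "d", "h", "s"}  # tags RFC 6376 marks REQUIRED

# Constructed sample (not the message from the thread): continuation lines start with a tab.
FOLDED = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
    "\ts=sel1; h=DomainKey-Signature:\r\n"
    "\tReceived:Received:From:To:Subject:\r\n"
    "\tContent-Type:Date:Message-ID; bh=Y29uc3RydWN0ZWQ=;\r\n"
    "\tb=c2FtcGxl\r\n"
    "From: sender@example.com\r\n"
)
# Same text after the leading whitespace of each continuation line has been dropped.
STRIPPED = FOLDED.replace("\r\n\t", "\r\n")

def unfold_headers(raw):
    """Split a header block into (name, value) fields using RFC 5322 folding."""
    fields = []
    for line in raw.splitlines():
        if not line:
            break  # a blank line ends the header block
        if line[0] in " \t" and fields:
            name, value = fields[-1]  # continuation of the previous field
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)  # no leading whitespace: a new field
            fields.append((name.strip(), value.strip()))
        else:
            fields.append(("", line))  # malformed line, kept for inspection
    return fields

def dkim_tags(value):
    """Parse a DKIM-Signature value into a tag dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def missing_dkim_tags(raw):
    """Return the required tags absent from the first DKIM-Signature field."""
    for name, value in unfold_headers(raw):
        if name.lower() == "dkim-signature":
            return sorted(REQUIRED - set(dkim_tags(value)))
    return None  # no DKIM-Signature field present
```
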