
Everything posted by gnarlymarley

  1. gnarlymarley

    support for DKIM-Signature

    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=viverelavela.com; s=turbo-smtp; x=1544178043; h=DomainKey-Signature: Received:Received:MIME-Version:From:Reply-To:To:Subject: Content-Type:Content-Transfer-Encoding:Date:Message-ID; bh=K3Oe1 kiUPrPyJIlOVf2MjQxxIABLTrz3/oGMMhm7Dfc=; b=Penr5h12pXZlZ4bS0rJDX

    Hmmmm, I notice there is not a space or a tab in front of the Received or Content-Type lines. Per the RFCs, that indicates it is not tied to the line above but is a new line. Did those come that way in the original email, or is that from line wrapping?
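The folding point raised in that post, shown as an added example (not code from the post or from SpamCop): the quoted DKIM-Signature is parsed once with RFC 5322 continuation whitespace and once with the continuation lines at column 0, to show what a receiver actually ends up with in each case. The sample text is the header quoted above, with the b= value cut off where the quote was.

```python
from typing import Dict, List, Tuple

# Constructed sample: the DKIM-Signature quoted in the post, folded per RFC 5322
# (continuation lines start with a tab); the second copy has those lines in
# column 0, as the post noticed. b= is cut off where the post's quote is.
DKIM_FOLDED = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=viverelavela.com; "
    "s=turbo-smtp; x=1544178043; h=DomainKey-Signature:\n"
    "\tReceived:Received:MIME-Version:From:Reply-To:To:Subject:\n"
    "\tContent-Type:Content-Transfer-Encoding:Date:Message-ID; bh=K3Oe1\n"
    "\tkiUPrPyJIlOVf2MjQxxIABLTrz3/oGMMhm7Dfc=; b=Penr5h12pXZlZ4bS0rJDX\n"
)
DKIM_UNFOLDED = DKIM_FOLDED.replace("\n\t", "\n")  # same text, leading tabs gone

def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Unfold per RFC 5322: SP/HTAB at line start continues the previous header;
    a column-0 line starts a new one, or is no header at all if it lacks ':'."""
    headers: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
        else:
            headers.append(("", line.strip()))  # empty name keeps the damage visible
    return headers

def dkim_tags(value: str) -> Dict[str, str]:
    """Parse the DKIM tag=value list (RFC 6376); whitespace inside a value (folded bh=) is dropped."""
    tags: Dict[str, str] = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())
    return tags

def check_dkim_folding(raw: str) -> Dict[str, object]:
    """Receiver's view: header count, stray headers, whether bh=/b= survived, what h= lists."""
    headers = parse_headers(raw)
    sig = [v for n, v in headers if n.lower() == "dkim-signature"]
    tags = dkim_tags(sig[0]) if sig else {}
    return {
        "header_count": len(headers),
        "stray_headers": [n for n, _ in headers if n.lower() != "dkim-signature"],
        "has_bh_and_b": "bh" in tags and "b" in tags,
        "signed_headers": [h for h in tags.get("h", "").split(":") if h],
    }
```

With the tabs present the block is one DKIM-Signature header listing twelve signed headers; without them it becomes a truncated signature plus bogus Received: and Content-Type: headers and one line that is not a header at all, so bh= and b= never reach the verifier.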
  2. gnarlymarley

    wondering about efficiency of reporting spams

    This is in part why I prefer double-opt-in lists. Because with single-opt-in lists, anyone can use your email address and sign you up or something. Some lists are legitimate, but the admins do not care. A common practice two decades ago was for the first list to sometimes unsubscribe you and at the same time find other lists they could put your address on with the intent of getting you in trouble. Always a good reminder to have a double-opt-in list for when someone wants "revenge".
  3. gnarlymarley

    Something wrong with Outlook reporting

    I use hotmail and I do not see any problems with spamcop, if I strip off the top broken piece.
  4. Clive, this idea might help if you own access to your email server. If their hostname is always *.local, then you might be able to block it based on the hostname or the IP, or else firewall it. The emails will fill up and their sysadmin will have to deal with the space. I had put in the following check (below is exim for my server) years ago which would straight up block those emails.

    # Helo can't be localhost, *.local, *.localdomain or *.lan
    # defer
    deny message = HELO can't be $sender_helo_name. Please contact your ISP.
         local_parts = !postmaster
         condition = ${if match\
                       {$sender_helo_name}\
                       {\N(localhost|\.local(domain)?|\.lan)$\N}\
                       {yes}{no}}
  5. SenderID was to protect the "from". However, the original folks that worked with Microsoft on SenderID said it was a mistake, and that protecting the mfrom was better. This is why I have a SenderID record that says don't check the from, but in your case, it may have saved you if they were sending to hotmail or an Exchange server. This is probably a good time to verify your record if you need more information about how it works. The limit was raised if you wanted to report more. See this page: https://www.spamcop.net/fom-serve/cache/350.html. If you are attaching them to emails (for forward-as-attachment), you can attach more than one bounce to the same email and get back more than one tracking URL in the reply email. This might help you report them faster. I am not sure if there is a limit on how many attachments may be on one forwarding email, but I have done as much as three in the past. SpamCop has a special algorithm that would mean it would prefer it coming into a spamtrap for it to get onto the blacklist. I believe you might be able to do it yourself, but it could take a while. I think this whole thing is that someone didn't check your email address for SPF and tried to use it in their scam, and that is why it has bounced. I do not think you are wasting your time reporting them.
  6. The SPF record does not protect the from but does protect the mfrom. These two addresses can be separate. The mfrom is found in the headers, usually in the received line, and the from will be below it. You might notice a mailing list will change the mfrom and add a reply-to, but they usually do not change the "from". The bounces will be coming from the mfrom. Hopefully the bounces indicate some sort of rejection due to SPF. If not, you may need to check that your record uses "-all" instead of "~all". The two are different: only one will cause a receiver to reject email, while the other will cause the receiver to send it to a spam folder. It might be good to include a tracking URL from one of the munged reports.
  7. gnarlymarley

    Why my Exchange IP Blacklsited ?

    There are a few reasons why your external IP shows up on the blocklist. I commend you for wanting to find out why. SpamCop is a spam reporting service that we can use to report unwanted email. If you have a mailing list, then hopefully it is a double-opt-in, so that people getting revenge do not add someone unknowingly to your list. If you are a normal user like me, what you will need to do is to check all devices that connect to the internet using that IP, including the NAT router itself, for being open SMTP relays, being hacked, or some sort of open ports. Sounds to me like someone is using one of your devices (it could even be a router or camera) to send unwanted email. They are using your device so that your IP gets on the blacklist instead of their IP. If you can secure all your devices and prevent them from abusing your system so that the emails stop, you will see that it will no longer be listed.
  8. gnarlymarley

    ISP has indicated spam will cease

    The "ISP has indicated spam will cease; ISP resolved this issue sometime after" is in part why I automated the forward-as-attachment portion of my spamtraps. Though I do still see some messages that come about two minutes after their date where they mark it as resolved, the faster reporting rate seems to limit how often I get that ISP resolved issue message.
  9. I also have done the drag-and-drop method in Thunderbird in the past, but I find it actually supports forward as attachment. Thanks for the heads up for when they force the new OL junk on me in a few years.
  10. gnarlymarley

    Something wrong with Outlook reporting

    From the tracking URLs (thanks for those BTW) it does not appear that you have mailhosts set up. Once I set up mailhosts, my hotmail.com reporting shows properly and does get reported to the spammer. https://www.spamcop.net/fom-serve/cache/397.html Once you set up mailhosts, previously submitted spams will show the correct IP address. The hard part is getting all your emails set up with mailhosts. How mailhosts works is it attempts to track all the handoffs from the ISP border server to the internal servers. This means it will not try to report internal servers, as admins moving from IPv4 NAT (who were erroneously told that IPv6 does not support NAT) used public IPs for their private servers. Mailhosts will properly assign that blame to the edge of your email provider's network.
  11. I currently use outlook 2010 at work. It also worked for me in outlook 2003 a few years back.
  12. The method I was speaking of for forward-as-attachment is for the Outlook Windows application. Webmail might not be able to do it because the Windows application is using the Windows Explorer drag-and-drop. ActiveX was an "attempt" to enable this. According to microsoft.com there is no way to do this without a separate application, which is why I started using a program called fetchmail over IMAP and a Perl script to embed the email into an attachment over a decade ago.
  13. I am not sure if google will fix this problem. Probably been going on for more than a year. See the following post, which goes back to as early as January.
  14. Yeah, a spamtrap of mine seems to have gotten on the list with lots of random passwords. The interesting thing is that spamtrap address is just an alias account and has no password. Probably just a copycat setup from scammers who do not have the actual passwords. One can never be sure if they are the copycat or the real thing that is "masking" the password just so they do not give themselves away.
  15. Hence this is what the blacklist is for. The sad part is that sometimes legitimate email needs to be rejected by servers using the blacklist in order for some admins to realize that it is best if they take action. Having their IP on the blacklist is usually a motivator for admins to clean up their servers.
  16. gnarlymarley

    url not a routable address

    Ah yes, the old nameserver trick that spammers used to do to prevent their site from being reported. Spammers would purposefully set up some bad glue entries that would cause the domain "lookup" to stop and would return a nxdomain error. For me, I found that if I kept refreshing the reporting page, with a wait in between, before I would click submit, then spamcop might rotate to their actual working server and get the IP. As Lking said, reporting URLs is less important for me these days as I have seen some spammers use my URLs to try to get me in trouble and now I am more interested in reporting the source of the spam.
  17. Lking, you are correct about the forward-as-attachment. MIG, the only way I have been able to forward-as-attachment is to create a new email, then drag the spam message from my inbox and drop onto the new email I previously created. Now that I said it out loud, maybe someone will try to change it so it no longer works.
  18. Would it be a good idea to munge the password as most of those are probably unique and would be considered spammer identifiable information? I noticed one of my scams said something about the "alleged hacking" occurred around June 28th. So good to know this has been going on since the other "thread" as far back as at least August.
  19. Also, I believe spamcop truncates to 50kb when submitting, if I remember correctly.
  20. gnarlymarley

    Dumb spam

    Also, a side note is that the spammer seems to be trying to rotate between base64 and plain text in order to use the password reported through spamcop to determine which email or password comes back.
  21. Interesting that there appear to be three different formats for this email. I know two of the formats are using the linked-in passwords from their password breach. The other one is just sending those messages to alias accounts that do not have a valid account/password, which appears to be some sort of copycat message. My suspicion is that there are three different individuals/groups that are sending this stuff out. As a side note, this is why I am not trying to share passwords and I keep track of which password I use where so I can note what got "hacked".
  22. Please keep submitting the reports. I got two versions of this and it turns out one was my original linkedin password. The other is one of my spamtraps. These emails are completely false and are just looking for people who will donate to them. You can try submitting this directly to the administrators, but it appears to me that they might be spam friendly, so I am not sure that will work. The best option I can see is to get them on the spamcop blocking list.
  23. Ah ha. I found out why I do not have any 163.com spam. Apparently they are being blocked at my border. They are either not using a proper HELO, or are apparently spoofing the 163.com domain. It would appear that whomever is trying this is not in line with the SPF 163.com policy. Probably means that it is not 163.com that is spamming, but some other scammer who is abusing it. In any case, it seems to be blocking any of the stuff from reaching my inbox.

    2016-12-07 03:33:34 H=(XL-20141217AHYY) [] F=<ydhknr[at]x.net> rejected RCPT <jijing667[at]163.com>: HELO should be Fully Qualified Domain Name. Please contact your ISP.
    2016-12-07 03:33:35 H=(XL-20141217AHYY) [] F=<ydhknr[at]x.net> rejected RCPT <jijing667[at]163.com>: HELO should be Fully Qualified Domain Name. Please contact your ISP.
    ....
    2018-10-16 08:13:39 H=(163.com) [] F=<top_textile[at]163.com> rejected RCPT <x[at]x.com>: SPF check failed.
    2018-10-16 08:13:39 H=(163.com) [] F=<top_textile[at]163.com> rejected RCPT <x[at]x.net>: SPF check failed.
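An added example tying the HELO rule from the exim ACL in post 4 to reject-log lines of the kind quoted in post 23 (my own code, not the poster's or exim's): it parses the reject entries, classifies each HELO name with the ACL's forbidden-suffix regex plus a simple "must contain a dot" FQDN test (that test is my assumption, not exim's exact rule), and tallies what the border policy blocked and why. The log lines are the ones quoted above plus one constructed *.local entry; the empty [] and [at] munging are kept as they appear on the page.

```python
import re
from collections import Counter
from typing import Dict, Optional

# The HELO rule from the exim ACL quoted earlier in this listing, as a Python
# regex: localhost, *.local, *.localdomain and *.lan are never valid HELO names.
BOGUS_HELO = re.compile(r"(localhost|\.local(domain)?|\.lan)$", re.IGNORECASE)

# Constructed log: the exim reject lines quoted in the post plus one *.local
# entry; the empty [] and the [at] munging are kept as they appear there.
REJECT_LOG = """\
2016-12-07 03:33:34 H=(XL-20141217AHYY) [] F=<ydhknr[at]x.net> rejected RCPT <jijing667[at]163.com>: HELO should be Fully Qualified Domain Name. Please contact your ISP.
2018-10-16 08:13:39 H=(163.com) [] F=<top_textile[at]163.com> rejected RCPT <x[at]x.com>: SPF check failed.
2018-10-16 08:13:39 H=(163.com) [] F=<top_textile[at]163.com> rejected RCPT <x[at]x.net>: SPF check failed.
2018-10-16 08:14:02 H=(desktop.local) [] F=<nobody[at]example.invalid> rejected RCPT <x[at]x.net>: HELO can't be desktop.local. Please contact your ISP.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) H=\((?P<helo>[^)]*)\) \[(?P<ip>[^\]]*)\] "
    r"F=<(?P<sender>[^>]*)> rejected RCPT <(?P<rcpt>[^>]*)>: (?P<reason>.*)$"
)

def parse_reject_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one reject entry, or None for lines of another shape."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def helo_verdict(helo: str) -> str:
    """Classify a HELO name: the ACL's forbidden suffixes first, then a plain
    'must contain a dot' FQDN test (an assumption here, not exim's exact rule)."""
    if BOGUS_HELO.search(helo):
        return "forbidden-suffix"
    if "." not in helo.strip("."):
        return "not-fqdn"
    return "fqdn"

def reject_summary(log: str) -> Dict[str, Dict[str, int]]:
    """Tally rejections by HELO verdict and by the reason exim logged, so a
    border-policy change can be checked against what it actually blocked."""
    by_helo: Counter = Counter()
    by_reason: Counter = Counter()
    for line in log.splitlines():
        entry = parse_reject_line(line)
        if entry is None:
            continue
        by_helo[helo_verdict(entry["helo"])] += 1
        by_reason[entry["reason"].split(". ")[0].rstrip(".")] += 1
    return {"by_helo": dict(by_helo), "by_reason": dict(by_reason)}
```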
  24. gnarlymarley

    ISP has indicated spam will cease

    Reports will start going back to the administrator after some time if it keeps happening from that specific IP. I think the delay is either six or four hours. Like Lking had mentioned, it is something that was put into place to allow the administrators time to hunt down and correct the problem so they are not continuously spending time on new reports. Now if it is something glaringly still a problem, the deputies can reset that variable so that the report can go through again, but they will want to see the tracking URL. From what I have seen in the past, most administrators are able to get it all fixed within about a half hour, if not an hour.
  25. smblion, I have not seen spam from 163.com in a long while. I thought that spammer had given up from being on the block list. It appears that my persistence with reporting every single spam has worked as they no longer send me spam.