Everything posted by gnarlymarley

  1. gnarlymarley

    Google Network a Frequent Source of spam

    I am not sure why, but for some reason, spammers do not send spam to my yahoo account any more. I probably get two spams a year there and I don't know why so little. I wonder if the difference between my experience with google is that with hotmail, my average reporting time is around 8 hours, but with gmail reporting through spamcop, my average reporting time is about 30 minutes. I might need to speed up my hotmail reporting to see if that makes a difference.
  2. I remember when I used to submit tons of reports to the postmaster address. Kind of interesting that if someone lets the spamming go on, they get spammed, no matter what their address is. I find it easier to have my address and postmaster sharing the same box and then I can filter on the "To:".
  3. gnarlymarley

    Google Network a Frequent Source of spam

    I see the same thing coming to my hotmail. As near as I can tell, the spammers are spinning up and down cloud instances as fast as they can to prevent getting caught. Either they reached a point where they gave up on my gmail, or else google sometimes deals with it. With my hotmail, there seems to be a day or two in between the spam like this.
  4. gnarlymarley

    Spammer Bcc'ing replies to himself?

    If you mouse over the "posted [date] at [time]", it should show the year with the time in GMT or UTC format. I have had this happen a year or two ago where someone signed up with an impersonator account on facebook and started trying to friend everyone. Somehow the scammer/spammer must have got a list of contacts and is attempting each one until they find someone that will reply. If it stays quiet enough, they will eventually give up. If you click the report links, they should come up with the tracking URLs. You might have to click a "parse" link at the top to find it.
  5. gnarlymarley

    Ancient routing information.

    Sure is old information. If you don't see this updated soon, I would suggest you can also try contacting deputies[at]admin.spamcop.net.

    abuse net endurance.com = abuse@websitewelcome.com, eig-abuse@endurance.com
    Using best contacts eig-abuse@endurance.com abuse@websitewelcome.com
  6. Interesting they list the two addresses. I have seen it where companies want different abuse addresses to track where it comes in from. Would be nice if companies would keep their contact information up to date in whois. I also noticed it is preferring the /23 over the /16.

      Using smaller IP block (/ 9 vs. / 16 )
      Removing 1 larger (> / 9 ) route(s) from cache
  7. Interesting combination of manual entry and refuse to bother.
  8. gnarlymarley

    sendmail woes

    ping looks for an A record. Email servers look for an MX record.
  9. I noticed the reporting address seems to have changed for in the SpamCop whois mirror after it was manually updated. Looks like it should be abuse@hostopia.com.au instead of abuse#web24.com.au@devnull.spamcop.net. See below.

      https://www.spamcop.net/sc?action=rcache;ip=

      $ whois [spamcop mirror]
      inetnum: -
      netname: HOSTOPIA-AU
      descr: Hostopia Australia Web Pty Ltd
      country: AU
      org: ORG-JAHP1-AP
      admin-c: HAA3-AP
      tech-c: HAA3-AP
      abuse-c: AH908-AP
      status: ALLOCATED PORTABLE
      remarks: --------------------------------------------------------
      remarks: To report network abuse, please contact mnt-irt
      remarks: For troubleshooting, please contact tech-c and admin-c
      remarks: Report invalid contact via www.apnic.net/invalidcontact
      remarks: --------------------------------------------------------
      mnt-by: APNIC-HM
      mnt-lower: MAINT-HOSTOPIA-AU
      mnt-routes: MAINT-HOSTOPIA-AU
      mnt-irt: IRT-HOSTOPIA-AU
      last-modified: 2020-08-11T19:17:02Z
      source: APNIC

      role: Hostopia Australia Administrator
      address: PO Box 76
      country: AU
      phone: +61 288231020
      e-mail: apxxx@hoxxxxxxxxxxxxx
      admin-c: HAA3-AP
      tech-c: HAA3-AP
      nic-hdl: HAA3-AP
      notify: apxxx@hoxxxxxxxxxxxxx
      mnt-by: MAINT-HOSTOPIA-AU
      last-modified: 2020-08-11T19:31:17Z
      source: APNIC

      https://www.spamcop.net/sc?action=showroute;ip=;typecodes=16
      Reports routes for
      routeid: 78704091 - to: abuse@web24.com.au Administrator interested in all reports
      Wed Jun 3 23:36:53 2020 GMT
      Wednesday, June 03, 2020 5:36:53 PM -0600

      https://www.spamcop.net/sc?id=z6695233831zdb2126a0f580859cfda6f258ea608660z
      Tracking message source:
      Routing details for
      Reports disabled for abuse@web24.com.au
      Using abuse#web24.com.au@devnull.spamcop.net for statistical tracking.
      Report routing for
      abuse#web24.com.au@devnull.spamcop.net
      Yum, this spam is fresh!
  10. I am not sure what you mean. The links in my reports are sent out and some of mine get a response from AWS or CloudFlare. I think there is a limit of around eight links that will get reported. Maybe this post could be what you are talking about: "Linsk are not parsed when Return-Path is empty"?
  11. gnarlymarley

    If reports were sent today....

    That almost looks like something that has been reported already. You can see if it was reported by going to your past history.
  12. gnarlymarley

    Linsk are not parsed when Return-Path is empty

    I think this may have caused some confusion as the above tracking URL is missing the body. See below for verification test. So I took your link that failed to parse and I added something in the return-path. The links would parse again. So I submitted it as is and it fails to parse. Clearly, it appears you have caught a problem or bug here where SpamCop is broken.

    Working (changed return-path): https://www.spamcop.net/sc?id=z6693978467z3560f51112de7e9fcadc539b521ce73bz
    Not working: https://www.spamcop.net/sc?id=z6693978389zca5cee5269c5f353471c599d70e7c266z

    As you can see by comparing, I submitted the same thing twice, except I added an email in the return path.
  13. gnarlymarley

    Linsk are not parsed when Return-Path is empty

    I have seen this a while ago, but I didn't have time to do any research on it. I will have to pay attention for the next time I get a spam that has links, but they get ignored. (I think mine were August or July, so they are probably past the 90 days so I will not be able to get tracking URLs.)
  14. gnarlymarley

    No data / Too much data

    Does this post help? http://forum.spamcop.net/topic/9324-unable-to-process-message-hearders-in-reporting-tab/?do=findComment&comment=63654 If I click "Process spam" without having the textbox above filled out, I get a similar message. Try going to https://www.spamcop.net/, without the sc at the end of the URL.
  15. Petzl, your link required authentication. Did you mean https://www.spamcop.net/fom-serve/cache/401.html?
  16. Hmmm, I noticed your second line does not properly match the first one. Specifically the "by" section does not match a mailchannels line of "inbound-egress-6.mailchannels.net". Something is strange where the headers do not seem to match up. If nothing was lost, then this would be from an internal mailchannels user.

      1: Received: from TrololoVPN ([UNAVAILABLE]. []) by (trex/5.18.10); Thu, 12 Nov 2020 21:07:09 +0000
      No unique hostname found for source:
      Possible forgery. Supposed receiving system not associated with any of your mailhosts
      Will not trust this Received line.
  17. You can try adding the same email address to your mailhosts again and then go back to the previous tracking URL to see if it picks it up. I don't think the mailhosts updates itself automatically.
  18. gnarlymarley

    MTA version parsed as IP address

    I wonder if it is considered an "internal IP". It is interesting that it picks up the IP from what appears to be a software version number. Server 64bit Probably a regex border issue seeing the period as an end of sentence?
  19. gnarlymarley

    Any point in reporting spam from AMAZONAWS?

    I believe this is what the forum subsection for reporting address issues is for. http://forum.spamcop.net/forum/39-routing-report-address-issues/
  20. gnarlymarley

    Unblock my IP?

    The RBL from your message seems to be for rbl.websitewelcome.com, but yet they tried to give you a link to spamcop.net. I don't like it when people give the wrong rejection message for their RBLs.
  21. gnarlymarley

    To Bounce or Not to Bounce?

    After reading https://docs.cpanel.net/knowledge-base/email/how-to-configure-email-filters/, it appears that Global Email Filters uses spamassassin. Spamassassin usually scans the email after it has been received, but before it was accepted. This means a bounce should not originate from your server. I think a question here is whether cPanel's Global Email Filter's "Fail with Message" does it before or after it is accepted. A message can be sent along with the rejection to the sending server at the time of rejection. It may be good to ask the cPanel folks if your question does not get a reply.
  22. The IPv6 ranges returned from the lacnic whois is being properly detected. It appears that most of the whois servers return inet6num, but lacnic seems to be returning inetnum. For documentation, the IPv4 seems to be coming back as NetRange for all whois. It would appear that lacnic is going to stay with this as they have used this since they started on IPv6. Can we have the code in the whois section be able to pick up lacnic's IPv6 range?

      The tracking URL that was fixed by the deputies on 24 Feb but have screenshot of before fix: https://www.spamcop.net/sc?id=z6618132220z787713e4d45691f5d7d62752a3a7f109z
      Forum post from 2013: http://forum.spamcop.net/topic/13290-gmail-spam-from-ipv6/
      Forum post from 2018: http://forum.spamcop.net/topic/30227-cannot-find-ip-range-in-whois-outputno-reporting-addresses-found-for-200112f0601a902000150/
      Whois refresh page:
  23. gnarlymarley

    Cannot find ip range in whois output

    Or in perl speak:

    $whoisoutput =~ s/inetnum/inet6num/ if $whoisoutput =~ m/inetnum:.*?::/;

    The if is so IPv4 is ignored. Would be better to have full IPv6 address detection in place of the "::".
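
Added example (not part of the original post and not SpamCop's code): one way to do the "full IPv6 address detection" mentioned above, written in Python rather than Perl, by parsing the range value with the standard ipaddress module instead of looking for "::". The function names and the sample whois text are constructed for illustration.

```python
import ipaddress
import re

# Range keys named in the posts: inet6num (most registries), inetnum
# (LACNIC uses it for IPv6 too), NetRange (IPv4).
RANGE_KEY = re.compile(r"^(inetnum|inet6num|NetRange):[ \t]*(.+?)[ \t]*$",
                       re.IGNORECASE | re.MULTILINE)

def parse_range(value):
    """Return (first, last) address objects for 'a - b' or CIDR text, else None."""
    try:
        if "-" in value:
            first, last = (ipaddress.ip_address(p.strip())
                           for p in value.split("-", 1))
        else:
            net = ipaddress.ip_network(value, strict=False)
            first, last = net[0], net[-1]
    except ValueError:
        return None  # empty, redacted or malformed value
    if first.version != last.version or first > last:
        return None
    return first, last

def find_ranges(whois_text):
    """List (key, ip_version, first, last) for every parseable range line."""
    found = []
    for key, value in RANGE_KEY.findall(whois_text):
        parsed = parse_range(value)
        if parsed:
            first, last = parsed
            found.append((key.lower(), first.version, str(first), str(last)))
    return found

# Constructed sample input (documentation prefixes, not real whois output).
SAMPLE = """\
% LACNIC-style IPv6 record that uses the inetnum key
inetnum:     2001:db8::/32
owner:       Example Org
% IPv4 range written as start - end
NetRange:    192.0.2.0 - 192.0.2.255
% unusable value, must be skipped
inetnum:     -
"""

if __name__ == "__main__":
    for row in find_ranges(SAMPLE):
        print(row)
```

Because the IP version comes from the parsed address, an IPv6 range written without "::" (fully expanded) is still recognised, and the key name no longer matters.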
  24. gnarlymarley

    "Hotmail" spam reporting stopped?

    If I am reading this correctly, it would appear that something has gone weird with the IP addresses on received lines 1 and 2. The server names do not match, nor do the IPs match. Either hotmail is not reporting all the received lines to you or else, this is a hotmail internal email.
  25. gnarlymarley

    Detect/block spamvertisement images

    There was a tool I knew about years ago called dansguardian, but I am not sure if it is still a viable tool. I understand it could scan images.