Jump to content


  • Content Count

  • Joined

  • Last visited

Everything posted by gnarlymarley

  1. Ricardo_63, this "Received:" line should be added by the receiving email server. And should not be disabled by any spammer. Though RFC2882 might be confusing, RFC5321 explains this well in section 3.7.2, where your ISP should be adding that line. 3.7.2. Received Lines in Gatewaying When forwarding a message into or out of the Internet environment, a gateway MUST prepend a Received: line, but it MUST NOT alter in any way a Received: line that is already in the header section. Another way to think of it, is if your ISP refused to put this line on your email, then they must provide another way for you to get the information via a phone call or log access. If they refused to tell you the sending IP and helo hostname, then the offending email must be counted as spam send "by your email provider".
  2. gnarlymarley

    Is there a SpamCop Outage

    This is the problem with internet islands where you can travel from your house to either island, but you cannot travel directly from one island to another. This is where your ISP is working, but your VPN's ISP would not have been talking to SpamCop's ISP. When someone at those ISP found out there was a problem, they could fix it. This is why the problem started happening by itself and would have fixed itself. (Most of my internet traffic goes through about five different ISPs between my computer and the server.)
  3. I do find it interesting that the whois entry says "ArubaCloud UK Cloud Services" based out of London, UK. If the email address doesn't work for you, then you might want to try https://www.aruba.it/en/report-abuse.aspx.
  4. gnarlymarley

    SpamCop on cPanel - do-able?

    I am not familiar with cPanel, but I am with SpamAssassin. I currently have version 3.4 and there is a a rule in it called RCVD_IN_BL_SPAMCOP_NET that brings in block list functionality. I was looking at and the version 2.6 appears to have the rule in it. Later versions all seem to have it. Is this the type of integration you are looking for? I am not sure if you have a special score for it or would be using the default score.
  5. From what I see on your tracking URL, there are some missing Received lines. I see you have the Received and by sections, but no from section. Received: by smtp50.i.mail.ru with esmtpa (envelope-from <investor@bit.com>) I would expect to see a like such as the following where it has the from: Received: from [IP.add.re.ss] (helo=server.name.org) by smtp50.i.mail.ru with esmtpa (envelope-from <investor@bit.com>) SpamCop uses the part between the from and the by to determine the message source.
  6. Most ISPs don't go in and decode the base64. For those that do or might, I just decode it, strip out my address, and then reencode it. This might be a good feature to have and there are perl modules that can decode/encode it.
  7. gnarlymarley

    Spammers using web "middleman" URLS (tb42trk.com)

    I believe they are called URL shorteners. How they work, is a person can type/paste in a URL into the shorteners site and get a shortened link. Visiting the shortened link passes a 302 or a 301 redirect and your browser will be redirected directly to the longer URL. During the redirect, the shortener tracks the usage. Shorteners were started because links (such as forum post) can be quite long. http://forum.spamcop.net/topic/11594-my-url-shortener-website-is-spamvertised-what-to-do/ http://forum.spamcop.net/topic/10541-resolve-redirections-of-url-shrinking-url-redirection-services/
  8. gnarlymarley

    Russian spam can't be reported

    The only problem I can see is the missing date and something weird with the third received line. But then you probably have this resolved by now with the mailhosts tab.
  9. I had a similar one but it seems the rdns redirect is bouncing, so mine went back to hotmail. It appears the idea behind this might be so SpamCop can sent to the related abuse department. It appears that SpamCop may have worked directly with the Microsoft abuse department on this part of the code. Tracking URL: https://www.spamcop.net/sc?id=z6640795915z6babc4f58dd1fd8e9d6265ff6ca18ce3z
  10. We need to have SpamCop automatically detect when an entire IP range is transferred from one registrar to another. Right now, there are a lot of manual updates being put in to get the reports to the correct destination. This should be automated so that the correct whois entries can be detected without manual human intervention. Routing details for [refresh/show] Cached whois for : search-apnic-not-arin@apnic.net I refuse to bother search-apnic-not-arin@apnic.net. Using search-apnic-not-arin#apnic.net@devnull.spamcop.net for statistical tracking. Using last resort contacts search-apnic-not-arin#apnic.net@devnull.spamcop.net I believe this is what it would detect in the code. ReferralServer: whois://whois.apnic.net
  11. gnarlymarley

    Sendgrid reports dev'nulled?

    It would say something like bounces if they are rejecting the report. This looks like it was manually turned off. My suspicion is a deputy turned off their reports. I think sendgrid if went in with their ISP account and turned off reports, we could get a message that "ISP does not wish to receive reports". You can try a deputy at deputies[at]admin[dot]spamcop[dot]net.
  12. gnarlymarley

    Is there a SpamCop Outage

    I wonder if the off button is not working since it appears to only work for a little bit on restart. I wonder if you would be able to do something like a traceroute through the VPN. Here is my thought, back in May I experience an ISP issue on IPV4 where this forum became an island. During that same time, other people on this topic were able to get to the forum just fine. It maybe possible that verizon or some other ISP is still having issues, but ones that only affect certain internet destinations. I imagine it works on startup until the opera VPN has a chance to connect. If you could do a traceroute both through the opera VPN and also when it is disabled, you might be able to see where the problem is. (When I had my problem for a few weeks, I did notice that there was a 15 min time window during the day when it would work normally.)
  13. gnarlymarley

    Is there a SpamCop Outage

    maybe not the problem, but a possibility. If I recall correctly, there used to be a setting in opera that would allow bidirectional usage of other people's internet. I think it was there to enable a faster download of other people on your same ISP to use their cache to download webpages faster. If this option was enabled, maybe it could have contributed to the issue.
  14. gnarlymarley

    Cannot find ip range in whois output

    one possible option would be to do a regex swap when the whois is pulled into the cache such as: s/inetnum/inet6num/
  15. gnarlymarley

    blocklist removed

    One note is that you can try is to do a local lookup and see if it is cashed in the blocklist by your local DNS. Another thing to note is that a few decades back, there were some email providers that mistakenly blamed the spamcop blacklist for blocking email when in fact, it was their own blocklist they were using. nslookup -type=any If the IP is not on the blocklist, but is still blocked, it is likely the email provider has setup a badly configure rbl entry in the receiving email server.
  16. gnarlymarley

    Reporting spam has no effect

    I probably have a million plus reports of the past few decades that sure keep my average up. I believe I saw the term snowshoe spamming. that explains this. I have about a thousand of my own spamtrap email accounts and one thing I noticed is that the IP never seems to be repeated. If you look at what Lking sent above, the spammer is doing that do they will not get listed. Can be amazing how many IP blocks are out there that they can use with this "hopping" method.
  17. I don't see the "Forward as attachment" as an option in the webmail version. That is basically what it is, so you can save the "raw message" as a notepad txt file and then attach it to a new message. Or else you can use something like the thunderbird email client that forward as an attachment.
  18. gnarlymarley

    Increase in spam out of google lately. Anyone know why?

    My phone company has a special number that I can call that will disable callerID. Hopefully you also have this option to block callerID enabled, so they are not able to retaliate to your number. if they can see the callerID....
  19. gnarlymarley

    Eonix.net helping spammers?

    Either that or maybe see if your mail server supports special filtering rules. Before I went to spamassassin, I was doing weird helo accept/deny rules as well as maintaining my own blocklist. They can revoke the IP address for policy violations but that doesn't always stop the spammer. The ISP's ISP should be checking that their customers are using valid ranges. I had one in Europe that has assumed two class C networks without being assigned them. It took a few months for them to stop using them.
  20. gnarlymarley

    spamcop forum on IPv6?

    Can we get http://forum.spamcop.net to have IPv6 enabled similar to http://www.spamcop.net? From what I understand cloudfront.net seems to indicate it could be free. On 23 may 2020, risebroadband and verizon had a IPv4 routing issue that prevented me from accessing the forum because it was hosted at cloudfront.net. It took quite a few days to get the issue resolved. I still do not know who had the broken router, but if we had IPv6 enabled on the forum, it could have been accessible during this period. IPv4 Routing Problem: C:\>tracert forum.spamcop.net Tracing route to spamcop.invisionmanaged.net [] over a maximum of 30 hops: 2 12 ms 11 ms 11 ms 3 9 ms 21 ms 9 ms 63-248-56-128.static.layl0101.digis.net [] 4 8 ms 9 ms 9 ms 63-248-56-49.static.layl0101.digis.net [] 5 13 ms 11 ms 14 ms ip65-46-60-157.z60-46-65.customer.algx.net [] 6 23 ms 25 ms 23 ms [] 7 * * * Request timed out. 8 * * * Request timed out. 9 * * * Request timed out. 10 * * * Request timed out. 11 * * * Request timed out. 12 * * * Request timed out. 13 * * * Request timed out. 14 * * * Request timed out. 15 * * * Request timed out. 16 * * * Request timed out. 17 * * * Request timed out. 18 * * * Request timed out. 19 * * * Request timed out. 20 * * * Request timed out. 21 * * * Request timed out. 22 * * * Request timed out. 23 * * * Request timed out. 24 * * * Request timed out. 25 * * * Request timed out. 26 * * * Request timed out. 27 * * * Request timed out. 28 * * * Request timed out. 29 * * * Request timed out. 30 * * * Request timed out. Trace complete. C:\> kinda working during the only 10 min period of the day: C:\>tracert forum.spamcop.net Tracing route to spamcop.invisionmanaged.net [] over a maximum of 30 hops: 1 1 ms 1 ms 2 ms DD-WRT [] 2 11 ms 23 ms 14 ms 3 10 ms 12 ms 11 ms 63-248-56-128.static.layl0101.digis.net [] 4 11 ms 13 ms 8 ms 63-248-56-49.static.layl0101.digis.net [] 5 20 ms 19 ms 11 ms ip65-46-60-157.z60-46-65.customer.algx.net [] 6 27 ms 25 ms 26 ms [] 7 34 ms 43 ms 28 ms 8 25 ms 24 ms 24 ms 9 36 ms 27 ms 66 ms 10 * * * Request timed out. 11 * * * Request timed out. 12 * * * Request timed out. 13 * * * Request timed out. 14 * * * Request timed out. 15 * * * Request timed out. 16 25 ms 26 ms 28 ms 17 30 ms 48 ms 40 ms 18 * * * Request timed out. 19 * * * Request timed out. 20 * * * Request timed out. 21 * * * Request timed out. 22 * * * Request timed out. 23 25 ms 33 ms 44 ms server-13-226-234-24.lax50.r.cloudfront.net [] Trace complete. C:\>
  21. Rainer, This appears to be only the URL specified and not coming directly from your server. Running it through google translate, it appears to be the normal whois email address testing. Sounds like they are sending out spam to attempt to send a bill to random domains to try to extort money. Been a while since I got one of those. (I think what petzl is talking about is where I have seen IP cameras and routers get hacked and the spam sent from there, but this does not appear to be coming directly from your server. If it was coming directly from your server, I would check the server and any devices that might be sharing the same IP for possible intrusions.)
  22. gnarlymarley

    Invalid certificate of forum.spamcop.net

    Seems to still be the same. Maybe you can submit something to the new features to get it fixed. http://forum.spamcop.net/forum/10-new-feature-request/
  23. gnarlymarley

    Bad Certificate for SpamCop

    It would appear that the forum only does http. From what I can tell, the hosting is done on cloudflare.net. So as long as that is the SSL cert, then you can login using https. I would advise against sharing this password with other places. I found the following, so I am not sure if there are plans in the works to fix this. Maybe submit a new feature request?
  24. gnarlymarley

    New spammer trick?

    Okay, I am confused with the tracking URL. It seems to be the message you tried to report is one that was sent directly to your submit address. I see the vmx and the app009. Are you trying to report a spam from someone that sent it directly to your submit address? (I am glad your submit address was replaced by an x in here as I don't want to know what it is.) If your submit address is in the wild, I would suggest you contact deputies[at]admin[dot]spamcop[dot]net.
  25. I had a similar situation happen to me about two decades ago with an admin from a well known education institution confusing the internal links of the spam as the source of the spam. This is why I prefer to report just the source instead of the links inside. If I see any on my reports that might be valid (innocents caught in the crossfire), I uncheck those.