gnarlymarley

Does this post help? http://forum.spamcop.net/topic/9324-unable-to-process-message-hearders-in-reporting-tab/?do=findComment&comment=63654 If I click "Process spam" without having the textbox above filled out, I get a similar message. Try going to https://www.spamcop.net/, without the sc at the end of the URL.

Petzl, your link required authentication. Did you mean https://www.spamcop.net/fom-serve/cache/401.html?

Hmmm, I noticed your second line does not properly match the first one. Specifically the "by 0.0.0.0:2500" section does not match a mailchannels line of "inbound-egress-6.mailchannels.net". Something is strange where the headers do not see to match up. If nothing was lost, then this would be from an internal mailchannels user. 1: Received: from TrololoVPN ([UNAVAILABLE]. [163.172.137.93]) by 0.0.0.0:2500 (trex/5.18.10); Thu, 12 Nov 2020 21:07:09 +0000 No unique hostname found for source: 163.172.137.93 Possible forgery. Supposed receiving system not associated with any of your mailhosts Will not trust this Received line.

You can try adding the same email address to your mailhosts again and then go back to the previous tracking URL to see if it picks it up. I don't think the mailhosts updates itself automatically.

I wonder if it is considered an "internal IP". It is interesting that it picks up the 8.1.0.6 IP from what appears to be a software version number. Server 8.1.0.6.20200729 64bit Probably a regex border issue seeing the period as an end of sentence?

I believe this is what the forum subsection for reporting address issues is for. http://forum.spamcop.net/forum/39-routing-report-address-issues/

The RBL from your message seems to be for rbl.websitewelcome.com, but yet they tried to give you a link to spamcop.net. I don't like it when people give the wrong rejection message for their RBLs.

After reading https: //docs.cpanel.net/knowledge-base/email/how-to-configure-email-filters/, it appears that Global Email Filters uses spamassassin. Spamassassin usually scans the email after it has be received, but before it was accepted. This means a bounce should not originate from your server. I think a question here is whether cPanel's Global Email Filter's "Fail with Message" does it before or after it is accepted. A message can be sent along with the rejection to the sending server at the time of rejection. It maybe good ask the cPanel folks if your question does not get a reply.

The IPv6 ranges returned from the lacnic whois is being properly detected. It appears that most of the whois servers return inet6num, but lacnic seems to be returning inetnum. For documentation, the IPv4 seems to be coming back as NetRange for all whois. It would appear that lacnic is going to stay with this as they have used this since they started on IPv6. Can we have the code in the whois section be able to pick up lacnic's IPv6 range? The tracking URL that was fixed by the deputies on 24 Feb but have screenshot of before fix: https://www.spamcop.net/sc?id=z6618132220z787713e4d45691f5d7d62752a3a7f109z Forum post from 2013: http://forum.spamcop.net/topic/13290-gmail-spam-from-ipv6/ Forum post from 2018: http://forum.spamcop.net/topic/30227-cannot-find-ip-range-in-whois-outputno-reporting-addresses-found-for-200112f0601a902000150/ Whois refresh page:

Or in perl speak: $whoisoutput =~ s/inetnum/inet6num/ if $whoisoutput =~ m/inetnum:.*?::/; The if is so IPv4 is ignored. Would be better to have full IPv6 address detection in place of the "::".

If I am reading this correctly, it would appear that something has gone weird with the IP addresses on received lines 1 and 2. The server names do not match, nor do the IPs match. Either hotmail is not reporting all the received lines to you or else, this is a hotmail internal email.

There was a tool I knew about years ago called dansguardian, but I am not sure if it is still a viable tool. I understand it could scan images.

Doesn't appear to be fixed. I see line #7 has the problem still 7: Received: from process_milters-daemon.rn-mailsvcp-relay-lapp04.rno.apple.com by rn-mailsvcp-relay-lapp04.rno.apple.com (Oracle Communications Messaging Server 8.1.0.6.20200729 64bit (built Jul 29 2020)) id <0QF100500ALEFW00@rn-mailsvcp-relay-lapp04.rno.apple.com> for x (ORCPT x); Thu, 13 Aug 2020 20:24:51 -0700 (PDT) No unique hostname found for source: 8.1.0.6 mac.com received mail from sending system 8.1.0.6

As much as I agree with this, I remember a company called "America OnLine" (AOL) who has sent out floppies and later CDs in the 1990s. You could use their free month, but they required a valid credit card. I didn't feel like giving it to them, so I never used the free month. My guess is that maybe why they didn't get the customer base they desired. I do not have a good replacement scheme for your suggestion and it appears it would stop the spammers.

It is correct that your IP will be showing since you started the test email. Your IP will not be showing when someone else starts the email as it will be their IP. These suggests to send bounces to a local address and look at them: https://www.spamcop.net/fom-serve/cache/380.html This suggests to check the device if it is the source of the spam: https://www.spamcop.net/fom-serve/cache/405.html

That is a good question. I would almost expect abuse@microsoft.com to be on the list as well in addition to the administrator's abuse address. I think this might be microsoft's cloud and it is going to the server admin, which may or may not be the spammer.

That is a good question. I would almost expect abuse@microsoft.com to be on the list as well in addition to the administrator's abuse address. I think this might be microsoft's cloud and it is going to the server admin, which may or may not be the spammer.

That is a good question. I would almost expect abuse@microsoft.com to be on the list as well in addition to the administrator's abuse address. I think this might be microsoft's cloud and it is going to the server admin, which may or may not be the spammer.

That is a good question. I would almost expect abuse@microsoft.com to be on the list as well. I think this might be microsoft's cloud and it is going to the server admin, which may or may not be the spammer.

I am not sure if this could be done in Cpanel, but one thing I had done for my RBL section was to add an exclusion for certain accounts in my exim setup. It is easier if the accounts are hidden and say alias accounts to the real thing. local_parts = !postmaster : !abuse Something I have also done is to use a scoring system such as spamassassin, so that a single RBL is not able to let me mail server block email.

I did find the following post where it appears that 50.31.49.41 has been used quite a bit in the past to sent spam.

I think some clarification needs to be around the word bounce. If you are bouncing during the smtp connection, then the bounce will not originate from your server, but will be sent from the sending server. If you accept the email, and then bounce later, it will be coming from your server. My preference is to disable anything that might show my server's IP, such as a bounce after SMTP accept, and to have my server to reject during the SMTP connection so the IP in the bounce would be the sending server's IP, not mine.

Ah, so any bounces from "postmaster@client_host.com" or from "<>" might have been rejected to your account. Also, those bounce replies would have gone to either "From: billing@anotherdomain.TLD" or to the mail__envelope_from you setup when the emails were sent. If you like, and it is visable, you can set to the mail headers "Warnings-To: billing@anotherdomain.TLD" or "Errors-To: billing@anotherdomain.TLD" to get problems, but these headers usually go out with the emails and could be visible.

Ouch. That doesn't sound good. With the Received lines being replaced, the only way to find the IP is to go back to the logs on each server and look up the "id" from the received line. (That is, as long as it didn't change that too.)

I am a volunteer too. You mentioned a summary report and ARF format. If I remember correctly those came from the "ISP Control Center" account as an hourly or daily email as "Third party interested in daily aggregate summary reports". There would have been a separate email that Lking is talking about that contain a link to the spam. This email would have been sent to abuse address as defined in your local internet registry's whois service.