
gnarlymarley


Posts posted by gnarlymarley


  1. Does this post help?

    http://forum.spamcop.net/topic/9324-unable-to-process-message-hearders-in-reporting-tab/?do=findComment&comment=63654

    If I click "Process spam" without having the textbox above filled out, I get a similar message.  Try going to https://www.spamcop.net/, without the sc at the end of the URL.


  2. 8 hours ago, ewv said:

    Another example:

    https://www.spamcop.net/sc?id=z6690587707z0afbb907bf385a3a5839c4d16a400f48z

    This has not been reported so as to not duplicate.

    Hmmm, I noticed your second line does not properly match the first one.  Specifically the "by 0.0.0.0:2500" section does not match a mailchannels line of "inbound-egress-6.mailchannels.net".  Something is strange where the headers do not seem to match up.  If nothing was lost, then this would be from an internal mailchannels user.

    1: Received: from TrololoVPN ([UNAVAILABLE]. [163.172.137.93]) by 0.0.0.0:2500 (trex/5.18.10); Thu, 12 Nov 2020 21:07:09 +0000
    No unique hostname found for source: 163.172.137.93
    Possible forgery. Supposed receiving system not associated with any of your mailhosts
    Will not trust this Received line.

     


  3. 6 minutes ago, petzl said:

    ?
    process_milters-daemon.rn-mailsvcp-relay-lapp04.rno.apple.com

    --- 11/06/20 10:59:48 AUS Eastern Summer Time
    --- reading URL process_milters-daemon.rn-mailsvcp-relay-lapp04.rno.apple.com
    --- error: Host not found

    I wonder if it is considered an "internal IP".  It is interesting that it picks up the 8.1.0.6 IP from what appears to be a software version number.

    Server 8.1.0.6.20200729 64bit

    Probably a regex border issue seeing the period as an end of sentence?


  4. 1 hour ago, Thorin said:

    Isn't there a way to make reports go to the damned dnsadministrator@aamc.org or jbartell@aamc.org which is another contact reported by whois?

    I believe this is what the forum subsection for reporting address issues is for.

    http://forum.spamcop.net/forum/39-routing-report-address-issues/


  5. 5 hours ago, Andrew Axe said:

    rbl.websitewelcome.com, see Blocked - see 550 http://www.spamcop.net/w3m?action=checkblock&ip=201.28.14.210"

    The RBL from your message seems to be for rbl.websitewelcome.com, but yet they tried to give you a link to spamcop.net.  I don't like it when people give the wrong rejection message for their RBLs.


  6. On 10/16/2020 at 5:33 PM, Outernaut said:

    Mail arrives at server and in cPanel > Global Email Filters is where I enter the IP, and choose what to do with that IP next time email arrives.

    After reading https://docs.cpanel.net/knowledge-base/email/how-to-configure-email-filters/, it appears that Global Email Filters uses spamassassin.  Spamassassin usually scans the email after it has been received, but before it was accepted.  This means a bounce should not originate from your server.

    On 10/20/2020 at 12:37 PM, Outernaut said:

    Can someone tell me where I should be asking this question? Should I open an account at cPanel and ask them?

    I think a question here is whether cPanel's Global Email Filter's "Fail with Message" does it before or after it is accepted.  A message can be sent along with the rejection to the sending server at the time of rejection.  It may be good to ask the cPanel folks if your question does not get a reply.


  7. If I am reading this correctly, it would appear that something has gone weird with the IP addresses on received lines 1 and 2.  The server names do not match, nor do the IPs match.  Either hotmail is not reporting all the received lines to you or else, this is a hotmail internal email.


  8. On 10/30/2020 at 1:48 AM, Deckard said:

    Is there a tool to reliably detect spamvertised images maybe on upload?

    There was a tool I knew about years ago called dansguardian, but I am not sure if it is still a viable tool.  I understand it could scan images.


  9. On 10/27/2020 at 2:31 PM, petzl said:

    Doesn't appear to be fixed.  I see line #7 has the problem still

    7: Received: from process_milters-daemon.rn-mailsvcp-relay-lapp04.rno.apple.com by rn-mailsvcp-relay-lapp04.rno.apple.com (Oracle Communications Messaging Server 8.1.0.6.20200729 64bit (built Jul 29 2020)) id <0QF100500ALEFW00@rn-mailsvcp-relay-lapp04.rno.apple.com> for x (ORCPT x); Thu, 13 Aug 2020 20:24:51 -0700 (PDT)
    No unique hostname found for source: 8.1.0.6
    mac.com received mail from sending system 8.1.0.6
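
The "regex border" guess from items 3 and 9 can be reproduced on the two Received lines quoted in items 2 and 9. This is an added example, not part of the original posts and not SpamCop's parser code; both patterns and the function names are assumptions made for illustration.

```python
import re

# Received lines copied from the posts above (items 2 and 9).
LINE_TREX = (
    "Received: from TrololoVPN ([UNAVAILABLE]. [163.172.137.93]) "
    "by 0.0.0.0:2500 (trex/5.18.10); Thu, 12 Nov 2020 21:07:09 +0000"
)
LINE_APPLE = (
    "Received: from process_milters-daemon.rn-mailsvcp-relay-lapp04.rno.apple.com "
    "by rn-mailsvcp-relay-lapp04.rno.apple.com (Oracle Communications Messaging "
    "Server 8.1.0.6.20200729 64bit (built Jul 29 2020)) "
    "id <0QF100500ALEFW00@rn-mailsvcp-relay-lapp04.rno.apple.com> "
    "for x (ORCPT x); Thu, 13 Aug 2020 20:24:51 -0700 (PDT)"
)

# Assumed naive pattern: any four dot-separated digit groups.
NAIVE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Assumed hardened pattern: the quad may not be glued to further digits or
# dotted digit groups on either side, so a version string such as
# 8.1.0.6.20200729 is skipped, while a sentence-ending period is still allowed.
BOUNDED = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?!\d|\.\d)")


def _octets_in_range(candidate):
    """True when every dot-separated group is a value from 0 to 255."""
    return all(int(octet) <= 255 for octet in candidate.split("."))


def naive_ips(line):
    """Dotted quads found without any boundary check."""
    return [m for m in NAIVE.findall(line) if _octets_in_range(m)]


def bounded_ips(line):
    """Dotted quads that are not part of a longer dotted number."""
    return [m for m in BOUNDED.findall(line) if _octets_in_range(m)]


if __name__ == "__main__":
    for name, line in (("trex", LINE_TREX), ("apple", LINE_APPLE)):
        print(name, "naive:", naive_ips(line), "bounded:", bounded_ips(line))
```
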

     


  10. 1 hour ago, petzl said:

    Need to sign up with a valid credit card warning each spam complaint will be charged $100. A reply below took over a month for one.

    As much as I agree with this, I remember a company called "America OnLine" (AOL) who sent out floppies and later CDs in the 1990s.  You could use their free month, but they required a valid credit card.  I didn't feel like giving it to them, so I never used the free month.  My guess is that may be why they didn't get the customer base they desired.

    I do not have a good replacement scheme for your suggestion and it appears it would stop the spammers.


  11. 19 hours ago, Outernaut said:

    I sent an email out from me@y.com to myself at a telecom email address. The headers showed the IP for the shared host email IP, followed by my ip at the telecom. If I understand you correctly, then my IP is showing? Is there a handy-dandy how-to for noobs you could recommend that addresses this issue of 'to bounce or just delete'. ?

    It is correct that your IP will be showing since you started the test email.  Your IP will not be showing when someone else starts the email as it will be their IP.

    This suggests to send bounces to a local address and look at them:
    https://www.spamcop.net/fom-serve/cache/380.html

    This suggests to check the device if it is the source of the spam:
    https://www.spamcop.net/fom-serve/cache/405.html


  12. On 10/15/2020 at 10:53 AM, Snowbat said:

    '51.120.0.0 - 51.120.255.255' is Microsoft but Spamcop reports 51.120.93.44 directly to the spammer. I've seen similar misreporting for other Microsoft-hosted spammers.

     

    That is a good question. I would almost expect abuse@microsoft.com to be on the list as well in addition to the administrator's abuse address. I think this might be microsoft's cloud and it is going to the server admin, which may or may not be the spammer.


  13. 1 hour ago, Snowbat said:

    52.132.0.0 - 52.143.255.255 is a Microsoft netblock. Why is SpamCop not reporting this to abuse@microsoft?

    That is a good question. I would almost expect abuse@microsoft.com to be on the list as well in addition to the administrator's abuse address. I think this might be microsoft's cloud and it is going to the server admin, which may or may not be the spammer.


  14. 3 minutes ago, Snowbat said:

    168.61.0.0 - 168.63.255.255 is a Microsoft netblock. Why isn't SpamCop reporting this to abuse@microsoft.com?

    That is a good question.  I would almost expect abuse@microsoft.com to be on the list as well in addition to the administrator's abuse address.  I think this might be microsoft's cloud and it is going to the server admin, which may or may not be the spammer.


  15. 1 hour ago, Snowbat said:

    Whatever SpamCop is trying to do here is clearly broken and likely to deliver reports directly to spammers hosted on Microsoft.

    That is a good question.  I would almost expect abuse@microsoft.com to be on the list as well.  I think this might be microsoft's cloud and it is going to the server admin, which may or may not be the spammer.


  16. 15 hours ago, OneTimeOnly said:

    Since I'm in charge of IT, I was required to figure out why the messages from the contact-us form didn't reach the email under our domain which as a result led me to the Junkmail/Spamcop logs.

    I am not sure if this could be done in Cpanel, but one thing I had done for my RBL section was to add an exclusion for certain accounts in my exim setup.  It is easier if the accounts are hidden and say alias accounts to the real thing.

    local_parts = !postmaster : !abuse

    Something I have also done is to use a scoring system such as spamassassin, so that a single RBL is not able to let my mail server block email.


  17. 14 hours ago, OneTimeOnly said:

    Other IP addresses are 

    • 50.31.49.42
    • 167.89.12.138
    • 50.31.49.41

    I did find the following post where it appears that 50.31.49.41 has been used quite a bit in the past to send spam.

     


  18. 41 minutes ago, Outernaut said:

    GURUS! Is it best practice to bounce, or not to bounce and just delete them?

     

    I think some clarification needs to be around the word bounce.  If you are bouncing during the smtp connection, then the bounce will not originate from your server, but will be sent from the sending server.  If you accept the email, and then bounce later, it will be coming from your server.

    My preference is to disable anything that might show my server's IP, such as a bounce after SMTP accept, and to have my server reject during the SMTP connection so the IP in the bounce would be the sending server's IP, not mine.


  19. 1 hour ago, Outernaut said:

    First of all, I don't accept public wmail from clients. Either they use their real email, or they don't get a reply. So, when invoices go out, it's to real email address.

    Ah, so any bounces from "postmaster@client_host.com" or from "<>" might have been rejected to your account.  Also, those bounce replies would have gone to either "From: billing@anotherdomain.TLD" or to the mail__envelope_from you set up when the emails were sent.  If you like, and it is visible, you can set to the mail headers "Warnings-To: billing@anotherdomain.TLD" or "Errors-To: billing@anotherdomain.TLD" to get problems, but these headers usually go out with the emails and could be visible.


  20. 16 hours ago, lanny said:

    As it turns out this was caused by my sending mailserver (Mailu) which replaces Received lines (even in attachments).

     

    Ouch.  That doesn't sound good.  With the Received lines being replaced, the only way to find the IP is to go back to the logs on each server and look up the "id" from the received line.  (That is, as long as it didn't change that too.)


  21. 21 hours ago, o.ukraintsev said:

    we have received a summary report on one of our IPs

    I am a volunteer too.  You mentioned a summary report and ARF format.  If I remember correctly those came from the "ISP Control Center" account as an hourly or daily email as "Third party interested in daily aggregate summary reports".

    19 hours ago, Lking said:

    The spam report you received does contain a copy of the offending email (most likely with the destination address obscured).

    There would have been a separate email that Lking is talking about that contains a link to the spam.  This email would have been sent to the abuse address as defined in your local internet registry's whois service.
