Jump to content

gnarlymarley

Memberp
  • Content Count

    482
  • Joined

  • Last visited

Everything posted by gnarlymarley

  1. The cause of listing section says that spam is being received by spamtraps and users coming from 208.180.40.71. Causes of listing System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop) SpamCop users have reported system as a source of spam less than 10 times in the past week I have seen where a virus, malware, spyware, or router can be remotely controlled and then the hacker uses the device to send spam. If that is an open MTA, then anyone can connect and use it it to send spam. I see the time is changing between 23 and 22 hours, so it would appear that the spam action is still going on. According to the neighborhood section of https://www.spamcop.net/w3m?action=blcheck&ip=208.180.40.71, I do not see 208.180.40.68 listed. It would appear to be almost all is from 208.180.40.71. Securing that IP, and/or the router in front of it should help eliminate the spam that appears to be coming from it.
  2. I should also note, that this might be a good idea to have all devices (such as camera or refrigerators) that share that same IP to be checked for sending spam. Hackers love abusing other people's computers so their IPs get listed instead of their own. Once all the devices are secured, the IP will be automatically removed from the list.
  3. gnarlymarley

    Reporting spam has no effect

    In my past, I would just block the whole range if I were to get a reply like that. Now I just use SpamAssassin and mark the range as more likely spam. With enough of their customer's emails being blocked, they will the give up and find another provider.
  4. The IP does appear to be listed. https://www.spamcop.net/w3m?action=blcheck&ip=208.180.40.71 208.180.40.71 listed in bl.spamcop.net (127.0.0.2) If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 22 hours. It appears that enough reports were files to get 208.180.40.71 listed. Since I am just a user, I am not able to look up much more. I would suggest that you have your employee scan their computer for viruses and have them make sure they do not have malware or spyware.
  5. There could be some old cache pointing to old information. You might want to try doing a "refresh/show" on the report to see if the address gets fixed. If this does not help and if the deputies do not respond, I would suggest contacting the admins at deputies[at]admin[dot]spamcop[dot]net.
  6. gnarlymarley

    URL host links limit

    I have noticed that sometimes spammers use too many URLs in their spam. Would it be possible to group links by hostname and processs them by that? When the report is sent, they combine there. Moving it to the hostname means if all the links share the same hostname, they can still be reported. This would also save on DNS look ups if the links are below the limit. https://www.spamcop.net/sc?id=z6698896959z37653b35adb76c14bc27cd5541f78a03z
  7. gnarlymarley

    URL host links limit

    Here is another tracking URL that demonstrates what I mean by combining. In this example, we can see that it looks up two different hostnames. It would be nice if these could be grouped by server name so that it would only have to do two look ups instead of four. https://www.spamcop.net/sc?id=z6698611793zb63e53a6ab1d3867166620a089eae7a8z
  8. gnarlymarley

    Nothing to do is back

    Or if you have already submitted, you can click on past reports, click on the link by the IP, then Parse, and you should have the tracking URL.
  9. gnarlymarley

    forwarded spam being returned

    I don't currently have a problem submitting my forwarded spam all week. Last time I had a problem with the forwarding, I was able to check out the reply and the headers to find it was my ISP that was blocking the forwarding.
  10. gnarlymarley

    Google Network a Frequent Source of spam

    I am not sure why, but for some reason, spammers do not send spam to my yahoo account any more. I probably get two spams a year there and I don't know why so little. I wonder if the difference between my experience with google is that with hotmail, my average reporting time is around 8 hours, but with gmail reporting through spamcop, my average reporting time is about 30 minutes. I might need to speed up my hotmail reporting to see if that makes a difference.
  11. I remember when I used to submit tons of reports to the postmaster address. Kind of interesting that if someone lets the spamming go on, they get spammed, no matter what their address is. I find it easier to have my address and postmaster sharing the same box and then I can filter on the "To:".
  12. gnarlymarley

    Google Network a Frequent Source of spam

    I see the same thing coming to my hotmail. As near as I can tell, the spammers are spinning up and down cloud instances as fast as they can to prevent getting caught. Either they reached a point where they gave up on my gmail, or else google sometimes deals with it. With my hotmail seems to be a day or two in between the spam like this.
  13. gnarlymarley

    Spammer Bcc'ing replies to himself?

    If you mouse over the "posted [date] at [time]", it should show the year with the time in GMT or UTC format. I have had this happen a year or two ago where someone signed up with an impersonator acount on facebook and started trying to friend everyone. Somehow the scammer/spammer must have got a list of contacts and is attempting each one until they find someone that will reply. If it stays quiet enough, they will eventually give up. If you click the report links, they should come up with the tracking URLs. You might have to click a "parse" link at the top to find it.
  14. gnarlymarley

    Ancient routing information.

    Sure is old information. If you don't see this updated soon, I would suggest you can also try contacting deputies[at]admin.spamcop.net. abuse net endurance.com = abuse@websitewelcome.com, eig-abuse@endurance.com Using best contacts eig-abuse@endurance.com abuse@websitewelcome.com
  15. Interesting they list the two addresses. I have seen it where companies want different abuse addresses to track where it comes in from. Would be nice if companies would keep their contact information up to date in whois. I also noticed it is prefering the /23 over the /16. Using smaller IP block (/ 9 vs. / 16 ) Removing 1 larger (> / 9 ) route(s) from cache
  16. interesting combination of manual entry and refuse to bother.
  17. gnarlymarley

    sendmail woes

    ping looks for an A record. Email servers look for a MX record.
  18. I noticed the reporting address seems to have changed for in the SpamCop whois mirror after it was manually updated. Looks like it should be abuse@hostopia.com.au instead of abuse#web24.com.au@devnull.spamcop.net. See below. https://www.spamcop.net/sc?action=rcache;ip=182.160.134.78 $ whois 182.160.134.78 [spamcop mirror] inetnum: 182.160.128.0 - 182.160.191.255 netname: HOSTOPIA-AU descr: Hostopia Australia Web Pty Ltd country: AU org: ORG-JAHP1-AP admin-c: HAA3-AP tech-c: HAA3-AP abuse-c: AH908-AP status: ALLOCATED PORTABLE remarks: -------------------------------------------------------- remarks: To report network abuse, please contact mnt-irt remarks: For troubleshooting, please contact tech-c and admin-c remarks: Report invalid contact via www.apnic.net/invalidcontact remarks: -------------------------------------------------------- mnt-by: APNIC-HM mnt-lower: MAINT-HOSTOPIA-AU mnt-routes: MAINT-HOSTOPIA-AU mnt-irt: IRT-HOSTOPIA-AU last-modified: 2020-08-11T19:17:02Z source: APNIC role: Hostopia Australia Administrator address: PO Box 76 country: AU phone: +61 288231020 e-mail: apxxx@hoxxxxxxxxxxxxx admin-c: HAA3-AP tech-c: HAA3-AP nic-hdl: HAA3-AP notify: apxxx@hoxxxxxxxxxxxxx mnt-by: MAINT-HOSTOPIA-AU last-modified: 2020-08-11T19:31:17Z source: APNIC https://www.spamcop.net/sc?action=showroute;ip=182.160.134.78;typecodes=16 Reports routes for 182.160.134.78: routeid: 78704091 182.160.128.0 - 182.160.191.255 to: abuse@web24.com.au Administrator interested in all reports Wed Jun 3 23:36:53 2020 GMTWednesday, June 03, 2020 5:36:53 PM -0600 https://www.spamcop.net/sc?id=z6695233831zdb2126a0f580859cfda6f258ea608660z Tracking message source: 182.160.134.78: Routing details for 182.160.134.78 Reports disabled for abuse@web24.com.au Using abuse#web24.com.au@devnull.spamcop.net for statistical tracking. Report routing for 182.160.134.78: abuse#web24.com.au@devnull.spamcop.net Yum, this spam is fresh!
  19. I am not sure what you mean. The links in my reports are sent out and some of mine get a response from AWS or CloudFlare. I think there is a limit of around eight links that will get reported. Maybe this post could be what you are talking about Linsk are not parsed when Return-Path is empty?
  20. gnarlymarley

    If reports were sent today....

    That almost looks like something that has been reported already. You can see if it was reported by going to your past history.
  21. gnarlymarley

    Linsk are not parsed when Return-Path is empty

    I think this may have caused some confusion as the above tracking URL is missing the body. See below for verification test. So I took your link that failed to parse and I added something in the return-path. The links would parse again. So I submitted it as is and it fails to parse. Clearly, it appears you have caught a problem or bug here where SpamCop is broken. Working (changed return-path): https://www.spamcop.net/sc?id=z6693978467z3560f51112de7e9fcadc539b521ce73bz Not working: https://www.spamcop.net/sc?id=z6693978389zca5cee5269c5f353471c599d70e7c266z As you can see by comparing, I submitted the same thing twice, except I added an email in the return path.
  22. gnarlymarley

    Linsk are not parsed when Return-Path is empty

    I have seen this a while ago, but I didn't have time to do any research on it. I will have to pay attention for the next time I get a spam that has links, but they get ignored. (I think mine were August or July, so they are probably past the 90 days so I will not be able to get tracking URLs.)
  23. gnarlymarley

    No data / Too much data

    Does this post help? http://forum.spamcop.net/topic/9324-unable-to-process-message-hearders-in-reporting-tab/?do=findComment&comment=63654 If I click "Process spam" without having the textbox above filled out, I get a similar message. Try going to https://www.spamcop.net/, without the sc at the end of the URL.
  24. Petzl, your link required authentication. Did you mean https://www.spamcop.net/fom-serve/cache/401.html?
  25. Hmmm, I noticed your second line does not properly match the first one. Specifically the "by 0.0.0.0:2500" section does not match a mailchannels line of "inbound-egress-6.mailchannels.net". Something is strange where the headers do not see to match up. If nothing was lost, then this would be from an internal mailchannels user. 1: Received: from TrololoVPN ([UNAVAILABLE]. [163.172.137.93]) by 0.0.0.0:2500 (trex/5.18.10); Thu, 12 Nov 2020 21:07:09 +0000 No unique hostname found for source: 163.172.137.93 Possible forgery. Supposed receiving system not associated with any of your mailhosts Will not trust this Received line.
×