Everything posted by gnarlymarley

  1. What I did is to add my problem email addresses to my block list. Then the messages are blocked at my border server. I do not have to worry about sending bad bounce messages, because the problem email is not even accepted on my server. A kinda off topic action that I performed is that I set up SRS and SPF so that it would prevent others from misusing my domain. SRS works off the "return-path". This has stopped the "mail bouncing emails" that I used to get. A side note is that I have opened my blacklist and currently do not see any "bounces" for messages that "appeared to be sent from me". I am guessing that a combination of these two items has been the reason as to why it has stopped for me, however, your situation could be slightly different. If the sending (bouncing) server is on the spamcop blocklist, then just adding the could stop or slow it down. With it all said, like Lking said, the real problem needs to be worked by the postmaster of the server that is "sending you the bounces". If that said individual does not respond, then the blocklisting and/or SPF is probably your next best option.
  2. If it was truly your submit address, then I would be worried. That is something that only you should know. Now if they replied to your <report_id> address, then that is different. The reason why your submit address should be kept hidden from others is that folks could abuse it and it could be turned off. If they do not know what the submit address is, you might be okay, but you might need to get a new one through Don at the deputies address. If you are copying folks on the same email as your reporting, it would probably be best if the submit address was in the BCC field.
  3. Sounds to me like you need to set up mailhost in your spamcop configuration options. Mailhosts is mostly used where you have more than one mail server using public IPs and it is forwarding between them. With this setup, spamcop should correctly identify the servers in the received line up to your border server and be able to correctly identify the real culprit. The neat thing about mailhosts setups is that it will fix your previous attempts of spam reports and those should display properly.
  4. IamInnocent. Yep, that is the page, but Google made a change a while ago, where using ctrl-a does not work. Instead, I used the "Copy to clipboard" button and then go to the spamcop reporting form and paste. Now for your original question, I get that message when I forward, but not as an attachment. Apparently a lot of folks prefer the "reply" style of forwarding and this style throws away the full headers. They change it so much, I am no longer sure if there is a key that you can hit when you click forward for it to send as an attachment. Your other option is to click the "Download original" and attach those files to an email, but that is probably as much work as what I do with the "Copy to clipboard" button.
  5. Looking at the spams, it would appear that the spammer is adding the X-Originating-IP header to confuse the matter. I do not see that IP listed in any Received lines. As it stands, I can trust any spam as far back as my border server. I cannot trust it past that. My border server will have the logs with the IP that I need to report. They in turn can use their logs and pass it up to their suspected source.
  6. This would sure be easier to read if we had the tracking URL. If I see this correctly, then it appears that the email was forwarded through Since I am not familiar with this IP, I will take the route of it possibly being okay. Another SpamCop user can take that one on. From what I see, the order of the headers is "Our-IP" and then This would mean that probably used your router to send the email. If we assume that it did come from your IP, then I would guess you already checked the server logs. The next thing I would check is your NAT router and make sure did not get hacked. I have seen plenty of email come directly from routers, where it completely bypasses the email server.
  7. If you can, please report every email that you receive that is actual spam, which will allow the spamcop blocklist to have all IPs listed. Also, spamtraps only use mole reporting. See below why spamcop only blocks on reported IPs. When a sufficient number of spams are reported, spamcop automatically adds it to the blocklist. Now, to make sure false-positives are not added, spamcop uses a special formula to verify that only actual spammer's IPs are added to the blocklist. This means that it will take more than one report to have the IP listed on the blocklist. I believe the issue is that folks who send legitimate email do not want to have their IP listed. This can cause issues if spamcop just started randomly adding IPs to their block list. Because of this, I maintain my own block list alongside of spamcop, where I can and do block whole subnets from repeated spammers. But before I add the whole subnet to my personal blocklist, I have to check and verify that there are no legitimate emails and that there are no IPs that should not be blocked. * 3600 A
  8. The goal of spamcop is to help us (receivers of spam) to get an ISP to do something about their troublesome clients. If that fails, then just block the IP address until those responsible at that ISP decide to do something about those problematic clients. The goal of the munging is to prevent spammers from finding out who is reporting them. Most spammers do not use a mail server and therefore they are not able to figure out who to retaliate against. The spamcop report contains the ID that the mail server put on it, so the true ISP will be able to see who the email was sent to, who logged in (authenticated to) the mail server, and then do something about it. Edit: What is meant by mole reporting is that the report never goes to the ISP administrators, nor to the suspected spammer. It only is used for statistics and populating the blacklist.
  9. I usually see this when the spammer is using my local email provider. Since spamcop is external to my email provider, I have to use the "report spam" button to get it sent to the postmaster to deal with. Before the report spam buttons and back around when spamcop began, we used to forward those emails to abuse@[relatedISP].com.
  10. Interesting that both the command-line version as well as the "Display Data" link show this as plain text. It sure does confuse the parser. I wonder why RIPENCC has changed the data?;cmd=whois
  11. Years ago when I first saw multiple providers doing this, I started opening up the source and copying. Nowadays, I have set up my own email server and forward all email to spamcop through that server. I find that when I can control who blocks, it is much easier. If you have a second email account, you can set that up in Thunderbird and forward to spamcop using that connection.
  12. Actually, I would agree with Lking as you will see the same issue with quick reporting as you see with normal reporting. I believe the issue is somewhere between earthlink and spamcop mail servers, before you even get to the spamcop code. Quick reporting uses the same mail servers that normal reporting uses. I am guessing that once the problem is resolved, you "should" get all the delayed messages coming in. Since I was able to send stuff in successfully, I would tend to believe the issue lies on the earthlink outbound email side.
  13. So far, I have never seen an issue between mailhosts and the returning acknowledgement from forwarded spam. My question is when you log in, do you see a line right above where you manually submit where it says to "report unreported spam"? I am thinking the issue might be some sort of delay with the inbound mail server and accepting reports. From what I have seen, if your spam makes it to the mailhosts section of the code, you will see it right above the form on the manual submit page. If the unreported link is missing from that section, then your email is not making it to the spamcop code and the issue could be with your outbound email servers. I had forwarded something this morning (around six and a half hours ago) and did get the acknowledgement back, so that part should be working. For quick reporting, you just change the "submit" portion of your special (and should always be hidden) submit link to "quick". You might also need to see the attached.
  14. Yeah. I also noticed that your report has a double dot in the hostnames. I wonder if spammers have figured out how to fool SpamCop. It very well could be related to the following post since it appears to be stopping around the same point.
  15. Sounds like you might need to have mailhosts set up. Mailhosts is to prevent all of your local servers (which forward email from one to the other) from being listed in the reports.
  16. Interesting that the hostname starts with a dot in the submissions where it stops at: View entire message Parsing header:
  17. I am not sure if hiccup is the right word. Whenever I look at your tracking link, as well as a few of my own, they all show errors. It seems to be an issue that is rare, but consistent. I submitted one a few days ago and have not heard back yet. Maybe they were upgrading the system while you were trying to originally submit.
  18. You might want to edit your post to remove your special reporting email address that I am not supposed to know. As for the error, I usually get that when the email I am reporting is not an attachment when forwarding. See Of course, this could be anything from forwarding and not as an attachment to your spam filter removing the attachment.
  19. This does not have much to do with actual reporting, but probably should be answered. No DNS spoofing. This is nothing more than an ISP who has started using the private address in their routers, but forgot to block it on their borders. We have been seeing private addresses more since the IPv4 runout occurred a few years ago. Also, you forgot about line #14 which is also a private address. For me, I just usually block these private addresses on my border firewall. I am sure if you were able to dig further you would probably see that line #13, #15, #16, and #17 are also private addresses, but they actually blocked those. Now if you start to see the same IP repeated in multiple lines, you would probably know that they are NAT'ting their private addresses.
  20. Seems to me this might be a parser error as it stops on the double period. Hopefully, the deputies will be seeing this. If not, then it might be good to get Don on this at service[at] Host (checking ip)
  21. The reply email (with subject of something like "[SpamCop] Errors encountered") should have some headers near the bottom. Since this email was not able to submit the spam, it does not contain a tracking URL. The bottom of the email should contain the message or part of it that was attempted to be submitted. If it only has part, you can compare the " Content-Type" to see if your sent email has the same boundary tag. Usually when I had issues in the past, it was due to my mail client not always sending it as an attachment. If you are not able to figure this out, my email from years ago, suggested to email the service address to get more information. Please check your email for an explanation or email for more information. I would not be surprised if cPanel is doing some sort of spam filtering and randomly removing attachments for you.
  22. I found this thread that talks about cPanel removing attachments after you forward. This this spot on the cPanel where you have to allow attachments to head to users. I am not sure why anyone would make attachment filter a default.
  23. I went to and got the following not listed in My guess is that someone was using to send actual spam, it got reported, and now the issue is resolved. When spammers use legitimate email services, it usually gets solved much quicker with the offending party being kicked off.
  24. All spamcop does for us users is to report spam back to the original administrator. I would tend to agree with InvisiBill. As for the issue at stake, I cannot click that "flag as inappropriate" button as the entry was not sent to me. The only person that can morally click the "flag as inappropriate" button is jazz25.
  25. I am not sure I entirely understand the question. What I see is an email that came from and the email has given authorization through a spf check. What happened is that was involved to send the email. If that IP is behind a NAT, then any number of hosts (which use that NAT) could have been used to send the email, including the NAT router itself. What we do know is that any of these devices could have been hacked or else the email was sent by a legitimate person. I am guessing that this is what you meant by possible forgery. Also, if you have any ties to, it might be in your best interest to check for hacking to prevent further usage of that IP by spammer jerks.