Jump to content


  • Content Count

  • Joined

  • Last visited

Posts posted by gnarlymarley

  1. 41 minutes ago, Outernaut said:

    GURUS! Is it best practice to bounce, or not to bounce and just delete them?


    I think some clarification needs to be around the word bounce.  If you are bouncing during the smtp connection, then the bounce will not originate from your server, but will be sent from the sending server.  If you accept the email, and then bounce later, it will be coming from your server.

    My preference is to disable anything that might show my server's IP, such as a bounce after SMTP accept, and to have my server to reject during the SMTP connection so the IP in the bounce would be the sending server's IP, not mine.

  2. 1 hour ago, Outernaut said:

    First of all, I don't accept public wmail from clients. Either they use their real email, or they don't get a reply. So, when invoices go out, it's to real email address.

    Ah, so any bounces from "postmaster@client_host.com" or from "<>" might have been rejected to your account.  Also, those bounce replies would have gone to either "From: billing@anotherdomain.TLD" or to the mail__envelope_from you setup when the emails were sent.  If you like, and it is visable, you can set to the mail headers "Warnings-To: billing@anotherdomain.TLD" or "Errors-To: billing@anotherdomain.TLD" to get problems, but these headers usually go out with the emails and could be visible.

  3. 16 hours ago, lanny said:

    As it turns out this was caused by my sending mailserver (Mailu) which replaces Recevied lines (even in attachments).


    Ouch.  That doesn't sound good.  With the Received lines being replaced, the only way to find the IP is to go back to the logs on each server and look up the "id" from the received line.  (That is, as long as it didn't change that too.)

  4. 21 hours ago, o.ukraintsev said:

    we have received a summary report on one of our IPs

    I am a volunteer too.  You mentioned a summary report and ARF format.  If I remember correctly those came from the "ISP Control Center" account as an hourly or daily email as "Third party interested in daily aggregate summary reports".

    19 hours ago, Lking said:

    The spam report you received does contain a copy of the offending email (most likely with the destination address obscured).

    There would have been a separate email that Lking is talking about that contain a link to the spam.  This email would have been sent to abuse address as defined in your local internet registry's whois service.

  5. On 9/30/2020 at 4:39 PM, jakeqz said:

    I know.  Often they had the Gmail address before the website, and to have two email addresses seems a complexity beyond them.  "But I can set up forwarding for you."  "Too complicated."  "An email account @yourwebsite will look more professional."  "I'm doing fine.  I just wanted a website, that's all."

    That is why I either use the imap downloading offered in email client downloads, or if I have my own server, I use fetchmail.  This way, I do not abandon the old account and replies can come from the new account.

  6. 3 hours ago, nei1_j said:

    Am I interpreting the timeline correctly, that Yahoo is delaying delivering spams?  Anyone else notice this?  Even before their last corporate takeover, I've seen this behavior from some Yahoo spams.

     Or, is it a trick by the spammer?

    The date in the receive line should be added by Yahoo's servers, and the spammer should not be able to trick the server into putting in the wrong date.  As it is possible that there could be a bug in Yahoo's servers that they might need to fix, it is more likely that Yahoo has either the wrong date or a problem with their server's ability to deliver email.  Yahoo should be the one to fix such a bug, queue processing, and the time on the servers.

  7. On 9/23/2020 at 10:03 AM, KNERD said:

    I did go back and try, and it was then finding the IP address of the old message, but more than 48 hours had passed

    Hmmm, I wonder if it works for you if you wait without doing anything.  Such as revising a tracking URL that didn't work after an hour or two.  If so, might be some other issue.

  8. On 9/27/2020 at 11:36 AM, Outernaut said:

    I find a number of 404's and wonder if SpamCop is eroding away

    I found some of the pages are still there, but when they upgrade the forum a few years back the links changed.  Trying to search for the pages seem to bring the up for me.  I don't like how the links don't always work after that upgrade.

  9. On 9/27/2020 at 12:09 PM, Outernaut said:

    Recently, none get through, and I only find out after 2 months when no one has paid - they are not getting them. I get copies from same account that sends the invoices.

    I am curious if you are not getting bounces or if the invoice emails are going to their spam folders and they are not paying attention to it.  Google has made some changes to their spam folders a few years back and now I have to check the spam folder on a daily basis for non-spam email.

  10. On 9/26/2020 at 1:48 PM, pedza said:

    I have visited spamcop site and check our mail server IP address - the result is: OUR_MAIL_SERVER_IP_ADDRESS not listed in bl.spamcop.net

    Also good to know is that some people would make their own blacklist or point it to spamhaus, but leave the "data response" section indicating it was done by SpamCop.  The following is one configuration that was found a few years back and you can see that there can be more than one blacklist on the message.

    deny    message       = rejected because $sender_host_address is in a black list at bl.spamcop.net
    dnslists      = bl.spamcop.net : sbl.spamhaus.org : xbl.spamhaus.org

    I do not like how someone people left their configurations blaming SpamCop if (such as this example) the IP is on a blacklist at SpamCop or spamhaus.  If your mail server IP is not listed in bl.spamcop.net, either it was for a small time or the email provider has their own blacklist and is blaming SpamCop.  Those, I have to use my hotmail email to ask them why since they could be blocking my other address.

  11. On 9/28/2020 at 3:01 AM, Lodewijk said:

    If I still were getting lots of spam, and also others had the issue of their ISP's spam filter blocking their reporting to SpamCop, I would suggest the latter no longer use the word "spam" in their reporting and asking for confirmation email addresses. 

    If they cannot remove the filter, maybe one possible option is for them to whitelist the mfrom domain of SpamCop.net or give it a non-spam score.

    It would be nice to not use the word "spam" in a filter.  But then what kind of spammer would actually use the word "spam" in their emails?

  12. On 9/26/2020 at 7:26 PM, jakeqz said:

    Mostly, though, they have a `Reply-To` header with a Gmail address.

    Spammers started using Reply-To a few decades ago because they could mask the from as an invalid and prevent bounces.

    On 9/26/2020 at 7:26 PM, jakeqz said:

    But when I report these emails as spam, SpamCop does not send a report to Google.

    Yep, and SpamCop does not send a report for the "from:" address either.  Only the source IP, any relay IPs, and the URLs are reported.

    On 9/26/2020 at 7:26 PM, jakeqz said:

    I think it should offer the option to report to the provider of any email address listed in `Reply-To`.

    This is an interesting idea, but the from and reply-to could be spoofed to catch innocent people.  I think I almost vote to have a feature like this added, if it were not for the possible spoofing.

  13. 6 hours ago, unitacx said:

    Eventually you will get the spam reporting address as the outside server.
    On mine, there were three outlook.com "Received:" headers, followed by an "Authentication-Results:" header. By removing those first three "Received:" headers, I was able to get to the source of my sample email.

    Eventually you should start to recognize the external and internal headers and might be able to shorten step 3.

  14. 3 hours ago, KNERD said:

    Just reported email again. It is not obtaining the IP address again,

    One question that I am not sure if you know, you can revisit any of your tracking URLs and from my experience they will get any mailhost changes you make.  You have about 48 hours from the time the email was received by your border server to report.


    18 hours ago, petzl said:

    Your server IP static? Not dynamic?  The email host update has fixed issues.

    My email provider's IP is dynamic and I have never had a problem reporting or using mailhosts.  Then I use exim and KNERD seems to be using postfix.  Maybe SpamCop might be parsing the headers from different servers differently?


  15. 11 hours ago, KNERD said:

    No changes to the server. I even redid the mail host for it just now. Still same result

    The mailhost update may be why both seem to be reportable now.

    Tracking message source:
    Tracking message source:

    I have not noticed any delays when I update my mailhosts.

  16. On 9/13/2020 at 4:50 PM, petzl said:

    Your email provider  has not stamped a received FROM IP line

    Outernaut, I expect to see an IP somewhere in the Received line such as the following.

    Received: from oksupp ([IP.add.re.ss]) by elm.nocdirect.com
    On 9/13/2020 at 2:08 PM, Outernaut said:

    Did this come from the internal site to where it was sent?

    Without the IP address in the Received line, I would have to assume this came from the internal site directly.  Which is probably what SpamCop is doing.

  17. On 8/27/2020 at 9:57 AM, denby said:

    I don;'t know how they are actually getting to my email inbox, but they have wierd from addresses.

    Spammers use the unicode and base64 to try to hide from spam filters.  (Most spam filters can be plain text.)

    On 8/27/2020 at 9:57 AM, denby said:

    Any suggestions on how to stop them?

    If your filtering can do regular expressions then you can look for UTF-8.  Some filtering programs will let you filter for the "raw" headers or the decoded headers.

    From: "=?eq7rzAaUmUTF-8?B?

    I suspect this might be a mix, but I do see a UTF-8 in the middle.  Usually that start the unicode section.

  18. On 8/25/2020 at 1:01 AM, LaserMoon said:

    When I report spam sent to Hotmail addresses, SpamCop wrongly indicates one of the internal Hotmail IPv6 IPs as the source.

    You can try reporting to deputies[at]admin[dot]spamcop[dot]net, or by requesting a feature in the New feature forum.  Many have mentioned a similar problem in the past Microsoft mailhosts missing IP addresses.

    On 8/25/2020 at 1:30 AM, petzl said:

    I don't believe Hotmail provides a source IP, just the IP of their own email server.

    LaserMoon, I believe the issue to be that microsoft opened themselves up to using around 5,192,296,858,534,827,628,530,496,329,220,096 IP addresses when they moved to using IPv6 public addresses and spamcop might not be able to store them all.

  19. 14 hours ago, mgolden said:

    host 2001:67c:2050:104:0:1:25:1 = mx1.mailbox.org (cached)
    mx1.mailbox.org is 2001:67c:2050:104:0:1:25:1
    Host dobby24a.heinlein-hosting.de (checking ip) =
    Sorry, SpamCop has encountered errors:

    The email sample you submitted for X
    appears to traverse more than one domain.  
    Please ensure that you configure each mailhost individually and in order.


    I am not sure if this could be your problem but last time I saw this message, it turned out to be one email of mine was forwarding to another.  If you have multiple emails involved in a chain then you might need to report them in a backwards order, such as under the "how" section of https://www.spamcop.net/fom-serve/cache/397.html.