Jump to content

gnarlymarley

Memberp
  • Content Count

    460
  • Joined

  • Last visited

Posts posted by gnarlymarley


  1. 4 hours ago, MIG said:

    (I offered to do the grunt work if SCF Admins or whomever currently carries the work/maintenance burden wanted some willing assistance). This translates to, the table/topic existing, any identified addresses forwarded to SCFA who'd then update the table/pinned topic.

    I am just trying to understand.  So if I understand correctly, you are offering to update the current tables that Don D'Minion (I haven't seen him for a while) used to update such as can be seen at https://www.spamcop.net/sc?action=showroute;ip=150.107.103.51;typecodes=16?


  2. On 5/17/2019 at 2:31 PM, lisati said:

    Having some kind of table for us to use does sound like it might have some merit. There's also a section of this forum that some contributors use to submit updates and corrections. under Spamcop Reporting Help -> Routing/Report Address issues

    Lisati/MIG,

    Though I would like this access, I would prefer not to give spammers more access than they really need.

    On 5/17/2019 at 7:17 PM, MIG said:

    Yep, the SCR Help R&RA is there, is a good resource, and (my understanding) is that it's for corrections,

    While it would be nice to be able to correct addresses in our own table, it is not a good idea to open it up to people that are using the forums to put in their spam, or even to paste in bad abuse addresses.  Forum spam posted in the R&RA is why I like the deputies to act as a double check what shows up there.


  3. On 4/26/2019 at 3:39 AM, Jelmer Jellema said:

    If I understand this correctly, it is because of the dot in the seconds Received header?

    I believe if it because that dot.  At least mine was.

    23 hours ago, MIG said:

    fully resolved, this surprised me, so, I tried a different account & browser, same result.

    Now that is weird.  My suspicion is that maybe with mailhosts turned on, it fails at the dot and with mailhosts turned off it works?


  4. On 4/24/2019 at 6:59 PM, RobiBue said:

    I like Idea #2!, especially if everybody is on-board.

    a) it would convince amazon to clean up their act with spammers and hosting them,
    b) especially if they start losing legitimate clientele :)

    The sad part is many folks are not willing to part with their perks in order to block the spams.  Probably not very many business would change either.

     

    6 hours ago, HeatherReid43 said:

    . email-abuse at amazon.com 

    . ipmanagement at amazon.com

    I did notice spamcop has been sending reports to the ipmanagment address.


  5. On 7/4/2018 at 2:29 AM, petzl said:

    compromised/forged web and or email accounts
    If Microsoft Windows Defender is available to you, use it
    Scan for Malware! 
    THEN
    Change log-on to a more secure password-Phrase! 

    unidress, Also one quick note you might want to make sure your routers are also secure.  I have seen email that actually came from a hacked router to my email account.


  6. On 2/11/2019 at 10:55 AM, Lking said:

    2. If your friend is not receiving emails (including yours) your friend's email system is blocking INCOMING email and it is your friend's system that is causing the problem.

     

    nitesh, Please note that anyone can put into their email servers anything they want on the blocking message, such as can be seen from https://www.spamcop.net/fom-serve/cache/293.html's configuration suggestions.  What usually happens is folks change the dns, but don't change the message to go with it.  This can lead to erroneous messages about spamcop or something else blocking a message, but in reality it is the local email provider that did something.  The email administrator may have made a mistake on the receiving email server's configuration file.  What will probably need to happen is your friend might need to call the local support to figure out why it says spamcop has blocked the email, when it is not listed in the spamcop blacklist. 


  7. On 3/6/2019 at 4:58 PM, dennis562 said:

    spamcop.mimecast.org Blocked - see https://www.spamcop.net/bl.shtml?198.61.254.91. - https://community.mimecast.com/docs/DOC-1369#550 [bEjCcA39P3SxsOV3CZ9qSw.us331]"

    Looks like mimecast may have setup their own blacklist.

    On 3/6/2019 at 5:11 PM, petzl said:

    Or it could be a fake bounce from someone you are mailing too?

    dennis562, When I first looked at adding a blacklist to my MTA about twenty years ago, I had to key in the deny message into mailer configuration file.  As you can see from this link (https://www.spamcop.net/fom-serve/cache/294.html), anyone can put anything they want into that message.  This is what petzl means about a fake bounce.


  8. 5 hours ago, petzl said:

    They always use free accounts doubt if they give AmazonAWS contact info
    AmazonAWS  are not the only ones to stupid to fix this Google another.

    There are a few options you have left when the adminstrator is useless if you really want to stop the spam.

    1. Keep reporting for two or three years and the spammer will give up.
    2. Block the whole IP range.  (this could be a problem as the emails from this forum appear to come from amazon, so this could block legitimate email.)
    3. Implement SPF checks on the MTA and hopes that blocks it (only works if you have the ability to control the MTA.)
    4. Use greylisting to make sure that only servers can connect and send you email (again, only works if you can change the MTA behavior.)

    The reason most businesses offer the free accounts is it falls under the idea of advertising.  If someone cannot check out the service, then they are less likely to use it.  Kind of problem as it pulls in the jerks, but also pulls in paid accounts as well......


  9. On 4/15/2019 at 1:42 AM, klappa said:

    How would they every be able to trace you though munged reports? And why would the host or ISP send them the munged reports? It sounds crazy. I don't think you're the only recipient and he sends to hundreds upon hundreds of others he would never be able to trace it back to you.

    They do that by mapping some sort of combination of the from, links in the body, special keywords in the subject, and who they sent the message to.  I think the from of the report is the report id, so each report should be different.  How I think they track it is they see which spam gets reported and then assume only people who those were sent to is reporting it.  When I saw the "to" I noticed they kept changing it until they could narrow it down.  Now I think they do this in BCC mode.

    2 hours ago, RobiBue said:

    but I dislike it even more, when an emailer, after me having unsubscribed from *ALL* their emails, decides that I might still be interested, regardless of my decision.

    Yeah, that would be really annoying.  Or when the mailing list stops sending you emails in 2003, you stay subscribed, and they start sending again in 2018.....

    2 hours ago, RobiBue said:

    WRT gmail blocking/rejecting legitimate email: I haven't had that encounter yet, or the person that got rejected never got in touch with me about it...

    How I know the legitimate email blocking is happening is two points.  i have my own email server that sends me nightly report.  When it sent out two reports (after a few years of sending them), I noticed I didn't get them at my gmail account and research on that MTA said gmail thought it was spam.  The other point is when I would forward spamcop emails, the reply was rejected on three separate occasions.  I had to login to my spamcop account and click the "problem fixed" button.


  10. On 4/11/2019 at 11:42 PM, MIG said:

    via https://outlook.live.comin/on a web browser. What used to be called [Hotmail].

    I am unable to tell if jimmywalter is using office365 webmail or if using outlook.live.com.

     

    On 4/11/2019 at 11:42 PM, MIG said:

    When you say "about the webapp, I can only get it to show me headers", I don't understand.

    • I call it hotmail, but in outlook.live.com over by the sign out button is three dots that once clicked will have a "source message" link that has the full source.
    • In offfice 365 web outlook, there is only an options and properties tab that gives the headers.  The outlook application gives the same.

    So if jimmywalter is using office365 webapp, there is no forward as attachment and no message source.  If jimmywalter is using outlook.live.com, there is no forward but is a message source that can allow the full headers and body to be copied/pasted into the spamcop webform.


  11. On 4/10/2019 at 9:37 PM, RobiBue said:

    my gmail inbox/spam folder has also dropped drastically.

    For me, my spam is up and down.  I noticed that gmail is lately blocking a lot of the spam.  It is also rejecting some of my legitimate email as if it were spam too.  I dislike it went folks sign up on a mailing list and then mark it as spam instead of unsubcribing because I am fighting the gmail spam police who tend to block that instead of just putting it in my spam folder.


  12. On 4/13/2019 at 11:07 AM, nh905 said:

    Received: from localhost (127.0.0.1) by .tFPOSZzTeEdkt6@facebook.com id

    A tracking URL would be helpful.  Last time I got this, it turned out to be a dot in a domainname that was not supposed to be there.  Parsing your output mentally, I suspect it is the dot starting above.  Mine was a double dot that the spammers put in to prevent parsing.  If you remove the dot at the beginning of that hostname, does it parse?


  13. On 3/29/2019 at 10:14 PM, MIG said:

    Outlook web mail, 

    It's not possible to: 

    • [Save email as .eml] or any other format.
    • When using Outlook web mail there's no [key sequences] to [forward an attachment].

    MIG,

    For the outlook office365 webapp, you are absolutely correct.  The hotmail version of the web app will let me view the source.  What sucks about the webapp, is that I can only get it to show me the headers.  Apparently what Jimmywalter  might need to do (and what I have been doing for a while) is access it over imap using both fetchmail and thunderbird.


  14. 18 hours ago, JohnS said:

    Now there is so much extra stuff in the first part of the body, it never finds the source links because it is truncated.

    I used to want to have a higher reporting preference for the links in the body, until the spammer one day about two decades ago used an website from my company in one of their spams.  The spam came from a prominent university and the administrator mistook the link for the source of the spam.  This nearly got me fired for being the recipient of the spam during the argument that ensued.  Since then, I don't care as much about the links in the body and I know those can be spoofed (as well as the Received lines in the header), but the IP that my mail server records as the source is the only one I know that I can trust as being accurate.


  15. On 3/6/2019 at 7:58 PM, MIG said:

    Are you able to post a SpamCop Report URL, it will start with https://www.spamcop.net/sc?id= , please?

    MIG, To answer your question jimmywalter will not be able to post a tracking URL because I believe the error of "SpamCop could not find your spam message in this email" is in the response email that would normally contain the tracking URL.  When the forwarded message is not an attachment, instead of a tracking URL, SpamCop provides this error.

    On 3/6/2019 at 7:58 PM, MIG said:

    May I ask, are you using Outlook application or Outlook via a web browser?

    jimmywalter, this might useful to know.  I use the Outlook application to create a new message and drag in the email to the forwarded message when I want to "forward as an attachment".    Doing a google search yields results such as save the email as a eml file and then attach that to a new message, so I am not sure it is possible with the web application.  There might be some key sequence such as something like ctrl+shif+F that might do a forward as an attachment that I am not aware of.


  16. MisterBill,

    I think I found the issue.  I took your spam and submitted it with one header change

    https://www.spamcop.net/sc?id=z6533324339z74dcc1bd7d7a1f5d7cd9d6b0c6410d96z

    I changed:

    Content-Type: multipart/alternative; boundary="B_ALT_"

    to this:

    Content-Type: text/plain; charset="windows-1252"

    From what I know of the message format, the boundary is missing from the message body as defined by the Content-Type.  The type multipart/alternative means that there should be part of the body as text and part as html.  Rather than change the Content-Type like I did.  Maybe you could figure out how to find both types of the body so that you can properly report the full body.


  17. On 2/25/2019 at 4:45 AM, jimmywalter said:

    Thanks, working better now, but still getting rejections saying they cannot find the spam. I definitely sent the original emails as attachments. I got only 6 accepted out of 13 I sent this morning. I got 7 with the not able to find message.

    Outlook by defaut does not support forwarding as an attachment.  The "forward" button is misleading.  What I do to forward as an attachment is to create a new email that will be sent to spamcop, then drag the message I want to attach to the body of my new email.


  18. On 2/21/2019 at 12:54 PM, petzl said:
    On 2/21/2019 at 12:48 PM, MIG said:

    The bit I don't understand is why SC parser doesn't also drag up amazonaws?

    SC just looks at link provided the link in this case is a redirect link with a abuse address that bounces.
    Try to be better than SpamCop is you have the time
    In the case of porn spammers send to the CERT of that country as well.

    To answer this question about link redirection, around two decades ago SC was programmed to never follow links due to the thought that spammers were tracking which links were clicked.  By clicking the link, the spammer will have the IP of your computer along with the the knowledge that the link worked, so they can send more spam.  This is why SpamCop would originally just grab the hostname/IP from the link without following it.


  19. On 3/4/2019 at 1:16 PM, RobiBue said:

    why this spam isn't parsing the links, unfortunately, I do not know.

     

    On 3/2/2019 at 1:37 PM, MisterBill said:

    Here's one of mine so folks can see what the mail looks like.

    https://www.spamcop.net/sc?id=z6526542656z686e6200afbb5e1b095fea9160ee8108z

    MisterBill,

    I can see Base64 decoding works, but I also noticed that when there are no links, i see the following output.  I am thinking this might be in part the cause why it is it is not finding the links is that maybe something in the headers tells it not to check.

    The following from: https://www.spamcop.net/sc?id=z6518576003zacb0684ecc1a3a9c08ea7d4865cd6840z

     
    Quote
    Finding links in message body

    Parsing text part
    no links found

     


  20. I just checked both yours and mine and they come back.   I am not sure how long it takes for the cached whois to expire.  Seeing the owner, I am not surprised about the /dev/null.

     

    [refresh cache]

    $ whois NET-3-128-0-0-1@whois.arin.net
    
    [whois.arin.net]
    . . . .
    NetRange:       3.128.0.0 - 3.255.255.255
    CIDR:           3.128.0.0/9
    NetName:        AT-88-Z
    . . . .
    
    OrgAbuseEmail:  abuse@amazonaws.com
    

     

     

    [refresh cache]

    $ whois 185.79.243.137@whois.ripe.net
    
    [whois.ripe.net]
    . . . .
    inetnum:        185.79.240.0 - 185.79.243.255
    netname:        PL-INTER-SAT-20141203
    country:        PL
    org:            ORG-PTAO1-RIPE
    admin-c:        JO3356-RIPE
    . . . .
    abuse-mailbox:  jacek@inter-sat.pl
    
    

  21. Yeah, I am not sure if there is someone that has the ability to fix these cache entries.  It is a tragedy now that we are here, but at the same time it is at least populating the blacklist.

    Display data:
    "whois 185.79.243.137@whois.arin.net" (Getting contact from whois.arin.net )
       Redirect to ripe
       Display data:
       "whois 185.79.243.137@whois.ripe.net" (Getting contact from whois.ripe.net)
       whois.ripe.net 185.79.243.137 (nothing found)

    [whois.ripe.net]
    %ERROR:201: access denied for 184.94.240.92

     

×