Posts posted by gnarlymarley

  1. 5 hours ago, petzl said:

    Only staff might be able to access that link. I am just a SpamCop member.

    fritz2cat, The link you gave seems to be only accessible by you or SpamCop deputies.  However, you can find an accessible link with munged information if you click on that link and then click on "Parse".  That page should have your Tracking URL near the top.  (As a side note, if you view that while logged out, you should see the munged information on it.)

    Here is your TRACKING URL - it may be saved for future reference:

  2. 16 hours ago, fritz2cat said:

    I end up blocking their CIDR one by one as they are offending.

    I just want to automate it now...

    I automated this using a cron script and a firewall.  The problem I saw is the script happened to catch some legitimate emails and blocked those hosts until it was too late for me to get them back.  (There is a grey area of false positives and false negatives where something will be missed and legitimate stuff will be caught.  This is why I prefer filtering the emails rather than straight blocking.)

  3. On 8/18/2020 at 3:22 AM, MariaLuiss said:

    I've a brands store of different products and my subscribers had opted in either by subscription cards or via our website.

    Hopefully your website uses something like a confirmed opt-in.  There are spammers that have been going around to websites and signing up other people's email addresses in order to get revenge for being reported for actual spam.  The reports don't seem to be enough to make it onto the blocklist: https://www.spamcop.net/w3m?action=checkblock&ip=

  4. I did want to make a note that last night some spam script started sending me spam from an OVH.net server and about three minutes after I reported it, the spam stopped.  I am not sure if I lucked out or if I happened to report at the time someone was in their office.

  5. On 8/6/2020 at 10:37 AM, Lking said:

    If you search for "Tracking URL" (including the quotes) using the search tool, top right of each page, you will find 112 local references to "Tracking URL" that may be more helpful than an internet-wide search.


    Lking is talking about the search box on http://forum.spamcop.net in the top right of the page that you can use to search for "Tracking URL".  This limits the search to just forum.spamcop.net.

    As a side note, the "Tracking URL" can be found at the top of the report page or in the reply email (if you submitted via email).  The tracking URL happens to be the same link as the URL itself before you submit the page.


    Incidentally, you can also find this from your past reports if you were able to submit them.

  6. On 8/6/2020 at 1:25 AM, Outernaut said:

    spam Assassin/spam Filters seems stuck in the domain name/TLD groove when it comes to blocking senders.

    For TLD, I use the blacklist_from and it works for me.

    blacklist_from *.su
    blacklist_from *.ga
    blacklist_from *.cn

    For the IP, maybe it doesn't like too many wildcards, so you might want to try:

    blacklist_from 170.*
    blacklist_from 173.*

  7. On 8/6/2020 at 12:23 AM, Outernaut said:

    I hope it is enough, and not too much.


    Hmmmm, are you saying the bitcoin email is too old?  When I copied it to my account and cancelled the report, it says it is new enough to report it.


    21 hours ago, Outernaut said:

    Lord Google says it's (Tracking URL) is for web sites.

    By tracking URL, they mean the one at the top of the SpamCop report page where it says the email is too old.

  8. On 8/1/2020 at 1:24 PM, Outernaut said:

    IF it will let me block IP addresses - as in 170.###.###.###.

    I suspect you might be able to do that with the following but the manual is not completely clear on how:

    blacklist_from []

    Since I run my own name server, I set up my own black list there such as:

    *.170.blacklist.local. IN A
    *.170.blacklist.local. IN TXT "blocked whole range 20200802"


  9. 6 hours ago, Outernaut said:

    *BTW - SCBL by lord Google is  "Santa Clara Baseball League", and other teams belonging to the league.

    SCBL means SpamCop Blocking List or SpamCop Black List.

    Also, for me google says it is "Southern Collegiate Baseball League".

  10. 2 hours ago, Tesseract said:

    The analysis by petzl seems correct (braeburn.macports.org is in my mailhosts). I don't know why the parser would fail on this particular message alone

    Interesting, I had submitted a copy to my account without mailhosts and it appears to have worked.


    When I try to submit with mailhosts, I get the same pause (yes, I know I don't have your mail hosts.)


    This would almost indicate maybe the double dot hostname problem.  Hang on, maybe try changing the two dots as below to a single and try submitting again.

    Received: from DESKTOP-JQ04P8P..home


  11. 8 hours ago, Tesseract said:


     The parsing ends almost as soon as it begins, having only looked at one host. Other recent reports have been OK.

    Nothing immediately stands out for me, but I do see an IPv6 address:

    whois.ripe.net found abuse contacts for 2a01:4f8:211:2c54::2 = abuse@hetzner.de

    Might be good to get the deputies looking at this at deputies[at]admin[dot]spamcop[dot]net.

  12. On 7/27/2020 at 12:25 AM, nei1_j said:

    Ok.  So the whole "Received:" line is a forgery.

    Nope, I am saying that it came from is the source, but user/owner of the computer tied to that IP probably didn't send the message themselves.  They "let" someone else use their computer because they didn't patch it.  Spammers love it when they can use someone else's cameras, routers, computer, refrigerator, or other IOT device to send their stuff so they don't get caught.

    On 7/27/2020 at 1:17 AM, petzl said:

    is where it came from and reported correctly to OVH

    Keep reporting these as we at least need to get them to patch or fix the problem.  If it is a person that has let someone else use their machine, they need to deal with the problem.

  13. On 7/25/2020 at 2:48 PM, nei1_j said:

    Are you saying that Newegg was hacked?!?

    Nope, I am saying that OVH customers were probably hacked.  The spammer is just using the Newegg hostname to try to get past spam filters.  (Some people who get a spam report that supposedly came from their discount it and ignore it because they "didn't send it".)

  14. 7 hours ago, nei1_j said:

    Received: from p1-002133.promo.newegg.com (214.ip-51-79-145.net. [])

    Two decades ago, spammers were advertising the wrong hostname to get past blocking filters.  When spam filtering kept getting them, some of them went to using their real hostname of the computer they had hacked.  I think most of the OVH spammers might be the "fly by night" salesman, where the OVH computers are not patched.  I think that by the time we file a report, they may have already abandoned the machine.

  15. 18 hours ago, Sven Golly said:

    Again, I think it's probably due to the number of different servers our webhost uses.

    I am not sure if this is the issue because I have a juno account on my mailhosts with 179 webhosts and I don't have any problems with it.

    18 hours ago, Sven Golly said:

    Looking at your tracking URL, the Received: lines appear to be out of order.

    Received: from outlook by outlook
    Received: from exchangelabs by reliablemail
    Received: from exchangelabs by exchangelabs
    Received: from exchangelabs by outlook
    Received: from reliablemail by reliabledns
    Received: from reliabledns by reliabledns

    In searching the forums, the first thing that popped up was an outlook issue:


    Are you using outlook?  (Apparently they don't have issues with outlook express, only outlook.)

  16. 16 hours ago, petzl said:

    Well I don't see the "received by"  line 
    Which should be followed with the
    "Received: from"

    Ricardo_63, this "Received:" line should be added by the receiving email server.  And should not be disabled by any spammer.

    On 7/24/2020 at 5:05 AM, Ricardo_63 said:

    That's the point,  where spammers it seems almost step ahead, masking mails without possibility to reported.

    Though RFC2882 might be confusing, RFC5321 explains this well in section 3.7.2, where your ISP should be adding that line.

    3.7.2.  Received Lines in Gatewaying
       When forwarding a message into or out of the Internet environment, a
       gateway MUST prepend a Received: line, but it MUST NOT alter in any
       way a Received: line that is already in the header section.

    Another way to think of it is, if your ISP refused to put this line on your email, then they must provide another way for you to get the information via a phone call or log access.  If they refused to tell you the sending IP and helo hostname, then the offending email must be counted as spam sent "by your email provider".

  17. On 7/13/2020 at 8:45 PM, petzl said:

    I did nothing this started happening by itself (have now "fixed it") had to go through the myriad of options to find it.

    This is the problem with internet islands where you can travel from your house to either island, but you cannot travel directly from one island to another.  This is where your ISP is working, but your VPN's ISP would not have been talking to SpamCop's ISP.  When someone at those ISPs found out there was a problem, they could fix it.  This is why the problem started happening by itself and would have fixed itself.  (Most of my internet traffic goes through about five different ISPs between my computer and the server.)

  18. I am not familiar with cPanel, but I am with SpamAssassin.  I currently have version 3.4 and there is a rule in it called RCVD_IN_BL_SPAMCOP_NET that brings in block list functionality.  I was looking at 

     and the version 2.6 appears to have the rule in it.  Later versions all seem to have it.  Is this the type of integration you are looking for?  I am not sure if you have a special score for it or would be using the default score.

  19. On 7/22/2020 at 7:35 AM, Ricardo_63 said:

    Here is your TRACKING URL - it may be saved for future reference:

    From what I see on your tracking URL, there are some missing Received lines.  I see you have the Received and by sections, but no from section.

    Received: by smtp50.i.mail.ru with esmtpa (envelope-from <investor@bit.com>)

    I would expect to see a line such as the following where it has the from:

    Received: from [IP.add.re.ss] (helo=server.name.org) by smtp50.i.mail.ru with esmtpa (envelope-from <investor@bit.com>)

    SpamCop uses the part between the from  and the by to determine the message source.
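The check described in the post above, as an added example that is not part of the original post and is not SpamCop's parser: it splits each Received: line into its from and by parts and lists the hops that record no source. The address 192.0.2.25 and the function names are assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed sample headers modelled on the two lines quoted in the post;
# 192.0.2.25 is a documentation address, not a real sender.
SAMPLE_HEADERS = [
    "Received: by smtp50.i.mail.ru with esmtpa (envelope-from <investor@bit.com>)",
    "Received: from [192.0.2.25] (helo=server.name.org) by smtp50.i.mail.ru\n"
    "    with esmtpa (envelope-from <investor@bit.com>)",
]

# The optional group captures everything between "from" and "by".
RECEIVED_RE = re.compile(
    r"^Received:\s*(?:from\s+(?P<src>.*?)\s+)?by\s+(?P<by>\S+)", re.IGNORECASE)
BRACKET_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]", re.IGNORECASE)
HELO_RE = re.compile(r"helo=([^\s)]+)", re.IGNORECASE)


def first_ip(text):
    """Return the first bracketed literal that is a valid IPv4/IPv6 address."""
    for candidate in BRACKET_RE.findall(text):
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            continue  # e.g. a placeholder such as [IP.add.re.ss]
    return None


def parse_received(line):
    """Split one Received: line into its 'from' and 'by' parts."""
    unfolded = " ".join(line.split())  # undo header folding
    m = RECEIVED_RE.match(unfolded)
    if m is None:
        return None
    src = m.group("src")
    helo = HELO_RE.search(src) if src else None
    return {
        "by": m.group("by"),
        "from": src,
        "ip": first_ip(src) if src else None,
        "helo": helo.group(1) if helo else None,
        "has_source": src is not None,
    }


def hops_without_source(headers):
    """Names of receiving hosts whose Received: line has no 'from' section."""
    parsed = [parse_received(h) for h in headers]
    return [p["by"] for p in parsed if p and not p["has_source"]]
```
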

  20. On 7/13/2020 at 12:17 PM, EkriirkE said:

    My email is still visible.  Note the first example is targeted at me directly for reporting them subject "You make compliant on Spamcorp my.visible.email erville?..." with a confusing body that pieces together a personalized message:

    Most ISPs don't go in and decode the base64.  For those that do or might, I just decode it, strip out my address, and then reencode it.  This might be a good feature to have and there are perl modules that can decode/encode it.
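The decode, strip and re-encode step described in the post above, as an added example that is not part of the original post (it uses Python's standard library rather than the perl modules mentioned). The address reporter@example.org, the placeholder "x" and the function names are assumptions.

```python
import base64
import email

# Constructed sample: a message whose base64 body embeds the reporter's
# address (reporter@example.org is hypothetical).
BODY = "Hello reporter@example.org, you complained about us.\n"
SAMPLE = (
    "From: sender@example.net\n"
    "To: reporter@example.org\n"
    "Subject: test\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "Content-Transfer-Encoding: base64\n"
    "\n"
    + base64.encodebytes(BODY.encode("utf-8")).decode("ascii")
)


def munge_base64_parts(raw, address, placeholder="x"):
    """Return (message text, number of base64 parts rewritten)."""
    msg = email.message_from_string(raw)
    needle = address.encode("utf-8")
    changed = 0
    for part in msg.walk():
        cte = str(part.get("Content-Transfer-Encoding", "")).strip().lower()
        if part.is_multipart() or cte != "base64":
            continue
        decoded = part.get_payload(decode=True)
        if decoded is None or needle not in decoded:
            continue
        cleaned = decoded.replace(needle, placeholder.encode("utf-8"))
        # Re-encode so the Content-Transfer-Encoding header stays accurate.
        part.set_payload(base64.encodebytes(cleaned).decode("ascii"))
        changed += 1
    # Headers and unencoded parts carry the address in clear text.
    # Matching is exact; an address written in another case is not caught.
    return msg.as_string().replace(address, placeholder), changed


def decoded_body(raw):
    """Decode the first non-multipart part, to check the result by eye."""
    for part in email.message_from_string(raw).walk():
        if not part.is_multipart():
            return part.get_payload(decode=True).decode("utf-8")
    return ""
```
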

  21. 6 hours ago, jprogram said:

    Apparently, those are all owned by Google. So how do they work and what are those sites called?

    I believe they are called URL shorteners.  How they work is, a person can type/paste a URL into the shortener's site and get a shortened link.  Visiting the shortened link passes a 302 or a 301 redirect and your browser will be redirected directly to the longer URL.  During the redirect, the shortener tracks the usage.  Shorteners were started because links (such as forum posts) can be quite long.



  22. On 7/4/2020 at 1:32 PM, Sven Golly said:

    The source IP appears to be: which goes back to a Russian provider.

    The only problem I can see is the missing date and something weird with the third received line.  But then you probably have this resolved by now with the mailhosts tab.