Jump to content


  • Content Count

  • Joined

  • Last visited

Posts posted by gnarlymarley

  1. I had a similar one but it seems the rdns redirect is bouncing, so mine went back to hotmail.  It appears the idea behind this might be so SpamCop can sent to the related abuse department.  It appears that SpamCop may have worked directly with the Microsoft abuse department on this part of the code.

    Tracking URL: https://www.spamcop.net/sc?id=z6640795915z6babc4f58dd1fd8e9d6265ff6ca18ce3z


    Tracking message source:
    Routing details for
    [refresh/show] Cached whois for : abuse@microsoft.com
    Using best contacts abuse@microsoft.com
    Using rdns to route to correct Microsoft department
    host (getting name) no name
    failed, using default abuse@hotmail.com
    abuse@hotmail.com redirects to report_spam@hotmail.com


  2. On 6/30/2020 at 2:16 PM, jhg said:

    Can anyone at SC shed some light on why sendgrid is devnulled?

    It would say something like bounces if they are rejecting the report.  This looks like it was manually turned off.  My suspicion is a deputy turned off their reports.  I think sendgrid if went in with their ISP account and turned off reports, we could get a message that "ISP does not wish to receive reports".  You can try a deputy at deputies[at]admin[dot]spamcop[dot]net.

  3. On 7/9/2020 at 3:12 PM, petzl said:

    Opera is still doing this but comes right mystically?
    Turning VPN off has no effect
    Possibly another WIN10 feature,
    Goes back to normal by closing browser and restarting?

    I wonder if the off button is not working since it appears to only work for a little bit on restart.  I wonder if you would be able to do something like a traceroute through the VPN.  Here is my thought, back in May I experience an ISP issue on IPV4 where this forum became an island.  During that same time, other people on this topic were able to get to the forum just fine.  It maybe possible that verizon or some other ISP is still having issues, but ones that only affect certain internet destinations.  I imagine it works on startup until the opera VPN has a chance to connect.  If you could do a traceroute both through the opera VPN and also when it is disabled, you might be able to see where the problem is.  (When I had my problem for a few weeks, I did notice that there was a 15 min time window during the day when it would work normally.)

  4. On 7/7/2020 at 2:31 PM, petzl said:

    Seems Opera Browsers won't connect
     FireFox works no trouble

    maybe not the problem, but a possibility.  If I recall correctly, there used to be a setting in opera that would allow bidirectional usage of other people's internet.  I think it was there to enable a faster download of other people on your same ISP to use their cache to download webpages faster.  If this option was enabled, maybe it could have contributed to the issue.

  5. On 6/24/2020 at 11:11 PM, fnsp_stastny said:

    Oh, I'm sorry I forgot to write IP.

    One note is that you can try is to do a local lookup and see if it is cashed in the blocklist by your local DNS.  Another thing to note is that a few decades back, there were some email providers that mistakenly blamed the spamcop blacklist for blocking email when in fact, it was their own blocklist they were using.

    nslookup -type=any

    If the IP is not on the blocklist, but is still blocked, it is likely the email provider has setup a badly configure rbl entry in the receiving email server.

  6. On 6/24/2020 at 3:05 AM, Jericho said:

    I also noticed that my average reporting time never drops below 4 hours, no matter how fast I submit my reports.

    I probably have a million plus reports of the past few decades that sure keep my average up.


    On 6/27/2020 at 10:52 PM, Jericho said:

    Why are the IPs not included in the Spamcop blocking lists?

    I believe I saw the term snowshoe spamming. that explains this.  I have about a thousand of my own spamtrap email accounts and one thing I noticed is that the IP never seems to be repeated.  If you look at what Lking sent above, the spammer is doing that do they will not get listed.  Can be amazing how many IP blocks are out there that they can use with this "hopping" method.

  7. On 6/23/2020 at 7:01 PM, el_gallo_azul said:

    I use Yahoo! Mail, since I want to be able to always access my email (irrespective of location and available hardware), and I can't find any "Forward as attachment" option.

    I don't see the "Forward as attachment" as an option in the webmail version.

    On 6/23/2020 at 7:01 PM, el_gallo_azul said:

    Do you happen to know if "Forward as attachment" actually just attaches a text file of the full email header?

    That is basically what it is, so you can save the "raw message"  as a notepad txt file and then attach it to a new message.  Or else you can use something like the thunderbird email client that forward as an attachment.

  8. On 6/19/2020 at 2:14 AM, Hanco said:

    Separately, noticed a significant uptick in 419 Scammer emails. They often have a US phone number on them so I report the number to the FTC. I also call it (my number withheld) and if it sounds like the guy was asleep I repeat every few minutes at my leisure, put on a voice, ask stupid questions, generally really waste their time. I might be a sadist in this respect...I don’t feel at all guilty about doing it 😂

    My phone company has a special number that I can call that will disable callerID.  Hopefully you also have this option to block callerID enabled, so they are not able to retaliate to your number. if they can see the callerID....

  9. On 6/19/2020 at 10:03 AM, KNERD said:

    I guess I will need to look at spam Assassin.

    Either that or maybe see if your mail server supports special filtering rules.  Before I went to spamassassin, I was doing weird helo accept/deny rules as well as maintaining my own blocklist.


    On 6/19/2020 at 10:03 AM, KNERD said:

    Maybe time for a campaign to ARIN to have their IP addresses revoked? Do they even do that?

    They can revoke the IP address for policy violations but that doesn't always stop the spammer.  The ISP's ISP should be checking that their customers are using valid ranges.  I had one in Europe that has assumed two class C networks without being assigned them.  It took a few months for them to stop using them.

  10. Can we get http://forum.spamcop.net to have IPv6 enabled similar to http://www.spamcop.net?  From what I understand cloudfront.net seems to indicate it could be free.

    On 23 may 2020, risebroadband and verizon had a IPv4 routing issue that prevented me from accessing the forum because it was hosted at cloudfront.net.  It took quite a few days to get the issue resolved.  I still do not know who had the broken router, but if we had IPv6 enabled on the forum, it could have been accessible during this period.

    IPv4 Routing Problem:

    C:\>tracert forum.spamcop.net
    Tracing route to spamcop.invisionmanaged.net []
    over a maximum of 30 hops:
      2    12 ms    11 ms    11 ms
      3     9 ms    21 ms     9 ms
    63-248-56-128.static.layl0101.digis.net []
      4     8 ms     9 ms     9 ms  63-248-56-49.static.layl0101.digis.net
      5    13 ms    11 ms    14 ms
    ip65-46-60-157.z60-46-65.customer.algx.net []
      6    23 ms    25 ms    23 ms []
      7     *        *        *     Request timed out.
      8     *        *        *     Request timed out.
      9     *        *        *     Request timed out.
     10     *        *        *     Request timed out.
     11     *        *        *     Request timed out.
     12     *        *        *     Request timed out.
     13     *        *        *     Request timed out.
     14     *        *        *     Request timed out.
     15     *        *        *     Request timed out.
     16     *        *        *     Request timed out.
     17     *        *        *     Request timed out.
     18     *        *        *     Request timed out.
     19     *        *        *     Request timed out.
     20     *        *        *     Request timed out.
     21     *        *        *     Request timed out.
     22     *        *        *     Request timed out.
     23     *        *        *     Request timed out.
     24     *        *        *     Request timed out.
     25     *        *        *     Request timed out.
     26     *        *        *     Request timed out.
     27     *        *        *     Request timed out.
     28     *        *        *     Request timed out.
     29     *        *        *     Request timed out.
     30     *        *        *     Request timed out.
    Trace complete.

    kinda working during the only 10 min period of the day:

    C:\>tracert forum.spamcop.net
    Tracing route to spamcop.invisionmanaged.net []
    over a maximum of 30 hops:
      1     1 ms     1 ms     2 ms  DD-WRT []
      2    11 ms    23 ms    14 ms
      3    10 ms    12 ms    11 ms
    63-248-56-128.static.layl0101.digis.net []
      4    11 ms    13 ms     8 ms  63-248-56-49.static.layl0101.digis.net
      5    20 ms    19 ms    11 ms
    ip65-46-60-157.z60-46-65.customer.algx.net []
      6    27 ms    25 ms    26 ms []
      7    34 ms    43 ms    28 ms
      8    25 ms    24 ms    24 ms
      9    36 ms    27 ms    66 ms
     10     *        *        *     Request timed out.
     11     *        *        *     Request timed out.
     12     *        *        *     Request timed out.
     13     *        *        *     Request timed out.
     14     *        *        *     Request timed out.
     15     *        *        *     Request timed out.
     16    25 ms    26 ms    28 ms
     17    30 ms    48 ms    40 ms
     18     *        *        *     Request timed out.
     19     *        *        *     Request timed out.
     20     *        *        *     Request timed out.
     21     *        *        *     Request timed out.
     22     *        *        *     Request timed out.
     23    25 ms    33 ms    44 ms
    server-13-226-234-24.lax50.r.cloudfront.net []
    Trace complete.


  11. 5 hours ago, rdorsch said:

    Hmm....I think that helped to recover it, I clicked on "Parse" to recover it:



    This appears to be only the URL specified and not coming directly from your server.  Running it through google translate, it appears to be the normal whois email address testing.  Sounds like they are sending out spam to attempt to send a bill to random domains to try to extort money.  Been a while since I got one of those.

    (I think what petzl is talking about is where I have seen IP cameras and routers get hacked and the spam sent from there, but this does not appear to be coming directly from your server.  If it was coming directly from your server, I would check the server and any devices that might be sharing the same IP for possible intrusions.)

  12. It would appear that the forum only does http.  From what I can tell, the hosting is done on cloudflare.net.  So as long as that is the SSL cert, then you can login using https.  I would advise against sharing this password with other places.  I found the following, so I am not sure if there are plans in the works to fix this.  Maybe submit a new feature request?


  13. On 5/19/2020 at 12:05 PM, Spamnophobic said:

    OK I know we have been here before, but could somebody examine my tracking url:


     perhaps forum seniors or SpamCop staff can suggest how to get these new ones reported?

    Okay, I am confused with the tracking URL.  It seems to be the message you tried to report is one that was sent directly to your submit address.  I see the vmx and the app009.  Are you trying to report a spam from someone that sent it directly to your submit address?  (I am glad your submit address was replaced by an x in here as I don't want to know what it is.)  If your submit address is in the wild, I would suggest you contact deputies[at]admin[dot]spamcop[dot]net.

  14. 19 hours ago, rdorsch said:

    I found that my domain was mentioned in the spam email,

    I had a similar situation happen to me about two decades ago with an admin from a well known education institution confusing the internal links of the spam as the source of the spam.  This is why I prefer to report just the source instead of the links inside.  If I see any on my reports that might be valid (innocents caught in the crossfire), I uncheck those.

  15. 17 hours ago, Appleseed said:

    Outlook put stuff to headers. If you want to report messages from Outlook, you have to start copy paste from the last "Received: from" line in message source and ignore all outlooks stuff before that.

    For me, if I copy the message to notepad first and maximize the window and then copy all again, I don't seem to have a problem.  There appears to be a really long line added that has weird line breaks if copied straight across.

  16. 3 hours ago, displayname said:

    why can't i just forward (not as attachment)? its the same content formatted differently, but will make huge difference to users: instead of doing 1 step (forward to address) we have to do 5:

    Forwarding as an attachment contains some hidden lines that track message source.  When forwarding (not as attachment) those tracking lines are lost.  This is why SpamCop requires it to be an attachment.  The lines that get lost when forwarding not as an attachment are the "Recevied:" lines as defined by RFC2076.

  17. On 4/30/2020 at 8:22 AM, Lking said:

    Without any additional reports an IP will automatically be removed from the SCBL after 24 hours.


    The IP will be automatically delisted once the problem is resolved, and may have been already.  I ran across the follow post about the captcha.  I have not been able to duplicate the issue with the captcha not loading.  If you are still having the issue, maybe you can try hitting the refresh button to the right of the circle to see if it will allow the captcha to load.


  18. On 5/10/2020 at 2:03 PM, petzl said:
    On 5/10/2020 at 1:56 PM, Outernaut said:

    Sorry, but that was gone after I posted the query. Yet reading everyone's response has helped me understand it better. I've no idea how, after email is checked for at minimum, 5 minutes and as for this one, as I've seen with as few others, show up two or three days late.  Thanks for the help.

    Without seeing a Tracking URL.
     Sometimes a server is turned off when it is found spewing spam

    When turned on again it spews out remaining spam.


    A tracking URL would be able to help us debug the issue.  What you will be looking for is there is a "Date:" header and a "Received:" header.  SpamCop does not look at the "Date:" header.  It gets it time from the "Received:" headers.  If you do not have mailhosts enabled, SpamCop will attempt to find your border server.  The age of an email comes from the time gathered at the border email server.

  19. 1 hour ago, FranklinCat said:
    Is there something I can check for and tweak in the submission that will avoid the problem?  I submit using my submit......@spam.spamcop.net address including spam as attachment.

    That sure is a lot of received lines.  From what I can see, the source appears to be a fastmail user.  SpamCop is really good at detecting company to company connections, but RFC9181 IPs can be assigned to every company.  The source of will need to be looked at by a fasthost admin, which is why SpamCop gives you the message "identified internal IP as source".

  20. 1 hour ago, ArtmakersWorlds said:

    See?  NOT a techno geek here. Please explain this like your talking to your grandma ok? 

    Lets see if this helps.  Spamassassin is a computer application that integrates with the email server for parsing spam at the time it is being received.  For example, someone using a hotmail account could send email to my email account.  My email server and spamassassin check the email for spamminess and either will accept or reject it.  This happens while hotmail still has a connection to my server still open.  The rejection notice will come from hotmail's servers as it is will not be able to send.

    As near as I can tell yahoo does not do any spam filtering, just address blocking.  The filters only seem to be able to move spam to non-spam folders.

  21. 1 hour ago, ArtmakersWorlds said:

    Ok, NOT being a computer tech here, how would I use spamassassin with yahoo email on a mac computer.   If that's even possible? I think it's not. 

    Will not be possible with yahoo.  Hmmm, spamassassin plugs into the border email server.  I know with my yahoo account they don't do much good for spam filtering.  I think yahoo's only option is to block email address, but I am not sure the asterisk is working for me.  This is why I went with my own domain and email server so I could do better filtering.

  22. On 5/12/2020 at 8:04 AM, KNERD said:

    A week later more spams would start arriving from eonix.net, Looking, I see they are coming from a new block of IP addresses at a different location.

    Some ISP do this and then return the old block and poor folks might get a spammy block when they request a new range.  Years ago, I started blocking at the firewall level.  Then I started blocking using a SMTP blocking list.  Now I just use spamassassin and it makes the decision to block or not at the SMTP edge.

    On 5/12/2020 at 8:04 AM, KNERD said:

    The spam from eonix.net listed on Sorbs is still getting to my email server, but legit mail such as from PayPal is getting blocked by Sorbs!

    This is the reason why I use spamassassin now is because clean emails can be on the block list and still be accepted, while spammy emails with the block lists it can tell the SMTP mailer to reject it.  Spamassassin also lets me do some custom parsing rules which can single out ISPs such as eonix (either via headers, message body, or just connecting host).