Posts posted by gnarlymarley

  1. 22 hours ago, remay said:

    I don't know if my hosting company is correct or not! I find it hard to believe that email can be delivered like this.

     Does anyone else experience this?

    If you look at the email headers, notice there is "X-SmarterMail" processing that has taken place. Could THAT processing be whacking the email headers?

    I have not seen any missing headers in my emails.  It is customary to place the headers by the receiving email server.  The problem you will have with your hosting company not providing that information is you do not know the IP of where the spam came from.  Not knowing the IP makes it unreportable.

    Per RFC2076 section 3.4, your hosting company should not be modifying any existing headers, but per the email, it does appear they are modifying and removing them.  It might be good if they were to bring their server into RFC compliance.

  2. 2 hours ago, ArtmakersWorlds said:

    I really wish someone would come up with a way of bouncing spam right back to whoever sent it.   And if it's not bounceable?  say some wanky forged return address?  Then it's not deliverable either.   Never would get any if this were the case.

    I use exim and spamassassin for that bouncing spam during the SMTP connection.  Once an email is sent on the SMTP communication it is scanned by spamassassin and if good, the SMTP accept command is sent.  This way, the sending server has to deal with the spam.  If the sending server wrongfully accepts to relay the email and didn't verify the address, then it will be bounced to the server admin so they can fix the hole.

  3. 1 hour ago, RobiBue said:

    I don't know how an "opt-in check" could work...

    Ooops.  Sorry, by "opt-in check" I meant single or double opt-in.  Some of the big social media sites are not even doing the single opt-in.  

    1 hour ago, RobiBue said:

    I've been fighting spam now for close to 20 years, and even back in the day, double opt-in was suggested to the companies affected by these malicious login attempts. I just don't understand how short the memory of some people is. I am sure some of these IT guys were also affected by these spamming opt-ins...

    Yeah, some picked it up and started doing the double opt-in, but only took a few years and they all forgot about it.  Sometimes I wish people didn't have a short memory.  In one spam report, I put a note that they should delete their email list and should be using "double opt-in" and then the spam stopped very quickly.

  4. On 4/27/2020 at 8:15 PM, gnarlymarley said:

    If it is still not working for you, you might want to try the deputies[at]admin.spamcop.net as I believe they have access to the mail server logs.

    Bob, I am getting the reporting notice that it accepted my attachments as normal.

    On 4/27/2020 at 11:40 AM, Bob said:

    I submitted 4 spam messages this morning with the same result:  no email received that reports were ready, went to website, found them as Reports Saved, cleared by reported them.

    Are you still having issues with this?

  5. On 4/22/2020 at 11:29 AM, Phineas Fudrucker said:

    The Proofpoint agents are named scapp04.lereta.net and scapp05.lereta.net whereas the MX is mx02.lereta.com so I guess the confusion is understandable.  How can I work around this?


    It also might take the email address in each received line and try to compare it.  If your ISP adds something like .local to the host that might be something that could make the parser think it is a completely different domain/email address.  Might be able to make sure that email is the same for every received line.

    On 4/23/2020 at 10:53 AM, Phineas Fudrucker said:

    I may have found a solution.

    We can hope your solution works.

  6. 2 hours ago, Lking said:

    A spammer can of course forge the "Date:" header entry visible to all, and if they control their ISP they could control the date in the first "Received:" line in the header visible using the source with a ctrl-U



    I have seen it where the spammers inject a Received line with an old date.  It might be good to check that you have mailhosts enabled too where spamcop will only trust the header added by your ISP.  If it is getting to that header, then the spammer should not be able to affect your ISP's date.  I have also seen some ISP border servers "hold" the emails for more than two days, which will make them old.
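
Added example, not part of the original posts and not SpamCop's mailhosts code: one way to take the receipt date only from the header stamped at the provider's border, so that an injected Received line with an old date is ignored. The relay network `198.51.100.0/24`, the host names and the sample message are assumptions constructed for illustration.

```python
import email
import ipaddress
import re
from email.utils import parsedate_to_datetime

IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def parse_received(value):
    """Return (peer_ip, timestamp) from one Received: header value."""
    m = IP_RE.search(value)
    try:
        peer = ipaddress.ip_address(m.group(1)) if m else None
    except ValueError:
        peer = None
    try:
        when = parsedate_to_datetime(value.rsplit(";", 1)[-1].strip())
    except (TypeError, ValueError):
        when = None
    return peer, when


def border_hop(raw_message, trusted_nets):
    """Walk Received: lines newest-first. A line is believed only while every
    line above it was handed over by one of the provider's own relays; the
    first hop fed by an outside IP is the border, and everything below it is
    sender-supplied text. Returns (source_ip, border_time, untrusted_hops)."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    msg = email.message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    for i, (peer, when) in enumerate(hops):
        if peer is None or not any(peer in n for n in nets):
            return peer, when, hops[i + 1:]
    return None, None, []


# Constructed sample: the bottom Received: line is injected, carries an old
# date, and even names the provider's domain after "by".
SAMPLE = """\
Received: from relay.myisp.example (relay.myisp.example [198.51.100.10])
    by mail.myisp.example with ESMTP id A1; Tue, 28 Apr 2020 09:15:02 +0000
Received: from unknown (unknown [203.0.113.45])
    by relay.myisp.example with ESMTP id B2; Tue, 28 Apr 2020 09:15:00 +0000
Received: from old.invalid (old.invalid [192.0.2.9])
    by mx.myisp.example with ESMTP id C3; Mon, 20 Apr 2020 01:00:00 +0000
Date: Mon, 20 Apr 2020 01:00:00 +0000

body
"""
```

Calling `border_hop(SAMPLE, ["198.51.100.0/24"])` yields the outside source `203.0.113.45` and the 28 April timestamp; the 20 April line comes back in the untrusted list and plays no part in the age calculation.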

  7. 6 hours ago, kolor said:

    My report is just useless.

    I don't think it is useless either.  In researching the whole /24, it does appear this might be some snowshoe spamming.  Hopefully other people will report their spam soon too so it can be listed.  Too bad they haven't sent any to me.

    5 hours ago, Lking said:

    I do not think so. Your report must be one of many/several reports to add an IP to the blocklist.

    I agree.  It may take some time for this to be listed.

  8. On 4/26/2020 at 2:04 PM, Bob said:

    I don't see a bounce flag when I log into Spamcop.

    If I remember correctly, this bounce flag button was very noticeable.  It had replaced the field where you can paste in your spam.  I think this is something you would have noticed.


    6 hours ago, Bob said:

    Got it -- thanks.  Logged into reporting>preferences and the email address is correct.

    If it is still not working for you, you might want to try the deputies[at]admin.spamcop.net as I believe they have access to the mail server logs.

  9. 2 hours ago, petzl said:

    Snowshoe spam dodges block list by using different IP's from same provider.

    One benefit of snowshoe spam that I can see, is the spammer is not able to put in a single IP where the "ISP has resolved this issue".  This means that I am able to report every spam.

    I have seen where the ISP/spammer marks "The issue is resolved" and by the time I go to report the spam, SpamCop doesn't let me further report as the issue has been "resolved".  (Mole reporting just changes the resolution time to the current time.)  This also prevents me from adding to the block list statistics.

  10. Looks like they are striking back with a new set of links for me.  (Google is not the source of the email, but the links inside point there.)  I am starting to see a number of links in the body where one of the following domains appears multiple times with a different four character alpha numeric code.


    I will see how long it takes for google to respond.  With each message containing 10+ unique links it would appear that they can sign up faster than we would ever be able to shut them down.

  11. 15 hours ago, Hanco said:

    It takes over a week, maybe ten days before they shutdown his account unfortunately.  Then he just switches mode of operation to another method.


    That time can be damaging.  Amazon is four days and I think theirs is too long.   By the time a week goes by a spammer could have already moved on anyway, so the account could be abandoned by the time they shut it down.

    9 hours ago, ArtmakersWorlds said:

    I really wish instead of just deleting the users account someone would go after them legally.

    For me, I would make it no longer economically viable.  If I could speed up the disable process, then the captcha alone would deter them.  It may be they figured out who I was and dropped me off their list, but not likely.  Probably what is more likely is mine was a different spammer.

  12. 21 hours ago, RobiBue said:


    I have seen this a few times in the reply email after I forwarded something to my submit address.  As near as I can tell, the submitted spam seemed intact and I was able to report it.  Judging how it moved the subject line of line up to between when vmx.spamcop.net got it from me and sent it onto the next node, I would guess this was done by the external vmx.spamcop.net node.

    Received: from vmx.spamcop.net (prod-sc-smtp8.sv4.ironport.com [])
            by prod-sc-app010.sv4.ironport.com (Postfix) with ESMTP id B579451B67
            for <submit.xxxxxxxxxxxxxx@spam.spamcop.net>; Mon,  6 Apr 2020 20:02:23 -0700 (PDT)


  13. 14 hours ago, RobiBue said:

    oddly enough, spotify sent me an activation link which I never clicked on, but it seems that whoever created the account was able to log in anyway, twice even...

    I can say it was weird that both spotify and pinterest had weird interests picked, but I didn't pay attention to netflix.

    14 hours ago, RobiBue said:

    and I am fairly sure that my email account isn't being accessed without my knowledge :)

    my email address has definitely been used several times though...

    I can verify that my gmail accounts were not accessed as at the bottom of webmail there is a details button to tell me where the last logins came from.  Spotify and pinterest ask me to confirm only once, while the accounts were being used, but netflix spammed me daily to confirm.  So I can say that none of mine had emails that were confirmed (I know this when I opened up the confirm email the link said it was still waiting for me to confirm), but clearly the accounts were being used.

    14 hours ago, RobiBue said:

    there seems to be something badly wrong if spotify sends me a confirmation to activate email and then the activation happens anyway... anyway, that is not spamcop's problem :) that is Spotify and yes, I ain't a fan of neither certain ways of opt-in/opt-out either :)

    Interesting that netflix didn't care about me reporting all their confirm email notices through SpamCop.  With pinterest I got a human on real quick.

  14. On 4/10/2020 at 3:58 PM, petzl said:

    Probably used that password there also?

    After linkedin got hacked a few years back, I went to unique passwords so I could tell who and where the hack occurred.

    On 4/10/2020 at 10:31 AM, RobiBue said:

    Somebody in the Ukraine created a spotify account with my gmail address

    I had this happen to me recently but it was spotify, instagram, pinterest, and netflix.  What I found was interesting with netflix is they appeared to be using the account to get a free month since they did not verify the email before allowing services.  I am not a fan of single-opt-in services nor have I been for over two decades.

  15. 7 hours ago, GodzFire said:

    I was PM'ed by someone who told me I need to talk to a staff or mod to have a new spamcop ID assigned to see if that fixes it. Just wondering how I do that.

    I did see some delays this morning, but you said it happened this past year.  Last time I had this happen to me (where all inbound emails were lost) I had a "SMTP disabled" with a button to reenable on the reporting page.  If you do not have this button, I would suggest you contact the deputies at deputies[at]admin[dot]spamcop[dot]net as per https://www.spamcop.net/fom-serve/cache/12.html.  I believe they have the ability to look at mail server logs to help in the research.

  16. The IPv6 ranges returned from the lacnic whois is being properly detected.  It appears that most of the whois servers return inet6num, but lacnic seems to be returning inetnum.  For documentation, the IPv4 seems to be coming back as NetRange for all whois.  It would appear that lacnic is going to stay with this as they have used this since they started on IPv6.  Can we have the code in the whois section be able to pick up lacnic's IPv6 range?

    The tracking URL that was fixed by the deputies on 24 Feb but have screenshot of before fix: https://www.spamcop.net/sc?id=z6618132220z787713e4d45691f5d7d62752a3a7f109z


    Forum post from 2013: http://forum.spamcop.net/topic/13290-gmail-spam-from-ipv6/

    Forum post from 2018: http://forum.spamcop.net/topic/30227-cannot-find-ip-range-in-whois-outputno-reporting-addresses-found-for-200112f0601a902000150/

    Whois refresh page:
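
Added example, not part of the original post and not SpamCop's code: one way a whois parser could pick up the range whether the registry labels it inet6num, inetnum or NetRange, by reading the address family from the value instead of from the key. The function names and the sample records (documentation prefixes) are assumptions constructed for illustration.

```python
import ipaddress
import re

# Keys named in the post: inet6num (most registries), inetnum (LACNIC, also
# used there for IPv6) and NetRange (IPv4).
RANGE_KEYS = {"inet6num", "inetnum", "netrange"}
LINE_RE = re.compile(r"^\s*([A-Za-z0-9-]+):\s*(\S.*?)\s*$")


def parse_range(value):
    """Turn 'prefix/len' or 'first - last' into a list of networks."""
    if "-" in value:
        first, last = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(value.strip(), strict=False)]


def find_ranges(whois_text):
    """Collect range lines; the address family is taken from the value,
    not from which key the registry happened to use."""
    found = []
    for line in whois_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(1).lower() not in RANGE_KEYS:
            continue
        try:
            found.extend(parse_range(m.group(2)))
        except (ValueError, TypeError):
            continue  # unparseable value: skip it rather than guess
    return found


def covering_range(whois_text, ip):
    """Most specific listed range that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    hits = [n for n in find_ranges(whois_text) if addr in n]
    return max(hits, key=lambda n: n.prefixlen, default=None)


# Constructed samples using documentation prefixes, not real registry data.
INETNUM_V6 = "inetnum:     2001:db8:600::/40\nstatus:      allocated\n"
INET6NUM = "inet6num:       2001:db8::/32\nnetname:        EXAMPLE-NET\n"
NETRANGE = "NetRange:       192.0.2.0 - 192.0.2.255\nCIDR:           192.0.2.0/24\n"
```

With this approach `covering_range(INETNUM_V6, "2001:db8:601:a902::15")` finds the /40 even though the key is `inetnum`, which is the case the post asks to have handled.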


  17. On 3/29/2020 at 10:50 PM, Baloo said:

    Though gnarlymarley's question was obviously not for me, I have the exact same problem: spinning circle to the left of the blue refresh button.

    I am not sure what I was thinking either.  I went back to look at Ostap's post and he has the image with the spinning wheel.  I think I was just asking for confirmation.

    On 3/30/2020 at 12:37 AM, Baloo said:

    Nope, it's a Win10. Turned off my antivirus, same thing. I even tried in a virtualbox Win10 with a completely fresh install/Chrome - same thing.

    Interesting.  I have tried this on edge, internet explorer, chrome, and firefox on win10, win vista, and win 7 and it seems to work for me.  I also tried it with chrome on android and works.  I have both AVG and avast, but web http filter is turned off for me.  (My win10 is a work computer and uses the work's proxy filter, so I might not be able to duplicate the issue on my win10.)

  18. On 3/25/2020 at 11:58 AM, jprogram said:

    By the way, all the e-mail servers that send the same spam are at completely random server providers. Therefore, I do not know how Spamcop would handle this.

    They sent it from different ISPs to limit how quickly their IP is put into a blocklist.  If they can jump around enough, they can keep sending out their spam for days.  Now if everyone who got it reported it, we could get them on the block lists faster.  This is why they like to remotely use routers and IP cameras to send their spam as they don't care if good people get blocked.  SpamCop does have requirements to be added to the blocking list.  My guess is what you saw for the change from Mivocloud to Psychz is that either they wanted to change, or Mivocloud turned off their service and the spammer moved on.

    (In my opinion, the faster we inconvenience the spammer, the less they will desire to spam.)

  19. 13 hours ago, efa said:

    I have to understand if there is some I can do to stop this flooding.

     The source is fixed, so should be very simple to identify the responsible.

    If the administrator doesn't care (or is even supportive of the spammer's actions), then it will continue.  What I did in the past (because they kept jumping around on IPs) was to block the whole IP range first in a firewall, then I did my own block list.  This got their attention and they moved on to another ISP.

    9 hours ago, petzl said:

    Keep reporting them they may get on the SpamCop Blocklist, Cisco is likely to add the spammers ISP, silently, add to their and owners/customers of their servers blacklist,

    This might be an issue as if you have the block list enabled, then the reports stop and the IP falls off the list quicker.  Hopefully, they run across a spamtrap which I believe it will continue to accept spam while it is on the block list.

  20. On 3/23/2020 at 8:09 AM, efa said:

    apparently the first block is not listed in any BL:

    Being on a BL is only useful if your email server/spam filter is configured to use it.  A lot of providers discount BLs these days because some honest people can be blocked.

    On 3/23/2020 at 4:45 PM, petzl said:

    Pay to forward the spam you receive to "abuse[AT]mapp[DOT]com" include full text and body.

    Some admins have got overwhelmed by spam reports and just blocked all of SpamCop.  Having a report sent by other means might cause the admin to ignore and block those reports too.  I would prefer if the admins would just take action quicker rather than to just hit the delete all button.