Posts posted by jseymour

  1. This can be done within the cPanel interface. Under Mail Manager -> Default Address Maintenance, add this to your domain:

    :fail: no such address here

    This will result in rejects like the following:

    2007-12-16 10:32:00 H=spammer.example.net (706167c405e3d8) [] F=<spambot[at]example.com> rejected RCPT <me[at]mydomain.example.org>: no such address here

    Thanks. Unfortunately, I don't have access to cPanel. I believe my hosting company (Site5) uses cPanel, but the interface they provide to us is something they developed on their own.

    The closest analogy I see is in my "Email Forwarders" settings - where I have my wildcard address set to ":fail: No Such User Here". However, the mail server still accepts all incoming messages and then generates a bounce after-the-fact.

    Your reject entry above doesn't speak to me, either. I don't see a three-digit response code - which begs the question: Is this a SMTP reject or a "bounce" message?

    Finally, I sent a suggestion to Site5 that they should fix this deficiency, but they have (so far) ignored me. When my renewal comes up, I am considering switching to a more email-friendly host (if I can find one).

  2. ...By going to the top of the screen and entering "cPanel exim" in the box next to the "Search for -->" button and then pressing that button, the following link was returned, right at the top: Bouncing Yahoo Groups and my Web Host. See if that helps. If not, you might try the same search yourself and see if any of the other hits is of value.

    Thanks. I did a search before posting and didn't see anything that looked useful.

    There's a lot of information available about how to set up an RBL (including the thread you pointed me to). However, I've not seen anything about rejecting based on recipient information.

    Part of my problem is that I'm a little out of my league. I'm familiar with mail servers in general (having run a couple of Postfix servers for several years), but I have no clue about cPanel and Exim.

    Based on the Exim documentation I've seen, it appears to be possible - but I don't know if cPanel provides access to the appropriate option(s).

  3. My hosting company (Site5) does not appreciate the importance of rejecting bad email addresses at the SMTP level. Instead, they accept all messages and then generate a new bounce if the recipient is unknown.

    I'm sure we all know the problem with this method.

    Site5 is running cPanel and uses the Exim mail server. Does anyone know if this combination can be made secure with regards to invalid recipients?

    If it can, I'm going to try to get them to set it up properly. If it can't, I'll be looking for a new hosting company...

    (Their response to my problem ticket was not promising: "It is fairly common behavior for a server to accept a message and then bounce it after the fact as long as the domain is configured on the server.")

    -Jim Seymour
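An added example (not part of the original posts, and not cPanel or Site5 code) that separates the two behaviours discussed above in an Exim main log: a `rejected RCPT` line written during the SMTP dialogue, versus a message that is accepted, fails delivery, and produces a new bounce sent to the claimed sender. The log excerpt is constructed; its addresses, hosts, message IDs and the router name are assumptions.

```python
import re

# Constructed Exim main-log excerpt (all hosts, addresses and IDs are made up).
SAMPLE_LOG = """\
2007-12-16 10:32:00 H=spammer.example.net (706167c405e3d8) [192.0.2.10] F=<spambot@example.com> rejected RCPT <nobody@mydomain.example.org>: no such address here
2007-12-16 10:40:11 1J3xAb-0001Qz-7K <= spambot@example.com H=spammer.example.net [192.0.2.10] P=smtp S=2311
2007-12-16 10:40:11 1J3xAb-0001Qz-7K ** nobody@mydomain.example.org R=virtual_aliases: No Such User Here
2007-12-16 10:40:11 1J3xAc-0001R4-2M <= <> R=1J3xAb-0001Qz-7K U=mailnull P=local S=3120
2007-12-16 10:40:12 1J3xAc-0001R4-2M => spambot@example.com R=lookuphost T=remote_smtp H=mx.example.com [198.51.100.5]
2007-12-16 10:40:12 1J3xAb-0001Qz-7K Completed
"""

MSGID = r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6,11}-[0-9A-Za-z]{2,4}"
RE_REJECT = re.compile(r"rejected RCPT <([^>]*)>: (.*)$")
RE_FAILED = re.compile(rf"^\S+ \S+ ({MSGID}) \*\* (\S+)")
RE_BOUNCE_IN = re.compile(rf"^\S+ \S+ ({MSGID}) <= <> .*?\bR=({MSGID})")
RE_DELIVER = re.compile(rf"^\S+ \S+ ({MSGID}) => (\S+)")

def classify(log_text):
    """Split log events into SMTP-time rejects and accept-then-bounce backscatter."""
    rejects = []      # recipients refused before the message was accepted
    failed = {}       # accepted message id -> recipients that later failed
    bounces = {}      # bounce message id -> id of the message it answers
    backscatter = []  # bounces that actually left the server
    for line in log_text.splitlines():
        if m := RE_REJECT.search(line):
            rejects.append((m.group(1), m.group(2)))
        elif m := RE_FAILED.match(line):
            failed.setdefault(m.group(1), []).append(m.group(2))
        elif m := RE_BOUNCE_IN.match(line):
            # "<= <>" with R=<id> is a locally generated bounce for that id
            bounces[m.group(1)] = m.group(2)
        elif (m := RE_DELIVER.match(line)) and m.group(1) in bounces:
            orig = bounces[m.group(1)]
            backscatter.append({
                "original": orig,
                "bounce": m.group(1),
                "unknown_rcpt": failed.get(orig, []),
                "sent_to": m.group(2),  # the envelope sender, usually forged
            })
    return {"smtp_rejects": rejects, "backscatter": backscatter}

if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
```

A server that refuses unknown recipients at RCPT time should show entries only under `smtp_rejects`; any entry under `backscatter` means a bounce was generated after acceptance.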

  4. Curious ... how many times in the past have you seen the line;

    Removing whitespace from mangled header

    It's unusual enough that it caught my eye ....

    I don't recall seeing that before. However, I usually Quick-Report my Yahoo! messages, so I don't normally see that level of detail.

    And yes, there's another thing ... if one follows the View entire message link, someone has their address stuffed into an X-Line: .... which has been discussed of late in another Forum section .... I'm surprised to see that this line is in fact filtered out the parsed spam .. 

    Ah, yes. It took me awhile to grok what you were saying...

    If you follow the tracking URL and take the link to "View entire message", you can see my spamcop.net address plain as day - even though the same line is excised from the parse details.

    spooky. Is somebody doing something about this?

    I send all my messages unmunged, so I'm willing to take the risk of exposure there - but I'd rather not have my email addresses available to web crawlers...

  5. This part has been discussed previously.  Yahoo does not properly identify the originating IP address and gets many reports because of this.  Since you did not provide proper tracking urls, we can not see if this is the case here.


    Sorry about the URLs. I thought the ones I had were tracking URLs. These should be better:




    All three of these look to me as though the Received lines go back through Yahoo, yet Spamcop stops at the Yahoo IP since it's not on the list.

    I've gone through the mailhost configuration, but none of the test messages went through 216.39.53.* so nothing changed in my mailhost setup.

    Am I right in assuming that Spamcop maintains a list of "Yahoo" IP addresses and when a test message goes through one, it adds the list to your mailhost config?

  6. I have a Yahoo email address that is forwarded to my Spamcop account (I pay Yahoo for the account and have set up automatic forwarding).

    When I report spam that comes through that path, the reports often go back to Yahoo, not the true originating IP.

    It appears that Yahoo is sending through a series of IPs in the 216.39.53.* net and Spamcop's Yahoo mailhost does not know about them.

    I've seen ~50 different IP addresses used out of 63 messages in the past four weeks. What's the procedure for getting these IPs added as legitimate?

    Here are a couple of recent examples:

    Email from / 11 Apr 2006 04:45:08 -0000

    http://www. spamcop.net/w3m?i=z1716073746za...035a895230d10bz

    Email from / 10 Apr 2006 13:00:42 -0000

    http://www. spamcop.net/w3m?i=z1715137723zb...d545b68362fef4z

    Moderator Edit: link broken as they were not Tracking URLs, rather "Abuse Center" links for an ISP to take some action on the 'report' ....

  7. Awhile back, I posted a query about Spamcop's incoming virus filters catching (and silently discarding) phishing attempts. This was confirmed by the support folks.

    While this is annoying, it's not a huge deal. I keep copies of all email that my system forwards to spamcop, so I can manually drop the phishes into my "Held Mail" folder and then report them. It's an extra step - but it doesn't happen often enough to be a major hassle.

    However, today, a friend sent me a forwarded, tasteless picture that vanished into the Spamcop blackhole...

    My suspicion is that Spamcop's mail system decided it was a virus and silently deleted it, which begs the question: What criteria does Spamcop use for silently deleting a message? I understand (and agree) about deleting viruses - but this kind of false positive seems like something is misconfigured. (While the picture was tasteless, the message itself was harmless - a 2-part MIME message: one part plain text, the other part a JPG with a Michael Jackson joke).

    Additional technical details for those who care: I run two mail servers (one at home and one at work). Each system forwards certain messages to accounts at spamcop.net. In the case of my work email, Spamcop then filters the messages and returns the good ones back to a "secret" account on my mail server. This all works quite well - but outages in the past have made me paranoid, so I have a second copy of all such messages delivered to a special local holding account. The servers are running Mandrake Linux 9.1 and Postfix 2.0.6 and I have two different Spamcop accounts (one for each server).

  8. Your research was a bit convoluted.  It was suggested earlier that you'd want to contact JT.  You say you asked the Deputies (who then would have had to contact JT, get an answer) and then they replied to you.


    In all fairness, let me say that JT gets hammered from many directions.

    Indeed. I did send an email to JT back in February (with the Subject of "Phishing attempts being silently deleted?"), but saw no response. After a few more phishes went missing, I tried the deputies.

    I didn't mean to sound like I was complaining about a lack of response. It's true, I got no "official" response to repeated postings here and one email - but I never considered this issue to be "grave", so I tried not to make a fuss.

    Sorry if I breached some etiquette by going to the deputies to get a resolution...

  9. For those keeping score at home, these vanishing phish emails keep showing up. I finally contacted the deputies and got an answer confirming that they are being deleted by the anti-virus software.

    It's not quite what they want - but apparently, it's not something they can change.

    Since I don't receive a lot of these, I can live with that explanation. It's frustrating, but since I keep local copies of all messages that I forward to Spamcop, I can still manually report the ones that go into the A/V black hole.

  10. You should probably contact JT directly: support<at>spamcop.net and ask the question, offering your logs if needed.  And if you could post any answers here, that would be great to help out the next person.


    These are still infrequent, but I've seen about four over the last couple weeks. Here's another:


    My system received this phish attempt this morning at 06:39:20. It was forwarded on to my Spamcop account two seconds later. Spamcop accepted the message with a 250, but it never showed up in my Held Items (nor was it returned to me).

    It is as if this phish was treated as a virus and deleted silently - which (to me) is a bug.

    I asked support[at]spamcop.net about this, but got no response.

  11. Got another one today.


    The message was silently deleted by Spamcop when my mail server forwarded it. I had to copy the message (using IMAP) into my Held folder so I could report it.

    Does Spamcop think this is normal? Is deleting phish attempts the desired behavior? Or is this a bug?

    I can see why Spamcop would get skittish about these messages, though. This one was peppered with links to valid eBay pages - and so I had to go through and uncheck several boxes before filing the reports. The casual user probably wouldn't bother, which would result in erroneous reports.

  12. Twice in the last few days, I have received phishing attempts to an address that my mail server forwards along to Spamcop. In both cases, the message never appeared in my "Held Mail" folder - just as if it were a virus (but it's not).

    I checked my mail server logs and the forwarding was accepted by Spamcop's mail server with a 250 response. (In the past, I've noticed some forwarded messages are rejected by Spamcop, but this is not the case here).

    This makes me think it was either a couple of transient flukes, or Spamcop is doing some content-based silent rejection - which seems counter to the intent of spam reporting.

    Anybody see something similar?

    The two phishes were for Citibank and eBay respectively. Here's the tracking URL for the most recent one: http://mailsc.spamcop.net/sc?id=z732343727...07bcff545d55b3z

  13. I do not understand the implications of the "quick reporting." Is there something I can read about quick reporting? What makes a quick report less "beefy" than a full one?

    Quick reporting sends a report only for the source of the message. It does not examine the body to report any websites. It still feeds the blacklist, though, so I consider it an adequate substitute if you don't have time to do "full" reporting. (I will usually pick and choose certain messages for full reporting, then quick-report the rest).

    Also, I read the FAQ on mailhost. I do not fully understand the implications of that as well.

    The biggest problem with quick-reporting (and reporting in general) is that Spamcop occasionally hiccups while traversing the Received: lines and incorrectly determines a legitimate relay as the source.

    The point of mailhosts is that you identify who is supposed to relay your messages. In the simplest case, you tell Spamcop who your ISP is. If a message arrives from the ISP, then Spamcop knows to keep going back when studying the Received lines.

    It is meant to minimize these hiccups and make quick reporting safer...
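An added example (not part of the original posts, and a simplified model rather than SpamCop's actual parser) of the Received-line walk described above, showing how a forwarding relay missing from the mailhost list gets blamed as the source, as in the 216.39.53.* reports earlier on this page. Only that prefix comes from the posts; every host name and other address is a constructed placeholder.

```python
import email
import ipaddress
import re

# Constructed message: Yahoo-style forwarding chain ending at a reporting service.
RAW = """\
Received: from forwarder.yahoo.example (forwarder.yahoo.example [216.39.53.7])
\tby mx.spamcop.example with SMTP; Tue, 11 Apr 2006 04:45:10 -0000
Received: from mta.yahoo.example (mta.yahoo.example [198.51.100.20])
\tby forwarder.yahoo.example with SMTP; Tue, 11 Apr 2006 04:45:09 -0000
Received: from unknown (HELO mail.bank.example) ([203.0.113.45])
\tby mta.yahoo.example with SMTP; Tue, 11 Apr 2006 04:45:08 -0000
From: "Security" <security@bank.example>
Subject: constructed sample

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def find_source(raw_message, mailhost_nets):
    """Walk Received headers newest-first and return the first peer IP
    that is not a registered mailhost, or None if no such hop is found."""
    nets = [ipaddress.ip_network(n) for n in mailhost_nets]
    msg = email.message_from_string(raw_message)
    for header in msg.get_all("Received", []):
        m = IP_RE.search(header)
        if not m:
            return None  # unparseable hop: stop rather than guess
        peer = ipaddress.ip_address(m.group(1))
        if not any(peer in net for net in nets):
            # This header was written by a trusted host, so the peer it
            # recorded is real, and it is not one of our relays.
            return str(peer)
        # Peer is a known relay: the next header down was written by it,
        # so it can be trusted too. Keep walking.
    return None

# Hypothetical mailhost configurations (the first lacks the forwarder range).
INCOMPLETE = ["198.51.100.0/24"]
COMPLETE = INCOMPLETE + ["216.39.53.0/24"]

if __name__ == "__main__":
    print(find_source(RAW, INCOMPLETE))  # the relay is reported
    print(find_source(RAW, COMPLETE))    # the walk reaches the real sender
```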

  14. 1) How much spam is left?

    This has been asked for many times and never implemented. I conclude, therefore, that it is either very difficult or the powers-that-be don't think it's important. I agree, though, that it would be nice.

    2) Process all spam in queue (optionally, say in blocks of 10 or some sensible number).

    The big problem, though, is that people make stupid mistakes. If submissions are easier, then those same people can make those same stupid mistakes on a grand scale, and this degrades the quality of Spamcop reports. For those who are careful, the "quick reporting" feature is probably the best compromise.

    OK, so it looks like Steve beat me to the punch and said essentially the same things I did... But dammit! I'm posting this anyway since it's all typed up... B)

  15. I just deployed SPF on my MTA.  It was quite a lot of effort, but it's blocking *all* spam.

    This, by itself, is not very meaningful. Does it also not block legitimate mail?

    Don't get me wrong. I like SPF (though I haven't implemented it, yet). But aren't there a *lot* of people who haven't published SPF records?

  16. Does anyone have any ideas why?  I know my spam load hasn't decreased significantly this month. 

    Well, one of my accounts has seen a noticeable decrease in spam. I suspect listwashing - but who knows?

    Also, Spamcop has had some hiccups recently. Perhaps reporting efficiency was hit hard enough to explain the lower numbers for June?

  17. Select Style  - We have no submit button!

    Assuming you mean the "Site Style" drop-down... with Mozilla (1.7), the change was instant. There's no need for a Submit button.

    Textarea (for submitting spam) doesn't fit inside of the default table. Kinda looks off, might want to make that fit.

    I don't see that - or I don't understand what you're seeing.

    Everything else looks great!

    I agree. I like the new look.

  18. It was my recollection that Julian did this quite a while ago .. now whether that extended to JT's servers .. and in light of the recent relocation ...?????  No idea at present, honestly ..

    As I recall, Julian added an SPF record for reports.spamcop.net because nobody is supposed to be sending mail with those addresses except for Spamcop's servers. However, spamcop.net by itself is set to "v=spf1 ?all" - which is as it should be (since people send using their spamcop.net addresses from all over the world).