Jump to content


  • Content Count

  • Joined

  • Last visited

Posts posted by Steve

    This is the result I get from the SC parser upon trying to parse the email to report:


    Tracking message source:

    Routing details for
    Report routing for ip-box@ripn.net
    I refuse to bother ip-box@ripn.net
    Message is 30 hours old not listed in cbl.abuseat.org not listed in dnsbl.sorbs.net not listed in accredit.habeas.com not listed in plus.bondedsender.org not listed in iadb.isipp.com


    Finding links in message body

    Recurse multipart:
       Parsing text part
       Parsing HTML part
       No html links found, trying text parse
    no links found


    Finding IP block owner:

    Routing details for
    Report routing for ip-box@ripn.net
    I refuse to bother ip-box@ripn.net


    Sorry, no reporting addresses found for
    Nothing to do.


    I went ahead and manually reported the email to the abuse address since SC basically refused to.

  2. https://www.spamcop.net/sc?id=z6629778003z5e644dc4a48c7fddcdc37d472089d0f5z

    Tried refreshing the page several times and nothing worked to bring up the abuse contact for this IP Address. Upon running a check at whois.nic.ad.jp, I got this result:


    [ JPNIC database provides information regarding IP address and ASN. Its use   ]
    [ is restricted to network administration purposes. For further information,  ]
    [ use 'whois -h whois.nic.ad.jp help'. To only display English output,        ]
    [ add '/e' at the end of command, e.g. 'whois -h whois.nic.ad.jp xxx/e'.      ]
    Network Information:            
    a. [Network Number]   
    b. [Network Name]               BIHORO
    g. [Organization]               Bihoro Town
    m. [Administrative Contact]     JP00155955 (densan@town.bihoro.hokkaido.jp)
    n. [Technical Contact]          JP00155955 (densan@town.bihoro.hokkaido.jp)
    p. [Nameserver]
    [Assigned Date]                 2017/11/20
    [Return Date]                   
    [Last Update]                   2017/11/20 14:11:04(JST)
    Less Specific Info.
    Open Computer Network
            SUBA-131-13P [Sub Allocation]               
    More Specific Info.
    No match!!

    Let's see what happens when I manually report it to densan@town.bihoro.hokkaido.jp.



    Parsing header:
    0: Received: from anshin.town.bihoro.hokkaido.jp (anshin.town.bihoro.hokkaido.jp. []) by mx.google.com with ESMTP id 5si1319690pga.103.2020.; Tue, 21 Apr 2020 02:20:24 -0700 (PDT)

    Hostname verified: anshin.town.bihoro.hokkaido.jp
    Gmail/Postini received mail from sending system

    1: Received: from [] (unknown []) by anshin.town.bihoro.hokkaido.jp (Postfix) with ESMTPA id CDA9B20D474F; Tue, 21 Apr 2020 18:18:05 +0900 (JST)

    No unique hostname found for source:

    Possible forgery. Supposed receiving system not associated with any of your mailhosts

    Will not trust this Received line.

    Tracking message source:

    "whois" (Getting contact from whois.apnic.net mirror)
    Display data:
       Redirect to nic.ad.jp:
       Display data:
       "whois" (Getting contact from jpnic)
       Display data:
       "whois JP00155955/e@whois.nic.ad.jp" (Getting contact from jpnic)
       nothing found
       nothing found

    No reporting addresses found for, using devnull for tracking.

    Message is 17 hours old not listed in cbl.abuseat.org listed in dnsbl.sorbs.net ( 1 ) not listed in accredit.habeas.com not listed in plus.bondedsender.org not listed in iadb.isipp.com



  3. On 2/16/2020 at 11:39 AM, DiverDoc said:

    Look - I'm really sorry if this is a nuisance question and I have searched the forum for this topic, but nothing seems to quite match up. The first time I reported a certain spammer, I got the above message and subsequent reports of the same spammer show the identical message after I submit the spam: 

    Report spam To:

    RE: (Administrator etc ...)


    Can one of you such bright people please advise me what this means and how I should proceed with future instances of spam from this sender?



    Just forward the email with full headers to abuse AT sendgrid DOT com (replace AT with @ and DOT with "."). They usually send an auto-reply email back letting you know they've received it and someone will handle the abuse report. Whether they actually take action, we'll never know.



  4. 3 hours ago, gnarlymarley said:

    Gmail works for my reports, but then I am using fetchmail (over ssl) and an scri_pt that encapsulates the spam in an attachment.  Are you using something like thunderbird or another mail client or the "Show Original" option found in the webmail?  When I click the Show Original, my emails seem intact.

    The "Show Original" option and then "Copy to clipboard" and then I paste into the submission field in SC and submit. Those emails are the only one I have problems with. All other emails go through fine.

  5. 8 minutes ago, petzl said:

    This seems posted from within Gmail to Gmail which means it is intranet spam,
    there is also no body in spam, Seems the headers are incomplete also.
    With full headers and no body, just under headers, hit enter twice and write "No body in spam" for SpamCop to work.
    Just mark it in Gmail as phishing

    Tried that and got the same result as when I originally tried submitting the spam.

  6. I've also been getting amazonaws spam. It seems another IP address is included in the spam. It's and registered to the Association of Medical Colleges (AAMC). I have tried reporting the IP address via SC to AAMC to both the dns AT aamc DOT org (which the SC parser forwards to postmaster AT aamc DOT org) and the postmaster address postmaster AT aamc DOT org on several occasions. with no response/effect. I was almost tempted a few times to write a letter and send it to them asking why their IP address appears in AmazonAWS spam. It's also ALWAYS the same content with the SAME links that aren't valid such as {spam link removed} (which the parser doesn't pick up. It only detects t.co/bit.ly links which even those get redirected and dev/nulled to twitterdoesntcareaboutspamreports@devnull.spamcop.net) or in the case of bit.ly links, sent to abuse AT bitly DOT com. Previous emails were coming from Parsec Cloud, Inc. Citrix is now being used as the bottom of the emails. Here's the original tracking url: https://www.spamcop.net/sc?id=z6585617008z355af39de650b47648e218409deb1a46z

    {Quote of spam Deleted} -- To view the deleted material follow the tracking URL above.
    Here's the parsing results for the AAMC IP address and the tracking URL: https://www.spamcop.net/sc?id=z6585618727zdf96eb88f2edb7ba97b2dad603fed48ez
    Tracking message source:

    Routing details for
    [refresh/show] Cached whois for : dnsadministrator@aamc.org
    Using abuse net on dnsadministrator@aamc.org
    No abuse net record for aamc.org
    Using default postmaster contacts postmaster@aamc.org


    Clicking on the calendly link results in this:




    Event Temple Demo
    No openings at the moment.

    If you are the owner of this account, you can log in to find out more.


    with the links being reported to abuse AT cloudflare DOT com. Not that CF can do anything to take down the link.




  7. On 10/25/2019 at 10:07 AM, dr_bobbs said:

    OK, now I am trying to submit spam from gmail that clearly DOES have a line of body text; but I still get this error message: 


    SpamCop v 5.1.0 © 2019 Cisco Systems, Inc. All rights reserved.
    Here is your TRACKING URL - it may be saved for future reference:

    No body text provided, check format of submission. spam must have body text.
    If reported today, reports would be sent to:

    Re: (Administrator of network where email originates)



    I have tried inserting one or more blank lines, or extra lines of explanatory text. Still get the same error message.

    Submitting by pasting (since forwarding as an attachment looks like 1000x more effort than I wanted to spend to report one spam!)

    Same here. I have had problems with reporting gmail users sending spam to SC and getting the "No body text provided, check format of submission. spam must have body text."

  8. https://www.spamcop.net/sc?id=z6571118445z3f089fb00c95557d5b0557565f4701efz


    Why do reporting addresses for either an IP address associated with an email or a link in the email that SC finds an IP to associate with bounce and why does the ISP/host do nothing to fix it? Here's an example of a recent email below:




    [report history]
    Host lustergroup.com (checking ip) =
    Resolves to
    Routing details for
    [refresh/show] Cached whois for : noc-abuse@mschosting.com noc@mschosting.com
    Using abuse net on noc-abuse@mschosting.com
    abuse net mschosting.com = tmcops@tm.net.my, postmaster@mschosting.com, postmaster@eastgate.net.my, postmaster@myloca.com, abuse@tm.net.my, hostmaster@mschosting.com, abuse@mschosting.com
    Using best contacts tmcops@tm.net.my postmaster@mschosting.com postmaster@eastgate.net.my postmaster@myloca.com abuse@tm.net.my hostmaster@mschosting.com abuse@mschosting.com
    tmcops@tm.net.my bounces (21 sent : 12 bounces)

    Using tmcops#tm.net.my@devnull.spamcop.net for statistical tracking.

    postmaster@mschosting.com bounces (261 sent : 131 bounces)

    Using postmaster#mschosting.com@devnull.spamcop.net for statistical tracking.

    postmaster@eastgate.net.my bounces (257 sent : 129 bounces)

    Using postmaster#eastgate.net.my@devnull.spamcop.net for statistical tracking.

    postmaster@myloca.com bounces (280 sent : 147 bounces)

    Using postmaster#myloca.com@devnull.spamcop.net for statistical tracking.

    abuse@tm.net.my redirects to abuse@tm.com.my
    hostmaster@mschosting.com bounces (261 sent : 131 bounces)

    Using hostmaster#mschosting.com@devnull.spamcop.net for statistical tracking.



  9. https://www.spamcop.net/sc?id=z6563416674z69d183e3fd56b1d4637b0d9020b3cee0z

    Why are sendgrid reports dev'nulled? SC gives no reason for it when parsing spam email. If I report it manually to SG, I get an auto-reply.


    Auto reply:





    Subject: Thanks for reporting unsolicited email



    Thank you for the report of unwanted mail. Your complaint has now generated a ticket that will be reviewed by an actual human in the next 48 hours. If the complaint is a phishing message, it will be reviewed much sooner (usually within the hour during operational hours).

    SendGrid takes these reports of unwanted mail very seriously, and we will work to identify the offending sender and investigate their email practices. Please know that you will likely only hear back from us if we require more information on this case.

    If you would like to provide us any more detail, all you have to do is reply to this email, and additional information will be added to your ticket.

    Please note that due to security concerns we will not open attachments under any circumstance. You must provide any necessary information in plaintext in the body of your report.

    Have a great day,
    The SendGrid Compliance Team






    Tracking message source:
    Routing details for
    [refresh/show] Cached whois for : abuse{AT}sendgrid.com
    Using best contacts abuse#sendgrid.com@devnull.spamcop.net


  10. What address are you sending Amazon abuse reports to? abuse@amazonaws.com/ec2-abuse@amazon.com? If you do it through SC, they devnull the report as that address (abuse@amazonaws.com) is disabled for reports, but manually reporting it to abuse@amazonaws.com/ec2-abuse@amazon.com generates a confirmation email.



  11. Has anyone gotten AmazonAWS spam originating from AAMC.org (American Association of Medical colleges) with the IP address

    I've gotten several and when reporting this IP addy through SC, it parses the email and comes back with an abuse address of shammond@aamc.org. But if I perform a whois on the IP address, I get dnsadministrator@aamc.org. shammond@aamc.org does not appear anywhere in a whois query nor did I find it on the AAMC website. 


    Here's tracking URL for one of those emails:



    Reporting it through SC to shammond@aamc.org or manually to dnsadministrator@aamc.org yields no response back that they've received it and/or have taken action against this IP address to stop/mitigate spam being sent from it.


    Tracking message source:

    Routing details for
    [refresh/show] Cached whois for : shammond@aamc.org
    Using last resort contacts shammond@aamc.org
    Message is 12 hours old not listed in cbl.abuseat.org not listed in dnsbl.sorbs.net not listed in accredit.habeas.com not listed in plus.bondedsender.org not listed in iadb.isipp.com

    clicking on Routing details for
    [refresh/show] reveals this info:

    Tracking details

    Display data:
    "whois" (Getting contact from whois.arin.net )
    Found AbuseEmail in whois dnsadministrator@aamc.org -
    Routing details for
    Using abuse net on dnsadministrator@aamc.org
    No abuse net record for aamc.org
    Using default postmaster contacts postmaster@aamc.org


    If that's the case, why doesn't SC send reports to the postmaster address then?

  12. On 3/2/2019 at 2:11 PM, Lking said:

    I admit I do not know which of several reasons that amazonAWS reports are being devnulled.  But in general there are several possible reasons a spam report is not sent but directed to devnull.spamcop.net

    1. The intended recipient has ask SC not the send spam reports. (SC does not want to become a "spammer" sending unwanted email)
    2. spam Reports sent to the abuse address have bounced. (a report and bounce would just clutter the bandwidth)
    3. There is evidence that the recipient is in fact the spammer not a responsible ISP. (would serve no purpose)
    4. SC did not find a valid abuse address for the IP. (Record keeping only)

    The Tracking URL report section does provide an explanation

    "<<<<<<<<<<<<<<<<<" added

    I just manually report those emails to abuse(at)amazonaws.com and ec2-abuse(at)amazon.com I do get replies back once they've received the spam report and when they've taken action or mitigated the activity of their subscriber/customer.

  13. Ran an APNIC whois and cam up with these abuse contacts:

    Kagoya Japan, Inc/KAGOYA Network Administrator Group
    nss.ipadmin@kagoya.net & support.domain@kagoya.net


    Cached whois for : search-apnic-not-arin@apnic.net
    I refuse to bother search-apnic-not-arin@apnic.net.

    Using search-apnic-not-arin#apnic.net@devnull.spamcop.net for statistical tracking.

    Using last resort contacts search-apnic-not-arin#apnic.net@devnull.spamcop.net


    Tracking URL:


  14. 2 hours ago, RobiBue said:

    yeah, that's why I'm saying, I believe that injected Received line acts somewhat as a signature placed there by the designer of the malware...

    that IP might, at one time, have been assigned there... I don't know if there is a historical IP database available ;)

    but I understand now what you meant. thanks.

    Reporting the IP address results in this address coming up: abuse@wowrack.com

    I have tried reporting this IP address several times last year and a few times an employee said they will "Null-route" the IP address. But it still shows up in spam.

  15. https://www.spamcop.net/sc?id=z6519982075zb6dffaaf6c4dde062e506799464432dez


    Tracking message source:

    Routing details for
    [refresh/show] Cached whois for : pioklo@serveradmin.pl
    Using last resort contacts pioklo@serveradmin.pl


    Why when SC parses the IP Address, does it come up with a result for a Polish IP (pioklo@serveradmin.pl) as a last resort address?  But when I query it through whois.ripe.net does it come up registered to:


    Responsible organisation: Hetzner Online GmbH 
    Abuse contact info: abuse@hetzner.de
    • role: Hetzner Online GmbH - Contact Role
    • address: Hetzner Online GmbH
    • address: Industriestrasse 25
    • address: D-91710 Gunzenhausen
    • address: Germany
    • phone: +49 9831 505-0
    • fax-no: +49 9831 505-3
    • e-mail: ripe@hetzner.de
    • abuse-mailbox: abuse@hetzner.de
    • remarks: *************************************************
    • remarks: * For spam/abuse/security issues please contact *
    • remarks: * abuse@hetzner.de, not this address. *
    • remarks: * The contents of your abuse email will be *
    • remarks: * forwarded directly on to our client for *
    • remarks: * handling. *
    • remarks: *************************************************
    • remarks:
    • remarks: *************************************************
    • remarks: * Any questions on Peering please send to *
    • remarks: * peering@hetzner.de *
    • remarks: *************************************************
    • org: ORG-HOA1-RIPE
    • admin-c: MH375-RIPE
    • tech-c: GM834-RIPE
    • tech-c: SK2374-RIPE

  16. https://www.spamcop.net/sc?id=z6519956282z3287af6539a13394828b32aaa4e4b1a7z


    Tracking message source:

    Routing details for
    [refresh/show] Cached whois for : iptech@readyspace.com.sg
    info@readyspace.com.hk bounces (31 sent : 16 bounces)
    Using best contacts

    No reporting addresses found for, using devnull for tracking.

    Message is X hours old not listed in cbl.abuseat.org not listed in dnsbl.sorbs.net not listed in accredit.habeas.com not listed in plus.bondedsender.org not listed in iadb.isipp.com


    I have tried refreshing the page with no change in result. I went ahead and manually reported the spam to the ISP.