Jump to content
Sign in to follow this  
JMark

Is SpamCop still relevant?

Recommended Posts

resilt in zero Received: lines is some sort of e-mail client that offers up some 'simple' header display that strips out what someone considered unimportant data ????? Definitely not usefull at all from a spamcop.net Reporting perspective.

I can't presume to speak on behalf of the OP. I have,, however, received notification emails sent by a well-known email provider (who shall remain nameless) which lacked some of the headers that you'd normally expect, such as "Received." It was as if they hadn't configured their system properly.

Share this post


Link to post
Share on other sites
I have,, however, received notification emails sent by a well-known email provider (who shall remain nameless) which lacked some of the headers that you'd normally expect, such as "Received." It was as if they hadn't configured their system properly.

if it's just a 'notification' the lack of RFC mandated headerlines is more than possible, the 'notification' being triggered by the e-mail server, kicking a 'localhost' tool into action which then simply 'places' the error condition/notice' into the user's InBox. Whether that notice included the 'complete' attempted e-mail or not would be a configuration issue. but even at best, that e-mail would be either embedded or showing up as an attachment to the notification. Either way, something not normally to be handled via the SpamCop.net Parsing & Reporting System.

Share this post


Link to post
Share on other sites
if it's just a 'notification' the lack of RFC mandated headerlines is more than possible, the 'notification' being triggered by the e-mail server, kicking a 'localhost' tool into action which then simply 'places' the error condition/notice' into the user's InBox. Whether that notice included the 'complete' attempted e-mail or not would be a configuration issue. but even at best, that e-mail would be either embedded or showing up as an attachment to the notification. Either way, something not normally to be handled via the SpamCop.net Parsing & Reporting System.

A thoughtful reply, however irrelevant to my situation. All of the specimens presented were sent to Spamcop as received. They were not email server "error" attachments or embeds. I know not to attempt to send these on.

On another note, I have not received any more of these emails sans "Received:" headers since my last post. I get a half dozen spams a week and it has been a week or more since my last corrupted one. I have made no systemic changes. If desired, I can post a sampling of the recent successfully parsed spams if it would be helpful.

Share this post


Link to post
Share on other sites
So in short, most spammers have found around SC reporting, SC developers do not bother to keep up with spammer developments and the one of the most common email clients is not supported.

So why should I bother?

Sadly, SpamCop really does not hold much relevancy anymore. Recently, the spammers have really began exploiting several commonly known exploits out there to trick SpamCop into not only reporting innocent hosts, also, including reporters' information back to the spammer (double whammy). I am thinking Cisco is no longer interested in this pet project & has simply quit investing into it. Project needs to be released into SourceForge to keep the heartbeat.

:(

Share this post


Link to post
Share on other sites
<snip>

Recently, the spammers have really began exploiting several commonly known exploits out there to trick SpamCop into not only reporting innocent hosts, also, including reporters' information back to the spammer (double whammy).

...This has been true since I started using SpamCop years ago. It is the duty of the SpamCop user to attempt to minimize these potential problems by reviewing the e-mail addresses to which SpamCop is offering to send notifications.
I am thinking Cisco is no longer interested in this pet project & has simply quit investing into it. Project needs to be released into SourceForge to keep the heartbeat.
...There is sufficient evidence, I would say, from posts and follow-ups by SpamCop (Cisco) employees to contradict this assertion.

Share this post


Link to post
Share on other sites
The latest example....

Same sitution. I don't see yet where you have explained or even suggested how you are getting/trying to Report e-mail with absolutely no Received: lines in the headers.

This was spam received in my Outlook v14 Inbox this morning, 2/28/11 at 3:02 est. Forwarded via Spamgrabber v5.0

"Outlook v14" actually means nothing to me at present. Why wouldn't there be any evidemce of the "forwrded by Spamgrabber" in the headers? As stated before, without Received lines in the headers, the only thing that can be said is that this e-mail did not traverse the known Internet at all, pointing once again to a 'localhost' scenario.

Share this post


Link to post
Share on other sites
"Outlook v14" actually means nothing to me at present.

Outlook v14 is the version number of Outlook 2010, which has been out for more than a year. I generally try to be specific to more expeditiously arrive at the issue. If you prefer, I will be more general in my references in the future.

Why wouldn't there be any evidemce of the "forwrded by Spamgrabber" in the headers?

Because, Spamgrabber, a product recommended by Spamcop for Outlook users, forwards as an attachment. How would an attachment be stamped as "Forwarded by?" Does Spamgrabber do that?

As stated before, without Received lines in the headers, the only thing that can be said is that this e-mail did not traverse the known Internet at all, pointing once again to a 'localhost' scenario.

See example in previous post.

Share this post


Link to post
Share on other sites
Outlook v14 is the version number of Outlook 2010, which has been out for more than a year. I generally try to be specific to more expeditiously arrive at the issue. If you prefer, I will be more general in my references in the future.

"v14" does not call Outlook 2010 to my mind. Outlook 2010 v14 would have specified just what was being defined.

Because, Spamgrabber, a product recommended by Spamcop for Outlook users, forwards as an attachment. How would an attachment be stamped as "Forwarded by?" Does Spamgrabber do that?

I have no idea. However, from the http://www.spamgrabber.org/ page, "a function to copy the source of a message to the clipboard so you can copy and paste easily into another application" seems like a possibility for some troubleshooting. Does this action provide more "e-mail content" than what seems to be being submitted from the 'one-click' reporting function?

Although there's the note about switching servers before all content was captured, I don't see anything like this in his support Forum. As the current download offering is listed as "Beta" perhaps you'd be better served by posting a query there and seeing what he can provide as an answer about the missing header data lines ????

Share this post


Link to post
Share on other sites
Although there's the note about switching servers before all content was captured, I don't see anything like this in his support Forum. As the current download offering is listed as "Beta" perhaps you'd be better served by posting a query there and seeing what he can provide as an answer about the missing header data lines ????

Will do. Thanks

Share this post


Link to post
Share on other sites

That message, if those are the full headers, should only be delivered within the yahoo network. In any event, complaint should be made to yahoo, apparently the spam source. If your provider is delivering them without full headers then complaint should be made to them too. I don't know about that, it is not clear to me whether you have established that there are or are there are not further headers (that is, in Outlook, a point raised in Wazoo's previous post - to be found using the web form submission process I pointed to right back near the start of your postings here, or at least that part of the process to extract the headers from Outlook for your own comparison). Assurance of full header extraction is absolutely critical to SC reporting. Are you successfully reporting any spam at all? That is worth knowing.

The spamvertized website in your most recent would defeat SC too by the way - even if it didn't, the host is the unresponsive CHINANET Guizhou province network - SC doesn't send those people reports any more since they bounce. SpamCop is not the right tool to deal with unresponsive spam website hosts but that is not an issue when parsing doesn't even get past trying to analyse the headers.

Share this post


Link to post
Share on other sites

http://www.spamcop.net/sc?id=z4949440785z0...367487731a48f9z

It would appear Yahoo is an excellent way to send spam:

Return-Path: <kathyparker5204728[at]yahoo.com>

From: "Kathy Parker" <kathyparker5204728[at]yahoo.com>

To: "Donald Alexander" <kvhuqgwpdszesx[at]hotmail.com>

Subject: re:

Date: Mon, 21 Mar 2011 07:16:57 -0400

Message-ID: <894543.51230.qm[at]web113613.mail.gq1.yahoo.com>

MIME-Version: 1.0

Content-Type: text/plain;

charset="us-ascii"

Content-Transfer-Encoding: quoted-printable

X-Mailer: YahooMailClassic/12.0.2 YahooMailWebService/0.8.109.295617

X-Yahoo-Newman-Property: ymail-3

X-Yahoo-Newman-Id: 452186.37678.bm[at]omp1009.mail.sp2.yahoo.com

Thread-Index: AQHOHjy2zEMRq9GUcixeRUoVGRRkeg==

X-SpamFlt-Status: Not Detected

X-KASFlt-Status: Profiles 20096 [Mar 21 2011]

X-KASFlt-Status: Version: 4.4.2 (May 26 2010 17:02:10)

X-KASFlt-Status: Envelope from:

X-KASFlt-Status: {FROM: 6+ digits before [at]}

X-KASFlt-Status: Rate: 10

X-KASFlt-Status: Status: not_detected

X-KASFlt-Status: Method: none

X-SpamFlt-Phishing: Not Detected

site:

www.14187.tuoacfqedh.com

Comment:

This is posted exactly as received. I find it insulting to read, repeatedly, such comments like "if those are the full headers." Such comments are unhelpful to the OP and will be reported as personal attacks. I do not lie. And as a computer repair business owner with 35 years of computer issue diagnosis, I am knowledgeable about many PC aspects, simply not email systems. Now, let's try to conduct ourselves in a professional manner.

Clearly, there is an issue somewhere between the sender, the senders ISP, Brighthouse, Outlook v.14 (2011,) and perhaps, the way Spamgrabber sees the headers. Some forwards to Spamcop have been successful, not all. Forwarding as attachment or using the SC copy/paste tools make no difference... same result.

Share this post


Link to post
Share on other sites
<snip>

It would appear Yahoo is an excellent way to send spam:

<snip>

...Without doubt, as frequently noted elsewhere in the SpamCop Forums. But I see nothing convincing in the headers you posted to conclude that your spam came from Yahoo -- the "From" and "X" headers are easily forged. Except that if the spam source were Yahoo it would explain the lack of expected headers.
I find it insulting to read, repeatedly, such comments like "if those are the full headers." Such comments are unhelpful to the OP and will be reported as personal attacks.... Now, let's try to conduct ourselves in a professional manner.

<snip>

...A few points about this:
  • "Touchy" OPs might, indeed, interpret this as a personal attack but it is not (necessarily) so. If, for example, Outlook is mangling the headers (as it has been accused of doing elsewhere in the SpamCop Forum), it would hardly be viewed as the OP's fault (unless the OP is known to be knowledgeable enough to know this about Outlook).
  • Personal attacks are viewed by various SpamCop Forum participants as ranging from unacceptable to encouraged. Posts interpreted as personal attacks are frequently made by the SpamCop Forum Admin, even though he is either pointing out alternative approaches that could be taken or attempting to elicit additional information he believes is necessary to properly find a resolution to the OP's problem.
  • What constitutes "a professional manner" is open to interpretation and can be endlessly and vainly argued; most of us tend to focus much more here on trying to find a resolution to the OP's question than trying to ensure a "profession manner."

Share this post


Link to post
Share on other sites

There should be a "Received" header and that is missing from your reports JMark.

One other issue that I figured out the hard-way though is that if the "from" header is empty the SC form won't process the mail. Makes you wonder how an ISP will ever allow the mail to be dispatched with an empty from.

Share this post


Link to post
Share on other sites
This is posted exactly as received.

Not sure as I Post this, but I don't believe you've actually fully explained just how you manage to actually receive and then try to submit these incompete e-mails. Yes, you've brought in Outlook and Spamgrabber, but .... what are the actual 'mechanical' steps that actually perform. Again, it's the question of just hos such an e-mail ever makes it anywhere near your InBox that's in question.

I find it insulting to read, repeatedly, such comments like "if those are the full headers." Such comments are unhelpful to the OP and will be reported as personal attacks. I do not lie.

An accusation not made anywhere that I've seen.

And as a computer repair business owner with 35 years of computer issue diagnosis, I am knowledgeable about many PC aspects, simply not email systems. Now, let's try to conduct ourselves in a professional manner.

Simply noting that 'repairing hardware' isn't necessarily the same as 'troubleshooting software.' Yet, I still have to ask why with all that experience/background would you be taking such exception to the common question brought up by so many other folks here ... the headers offered up as samples of failed submittals are all incomplete, yet you can't explain how you are getting them.

Clearly, there is an issue somewhere between the sender, the senders ISP, Brighthouse, Outlook v.14 (2011,) and perhaps, the way Spamgrabber sees the headers. Some forwards to Spamcop have been successful, not all. Forwarding as attachment or using the SC copy/paste tools make no difference... same result.

Will do. Thanks

I'll suggest that all agree that there seems to be an issue. In contrast to what you find "insulting," I don't see where you are actually trying to help us help you. You've not said anything about contacting your ISP/Host to get a 'real answer' as to how these things could be getting into your InBox. (Also noting that at this point, I'm not seeing just who is actually handling/providing these e-mails to you. I know I've brought up the 'localhost scenario' at least a couple of times, but with the critical data missing, I can't tell just who the 'localhost' might be.) You might be talking to Leon directly, but from this side of the screen, all that can be seen is that you've not followed through on your Post stating that you would contact him and see if he could explain any possible Spamgrabber malfunction.

I just spent 20 minutes trying to deal with Brighthouse, but ... they want to talk to you directly.

Share this post


Link to post
Share on other sites

I have been looking over JMark's trackers here and for the most part they look to me like they were sent to a yahoo user by another yahoo user, hence the lack of received lines. In some cases there is a return path showing sunshinemails.net; looking at their bogus MX record, they may have been piping spew from their relay into a backdoor to a yahoo mail server. It happens.

When you first submitted this, spamcop fingered retn.net, gldn.net and wahome.ru. "If reported today, reports would be sent to...mailservices.yahoo.com." The key seems to be teaching to parser to ignore the NNFMP line "to properly assign blame at border."

Share this post


Link to post
Share on other sites
I have been looking over JMark's trackers here and for the most part they look to me like they were sent to a yahoo user by another yahoo user, hence the lack of received lines.

Not to argue, but here's some data from a Yahoo InBox from another Yahoo user ....

X-Originating-IP: [68.142.206.44]

Received: from [68.142.200.225] by n19.bullet.mail.mud.yahoo.com with NNFMP; 22 Feb 2011 12:57:57 -0000

Received: from [98.137.35.106] by t6.bullet.mud.yahoo.com with NNFMP; 22 Feb 2011 12:58:08 -0000

Date: 22 Feb 2011 12:58:08 +0000

Received: from [127.0.0.1] by qc9.grp.sp2.yahoo.com with NNFMP; 22 Feb 2011 12:58:08 -0000

checked a few others, to include 'Yahoo' notifications and even those had Received: lines.

Rarely usee this account, so not sure if it has the same issues as GMail ... different content based on whether the sender was using the web-site itself or SMTP/IMAP, but ... the point remains, some sort of Received: lines have always been present. If only because these folks are big enough that the 'oncoming' e=mail servers are not the same as the servers used to serve up the e-mail to the end-user/account holder, thus there is movement through their network at a minimum.

Share this post


Link to post
Share on other sites

I called Brighthouse again as they did not respond to my March 2 emailed inquiry. Sean, actually with Time Warner, who said he studied network security in college, said that indeed there are ways to spoof email headers so they do not have a "Received from:" header and even alter the date to make it appear that the email is indeed older than it was was when received. Sean said he was prohibited from explaining how this works, although I personally suspect it is sent via an anonymous remailer service.

In short, my original assertion is accurate: spammers have the ability to bypass the Spamcop parsing system, by delivering to my Brighthouse email Inbox emails sans "Received from" headers and at times, altered date headers.

And yes, I have been troubleshooting OSes and related issues, but as stated before, I am not familiar with MIME.

But with the demise of the Rustock botnet and the spammers ability to bypass the capabilities of Spamcop, then perhaps it is no longer and issue.

Share this post


Link to post
Share on other sites
<snip>

In short, my original assertion is accurate: spammers have the ability to bypass the Spamcop parsing system, by delivering to my Brighthouse email Inbox emails sans "Received from" headers and at times, altered date headers.

<snip>

...Sad for us victims. Fortunately, most spammers do not seem to have caught on to the trick. At least I do not recall ever having seen an instance of this, thus SpamCop is still relevant. :) <g>

Share this post


Link to post
Share on other sites
I called Brighthouse again as they did not respond to my March 2 emailed inquiry. Sean, actually with Time Warner, who said he studied network security in college, said that indeed there are ways to spoof email headers so they do not have a "Received from:" header and even alter the date to make it appear that the email is indeed older than it was was when received. Sean said he was prohibited from explaining how this works, although I personally suspect it is sent via an anonymous remailer service.

I've been a professional antispammer for 12 years now, and Sean is full of it. The only way you're not going to have Received: headers for at least the final hop is if: 1) your MUA is broken and either cannot show them to you or is refusing to show them to you; 2) there's a huge bug in your MTA code, or 3) the message isn't transmitted via SMTP. It is possible to forge the content of a Received: header, but you cannot eliminate it entirely so long as the mail is transmitted using RFC822 SMTP.

Also, "spoofing" technically refers to a very difficult kind of man-in-the-middle attack. I would not trust the technical expertise of someone who refers to forging as spoofing.

Share this post


Link to post
Share on other sites
I called Brighthouse again as they did not respond to my March 2 emailed inquiry. Sean, actually with Time Warner, who said he studied network security in college, said that indeed there are ways to spoof email headers so they do not have a "Received from:" header and even alter the date to make it appear that the email is indeed older than it was was when received. Sean said he was prohibited from explaining how this works, although I personally suspect it is sent via an anonymous remailer service.

In short, my original assertion is accurate: spammers have the ability to bypass the Spamcop parsing system, by delivering to my Brighthouse email Inbox emails sans "Received from" headers and at times, altered date headers.

Agree with Kelly for the most part, "spoofing" is not a term normally used with e-mail header data forgery .... noting that she is agreeing with what I and others have been saying all along ... without any "Received:" lines, the e-mail in question did not transit the Internet, no way, no how.

Share this post


Link to post
Share on other sites
Agree with Kelly for the most part, "spoofing" is not a term normally used with e-mail header data forgery .... noting that she is agreeing with what I and others have been saying all along ... without any "Received:" lines, the e-mail in question did not transit the Internet, no way, no how.

Then how exactly did it arrive in my Brighthouse mailbox if not by internet?

Share this post


Link to post
Share on other sites
Then how exactly did it arrive in my Brighthouse mailbox if not by internet?
...As a lawyer would say, "asked and answered." :) See last sentence in earlier Wazoo reply 77432[/snapback] and first sentence in SpamCop 98 reply 77489[/snapback]. Edited by turetzsr

Share this post


Link to post
Share on other sites
Then how exactly did it arrive in my Brighthouse mailbox if not by internet?

I 'love' that you seem to simply want to continue to add to the confusion factor.

You have mentioned Outlook, Spamgrabber, Brighhouse. You have allowed this Discussion to encompass Yahoo e-mail servers, You have ignored all the posted/suggested links describing things like How to ask a good question. You state that no one here is more qualified than you to sort out your problem. OK, you finally made a partial attempt at contacting the other parties involved, unfortunately allowing yourself and 'Sean' to get off track on the actual question/issue.

Questions yet again ...

Exactly what are the steps you use to 'retreive' your e-mail? Specifics would include POP, IMAP, ???? (especially noting that if there's anything that looks like an Exchange server in the mix, then there's yet more configuration possibilities floating around.) Where and how does your use of Spamgrabber enter into the picture? You do know that you have multiple configuration/Hosting issues/questions involved ... you Registered here with an rr.com address, apparently pay money to Brighthouse, and talked to a TW guy ..... (I suppose that's where my attempt to talk to them ended up getting weird when I asked if he could tell me what software they had running, what other applications for flow control were in place, and whether or not his answer would cover "all" the e-mail servers involved, already wondering if the word 'buy-out' might enter the picture anywhere.[wondering even further what AfterBurner and crew might be up to these days<g>])

How about accessing your InBox with a different tool and see if things look the same? ThunderBird for example. Do they offer a web-mail interface?

Willing to talk to Brighthouse again and .... point them to this Discussion, somehow authorize me to make some queries on your behalf, anythng along that line? (Noting that I had an issue with trying to wade through their voice menu, not having a clue as to things like your actual address, etc. Took a stab at the town selection, for instance.)

I'd even offer to take a look at the data itself, but I'm not about to ask for your credentials.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×