Jump to content

SpamCop does not recognize my spam and spammer


Hattula

Recommended Posts

I and a couple of my friends get a lot of spam.

I have forwarded them to email address submit.xxxxxxxxxxxx[at]REMOVEspam.spamcop.net
and the answer begins like this:
SpamCop encountered errors while saving spam for processing:
SpamCop could not find your spam message in this email:
I just made my server rule for all my spam rules..
that all spam Forwarded Your e-mail address submit.xxxxxxxxxxxx[at]REMOVEspam.spamcop.net.
How can I get you to understand that these e-mails are spam?
The email sender have a different address but the spam design and the content is always similar...
Sorry, I need to spam your e-mail that you understand that those are all spam!
Best Regards
Hattula
Link to comment
Share on other sites

Welcome to the forum and the fight.
This forum is populated by other users of the SpamCop anti-spam tools. As such this is a user-to-user forum to help others use.

At the top of the screen where you review you submitted spam, you will see something similar to:

SpamCop v 4.8.3 © 2016 Cisco Systems, Inc. All rights reserved.
Here is your TRACKING URL - it may be saved for future reference:
https://www.spamcop.net/sc?id=z6222177106z2ad01cfcb5912955469ac1d61c4d46c8z

For others to see exactly what the spam processor has found in you submitted spam, it would be most helpful if you provided the TRACKING URL so "we" could see what you see. Without that link we are only guessing and can provide only general guidance.

Also it would be helpful if you would tell us what tools, email applications, and procedures you use to forward spam. Some tools, LookOut for example, provide extra challenges to submitting spam.

I have moved you post to a more appropriate location.

Link to comment
Share on other sites

Hi Lou,

Many Thanks for You!

I use Mozilla Thunderbird and have a lot of spam mails..

Now I have send ten minutes and send reports already dozens URL's

I have already removed a lot of Tracking URL's

But I have spam report id's... is those id's usefull for you?

I can collect URL's or id's and share here, what you want in future.

Best Regards

Hattula

Link to comment
Share on other sites

spam report id's are only useful to you, others can not use them. However, if you click on a report id to view the report, at the top is a link "PARSE" Clicking on that will re-parse the spam and display the TRACKING URL that the rest of us can use to view the spam and how it was processed.

Thunderbird does make it easy to report spam, including full header, by either doing a cut-and-past into the SpamCop reporting webpage (<CTRL>-U, <CTRL>-A, <CTRL>-C and then <CTRL>-V) or by forwarding the spam as an attachment to your private reporting email address. I also use TB to report spam.

Link to comment
Share on other sites

Hi,

Ok,

My spam has decreased considerably! :-)

http://www.spamcop.net/sc?id=z6222188688z637299595a3732c0ca0f1a88abf0a563z

http://www.spamcop.net/sc?id=z6222188918z55b7fdb414f89b531f32d0f28305126bz

http://www.spamcop.net/sc?id=z6222188963zafd223cd1488073bc288d76273fb7d5fz

http://www.spamcop.net/sc?id=z6222188992z3d7ea0ad241ced64eec78f65137e115ez

http://www.spamcop.net/sc?id=z6222189220z291b333b8c913ab64201caa9655c86cfz

http://www.spamcop.net/sc?id=z6222190254zef89b47652e836358c882f98558d37d5z

http://www.spamcop.net/sc?id=z6222191113z119eac08422be3bb71e6fd276e8bd6f0z

http://www.spamcop.net/sc?id=z6222191651z1a300cdb060c72f381431759e04f919bz

http://www.spamcop.net/sc?id=z6222204529ze509d9940bf9b4a80bf94dc6b3ca5bf7z

http://www.spamcop.net/sc?id=z6222204556zdd7275c22131681230abdf208f98d82cz

http://www.spamcop.net/sc?id=z6222223832z96f54866421f3dea64a04b23d601df97z

http://www.spamcop.net/sc?id=z6222225253zbda5905136fdd3c0237660e800b7a9ecz

http://www.spamcop.net/sc?id=z6222688451z3c306f2f66134ea5315fd399ae4be762z

http://www.spamcop.net/sc?id=z6222685214z66327cb99da61de28bb890ccc0434446z

http://www.spamcop.net/sc?id=z6222704096zb40542124406de03e3d8f943447b071fz

I think at that spammer have a following domains:

http;//silver-goods,net

http;//impeccable-luxury,com

http;//lovely-money,com

http;//flower-coin,com

http;//fantasticsuccesstrophies,com

http;//kittenbargains,net

http;//panda-promotions,net etc.

I have receive over 20 mails for Karina Mortensen (km[at]powermediagroup.dk) where she have wrote following to me:

Dear user,

Please note that you have now been removed and blacklisted from our e-mail lists and will therefore not receive any more e-mails from us.

Kind regards,

Karina

Behind of all spam messages is this company http;//www,powermediagroup,dk

They send a lot a spam to Finland!!

Is there any possibility to get a ban whole company?

Regards

Hattula

Link to comment
Share on other sites

Hattula Note: I edited your last post to break the spammer's URL. This forum is scanned heavily and we would not want to give any SEO advantage to the spammer.

As to your OP, it looks to my like your submissions are being processed and reports are being sent. Am I missing something?

Link to comment
Share on other sites

Hi,

Now I have a spam that contains a zip file with a virus. :)

I receive this type of spam a couple of times a week..

I make a report, but after that a I receive message from SpamCop AutoResponder and wich contains a virus...

Or if I make report on site (copy header and send), Avast block new opening page becouse its contains virus. :o

How I should make report in case like this?

Recards

Hattula

Link to comment
Share on other sites

This SpamCop FAQ could answer your question https://www.spamcop.net/fom-serve/cache/283.html

This part in particular.

SpamCop does what it does and doesn't do for a reason. Do not make any material changes to spam before submitting or parsing which may cause SpamCop to find a link, address or URL it normally would not, by design, find.

In the past is has be a practice when deleting or truncating the body of a spam, to include a statement similar to 'Original body deleted to remove a virus.' If you do this be sure to include a blank line to identify the end of the header.

Link to comment
Share on other sites

I guess I have lost track of where "we" are headed. Some were along the line an anti-virus scanner looked at this spam, detected a virus and removed it, and documented the process in the header:

By adding *** VIRUS *** to the subject line

adding several free format "X" lines to the header to document when (pass 2), what (LockyDownloader java scri_pt), the scanner found and what was done (Deleted)

X-Pass-two: yesX-Antivirus: avast! (VPS 160324-2, 24.03.2016), Inbound messageX-Antivirus-Status: InfectedX-Attachment: Document2.zip#1049382525|>DFM8756173916.js	Virus: JS:LockyDownloader [Trj]	Deleted
Link to comment
Share on other sites

Hi,

My PC in home does not notified of the virus... :blink:
So, here is it.

http://www.spamcop.net/sc?id=...........058684c654a7d51557dz

Regards

Hattula

here is how I would report this using SpamCop "notes"

(it;s a Botnet IP sending them and the are millions of these IP's all over the world.

Seems they "203.115.146.150" are run by bozo's (clowns) but all one can do is try?

>

203.115.146.150 (Administrator of network where email originates)

Philippines Bayan Telecommunications

contains virus attachment

abuse[at]skyinet.net

BOTNET ATTACK HOST

http://www.abuseat.org/lookup.cgi?ip=203.115.146.150

This IP is infected (or NATting for a computer that is infected) with the kelihos spambot. In other words, it's participating in a botnet.

last detected at 2016-03-24 13:00 GMT (+/- 30 minutes), approximately 9 hours, 30 minutes ago.

TO REMOVE INFECTION

Norton Power Eraser is a Windows free tool and doesn't require installation. It just needs to be downloaded and run.

https://security.symantec.com/nbrt/npe.aspx

BLOCK OUTBOUND PORT 25,

RESERVE FOR LEGIT EMAIL SERVER

Make sure you are connecting to your mail server's 'authenticated mail' port 587 and not the ordinary 'unauthenticated' port 25. (ask your ISP to check for you)

CHANGE TO SECURE PASSWORD

SCAN INFECTED COMPUTER FOR MALWARE

A BOTNET infected computer/server means the all data passing through it may be compromised (bank details, log-on/password, email, etc).

CBL (abuseat.org) lists those computers that are infected with instructions on how to remove BOTNET infections

Change log-on to a more secure password!

The following Cisco site shows servers/computers with prior or existing BOTNET infections

http://www.senderbase.org/lookup/ip/?search_string=203.115.146.150

spewing spam

https://www.spamcop.net/w3m?action=checkblock&ip=203.115.146.150

>

Link to comment
Share on other sites

Ok,

This report is out of your system..

They send messages once of week and annex always included annex with virus...

SpamCop have a 48 hours limited time to report..clever to avoid your system.

You do not have the opportunity to grab them?

Link to comment
Share on other sites

Hattula,

As fellow newbie.. follow the process. If the rule is that spam has to be <48 hours, than that's the rule. Don't ask for more..

There is a shipload of spam that goes through the systems, so missing a handful doesn't make all that much difference.

What I suggest you do, is to add a filter on your webmail. In the filter you add the ip address of the MX that sends you that spam, or another common attribute that identifies the sender.

Then you set the rule to discard the e-mails that match, and poof... no more mail from that sender.

AND

Get in touch with your mail system admin. Ask him why he is not using spamcop RNDSBL's or similar. HE should already help us keep spam out of our systems !

Take care, and keep fighting the fight..

Hoot

Link to comment
Share on other sites

  • 1 month later...

Pete, I am not surprised that amazonaws.com does not respond.

The tracking URL  you provided is a little old, 26 April 2016.  Without current examples I would move on.  Even responsible managers would be hard pressed to looks at records this old to correct a problem.  I the case of Amazon, connections with a vendor could no longer exist and there would be no action for them to take.

That is not to excuse the spam nor supporting the spamvertised site.  On the other hand, the product/link referenced within the base64 part of the spam could have been a legitimate product or service, advertised to you with spam.

Link to comment
Share on other sites

On 19.5.2016 at 5:49 PM, Lking said:

Pete, I am not surprised that amazonaws.com does not respond.

The tracking URL  you provided is a little old, 26 April 2016.  Without current examples I would move on.  Even responsible managers would be hard pressed to looks at records this old to correct a problem.  I the case of Amazon, connections with a vendor could no longer exist and there would be no action for them to take.

That is not to excuse the spam nor supporting the spamvertised site.  On the other hand, the product/link referenced within the base64 part of the spam could have been a legitimate product or service, advertised to you with spam.

 

Again Amazon..

https://www.spamcop.net/sc?id=zxxxxxxxxxxxxxxxxxxxxxxx85f9ac91029820f6bcb9adf09e8

 

 

 

 

 
   

 

 
 
 
 
 
 
 
Link to comment
Share on other sites

  • 1 month later...

I have the same problem with 

SpamCop encountered errors while saving spam for processing:
SpamCop could not find your spam message in this email
 
I tried both forwarding and copying the email into the text box and sending.  The tracking URL I used is
 
submit.XXXXxxxxXXXXxxxx@spam.spamcop.net
 
The spam is apparently from my email address and contains this:
 
X-YahooFilteredBulk: 68.232.142.20
Received-SPF: pass (domain of spamcop.net designates 68.232.142.20 as permitted sender)
 
nslookup on this returns  esa1.spamcop.iphmx.com

 
Link to comment
Share on other sites

What you provided is the private email reporting address. The tracking URL of a submitted spam looks like

SpamCop v 4.8.4 © 2016 Cisco Systems, Inc. All rights reserved.
Here is your TRACKING URL - it may be saved for future reference:

Quote

That would help others to see what has happened and what can be done.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...