kris

no longer changing my email in headers to x

91 posts in this topic

I save results of show original.

I forward it to my special addy to spamcop.

I get back [spamCop] has accepted 1 email for processing.

I click on the link.

Browser opens a page.

It shows the header as having been changed.

I click on view entire message.

It's what I sent you - unchanged.

Can't very well send that, now can I !!!???

I use gmail in browser.

Share this post


Link to post
Share on other sites

I don't know. I just did a submit on two spam, when I followed the links, the brief and full spam seemed to agree, and had my email address replaced with <x> as it should be.

I did notice that there seemed to be a bit of a refresh, issue but when I clicked to send the report, and then looked at the sent report all looks well.

Share this post


Link to post
Share on other sites

I can assure you reports are going out with the addresses munged. The same bug that is causing html tags to be converted to ascii is causing addresses to be displayed when you look at the message in your browser. However the report that goes out is sent correctly:

User-targeted report, see notes, if any.
https://www.spamcop.net/w3m?i=z6zzz004zfdd2e5bb2b90188260669f94dbxxx

[ Offending message ]
Return-Path: <wegwuag[at]pizda.ninka.net>
Delivered-To: <x>
Received: from vmx5.spamcop.net
by prod-sc-queue2.sv4.ironport.com (Dovecot) with LMTP id OomQJealClfyYgAA97r88g
for <x>; Sun, 10 Apr 2016 12:14:14 -0700
Received: from pizda.ninka.net (unknown [101.71.197.33])
by vmx5.spamcop.net (Postfix) with ESMTP id 0DBBBED2FE
for <x>; Sun, 10 Apr 2016 12:14:06 -0700 (PDT)
Received: from axu (unknown [140.165.46.118])
by pizda.ninka.net with SMTP id mwaAOpRAeo7IlIZv.1
for <x>; Mon, 11 Apr 2016 03:14:06 +0800
Message-ID: <2016____________5127[at]pizda.ninka.net>
From: =?utf-8?B?54eV5oC7?= <wegwuag[at]pizda.ninka.net>
To: <x>
Subject: =?utf-8?B?5pyA5paw5Ye65Y+w55qE5paw5Yqz5Yqo5ZCI5ZCM5rOV?=
Date: Mon, 11 Apr 2016 03:14:00 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0E7B_011A47D6.17D6E4E0"
X-mailer: Rnnxeyfsyy 3

Richard

Share this post


Link to post
Share on other sites

I don't know. I just did a submit on two spam, when I followed the links, the brief and full spam seemed to agree, and had my email address replaced with <x> as it should be.

I did notice that there seemed to be a bit of a refresh, issue but when I clicked to send the report, and then looked at the sent report all looks well.

I don't believe you can really see what is actually being sent.

Not a problem - I'll just remember to mung it all before I submit it. Just spoiled/used to having spamcop do it.

Share this post


Link to post
Share on other sites

As I had stated and shown, reports are going out with the addresses munged. If I suspected there was an issue I would have been the first to make the call to flip the switch on SpamCop until the problem is resolved.

There is an issue with the html rendering and display on the SpamCop pages, where mark up language is being shown instead of tag characters causing the display to not show the tags properly, outgoing reports are being interpreted properly and user addresses are munged. I'm working with our development team to get this resolved.

Richard

Share this post


Link to post
Share on other sites

I've noticed when I look at the draft report that I'm still identifiable -- the [x] thing is working in the headers, but down in the text of the quoted spam there will be a clear text copy of the address the spam was sent to  (almost always my userid[at]spamcop.net, ironically) -- usually in a fake "unsubscribe" line.  

There are also what I suspect may be unique strings to identify who the spam was sent to, though I'm just guessing on those.

Is there any preference whether I just omit that stuff or [x] it out?  It's tedious.

Share this post


Link to post
Share on other sites

yeah, when I first noticed that change a few weeks back I have taken to editing them all to x just as a matter of course.  Takes me about 30 extra seconds.  I am now down to 8/month (gmail spam auto deletes after 30 days).  YAY SPAMCOP!!!

 

:D

Edited by kris

Share this post


Link to post
Share on other sites

I'm getting a flood of more spam after having been seriously reporting for a week straight, I think because of the email addresses in the body of the spam.

For example:

--------excerpt follows---------
Reference: 126928844

Please note that this message was sent to the following e-mail address: =
hank[at]spamcop.net ...

... Dear customers, spamcop.net recommends =
our new project ...

...

Please note that this message was sent to the following e-mail address: =
<font color=3D"blue">hank[at]spamcop.net</font><br>
Please do not reply to this =


-------end excerpt---------

(I don't know if the "Reference" is their key to my email address, but maybe.

-------

It would be a kindness if Spamcop Reporting could be tweaked to find _all_ instances of the email address, in addition to those in the official headers.

Now that I've started searching each by hand, I'm hoping the reports will be less useful to the spammers for listwashing, which is the main point of doing this.  I could just delete the crap in way less time than it takes to report it.  But it's good to report.

Share this post


Link to post
Share on other sites
3 minutes ago, hank said:

I'm getting a flood of more spam after having been seriously reporting for a week straight, I think because of the email addresses in the body of the spam.

That would certainly do it, imho.

Share this post


Link to post
Share on other sites

Today when I check the drafts, the "x" is being  properly substituted for my email address down at the bottom of the spam, where they give a fake "unsubscribe" link.  

Seems someone fixed this.  Thank you.

Share this post


Link to post
Share on other sites

PS, the spammers are quick.

In today's spam from the same sites, near as I can tell, the "unsubscribe" link that formerly went through reporting with my email in it (thank you whoever fixed that at Spamcop yesterday) now has 

(don't click this)

You can <a href="http.\\ipaem, com/6UvEa5">update your preferences or unsubscribe from this list</a>


which Sophos Mac detects as a site serving malware:

_________________________
High Risk Website Blocked

    Location:  [http xed out to break the link] cabselectra, com \cgi
    Access has been blocked as the threat has been found on this website.

----------------------------------

 

Share this post


Link to post
Share on other sites

To avoid you adding links to spammer's website, that the search engines that scan this forum all the time, it is better, more informative, to include the Tracking URL, not the spam in part or whole.

I edited you post remove links that search engines would find.

Share this post


Link to post
Share on other sites

Not sure which "you" Lking refers to.

 

I get a "spam report id" number -- where do I find the "Tracking URL"?

Share this post


Link to post
Share on other sites

Oh, ok, I get the Tracking URL when I select the checkbox to see more details, it appears at the top before I actually send the report.

 

Share this post


Link to post
Share on other sites

I can make a new thread for this if that's more appropriate, but it's related.

Now that all the userid[at]spamcop addresses are being Xed out of the fake unsubscribe lines in reporting, I notice that the spam (and the reports) have what looks like a different unique code for "unsubscribe" -- maybe it's just another malware trap, maybe it's a real tracking code, can I tell somehow?

Two examples from the 2 latest spams -- this is how they are both in the original and in the report as viewed before submitting it:

You can ....earthgi.com/LQ2iK3 update your preferences or unsubscribe from this list

You can ... bracecodes.com/ZFbiP8 update your preferences or unsubscribe from this list
 

(is it ok to post even that much?

I'm guessing I ought to be making sure these don't go into the report -- advice welcome.
I know the more tiresome they can make it to do reports, the happier the spammers are.

 

Share this post


Link to post
Share on other sites

OK, spammers got clever fast -- today's has this email that got through Spamcop -- as usual down at the bottom of the report.

They've hidden it by slightly changing the email - they put "3D" in front of my Spamcop userid.

Here, I've changed my userid to [xyz] to show you what they did:

<center><div><a href=3D"http://www.drek673.com/unsubscribe.php?remove=3D[xyz][at]spamcop.net">Click here</a> to unsubscribe from future mailings.</div><a =
href=3D"http://www.drek673.com/spam-notification.php?report=3D[xyz][at]spamcop.=
net">Click here to report this email</a></center>

 

QUESTION --- I don't want to submit this report with my email address in it, obviously.

On the DRAFT report:  Here is your TRACKING URL - it may be saved for future reference:
https://www.spamcop.net/sc?id=z6234062813zf95d9149a5effb6c2b9e202308e0ad4az
I cancelled that report -- anyone at Spamcop can still find that TRACKING URL, I confirmed it still exists.
What the spammers are doing is mixing a few characters into the beginning of the email, so Spamcop won't find it and [x] it out, I think.

Edited by hank
confirmed tracking ID survives cancelling report

Share this post


Link to post
Share on other sites

A new way spam is preserving email addresses in reports -- watch out, got to review every single report -- this spam report would have sent my -forwarding_ address to the spammer   (here I've replaced my forwarding userid with [xyz] and I cancelled the report, edited the original and resubmitted it)

Received: from n.mx.sonic.net (b.spam-proxy.sonic.net [69.12.208.80])
    by b.spam.sonic.net (8.14.4/8.14.4) with ESMTP id u41GKvJh016768
    (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT)
    for &lt;[xyz][at]lds.[xyz].net&gt;; Sun, 1 May 2016 09:20:57 -0700
Received: from esa1.spamcop.iphmx.com (esa1.spamcop.iphmx.com [68.232.142.20])
    by n.mx.sonic.net (8.14.9/8.14.9) with ESMTP id u41GKuAA022012
    for &lt;[xyz][at][xyz].net&gt;; Sun, 1 May 2016 09:20:57 -0700
Message-Id: &lt;973054$98n44[at]esa1.spamcop.iphmx.com&gt;

 

 

Share this post


Link to post
Share on other sites

yes +1 !!!  I have become a firm believer in "take a minute and edit/check the entirety of spam for my/any email, and the part before the [at] as well "!

 

I mung everything I find and do not rely on spamcop to mung it - it's enough that they report it!!!

Edited by kris

Share this post


Link to post
Share on other sites

What's sad is, almost _all_ the spam I get now is forwarded from Spamcop.  So the listwashing and email harvesting is happening almost entirely because of my reporting containing these identifiers.

All my other ISPs use one or more filters.

I get one or two junk/spam items a week from all of the rest, and five or six a day via Spamcop.

So tempting just to quit  using the Spamcop address -- though there are several hundred sites out there I'll have to change, as I was a paying mail customer for years back when Spamcop was the most reliable filtering service available.

Nothing stays the same ....

Share this post


Link to post
Share on other sites

I don't understand - i get no spam from spamcop.

Share this post


Link to post
Share on other sites
31 minutes ago, hank said:

What's sad is, almost _all_ the spam I get now is forwarded from Spamcop.  So the listwashing and email harvesting is happening almost entirely because of my reporting containing these identifiers.

All my other ISPs use one or more filters.

Without rehashing other post during the last 48hrs, and the history of the SpamCop mail service (which was/is separate from the reporting system), you are correct the email forwarded by spamcop.net does not filter the forwarded email. It does forward everything.

For a full history see SpamCop Email System & Accounts Those who have a <x>[at]spamcop.net email account had an account when the changes were made over a year ago (Oct 2014?).

As has been reiterated in other resent threads, the email forwarding has been continued as a service to those who had been using the email service. Looking at the "SpamCop Email System & Accounts" forum referenced above, many people had/have, intricate webs of email addresses and forwarding to unwind. The service has been continued, without revenue, as a service to those long time users.

Share this post


Link to post
Share on other sites

ah, yes, I never used spamcop's pop. sorry.

Share this post


Link to post
Share on other sites

OK, I didn't get a "Tracking URL" for the report that would have sent the forwarding email to the spammer, because I cancelled it.

I have    Reportid: 6451831003 To: cancelled[at]devnull.spamcop.net   but I understand you can't see those.

Next time I see the forwarding email included in the draft report, I'll try again to figure out how to keep the Tracking URL when I am cancelling the report.

Doing my best here.  I believe the spammers figured out that Spamcop just forwards and are really hammering on the site knowing their spam will be forwarded.

At least I sure started getting a lot more of it in the past few months.

I'm working through changing email at all the sites where I registered with my Spamcop email address.  Those several hundred go back to the 1200 baud days.  Once they're changed I can delete the reporting account or change the email for it or whatever makes sense.

Edited by hank

Share this post


Link to post
Share on other sites

oh I get a lot of devnull's - sometimes they are all devnull's for a particular piece of spam. I report back to spamcop anyway ("submit")!  EDIT: there is never any point in hammering the poor soul whose web page was used by the spammer!  Spamcop does this correctly imho.

Edited by kris

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now