kris

no longer changing my email in headers to x


> a lot of devnulls

I get those too -- those are when there's no place willing to accept reports (like "hetzner").

What I'm pointing to, in case it's readable by the admin, is different --  a draft report that I cancelled because it contained my forwarding email address.

That shows up in the past reports list as Reportid: 6451831003 To: cancelled[at]devnull.spamcop.net

 

(and to repeat, I realize I should've backed up and gotten the Tracking number before cancelling, and next time I see draft reports that are sending out my forwarding address, I'll bring it up).

 

Beaten this to death for now I think.   I'll just check every single draft report carefully and [xyz] anything that might be a unique identifier


:)


Kris, Submitting spam does two things: 1) submitting a spam, even with all reports devnulled, feeds the SpamCop Block list. 2) When a valid reporting address can be found, etc., a report is sent, else it is sent to devnull for record keeping.

4 hours ago, Lking said:

> Kris, Submitting spam does two things: 1) submitting a spam, even with all reports devnulled, feeds the SpamCop Block list. 2) When a valid reporting address can be found, etc., a report is sent, else it is sent to devnull for record keeping.

yep, thanks :)


Would y'all rather I created a fresh thread for email not being removed from reports in places other than headers?  Say so if I should.

Else since it's been included here I'll continue.

Here's today's:

Tracking ID:    https://www.spamcop.net/sc?id=z6234427278z1b3fcc4c9293122ea7f86c494cba85e0z

Identification in what would have been the report (I cancelled and will edit this out before resubmitting)

href=3D"http:⁄⁄www.drek673.com/unsubscribe.php?remove=3Dhan=
k[at]spamcop.net">Click here</a> to unsubscribe from future mailings.</div><a =
href=3D"http:⁄⁄www.drek673.com/spam-notification.php?report=3Dhank[at]spamcop.=
net">Click here to report this email

--------------

Questionable:  any clue whether this is also a unique identifier?

href=3D"http:⁄⁄www.drek673.com/mA7H9a"

 


I've said it before and I'll say it again - you have to check for and mung email addys in headers and body, and also check for and mung the part before the [at] ,  ie if your addy is xyz[at]gmail.com - look for the addy, but then look for "xyz".  Mung it.  They are desperate to know who's responding.

 

I also check it when I am reporting to make sure I don't find it in "view full message"

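The check described in the post above (look for the full address, then for the part before the @, in headers and body), as an added example that is not part of the thread and not SpamCop's code. It decodes a quoted-printable body first, because a soft line break (`=` at end of line) can split the address the way it does in the unsubscribe link quoted earlier; the sample message, the address `reporter7@example.net` and the function name `munge_report` are constructed for illustration.

```python
import quopri
import re

def munge_report(raw, address, mask="x"):
    """Return (munged text for review, list of hits) for one raw e-mail."""
    local, _, domain = address.partition("@")
    head, sep, body = raw.partition("\n\n")
    # Quoted-printable soft breaks ("=\n") can split an address across lines,
    # so decode the body before searching when the headers declare QP.
    if re.search(r"(?im)^content-transfer-encoding:\s*quoted-printable", head):
        body = quopri.decodestring(body.encode()).decode("utf-8", "replace")
    # Full address, with the "@" literal or URL-encoded as %40.
    full = re.compile(re.escape(local) + "(?:@|%40)" + re.escape(domain), re.I)
    # Local part on its own, but not inside a longer word or number.
    bare = re.compile(
        r"(?<![A-Za-z0-9])" + re.escape(local) + r"(?![A-Za-z0-9])", re.I)
    hits = []

    def scrub(text, where):
        for label, pattern in (("address", full), ("local part", bare)):
            text, count = pattern.subn(mask, text)
            if count:
                hits.append(f"{where}: {label} ({count})")
        return text

    # The returned body is the decoded text, meant for checking a draft report.
    return scrub(head, "headers") + sep + scrub(body, "body"), hits

# Constructed sample: forged Return-Path, same local part at another domain
# in From, and an unsubscribe link whose address is split by a QP soft break.
SAMPLE = (
    "Return-Path: <reporter7@example.net>\n"
    "From: reporter7@mail.example\n"
    "To: reporter7@example.net\n"
    "Content-Transfer-Encoding: quoted-printable\n"
    "\n"
    '<a href=3D"http://spam.example/unsubscribe.php?remove=3Drepor=\n'
    'ter7@example.net">Click here</a> thanks, reporter789\n'
)

if __name__ == "__main__":
    text, found = munge_report(SAMPLE, "reporter7@example.net")
    print("\n".join(found))
    print(text)
```

A plain text search of the raw message would miss the split address in the body; only the decoded view shows it.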

Today's wrinkle -- my Spamcop address forged

in Return-Path and From header lines,

and those both survive the reporting process:

https://www.spamcop.net/sc?id=z6235240134ze67bebd7069f6a1ac1b102b832bdca3bz

Is this the right way to notify Spamcop's programmers to check for this and deal with it in reports?

If I edit it out of the submitted spam, how will Spamcop know they're doing this?

I assume it's yet another trick for listwashing/validating the email

Edited by hank


I've received spam in the past which forges my email address in the return path and from headers. For regular users of an email service, there's probably not a lot that can be done. What the bad guys put in header fields that potentially identify the origin of their mail is largely out of the control of legitimate users of that resource; this is one reason configuring "Mailhosts" for your Spamcop reporting account is important.

When I was running my own server a few years back, I made sure that I had SPF and other similar DNS records set up, which had a small degree of success when the recipient's email system was configured to use them. Another check I sometimes did was if the "From" address matched the "To" address, which relies on me not being in the habit of sending mail to myself.


Hank, have you checked your mailhost settings?  The reason I ask is because today I do not see the same issue.

Because you Canx the reports we can not see the spam or the reports. If I said we could I guess I was wrong.

Forging your email into the FROM: Reply-to: and/or Return-Path: are old spammer tricks to try to get the spam past simple filters.


> we can not see the spam or report

I can still see it, in the past report view.  Would it help if I give you the reportid number?

Ah, I can resubmit from the copy there, though it's not exactly the original.  If it helps, here ya go:
https://www.spamcop.net/sc?id=z6235271988zc4e90e71d575033074e5c7c3c4632b64z
 

Yes, I've checked my mail hosts, I went through the instructions to set them all and double checked.

But if you see a problem please let me know.

Next time I see something weird, I will leave the report open, not sent, not cancelled, and post the tracking number.

 

Edited by hank


Hank, Going back to your previous post ( > we can not see the spam or report ), some clarification seems to be in order.

  • You as the reporter, have access to data that the rest of us do not.
  • A Report id is only of value to you because it is tied to your reporting account.  For example 6454372356 a report I send, does not lead you to a report.
  • Your comment "if you see a problem" leads me to believe that you have a misunderstanding. This forum is a place for users to try to assist other users with issues reporting spam while using the SpamCop tool(s). As a peer-to-peer forum, no one here has unusual access to the SpamCop database or what is going on behind the scenes.
  • Your last example reinforces my earlier question "Is spamcop.net included in the paths listed in your mailhost?" 

Have you tried dropping an email to "deputies AT admin DOT spamcop DOT net"


Yes, Spamcop as a mailhost was entered following the instructions as required, it is the first mail host I listed, before adding the other email providers I use. 

Under Mailhost name:  SpamCop  I have "spamcop.net" as one of approximately 50 different "Hosts/Domains" listed in the pulldown list.

I have verified, again today as you asked.  Yes, it's listed.  I'm happy to double-check anything and everything, seriously.

EDIT

I have emailed as you suggested.

Thank you.

Edited by hank


PS, Richard, can you verify whether or not your comment applies to what I'm seeing?  Can you verify that what we're seeing isn't actually being sent out?

If so I'll quit asking about it.  I just haven't figured out how what you're describing could apply to what I'm (not) seeing.

> There is an issue with the html rendering and display on the SpamCop pages, where mark up language is being shown instead of tag characters causing the display to not show the tags properly, outgoing reports are being interpreted properly and user addresses are munged. I'm working with our development team to get this resolved.
>
> Richard

 


I'll file a bug report on the exact matches as those should be munged.  I can't say whether the address is being munged in the delivered report or not.  In the ones I checked in the past, they were munged.  This looks to be a different situation though.  The only real way of checking is to send yourself a report and see what you get.

I can't really make an argument on munging the from address where it is not an exact match with the recipient address though.  sameLHS [at]gmail.com is not a match with the address the spam was sent to. 

If it's any consolation, this does look to be gamut spam, so the reports are not going back to the spammer/bot operator.  But it is a door we need to get closed again.

Richard


Thank you Richard.

>  The only real way of checking is to
>  send yourself a report and see what you get.

OK.  Is that something that should be obvious how to do, without accidentally tagging myself as a spammer by mistake?

1 hour ago, hank said:

> OK.  Is that something that should be obvious how to do, without accidentally tagging myself as a spammer by mistake?

Sending yourself a copy of the report will not get you tagged. For example, when copies of a spam report are sent to an upstream node, the node is not flagged as a spammer. Before clicking the Send reports button, add your address to AND click the box to send reports.

Edit: I have misspoken. I do not see how to add a report. Looked at both submit[at] and webpage submission. ???


Yeah, I've learned never to tell anybody anything relying on my own memory.

Stuff changes too fast, I have to try everything myself and make sure it works as I expect.

Which is why I'm here, of course.

____________

What's "gamut spam"?   I haven't found that defined, searched for a while.
____________

 


OK, I just sent myself 2 reports -- it's the bottom blank box under the other reports, and when I type a (throwaway) email address in there, the box automatically checks.  The report shows up in email.

Confirmed -- the "From" header line is not being Xed out, in the examples for which I've left reports unsent and tracking numbers in replies above.

Whatever they're doing, it works.

Next test will be testing the "Unsubscribe" and "Report" links at the bottom of some spams.
