kris

no longer changing my email in headers to x

91 posts in this topic

Different trick for identifying the reporter -- this was mentioned previously -- putting the email name into the text/HTML of the spam, which escapes SpamCop's munging.

Here I've saved the report and Tracking ID:

https://www.spamcop.net/sc?id=z6236844858z3d5106ac10e29667b71893b01da1f0c8z

________________

EXAMPLE FOLLOWS, this is the pattern:

----------------------------
Good evening hank,

As promised, I have attached the spreadsheet...

<p>Good evening hank,</p>
<p><br>As promised, I have att


https://www.spamcop.net/sc?id=z6236973560z5b1aa3607bf05dd2af67a459dd3f3a38z

 

"From:" line contains userid after report is created (not submitted, not deleted)

 

Anyone know how long I should keep the unreported spam available by tracking number?

It can't be reported after 3 days, and there's no easy way I can find to decide which unreported spam to delete.

But I don't want to delete it all until I know the deputies or whoever has actually gotten use out of looking at it.


Here's one where the SpamCop report munged one email and left the other readable.

As usual not reported, not cancelled, tracking ID left for whoever is looking into this.

And please if anyone is, let me know when someone DID look so I can delete the unreported spam as it's building up.


https://www.spamcop.net/sc?id=z6237794345z48e0a86c6d732b15a00973a6b762fe70z

ORIGINAL:
a href=3D"http://www.yu333.us/unsubscribe.php?remove=3Dhank[at]s=
pamcop.net">Click here</a> to unsubscribe from future mailings.</div><a hre=
f=3D"http://www.yu333.us/spam-notification.php?report=3Dhank[at]spamcop.net">C=
lick here to report this email</a></center>

 

REPORT DRAFT:
<a href=3D"http://www.yu333.us/unsubscribe.php?remove=3Dhank[at]s=
pamcop.net">Click here</a> to unsubscribe from future mailings.</div><a hre=
f=3D"http://www.yu333.us/spam-notification.php?report=3Dx">C=
lick here to report this email</a></center>

 


Hm, how long has SpamCop been sending spammers my (fixed) IP address in reports?

One more thing to look for and delete manually, I just noticed it's included in the report:
https://www.spamcop.net/sc?id=z6237797426z1f52d394025a5d6f6bc40e906872f878z

 

Hello?

They didn't have my IP number before SpamCop inserted it.  This is really wrong.

I've changed some numerals to "n" in the quote:

Quote

  (Recipient:abuse[at]vnn.vn)
Received: from [7n.1nn.5n.nnn] by spamcop.net
    with HTTP; Tue, 10 May 2016 15:02:21 GMT
From: "hr" <preview[at]reports.spamcop.net>

 

You might as well send them my name and address.
 

 


Well dang.  I can't even edit that IP address OUT because it's not in the material I submit.

It's added by the report editor.

 

I'm done reporting for now, I've given the spammers enough free help.

Please, SpamCop person whoever you are, if you read this, email me when this is fixed.

You know how to reach me.


grumble. Ok, my ISP can somewhat hide my IP address details, so it only points to them.  I'll keep reporting.


Things may have changed.

Quote

  
If you don't want to hear from me again, please [let me know](http://infinite-
stream-5194.herokuapp.com/optout?m=mmm_0rWd57&email=x).![](http

This quote was from down in the body of the spam. Note that at the end where "email=x" was changed from my email.

Tracking URL for the full spam.  It has taken a while for me to get an example with my email down in the body.

I do not forward my email so don't have an example where there is something like myemail[at]domain forwarded to different_email[at]domain2 and needing to have both emails munged.

On 06/05/2016 at 1:41 AM, hank said:

Another with the "From:" line not munged. Report left unsent and not cancelled

https://www.spamcop.net/sc?id=z6236417442zde669a800ba4e5cebe115aa6e3c42803z

Same for me. The "To:" line is munged, the "From:" line isn't

https://www.spamcop.net/sc?id=z6238600290z8a3ceb605e34f0f96f792cf993fa0922z

 

This is bad because To=From is common in spam


Latest workaround spammers are using to identify reporter

-- last few days, dozen or so of these --

putting the userid in the text after the word "hello"

and the reports sent include that unless it's manually munged

(they know the ISP (spamcop.net, always))

I've substituted "xyz" for the userid here:

-----quote----

hello xyz

Attached please find the bills report for your review
Thank you.

 

Regards,

Elsie Dillard

--b2_e8ef25037e5946057173021e051ecfa5
Content-Type: text/html; charset = "iso-8859-1"
Content-Transfer-Encoding: 8bit

<html>

<body>

<p>hello xyz</p>

 

-----end quote-----


Does anyone know if the bug reports submitted are readable by us ordinary users?

Any way to know if they do or don't need further information about spam that fits patterns revealing the reporter email?

Another that doesn't mung the "From:" line

with "From:" and "To:" exactly the same and both using spamcop.net address:


https://www.spamcop.net/sc?id=z6239248459z8b6d5e3fc80574051dbe0c0f85073f3dz


No, bug reports are not readable by ordinary users, or spammers who could use the information to get around the system or know if their "new" trick is working.

If the software team needs more information, they will ask, I am sure.


Another way of hiding the reporter's name -- use an equals sign instead of [at] in the address.

This survives automatic report generation:

[ Offending message ]
Return-Path: <bounce+e5f758.0c42fe-xyz=spamcop.net[at]vip6.unicef.org.uk>

 


Another:

https://www.spamcop.net/sc?id=z6241035604z6be0c779a7578733fbc021a60947f30fz

has the userid "hank" visible in these three ways that survived the spam report:

...   for <x>; Wed, 18 May 2016 20:30:47 +0000 (UTC)

Received: by mail.hank.local (Postfix, from userid 47)
...

Message-Id: <2016_________________9191[at]mail.hank.local>

Hey hank,

I hope you're doing well. I've attached the latest draft of my proposal.
 


Yet another trick, these lines put my SpamCop userid into text and into the filename of the attached malware.
Those survived the standard report generation process.  I didn't bother to save the unused report, just cancelled.

Getting bored.

I've replaced my userid with zyx here:

_______________

Dear zyx,
Please find attached ...
Content-Disposition: attachment; filename="zyx_copies_024E63B6.zip"


Another spam that persists in reporting the reporter ID;
This is spam that was sent to my userid[at]spamcop.net
https://www.spamcop.net/sc?id=z6242871145z885a7f12b161ef2fbbe852769ec0092fz

Here's another like that -- this one with the header lines showing the problem

My userid is replaced with [xyz]  in these lines, which survived the report creation process

https://www.spamcop.net/sc?id=z6242868586z13a46e7ee780e6f58c31f0f2dc667d8bz


Received: by mail.[xyz].local (Postfix, from userid 178)
    id 47CF35A70E; Mon, 23 May 2016 14:11:14 -0500
To: x
Subject: Re:
From: "Glenna Pittman" <PittmanGlenna60712[at]fixed-188-64-187-188-64-214.iusacell.net>
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="------------61dfaf14bd74a877ee8ad9abc12c6411"
Message-Id: <2016_________________A70E[at]mail.[xyz].local>


And another example (I put [xyz] in to replace my SpamCop email userid, which was in the "From:" line as it survived generation of the report)
https://www.spamcop.net/sc?id=z6242904508zd98b3e3be9b19503666f86c0ea797966z

 

I don't know if there's been a bug submitted on this problem, or if these posts are of any use figuring out how to fix the reporting system.

 

---------

Received: from 187.252.220.241.cable.dyn.cableonline.com.mx (unknown [187.252.220.241])
    by vmx5.spamcop.net (Postfix) with ESMTP id 23D3AAF548
    for <x>; Mon, 23 May 2016 23:16:15 +0000 (UTC)
Message-ID: <E513________________________E513[at]4VGEY91W>
From: <[xyz][at]spamcop.net>
To: <x>
Subject: want hot night?



https://www.spamcop.net/sc?id=z6243273964z9d03e8cc30c1d427c36d8e4483f3f308z

 

shows spamcop userid persists through the report creation -- looks like the same old bug already reported but I can't be sure, so here's another

 

Spamcop userid replaced with xyz here:

 

<center><div><a href=3D"http://www.yu333.us/unsubscribe.php?remove=3Dxyz[at]s=
pamcop.net">Click here</a> to unsubscribe from future mailings.</div><a hre=
f=3D"http://www.yu333.us/spam-notification.php?report=3Dxyz[at]spamcop.net">C=
lick here to report this email</a></center>

 

 


and another using the method of hiding the Spamcop userid in the text and the "mail local" line.

xyz replaces my userid below -- report generator fails to catch this.


https://www.spamcop.net/sc?id=z6243293529zcbdb13fa286bd654d0b363a94e9bd77dz

for <x>; Tue, 24 May 2016 05:57:58 -0700 (PDT)
Received: by mail.xyz.local (Postfix, from userid 725)
    id F3E45993A1; Tue, 24 May 2016 14:57:57 +0200
To: x
Subject: Re:
From: "Latoya Hurst" <HurstLatoya05712[at]oudomxay.info>
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="------------d5ad171edbbcd3226f1e8a25f7a4e7c2"
Message-Id: <2016_________________93A1[at]mail.hank.local>
Date: Tue, 24 May 2016 14:57:57 +0200
X-Orthrus: tar=0 grey=no co=US os=//2 spf=neutral dkim=none

--------------d5ad171edbbcd3226f1e8a25f7a4e7c2
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit

Dear xyz,

 


More and different header lines not obscuring the SpamCop userid used for reporting (which should be obfuscated)

my SpamCop userid replaced by [xyz] below:

Content-Type: application/octet-stream; name="weekly_[xyz].zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="weekly_[xyz].zip"


https://www.spamcop.net/sc?id=z6243876841z56561e6d8adf9678204e3946d6746192z

and

 

https://www.spamcop.net/sc?id=z6243877461zbde869030775463341aaf6a36bd109e6z

I'd sure like to know if anyone reading this can do anything with the information, or if it's just me here.

Why bother?  Tell me.

Edited by hank
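
A pre-send check for the leak patterns collected in this thread, as an added example that is not part of any post above and is not SpamCop's code: it scans a report draft for the reporter's userid after rejoining quoted-printable soft line breaks (in the yu333.us example above, the address left readable is the one split across such a break). The userid `rptr`, the `example.net` and `example.org` names, the function names and the sample draft are all constructed for illustration.

```python
import re

def unfold_qp(text):
    """Rejoin quoted-printable soft line breaks and decode =3D to '='."""
    return re.sub(r"=3[Dd]", "=", re.sub(r"=\r?\n", "", text))

def find_reporter_leaks(draft, userid, domain):
    """Return sorted (category, line) pairs where the userid is still readable."""
    u, d = re.escape(userid), re.escape(domain)
    # Userid as a token: not glued to other letters/digits, so "_", ".", "=" count as edges.
    token = re.compile(rf"(?<![A-Za-z0-9]){u}(?![A-Za-z0-9])", re.I)
    rules = [
        ("address", re.compile(rf"{u}@{d}", re.I)),
        ("verp-equals", re.compile(rf"{u}={d}", re.I)),       # user=domain in Return-Path
        ("filename", re.compile(rf'name="[^"]*{u}', re.I)),   # attachment named after userid
        ("header-host", re.compile(rf"^(Received|Message-Id):.*{u}", re.I)),
    ]
    leaks = set()
    for line in unfold_qp(draft).splitlines():
        if token.search(line):
            category = next((n for n, rx in rules if rx.search(line)), "body-text")
            leaks.add((category, line.strip()))
    return sorted(leaks)

# Constructed draft modelled on the patterns posted above; "x" marks what was already munged.
SAMPLE_DRAFT = """Return-Path: <bounce+e5f758-rptr=example.net@bulk.example.org>
Received: by mail.rptr.local (Postfix, from userid 47)
To: x
From: <x>
Message-Id: <2016A70E@mail.rptr.local>
Content-Transfer-Encoding: quoted-printable

<p>hello rptr</p>
<a href=3D"http://bulk.example.org/unsub?remove=3Drptr@exa=
mple.net">Click here</a> <a href=3D"http://bulk.example.org/r?report=3Dx">x</a>
Content-Disposition: attachment; filename="weekly_rptr.zip"
"""

if __name__ == "__main__":
    for category, line in find_reporter_leaks(SAMPLE_DRAFT, "rptr", "example.net"):
        print(f"{category:12} {line}")
```

Every line it returns is one that would still need manual munging before the report is sent.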
