RadicalDad

Spamcop no longer works with Outlook/Exchange

9 posts in this topic

Sometime about a year ago, I complained on these forums that Spamcop has become all but useless when using Outlook on an Exchange server. The spam report ALWAYS comes back pointing to my own email server, even when a cursory look shows the obvious source of the spam. I've all but stopped reporting on Spamcop for this reason. Someone suggested on that ancient thread that I post a sample for folks to look at. OK, here one is. Note also that Spamcop misses the bogus hyperlink ("Click here!"), not doing any reporting at all on the bogus web host. Are the lights still on here?

Message header:

Received: from MBX01D-ORD1.mex09.mlsrvr.com (172.29.128.27) by
 MBX01A-IAD3.mex09.mlsrvr.com (172.29.64.20) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id
 15.1.544.27 via Mailbox Transport; Wed, 15 Feb 2017 20:56:00 -0500
Received: from MBX05C-ORD1.mex09.mlsrvr.com (172.29.128.24) by
 MBX01D-ORD1.mex09.mlsrvr.com (172.29.128.27) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id
 15.1.544.27; Wed, 15 Feb 2017 19:56:00 -0600
Received: from gate.forward.smtp.iad3a.emailsrvr.com (204.232.172.40) by
 MBX05C-ORD1.mex09.mlsrvr.com (172.29.128.24) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id
 15.1.544.27 via Frontend Transport; Wed, 15 Feb 2017 19:55:59 -0600
Return-Path: liysc25@nottingham.ac.uk
X-spam-Threshold: 95
X-spam-Score: 0
X-spam-Flag: NO
X-Virus-Scanned: OK
X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-13735-c
X-CMAE-Scan-Result: 0
X-CNFS-Analysis: v=2.2 cv=QPAqfUDL c=1 sm=1 tr=0 a=wMuiOM+aJX97FqABAv1gmw==:117 a=wMuiOM+aJX97FqABAv1gmw==:17 a=n2v9WMKugxEA:10 a=KXl77lDgDEgIEtoqJYcA:9 a=jMgyydZaAAAA:8 a=TMeMXT5H6L7W2mJr2DcA:9 a=wPNLvfGTeEIA:10 a=zOPv43MEAAAA:8 a=jt-rlJBq7EhYDvrx:21 a=_W_S_7VecoQA:10 a=H_FcBddkztAA:10 a=-FEs8UIgK8oA:10 a=NWVoK91CQyQA:10 a=sRwWbsoZOIyncXQJl99K:22 a=jKBK-nmJ8lQYDYSZPBHD:22
X-Orig-To: XXX
X-Originating-Ip: [128.243.43.129]
Authentication-Results: smtp27.gate.iad3a.rsapps.net; iprev=pass policy.iprev="128.243.43.129"; spf=pass smtp.mailfrom="liysc25@nottingham.ac.uk" smtp.helo="uidappmx06.nottingham.ac.uk"; dkim=none (message not signed) header.d=none
X-Classification-ID: 0fa97262-f3eb-11e6-9265-782bcb33f754-1-1
Received: from [128.243.43.129] ([128.243.43.129:52055] helo=uidappmx06.nottingham.ac.uk)
 by smtp27.gate.iad3a.rsapps.net (envelope-from <liysc25@nottingham.ac.uk>)
 (ecelerity 4.2.1.56364 r(Core:4.2.1.14)) with ESMTP
 id F6/CD-22337-EA605A85; Wed, 15 Feb 2017 20:55:59 -0500
Received: from uidappmx06.nottingham.ac.uk (localhost.localdomain [127.0.0.1])
 by localhost (Email Security Appliance) with SMTP id 752592DF798_8A506AEB
 for <XXX>; Thu, 16 Feb 2017 01:55:58 +0000 (GMT)
Received: from smtp4.nottingham.ac.uk (smtp4.nottingham.ac.uk [128.243.220.65])
 by uidappmx06.nottingham.ac.uk (Sophos Email Appliance) with ESMTP id 603AD2D2135_8A506AEF
 for <XXX>; Thu, 16 Feb 2017 01:55:58 +0000 (GMT)
Received: from [130.65.254.18] (helo=DESKTOP-55DHA5K.sjsu.edu)
 by smtp4.nottingham.ac.uk with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256)
 (Exim 4.85)
 (envelope-from <liysc25@nottingham.ac.uk>)
 id 1ceBFz-0002mF-Az
 for XXX; Thu, 16 Feb 2017 01:53:16 +0000
Content-Type: multipart/alternative; boundary="===============1385527312=="
MIME-Version: 1.0
Subject: A document folder is shared with you!
To: <XXX{AT}blk-ink.com>
From: "   '' Dropbox Support ''  " <XXX{AT}dropbox3665.com>
Date: Wed, 15 Feb 2017 17:53:12 -0800
Message-ID: <E1ceBFz-0002mF-Az@smtp4.nottingham.ac.uk>
Sender: <liysc25@nottingham.ac.uk>
X-MS-Exchange-Organization-Network-Message-Id: d19fd38f-f441-4628-3ea4-08d4560ef49e
X-MS-Exchange-Organization-AVStamp-Mailbox: SMEXyGDz;1322100;0;This mail has
 been scanned by Trend Micro ScanMail for Microsoft Exchange;
X-MS-Exchange-Organization-SCL: 0
X-MS-Exchange-Organization-AuthSource: MBX05C-ORD1.mex09.mlsrvr.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Transport-EndToEndLatency: 00:00:01.0240672

Message body:

Hello,

Someone shared a folder with you on Dropbox.

Click here to view documents.

Dropbox Support.

Happy sharing!

NB: This message is sent to XXX




Have you looked at the second pinned topic "Outlook received header problem" in the list above?

Outlook now routinely rearranges the header lines when forwarding, so if you are running Outlook you *may not* forward your spams as an attachment for processing.

Does this apply to your situation?

If not - have you registered your mailhosts?

- Also, is that bmorris address live? If so you'd be advised not to advertise it. I'd have edited it out for you if I knew how to do that...


HTH


Edited by C2H5OH
corrected typo


Edited the OP in this thread to remove references to bmorris{AT} addresses as "our drinking friend" suggested. You forgot to do this as you did last time.

This is a prime example for why a Tracking URL is the way to reference an example of spam.  That would also let the rest of us see what the SpamCop parser did with the example.

9 hours ago, RadicalDad said:

Note also that Spamcop also misses the bogus hyperlink ("Click here!"),

has no meaning without seeing the results of the processing.


Thanks everyone. I was thinking someone would put the headers and body through the parser themselves. That is also why I left my original email address intact; I thought the parser might need it. (I also thought about munging the address, but that address has been harvested many times by spammers, so I wasn't too worried. Still, removal by Lking is appreciated.)

Here is the parser tracking URL: https://www.spamcop.net/sc?id=z6357239923z2f559431f437c6b4b950f1c320499087z

The "click here" hyperlink is not retained by Spamcop when using the "view entire message" link from the parser.  Failing to process these hyperlinks is a problem in addition to Spamcop always pointing at my mail host as the culprit.  The "click here" URL is http;⁄⁄winnermistak,xyz⁄ppdpureoffice99888/index.php?userid=xxx@xxx.com (email address munged).  Provided here for reference.  I don't suggest anyone click on this.


Of course no one else can process your spam and get anything but an error message. For example, if I submitted your spam none of the headers would match my mailhost settings, so the parser would just throw the example out.

Don't know why SC dropped the link in the text, except as part of clearing your email, which would have been sent as a parameter in the link. But you are correct, winnermistak.xyz surely is not a Dropbox link.

When the parser goes down the sequence of Received: header entries, two internal IPs are found first (172.16.0.0/12), followed by a break in the chain, so nothing usable.

The link in the body would have been a low-level priority even if it had not been lost. Notice I broke that link in your last post. I wouldn't want an unknown link lying around for someone to click on in ignorance.

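To make Lking's walk through the Received: chain concrete, here is an added Python sketch (not SpamCop's parser and not code from anyone in this thread) that reads the chain from the original post newest-first, treats 172.16.0.0/12 and loopback hops as internal relays, and stops at the first handoff where one hop's "by" host is not the previous hop's "from" host. The mailhost suffix sets passed in are assumptions: with only the Exchange domain registered it reports the OP's own gateway, with the forwarding gateway registered it hits the chain break, and only with both gateway names registered does it reach the nottingham.ac.uk relay.

```python
import ipaddress
import re

# Constructed, unfolded copy of the Received: chain posted above (newest hop
# first); hostnames and IPs are the thread's own, other clauses are trimmed.
RECEIVED = [
    "from MBX01D-ORD1.mex09.mlsrvr.com (172.29.128.27) by MBX01A-IAD3.mex09.mlsrvr.com (172.29.64.20) with Microsoft SMTP Server",
    "from MBX05C-ORD1.mex09.mlsrvr.com (172.29.128.24) by MBX01D-ORD1.mex09.mlsrvr.com (172.29.128.27) with Microsoft SMTP Server",
    "from gate.forward.smtp.iad3a.emailsrvr.com (204.232.172.40) by MBX05C-ORD1.mex09.mlsrvr.com (172.29.128.24) with Microsoft SMTP Server",
    "from [128.243.43.129] ([128.243.43.129:52055] helo=uidappmx06.nottingham.ac.uk) by smtp27.gate.iad3a.rsapps.net with ESMTP",
    "from uidappmx06.nottingham.ac.uk (localhost.localdomain [127.0.0.1]) by localhost (Email Security Appliance) with SMTP",
    "from smtp4.nottingham.ac.uk (smtp4.nottingham.ac.uk [128.243.220.65]) by uidappmx06.nottingham.ac.uk (Sophos Email Appliance) with ESMTP",
    "from [130.65.254.18] (helo=DESKTOP-55DHA5K.sjsu.edu) by smtp4.nottingham.ac.uk with esmtpsa",
]
HOP_RE = re.compile(r"^from\s+(\S+)\s*(.*?)\s+by\s+(\S+)", re.I | re.S)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_hop(line):
    """Split one Received: value into its 'from' host, 'from' IP and 'by' host."""
    m = HOP_RE.match(line.strip())
    if not m:
        return None
    frm, extra, by = m.group(1).strip("[]").lower(), m.group(2), m.group(3).lower()
    ip = IP_RE.search(frm + " " + extra)  # first address in the 'from' clause
    return {"frm": frm, "ip": ipaddress.ip_address(ip.group(1)) if ip else None, "by": by}


def is_mailhost(host, mailhosts):
    # mailhosts is an assumed set of domain suffixes we consider our own
    return any(host == m or host.endswith("." + m) for m in mailhosts)


def find_origin(received, mailhosts):
    """Walk hops newest-first like an abuse-report parser: private/loopback
    'from' IPs and our own mailhosts are internal relays, and each hop's 'by'
    host must be the previous hop's 'from' host (unless both are ours)."""
    expected_by = None
    for raw in received:
        hop = parse_hop(raw)
        if hop is None:
            return None, "unparseable Received: line; nothing usable"
        if expected_by and hop["by"] != expected_by and not (
                is_mailhost(hop["by"], mailhosts) and is_mailhost(expected_by, mailhosts)):
            return None, f"chain break: {expected_by} handed off, but {hop['by']} received"
        ip = hop["ip"]
        if ip is None or ip.is_private or ip.is_loopback or is_mailhost(hop["frm"], mailhosts):
            expected_by = hop["frm"]  # still inside our own infrastructure, keep walking
            continue
        return str(ip), f"first public sender outside our mailhosts, recorded by {hop['by']}"
    return None, "ran out of Received: lines"
```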

What I am noticing is that Spamcop doesn't work at all for me anymore. Wondering if all my headers have a break in the chain now so that nothing will ever be usable for Spamcop again. I currently use Outlook 2016 with an Exchange 2016 host. Have others reported this as a problem? I use the "Outlook/Eudora" work-around submission form (well, it used to be called that) via web browser (in answer to the question by C2H5OH).

Appreciate you breaking the spammy link. Good idea. B) As above, the Spamcop parser doesn't seem to catch any of those for me now.

Is there any way to fix this? Spam filtering by my mail host is very good these days, so I only submit stuff to Spamcop that is extra slimy and got through my filter, in hopes it makes it to the Spamcop RBL and will be blocked for others. If that isn't the way things work, then there probably isn't a reason for me to keep using Spamcop at all.


Doing a search on "Outlook" I see problems going back to 2004. With OL messing with the header before you can get/forward it, there is no fix farther downstream (towards SC).

A quick look at the history leads me to believe that what OL does with the header has changed over time, so a "fix" would also have to be dynamic. That is not a workable situation. Which is too bad for your reporting.

Have you looked at the possibility of using something like Thunderbird for your email? I have used it 'forever' without problem. There also is an add-on to help with reporting (to SpamCop and others).


RadicalDad is using the web form to report, so the Outlook forwarding problem isn't the culprit in this case.

Maybe a re-learn of Mailhosts might fix this. Is it possible the OP's mail/Internet provider has added new servers and routes?

51 minutes ago, Lking said:

A quick look at the history leads me to believe that what OL does with the header has changed over time, so a "fix" would also have to be dynamic. That is not a workable situation. Which is too bad for your reporting.

Agreed, it's a pain. It's one of those things that seem to be sent to trip us up when using automated tools to assist the reporting process.
