Jump to content
klappa

Spamcop cannot find source IP

Recommended Posts

I just copy/paste the ipv6 into a whois, then copy/paste the resulting ipv4, replacing the ipv6 in the headers - yes it's munging, but it works and like RobieBue says, it amounts to ripping the "ipv6 disguise" off, so in my view, a legit munging. Curiously Hotmail doesn't have this problem, since it puts the ipv6 into a parenthesis that somehow,  the spamcop parser ignores, and thus parses correctly. Again, Spamcop should provide a workaround, like they did for "eudora users" - why not one for "gmail users", Spamcop? 

Share this post


Link to post
Share on other sites
1 hour ago, ChuckGary61 said:

it puts the ipv6 into a parenthesis that somehow,  the spamcop parser ignores

https://www.rfc-editor.org/rfc/rfc822.txt

     3.4.3.  COMMENTS

        A comment is a set of ASCII characters, which is  enclosed  in
        matching  parentheses  and which is not within a quoted-string
        The comment construct permits message originators to add  text
        which  will  be  useful  for  human readers, but which will be
        ignored by the formal semantics.  Comments should be  retained
        while  the  message  is subject to interpretation according to
        this standard.  However, comments  must  NOT  be  included  in
        other  cases,  such  as  during  protocol  exchanges with mail
        servers.

I currently modify the Gmail Received: header like so, commenting the 6to4 address with parentheses and inserting the IPv4 equivalent :

Received: by 10.2.33.9 (2002:a02:2109:0:0:0:0:0) with SMTP id e9-v6csp39361jaa;
        Thu, 24 May 2018 20:09:34 -0700 (PDT)
Edited by SpamStoolie
Explanation/example

Share this post


Link to post
Share on other sites
4 hours ago, SpamStoolie said:

I think this graph is quite telling: https://www.spamcop.net/spamgraph.shtml?spamyear

In mid-March, the ratio of spam reports to spam submissions dropped to about 1 to 1. In late march, the number of submissions was briefly higher than the number of reports.

Now, the ratio of reports to submissions is increasing, but both are lower than before.

I wonder if anyone who matters is watching the numbers…

Share this post


Link to post
Share on other sites
On 4/26/2018 at 7:34 AM, SpamStoolie said:

The 2nd header seems to be the only troublemaker.

If this header is removed, the message parses properly.

That was only working off and on previously, Google seem to be "um and arring" now with googles/gmail update cannot even read spam in spam folder.

Share this post


Link to post
Share on other sites
7 hours ago, cwg said:

Something weird is going on with the parser right now involving gmail spam, even if I use the outlook/eudora workaround form spamcop is NOT finding links.

To get around this you can do this, Use the two part submission form, in Gmail open full headers, copy headers omitting the first two lines, I think copy starting from the date line and ending with omitting the last line,  paste that in, then copy body loosing the first syntax and paste that in, now if you submit Sapmcop will parse all including links..

Share this post


Link to post
Share on other sites
9 hours ago, BoZz said:

To get around this you can do this, Use the two part submission form, in Gmail open full headers, copy headers omitting the first two lines, I think copy starting from the date line and ending with omitting the last line,  paste that in, then copy body loosing the first syntax and paste that in, now if you submit Sapmcop will parse all including links..

Works about well as a watergun in a firefight.

https://www.spamcop.net/sc?id=z6467209537z5ce16d11466090755a84c95202c4d422z

Share this post


Link to post
Share on other sites
1 hour ago, cwg said:

Works about well as a watergun in a firefight.

Are you suggesting that google is not the correct abuse address or are you suggesting that the bounce of the spam report is the problem?

If you have a better email address to submit gmail/google spam reports that would be a positive addition to the anti-spam effort.  The efforts against spam  and for net neutrality need to be community efforts.

Share this post


Link to post
Share on other sites

No, it's not picking up the LINKS in the message.

9 minutes ago, Lking said:

Are you suggesting that google is not the correct abuse address or are you suggesting that the bounce of the spam report is the problem?

If you have a better email address to submit gmail/google spam reports that would be a positive addition to the anti-spam effort.  The efforts against spam  and for net neutrality need to be community efforts.

 

Share this post


Link to post
Share on other sites

That is the lowest priority.  Trying to stop/block the spam is the top priority.

Share this post


Link to post
Share on other sites
42 minutes ago, Lking said:

Are you suggesting that google is not the correct abuse address or are you suggesting that the bounce of the spam report is the problem?

If you have a better email address to submit gmail/google spam reports that would be a positive addition to the anti-spam effort.  The efforts against spam  and for net neutrality need to be community efforts.

Please see this... I am pasting a spam I received and when I did what I had mentioned it picked the body as well

 

START FROM DATE AND LEAVE LINES BEFORE THIS       
Thu, 31 May 2018 02:51:36 -0700 (PDT)
X-Google-Smtp-Source: ADUXVKJ3mJapj2hhOaW4VDqrDHdQQXXqzg17PcurlUNY0E6tk3tWorR56T1FYHIAqAOhCNBlBAwr
X-Received: by 2002:aa7:d911:: with SMTP id a17-v6mr7206063edr.21.1527760296524;
        Thu, 31 May 2018 02:51:36 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1527760296; cv=none;
        d=google.com; s=arc-20160816;
        b=WU78ZGhu29UmL+oLRRfQCok4w3Ph4k7cjEEeS8X/nSWR9AwVcs1k0z3lsKk969a7gP
         kMq+iqXUIuqee8NxwsnmYXLnbKVNR+xZ8h0OxFg0eJvKVbfzg52T0RgPHEd4KCpBJ2uX
         nsmqvqp/SlAKIPyb+kSdbcdpdlAxLVH7AmaIAqDkAKoFchkrfwqrRVYvw4RUnW7aBTJV
         rOdPKKAztIqQDv4foHcZoyCUhlRck+FLx87hZaNq2ha1bfBj2A4oxyXhp+ckQjjrYkT+
         VmzmKyCJOzNdygOOVRemCOM0iiskpvaKYqIPtaQbwnow4PuThaFrEY1ShAvHFZAdBFRS
         BwbQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=mime-version:subject:date:message-id:to:from:reply-to
         :list-unsubscribe:submitter:sender:dkim-signature
         :domainkey-signature:dkim-signature:arc-authentication-results;
        bh=ZSxUwM1yBNjFwwfhtX2iQLz8/HWOU9bsVu7UgSzuTe8=;
        b=W0GSyZTG2DQg3HOUGcxGoUYF3zTwe8hNApEkUgokLRrT34SeLNVJt/QGrvnOOXrlKR
         /O6OTcWSW4w8+Bm7msi3byg3P8Hu/OO80OUyczQve2P6Ce+A/7KbFZrmgXy6uCyqREut
         MG9q75GthmxHcS1ESzNasqjrZxMYd0XtDZ29dLQVTxKRsfBenBsIA69ZWDCr9vn1H6Cp
         OqOftnZ9GsEdS31B3a1C3OnAWpSmbrvUU9YwgZJC34Dkh4bFmWQfXc3YF/MDHZKHrevn
         zlXEPZJ7CG8Vo/ggHJNbnQshqVAQeqGj4ICTMR/SRWxIemqDY8mYGBUcUqON0EL5QchK
         BXCw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@activetrail.com header.s=at header.b=bpMX7AYw;
       dkim=pass header.i=@greencardorganization.com header.s=at header.b=iLaQ5Zkj;
       spf=pass (google.com: domain of reply@activetrail.com designates 91.199.29.225 as permitted sender) smtp.mailfrom=reply@activetrail.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=greencardorganization.com
Return-Path: <reply@activetrail.com>
Received: from i2.ms225.atmailsvr.net (i2.ms225.atmailsvr.net. [91.199.29.225])
        by mx.google.com with ESMTPS id y30-v6si928533edy.155.2018.05.31.02.51.36
        for <xxxxxxx@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 31 May 2018 02:51:36 -0700 (PDT)
Received-SPF: pass (google.com: domain of reply@activetrail.com designates 91.199.29.225 as permitted sender) client-ip=91.199.29.225;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@activetrail.com header.s=at header.b=bpMX7AYw;
       dkim=pass header.i=@greencardorganization.com header.s=at header.b=iLaQ5Zkj;
       spf=pass (google.com: domain of reply@activetrail.com designates 91.199.29.225 as permitted sender) smtp.mailfrom=reply@activetrail.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=greencardorganization.com
X-IADB-IP: 91.199.29.225
X-IADB-IP-REVERSE: 225.29.199.91
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; q=dns/txt; d=activetrail.com; s=at; h=X-BBounce:X-IADB-URL:Sender:Submitter:X-Feedback-ID:From:To:Date:Subject:MIME-Version:Content-type:Content-Transfer-Encoding; bh=ZSxUwM1yBNjFwwfhtX2iQLz8/HWOU9bsVu7UgSzuTe8=; b=bpMX7AYweE0lacnyMs/qP9Up9J3Yojg4+C0D+YXN68nRdrjd2SjFiIuQ2iRlSg7AHoVu l/L2YrB+h31+0uY5H/p4ZTGB0brRbOU8GB19L0+akUxqksrQnCrlncCLDRkcQybSthD5+a +/dp+hK/r9oFj7ZTbcWeCRRDhj2kabK8w=
DomainKey-Signature: q=dns; a=rsa-sha1; c=nofws; d=greencardorganization.com; s=at; h=x-bbounce:x-iadb-url:sender:submitter:x-feedback-id:from:to:date:subject:mime-version:content-type; b=OTdBmINYQ7j6nl0qd1JLNqXnNFL7oVnsHN6IfdB1d3PkQ+TfG6pc4mJ8AtWSDs832a1f pLQ97eejSj4T5VqZpI7zWPxhOnX9nBHX25ec03/ZVpvM1SkmxTBKQWxEdIxrvXDaPmLhcC c0N3xTIuwa0WnxmpZDgLHucNg0DqN684E=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; q=dns/txt; d=greencardorganization.com; s=at; h=X-BBounce:X-IADB-URL:Sender:Submitter:X-Feedback-ID:From:To:Date:Subject:MIME-Version:Content-type:Content-Transfer-Encoding; bh=ZSxUwM1yBNjFwwfhtX2iQLz8/HWOU9bsVu7UgSzuTe8=; b=iLaQ5Zkj+arrZ5U4rg4ByU0KqNjgm/EaPLm5hG/7kRFS+FatXpSylZ/hxLvfx+MDNcds j4ncZ/QVCplWdWTEt0LXgsUS2qICGRlbnJr31IhhlFVmZ1vcnznq+sgciVz6QKzI1htgzi HGIRPM8zrXzMBr86/aAnkD0kqgoTMaoWI=
X-BBounce: 41807088|384921|xxxxxxxx@gmail.com|68|0|129495|7
X-IADB-URL: http://www.isipp.com/iadb.php
Sender: "USA.GCO" <d.smith@greencardorganization.com>
Submitter: reply@activetrail.com
X-Feedback-ID: 129495:129495.384921.0:G3:atgfbl
From: "USA.GCO" <d.smith@greencardorganization.com>
To: "xxxxxxx@gmail.com" <xxxxxxxx@gmail.com>
Message-ID: <52fccccf76c742ebae306b2d740a8531@greencardorganization.com>
Date: Thu, 31 May 2018 12:41:38 +0300
Subject: Important update regarding your US Green Card 

STOP HERE LEAVING THE LINES BELOW

MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----5B573397F06844CE9E91626DCD0EE9A2"
Dear Bozz,=C2=A0=20

We approved your eligibility for a U.S. Green Card a couple of weeks ago.=
=20
It is our responsibility to inform you that the U.S. government has made se=
veral changes to the eligibility certificates.=C2=A0=20
This means that your Green Card eligibility certificate may have been cance=
led.=20

What can you do?=C2=A0=20
As part of our services, GCO automated system will perform for you an updat=
ed Green Card eligibility check and will give you an immediate result at=C2=
=A0 no charge!=20





Click to Start the Check: http://trailer.web-view.net/Links/0XAAADC68DC6EB0=
CDFF5F75DB6ED0E543CC4AC361B98CE0C9B3CD5C5F6BAC80314A24DB94162992588242CC8BA=
0ECC4EBF22F6B942503C48A0046461CFF22C4392EA45B0491EAE6318.htm Click to Start=
 the Check=20



We hope that you are still eligible for a U.S. Green Card and have the appr=
oval to submit your application today.=20

Best of luck,=20

Dan Smith=20
Senior Agent=20
Green Card Organization=20
Address: USA Miami Florida=20
Phone: +1888-433-0135=20


To Unsubscribe from GCO emails - Click Here: http://trailer.web-view.net/Ou=
t_0XD6C23B51985777D96334B6E6F01D721FA9E73A849CF2A86BFFECCFAE89D530CC552835B=
8FF6C759D.htm=20

 

 

 

 

Share this post


Link to post
Share on other sites
34 minutes ago, BoZz said:

Please see this... I am pasting a spam I received and when I did what I had mentioned it picked the body as well

Learn to past the track which is provided at top of page before you submit. Not considered legal when one alters headers,  you are best to submit from your Gmail account to real abuse address, include full body and text I also download them and attach "original.txt" to submission.

 

 

 

 

 

 

 

 

 

 

Share this post


Link to post
Share on other sites

Incredibly frustrating that you not only have to cut lines of text to make the parser work, but that it's different lines of text depending on what service the e-mail was received at.

The whole "For Gmail - hop up and down on your left leg while patting your head with your right hand and rubbing your tummy with your left hand in a counter-clockwise direction"; for Hotmail - hop up and down on your right leg while patting your head with your left hand and rubbing your tummy with your right hand in a clockwise direction" thing is just unworkable for me. 

As a result of getting constant spam in my Hotmail account over the last three months, I'm shutting it down - during the "30 day cooling of period", I'm having mail redirected from it to my Gmail account. But, the redirected spam e-mails I get there are now basically unreportable. No matter which line of text I cut as per the instructions in this thread, I either get Microsoft or Google as the source, not the actual source. That's of no use at all.

The whole attraction of SpamCop for me was that it was a simple matter of cutting-and-pasting the headers. Now it's devolved into a sort of guessing game - "Cut this line, and see what happens!".

Share this post


Link to post
Share on other sites
On 5/31/2018 at 8:27 PM, Lking said:

That is the lowest priority.  Trying to stop/block the spam is the top priority.

Well, it shouldn't be. That's like plugging holes in the ceiling instead of getting the upstairs neighbour to repair the leak in his plumbing. As long as there are things to spamvertise the spam will keep coming.

 

99.9% of the spam that makes it into my inbox is not of the kind that spamvertises sites on hijacked home computers but of the kind sent by otherwise legit companies who don't have any number of free servers for hosting their site at their disposal and who consider that it's OK to spam anyone of whom they have an address on file.

 

Sadly Spamcop have become more and more lenient with the spam ISPs those companies use, refusing to send reports to what seems a growing minority (and the others including Amazon apparently couldn't care less anyway). And that too many links exploit makes it way too easy to prevent getting reports about links in your spam: just repeat your links a few times (5x seems to be enough already) and you can sleep easy.

Share this post


Link to post
Share on other sites
4 hours ago, RJVB said:

Well, it shouldn't be. That's like plugging holes in the ceiling instead of getting the upstairs neighbour to repair the leak in his plumbing. As long as there are things to spamvertise the spam will keep coming.

 

I understand the frustration, and I do have the same point of view, although I do admit that the reason of the lowest priority is that many spammers use legit links that will clog abuse mailboxes from these legit ISPs.

as an example (although I haven't had one recently) spammers have added "terms of conduct" and similar links from 3rd party ISPs which SC will use to send reports to them.

Also, random images found on the internet either akamaized or from other providers have been used as links before (although these IIRC have been since disabled by SC)

Share this post


Link to post
Share on other sites

It is a matter of a difference in philosophy. 

SpamCop's objective is to keep spam out of inboxes, directly by building a Block List to be used to filter incoming email (top priority). As a second priority SpamCop tries to send host, not the spammer, a spam Report so that a responsible ISP can take appropriate action with the source of spam.  As a third priority, the spamvertised links in the body of spam are evaluated.

KnujOn, recently folded, took another approach - they followed the money.  Their thinking was that if the profit stream is choked off the spam will stop.  KnujOn tried working with ICANN, Internet Corporation for Assigned Names and Numbers, to get registrars to follow established rules controlling spammer's domains, the spamverised domains and WHOIS information.

Share this post


Link to post
Share on other sites
7 hours ago, RobiBue said:

I understand the frustration, and I do have the same point of view, although I do admit that the reason of the lowest priority is that many spammers use legit links that will clog abuse mailboxes from these legit ISPs.

as an example (although I haven't had one recently) spammers have added "terms of conduct" and similar links from 3rd party ISPs which SC will use to send reports to them.

Also, random images found on the internet either akamaized or from other providers have been used as links before (although these IIRC have been since disabled by SC)

This is where intelligence should step up, where we should, at least I do, remove tick marks for the legit infringed sites before sending the complaints.

Share this post


Link to post
Share on other sites
52 minutes ago, BoZz said:

This is where intelligence should step up, where we should, at least I do, remove tick marks for the legit infringed sites before sending the complaints.

It's the IP email source that may get blocked not the site. SpamCop does not block sites.

Share this post


Link to post
Share on other sites

Re-read my comment about plugging holes in your ceiling or instead plugging the hole in the plumbing somewhere above your ceiling. Or ponder the Dutch proverb "mopping with the tap open".

 

And BoZz, ++. I also untick inappropriate boxes (unless they'\re going to a SC-internal NULL address). And I have a series of optional boxes to tick or untick for recipients I configured in my preferences that correspond to the sh*t I'm currently getting.

 

But I'm getting very close to the point where I figure out how again one sends spams to SpamCop's auto-reporting address, given the increasingly apparent futility of wasting my time doing manual reports. The spammers have won anyway.

 

Share this post


Link to post
Share on other sites
8 hours ago, nullDozzer said:

So spamcop doesn't work with with emails recieved in gmail and they're not planning to fix it at all? 

They might? Don't look good for CisCo they may just drop SpamCop?

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×