5280 Guy

Constant reporting problems


I use Gmail and copy the headers when I submit a report.    This is spam that I keep getting from Jim Cramer.  It doesn't seem like reporting is working.  I have stripped out the regular part of the response and have only included the errors.  Any suggestions?

Thanks.


Routing details for 10.157.33.183
I refuse to bother abuse@iana.org.

Using abuse#iana.org@devnull.spamcop.net for statistical tracking.
Using last resort contacts abuse#iana.org@devnull.spamcop.net
Chain error mx.google.com not equal to last sender received line discarded
Tracking message source: 2002:a9d:21b7:0:0:0:0:0:
Display data:
"whois 10.157.33.183@whois.arin.net" (Getting contact from whois.arin.net )
Found AbuseEmail in whois abuse@iana.org
10.0.0.0 - 10.255.255.255:abuse@iana.org
Routing details for 10.157.33.183
I refuse to bother abuse@iana.org.
Using abuse#iana.org@devnull.spamcop.net for statistical tracking.
Using last resort contacts abuse#iana.org@devnull.spamcop.net
Yum, this spam is fresh!
Message is 0 hours old
2002:a9d:21b7:0:0:0:0:0 not listed in cbl.abuseat.org
2002:a9d:21b7:0:0:0:0:0 not listed in dnsbl.sorbs.net
2002:a9d:21b7:0:0:0:0:0 not listed in accredit.habeas.com
2002:a9d:21b7:0:0:0:0:0 not listed in plus.bondedsender.org
2002:a9d:21b7:0:0:0:0:0 not listed in iadb.isipp.com
Finding links in message body
Parsing text part
error: couldn't parse head
Message body parser requires full, accurate copy of message
More information on this error..
no links found

Please make sure this email IS spam: 
From: Jim Cramer <offers@thestreet.com> (Here is your limited-time club invitation)
 ------=_Part_23590669_2119084344.1524930398294
 Content-Type: text/plain; charset=utf-8


Report Spam to:

Re: 2002:a9d:21b7:0:0:0:0:0 (Administrator of network where email originates)
 To: abuse#iana.org@devnull.spamcop.net (Notes)


14 minutes ago, 5280 Guy said:

Any suggestions?

I suggest that in the future you include the Tracking URL instead of copying part of the report. That way we all could see the header, and other sources of any problem. In this case the Tracking URL is:

Quote

SpamCop v 4.9.0 © 2018 Cisco Systems, Inc. All rights reserved.
Here is your TRACKING URL - it may be saved for future reference:

https://www.spamcop.net/sc?id=z6461933973z4767a21d25b34cc44e73745c9fbc6e84z

 

26 minutes ago, 5280 Guy said:

It doesn't seem like reporting is working.

Reporting spam to SpamCop does add to the SpamCop Block List (SCBL).  Unless your ISP uses the SCBL to filter incoming email you will not see a direct result of your submissions.  Gmail does not use the SCBL.   Another possibility is that the ISP of the source of the spam will stop providing internet access to the spammer. However, in this case for one of several reasons SpamCop will not send spam reports to the source ISP (" I refuse to bother abuse@iana.org. ")

I suggest you also read several other current threads regarding parsing of gmail headers.  Use the Search engine in the top right corner of the screen.  Search for gmail.

 


Here is the whole deal.  This used to work, but now I get errors every time.

SpamCop v 4.9.0 © 2018 Cisco Systems, Inc. All rights reserved.
Here is your TRACKING URL - it may be saved for future reference:
https://www.spamcop.net/sc?id=z6461933973z4767a21d25b34cc44e73745c9fbc6e84z

Header/body/ parser results deleted by moderator.

Edited by Lking
edited to make thread readable.


The advantage of including the Tracking URL in your post is that you DO NOT then need to clutter the thread with the long content of the reported spam. Anyone that wants to can click on the Tracking URL link and see the details.  

9 hours ago, 5280 Guy said:

OK, Gmail is getting "spoofed" headers. You need to copy only from, and including, this line:

ARC-Authentication-Results: i=1; mx.google.com;

Then it will parse correctly  https://www.spamcop.net/sc?id=z6462122803z4edf40cea6065e3f021240fc039e11d2z

Look at the headers of your non-Gmail spam; you will see they don't contain these spoofed headers.
included spoofed headers in notes and send to abuse at gmail as well

Edited by petzl


Lately almost all of my reports are redirected to abuse#iana.org{AT}devnull.spamcop.net and I don't think it's right.

1 hour ago, lepa71 said:

Lately almost all of my reports are redirected to abuse#iana.org{AT}devnull.spamcop.net and I don't think it's right.

Which part do you not think is correct? The "devnull.spamcop.net" part, which indicates that SpamCop does not want to send a spam report to this email address? Or the "abuse{AT}iana.org" part, which is where the spam report would be sent IF a report was being sent?

Again a tracking URL would help the rest of us understand your concern.


Here is one.

https://www.spamcop.net/sc?id=z6466736617zb98f035ad2768f5b6da603bd2ae4a034z

If you look, it tries to get the IPv4 but then tries to get IPv6

host 95.216.150.71 = static.71.150.216.95.clients.your-server.de (cached)
static.71.150.216.95.clients.your-server.de is 95.216.150.71
2002:a9f:3d14:0:0:0:0:0 not listed in cbl.abuseat.org
2002:a9f:3d14:0:0:0:0:0 not listed in dnsbl.sorbs.net
2002:a9f:3d14:0:0:0:0:0 is not an MX for mx.google.com

At the end, it gets here:

"whois 10.159.61.20@whois.arin.net" (Getting contact from whois.arin.net )
Found AbuseEmail in whois abuse@iana.org
10.0.0.0 - 10.255.255.255:abuse@iana.org
Routing details for 10.159.61.20

And this is not just one example. It started about a month ago. I see more and more of this. It does not look right. 


Based on what you cut/pasted from the report above, are you mixing results from the " Parsing header: " and " Finding links in message body "?

The " Resolves to 95.216.150.71 " is from the body, and 10.159.61.20 is from the header.  Each results in a report being sent.  10.159.61.20 and " I refuse to bother abuse@iana.org. " results in the devnull report, and the 95.216.150.70 results in a report being sent to abuse{AT}hetzner.de

Or do I not understand what you think is wrong?

13 minutes ago, Lking said:

Based on what you cut/pasted from the report above, are you mixing results from the " Parsing header: " and " Finding links in message body "?

The " Resolves to 95.216.150.71 " is from the body, and 10.159.61.20 is from the header.  Each results in a report being sent.  10.159.61.20 and " I refuse to bother abuse@iana.org. " results in the devnull report, and the 95.216.150.70 results in a report being sent to abuse{AT}hetzner.de

Or do I not understand what you think is wrong?

unfortunately, that is exactly what SC does at the moment with gmail's first (topmost) IPv6 (actually 6to4) private address Received: line:

Received: by 2002:a9f:3d14:0:0:0:0:0 with SMTP id l20-v6csp1947284uai;
        Sun, 27 May 2018 17:19:06 -0700 (PDT)

This IPv6 address is the 6to4 equivalent to 10.159.61.20 which is a private network address.

The next Received: line :

Received: from gambashoping.com (static.71.150.216.95.clients.your-server.de. [95.216.150.71])
        by mx.google.com with ESMTP id m1-v6si28198295plt.276.2018.05.27.17.19.05
        for <x>;
        Sun, 27 May 2018 17:19:06 -0700 (PDT)

shows the actual spammer IP address [95.216.150.71]. This is coincidentally also the IP address that the link in the body of the message returns.

SpamCop chokes on Gmail's "private" IPv6 address, and the rest of the Received: lines suffer from it and the real spamming IP does not get reported.

Long discussions, explanations and workarounds are listed in the following two threads:

http://forum.spamcop.net/topic/25123-address-2002adfaa9100000-gmail-not-associated-with-any-of-your-mailhosts/

http://forum.spamcop.net/topic/23516-spamcop-cannot-find-source-ip/

 

Edited by RobiBue
added more details


RobiBue, please read the contents of the tracking URL more carefully.  It can be confusing that gambashoping.com appears in both the header and in the body.

26 minutes ago, lepa71 said:

I don't think it's confusing. It is exactly what @RobiBue is saying.

Here is another one.

https://www.spamcop.net/sc?id=z6466849060zdcafb4e78746831a976de90fabffbf97z

Maybe another confusion is: is the 2002:a9f:3d14:0:0:0:0:0 the full IPv6 or does Google strip it? I don't think those 0:0:0:0:0 should be there that way.



 

@ Lking: I did read the contents carefully :) but I also noticed the coincidental appearance of the same IP address in both header and body which only means to me, that the spammer is advertising from his own IP address.
If I had a mail server and a web server on my network, and I were sending mail from my mail server with links to the website on my web server, both mail server and web server addresses would have the same IP address.

@ lepa71: the IPv6 address 2002:a9f:3d14:0:0:0:0:0 is a correct 6to4 IPv6 address and can be abbreviated as 2002:a9f:3d14:: or expanded to 2002:0a9f:3d14:0000:0000:0000:0000:0000
They all mean the same and all point to the IPv4 IP address [10.159.61.20] (you can try them here and see the result.)

I have seen in past reports (besides my own) that google's mx servers utilize various 10.nnn.nnn.nnn IP addresses and it seems that several weeks ago they decided to "6to4" them, but unfortunately, with that move, SC got left behind limping...
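
The 6to4 mapping and the Received: walk discussed in the two posts above, as an added example that is not part of the original thread and is not SpamCop's parser. The function names are hypothetical, and the sample message is constructed from the two Received: lines quoted in the thread.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: the two Received: lines quoted in the thread, plus a dummy body.
SAMPLE = (
    "Received: by 2002:a9f:3d14:0:0:0:0:0 with SMTP id l20-v6csp1947284uai;\n"
    "        Sun, 27 May 2018 17:19:06 -0700 (PDT)\n"
    "Received: from gambashoping.com (static.71.150.216.95.clients.your-server.de. [95.216.150.71])\n"
    "        by mx.google.com with ESMTP id m1-v6si28198295plt.276.2018.05.27.17.19.05\n"
    "        for <x>;\n"
    "        Sun, 27 May 2018 17:19:06 -0700 (PDT)\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

PEER = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")   # [1.2.3.4] after "from"
BY_LITERAL = re.compile(r"\bby\s+([0-9A-Fa-f:.]+)\s")  # "by <address literal>"


def effective_address(text):
    """Parse an address; unwrap 6to4 (2002::/16) to the IPv4 it embeds."""
    addr = ipaddress.ip_address(text)
    if addr.version == 6 and addr.sixtofour is not None:
        return addr.sixtofour
    return addr


def hop_address(received):
    """Address named by one Received: value: bracketed peer, else 'by' literal."""
    match = PEER.search(received) or BY_LITERAL.search(received)
    if not match:
        return None
    try:
        return effective_address(match.group(1))
    except ValueError:          # a hostname made only of hex letters, not an address
        return None


def first_public_hop(raw_message):
    """Walk Received: lines top-down and return the first non-internal address."""
    for received in message_from_string(raw_message).get_all("Received", []):
        addr = hop_address(received)
        if addr is not None and not (addr.is_private or addr.is_loopback):
            return str(addr)
    return None
```

Only the Received: lines written by your own provider can be trusted; anything below the first external hop may have been forged by the sender.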

5 hours ago, lepa71 said:

Cut this line out and Gmail parsing works fine.
Received: by 2002:a9f:3d14:0:0:0:0:0 with SMTP id l20-v6csp3921756uai;

https://www.spamcop.net/sc?id=z6466997545zbf99b5f46d259fd01fbd6b2d8ebab0b9z

12 hours ago, lepa71 said:

That is not really the point. If this is the case then maybe spamcop needs adjustments.

That was only working off and on previously. Google seem to be "um and arring"; now, with Google's update, cannot even read spam in spam folder.
