Calion

Leave “reportphishing@apple.com” unchecked by default


I get a lot of spam that is apparently sent from Apple servers. However, almost none of it is phishing attempts. Therefore, I have to uncheck “reportphishing@apple.com” on each of the several messages that I report daily that SpamCop identifies as originating at “mac.com” (I find this unlikely; I suspect that they’re just spoofing it to look like it’s from the same domain as my email address, but whatever). Unless SpamCop wants me to report all these messages to “reportphishing@apple.com,” could that option please be unchecked by default?

Example: https://www.spamcop.net/sc?id=z6477895008z56a97be36e2c0ea3041c633f01754484z

Edited by Calion


I actually believe Apple should look into the configuration of their SMTP server named st11p00im-smtpin002.

When it receives the email, it places the host name st11p00im-smtpin002.me.com into the Received: header as "received by",
then, when it sends the message on its merry way, the same server is now known as st11p00im-smtpin002.mac.com.

me.com is an Apple domain, just like mac.com is.

My take is that some admin forgot to change the domain name on the server...

If I were you, I'd get in touch with Apple. They'd more than likely be willing to fix their server mis-configuration...

6 hours ago, Calion said:

I get a lot of spam that is apparently sent from Apple servers. However, almost none of it is phishing attempts. Therefore, I have to uncheck “reportphishing@apple.com”

There is an unsubscribe link; try using it? Then if it still comes, it is legally a phishing scam.

They have your email address anyhow


I want to expand on my theory about the mis-configured server...

Ok, the topmost (last) Received header

Received: from st11p00im-smtpin002.mac.com ([17.172.80.20])
          by ms55025.mac.com (Oracle Communications Messaging Server 8.0.1.3.20170906 64bit (built Sep  6 2017))
          with ESMTP id <0PD000KG3DK8YJD0@ms55025.mac.com>
          for x;
         Sun, 05 Aug 2018 22:09:44 +0000 (GMT)

The mail server "ms55025.mac.com" receives the message
from server "st11p00im-smtpin002.mac.com" and identifies the IP address [17.172.80.20] which in turn was received in the previous Received header (below)
by     server "st11p00im-smtpin002.me.com" (notice the coincidental same name, but me.com instead of mac.com domain -- both Apple domains nonetheless)
from the Russian server "kknd1.ru" and identified to be IP address [84.22.137.8]  (rDNS identifies the address as kknd1.ru)

Received: from kknd1.ru (kknd1.ru [84.22.137.8])
          by st11p00im-smtpin002.me.com (Oracle Communications Messaging Server 8.0.2.2.20180531 64bit (built May 31 2018))
          with ESMTP id <0PD0005G5DK5U970@st11p00im-smtpin002.me.com>
          for x (ORCPT x);
         Sun, 05 Aug 2018

Of course, sadly enough, at the moment, if I ping either me or mac servers, I get nil...

but the Russian server is there...

On 8/7/2018 at 6:17 PM, petzl said:

There is an unsubscribe link; try using it? Then if it still comes, it is legally a phishing scam.

They have your email address anyhow

I’m confused. It’s a phishing scam for Apple when it in no way purports to come from Apple?

On 8/7/2018 at 8:38 PM, RobiBue said:

I want to expand on my theory about the mis-configured server...

Ok, the topmost (last) Received header


Received: from st11p00im-smtpin002.mac.com ([17.172.80.20])
          by ms55025.mac.com (Oracle Communications Messaging Server 8.0.1.3.20170906 64bit (built Sep  6 2017))
          with ESMTP id <0PD000KG3DK8YJD0@ms55025.mac.com>
          for x;
         Sun, 05 Aug 2018 22:09:44 +0000 (GMT)

The mail server "ms55025.mac.com" receives the message
from server "st11p00im-smtpin002.mac.com" and identifies the IP address [17.172.80.20] which in turn was received in the previous Received header (below)
by     server "st11p00im-smtpin002.me.com" (notice the coincidental same name, but me.com instead of mac.com domain -- both Apple domains nonetheless)
from the Russian server "kknd1.ru" and identified to be IP address [84.22.137.8]  (rDNS identifies the address as kknd1.ru)


Received: from kknd1.ru (kknd1.ru [84.22.137.8])
          by st11p00im-smtpin002.me.com (Oracle Communications Messaging Server 8.0.2.2.20180531 64bit (built May 31 2018))
          with ESMTP id <0PD0005G5DK5U970@st11p00im-smtpin002.me.com>
          for x (ORCPT x);
         Sun, 05 Aug 2018

Of course, sadly enough, at the moment, if I ping either me or mac servers, I get nil...

but the Russian server is there...

This sounds to me like SpamCop is misidentifying the offending domain as mac.com when it’s actually (in this case) kknd1.ru.

12 hours ago, Calion said:

This sounds to me like SpamCop is misidentifying the offending domain as mac.com when it’s actually (in this case) kknd1.ru.

Yes and no...

SpamCop can only follow the trail of the received headers, and unfortunately Apple breaks that trail with their server announcing to be from domain me.com in the first header, but then being identified to be from Mac.com.

So yes, SpamCop is misidentifying the offending domain...

And no, SpamCop identifies Mac.com as the offending domain because Apple has broken the chain, and believes that kknd1.ru is a spoofed header.
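
The trail-following described in this reply, as an added example that is not part of the original post and is not SpamCop's actual parser: a simplified walk over the two Received headers quoted in the thread, reporting the last IP the trail supports. The `aliases` parameter, and the rule that two hosts match when their first label is equal and both domains sit in one alias group, are assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed message: the two Received headers are the ones quoted in this
# thread (recipient redacted as "x"); Subject and body are placeholders.
RAW = """\
Received: from st11p00im-smtpin002.mac.com ([17.172.80.20])
 by ms55025.mac.com (Oracle Communications Messaging Server 8.0.1.3.20170906 64bit (built Sep  6 2017))
 with ESMTP id <0PD000KG3DK8YJD0@ms55025.mac.com>
 for x; Sun, 05 Aug 2018 22:09:44 +0000 (GMT)
Received: from kknd1.ru (kknd1.ru [84.22.137.8])
 by st11p00im-smtpin002.me.com (Oracle Communications Messaging Server 8.0.2.2.20180531 64bit (built May 31 2018))
 with ESMTP id <0PD0005G5DK5U970@st11p00im-smtpin002.me.com>
 for x (ORCPT x); Sun, 05 Aug 2018
Subject: placeholder

body
"""

# from <helo> ([ip]) or from <helo> (<rdns> [ip]), then by <receiving host>
HOP = re.compile(r"from\s+(\S+)\s+\((?:\S+\s+)?\[([\d.]+)\]\)\s+by\s+(\S+)")

def parse_hops(raw):
    """Return hops newest-first as dicts with 'from', 'ip' and 'by'."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold the header first
        if m:
            hops.append({"from": m[1].lower(), "ip": m[2], "by": m[3].lower()})
    return hops

def same_host(a, b, aliases):
    """Equal names, or same first label with both domains in one alias group
    (the alias rule is an assumption of this example)."""
    (la, _, da), (lb, _, db) = a.partition("."), b.partition(".")
    return a == b or (la == lb and any(da in g and db in g for g in aliases))

def trace_source(hops, aliases=()):
    """Walk newest to oldest. An older hop is trusted only if its 'by' host is
    the host the newer hop says it received from. Returns (ip, break_index)."""
    if not hops:
        return None, None
    source = hops[0]["ip"]
    for i in range(1, len(hops)):
        if not same_host(hops[i - 1]["from"], hops[i]["by"], aliases):
            return source, i  # trail broken: older headers treated as forged
        source = hops[i]["ip"]
    return source, None
```

With strict name matching, `trace_source(parse_hops(RAW))` stops at hop 1 and reports 17.172.80.20; passing `aliases=[{"me.com", "mac.com"}]` lets the walk continue to 84.22.137.8.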

19 hours ago, Calion said:

I’m confused. It’s a phishing scam for Apple when it in no way purports to come from Apple?

Not sure but it looked to me to be coming through a "chat" group?


Regardless, essentially none of these are phishing schemes for Apple. So should I be sending them to reportphishing@apple.com?

Here are some further examples:

https://www.spamcop.net/sc?id=z6479695862z1021bf7eed9c5e421ab77e7ed3c68892z

https://www.spamcop.net/sc?id=z6479695853z24341f49a2f2ac2e8d7679e8dbd82093z

https://www.spamcop.net/sc?id=z6479695831z41ebc038af38bb3d45b0bf68ec49e02ez

https://www.spamcop.net/sc?id=z6479695767z562a8a4e3c17e754681a1f9b8001df15z

None of them are phishing scams for Apple, though one is a phishing scam for LinkedIn.

Edited by Calion
adding links


I would suggest that "apple" should be made aware of all spam that is designed to look like it comes from them, phishing or not.


Sure. Every one of these is being sent to “abuse@apple.com.” The question is, should they also be sent to “reportphishing@apple.com”?

6 hours ago, Calion said:

Sure. Every one of these is being sent to “abuse@apple.com.” The question is, should they also be sent to “reportphishing@apple.com”?

YES leave it

Edited by petzl
