klappa

Spamcop doesn't parse the spam links


Hi Klappa,

I can try to explain what’s happening here:

In the topmost (last) Received: line 

Received: from CO1NAM04HT207.eop-NAM04.prod.protection.outlook.com
 (2603:10a6:4:2b::32) by DB4PR03MB524.eurprd03.prod.outlook.com with HTTPS via
 DB6PR0801CA0064.EURPRD08.PROD.OUTLOOK.COM; Tue, 2 Oct 2018 00:49:39 +0000

notice the address 2603:10a6:4:2b::32

which is a valid assigned IPv6 address belonging to M$.

The next Received: line

Received: from CO1NAM04FT010.eop-NAM04.prod.protection.outlook.com
 (10.152.90.52) by CO1NAM04HT207.eop-NAM04.prod.protection.outlook.com
 (10.152.91.103) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.20.1185.13; Tue, 2
 Oct 2018 00:49:37 +0000

appears to come from IP address 10.152.90.52, which is a private network address, so it is not trusted.

The following (preceding) Received: line

Received: from sfac11.wysweb.com.au (101.0.109.195) by
 CO1NAM04FT010.mail.protection.outlook.com (10.152.90.150) with Microsoft SMTP
 Server id 15.20.1185.13 via Frontend Transport; Tue, 2 Oct 2018 00:49:36
 +0000

which actually contains the spamming IP address 101.0.109.195, could already have been forged by the untrusted host mentioned above.

The problem is that M$/Hotmail/Outlook breaks the chain, causing SpamCop to report the wrong address.

This is not SpamCop’s fault, but M$’s.
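
Added example, not part of the original post and not SpamCop's parser: a simplified model of the chain walk described above, run on the three Received: lines quoted in the post. The stop-at-private-address rule and the function names `parse_hops` and `walk_chain` are assumptions made for illustration.

```python
import ipaddress
import re

# The three Received: lines quoted in the post, topmost (most recent) first.
RAW = """\
Received: from CO1NAM04HT207.eop-NAM04.prod.protection.outlook.com
 (2603:10a6:4:2b::32) by DB4PR03MB524.eurprd03.prod.outlook.com with HTTPS via
 DB6PR0801CA0064.EURPRD08.PROD.OUTLOOK.COM; Tue, 2 Oct 2018 00:49:39 +0000
Received: from CO1NAM04FT010.eop-NAM04.prod.protection.outlook.com
 (10.152.90.52) by CO1NAM04HT207.eop-NAM04.prod.protection.outlook.com
 (10.152.91.103) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.20.1185.13; Tue, 2
 Oct 2018 00:49:37 +0000
Received: from sfac11.wysweb.com.au (101.0.109.195) by
 CO1NAM04FT010.mail.protection.outlook.com (10.152.90.150) with Microsoft SMTP
 Server id 15.20.1185.13 via Frontend Transport; Tue, 2 Oct 2018 00:49:36
 +0000
"""

# "from <host> (<address>) by <host>" as it appears in these headers.
HOP = re.compile(r"from\s+(\S+)\s+\(([^)\s]+)\)\s+by\s+(\S+)")

def parse_hops(raw):
    """Unfold continuation lines; return (from_host, ip, by_host) per hop."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)
    hops = []
    for line in unfolded.splitlines():
        m = HOP.search(line) if line.lower().startswith("received:") else None
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # parenthesised text was not a bare IP address
        hops.append((m.group(1), ip, m.group(3)))
    return hops

def walk_chain(hops):
    """Assumed rule: walk down from the top and stop trusting at the first
    hop whose source address is private. Returns (last trusted source,
    addresses in the lines that are no longer trusted)."""
    trusted = []
    for _, ip, _ in hops:
        if ip.is_private:
            break
        trusted.append(ip)
    untrusted = [ip for _, ip, _ in hops[len(trusted):]]
    return (trusted[-1] if trusted else None), untrusted

if __name__ == "__main__":
    print(walk_chain(parse_hops(RAW)))
```

Under that rule the walk ends on Microsoft's own IPv6 address, and 101.0.109.195 sits below the 10.152.90.52 hop among the lines that are no longer trusted.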

56 minutes ago, klappa said:

problem but lately Spamcop is having problem to parse the links in spam

The links in the body of spam are the lowest priority task for the parser. If you look at the "Statistics" tab you will see they are processing ~5 spam/second on average. If you submit spam at times of high load, parsing the links in the body of your spam may not be done to avoid falling behind on the higher priority task.

It's an old reference but reminds me of "Lucy on the candy assembly line" from I Love Lucy ~ years ago (B/W TV) but a classic!


Hi,

Same thing here for month, now... ?

I mainly receive spam on my Hotmail address, and every time I submit a spam, I now get something similar:

Parsing header:
host 2603:10a6:3:e5:0:0:0:21 (getting name) no name
0: Received: from AM5EUR03HT212.eop-EUR03.prod.protection.outlook.com (2603:10a6:3:e5::21) by HE1P190MB0284.EURP190.PROD.OUTLOOK.COM with HTTPS via HE1PR0902CA0011.EURPRD09.PROD.OUTLOOK.COM; Wed, 3 Oct 2018 09:06:23 +0000
No unique hostname found for source: 2603:10a6:3:e5:0:0:0:21
Hotmail/MSN received mail from sending system 2603:10a6:3:e5:0:0:0:21

1: Received: from AM5EUR03FT042.eop-EUR03.prod.protection.outlook.com (10.152.16.52) by AM5EUR03HT212.eop-EUR03.prod.protection.outlook.com (10.152.17.135) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.20.1185.13; Wed, 3 Oct 2018 09:06:22 +0000
Internal handoff or trivial forgery

2: Received: from 99h37.org (117.97.128.120) by AM5EUR03FT042.mail.protection.outlook.com (10.152.17.168) with Microsoft SMTP Server id 15.20.1185.13 via Frontend Transport; Wed, 3 Oct 2018 09:06:21 +0000
No unique hostname found for source: 117.97.128.120
Possible forgery. Supposed receiving system not associated with any of your mailhosts
Will not trust this Received line.

So, every report is sent to "report_spam@hotmail.com", which is completely useless.


As I mentioned, it's M$'s (Microsoft's) fault because they break the chain.

I do agree, that it is pointless to report your own email provider instead of the source, but there's nothing we mere "customers/end-users" can do if the big wigs don't want to play along.

 


Okay, so the proper procedure for Hotmail and other Micro$oft accounts is to uncheck the report about the sending address and just report any spamvertised links?

Or would it be better to flood Micro$oft with as many spam reports as possible? Maybe with a note saying what the problem is?

Also, since this seems to be a universal problem, wouldn't it be a good idea to add it to the MailHosts and Reporting forums' pinned info? (I didn't see it on either one, but I didn't look carefully, either, he said sheepishly.)

 


I suspect that something similar to what others have reported for Gmail is happening. The workaround I generally use is similar to the Gmail workaround, commenting out the first Received line encountered as you scroll down the message source.


Hmmm... in most cases, the first Received line is just the first line, right?

That does seem to work. Interesting.

Thanks!

 



Update: For several weeks, I have been stripping off the first Received line from my Hotmail spam and including it in the "Additional notes" box. It looks like the proper sender is now being reported.

Bonus: My incoming spam count has gone 'way down. Might or might not be related.
