
No source IP address found, cannot proceed.


ANGEL


Hello,

I've recently joined and had some success in sending in some spam to SpamCop. However, a number of submissions are unable to proceed due to "This header is incomplete. Please supply the full headers of the spam you're trying to report. No source IP address found".

I am aware that some spammers insert false sender / IPs above the genuine one. Unfortunately, however I try to remove sections of the headers, I get nowhere. I read on this forum about removing lines (all lines?) above ARC. The only reference in the extracted headers I can find is DMARC. Again, I failed when I removed text before this term.

I have sent a recent spam email to SpamCop without removing anything from the headers - via forwarding the mail from my tablet AquaMail app along with complete copied headers as the body of the email.

Could anyone kindly tell me exactly what I should / should not be forwarding along with the original email so I can get somewhere with this, please? The failed attempts are driving me bonkers.

Here is the link -

https://www.spamcop.net/sc?id=z6595087778z758d665bc9d4ae4d72f881d2e0382a82z

Thanks in advance. 

Edited by Boothy99
Required additional explanation.

Welcome to the forum

SpamCop has always successfully strived for a low/zero false positive spam source. As a result, SpamCop enjoys a good reputation. Unless you are familiar with the email standards it may be counterproductive to edit the header. It is better to not identify a spammer than to falsely identify some (any).

I am not familiar with AquaMail, maybe other users have some experience with that mail app and can help.

The header in your link is "confused." I don't know if this is due to the way you submitted the spam, your mail app or misconfiguration by the spammer.

A cleaner example would be a better place to start.


Thanks LKing,

It's not just me then .... the headers were similar / same on a couple of email programs I viewed them on - all with multiple confusing "received" in the text. Hard to find the end of the crud and the start of the useful information. I've been getting multiple spams (mainly from Trib° in the sender's name) which change frequently, and get around my Virgin mail filters.

I'll find it difficult to find a "cleaner" header from recent emails as they look pretty much like the one I posted above.... but there'll be plenty to choose from daily.

Thanks.

Edited by Boothy99
Typo's

1 hour ago, Boothy99 said:

If it helps ... I'll post a couple more that were labeled "Nothing to do" by SpamCop. They're all definitely spam. 
https://www.spamcop.net/sc?id=z6594999144z96d48fb5c7537a72d947f5564d0a5801z

212.54.57.77 is spamsource abuse[AT]as9143.net
the abuse desk is asleep at wheel seems it's continually reported
https://www.spamcop.net/w3m?action=checkblock&ip=212.54.57.77
Don't know why SpamCop is not picking it up?

Thanks for taking a look petzl,

It's been a number of your posts I'd been reading to try to get to the bottom of this stream of spam from some irritating little twerp(s), thanks.

I'm hoping to get to the bottom of why my forwarded emails are getting nowhere. Would love to get a positive result on these.

I'd just Googled one of the IP addresses that keep turning up in the spam, and found a recent discussion on my ISP Forum - Virgin Media, relating to the same spam here ...

https://community.virginmedia.com/t5/Email/Receiving-old-Emails/td-p/4073300

Notably, the emails all have a date originating with  "26 July". I'll look into this, but simply blocking the spam getting to me personally via a filter, just doesn't quite do it for me. I'd like to get the sender(s) blocked ASAP.


3 hours ago, Boothy99 said:

I'm hoping to get to the bottom of why my forwarded emails are getting nowhere. Would love to get a positive result on these.

Have you tried copy and paste text headers and body manually into SpamCop parser?
 


 

Nope ...got this after copy/paste complete header / leaving a blank line / then pasting the complete contents of the email, as-is.

For Tracking URL https://www.spamcop.net/sc?id=z6595219959z800489aae9b3c8255211f4e5ac6b6d55z

Possible forgery. Supposed receiving system not associated with any of your mailhosts

Will not trust this Received line.

Mailhost configuration problem, identified internal IP as source

Mailhost:
Please correct this situation - register every email address where you receive spam

No source IP address found, cannot proceed.
 
Edited by Boothy99
Corrected grammar

3 hours ago, Boothy99 said:

Nope ...got this after copy/paste complete header / leaving a blank line / then pasting the complete contents of the email, as-is.

For Tracking URL https://www.spamcop.net/sc?id=z6595219959z800489aae9b3c8255211f4e5ac6b6d55z

That is working but you haven't submitted it.
Check with your provider that they are giving you proper headers?
It may be your email app doing this.

Edited by petzl

Sent that one as-is (no email to say it's failed).

Tried the last report I'd sent ... but now get "No data / Too much data. You are most likely submitting a very large email. Please trim... etc". 

This brings up a newbie point that I can't find an exact FAQ for -

... How and where do I edit this unparsed report? I can view entire message from the link beneath the truncated entry - but there's nowhere to crop / cut. Do I need to re-send the report from the original email but use the 2-part reporting web page to separate headers / body, rather than send-by-email reporting?

This report gave the particular brick wall issue ...

https://www.spamcop.net/sc?id=z6595087778z758d665bc9d4ae4d72f881d2e0382a82z

Edited by Boothy99
Typo

14 hours ago, petzl said:

212.54.57.77 is spamsource abuse[AT]as9143.net
the abuse desk is asleep at wheel seems it's continually reported
https://www.spamcop.net/w3m?action=checkblock&ip=212.54.57.77
Don't know why SpamCop is not picking it up?

Hi petzl

Just to clarify what's going on here:

212.54.57.77 isn't a spamming server.  Rather it's one of the inbound servers used by Virgin Media.  AS9143 is Ziggo Internet who are another Liberty Global owned company.  They run email servers in the Netherlands and when Google closed their Apps for ISP service, rather than going with one of the other big mail providers, Virgin Media effectively went in house and shifted their email provision over to Ziggo between July and December 2015.  (shudders at the memory)

Boothy hadn't trained SpamCop to recognise the inbound server chain by using the MailHosts tab and adding his ntlworld.com email address. He's not the only one by all means and as we can see by the thread he has corrected this.


Boothy

I would also make sure that you post the WHOLE email rather than just the headers you think are correct. SpamCop's system does parse the mail and among other things will look for the blank line between the headers and body (as I discussed over on the VM forums earlier).

The easiest way is to go into webmail and then highlight the mail in question and select view source.  Click in the window that pops up and then press

CTRL-A  (select all)
CTRL+C (Copy to clipboard)

This will allow SpamCop to parse the email body for links.

Here's a working example

https://www.spamcop.net/sc?id=z6595387734zd88c2c465869cb155be7423f95f19d0fz

Here's the point at which Virgin Media's server picked up the email from the sender:

2: Received: from turn-girlmaybe.org ([3.112.155.93]) by mx2.tb.ukmail.iss.as9143.net with ESMTP id ZY86iqwyCemITZY8einp1f; Tue, 26 Nov 2019 11:32:09 +0100
Hostname verified: ec2-3-112-155-93.ap-northeast-1.compute.amazonaws.com
blueyonder.co.uk received mail from sending system 3.112.155.93

However, it continues to parse the mail and finds more Received headers. (In this case these particular mails have a particular feature in that the initial send headers appear to have been lifted from a Comcast server.)

3: Received: from dovdir1-asb-05o.email.comcast.net ([96.114.154.181]) 6d7242eb83c1e7a47de48e21c6757765 by dovback1-asb-21o.email.comcast.net with LMTP id 0ICZM+sGO13mPQAADPwQFg for <x>; Fri, 26 Jul 2019 13:58:04 +0000

Hostname verified: resimta-po-34v.sys.comcast.net

Possible forgery. Supposed receiving system not associated with any of your mailhosts

Will not trust this Received line.

This is a peculiar feature of the way SpamCop's parsing system works. However we note that it has picked up the correct sending server previously. So I wouldn't panic that it says possible forgery here.

Tim
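
A simplified sketch of the checks discussed in the post above, added here as an illustration (it is not SpamCop's code and not part of the original post): it confirms the blank line between headers and body, flags header lines broken by word-wrap, and walks the Received chain until it reaches a receiving host that is not a known mailhost. The function names and the `MAILHOSTS` list are assumptions, and only bracketed IPv4 addresses are handled.

```python
import re
from email import message_from_string
from ipaddress import ip_address

# Constructed sample. The two Received lines follow the ones quoted in the
# post above (ids dropped, lines folded); Subject and body are made up.
SAMPLE = (
    "Received: from turn-girlmaybe.org ([3.112.155.93])\n"
    "\tby mx2.tb.ukmail.iss.as9143.net with ESMTP; Tue, 26 Nov 2019 11:32:09 +0100\n"
    "Received: from dovdir1-asb-05o.email.comcast.net ([96.114.154.181])\n"
    "\tby dovback1-asb-21o.email.comcast.net with LMTP; Fri, 26 Jul 2019 13:58:04 +0000\n"
    "Subject: constructed example\n"
    "\n"
    "constructed body\n"
)
MAILHOSTS = ("as9143.net",)  # assumption: domain of the reporter's inbound servers

def split_message(raw):
    """Return (headers, body), or None when no blank line separates them."""
    parts = re.split(r"\r?\n\r?\n", raw, maxsplit=1)
    return tuple(parts) if len(parts) == 2 else None

def broken_header_lines(headers):
    """Lines that are neither 'Name: value' nor an indented continuation:
    what word-wrap leaves behind when it splits a long header (heuristic)."""
    return [ln for ln in headers.splitlines()
            if not re.match(r"[ \t]|[!-9;-~]+:", ln)]

def _is_global(text):
    try:
        return ip_address(text).is_global
    except ValueError:
        return False

def source_ip(raw, mailhosts=MAILHOSTS):
    """Walk Received lines newest-first while the receiving ('by') host is a
    known mailhost; the sender on the last such line is the source (IPv4)."""
    found = None
    for value in message_from_string(raw).get_all("Received", []):
        line = " ".join(value.split())  # unfold the header
        by = re.search(r"\bby\s+([\w.-]+)", line)
        host = by.group(1).lower() if by else ""
        if not any(host == d or host.endswith("." + d) for d in mailhosts):
            break  # receiving system is not ours: do not trust this line
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", line)
        if ip and _is_global(ip.group(1)):
            found = ip.group(1)
    return found
```

With an empty mailhost list the walk stops at the first Received line and returns nothing, which mirrors the "No source IP address found" outcome when no mailhosts are registered.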


Good to see you over here ravenstar68 !

Thanks for your explanation, and pointing out to ignore "Will not trust this Received line". I'd not continued sending any with that message on the report. Lesson learned. 👍

I'll try your version of extracting from webmail - highlight /CTRL-A  (select all) / CTRL+C (Copy to clipboard) 

Cheers

 

Edited by Boothy99
Typo

1 hour ago, ravenstar68 said:

it does not actually send anything off to the Amazon reporting address. 

Does anyone know why this is?

As discussed in several places there are three general reasons SpamCop sends reports to @devnull.spamcop.net

  • The abuse address has bounced 3(?) past spam reports
  • SpamCop knows that the spam reports sent to the ISP are passed to the spammer
  • The "abuse address" has asked SpamCop not to send reports

Keeping in mind that sending reports is the top priority.  Looking at the Statistics Tab I see that 3-8 spam/second are processed to identify the sending IP


On 11/26/2019 at 10:29 AM, petzl said:

It looks to me your email app is not separating the headers from the body?

Yes petzl ... when I look at recent reports and view the complete header - I also see when there's a (very) long string of probably garbage text, then a semi colon ... my copied text forces a space / line break (I think). I'll try pasting it into a text file and edit away those spaces, then TRY to find the beginning of the mail body and leave a space just above that. Hope that's right?

This one -

https://www.spamcop.net/sc?id=z6595709111z16c9042e25c923770d15e71286a871d2z

......has line breaks all over the place lower down, and stops sending as "too large", "nothing to do" etc.

If anyone 😉 would like to view the example in the above URL, edit a copy of the complete report, (with an obvious separating line / message, where it ought to be separated & sent - if necessary - into the 2-box reporting area?) and send it back to me as a message, I might get to learn what I need to do with all the other "too large" reports I've recently sent in.

Thanks again 👌👍

 

Edited by Boothy99
Added text

Success ... I think.

I changed my method for the type of incoming spam that always failed to be processed (where other spam reports succeed) - commonly coming in from "headlines @ Trib•••" 

Just found that on webmail for Virgin, I can save email as a file (.eml). Send as attachment, and it appears to get processed successfully. At last. So, no copying & pasting (which appears to get lengthy headers scrambled using my email app) for at least these & probably any other styles of crud-mail.


4 hours ago, Boothy99 said:

Success ... I think.
Just found that on webmail for Virgin, I can save email as a file (.eml). Send as attachment, and it appears to get processed successfully. At last. So, no copying & pasting (which appears to get lengthy headers scrambled using my email app) for at least these & probably any other styles of crud-mail.

That's the easiest,
You should be able to open a *.eml file with "Notepad" or text viewer


Yeh, I took a look at the .eml with a text reader. If I copy and paste from the opened headers, then line-wrap or word-wrap seems to get used and breaks up the long lines of garbage the scum-spammer has inserted (....kcfrsxkiugdsetujhfedfjiu...), which upsets SpamCop no end 😕

Recent example that does now get processed after sending .eml....

https://www.spamcop.net/sc?id=z6596879593zbf4fdf5a105382e3c3e542f528681ab6z

Save-as .eml leaves everything intact. Obviously I'll use this method from now on. Much easier to simply send in .eml as attachment without even forwarding using the original spam.

Edited by Boothy99
Typo

Well .... I do believe the reporting has worked (for now), unless there's a very strange coincidence going on. I've managed to send in all of up to 20+ spams a day recently, then suddenly ..received the very last one at 4am Friday. Not a single one getting to my email provider. I don't suppose it'll last too long, but THANK YOU SpamCop !!!!

By the way - it's Boothy99 here. I changed my email address for original account, but after repeated attempts at asking to re-send the confirmation email for me to click on, I've not received anything (checked every folder in Gmail including spam - nothing). Not received a reply from an administrator as yet after clicking the contact button. 
