Jump to content
klappa

Something wrong with Outlook reporting

Recommended Posts

I have two different e-mails one is Outlook the other one is Gmail. Every time i get a spam on my Outlook e-mail it in almost all cases reports directly to report_spam@hotmail.com. However sometimes i get the same spam on my Gmail e-mail (the spammer supposedly have both of my e-mail addresses.). But the Gmail one reports to the correct spam contacts wherever the Outlook always reports to the hotmail abuse address which it shouldn't do except the spammer send me spam from one using one of Microsofts services? Only in a few instances does Spamcop report to the right abuse contacts when using Outlook, i have no idea why it works in those cases but oh well.

Why does it do this? If i recollect rightly this haven't always been the case and it always used to send to the correct instances or abuse contacts.

Here's two Spamcop reports, first one from Outlook and the other one from the Gmail e-mail.

https://www.spamcop.net/sc?id=z6499645284z69efc272a2d2f2b47876f5ca99aa42ddz

https://www.spamcop.net/sc?id=z6499643222z25c6ac08119c343450665e089fa8cf61z

Since Gmail doesn't work with Spamcop without breaking i had to convert the 6to4 address to an ipv4-address. It's a bad joke which Spamcop haven't correted for years now but i leave that for another time.

It just shows that it is meaningless to report spam using Outlook since Spamcop can't handle them properly. At least Outlook is using a proper IPV6 address than a 6to4 private address like Gmail does but it doesn't help Spamcop parsing them properly to the right abuse contacts using Outlook either way.

Something is broken.

Edited by klappa

Share this post


Link to post
Share on other sites

from the tracking URLs (thanks for those BTW) it does not appear that you have mail hosts setup.  Once I setup mailhosts, my hotmail.com reporting shows as properly and does get reported to the spammer.

https://www.spamcop.net/fom-serve/cache/397.html

Once you setup mail hosts, previously submited spams will show the correct IP addrress.  The hard part is getting all your emails setup with mailhosts.  How mailhosts works, is it attempts to track all the handoffs from the ISP border server to the internal servers.  This means it will not try to report internal servers as admins moving from IPv4 NAT (who were erroneously told that IPv6 does not support NAT) used public IPs for their private servers.  Mailhosts will properly assign that blame to the edge of your email provider's network.

Share this post


Link to post
Share on other sites
On 11/15/2018 at 3:24 PM, gnarlymarley said:

from the tracking URLs (thanks for those BTW) it does not appear that you have mail hosts setup.  Once I setup mailhosts, my hotmail.com reporting shows as properly and does get reported to the spammer.

https://www.spamcop.net/fom-serve/cache/397.html

 Once you setup mail hosts, previously submited spams will show the correct IP addrress.  The hard part is getting all your emails setup with mailhosts.  How mailhosts works, is it attempts to track all the handoffs from the ISP border server to the internal servers.  This means it will not try to report internal servers as admins moving from IPv4 NAT (who were erroneously told that IPv6 does not support NAT) used public IPs for their private servers.  Mailhosts will properly assign that blame to the edge of your email provider's network.

Thank you for the explanation but i only use one e-mail. I do have my Hotmail mailhost setup correctly. Don't quite understand what you mean but the problem i have is that the mailhost didn't properly assign that blame to the edge as you said. I did the mailhost verification again and reported a new spam mail. It doesn't seem to work still. As the original sender is sent from somewhere in Bosnia. It could be fake though.

https://www.spamcop.net/sc?id=z6501940819zcc4d6ab64a99582789746cbfa88ebe99z

 

Share this post


Link to post
Share on other sites

Klappa, I don't think your problems are unique to you.  With both gmail and Outlook you have created almost a "perfect storm" apposing reporting of spam.

Have you looked at the other threads about handling the IPV6 issues?  They do include suggestions for handling the headers before reporting.

It would be nice if SpamCop could handle the IPV6 problem "today" but it was reported in an other thread that the conversion process opened a security vulnerability that is currently being work.  I have no clue about timing for resolution.

Share this post


Link to post
Share on other sites
41 minutes ago, Lking said:

It would be nice if SpamCop could handle the IPV6 problem

SpamCop does handle IPV6?
I don't use a Hotmail/Outlook account but read where Microsoft pointyheads obscure the source, pointing abuse back to them which should work with their "superdooper " ARC nonsense. Relying on their own lazy abuse department (the object is to obscure source IP)
https://www.spamcop.net/sc?id=z6501740491z127c9ce8f5531c397f9a64f4aa786df9z

Edited by petzl

Share this post


Link to post
Share on other sites
6 hours ago, Lking said:

Yes petzl, I miss spoke.

I do not believe you mis-spoke. It is an IPv6 problem.
SpamCop doesn't resolve the 6to4 private addresses, which are in IPv6 format, and that qualifies as an "IPv6 problem" that we all wish SpamCop would be able to handle "today"

Share this post


Link to post
Share on other sites
1 hour ago, RobiBue said:

I do not believe you mis-spoke. It is an IPv6 problem.

There was a time when SC did not handle any IPv6 IPs.  Now they do handle IPv6 IPs that are correctly applied.  As petzl stated:

 

9 hours ago, petzl said:

{Microsoft} obscure the source, pointing abuse back to them which should work with their "superdooper " ARC nonsense.

Which leads back to same old problem, SC can't be expected (at least by me) to maintain a parser that handles ever ISP and spammer variant of the standards whether implemented intentionally to obscure or through incorrect used of the the system.

Share this post


Link to post
Share on other sites

From what I understand, when Julian Haight designed SpamCop, it looked at every possible correctly chained IP address, where it was sent from, and who received it, making sure that spoofed headers would not confuse the chain. If he were still running this system, he would have correctly implemented the 6to4 IPv6 checks, which apparently Cisco/Talos has no intention to do. For them to claim the implementation would cause a security vulnerability is pure BS in my not so humble opinion. It just shows, that their programmers are not as good as one would expect from a company of such security weight.

It's an email header parser/analyzer for heavens' sake. And it's broken (on the IPv6 6to4 address side at least.)

Share this post


Link to post
Share on other sites
21 hours ago, RobiBue said:

From what I understand, when Julian Haight designed SpamCop, it looked at every possible correctly chained IP address, where it was sent from, and who received it, making sure that spoofed headers would not confuse the chain. If he were still running this system, he would have correctly implemented the 6to4 IPv6 checks, which apparently Cisco/Talos has no intention to do. For them to claim the implementation would cause a security vulnerability is pure BS in my not so humble opinion. It just shows, that their programmers are not as good as one would expect from a company of such security weight.

It's an email header parser/analyzer for heavens' sake. And it's broken (on the IPv6 6to4 address side at least.)

Then what is the point using Spamcop when it's not even compatible with the two biggest e-mail webhosts today? Mailing the Spamcop devs doesn't fix the problem either. Cisco just doesn't care about Spamcop anymore.

I give up!

Edited by klappa

Share this post


Link to post
Share on other sites

petzl ( I always go to type pretzel!😁et all - not sure if this information will be of any use..., a SC admin advised:

" A couple of years ago Hotmail had to give up two /16 networks they were
using (33,554,432 IP addresses) as they were not assigned to them.
Microsoft had to quickly reconfigure their network and used IPv6 to do so.
Unfortunately when doing so, they did not do it carefully and make sure
they had full name resolution through out the network, where the forward
and reverse dns on each server matches.  This means we can't trust their
headers and will often take them as the source of the spam.
All is not lost though, as Hotmail's parsing engines when they receive
the report does pass through the report to the right party.  It also
helps Hotmail block new spam from that source.
Microsoft is working on resolving the issue, but it is a couple of
hundred thousand servers.  They have told us though the fix is measured
in years, not weeks or months."

On that basis I continue to to always "send" any parsed results that are directed to MSOL, if only to "let them know they have work to do.

On  a completely separate subject & everybody probably knows this, but, for newbies like me, I found adding my email address to [https://www.spamcop.net/mcgi?action=prefmenu] > Preferences > Personal copies of outgoing reports, has saved me mega work, I was always forgetting to take note of TRACKING URL, which made life difficult when I needed to submit an issue to the SCF. Now I get all SC reports, any followup is a breeze.

Since starting using SC, spam has gone from 10/20 daily to 1 o 2 every other day...

image.png.aee0879eb3491aa0d117056acc30a9f7.pngSC


 

Share this post


Link to post
Share on other sites

All one has to do is go to you SpamCop account put a IPV6 number in report box press "submit spam" and SpamCop will give a abuse address for it.

Share this post


Link to post
Share on other sites
11 hours ago, klappa said:

Then what is the point using Spamcop when it's not even compatible with the two biggest e-mail webhosts today? Mailing the Spamcop devs doesn't fix the problem either. Cisco just doesn't care about Spamcop anymore.

 

I use hotmail and I do not see any problems with spamcop, if I strip off the top broken piece.

Share this post


Link to post
Share on other sites

Thanks Petzl! You've given me another thing to test out, now I just have to wait till I get some spam - never thought I'd be saying that!

Share this post


Link to post
Share on other sites

Hey Petzl, decided to use some existing scummy spam:

2603:10a6:6:43::31 is not a hostname
Routing details for 2603:10a6:6:43::31
[refresh/show] Cached whois for 2603:10a6:6:43::31 : abuse@microsoft.com
abuse@hotmail.com redirects to report_spam@hotmail.com
Using best contacts report_spam@hotmail.com

Parsing input: 2603:10a6:6:2b::19

2603:10a6:6:2b::19 is not a hostname
Routing details for 2603:10a6:6:2b::19
[refresh/show] Cached whois for 2603:10a6:6:2b::19 : abuse@microsoft.com
abuse@hotmail.com redirects to report_spam@hotmail.com
Using best contacts report_spam@hotmail.com

(Which we already know & we know why MS is so stuffed up with the whole spam issue, & we use the "eliminate 1st "Received: etc..") I've checked another 15 spam emails, none seem to have more than 1 IPV6  - am I using the wrong info?
 

Share this post


Link to post
Share on other sites
1 hour ago, MIG said:

2603:10a6:6:2b::19 is not a hostname
Routing details for 2603:10a6:6:2b::19
[refresh/show] Cached whois for 2603:10a6:6:2b::19 : abuse@microsoft.com
abuse@hotmail.com redirects to report_spam@hotmail.com
Using best contacts report_spam@hotmail.com

That's who it belongs to. Abuse should not need detailed info. They can work it out and sort it out (theoretically) and block offending IP's from ever sending to hotmail! Gmail the same. This is a big real weapon against spammers/rouge networks that ignore abuse reports. SendSafe/CisCo just delete emails no spamtrap nothing and from what I have seen works perfectly.

Share this post


Link to post
Share on other sites
On 11/24/2018 at 1:13 AM, gnarlymarley said:

I use hotmail and I do not see any problems with spamcop, if I strip off the top broken piece.

But if you have to do that it's broken. Spamcop doesn't work with any IPV6 addresses. Only in a very few instances i got it to work with Outlook never with Gmail.

So you're telling me i have to remove the top most Recieve line header to get Spamcop to parse the email spam right? Just like with Gmail?

Edited by klappa

Share this post


Link to post
Share on other sites
18 minutes ago, klappa said:

Spamcop doesn't work with any IPV6 addresses.

It does but won't report on a IPV6 internal network address. SpamCop won't do this with a IP4 address either
For IPV6 look-ups use

Edited by petzl

Share this post


Link to post
Share on other sites
3 minutes ago, petzl said:

It does but won't report on a IPV6 internal network address. SpamCop won't do this with a IP4 address either
For IPV6 look-ups use

But then again i have to refer to my original question. Why does all my spam from my Outlook e-mail report to Microsoft when parsing it with Spamcop?

Edited by klappa

Share this post


Link to post
Share on other sites
1 minute ago, klappa said:

But then again i have to refer to my original question. Why does all my spam from my Outlook e-mail report to Microsoft when parsing it with Spamcop?

Just send email to whatever the abuse address is for your email provider forward as attachment.

Share this post


Link to post
Share on other sites

It's a known issue. Some remove the "broken" ipv6 Received header. In the interests of preserving all the information available, I submit the spam manually, editing it read X-Received. A similar approach is sometimes helpful with emails arriving at Gmail accounts

Share this post


Link to post
Share on other sites

 Hello klappa - re [Why does all my spam from my Outlook e-mail report to Microsoft when parsing it with Spamcop?]

I've had the following explained to me:

Quote "A couple of years ago Hotmail had to give up two /16 networks they were 
using (33,554,432 IP addresses) as they were not assigned to them. 
Microsoft had to quickly reconfigure their network and used IPv6 to do so.

Unfortunately when doing so, they did not do it carefully and make sure 
they had full name resolution through out the network, where the forward 
and reverse dns on each server matches.  This means we can't trust their 
headers and will often take them as the source of the spam.

All is not lost though, as Hotmail's parsing engines when they receive 
the report does pass through the report to the right party.  It also 
helps Hotmail block new spam from that source.

Microsoft is working on resolving the issue, but it is a couple of 
hundred thousand servers.  They have told us though the fix is measured 
in years, not weeks or months." Unquote

This information allowed me to get my head around why the repetitive "report_spam@hotmail.com" was happening. And, to get a more accurate & true report from SpamCop I implemented ( as other SCF members have recommended, & I think the SC help doco also, suggests this method) Remove the first [Received: from blah-blah-blah.prod.protection.outlook.com (2603:xxc6:xx0:xx::36) before submitting to SC for parsing.

Re [But if you have to do that it's (SC) broken]

Technically, this is my opinion, SC is not broken, given the MS/Outlook/Hotmail Ipv4/Ipv6 mess, I think it's more that MS/OL/HM is broken & there's no point SC fixing their service to accommodate the mess.

Also, there's lots of broken things in this world, however, they still work to some degree, that being the case, are better than nothing.

I know for myself, after 15 years of faithfully marking all HM phishing emails as [block] & or [phishing] and not seeing any reduction in the emails, in fact, sometimes there was an substantial increase, to the point where I thought someone on the MS/OL/HM inside was a spammer or was facilitating spammers; a month ago, I found SpamCop, started using it and now, hand on heart, today was the first time in 7 days a spam email was received.

So for me, using SC & using the workaround, removing the first "received" line is a small price to pay. 


 

Edited by MIG
added quote - unquote

Share this post


Link to post
Share on other sites
On 11/29/2018 at 2:15 AM, petzl said:

Just send email to whatever the abuse address is for your email provider forward as attachment.

What are you talking about? I don't think you understand my initial question. It always sends to report_spam at hotmail dot com no matter what.

On 11/29/2018 at 4:53 AM, lisati said:

It's a known issue. Some remove the "broken" ipv6 Received header. In the interests of preserving all the information available, I submit the spam manually, editing it read X-Received. A similar approach is sometimes helpful with emails arriving at Gmail accounts

Editing it how? Changing it Receive line to X-Received? For Gmail i just delete the Receive line and Spamcop can parse it otherwise it can't.

23 hours ago, MIG said:

 Hello klappa - re [Why does all my spam from my Outlook e-mail report to Microsoft when parsing it with Spamcop?]

I've had the following explained to me:

Quote "A couple of years ago Hotmail had to give up two /16 networks they were 
using (33,554,432 IP addresses) as they were not assigned to them. 
Microsoft had to quickly reconfigure their network and used IPv6 to do so.

Unfortunately when doing so, they did not do it carefully and make sure 
they had full name resolution through out the network, where the forward 
and reverse dns on each server matches.  This means we can't trust their 
headers and will often take them as the source of the spam.

All is not lost though, as Hotmail's parsing engines when they receive 
the report does pass through the report to the right party.  It also 
helps Hotmail block new spam from that source.

Microsoft is working on resolving the issue, but it is a couple of 
hundred thousand servers.  They have told us though the fix is measured 
in years, not weeks or months." Unquote

This information allowed me to get my head around why the repetitive "report_spam@hotmail.com" was happening. And, to get a more accurate & true report from SpamCop I implemented ( as other SCF members have recommended, & I think the SC help doco also, suggests this method) Remove the first [Received: from blah-blah-blah.prod.protection.outlook.com (2603:xxc6:xx0:xx::36) before submitting to SC for parsing.

Re [But if you have to do that it's (SC) broken]

Technically, this is my opinion, SC is not broken, given the MS/Outlook/Hotmail Ipv4/Ipv6 mess, I think it's more that MS/OL/HM is broken & there's no point SC fixing their service to accommodate the mess.

Also, there's lots of broken things in this world, however, they still work to some degree, that being the case, are better than nothing.

I know for myself, after 15 years of faithfully marking all HM phishing emails as [block] & or [phishing] and not seeing any reduction in the emails, in fact, sometimes there was an substantial increase, to the point where I thought someone on the MS/OL/HM inside was a spammer or was facilitating spammers; a month ago, I found SpamCop, started using it and now, hand on heart, today was the first time in 7 days a spam email was received.

So for me, using SC & using the workaround, removing the first "received" line is a small price to pay. 


 

Thanks! But no matter how many spam i report to Microsoft directly nothing happens. Send the spam reports to Microsoft is like sending them into a void. You never know for certain they'll care or even do something about it so I don't trust them with any spam-reports unless the spammer is sending from their servers directly.

Edited by klappa

Share this post


Link to post
Share on other sites

Hey klappa, I absolutely agree , I  may not have communicated clearly, my experience prior to using SC, years using MS "mark as junk, phishing spam & or blocking" resulted in an increase in spam😬 >> Stumbled upon SC, started using, almost every parsed report resulted in: Report to: abuseATmicrosoft.com🤬, (sorry I previously said abuseAThotmail.com)  until the "Quote ... Unquote" process was explained, I refined my submissions, ever since I get "truer" (is that even a word?) results..

If I use your original https://www.spamcop.net/sc?id=z6499645284z69efc272a2d2f2b47876f5ca99aa42ddz & don't remove the first "Received: from DM3NAM03HT165.eop-NAM03.prod.protection.outlook.com.... etc, etc....+0000" I get "Report to: "abuseATmicrosoft.com", however, removing 1st "Received: from..." results in Report to: mail-abuseATcert.br & abuseATlocaweb.com.br

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×