flagginator

Where did this report go?

If one were to believe that isaack_meyeruy <a> afb1.ssc.edinburgh.ac.uk was a valid e-mail address that might have been connected with this e-mail, then the SpamCop parser would also have included a suggested target of:

129.215.13.3 is an mx ( 7 ) for afb1.ssc.edinburgh.ac.uk

host 129.215.13.3 (getting name) = renko.ucs.ed.ac.uk.

129.215.13.3 is an mx ( 7 ) for afb1.ssc.edinburgh.ac.uk

Cached whois for 129.215.13.3 : abuse[at]ed.ac.uk

Using abuse net on abuse[at]ed.ac.uk

abuse net ed.ac.uk = abuse[at]ed.ac.uk

Using best contacts abuse[at]ed.ac.uk

However, the parser doesn't bother with all of that, as the only Received: line starts the bogus stuff long before this address shows up.

Received: from aol.com (4.27.161.145:4062) by xmailserver.test with ....

aol.com does not coincide with the IP address 'offered'

The fact that there is an additional Port number associated with the IP address is another sign that this isn't your "normal" e-mail ....

The rest of the decision process is seen in the parse .. thinking that even if you didn't have the "show Technical details" flag set .. you'd see at least some of the result ..???

What is it that you were figuring should have happened?

OK, did the next check, looked at the "whole" spam .. maybe your question dealt with the URL in the body? .... That issue would be addressed by having to ask a question or two ... how did you "handle" this spam for submittal, perhaps the tools might come in to play ...

the Header lines and the body content don't match. The body 'content' as shown in your submittal is not in Base-64 encoding.

Content-Type: text/plain

Content-Transfer-Encoding: base64

European Vic0din, Viagra, Cialas, Valium..Available 0nline

N0 Prescription Needed..Discreet 3-5 day UPS shipping!

---> http://vkv3v61bcb.warehousemed5.net/bam/?man=d1scounted

So from this side of the screen, it could either be the spammer playing games so that it can't be parsed, or you copied the body contents in from a "displayed / rendered" screen such that the Base-64 crap had already been decoded ... can't tell from here ....

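The two signals the post above reads out of the single Received: line (the HELO name not matching the connecting address, and a source port tacked onto the IP) can be checked mechanically. The following is an added example, not code from the thread or from SpamCop; the Received: line is a constructed copy of the one quoted above, and the reverse-DNS table is a hypothetical stand-in for a real PTR lookup so the script runs offline and makes no claim about who actually owns 4.27.161.145.

```python
import re
from ipaddress import ip_address

# Constructed sample, modelled on the Received: line quoted in the post above.
SAMPLE_RECEIVED = (
    "Received: from aol.com (4.27.161.145:4062) by xmailserver.test with SMTP"
)

# Hypothetical reverse-DNS table standing in for a PTR lookup (assumption:
# these names are invented so the check runs offline).
FAKE_PTR = {
    "4.27.161.145": "adsl-4-27-161-145.example-isp.net",
    "198.51.100.7": "mail.example.com",
}

# from <helo> (<ipv4>[:<port>]) by <host> ... ; the port group is optional.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+"
    r"\((?P<addr>[\d.]+)(?::(?P<port>\d+))?\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def domain_of(name):
    """Crude registered-domain guess: the last two DNS labels."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_received(line):
    """Return the HELO name, connecting address, optional port and receiving
    host from a Received: line, or None if the line does not fit the pattern."""
    m = RECEIVED_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    ip_address(fields["addr"])  # rejects junk such as 999.1.1.1 with ValueError
    return fields


def assess(line, ptr=FAKE_PTR):
    """List the reasons a Received: line looks forged or unusual, in the
    spirit of the checks described in the post. An empty list means no flags."""
    parsed = parse_received(line)
    if parsed is None:
        return ["unparseable Received: line"]
    flags = []
    helo = parsed["helo"].lower()
    rdns = ptr.get(parsed["addr"])
    if rdns is None:
        flags.append("no reverse DNS for %s" % parsed["addr"])
    elif not rdns.lower().endswith(helo) and domain_of(rdns) != domain_of(helo):
        # The name the client announced in HELO is not the name the address
        # resolves back to: "aol.com does not coincide with the IP address".
        flags.append("HELO %s does not match reverse DNS %s" % (helo, rdns))
    if parsed["port"]:
        # A source port inside the parentheses is the extra detail the post
        # points at; treat it as a weak signal, since some MTAs do record it.
        flags.append("source port %s recorded in Received: line" % parsed["port"])
    return flags


if __name__ == "__main__":
    for reason in assess(SAMPLE_RECEIVED):
        print("flag:", reason)
```

The HELO-versus-PTR comparison is deliberately loose (same registered domain is accepted) because legitimate mail hosts rarely announce exactly their PTR name; what matters is that a HELO of a large provider's bare domain from an address that resolves elsewhere is the pattern the parser distrusts.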

What is Spamcop.net Level 3 reporting?

Submission was rendered from a View Source and View Options of an HTML email.


> What is Spamcop.net Level 3 reporting?
>
> Submission was rendered from a View Source and View Options of an HTML email.

Level3 is a major backbone provider (www.level3.net). They use a private reporting address for spamcop reports and that's why you don't see the address and only see the Level3 reporting message.


> What is Spamcop.net Level 3 reporting?

This is like the third or fourth time you've asked this question. It's been explained every time you ask it.

> Submission was rendered from a View Source and View Options of an HTML email.

And therein lies the problem with that spam submittal. You are not providing the "actual" and "full" e-mail ... For an example, I've recently done up a thing over in the new "How to use ..." Forum ... take a look at the entry under Reporting, titled along the lines of 'secure handling of e-mail' .... the difference between the "rendered HTML displayed" and what the e-mail really looks like was a case study..


Issue 1: I provided a tracking URL this time so I can finally get an answer. No, I don't have the answer, and you failed again to provide an answer...and I was expecting this reply from you...so you did not disappoint :)

Issue 2: When you look at an HTML email, what's in front of the HTML curtain is not important. Case in point: eBay and PayPal phishing emails. The curtain looks like an official PayPal or eBay communication. But when you look behind the curtain, you see the HTML that is important from a spamming point of view. The way to see the HTML is to VIEW SOURCE.

For HTML emails I either forward them by attachment, or I do a View/Options to get the headers, then do a View Source to get the HTML. I paste the header into the view source and then it's ready for submission.

This procedure should give a full and accurate rendering for Spamcop.net to parse.


Wazoo:

OK I read your post and found it confusing but I think I'm with you.

Straight forwarding of emails to spamcop won't be entirely helpful to the spamcop.net parser.

The preferred way to submit emails is by ATTACHMENT. That way the spamcop.net parser gets the whole message and it's in a format where it can parse any headers and/or HTML.

Sometimes when I'm unable to forward by attachment, I use an alternative method for submitting HTML emails as follows:

1. Open email.

2. In Outlook click on View --> Options --> Internet Headers --> Right-click --> Select All --> Right-click --> Copy

3. Right-click on blank portion of email body --> View Source.

4. Ctrl+V in View Source notepad to paste email header into View Source notepad.

5. Ctrl+A to select all.

6. Open http://www.spamcop.net

7. Paste (ctrl+v) into reporting Window.

8. Report Now.

That sends an ACCURATE and helpful copy of the email to spamcop.net


Level3 ... answers from several folks, to include Deputy Ellen, found at http://forum.spamcop.net/forums/index.php?showtopic=2516 ... I still don't see why you see all these repeated answers as non-answers ...????

It is true, the "How to use ..." stuff thus far has been targeted to OE6 ... Outlook is on the way, but there are so many other surrounding issues involved with that ... user at home on their own system, connected directly to the 'net' is one circumstance .. but also needing to be addressed is the person at work that has their Outlook configured to go through the corporate server (usually an Exchange based thing) and the actual set-up, display, details, header data are actually all manipulated, changed, deleted, dropped, etc. based on what configuration settings had been made at/on the server in addition to what Outlook itself does to an e-mail. Dang hard to write a walk-through based on all those unknown conditions.

Yes, your sequence is good for some. But then would note, as you mentioned, the difference between "those that would forward and parse" and "those that won't" has to be recognized, (and even that being caveated by some that were sent wrongly but the parser didn't belch accordingly) ... somehow explained for those that don't want to know anything about headers and e-mail constructs. (and in the same mode of my using OE6 as the starting point for what's there now, there are a number of versions of Outlook out there still in use, and they all have different capabilities, some built-in tools differ, some things can be worked around by hacking at the Registry, on and on ....)

> That sends an ACCURATE and helpful copy of the email to spamcop.net

Except in this case because the message said it was in Base64 and the message you pasted was NOT. That makes the message not RFC compliant, and therefore it will not parse the body.

There was once upon a time the allowance to modify that header but I am not sure the current status of that "hack".

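The failure described in the reply above (a header that announces Content-Transfer-Encoding: base64 over a body that is already decoded text) is easy to reproduce and to test for before submitting. This is an added example, not code from the thread or from SpamCop: the MISMATCHED message below is constructed from the header and body lines quoted earlier in the thread, with invented example.invalid addresses, and `check_body_against_cte` is a hypothetical helper name. It also shows what a compliant base64 body looks like, so the two can be compared.

```python
import base64
import binascii
import re
from email import message_from_string

# Constructed sample modelled on the submission discussed above: the headers
# promise base64, but the body is the rendered plain text that was pasted in.
MISMATCHED = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed sample
Content-Type: text/plain
Content-Transfer-Encoding: base64

European Vic0din, Viagra, Cialas, Valium..Available 0nline
N0 Prescription Needed..Discreet 3-5 day UPS shipping!
---> http://example.invalid/bam/?man=d1scounted
"""


def make_base64_message(body_text):
    """Build a message whose body really is base64, as a compliant MUA would
    have sent it (assumption: invented example.invalid addresses)."""
    encoded = base64.encodebytes(body_text.encode("utf-8")).decode("ascii")
    return (
        "From: sender@example.invalid\n"
        "To: recipient@example.invalid\n"
        "Subject: constructed compliant sample\n"
        "Content-Type: text/plain; charset=utf-8\n"
        "Content-Transfer-Encoding: base64\n"
        "\n" + encoded
    )


def check_body_against_cte(raw):
    """Return (ok, detail). ok is False when the declared
    Content-Transfer-Encoding is base64 but the body is not valid base64;
    otherwise detail holds the decoded body text."""
    msg = message_from_string(raw)
    cte = (msg.get("Content-Transfer-Encoding") or "7bit").strip().lower()
    payload = msg.get_payload(decode=False)
    if cte != "base64":
        # 7bit / 8bit / quoted-printable are outside the scope of this check.
        return True, payload
    # RFC 2045 base64 may be wrapped at 76 columns, so strip line breaks first,
    # then decode strictly: validate=True rejects any non-alphabet character
    # and bad padding instead of silently discarding it.
    compact = re.sub(r"\s+", "", payload)
    try:
        decoded = base64.b64decode(compact, validate=True)
    except binascii.Error as exc:
        return False, "declared base64 but body is not base64: %s" % exc
    return True, decoded.decode("utf-8", "replace")


if __name__ == "__main__":
    for label, raw in (("pasted", MISMATCHED), ("compliant", make_base64_message("hello\n"))):
        ok, detail = check_body_against_cte(raw)
        print(label, "->", "OK" if ok else "MISMATCH", "|", detail.strip()[:60])
```

Note the strict decode matters: `msg.get_payload(decode=True)` from the standard library is lenient and will hand back garbage bytes for the pasted text rather than raising, which is the same silent failure a submitter hits when the parser cannot make sense of the body.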

Has anyone noticed that YesNic's whois server has been down all day, so the DNS servers' domain doesn't resolve properly (i.e. platalcia456.com). Also, the domain WAREHOUSEMED5.NET, while still functional (damn planetdomain), has already been suspended for abuse.

% nslookup -type=any platalcia456.com

Server: 127.0.0.1

Address: 127.0.0.1#53

** server can't find platalcia456.com: NXDOMAIN

% jwhois warehousemed5.net

[Querying whois.internic.net]

[Redirected to whois.planetdomain.com]

[Querying whois.planetdomain.com]

[whois.planetdomain.com]

The data contained in the database of Primus Telecommunications Pty Ltd

(PlanetDomain/PrimusDomain) is made available to assist persons in

obtaining information pertaining to the domain name registration

record. No guarantee of accuracy is offered or given. By submitting a

search request you agree to use the data for lawful purposes, and also

agree NOT to

1) use the data to allow, enable, or otherwise support any marketing

activities, regardless of the medium used. Such media includes but is

not limited to e-mail, telephone, facsimile, postal mail, SMS, and

wireless alerts.

2) sell or redistribute the data except insofar as it has been

incorporated by yourself into a value-added product or service that does

not permit the extraction of a substantial portion of the bulk data from

the value-added product or service for use by other parties.

Primus Telecommunications Pty Ltd (PlanetDomain/PrimusDomain) reserves

the right to forbid access to any party who abuses the terms and

conditions herein or who is deemed to have queried the database

excessively, and to change these terms and conditions at any time.

Domain Name: WAREHOUSEMED5.NET

Reseller..............: #1 Cheap Domains

Created on............: 29 Jan 2005 00:00:00 EST

Expires on............: 28 Jan 2006 00:00:00 EST

Record last updated on: 29 Jan 2005 00:00:00 EST

Status................: ACTIVE

Owner, Administrative Contact, Technical Contact, Billing Contact:

W.W.W marketing INc.

Carolas Espinosa (ID00160914)

1273 hudson st.

ny, ny 10011

United States

Phone: +1.2128653566

Email: account_frozen_spammer[at]planetdomain.com

Domain servers in listed order:

NS1.PLATALCIA456.COM

NS2.PLATALCIA456.COM

nslookup -type=any warehousemed5.net

Server: 127.0.0.1

Address: 127.0.0.1#53

Non-authoritative answer:

warehousemed5.net nameserver = ns1.platalcia456.com.

warehousemed5.net nameserver = ns2.platalcia456.com.

Authoritative answers can be found from:

warehousemed5.net nameserver = ns2.platalcia456.com.

warehousemed5.net nameserver = ns1.platalcia456.com.

% nslookup -type=any warehousemed5.net ns1.platalcia456.com.

nslookup: couldn't get address for 'ns1.platalcia456.com.': not found

% nslookup -type=any warehousemed5.net ns2.platalcia456.com.

nslookup: couldn't get address for 'ns2.platalcia456.com.': not found
