nh905 Posted April 13, 2019

I am getting a growing amount of spam that Spamcop does not appear to be able to process. Here is an example:

Return-Path: <bounce@facebook.com>
Delivered-To: nxxxxxx-sinet:ca-x
X-Envelope-To: x
Received: from nxxxxxx.mail.pairserver.com [216.146.195.93] by aws.sinet.ca with IMAP (fetchmail-6.3.17) for <x> (single-drop); Fri, 12 Apr 2019 19:10:05 -0400 (EDT)
Received: (qmail 55752 invoked from network); 12 Apr 2019 10:53:51 -0000
Received: from localhost (HELO mta.mail1.g20.pair.com) (127.0.0.1) by localhost with ESMTPS (DHE-RSA-AES256-GCM-SHA384 encrypted); 12 Apr 2019 10:53:51 -0000
Received: from localhost (localhost [127.0.0.1]) by mta.mail1.g20.pair.com (Postfix) with SMTP id 64B5CB816D for <x>; Fri, 12 Apr 2019 04:53:51 -0600 (MDT)
X-Virus-Check-By: mail1.g20.pair.com
Received: from localhost (localhost [127.0.0.1]) by mta.mail1.g20.pair.com (Postfix) with SMTP id E5FB9B8167 for <x>; Fri, 12 Apr 2019 04:53:50 -0600 (MDT)
Received-SPF: fail (facebook.com ... _spf.facebook.com: Sender is not authorized by default to use 'bounce@facebook.com' in 'mfrom' identity (mechanism '-all' matched)) receiver=mail1.g20.pair.com; identity=mailfrom; envelope-from="bounce@facebook.com"; helo=mx-out.facebook.com; client-ip=85.119.146.106
Received: from mx-out.facebook.com (unknown [85.119.146.106]) by mta.mail1.g20.pair.com (Postfix) with ESMTP for <x>; Fri, 12 Apr 2019 04:53:49 -0600 (MDT)
Received: from localhost (127.0.0.1) by .tFPOSZzTeEdkt6@facebook.com id FlkmbeavpeML for <x>; Fri, 12 Apr 2019 10:34:40 +0200 (envelope-from <contact@facebook.com>)
From: Loblaw Companies Limited <CADB@facebook.com>
Content-Type: text/html
References: x
Message-ID: <Flkm____________________QAeQ@mail.facebook.com>
Reply-To: x
To: x
List-ID: 4SnNh9SKemslH4Awfatr
Subject: Checkout // Confirmation needed
Date: Fri, 12 Apr 2019 10:34:40 +0200

Parsing header:

Reading from the bottom, my interpretation is that the mail was accepted by a mail gateway at 85.119.146.106 that claims to be mx-out.facebook.com, which forwarded the mail to the pair.com mail gateway that I use. However, 85.119.146.106 does not have a reverse DNS entry, and is definitely not associated with mx-out.facebook.com. Since Spamcop cannot figure out where to send the abuse report, it stops.

It looks like the root cause is that pair.com is not following mail gateway 'best practices' by accepting email from a mail gateway that does not have a reverse DNS entry. Am I on the right track?

Thanks, Norbert
Lking Posted April 13, 2019

Please provide a Tracking URL so that others can see how 'SpamCop does not handle' your submission.
gnarlymarley Posted April 15, 2019

On 4/13/2019 at 11:07 AM, nh905 said:
    Received: from localhost (127.0.0.1) by .tFPOSZzTeEdkt6@facebook.com id

A tracking URL would be helpful. Last time I got this, it turned out to be a dot in a domain name that was not supposed to be there. Parsing your output mentally, I suspect it is the dot starting above. Mine was a double dot that the spammers put in to prevent parsing. If you remove the dot at the beginning of that hostname, does it parse?
MIG Posted April 15, 2019

Hey nh905,

While you're collecting Spamcop tracking URLs for Lking & gnarlymarley.... & the rest of us curious critters:

85.119.146.106 & 216.146.195.93

Cheers!

Edited April 15, 2019 by MIG
nh905 Posted April 15, 2019 (Author)

@gnarlymarley, that was it. I viewed the entire message, copied it and removed the leading period, and created a new report which SpamCop successfully processed and sent to abuse@selectel.ru. Next step is to see if I can brush up on my Linux scripting to remove the leading period programmatically.

I would provide SpamCop tracking URLs if my email address were obfuscated.

Thanks to everyone who responded. I knew SELECT-NET controls the address range that the mail gateway is using but am trying to streamline the reporting of spam.
Lking Posted April 15, 2019

1 hour ago, nh905 said:
    I would provide SpamCop tracking URLs if my email address were obfuscated.

If you log off SC and then go to the Tracking URL you will see that your email address is replaced with "x".
nh905 Posted April 15, 2019 (Author)

1 hour ago, Lking said:
    If you log off SC and then go to the Tracking URL you will see that your email address is replaced with "x".

I just logged into a private Firefox session (I normally use Chrome) and displayed what I think is a Tracking URL (the one in the response from SpamCop when it has accepted an email for processing). Although I see several instances of <x>, I also see my email in several places. That might be due to the way I am getting spam to SpamCop. My Mail application does not retain headers in the right sequence for SpamCop. I have automation on one of my servers that uses IMAP to pull mail from a SpamReporting folder I set up and then forwards the message to SpamCop.

Thanks, Norbert
MIG Posted April 16, 2019

6 hours ago, nh905 said:
    1. I also see my email in several places.
    2. Might be due to the way I am getting spam to SpamCop.

Hey Norbert,

Unfortunately scummy spammers "bury" legitimate email addresses, i.e. yours, mine... in the spam. Spamcop cannot mung these. It's not due to the "way" you're getting spam to SpamCop.

To deal with this I:
a) Copy the spam source data to a text file/notepad.
b) Search for every instance of my email address & or my unique email identifier, for example, grasshopper@greengrass.net; wherever "grasshopper" is found I replace it... e.g. deadslug@greengrass.net
c) Copy the contents of the text file to the SC parser, parse....

When I first started using SCF I'd freak about the fact my email address was visible when/if I posted a SC Tracking URL, however, the very wise and experienced SCF Masters assured & convinced me the spammers had my email address anyway. Hand on heart, my unsolicited spam has gone from 100/daily to 1 a month if I'm lucky; sometimes I now get pissed off that I haven't got any spammers to destroy☺️

Cheers!
Jelmer Jellema Posted April 26, 2019

We have the same trouble with more and more e-mails. See for example https://www.spamcop.net/sc?id=z6541277205z262b53d0d8f53ad38a6303589a630c33z

If I understand this correctly, it is because of the dot in the second Received header? Could it be that spammers found a new way to block Spamcop from parsing their mails?

We send the spams as an attachment to spamcop, so it would be hard to change each of them manually. Would it be possible to fix the parser in such a way that it won't hiccup on messages like this?

Cheers, Jelmer
MIG Posted April 26, 2019

Hey Jelmer,

Just putting "automation" aside for a moment, I've just parsed the link you posted & get: https://www.spamcop.net/sc?id=z6541305991z244053acf8840b94d8ed4b353b382ceaz, fully resolved. This surprised me, so I tried a different account & browser, same result.

Is it this one spam that's an issue or are there more of the same? Please let us know.

Cheers!

Edited April 26, 2019 by MIG
gnarlymarley Posted April 27, 2019

On 4/26/2019 at 3:39 AM, Jelmer Jellema said:
    If I understand this correctly, it is because of the dot in the second Received header?

I believe it is because of that dot. At least mine was.

23 hours ago, MIG said:
    fully resolved, this surprised me, so, I tried a different account & browser, same result.

Now that is weird. My suspicion is that maybe with mailhosts turned on, it fails at the dot and with mailhosts turned off it works?
MIG Posted April 27, 2019

2 hours ago, gnarlymarley said:
    I believe it is because of that dot. At least mine was. Now that is weird. My suspicion is that maybe with mailhosts turned on, it fails at the dot and with mailhosts turned off it works?

Go to the top of the class✌️ Gnarlymarley,

Just tested it with active Mailhosts, results same as Jelmer: https://www.spamcop.net/sc?id=z6541621305z585cc48567a257c25a06b41e90d7842az

I thought SC worked with & without MH configured? At least that (may) put paid to the "thinking" that scum have found a way to bugger up the parser, but it raises another question... What to do? 🦗

Edited April 27, 2019 by MIG
petzl Posted April 27, 2019

10 hours ago, MIG said:
    I thought SC worked with & without MH configured?

If SC cannot find one of your mailhosts it aborts. Most have Gmail, Hotmail, etc. in mailhosts so it will pass only then.
MIG Posted April 27, 2019

10 minutes ago, petzl said:
    If SC cannot find one of your mailhosts it aborts. Most have Gmail, Hotmail, etc. in mailhosts so it will pass only then.

Hey Petzl,

How then does SC successfully parse spam with no Mailhosts configured, as it did: Friday 26/04/19 08:21 PM https://www.spamcop.net/sc?id=z6541305991z244053acf8840b94d8ed4b353b382ceaz ? 🤔🦗
petzl Posted April 27, 2019

54 minutes ago, MIG said:
    How then does SC successfully parse spam with no Mailhosts configured?

It will, but you run the risk of false positives, reporting spam to your own provider.
MIG Posted April 28, 2019

Hey Petzl:

1. "If SC cannot find one of your mailhosts it aborts. {Most have Gmail, Hotmail, etc in mailhosts so it will pass only then}"
2. "It will but you run the risk of false positives, reporting spam to your own provider."

Which one is correct (iyo), can't be both? (imo) & using Jelmer's post as the example, the spam parsed perfectly using an account without Mailhosts & did not report to the user's "own" provider..... 😕🦗

Edited April 28, 2019 by MIG
lisati Posted April 28, 2019

26 minutes ago, MIG said:
    Which one is correct (iyo), can't be both?

I can confirm #2: Whenever I report stuff that appears to have originated in my provider's system, usually webmail, I often get a "nothing to do" or "no IP address" type of message. (I haven't had one for a while, I don't get them that often.) As for #1, I can't remember.

It's always a good idea to make sure that you have mailhosts set up for ALL the email addresses that receive spam that you are likely to report, AND keep them updated if something in the way your provider processes email changes.
MIG Posted April 28, 2019

Hey Lisati,

Jelmer couldn't successfully parse a spam, ending up with [Parsing header:] error. Jelmer queried: "is it because of the .?" Jelmer further proposed/surmised, "could it be the spammers had found a way to "trick" the parser?"

I parsed the spam with an account WITH MailHosts configured, same result as Jelmer.
I (re)parsed the spam with an account with NO MailHosts: successful parse.

In this specific case: #1. wasn't encountered.
In this specific case: #2. wasn't encountered.

Cheers🦗

Edited April 28, 2019 by MIG
lisati Posted April 28, 2019

Cool. That's what forums like this are for; amongst the various ideas that are tossed into the discussion, there are often those which are helpful.
MIG Posted April 29, 2019

3 hours ago, lisati said:
    Cool. That's what forums like this are for; amongst the various ideas that are tossed into the discussion, there are often those which are helpful.

👍100% Lisati, I've learnt so much from many SCF members. Yourself included! 😊🦗
Jelmer Jellema Posted May 10, 2019

I'm sorry I have not responded earlier; it looks like I did not get any notifications, I will look into my forum settings. I apologize for this.

Thanks a lot for thinking about this problem. It is good to see something like this is picked up by advanced members to discuss and educate.

If I understand correctly, everything works fine with mailhosts disabled. I guess we should check our mailhosts anyway, because of recent network changes.

So, how should we interpret this?
- The mailhost check code of SC "crashes" when it tries to parse a host with a dot, and could be fixed, or
- The mailhost check code "crashes" when it tries to parse a host with a dot, while the mailhost setup for the particular reporter is out of date (but as I get it, other people, with different mailhosts, experience the same issue), or
- We should not use mailhosts as it crashes stuff.

I will now first reconfigure our mailhosts, and see what happens. I will keep you posted!

Jelmer

Edited May 10, 2019 by Jelmer Jellema
Tesseract Posted May 10, 2019

I received 3 pieces of spam today that broke SpamCop like this. Here's one: https://www.spamcop.net/sc?id=z6545317169z5c4be98b29b2c765f89119bfce136732z

Very irritating, hope it can be fixed soon.

Edited May 10, 2019 by Tesseract
MIG Posted May 10, 2019

13 minutes ago, Tesseract said:
    spam broke SpamCop, like this: Here's one: https://www.spamcop.net/sc?id=z6545317169z5c4be98b29b2c765f89119bfce136732z

Hey Tesseract,

I reparsed; firstly I removed:

From MAILER-DAEMON Fri May 10 02:41:48 2019
Return-Path: <>
X-Original-To: x
Delivered-To: x

I also amputated the embedded http links, not necessary to get a resolved parse, just based on my understanding of information provided by knowledgeable SCF members: each time a link is parsed it's a hit for the spammer... grrrr

Results: https://www.spamcop.net/sc?id=z6545327526z3c3d9b7ea27f204c8c57cac8f816abb7z

Re "removed" stuff, I probably can't explain without confusing everybody, however, the previously referenced knowledgeable SCF members, I'm sure, will pitch in with sage advice...

I'm curious to test again if you'd like to share the other tracking URLs please?

Cheers! G🦗 H
MIG Posted May 10, 2019

1 hour ago, Jelmer Jellema said:
    1. Mailhosts disabled. I guess we should check our mailhosts anyway, because of recent network changes.
    (a) mailhost check code of SC "crashes" when it tries to parse a host with a dot..
    (b) mailhost check code "crashes" when it tries to parse a host with a dot, while the mailhost setup for the particular reporter is out of date (but as I get it, other people, with different mailhosts, experience the same issue)
    (c) should not use mailhosts as it crashes stuff
    (d) reconfigure mailhosts

Hey Jelmer,

Welcome back, no apology necessary!

MailHosts disabled: the successful parse was done with an account WITHOUT MailHosts. I'm reluctant to tamper with my SC account (with MailHosts) as they were a bugger to set up, reluctant to go thru that one again; "disabled", that's another thing all together....🤔

NW/ changes, chk MailHosts: yep! Good idea.
(a) 🤔
(b) 🤔
(c) Not always, my rule of thumb: if SC parser produces wonky results, I change accounts (MailHosts/No MailHosts) & reparse; if both accounts are unable to successfully parse I start digging and come here for support...
(d) Good idea.

Cheers! G🦗 H
Tesseract Posted May 10, 2019

5 hours ago, MIG said:
    I'm curious to test again if you'd like to share the other tracking URLs please?

Sure, here you go:

https://www.spamcop.net/sc?id=z6545317828zc1d3eb3c90dba4ddb2914565fe8e6670z
https://www.spamcop.net/sc?id=z6545318251ze1faf58f3225047c10340689918d5169z
https://www.spamcop.net/sc?id=z6545409098z16a4a69219a64d0a10d0585d38e310dcz

Apart from all being variations of the same message, the common factor seems to be an invalid hostname in the "by" field of the final Received line, as noticed earlier in the thread. E.g. .MpZLHMzHGsR6NQ@cpcloud.co.uk (an invalid hostname both for starting with . and for containing @)
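Added example, not code from this thread or from SpamCop: a small Python script that does what nh905 wanted to script earlier and what Tesseract's post pins down. It audits the "by" token of every Received header against RFC 1123 hostname syntax, reports why a token is invalid (leading dot, embedded "@"), and strips only the leading dot, the manual fix that made the report parse. The header block inside it is constructed to resemble the one quoted at the top of the thread; the validity rule and function names are my own choices.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample shaped like the header block quoted in this thread; the
# second Received line carries the defect under discussion (a leading '.' and
# an embedded '@' in the 'by' token).
SAMPLE_HEADERS = """\
Received: from mx-out.facebook.com (unknown [85.119.146.106])
 by mta.mail1.g20.pair.com (Postfix) with ESMTP for <x>;
 Fri, 12 Apr 2019 04:53:49 -0600 (MDT)
Received: from localhost (127.0.0.1) by .tFPOSZzTeEdkt6@facebook.com id FlkmbeavpeML
 for <x>; Fri, 12 Apr 2019 10:34:40 +0200 (envelope-from <contact@facebook.com>)
Subject: Checkout // Confirmation needed
"""

# RFC 1123 hostname: dot-separated labels of letters, digits and interior hyphens.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})*$")
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
FOLD_RE = re.compile(r"\r?\n[ \t]+")  # RFC 5322 folding whitespace

def by_host(received: str) -> Optional[str]:
    """Return the token that follows 'by' in one (unfolded) Received header."""
    m = BY_RE.search(received)
    return m.group(1).rstrip(";,") if m else None

def hostname_problems(host: str) -> List[str]:
    """Why a 'by' token is not a valid hostname; empty list means it is fine."""
    problems = [msg for cond, msg in ((host.startswith("."), "leading dot"),
                                      ("@" in host, "contains '@'")) if cond]
    if not problems and not HOSTNAME_RE.match(host):
        problems.append("not a valid hostname")
    return problems

def audit(headers: str) -> List[Tuple[str, List[str]]]:
    """(by-host, problems) for every Received header, top to bottom."""
    result = []
    for line in FOLD_RE.sub(" ", headers).splitlines():
        if line.lower().startswith("received:"):
            host = by_host(line)
            if host is not None:
                result.append((host, hostname_problems(host)))
    return result

def sanitize(headers: str) -> str:
    """Strip leading dots from the 'by' token of Received headers only, the
    manual fix reported in this thread; every other field is left untouched."""
    out, in_received = [], False
    for raw in headers.splitlines():
        if raw[:1] not in (" ", "\t"):  # a new header field begins here
            in_received = raw.lower().startswith("received:")
        if in_received:
            raw = re.sub(r"(\bby\s+)\.+", r"\1", raw, flags=re.IGNORECASE)
        out.append(raw)
    return "\n".join(out) + "\n"
```

After sanitize() the "@" is still flagged by audit(), since no hostname can be recovered from it; that matches Tesseract's observation that the token is invalid on two counts.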