rdorsch

Spamcop generates reports against my own domain!


Hello,

I recently had the problem that I received spam, reported the spam to spamcop, spamcop informed the hoster, and the hoster deactivated *my* server. Looking into the issue, I found that my domain was mentioned in the spam email; it was pretty much the only text string I could read in the (Asian) email. I did not read the "Please make sure this email IS spam:" confirmation page carefully enough, which most likely listed my domain, and the process started.

I have not seen that in the past 10+ years I have been reporting to spamcop, but since then I have seen it many times.

Since the domain which is referenced in the spam email and my mail domain are the same, it should be trivial for spamcop to catch such false positives. I am just wondering if anything changed in the spamcop setup, or if I can configure somewhere that spamcop never generates reports against my own domain when submitted by me.

 

Many thanks

Rainer

16 hours ago, rdorsch said:

Since the domain which is referenced in the spam email and my mail domain are the same, it should be trivial for spamcop to catch such false positives. I am just wondering if anything changed in the spamcop setup, or if I can configure somewhere that spamcop never generates reports against my own domain when submitted by me.

Seems strange a provider would shut down a website with one complaint?
Make sure it has not been compromised; change your password.
Run a virus scan on your computer. If you are competing against a similar website you are possibly being attacked, often done for blackmail as well!
Your mailhosts are not necessarily the same as a domain. Have a look.
But then SpamCop only stops reporting your email "domain".

Contact your provider

Edited by petzl

19 hours ago, rdorsch said:

I found that my domain was mentioned in the spam email,

I had a similar situation happen to me about two decades ago with an admin from a well known education institution confusing the internal links of the spam as the source of the spam.  This is why I prefer to report just the source instead of the links inside.  If I see any on my reports that might be valid (innocents caught in the crossfire), I uncheck those.

6 hours ago, petzl said:

Seems strange a provider would shut down a website with one complaint?
Make sure it has not been compromised; change your password.
Run a virus scan on your computer. If you are competing against a similar website you are possibly being attacked, often done for blackmail as well!
Your mailhosts are not necessarily the same as a domain. Have a look.
But then SpamCop only stops reporting your email "domain".

Contact your provider

The story with the provider is a separate topic, but long story short: the spamcop reports are processed automatically, and normally they disable the host immediately (which does not make sense, but this is at least what they communicated). After calling them, they checked the issue and re-enabled the server immediately.

I do not understand why I should run a virus scan if my server is not the source of the spam.

Mailhost and website are the same domain, even the same host.

rd@h370-wlan:~$ dig bokomoko.de

; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> bokomoko.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43604
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bokomoko.de.                   IN      A

;; ANSWER SECTION:
bokomoko.de.            214     IN      A       37.120.169.230

;; Query time: 0 msec
;; SERVER: 192.168.4.1#53(192.168.4.1)
;; WHEN: So Mai 24 09:58:43 CEST 2020
;; MSG SIZE  rcvd: 56

rd@h370-wlan:~$ dig www.bokomoko.de

; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> www.bokomoko.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49796
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.bokomoko.de.               IN      A

;; ANSWER SECTION:
www.bokomoko.de.        299     IN      CNAME   netcup.bokomoko.de.
netcup.bokomoko.de.     299     IN      A       37.120.169.230

;; Query time: 39 msec
;; SERVER: 192.168.4.1#53(192.168.4.1)
;; WHEN: So Mai 24 09:57:24 CEST 2020
;; MSG SIZE  rcvd: 81

rd@h370-wlan:~$ dig -t MX bokomoko.de

; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> -t MX bokomoko.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34232
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;bokomoko.de.                   IN      MX

;; ANSWER SECTION:
bokomoko.de.            299     IN      MX      10 mail.bokomoko.de.

;; Query time: 132 msec
;; SERVER: 192.168.4.1#53(192.168.4.1)
;; WHEN: So Mai 24 09:57:35 CEST 2020
;; MSG SIZE  rcvd: 61

rd@h370-wlan:~$ dig mail.bokomoko.de

; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> mail.bokomoko.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36872
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;mail.bokomoko.de.              IN      A

;; ANSWER SECTION:
mail.bokomoko.de.       294     IN      A       37.120.169.230

;; Query time: 17 msec
;; SERVER: 192.168.4.1#53(192.168.4.1)
;; WHEN: So Mai 24 09:57:47 CEST 2020
;; MSG SIZE  rcvd: 61

rd@h370-wlan:~$

 

3 hours ago, gnarlymarley said:

I had a similar situation happen to me about two decades ago with an admin from a well known education institution confusing the internal links of the spam as the source of the spam.  This is why I prefer to report just the source instead of the links inside.  If I see any on my reports that might be valid (innocents caught in the crossfire), I uncheck those.

That is a good point; my own host might not be the only innocent victim. The longer I think about it, the more I come to the conclusion that spamcop should fix things here, since the default is dangerous for the reporter and may trigger false positives. My wife's opinion was: please stop reporting spam to spamcop altogether, if the risk is that our email infrastructure gets shut down over the weekend (in the middle of Corona home schooling). I think spamcop should consider the following:

  • As default do not report links inside (to reduce false positives altogether)
  • At least protect the reporter and let the reporter configure a whitelist for internal links (or at least support to whitelist the spam recipient domain)

I am still puzzled that I had not seen that kind of issue for many years, but now see it very frequently.

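The whitelist rdorsch asks for above, and the "same domain, same host" situation shown in the dig output earlier in the thread, can be prototyped on the reporter's side before anything is submitted. The following is an added example in Python, not SpamCop's code and not anything the posters ran: it decodes the RFC 2047 Subject quoted later in the thread, extracts every link host from the spam body, and sorts each host into "own infrastructure, uncheck before reporting" or "report candidate". A host counts as "own" when it sits under one of the reporter's mailhost domains or resolves to the same IP as the reporter's mail server. bokomoko.de, the address 37.120.169.230 and the encoded Subject are taken from the thread; the sample message, everything under example.net, and the 192.0.2.x addresses are constructed placeholders, and the DNS table is an offline stand-in for real resolution.

```python
"""
Added example, not SpamCop's or the poster's code: before a spam report goes
out, decode the Subject and sort every link host in the body into "own
infrastructure, uncheck" versus "report candidate".  A host is "own" when it
is under one of the reporter's mailhost domains or resolves to the mailhost's
own IP, which is the whitelist the thread asks SpamCop to support.
"""
import re
from email import message_from_string, policy
from email.header import decode_header, make_header
from urllib.parse import urlsplit

# bokomoko.de, the 37.120.169.230 address and the encoded Subject are from the
# thread; everything under example.net and the 192.0.2.x addresses are
# constructed placeholders.
OWN_DOMAINS = ("bokomoko.de",)
OWN_IPS = ("37.120.169.230",)

# Constructed offline stand-in for DNS, seeded with the A records the thread's
# dig output shows; a real run would use socket.gethostbyname instead.
FAKE_DNS = {
    "www.bokomoko.de": "37.120.169.230",
    "mail.bokomoko.de": "37.120.169.230",
    "pay.example.net": "192.0.2.20",
    "example.net": "192.0.2.20",
}

# Constructed sample spam: the body names the reporter's own site next to
# external links, as in the thread.
SAMPLE_SPAM = """\
Received: from mail.example.net (unknown [192.0.2.10])
\tby mail.bokomoko.de (Postfix) with ESMTP id CONSTRUCTED1
\tfor <rd@bokomoko.de>; Thu, 14 May 2020 17:40:25 +0200 (CEST)
From: billing@example.net
To: rd@bokomoko.de
Subject: =?UTF-8?B?6L+Q6YCB5bu66K6uIDMwLzUvMjAyMA==?=
Content-Type: text/plain; charset="utf-8"

Your domain http://www.bokomoko.de/ registration invoice:
http://pay.example.net/invoice?id=12345
Contact HTTP://EXAMPLE.NET/contact
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def decode_subject(raw_subject: str) -> str:
    """Turn an RFC 2047 encoded-word Subject into readable text."""
    return str(make_header(decode_header(raw_subject)))


def is_own_host(host, own_domains=OWN_DOMAINS, own_ips=OWN_IPS,
                resolve=FAKE_DNS.get):
    """True if host is our domain/subdomain or lives on our mailhost's IP."""
    host = host.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in own_domains):
        return True
    # Same server as our mail host: reporting it would report ourselves.
    return resolve(host) in own_ips


def classify_links(raw_message, **own):
    """Return {'subject', 'own', 'report'}: link hosts to uncheck vs report."""
    msg = message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    own_hosts, report_hosts = [], []
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname  # already lower-cased by urlsplit
        if not host:
            continue
        bucket = own_hosts if is_own_host(host, **own) else report_hosts
        if host not in bucket:
            bucket.append(host)
    return {"subject": decode_subject(str(msg.get("Subject", ""))),
            "own": own_hosts, "report": report_hosts}


if __name__ == "__main__":
    result = classify_links(SAMPLE_SPAM)
    print("Subject:", result["subject"])
    print("Own hosts (uncheck before reporting):", result["own"])
    print("Hosts left to report:", result["report"])
```

The domain-suffix check is anchored with a leading dot, so a look-alike such as notbokomoko.de is not whitelisted, and the IP check is what catches a link host that shares the mail server's address without sharing its name.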
On 5/23/2020 at 2:49 AM, rdorsch said:

Since the domain which is referenced in the spam email and my mail domain are the same,

If I understand the issue correctly without a Tracking URL, another thing to consider is whether your email and domain are on the same host and IP. As you know, spamcop looks at IPs, not domain names directly. Having your domain listed in a spam is odd. Spam I have received, even those requesting to buy one of my domains, don't include the domain in the body.

In any case your point is well taken. If the domain in the body of the spam is the same as a domain in your mailhost configuration, the solution should be relatively straightforward.

I would suggest a post in New Feature Request with a Tracking URL as an example to illustrate your request/suggestion.

52 minutes ago, Lking said:

If I understand the issue correctly without a Tracking URL, another thing to consider is whether your email and domain are on the same host and IP. As you know, spamcop looks at IPs, not domain names directly. Having your domain listed in a spam is odd. Spam I have received, even those requesting to buy one of my domains, don't include the domain in the body.

In any case your point is well taken. If the domain in the body of the spam is the same as a domain in your mailhost configuration, the solution should be relatively straightforward.

I would suggest a post in New Feature Request with a Tracking URL as an example to illustrate your request/suggestion.

Many thanks for your reply, I opened a new feature request as you suggested. For completeness I include here the tracking URLs:

Submitted: 14.5.2020, 17:40:25 +0200: 
=?UTF-8?B?6L+Q6YCB5bu66K6uIDMwLzUvMjAyMA==?=
7058512602 ( http://www.bokomoko.de/ ) To: abuse@netcup.de
7058512598 ( 185.222.58.117 ) To: complain@rootlayer.net

 

Here is the new feature request:

 

 

12 minutes ago, rdorsch said:

Many thanks for your reply, I opened a new feature request as you suggested. For completeness I include here the tracking URLs:

Submitted: 14.5.2020, 17:40:25 +0200: 
=?UTF-8?B?6L+Q6YCB5bu66K6uIDMwLzUvMjAyMA==?=
7058512602 ( http://www.bokomoko.de/ ) To: abuse@netcup.de
7058512598 ( 185.222.58.117 ) To: complain@rootlayer.net

"What we have here is a failure to communicate"

An example of a tracking URL is https://www.spamcop.net/sc?id=z6634628358z460dafae0c54205ace1fe027dc2ff311z

This can be found near the top of the screen after you submit the spam. If you submit by email, the tracking URL is the link sent to you to review and complete/submit your spam.

In my example above you will see the tracking URL on the third line. If we had access to the tracking URL, someone could cut and paste the body of the spam into google translate and see why your domain is in the body.


I submit by email, but after having completed the confirmation mail, I delete it. The data I added is from my report history on spamcop.net. If there is no way to extract it from there, it is gone.

What I still have is the spam email itself (attached).

 

spam_mail.mbox


The system obviously does not like your attachment.

You can recover the tracking URL by logging into your reporting account and clicking on the <Past Reports> tab. This will list "Report Numbers"; when you select the correct report, the Tracking URL will be part of the next screen.

44 minutes ago, Lking said:

The system obviously does not like your attachment.

You can recover the tracking URL by logging into your reporting account and clicking on the <Past Reports> tab. This will list "Report Numbers"; when you select the correct report, the Tracking URL will be part of the next screen.

Hmm....I think that helped to recover it, I clicked on "Parse" to recover it:

https://www.spamcop.net/sc?id=z6633595354za3c7f1c70eca174576d1527014496a1dz

14 hours ago, rdorsch said:

I do not understand why I should run a virus scan if my server is not the source of the spam

Talking about your PC, a virus check is a must. Could be you have been compromised.
I even use a VPN; this encrypts my communications to and from my computer. Even my Skype calls are encrypted.
Win10 here; I just use Windows Defender, which right now seems very good.

5 hours ago, rdorsch said:

Hmm....I think that helped to recover it, I clicked on "Parse" to recover it:

 https://www.spamcop.net/sc?id=z6633595354za3c7f1c70eca174576d1527014496a1dz

Rainer,

This appears to be only the URL specified and not coming directly from your server.  Running it through google translate, it appears to be the normal whois email address testing.  Sounds like they are sending out spam to attempt to send a bill to random domains to try to extort money.  Been a while since I got one of those.

(I think what petzl is talking about is where I have seen IP cameras and routers get hacked and the spam sent from there, but this does not appear to be coming directly from your server.  If it was coming directly from your server, I would check the server and any devices that might be sharing the same IP for possible intrusions.)

3 hours ago, gnarlymarley said:

(I think what petzl is talking about is where I have seen IP cameras and routers get hacked and the spam sent from there, but this does not appear to be coming directly from your server.  If it was coming directly from your server, I would check the server and any devices that might be sharing the same IP for possible intrusions.)

Yes, smart TVs, Amazon and Google devices, mobile phones, baby monitors, security cameras are now on the list for hackers.
The Internet of Things (IoT) is the new threat.

8 hours ago, petzl said:

Talking about your PC, a virus check is a must. Could be you have been compromised.
I even use a VPN; this encrypts my communications to and from my computer. Even my Skype calls are encrypted.
Win10 here; I just use Windows Defender, which right now seems very good.

I am not doubting that virus checks are useful, in particular if you are running a Windows PC (which I do not :-) ).

But that is only relevant here, if my systems are the spam source, not the spam destination.

On 5/25/2020 at 4:58 PM, rdorsch said:

I am not doubting that virus checks are useful, in particular if you are running a Windows PC (which I do not 🙂 ).

But that is only relevant here, if my systems are the spam source, not the spam destination.

Go here to see if your Email address is listed?
https://monitor.firefox.com/breaches


Thanks for sharing the useful link.

 

Fortunately, so far my domain did not show in the pwned list :-)

 

The relation to spam here is that one of my smtpauth passwords would show up, correct?

18 hours ago, rdorsch said:

Thanks for sharing the useful link.

Fortunately, so far my domain did not show in the pwned list 🙂

The relation to spam here is that one of my smtpauth passwords would show up, correct?

"smtpauth passwords would show up, correct?"
Pwned is the term.
https://monitor.firefox.com/breaches
I have a throwaway gmail address for facebook to read newspapers; it seems pwned claims it gets breached often?
Bit of a pain to change all passwords: Facebook, Gmail, cancel the "News account" clickbait I never wanted.
Pwned lists all that show compromised; my passwords are upper/lowercase, alphanumeric with symbols.
Put up a FaceBook page with my REAL name to see if I could contact "lost friends";
before I even used it, facebook appears to have sold my info to a Russian spam crime gang.
Still get phishing from them, but it has slowed to so far one a month. Reporting does work.

Edited by petzl
