EkriirkE Posted November 30, 2020 Share Posted November 30, 2020 Occasionally I will get an email where the body is not parsed/ignored and I got another today that I did some poking around, and I found that if the Return-Path header exists and is empty (`Return-Path: <>`), the body is ignored. Removing or populating it resolve the issue. Quote Link to comment Share on other sites More sharing options...
petzl Posted November 30, 2020 Share Posted November 30, 2020 2 hours ago, EkriirkE said: Occasionally I will get an email where the body is not parsed/ignored and I got another today that I did some poking around, and I found that if the Return-Path header exists and is empty (`Return-Path: <>`), the body is ignored. Removing or populating it resolve the issue. BEFORE you submit a spam at top of page there is a tracking URL copy this track and past it here, then one can see what is happening. example Here is your TRACKING URL - it may be saved for future reference:https://www.spamcop.net/sc?id=z6690533908ze72fd31a4dff786edaf29eccae16c308z Quote Link to comment Share on other sites More sharing options...
EkriirkE Posted November 30, 2020 Author Share Posted November 30, 2020 20 minutes ago, petzl said: BEFORE you submit a spam at top of page there is a tracking URL copy this track and past it here, then one can see what is happening. example Here is your TRACKING URL - it may be saved for future reference:https://www.spamcop.net/sc?id=z6690533908ze72fd31a4dff786edaf29eccae16c308z What are you going on about? You can't get a tracking link for a spam you haven't submitted yet. That's a catch 22. And I'm not trying to report spamcop report links Quote Link to comment Share on other sites More sharing options...
petzl Posted December 1, 2020 Share Posted December 1, 2020 1 hour ago, EkriirkE said: What are you going on about? You can't get a tracking link for a spam you haven't submitted yet. That's a catch 22. And I'm not trying to report spamcop report links Unless headers are shown safest way is by a Tracking URL ,Without one or headers have no idea what you are on about either? If you paste headers replace your email address with a x Quote Link to comment Share on other sites More sharing options...
EkriirkE Posted December 1, 2020 Author Share Posted December 1, 2020 I forward as attachments, been doing so for over a decade. This is a bug which only affects about 1 spam a year. I doubt my methods of simply clicking the forward button are randomly "mis pasting" an email of thousands consistently Quote Link to comment Share on other sites More sharing options...
gnarlymarley Posted December 1, 2020 Share Posted December 1, 2020 On 11/30/2020 at 2:12 PM, EkriirkE said: Occasionally I will get an email where the body is not parsed/ignored and I got another today that I did some poking around, and I found that if the Return-Path header exists and is empty (`Return-Path: <>`), the body is ignored. Removing or populating it resolve the issue. I have seen this a while ago, but I didn't have time to do any research on it. I will have to pay attention for the next time I get a spam that has links, but they get ignored. (I think mine were August or July, so they are probably past the 90 days so I will not be able to get tracking URLs.) Quote Link to comment Share on other sites More sharing options...
EkriirkE Posted December 2, 2020 Author Share Posted December 2, 2020 2 hours ago, gnarlymarley said: I have seen this a while ago, but I didn't have time to do any research on it. I will have to pay attention for the next time I get a spam that has links, but they get ignored. (I think mine were August or July, so they are probably past the 90 days so I will not be able to get tracking URLs.) This is a failed parse https://www.spamcop.net/sc?id=z6693341449z0778223c9998b219a4bda561ffbc4addz this version parsed https://www.spamcop.net/sc?id=z6693545149z7a985f0f94faa3a5d9a2fa784fd2555bz The only difference is I removed the Return-Path header Quote Link to comment Share on other sites More sharing options...
petzl Posted December 2, 2020 Share Posted December 2, 2020 1 hour ago, EkriirkE said: This is a failed parse https://www.spamcop.net/sc?id=z6693341449z0778223c9998b219a4bda561ffbc4addz this version parsed https://www.spamcop.net/sc?id=z6693545149z7a985f0f94faa3a5d9a2fa784fd2555bz The only difference is I removed the Return-Path header 194.150.215.174 (Bounce) so SpamCop does not lookup links Possibly your email addy is on the reply address Quote Link to comment Share on other sites More sharing options...
EkriirkE Posted December 2, 2020 Author Share Posted December 2, 2020 1 hour ago, petzl said: 194.150.215.174 (Bounce) so SpamCop does not lookup links Possibly your email addy is on the reply address No. Read the posts. Quote Link to comment Share on other sites More sharing options...
gnarlymarley Posted December 4, 2020 Share Posted December 4, 2020 On 11/30/2020 at 4:42 PM, EkriirkE said: Here is your TRACKING URL - it may be saved for future reference:https://www.spamcop.net/sc?id=z6690533908ze72fd31a4dff786edaf29eccae16c308z I think this may have caused some confusion as the above tracking URL is missing the body. See below for verification test. On 12/1/2020 at 5:09 PM, EkriirkE said: This is a failed parse https://www.spamcop.net/sc?id=z6693341449z0778223c9998b219a4bda561ffbc4addz So I took your link that failed to parse and I added something in the return-path. The links would parse again. So I submitted it as is and it fails to parse. Clearly, it appears you have caught a problem or bug here where SpamCop is broken. Working (changed return-path): https://www.spamcop.net/sc?id=z6693978467z3560f51112de7e9fcadc539b521ce73bz Not working: https://www.spamcop.net/sc?id=z6693978389zca5cee5269c5f353471c599d70e7c266z As you can see by comparing, I submitted the same thing twice, except I added an email in the return path. Quote Link to comment Share on other sites More sharing options...
Richard W Posted December 4, 2020 Share Posted December 4, 2020 I've put this in our developers' queue to have a look at. The key is here: Reports regarding this spam have already been sent: Re: 194.150.215.174 (Bounce) Reportid: 7097982956 To: noc@galaxydata.ru The spam with the blank RP is treated as a bounce by the system Richard Quote Link to comment Share on other sites More sharing options...
EkriirkE Posted May 25, 2021 Author Share Posted May 25, 2021 (edited) On 12/4/2020 at 10:50 AM, Richard W said: I've put this in our developers' queue to have a look at. The key is here: Reports regarding this spam have already been sent: Re: 194.150.215.174 (Bounce) Reportid: 7097982956 To: noc@galaxydata.ru The spam with the blank RP is treated as a bounce by the system Richard Hey there, thank you for doing this - and it seemed to have been fixed not long after you replied. But Today I just got another batch of junk with the same issue - Blank return path, and body is not parsed for links https://www.spamcop.net/sc?id=z6712715786z1416bf0f0b6a7ffe450e2a9c97905829z https://www.spamcop.net/sc?id=z6712715787zb1414092e94d60b523f717f18fdd4839z https://www.spamcop.net/sc?id=z6712715788z0a2699e6ef9471feb51823978b7eb85fz https://www.spamcop.net/sc?id=z6712715785zb54e90205f1b3f4b44a5f39ba5e2e2aaz https://www.spamcop.net/sc?id=z6712715784ze2b85ac6a1e66855cbf667e4afe4c558z Edited May 25, 2021 by EkriirkE links- Quote Link to comment Share on other sites More sharing options...
petzl Posted May 25, 2021 Share Posted May 25, 2021 (edited) 22 hours ago, EkriirkE said: https://www.spamcop.net/sc?id=z6712715784ze2b85ac6a1e66855cbf667e4afe4c558z abuse[AT]civo[DOT]com 74.220.23.10 (SpamCop not correct) reporting looks to be ignored!https://www.ncsc.gov.uk Maybe including "incidents[AT]ncsc[DOT]gov[DOT]uk" is needed!https://www.spamcop.net/w3m?action=checkblock&ip=74.220.23.10 Other hosts in this "neighborhood" with spam reports 74.220.22.16 74.220.22.24 74.220.22.44 74.220.22.112 74.220.22.121 74.220.22.206 74.220.22.238 74.220.23.12 74.220.23.42 74.220.23.56 74.220.23.62 74.220.23.84 74.220.23.95 74.220.23.139 74.220.23.177 74.220.23.185 74.220.23.188 74.220.23.228 https://check.spamhaus.org/listed/?searchterm=74.220.23.10 This IP address has been observed to be involved in at least one of the following activities; sending spam, snowshoe spamming, or hosting botnet command and controllers (C&Cs). It may also be hijacked IP space, or associated with bulletproof hosting. As a result, this IP address is listed in the Spamhaus Blocklist (SBL)https://www.civo.com/about seem the site/COMPANY behind attacks? Registrar Abuse Contact Email: mail to: abuse[AT]register[DOT]it Edited May 25, 2021 by petzl Quote Link to comment Share on other sites More sharing options...
RobiBue Posted May 26, 2021 Share Posted May 26, 2021 (edited) The problem is not where the spam is coming from. the problem for the OP is that whenever a bounce is detected, the links in the spam do not parse. also, manual reporting is not for everybody, and SC was designed to automate the process, not make it harder. It's a pity that Julian is not involved anymore... I miss him... and if @Richard W can look into this again, it would be fantastic wink wink BTW @EkriirkE I like your interests status it sounds fun to peruse stuff for something it's not meant to be 😄 Edited May 26, 2021 by RobiBue minor correction Quote Link to comment Share on other sites More sharing options...
petzl Posted May 26, 2021 Share Posted May 26, 2021 (edited) 2 hours ago, RobiBue said: The problem is not where the spam is coming from. the problem for the OP is that whenever a bounce is detected, the links in the spam do not parse. The first link is not reachablehttps://d00.nyc3.digitaloceanspaces.com/10507.htm Edited May 26, 2021 by petzl Quote Link to comment Share on other sites More sharing options...
RobiBue Posted May 26, 2021 Share Posted May 26, 2021 (edited) for me and for SC it resolves. just paste the link to the parser... Quote SpamCop v 5.3.0 © 2021 Cisco Systems, Inc. All rights reserved. Parsing input: https://d00.nyc3.digitaloceanspaces.com/10507.htm Host d00.nyc3.digitaloceanspaces.com (checking ip) = 162.243.189.2Routing details for 162.243.189.2[refresh/show] Cached whois for 162.243.189.2 : abuse@digitalocean.com Using best contacts abuse@digitalocean.com Statistics: 162.243.189.2 not listed in bl.spamcop.netMore Information. 162.243.189.2 not listed in cbl.abuseat.org 162.243.189.2 not listed in dnsbl.sorbs.net Reporting addresses:abuse@digitalocean.com it does redirect to a different website though... Edit: now, 12 hours later I got the chance to revisit the issue: <Error> <Code>UserSuspended</Code> <BucketName>d00</BucketName> <RequestId>tx0000000000000348ca477-0060aed878-c814a11-nyc3c</RequestId> <HostId>c814a11-nyc3c-nyc3-zg03</HostId> </Error> digital ocean does seem to act upon reports! It would just be nice if SC would parse bounces regardless... Edited May 26, 2021 by RobiBue new info Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.