
SpamCop Reporting Failure - Error In Mailhost Configuration



Hello everyone,

I have several email accounts, all of which are correctly configured and have been working correctly for SpamCop reporting for almost a year now. One of these accounts is with Gmail, which has also been working correctly, (as far as SpamCop reporting is concerned). The only problem I encountered with Gmail originally was that I have to report by the "paste-into-the-box" method: simple forwarding doesn't seem to work. Once I worked that out, it has been working OK for the last several months, except in this one single instance which occurred only today.

I received the following error from SpamCop when I tried reporting the message referred to below:

Possible forgery. Supposed receiving system not associated with any of your mailhosts
Will not trust anything beyond this header
No source IP address found, cannot proceed.

Thinking that my mailhost configuration had somehow gotten messed up, I deleted the Gmail host and then added it back. I received five test messages, all of which were successful. I then submitted (via the "paste-into-the-box" method) two spams I had just received in my Gmail "spam" folder. Both reports went through OK. I then tried the message referred to below once again. The same error was returned again.

The Tracking URL from the last filed reporting attempt is as follows:

http://www.spamcop.net/sc?id=z1065998506zd...843e1c924c0eabz

Now, I'm no expert on the internet email system, (or anything else to do with computers, for that matter), so I can't see what's wrong with the headers in the offending message. If anyone else would care to take a look at the tracking URL, I would appreciate it if they could maybe let me know what the problem is.

I particularly wanted to report this message because it is a "pump-and-dump" stock spam. I have already forwarded it to KnujOn, but I think that the originating ISP should know about it as well. (I always do this "double-barrelled" reporting - SpamCop for the originator and KnujOn for the URLs and the stock junk).

Also, I would like to mention that I opened the Gmail account last February, and this spam message is the first that has ever gotten past Gmail's spam filters and found its way into my Inbox, (rather than the spam folder, that is). (For that matter, Gmail has never given me a false positive, either. Legitimate emails have never gone to my spam folder).

It's just a little frustrating when everything has worked OK for me for almost a year now. What worries me the most is that the spammers may have found some way around SpamCop's parsing engine, or, at least, one particular spammer has managed it.

Anyway, if someone here could take the time to look at the URL referred to above and maybe shed a little light on the problem, I, for one, would be very much obliged to you.

Thanks in advance for your help.

Best regards to all

Chris Souter
(Sydney, Australia)


...Thinking that my mailhost configuration had somehow gotten messed up, I deleted the Gmail host and then added it back. I received five test messages, all of which were successful. I then submitted (via the "paste-into-the-box" method) two spams I had just received in my Gmail "spam" folder. Both reports went through OK. I then tried the message referred to below once again. The same error was returned again.

The Tracking URL from the last filed reporting attempt is as follows:

http://www.spamcop.net/sc?id=z1065998506zd...843e1c924c0eabz

Hi Chris. I'm afraid I don't know what Gmail headers usually look like but what I see in the report from your tracking URL (and even in your post above) you seem to have some strange line wrapping (when viewing "entire message"). When you tried pasting in the submission box, did the result look more like this: http://www.spamcop.net/sc?id=z1066339431zf...7905a57bea216ez than like the version in your tracker? How this has happened and why your email submissions might be affected I have no idea but it is the only thing I can see that is "wrong" but, as said, not knowing exactly what Gmail headers should be like. I believe the line wrapping thing has come up before and hopefully someone can comment on whether this is likely to be the problem and how to fix it.

Second on Farelf's remarks .... additionally, the headers don't show a GMail account in use, rather a GoogleGroups MX in the mix .... though you may have a GMail account and a GoogleGroups address, these aren't the same thing at all ....


...what I see in the report from your tracking URL (and even in your post above) you seem to have some strange line wrapping (when viewing "entire message").

But if you look at the tracker analysis, there is no wrapping at all on those lines, so that should not be a problem.

Truth - but I've not seen such disparity between "views" before, looks sort of mangled. I thought it had to mean something. But I have a feeling Wazoo has put his finger on it. Something has changed, but just what? Chris S, can you dig up a tracker from before you started having troubles? We have to eliminate some possibilities but have only clues as yet.

Hello, everyone, and thanks for reading!

I've been looking for some other tracking URLs for recent reports from GMail, and here are the last three:

http://www.spamcop.net/sc?id=z1066565885z5...4f57d6c440abe2z
http://www.spamcop.net/sc?id=z1066565340zc...ef5b70313abb40z
http://www.spamcop.net/sc?id=z1066794963z7...7529f3354ad0eez

I'm not sure about the line-wrapping issue, because I just paste the highlighted material straight into the submission box.

I have been using the same method ever since I started reporting from Gmail:

Gmail and SpamCop should both be open and logged-in at the same time; they will, of course, be in separate browser windows or browser tabs.

1. Open message
2. Click "More options"
3. Click "Show original" (A new browser window will open)
4. From drop-down "Edit" menu, choose "Select all"
5. From drop-down "Edit" menu, choose "Copy"
6. Switch to SpamCop reporting browser window or tab
7. Right-click in submission box
8. Choose "Paste" from right-click popup menu.
9. Press "Process spam" button.
10. Wait for result of parsing
11. Click "Send spam Report(s) Now" button
12. Wait for confirmation of reporting
13. Repeat Steps 1-12 for each subsequent message
14. Quit when finished

This method has always worked, even before I re-setup the Gmail host configuration. It still works now, just *not* with this particular message.

I am aware that I am not supposed to quote spam messages in this forum, but I think that to make myself clearer, I need to quote this one, rather than simply give the Tracking URL. (You have already visited that URL anyway). So, please accept my apologies in advance.

I saved a plain ASCII copy of the offending message, which is quoted below. Please note that it starts with a blank line, which is how the text editor rendered it on opening the file. The first dashed line below represents the top of the text editor's window when the file is opened. Note that the text is not wrapped, which is the text editor's default setting. The dashed line following the last line of text represents the position of the cursor after pressing <Ctrl+End>.

------------------------------------------------------------------

X-Gmail-Received: ff534277618cc2919c30c583020085db34afc23e
Delivered-To: csouter[at]gmail.com
Received: by 10.90.71.3 with SMTP id t3cs841379aga;
        Fri, 15 Sep 2006 01:02:02 -0700 (PDT)
Received: by 10.35.8.1 with SMTP id l1mr403554pyi;
        Fri, 15 Sep 2006 01:02:01 -0700 (PDT)
Return-Path: <JeromeJeffersonj[at]glwb.net>
Received: from pl044.nas937.p-okayama.nttpc.ne.jp (pl044.nas937.p-okayama.nttpc.ne.jp [219.102.50.44])
        by mx.googlegroups.com with SMTP id c21si5865532pyc.2006.09.15.01.01.58;
        Fri, 15 Sep 2006 01:02:01 -0700 (PDT)
Received-SPF: neutral (googlegroups.com: 219.102.50.44 is neither permitted nor denied by best guess record for domain of JeromeJeffersonj[at]glwb.net)
Received: from [219.102.50.44] (helo=kaabo)
        by go4-mailrelay.itecnethost.com with smtp (Exim 4.60)
        (envelope-from <JulietteStuartx[at]itecnethost.com>)
        id 1JUZXZ-0009O2-1o
Message-ID: <13837.148076.5830.982516[at]itecnethost.com>
From: "Charlie-Madrid" <HelgaHagerw[at]itecnethost.com>
To: csouter[at]gmail.com
Cc: francocarlo[at]gmail.com, apdman[at]gmail.com
Subject: WARNING HEY
Date: Fri, 15 Sep 2006 03:02:16 -0600
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

The Bull Report Rep ort
Fri, 15 Sep 2006 03:02:16 -0600 HY W I IS GOING TO BLOW UP!
WATCH IT TOMORROW MORNING!
Compan y ~ H ollywood Intermedia te I nc
~Sym bol~ ~HYW I~
Cur rently at ~ 0.158
O utlook ~ VERYST RONG BU Y
Rec ent Ne ws~
Hollywood I n t e r m e d i a t e In c a provider of digital intermediate
film mastering services, announced today the world premiere
of "The Sensation of Sight" at the San Sebastian Film Festival.
Get more info at Yahoo Financ e
We strongly urge our members to get in while there's still
time. THIS is the one all of you been waiting for!!!
again into sound That is the outline of the thing which you will
Black smoldring smoke from the green wood expires
Charles Sumner was struck down in the United States Senate on

------------------------------------------------------------------

As you can see, nothing is wrapped. (However, maybe it will be after I paste this whole message into the forum window in the browser. I'll just have to see what it looks like after I have previewed the message before submission).

[Edit #1: The "Received:" line is wrapped in the preview after the [219.102.50.44]) character sequence; the "Received-SPF:" line is wrapped after the words "domain of". Nothing else is wrapped in the preview. The line breaks in the ASCII file correspond exactly to the preview, with the two exceptions I have mentioned above. Everything else corresponds to the ASCII file, even the white space.]

[Edit #2: The "Received-SPF:" line unwraps completely if I maximise the browser window. The "Received:" line still breaks at the same spot. Neither the "Received:" line, nor the "Received-SPF:" line is wrapped in the plain ASCII file. BTW, my screen resolution is 1280 X 1024.]

Regarding Wazoo's point about Google Groups:

I am a member of some Google Groups, and, in fact, I tried to elicit some interest there (and also in the eBay User Forums) about the reporting and investigation of spam, specifically in relation to a case I recently had, of an "eBay PowerSeller" spamming former customers from outside of eBay. It was at around that time that I also started receiving spam in my Gmail account.

Basically, the reaction in both forums was: "Get a life! Just delete it! Forget about it!" I referred them to the KnujOn website, which has a lot of *very* convincing material in support of the argument "Don't just delete: report it, too!" I'm sorry to say that nobody gave a damn! I was very disappointed in their attitude towards this growing problem. I have not actually left the groups, but I haven't visited them in a long time. At any rate, I never gave out my email address publicly in these groups, not even my Gmail address to the Google Groups.

Anyway, to follow on from Wazoo's point, (using my own cock-eyed reasoning) could it be at all possible that a spam message which was directed to Google Groups (or one of them in particular) could, by some mysterious alchemy within the internet mail system, end up in my particular Gmail Inbox? The email headers also show that the message was cc'd to two other Gmail addresses (probably invalid, if you know what I mean). If the message was directed to the Google Groups server, how did it get to the Gmail server?

(I quite realise that some experts might think that this is a stupid question, but I really don't have time to wade through hundreds of pages of RFCs looking for answers, so, please don't flame me, just offer suggestions/theories, if you have any).

One other possibility: Could the Google Groups MX have been hacked by a spammer exploit? In this regard, I know that Gmail must have been having big problems one day last week (I can't now remember which day, but about a week or ten days ago). Nothing was getting through for a period of about 24 hours. Then I started receiving messages that were up to 24 hours old. Gmail offered no explanation for this on their website or their login page. Just a thought, although I can't imagine that a DDOS on Gmail could have any hope of succeeding.

That's all the information and/or suggestions I can supply at the moment. I would really like to thank you all for the interest you have shown in this problem.

Best regards to you all,

Chris Souter
(Sydney, Australia).


Having been up for something like 40 hours, that red text is simply too hard to read. Technically, the posting of the spam and all the other "red text" didn't do much to 'further' explain things (to me) .....

So I'm only going to focus on parts of two lines;

in your 'problem' spam;

Received-SPF: neutral (googlegroups.com: (in addition to the by mx.googlegroups.com )

your other three examples;

Received-SPF: neutral (gmail.com: ..... by mx.gmail.com

Received-SPF: error (gmail.com: error .... by mx.gmail.com

Received-SPF: neutral (gmail.com: .... by mx.gmail.com

Bottom line .... I'm saying that you have configured the gmail.com servers as part of your MailHost configuration of your Reporting account ..

I don't believe that you have a GoogleGroups server configured in that list ..... not even sure that you can add one of these ... as I'm really, really tired, I can admit to being wrong .. so I'll just toss out here that there's the possibility that some user found one of your posts in one of those GoogleGroups and "made contact" with you from that screen .... thus invoking the use of a GoogleGroups MX server .... Google handled the rest of it 'internally' ....

The only thing I can come up with for the odd wrapping would be the window/font size, though noting that I still don't think I saw what tools were in use (again, I gave up trying to focus on all the red text).... just also noting that this 'kind' of issue just came up during the attempted roll-out of the updated Horde/IMP web-mail application .. Mac users really complaining ...

A non-MailHost configured parse can be seen at http://www.spamcop.net/sc?id=z1066946900zd...c4217609098b86z


Thanks for looking, Wazoo! Now, GET SOME SLEEP!!!!!! :D

Sorry about the red text. I thought it would help to differentiate the message text from the surrounding post. I apologise!

I don't really understand what you're saying about the Received-SPF: lines. As I said before, I'm no mail expert... I'll try and research it a bit more in an effort (probably futile, at my age) to increase my highly inadequate technical understanding of the topic.

Thanks for your help.

Best regards

Chris Souter


I used the SPF lines as they were easy to 'find' ..... the actual 'critical' header line is above that .. the line that includes the "by mx.googlegroups.com" (that fails) as compared to the parsed samples that show "by mx.gmail.com" ... this is the line that takes it outside your MailHosted Configurations, as the googlegroups MX server is not in your (or probably anyone else's) database.
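
The check described in the post above, as an added sketch that is not part of the original thread and is not SpamCop's own code: it walks the Received headers quoted earlier from newest to oldest and stops at the first receiving host ("by ...") that is not covered by the reporter's configured mailhosts. The function names, the domain-suffix matching rule and the treatment of private 10.x hops as internal are assumptions made for the illustration.

```python
import ipaddress
import re
from email import message_from_string

# Received headers copied from the message quoted earlier in this thread.
SAMPLE = """\
Received: by 10.90.71.3 with SMTP id t3cs841379aga;
        Fri, 15 Sep 2006 01:02:02 -0700 (PDT)
Received: by 10.35.8.1 with SMTP id l1mr403554pyi;
        Fri, 15 Sep 2006 01:02:01 -0700 (PDT)
Received: from pl044.nas937.p-okayama.nttpc.ne.jp (pl044.nas937.p-okayama.nttpc.ne.jp [219.102.50.44])
        by mx.googlegroups.com with SMTP id c21si5865532pyc.2006.09.15.01.01.58;
        Fri, 15 Sep 2006 01:02:01 -0700 (PDT)
Received: from [219.102.50.44] (helo=kaabo)
        by go4-mailrelay.itecnethost.com with smtp (Exim 4.60)
        id 1JUZXZ-0009O2-1o

(body omitted)
"""

BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def is_private(host):
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:          # a hostname, not an IP literal
        return False

def in_mailhosts(host, mailhosts):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in mailhosts)

def find_source(raw, mailhosts):
    """Walk Received headers newest-first; return (source_ip, reason)."""
    for value in message_from_string(raw).get_all("Received", []):
        value = " ".join(value.split())          # unfold continuation lines
        by = BY_RE.search(value)
        by_host = by.group(1) if by else ""
        if not (is_private(by_host) or in_mailhosts(by_host, mailhosts)):
            # Unknown receiver: nothing from here down can be trusted.
            return None, f"receiving system {by_host!r} not in mailhosts"
        # Trusted receiver: the text before "by" is what it saw connecting.
        ip = IP_RE.search(value[:by.start()])
        if ip and not is_private(ip.group(1)):
            return ip.group(1), f"handed to {by_host}"
    return None, "no external hop found"

if __name__ == "__main__":
    print(find_source(SAMPLE, {"gmail.com"}))
    # Constructed variant: the same hop, but received by mx.gmail.com.
    print(find_source(SAMPLE.replace("mx.googlegroups.com", "mx.gmail.com"), {"gmail.com"}))
```

With only gmail.com configured, the walk stops at the mx.googlegroups.com hop and no source IP is produced, which matches the error text in the first post; the constructed mx.gmail.com variant yields 219.102.50.44 as the source.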


Thanks, everyone for your help. The whole thing remains a mystery to me. :unsure:

I'm not really looking forward to it, but I think I'm going to have to start wading through the RFCs so as to try and gain some understanding of this (to me, at least) very complex topic. :(

Wazoo, I hope you had a GOOD SLEEP! :D

Thanks and regards to all

Chris Souter


Archived

This topic is now archived and is closed to further replies.
