patrakov

Discard a Received line


Hello,

spammers started using techniques that avoid SpamCop reports against them:

1) Forged Received: lines pointing to IANA or some other clearly innocent party to which SpamCop doesn't want to send reports. Example:

Delivered-To: x
Return-Path: <jobs[at]careerone.com.au>
Received: from vps.inteloc.com (vps.inteloc.com [::ffff:207.58.141.13])
  by ums.usu.ru with esmtp; Thu, 09 Aug 2007 02:57:22 +0600
  id 0001405C.46BA2E34.00005D24
Received: from alsmwkb (180.73.241.5)
  by vps.inteloc.com; Wed, 8 Aug 2007 13:57:24 -0700
Date: Wed, 8 Aug 2007 13:57:24 -0700
From: jobs[at]careerone.com.au
X-Mailer: The Bat! (v2.01)
Reply-To: oraclevac.vanessa[at]gmail.com
X-Priority: 3 (Normal)
Message-ID: <21364222.20070130045435[at]careerone.com.au>
To: x
Subject: Our company offers you high earnings!
Mime-Version: 1.0

2) Delaying replies in order to avoid getting two spam reports. I.e., I replied to their "job offer" and got a link to h ttp://w ww.form-agr eement.co m/ (which is an attempt to get my credit card number) in two days (so that SpamCop considers the original mail to be stale).

So please:

1) Add a button in the "Report spam" page (that appears after clicking a link in the "SpamCop received X emails" message) to remove trust to a certain Received: line.

2) Add a button to paste related (but stale) email that is known to be from the same user, in order for it to be parsed for abuse addresses. The "Additional information" box doesn't work for this purpose because it doesn't do this parsing.


1. The existing mailhost system is designed to only trust those hosts supplying your email services. If the headers are being forged by your mail provider, you need to speak with them as the messages are actually being generated internally.

2. You should be reporting the spam as soon as you receive it. "Stale" spam does not help keep the DNSBL fresh.

2a. You should NEVER reply to a spam message as it will lead to increased spam to that address as you have now confirmed your address is live and more importantly, that you actually read the spam messages and will reply if the offer is right. You are a spammer's dream come true.


1. The existing mailhost system is designed to only trust those hosts supplying your email services. If the headers are being forged by your mail provider, you need to speak with them as the messages are actually being generated internally.

Let me check that I understand how this would work in this case. Your system would see that 207.58.141.13 is not supposed to relay mail from third parties to me, and is not supposed to forward mail from careerone.com.au to anyone - right?

Also, without replying, nobody would be able to report their website.

Edited by patrakov


I don't see any points scored here. IANA usually comes up when talking about non-routable IP addresses ... neither IP address seen in your provided headers fit into the non-routable blocks. However, there is a question about what is seen to be 'your' server ... what's with the attempted IPV6 construct? There are many, many current / mainstream applications that can NOT deal with IPV6 .... seems to me that there's an entry in the SpamCop FAQ about IPV4 and IPV6 .... is it possible that this is where you got your IANA reference?

SpamCop.net's Reporting toolset is about reporting spam, not web-sites, especially web-sites 'developed after the fact' .... As such, most of the requested actions are simply not valid. There are other tools, BLs, databases for that kind of reporting, complaining, action ...


I don't see any points scored here. IANA usually comes up when talking about non-routable IP addresses ... neither IP address seen in your provided headers fit into the non-routable blocks. However, there is a question about what is seen to be 'your' server ... what's with the attempted IPV6 construct? There are many, many current / mainstream applications that can NOT deal with IPV6 .... seems to me that there's an entry in the SpamCop FAQ about IPV4 and IPV6 .... is it possible that this is where you got your IANA reference?

The "IPv6 construct" is always written by Courier MTA. ums.usu.ru is my mail server that runs Courier MTA. 207.58.141.13 is the spammer. 180.73.241.5 is added by the spammer to fool SpamCop into thinking that it has to contact IANA.

SpamCop.net's Reporting toolset is about reporting spam, not web-sites, especially web-sites 'developed after the fact' .... As such, most of the requested actions are simply not valid. There are other tools, BLs, databases for that kind of reporting, complaining, action ...

Thanks for your reply. I understand.


We are still in the dark without a TrackingURL, but I suspect the problem is the "IPv6 construct" written by Courier MTA.

SpamCop would look at your first line and if it does not recognize [::ffff:207.58.141.13] as an IP address, it will ignore that line and find the next line with a valid IP address. In this case, it is finding the forged IP address.

Once again, the mailhost part of SpamCop reporting would not allow this to happen IF it can deal with the IPv6. You may need to have the IPv6 turned off, if possible, or it may not be able to work with SpamCop.
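
The failure mode suspected in the reply above, and the mailhost-style fix, as an added example that is not part of the thread and is not SpamCop's code. It uses the two Received: lines from the first post; the function names and the TRUSTED_MAILHOSTS set are assumptions made for illustration.

```python
import ipaddress
import re

# Received lines from the first post, unfolded; index 0 is the newest hop.
RECEIVED = [
    "from vps.inteloc.com (vps.inteloc.com [::ffff:207.58.141.13]) "
    "by ums.usu.ru with esmtp; Thu, 09 Aug 2007 02:57:22 +0600 "
    "id 0001405C.46BA2E34.00005D24",
    "from alsmwkb (180.73.241.5) by vps.inteloc.com; "
    "Wed, 8 Aug 2007 13:57:24 -0700",
]
TRUSTED_MAILHOSTS = {"ums.usu.ru"}  # assumption: the recipient's own MTA

IPV4_ONLY = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")
ANY_ADDR = re.compile(r"[\[(]([0-9A-Fa-f:.]+)[\])]")
BY_HOST = re.compile(r"\bby\s+([^\s;]+)")


def naive_source(lines):
    """IPv4-only parser: skips lines it cannot read, so it lands on forged data."""
    for line in lines:
        m = IPV4_ONLY.search(line)
        if m:
            return m.group(1)
    return None


def peer_ip(line):
    """Return the connecting address, folding ::ffff:a.b.c.d back to IPv4."""
    for token in ANY_ADDR.findall(line):
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            continue  # bracketed text that is not an address
        mapped = getattr(ip, "ipv4_mapped", None)
        return str(mapped or ip)
    return None


def trusted_source(lines, trusted=TRUSTED_MAILHOSTS):
    """Peer recorded by the outermost trusted hop; lines below it are untrusted."""
    source = None
    for line in lines:
        by = BY_HOST.search(line)
        if not by or by.group(1).lower() not in trusted:
            break  # written by a host we do not control: stop here
        source = peer_ip(line)  # None if unparseable: fail closed, never skip down
    return source
```

Here naive_source(RECEIVED) returns the forged 180.73.241.5, while trusted_source(RECEIVED) returns 207.58.141.13, the address recorded by ums.usu.ru itself.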
