Gingko

Posts posted by Gingko

  1. 2 hours ago, petzl said:

    RobiBue is correct but mailhosts sometimes get confused.
    Might try to delete your present mailhost and re-register them.
    SpamCop mailhosts collect a lot of nearby mailhost IPs
    Maybe
    Try opening another SpamCop account with no mailhosts setup
    Be careful you don't report yourself with every submission

    I just tried to delete this mailhost (I actually have 8 registered) and register it again.
    The new result looks very much identical to the previous one.

    There is a strange point there, anyway, that I have always wondered about.
    This registration also shows all the former IPs that I used on my previous servers (the successive ones that this server now replaces), even though I have not owned them for many years.
    It doesn't seem this can be deleted in any way.
    Even after having deleted the mailhost, they come back when registering again.

    And my other mailhosts also show many IPs not belonging to me.
    (they generally concern SMTP servers that I sometimes exceptionally use, like GMail, Hotmail, Yahoo, but which does belong to me)

  2. 6 hours ago, ninth said:

    It does not matter how long your server has operated if there are vulnerabilities in the security system and it may have been hacked... report to the server admin. I checked all 6 IPs in the headers and OVH France was the only one not blacklisted, and the Russian IP was listed but not the source of abuse - likely in a local network of other spammers. All the rest had inconsistent DNS and were level 2 listed for sending spam.

    If the messages go to IPs not known to your server it should not go through those routers, as Robi explained. This is a case of do not shoot the messenger and expect them to resolve problems for free when they did not cause them. SC is an automatic program that is updated to stay current to report spam, not to be a webmaster of all trades, and your best bet now is to take the Aussie's good advice.

    My server is a bare-metal dedicated server.
    No one but myself is its administrator.
    I have a full listing of its SMTP logs, kept for 24 days; I'd know if it had been hacked, at least at this level.

  3. 3 hours ago, RobiBue said:

    Hello Gingko,
    you seem to be running into the mailhost problem.
    On yours, the last received line is claimed to be a forgery (I am not quite sure why) but it's clear that it's complaining about mailhosts:
    Possible forgery. Supposed receiving system not associated with any of your mailhosts

    I ran an example from this first one you mentioned and this is the result:
    https://www.spamcop.net/sc?id=z6852725851zc170c42b2748612531d95d02d1c43095z

    On mine, without mailhosts set up, it goes straight to the Russian IP: whois for 136.169.211.136 : abuse (at) ufanet.ru

    Some people don't have mailhost problems; I never use them since I don't have my own mailhosts I run through...

    I don't think so.
    My mailhost is kim8.reeves.fr (currently 87.98.218.11); it has been registered for more than 10 years, and there has been no recent change on it.

    Neither 51.195.100.62 nor 136.169.211.136 is mine.

    And this problem came out starting June 2023, whereas I have been reporting from this mailhost (which hasn't changed recently) the very same way for much, much, much longer than that without this kind of problem.

    But 51.195.100.62, although not mine, is also OVH, like my 87.98.218.11.

    I don't know why 136.169.211.136 is claimed to be a forgery.
    Maybe it is actually a forgery, in some way.
    Otherwise it is likely a Spamcop bug.

    Gingko

  4. On 6/27/2023 at 2:00 AM, petzl said:

    I don't understand why you wrote that?
    Some here get their jollies from fake help requests
    136.169.211.136 is not OVH? It's Russia. Always send a SC track URL in your request; it makes aid replies easier!
    OVH used to be black-hat and obnoxious. They have servers in different countries, must have their spammers now trained, not had spam from them for years?
    When they refused to stop, I sent a complaint to that country's CERT; seems OVH didn't like that?
    Would help if I could see at least one SC track, but your choice! (OVH would have your server from your report)
    "We offer a completely free and fully functional 2 weeks trial here. No credit card required."
    51.195.100.62 OVH have a free offer, a spammer's delight. You can ask them to reset the password, but SpamCop should be reporting to the Russian source?
    But it falls over if it does not have its DNS set up correctly

    Actually, it looks like you were asking for the tracking URL of my sample.
    My sample is one out of five, and in all of these cases the spams are reported to OVH, and OVH misunderstood them as having been sent by myself.

    For the record, here are the tracking URLs for all of them:

    Submitted: 07/06/2023 14:35:43 +0200:
    https://www.spamcop.net/sc?id=z6849854102zed06af770ac057586f0ce80e985399edz
    Submitted: 10/06/2023 13:04:22 +0200:
    https://www.spamcop.net/sc?id=z6850200976z96a521840b9823cf50bcc66986d9950bz
    Submitted: 21/06/2023 05:49:43 +0200:
    https://www.spamcop.net/sc?id=z6851513926z7e5877d656928d255a2174580d8cf21cz
    Submitted: 22/06/2023 16:34:05 +0200:
    https://www.spamcop.net/sc?id=z6851713322z1510237a4f610445d6ee38ea4d5bd4f0z
    https://www.spamcop.net/sc?id=z6851713324zf8111491b846f64ad5d3e7c5338e551cz

    The Received fields quoted above come from the first one.

  5. On 6/24/2023 at 1:50 AM, petzl said:

    Learn how to get a SpamCop Track URL link, shown at the top of the page BEFORE submitting.
    SpamCop only detects the IP of any weblinks, not the Registrar; times have changed.
    ISPs do not act on IPs of weblinks unless they have no Registrar!
    I use a Windows program to look up the Registrar.
    There are web-based ones, not used by me, so take care.
    https://www.whois.com/whois

    I don't understand why you write this.
    I don't have any problem with Spamcop submissions.
    I have problems with the OVH abuse service, which does not correctly interpret Spamcop reports that are correct.

  6. Hello.

    I have been a Spamcop user for more than 20 years.

    I have been reporting all the spam I receive since I subscribed to it.

    Among these spams, many come from a host of which I am also a client, because I am a tenant of several dedicated servers with them: OVHcloud (actually from their low-cost subsidiary company Kimsufi).
    One of them hosts a Postfix server for relaying mails, and a Dovecot server for receiving them.
    For several weeks, many reports that I send to OVHcloud via Spamcop have generated emails that OVHcloud sends to me stating that I am the spammer and that I should take action against it.

    Whereas in reality, these are spam messages that are sent by other OVHcloud customers and of which I am the recipient.

    Here is a sample of the Received: field found in the headers of one of these spams. “xxxxxxx” replaces the domain name of my server.

    Quote
    Received: from mail.key-consulting.tech (mail.key-consulting.tech [51.195.100.62])
    	by xxxxxxx (Postfix) with ESMTPS id 3CE881D600B5
    	for <x>; Wed,  7 Jun 2023 11:45:58 +0200 (CEST)
    Received: from 136.169.211.136.dynamic.ufanet.ru (unknown [136.169.211.136])
    	by mail.key-consulting.tech (Postfix) with ESMTPSA id 0591D1BBBD90;
    	Wed,  7 Jun 2023 09:26:45 +0000 (UTC)


    Of course, I filed a complaint to the OVHcloud support.

    The only answers that I got are the following (here translated from French):

    • Do not use Spamcop for reporting spams (and instead, use another one known as less efficient).
    • If you no longer wish to receive emails from our abuse team, I invite you to contact Spamcop so that it no longer provides your domain name when reporting them, or use our reporting form directly on our site:
      https://www.ovh.com/abuse/#!/
    • In the report, a service that belongs to you is identified, which, suddenly, creates a ticket in your name.
    • As indicated, if your service is indicated in the report, then a ticket will be created.

    I understand from this that, for them, everything is normal: your server appears in the spam, and therefore it is normal that you are detected as a spammer.

    Is there a place other than OVHcloud where I could file a complaint about this?

    Regards,

    Gingko

  7. Hello,

    Since yesterday I have a strange problem:

    I recurrently (… ahem … at least twice so far) receive spam confirmation emails where all messages, when I want to "finish spam reporting" for them, display "Mailhost configuration problem, identified internal IP as source / Mailhost: / Please correct this situation - register every email address where you receive spam".

    I know how to proceed with "Mailhost configuration problem".

    Normally.

    But this also corresponds to messages that I actually never submitted.

    True for all messages in the same confirmation mail.

    Is it possible that there would be a bug mismatching confirmation messages, or their submitted spams themselves, between users?

    Regards,

    Gingko


  8. In the meantime, I sorted all the spams that I received from this "spam cluster" (that I identified as part of the same group by several common features).

    I have 158 spams so far, starting January 9th, incoming in two mailboxes hosted by the same ISP.

    They are coming from 10 different sources, the most active being:

    • ncdhost.com (43 spams)
    • hopone.net (41 spams)
    • dacentec.com (23 spams)
    • ni.net.tr (16 spams)

    The six others (datashack.net, heymman.com, layer6.net, uaservers.net, vernet.lv, wholesaleinternet.net) have fewer messages, and sometimes lasted only for a short period, meaning that the spammer may already have been shut down by that hosting service.

    I could eventually forward all of them to their respective senders, but is it worth the attempt?

    Gingko

  9. One more thing about these spams:

    Although it is difficult to verify completely, I have some reasons to think that some of these spams, received once by SFR, could have been handled internally by SFR and distributed more than once to the recipient at random intervals.

    I receive many of these spams several times with identical contents, as if they came back after having been completely deleted from the mailbox.
    After reporting, they could sometimes have been seen as duplicated reports.

    And if I look at my past reports history ( https://members.spamcop.net/mcgi?action=showhistory ), I can see that about half of them have been handled as "No reports filed" by Spamcop, without any more explanation.

    Gingko

  10. 9 hours ago, petzl said:

    You need to forward from your email account with this preamble at top of report
    http://173.240.15.12
    Name:   lebis.disians.com
    IP:        173.240.15.12
    Domain:    disians.com
    Registrar Abuse Contact Email:  mailto:abuse[AT]web.com

    EMAIL IP 173.240.15.12   abuse[AT]bigboxhost.com SpamCop has this wrong

    http://b.link/E-Leclerc-fr
    IP  18.208.23.249  abuse[AT]amazonaws.com

    Then paste headers and text body as you did for SpamCop

    I don't understand.

    Where should I forward this if it is not to Spamcop?
    I hope you are not telling me to forward directly to the spammer or to some hosting service related to it?

    Gingko

  11. 1 hour ago, Lking said:

    Thanks for the information. The tracking URI others suggested would have given others access to the information you provided above AND allowed visibility into the actions of the parser.

    I would think that a talk with your email service provider is in order. As you noted, the delays reflected by the top three Received entries are, I think, excessive. Have you brought this to your ISP's attention? They may not be aware of the delay, nor of the consequences. It is likely that none of their other customers report spam and care about the delay in receiving spam. I am amused by the server name: front26-smtp-dirty.sfrmc.priv.atos.fr  Does your other email go through this server? Or only spam?

    I would not want to assign motive to the delay in receiving spam. As I said, your provider may not be aware of the delay caused by the spam filtering / email authentication process.

    For your reference, the tracking URL can be found at the top of the reporting screen

    following the lines above.

    The ISP has been contacted by many angry users (not by me yet) for several weeks, and they only give hackneyed answers like "we are working on it" (for weeks!).

    About the tracking URL, ok, so you are speaking about URLs specific to a particular spam, as it changes for each spam.
    For the quoted headers above, the tracking URL is
    https://www.spamcop.net/sc?id=z6611133626z038eafa006f7aed4232b8a0c6617a97az

    And NO, if I look at the headers of some regular mails, they do NOT go through front26-smtp-dirty.sfrmc.priv.atos.fr.

    Gingko

  12. Here are the headers of a typical spam that I received that way:

    Quote
    
    X-Account-Key: account25
    X-UIDL: 1340827462.2205
    X-Mozilla-Keys:                                                                                 
    Return-Path: <Info@taobao.com>
    Received: from msfrf2639.sfr.fr (msfrf2639.sfrmc.priv.atos.fr [10.18.203.123])
    	 by msfrb1402 with LMTPA;
    	 Sat, 25 Jan 2020 13:52:04 +0100
    X-Cyrus-Session-Id: cyrus-366491-1579956697-1-4726002118533284992
    X-Sieve: CMU Sieve 3.0
    Received: from filter.sfr.fr (localhost [10.18.203.96])
    	by msfrf2639.sfr.fr (SMTP Server) with ESMTP id BA1613A844C69
    	for <x>; Wed, 22 Jan 2020 03:47:55 +0100 (CET)
    Received: from smtp26.services.sfr.fr (front26-smtp-dirty.sfrmc.priv.atos.fr [10.18.203.96])
    	by msfrf2639.sfr.fr (SMTP Server) with ESMTP id AE1C449EFFE50
    	for <x>; Mon, 20 Jan 2020 20:29:00 +0100 (CET)
    X-mail-filterd: 0.4.0
    X-sfr-spamrating: 100
    X-sfr-spam: high
    Authentication-Results: sfrmc.priv.atos.fr 1;
    	spf=fail smtp.mailfrom=Info@taobao.com smtp.helo=moratabich.xyz;
    	dkim=none;
    	dmarc=fail
    Received: from moratabich.xyz (lebis.disians.com [173.240.15.12])
    	by msfrf2639.sfr.fr (SMTP Server) with ESMTP id A0E671C051414
    	for <x>; Mon, 20 Jan 2020 20:29:00 +0100 (CET)
    Received: from moratabich.xyz (lebis.disians.com [173.240.15.12])
    	by msfrf2639.sfr.fr (SMTP Server) with ESMTP
    	for <x>; Mon, 20 Jan 2020 20:29:00 +0100 (CET)
    MIME-Version: 1.0
    From: E.Leclerc  client special <Info@taobao.com>
    To: [removed]
    Date: Mon, 20 Jan 2020 17:55:35 +0100
    Subject: Re : 2ème tentative pur [removed]
    Content-Type: text/html;
    Message-Id: <2798__________________________1C16@msfrf2635.sfr.fr>

    You can see that the spam was sent on January 20th at 20:29 CET, but I received it today at 13:59 CET.
    There are "Received:" lines for that, but SpamCop ignores them, as the last three "Received:" lines are internal handling by the receiving ISP declared in the mailhosts setup … thus this internal handling spans 5 days!

    A large part of the spams that I receive on this address have this huge internal-handling-time property.

    And this concerns only spam.
    Regular messages that I send to myself to the same address are delivered in a matter of seconds.

    Gingko
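    As an added illustration (not code from these posts, and not SpamCop's own parser), here is a simplified model of the trusted-path walk that the OVH headers in item 6 above and the SFR headers in this item both turn on: it unfolds the Received: chain, descends from the newest hop while the sending address is either a registered mailhost of the reader or a private/loopback address inside the receiving provider, names the first other address as the source to report, counts the hops beneath it as unverifiable (what SpamCop calls a "possible forgery"), and totals the time the mail spent inside the provider before delivery. The Received: lines are the ones quoted in the two posts (the "xxxxxxx" placeholder is kept), and 87.98.218.11 is the mailhost IP given in item 3; the private-address heuristic, the function names and the returned field names are assumptions of this example, not SpamCop's real rules.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Set

# Received: chains copied from the two posts above (only the Received: lines;
# the poster's "xxxxxxx" domain placeholder is kept as written).
OVH_HEADERS = """\
Received: from mail.key-consulting.tech (mail.key-consulting.tech [51.195.100.62])
    by xxxxxxx (Postfix) with ESMTPS id 3CE881D600B5
    for <x>; Wed,  7 Jun 2023 11:45:58 +0200 (CEST)
Received: from 136.169.211.136.dynamic.ufanet.ru (unknown [136.169.211.136])
    by mail.key-consulting.tech (Postfix) with ESMTPSA id 0591D1BBBD90;
    Wed,  7 Jun 2023 09:26:45 +0000 (UTC)
"""
SFR_HEADERS = """\
Received: from msfrf2639.sfr.fr (msfrf2639.sfrmc.priv.atos.fr [10.18.203.123])
    by msfrb1402 with LMTPA;
    Sat, 25 Jan 2020 13:52:04 +0100
Received: from filter.sfr.fr (localhost [10.18.203.96])
    by msfrf2639.sfr.fr (SMTP Server) with ESMTP id BA1613A844C69
    for <x>; Wed, 22 Jan 2020 03:47:55 +0100 (CET)
Received: from smtp26.services.sfr.fr (front26-smtp-dirty.sfrmc.priv.atos.fr [10.18.203.96])
    by msfrf2639.sfr.fr (SMTP Server) with ESMTP id AE1C449EFFE50
    for <x>; Mon, 20 Jan 2020 20:29:00 +0100 (CET)
Received: from moratabich.xyz (lebis.disians.com [173.240.15.12])
    by msfrf2639.sfr.fr (SMTP Server) with ESMTP id A0E671C051414
    for <x>; Mon, 20 Jan 2020 20:29:00 +0100 (CET)
Received: from moratabich.xyz (lebis.disians.com [173.240.15.12])
    by msfrf2639.sfr.fr (SMTP Server) with ESMTP
    for <x>; Mon, 20 Jan 2020 20:29:00 +0100 (CET)
"""

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<rdns>[^)]*)\))?\s+by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


@dataclass
class Hop:
    helo: str               # name the sender announced; trivially forgeable
    from_ip: Optional[str]  # address the receiving MTA actually saw, if recorded
    by: str                 # receiving MTA
    when: datetime          # timestamp written by the receiving MTA


def unfold(raw: str) -> List[str]:
    """Join RFC 5322 continuation lines (leading space or tab) onto their header."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in " \t" and lines:
            lines[-1] += " " + line.strip()
        elif line:
            lines.append(line)
    return lines


def parse_received(raw: str) -> List[Hop]:
    """Return the Received: hops newest-first, in header order."""
    hops: List[Hop] = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        clause, _, date_part = line.split(":", 1)[1].rpartition(";")
        m = HOP_RE.search(clause)
        if not m:
            continue
        ip_m = IP_RE.search(m.group("rdns") or "")
        date_part = re.sub(r"\s*\([^)]*\)\s*$", "", date_part.strip())  # drop "(CET)"
        hops.append(Hop(m.group("helo"), ip_m.group(1) if ip_m else None,
                        m.group("by"), parsedate_to_datetime(date_part)))
    return hops


def is_ours(ip: Optional[str], mailhost_ips: Set[str]) -> bool:
    """A hop is trusted when the sending address is a registered mailhost or a
    private/loopback address inside the receiving provider (assumed heuristic)."""
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return ip in mailhost_ips or addr.is_private or addr.is_loopback


def analyze(raw: str, mailhost_ips: Set[str]) -> Dict[str, object]:
    """Walk newest-first while the sending address is ours. The first address that
    is not ours is the source to report; the hops beneath it were written by that
    source and cannot be verified (the "possible forgery" case)."""
    hops = parse_received(raw)
    source = next((i for i, h in enumerate(hops)
                   if not is_ours(h.from_ip, mailhost_ips)), None)
    delays = [int((hops[i].when - hops[i + 1].when).total_seconds())
              for i in range(len(hops) - 1)]
    if source is None:
        return {"source_ip": None, "trusted_hops": len(hops),
                "unverifiable_hops": 0, "hop_delays_s": delays, "internal_delay_s": 0}
    return {"source_ip": hops[source].from_ip,
            "trusted_hops": source,
            "unverifiable_hops": len(hops) - source - 1,
            "hop_delays_s": delays,
            # time between the source handing the mail over and final delivery
            "internal_delay_s": int((hops[0].when - hops[source].when).total_seconds())}


if __name__ == "__main__":
    print("OVH sample:", analyze(OVH_HEADERS, {"87.98.218.11"}))  # kim8.reeves.fr
    print("SFR sample:", analyze(SFR_HEADERS, set()))
```

    On the OVH sample the walk stops at the very first hop, 51.195.100.62 (the key-consulting host is not one of the reader's mailhosts), which is exactly why the report goes to OVH, and the ufanet hop beneath it is counted as unverifiable rather than as the source. On the SFR sample the three 10.x hops are taken as internal, 173.240.15.12 is the source, and the gap between the source handing the mail to msfrf2639 and the final LMTP delivery comes to 408184 seconds, about 4.7 days, which is the delay the post complains about.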


  13. Hello,

    I have a problem: for about two weeks, I have had two mailboxes (hosted by the same operator) which are flooded by spam having weird characteristics:

    • Most of the received messages are already outdated, meaning that if I use Spamcop for reporting them, they are rejected because they are more than 2 days old, despite the fact that I submit them as soon as they are received.
    • If I delete them from the mailbox, it happens quite often that they come back a few hours later, as if I had never deleted them.
    • All of these spams originate (apparently, of course, as these sender addresses are always fake), for me at least (it may be different for other users), from only 3 different mailboxes:
      1 - Info@taobao.com
      2 - mailer-daemon@amazon.com
      3 - mailer-daemon@sourceforge.net

    All of this suggests that the operator itself could be involved in this situation.

    I'm not the only one having this problem; actually there is a large topic (38 pages so far) on the community forum of this operator where many users are complaining about the same problem:
    https://forum.sfr.fr/t5/votre-messagerie-sfr-mail/mail-suspect-reçu-de-ma-propre-adresse-mail-et-nombreux-spams/td-p/2164708

    The hosting operator is no less than SFR, which is one of the 4 main telephony and Internet operators in France.

    For me, this has lasted since January 9th, and I have got about 140 spams that way so far. But for other users, this seems to be older.

    I would like to know what you think about that as I fear this is likely to defeat the Spamcop system.

    Regards,

    Gingko
