Everything posted by InvisiBill

  1. I think there was a misunderstanding here. A lot of my comments were general information for anyone who happens to read this thread, nothing against you personally. I am completely agreeing with you that if Cloudflare is proxying material that they have been properly informed violates some law, they need to stop or face the consequences. However, Cloudflare doesn't have access to the original source of the material. I've seen this mentioned in the statements they've made when people have accused them of things before (implying there are a decent number of people who don't understand this), and it's completely true. Just like Google can remove the search results but has no access to the actual website, Cloudflare can remove the proxying functions spreading that website out, but they have no ability to do anything with the original server (since it's someone else's property). I'm not suggesting transactional immunity, I'm just pointing out that Cloudflare can only change things in their own systems, not in their customers' completely independent systems. And just to explicitly state it, the original copy still being there is not a valid excuse for Cloudflare to not terminate their proxying service either. I also wasn't trying to say that you shouldn't attempt a legal fight over this. I was simply pointing out that there are a lot of things that make these cases very difficult to win. The CAN-SPAM Act was passed 13 years ago. In the first 5 years spam was explicitly illegal, it actually increased 10-fold. I wish more spam and online fraud would get prosecuted, but we seem to have gotten the short end of the stick here. Unfortunately, it's much easier to steal resources and abuse others online than it is to track those people down and make them face the consequences. At least in this case, it's an established business and not some random spammer hiding in a shady country somewhere, so it's a much more solid target.
I genuinely wish you luck in this battle, and hope you succeed in stopping blatantly criminal actions. I don't personally have the resources for legal fights, so I just stick to helping people on the technical side of things.
  2. Cloudflare is 100% correct that they don't have any access to the customer's content. They're simply a middleman handing things back and forth. You have just as much access to the original content as they do. However, as a middleman proxying things back and forth, Cloudflare is completely in control of handing that content back and forth through their own systems. That's their entire point of existing. They absolutely cannot be expected to remove the original content, as it's entirely someone else's system. They absolutely should be expected to stop proxying content when notified that it's illegal. Google can't take down the actual sites listed in their search results (because it's someone else's system), but they are expected to remove links from their own system which point to those systems. I see no reason why Cloudflare should be treated any differently. Caveats: You telling them that you don't like something doesn't make it illegal and/or necessary for them to remove it. Laws are complex. Even if there is some allegedly illegal content, there are procedures to be followed in dealing with it. Laws frequently lag behind technology. Even if something is illegal offline (and should be elsewhere according to common sense), it may not be illegal online due to technicalities in laws. The anonymity of the internet, its international nature, and the technological cluelessness of our lawmakers all contribute to making legal fights against these sorts of things very difficult. I'm not in any way qualified to give you legal advice, but I wish you luck in fighting against those who enable spam and other fraud.
  3. No it doesn't. You can find the tracking URL of past reports by viewing the report in your history and clicking the "Parse" link at the top. No, we can't. We need the tracking URL.
  4. On principle, I disagree with that advice. Sure, it's the best way to simply stop getting the spam (when dealing with a well-known entity like this). But spam from a legitimate company is still spam. Simply unsubscribing from spam that you never signed up for reinforces the idea that it's ok to spam people, and the victims can just remove themselves if they don't want it. It shouldn't require work on my part to stop you from abusing my resources and annoying me. If Mailchimp's reputation and ability to deliver emails is important for continued growth, then they need to make sure they're not doing things to give themselves a bad reputation and impact deliverability (like providing spamming services). By reporting any spam they send me, I'm simply calling a spade a spade, no more or less. KNERD, check the email, including the links in the footer as well as in the email headers, for an "abuse" link rather than a plain unsubscribe. It should unsubscribe you as well, while alerting the mailing service that their customer was spamming you.
  5. ICANN itself acts that way. http://www.knujon.com/
  6. In a URL, parameters are the things after the question mark. In your SpamCop tracking URL, it's "id=z6289054704z1ca8c0c6638bb944ad328cf46dd3ee00z". That tells the webpage that the item "id" has a value of "z6289054704z1ca8c0c6638bb944ad328cf46dd3ee00z". When you go to the spamcop.net domain and load the /sc page, it pulls up the report with an ID of "z6289054704z1ca8c0c6638bb944ad328cf46dd3ee00z". Every single tracking URL loads the same /sc page on the webserver, but each one has its own unique ID. Spammers can use this to put an encoded version of your email address or other info into the URLs. That "9020321_hcywgultvlggov_1_track57_57_2_79206" at the end is probably specific to you in some way. SpamCop removes this so that the reported URLs don't give away your identity to the offender. The effectiveness will depend on how tricky the spammer is about disguising your details and how smart SpamCop's algorithms are.
  7. For anyone else who stumbles upon this thread while trying to fix an issue, https://www.spamcop.net/mcgi?action=mhedit is what you're looking for. SpamCop doesn't have any magical powers to know which servers are or aren't "your ISP". It works by sending an email to you directly, and noting which servers are involved when you submit the email back to SpamCop. If anything in your mailflow has changed (including behind the scenes stuff at your ISP), you'll need to redo your mailhost config to make SpamCop aware of the new setup. It's the same thing you had to do when you first set up your SpamCop account, and there's a tab for it at the top of the SpamCop page.
  8. With GMail, you can simply add "+whatever" onto your username to create unlimited, instant aliases. I set up something similar on my mail server hosted at Site5 using filters on the catchall address. Technically these alias emails come in under the catchall, then filters sort them into users' mailboxes. But it still ends up that I can create a "new" email address on the fly and it will end up in my own mailbox. The aliases themselves don't do anything to stop spam, but they make it easy to identify the source and filter it if it becomes a problem.
  9. jazz25 appears to be the spammer here. It seems he registered just to post about this review, and trying to get us to flag it. I don't see how the review is any sort of unsolicited commercial content, therefore it has absolutely nothing to do with spam. The closest I can link this to spam is jazz25's associating this to his business performance. I have no experience with GB Car Deals. I have just as much reason to believe the anonymous reviewer as I do Jazz. If you can get a sworn affidavit from every current and former employee ensuring that they didn't write this, I'll be happy to do what I can to mark it as fake.
  10. The only IP that can be trusted is the one that handed the message to your mail system (since your mail system directly interacted with it). Anything before that could be forged header lines, and can't be trusted. You will see this on nearly every email you submit to SpamCop.
  11. mx1.tb.ukmail.iss.as9143.net bizsmtp Connection rejected. Your IP is in RBL. Please see https://www.spamcop.net/bl.shtml? mx1.tb.ukmail.iss.as9143.net has chosen to block your email. They did this despite SpamCop's warning that they shouldn't do so. The rejection notice implies that they made their decision at least partially based on SpamCop's data regarding your mail server's IP, but that IP isn't currently in the SCBL and doesn't appear to have any recent history in it either. Compare it to https://www.spamcop.net/w3m?action=blcheck&ip= to see what a listed spammer IP looks like. SpamCop simply makes a list of mail servers that have sent multiple spams to their spamtraps and to their registered users. Many people and organizations make use of that data to help determine if a message is spam or not. Unlike some other RBLs, SpamCop doesn't try to block innocent users in hopes that collateral damage will cause someone to take action. They track actual IPs that have sent multiple spams, and the IPs automatically delist after a little while if they don't send more spam. Personally, that's exactly what I want in an RBL. As precise as possible and self-cleaning as long as the spamming doesn't continue. Unfortunately, shared hosts are prime targets for collateral damage. When you have a thousand people sharing a mail server, one bad person can cause problems for the other 999. The better hosts (like Apple) will take steps to keep spammers from creating accounts in the first place, and remove them quickly when they do get in. But just like living in an apartment complex, sometimes your neighbors will do things that cause issues for you, even if you personally did nothing wrong and the apartment works as quickly as possible to fix the problem. The receiving mail system (assumed to be your father's ISP) is saying that Apple's mail server is the problem. 
As someone trying to use that server to send mail to their system, they're simply letting you know that they've chosen not to accept your email because they've decided it's spam. They're implying via the link that this decision is based on SpamCop's data about the server, but currently the SCBL doesn't list that IP, and it doesn't look like it has at all recently. Your personal static IP has seemingly nothing to do with this decision (though only the ISP can say for sure). The only reason any of this falls on you is because you want to send an email to your father. You're perfectly free to ignore the error and wait for it to resolve itself (assuming the server ever was listed in the SCBL, it's already been delisted). However, it's in the best interests of your father, as a customer of the ISP, to let them know when their systems aren't working properly. Generally a lack of complaints is interpreted as everything working properly, which tends to lead to things staying the same (or even adding more of the problematic item, since it's assumed to be good). Your father's ISP is the one denying your service. They have come to the conclusion that it's best for them to simply block any mail server that has recently sent spam to a SpamCop user/spamtrap (at least that's what is implied by their rejection notice, though it may not even be accurate). Even SpamCop doesn't think this is a good idea. I guarantee that even if SpamCop were shut down, the ISP would simply find another RBL (probably one less careful than SpamCop) to use for blocking mail. The problem is how the ISP has chosen to deal with incoming mail from potential spammers, not that SpamCop has chosen to make a list of servers that have sent spam. FYI, it looks like they have a history of false positives in trying to block spam coming into these servers. https://www.google.com/search?q=mx1.tb.ukmail.iss.as9143.net
  12. I'm guessing you need to update your mailhost configuration. SpamCop doesn't have any magical powers to know which servers are or aren't "your ISP". It works by sending an email to you directly, and noting which servers are involved. If anything in your mailflow has changed, you'll need to redo your mailhost config to make SpamCop aware of the new setup.
  13. The submitted email for that report has no body. SC's parser needs to have a body to work properly. http://forum.spamcop.net/topic/16745-yahoo-spam-empty-message-spam-in-subject/ is a current thread regarding that limitation, though yours doesn't seem to be the "subject spam" that others are seeing.
  14. I too have seen a huge uptick in spams with a long subject (like 4KB) and no body lately. If this is spammers' latest trick to get around SC reporting, it would be nice if SC could handle that. I like the idea of prompting something to the effect of "No body in email - is that on purpose or did you screw up while submitting it?" I submitted three of them today as attachments to an email, and still got the "missing body" error (so that's not a fix/workaround for the issue). It's rather annoying to have to copy/paste/edit each spam manually.
  15. It might be an issue with how SC is programmed to look the info up. It appears to look up the IP (https://www.spamcop.net/sc?action=showcmd;cmd=whois to get the contact, which it then looks up for the abuse info (https://www.spamcop.net/sc?action=showcmd;cmd=whois tf2854-ripe%40whois.ripe.net). The abuse info is in the IP result, but not the contact result. It appears SC is walking right past the info it needs.
  16. Is there something specific you're having trouble doing with MailWasher? I have the older version (I don't use it enough to find it worth the price of buying a license for the new version; I got my current license for free because I donated a few bucks before it went to a paid product), but from what I've seen it's quite similar, just with an updated look. In the older version, you simply put in your unique SpamCop submission address in MW's SpamCop settings, and make sure you have your SMTP settings configured so that you're able to send out email. When you report the spam from MW, it simply forwards a copy to your SC address. If you want to check incoming emails against the SpamCop Blacklist, you can add bl.spamcop.net as another DNSBL (if it isn't already in the default settings). Personally, I use MW mostly as an email notification app. It's a tiny bit easier to report spams from MW than from Thunderbird, but I wouldn't be too upset if I lost MW for some reason. Its actual spam categorization is rather wonky for me without white/blacklisting every address, seeming like chunks of the learning are resetting every time I restart MW. The Bounce feature it originally had does nothing against the really annoying spammers and harms innocent bystanders. Perhaps the new version is better, and maybe others use it differently, but to me it's a decent notifier that also happens to have a button for SpamCop reporting (so it kills two birds with one stone), but isn't all that amazing otherwise. I do also have SpamAssassin configured very well on my mail server, so I simply don't get that much spam to begin with.
  17. To further explain one of the previous suggestions, if you forward 10 spams as 10 attachments to a single email, you'll get back one email with 10 links in it. It sounds like SpamGrabber sends a separate email for each spam (MailWasher Pro does this too), so you end up getting 10 emails back. If you use Firefox with Greasemonkey or another browser/addon that supports user scripts, https://userscripts-mirror.org/scripts/show/34417 will automate some of the submission stuff. After you submit one report, it will automatically advance to the next one. You'll still have to click Submit 10 times, but you shouldn't need a bunch of clicks in between them. If you're a free user, there's still the delay, but it automatically jumps to the next Submit button with no work on your part (sometimes when I'm really impatient I'll open each link in a new tab in parallel). There's an auto-submit option in the script, but that's a level of risk comparable to Quick Reporting. It also highlights a few of the more important header lines in the spam on the report screen, to make it easier to see the details at a glance. Ideally, the SpamCop report should be correct, and you just need to hit Submit to send it on its way. You want to make sure that the IP getting reported is the proper one (and not your own ISP's relay, for example). You're supposed to make sure that any reported links are actually spam-related. It's possible if the spammer is disguising the link, that the SC parser might pick up the decoy text as another URL, even if the site being used as the decoy isn't really the one spamming you. You're really just double-checking to make sure the parser didn't find something it shouldn't have.
  18. He's suggesting that you post one of the tracking links here along with your question. It's easier for us to figure out what's going on when we can see an actual example of the spam. That's sort of true, but it's another way of disrupting spammers. If your filters are good enough that no spam gets through, then nobody on the server actually sees the spam, and therefore it's 0% effective. Unfortunately, this can only be completely effective if everyone protects every mail server perfectly. While simply filtering out spam on your server may feel like you're just ignoring it, that's really about the best you can do to personally stop spam (along with reporting it to anti-spam organizations as you're already doing). You're not directly harming the spammers by just filtering the spam out, but you are making their spamming attempts less valuable. While spam is illegal in the US, even here it's nearly impossible to actually get a spammer via the legal system. In most cases of action against spammers, it's done by the spammer's host, solely because they don't want to be associated with spammers and lose legitimate business because of it. In a country with little regard for others' IP and laws (like China), it's just going to be that much worse. There are some ISPs who cater to spammers - they're able to make enough from the spammers that they don't bother to try keeping a good image. There are also spammers who try to set things up so that they get spam reports rather than their upstream hosts (so you're sending reports to the people sending the spam rather than the ISP they're spamming through). Some ISPs are simply understaffed and don't have the manpower and/or technical skills to actually stop spammers on their network. There are a lot of reasons why spammers don't get stopped. I'm not surprised that one from China is still going, but I wouldn't necessarily say it's simply because of some loophole in Chinese law. 
Even if you don't directly get the spammer shut down, additional reports will help to get the IP/URL added to blacklists, which will help more spam filters catch it and therefore keep it from being seen (which essentially makes it worthless).
  19. I would suggest re-adding mailhosts for your email address at https://www.spamcop.net/mcgi?action=mhedit. Microsoft has a lot of mail servers involved with their stuff, and I'm thinking your SpamCop settings might not be up to date. I have accounts at Hotmail and protected by Microsoft's cloud filtering service, so when I look at your tracking URL, it shows the MS IPs as verified and actually targets the last IP as the source of the spam.

      Parsing header:
      host 2a01:111:f400:7e46:0:0:0:208 = mail-bl2nam02lp0208.outbound.protection.outlook.com (cached)
      mail-bl2nam02lp0208.outbound.protection.outlook.com is 2a01:111:f400:7e46:0:0:0:208
      0: Received: from SN1PR19MB0445.namprd19.prod.outlook.com ( by CY1PR19MB0444.namprd19.prod.outlook.com ( with Microsoft SMTP Server (TLS) id 15.1.361.13 via Mailbox Transport; Wed, 23 Dec 2015 11:25:21 +0000
      Internal handoff at Hotmail/MSN
      1: Received: from BY1PR19CA0038.namprd19.prod.outlook.com ( by SN1PR19MB0445.namprd19.prod.outlook.com ( with Microsoft SMTP Server (TLS) id 15.1.361.13; Wed, 23 Dec 2015 11:25:21 +0000
      Internal handoff at Hotmail/MSN
      2: Received: from BL2NAM02FT006.eop-nam02.prod.protection.outlook.com (2a01:111:f400:7e46::208) by BY1PR19CA0038.outlook.office365.com (2a01:111:e400:51a3::48) with Microsoft SMTP Server (TLS) id 15.1.361.13 via Frontend Transport; Wed, 23 Dec 2015 11:25:20 +0000
      Hostname verified: mail-bl2nam02lp0208.outbound.protection.outlook.com
      Hotmail/MSN received mail from Hotmail/MSN ( 2a01:111:f400:7e46:0:0:0:208 )
      3: Received: from BAY004-MC5F5.hotmail.com ( by BL2NAM02FT006.mail.protection.outlook.com ( with Microsoft SMTP Server (TLS) id 15.1.355.15 via Frontend Transport; Wed, 23 Dec 2015 11:25:19 +0000
      Internal handoff at Hotmail/MSN
      4: Received: from ded1.exinary.com ([]) by BAY004-MC5F5.hotmail.com with Microsoft SMTPSVC(7.5.7601.23143); Wed, 23 Dec 2015 03:25:18 -0800
      Hostname verified: ded1.exinary.com
      Hotmail/MSN received mail from sending system
      Tracking message source:
      Routing details for
      [refresh/show] Cached whois for : abuse[at]hostingsolutionsinternational.com
      Using abuse net on abuse[at]hostingsolutionsinternational.com
      abuse net hostingsolutionsinternational.com = postmaster[at]hostingsolutionsinternational.com, abuse[at]hostingsolutionsinternational.com
      Using best contacts postmaster[at]hostingsolutionsinternational.com abuse[at]hostingsolutionsinternational.com
      Sorry, this email is too old to file a spam report. You must report spam within 2 days of receipt.
      This mail was received on Wed, 23 Dec 2015 03:25:18 -0800
      Message is 12.6 days old
      not listed in cbl.abuseat.org
      not listed in dnsbl.sorbs.net
      not listed in accredit.habeas.com
      not listed in plus.bondedsender.org
      not listed in iadb.isipp.com

      I'm not sure if it's better or worse, but my config points to the IP that connected to Hotmail to send the spam, rather than reporting it to Hotmail itself. I don't know if the ISP is going to do anything about the IP sending spam through Hotmail, or how vigilant Hotmail is about removing spammers, so I don't know which method of reporting would be more effective.
  20. I am getting this error repeatedly as well. The error page shows only a blank subject line for me though (compared to emanmb's linked image with actual details of an email). I use a hosted service for my email, so I'm limited on how much troubleshooting I can do there. I'm not seeing any signs of email delivery problems though, including getting emails from SpamCop (submission notification alerts, automated responses to reports that I've submitted, etc.). I'll email Don my details later when I have access.
  21. Expanding on what others have said, don't use MailWasher's "bounce" feature. Since most email addresses are forged or non-existent, the bounce most likely won't ever actually make it back to the spammer. If it does get somewhere, it'll probably be an innocent bystander (whose email address was chosen just as randomly as yours). And finally, it's your own client sending an email that looks like a bounce report. Anyone who knows anything at all about email headers can see that it came from your IP rather than directly from the mail server. If someone took the time to look at the bounce, it would actually verify that the spam went to a valid email address. The bounce feature is good for making that stalker ex think you've changed your email address. It's not good for stopping spam.
  22. johnwade, my guess is that some of your security software or the spammer's ineptitude caused there to be no HTML attachment or phishing link in the email when you opened it. That looks like a standard phishing email, which would either include an HTML form that submits data to some non-PayPal server, or a link to a hosted phishing site with a similar form. Whereas SpamCop is designed to attack the source of spam, PhishTank is designed to expose phishing URLs. I highly suggest submitting phishing emails to them, to help out everyone else. They don't actually send reports like SpamCop does, so you don't have to worry about passing personal information back to the malicious sender, it just flags the site as being bad. Usually the destination that the HTML form submits to will then forward you to the actual site that's being phished (i.e. www.hackersite.com/stealyourdata.php -> www.paypal.com), which causes PhishTank to display the actual PayPal site as the screenshot when sending them the form submission URL. While this is technically not exactly accurate, it does make the URL appear to be a standard phishing site when others are examining and voting on it (which is helpful because some people there refuse to mark anything as a phish if it doesn't have explicit logon fields).
  23. Bit.ly lets you see details about a shortened URL by adding a "+" on the end. For example, http://bit.ly/6wgJO becomes http://bit.ly/6wgJO+. Unfortunately, I don't know of any way to handle bit.ly abuse other than manually emailing them about each one. SpamCop has also said that they specifically don't try to resolve forwarded URLs like this. They alert the host doing the forwarding, which should be motivation for them to come up with a good way of handling abuse. On the other hand, if SpamCop is able to parse through forwarders to the true spam URL, it hits the spammers directly that they can't simply hide behind forwarders to obfuscate their spam links. Hmmmm... After previewing the message, my first bit.ly URL is automatically converted to the actual link. It appears SpamCop (at least the forum) has the ability to resolve obfuscated bit.ly URLs.
  24. People using Spamgourmet along with SpamCop reporting should also add it to their own mailhosts at http://www.spamcop.net/mcgi?action=mhedit (using a Spamgourmet-protected address). This will allow the parser to recognize the Spamgourmet hosts in addition to your own mailservers, so it should parse back through to the server that actually sent it to Spamgourmet. It prevents reports against Spamgourmet and reports the actual spammers - a win-win situation.
  25. To expand on what Don said, certain parts of email headers can be spoofed. All of the previous handoffs (further down in the headers) are unverifiable. The hostname that the server reports may or may not actually be its DNS name. Malicious users can add extra or fake info there. However, the IP that connects to your own mail server has to be real in order for the connection to happen. As your MXToolbox link shows, that IP resolves to that hostname and appears to be a working email server. As far as I can tell, all the facts support your side, and they're simply saying, "Nuh uh!" If they can dispute the MXToolbox results, then I'll take them seriously.
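
The trust rule described in posts 10 and 25 above (only the IP that connected to your own mail system is reliable; everything further down the headers can be forged), as an added example that is not part of the original posts and is not SpamCop's parser. The host names, the network in `MY_NETS` and the sample message are constructed assumptions standing in for a mailhost configuration.

```python
import ipaddress
import re
from email import message_from_string

# Assumed "mailhost" configuration: names and networks of my own mail servers.
MY_HOSTS = {"mail.myisp.example", "filter.myisp.example"}
MY_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample. The top two headers were written by my servers; the
# bottom two arrived with the message and could have been typed by the sender.
SAMPLE = (
    "Received: from filter.myisp.example (filter.myisp.example [192.0.2.10])\n"
    "\tby mail.myisp.example with ESMTP; Wed, 23 Dec 2015 11:25:21 +0000\n"
    "Received: from sender.example (unknown [203.0.113.50])\n"
    "\tby filter.myisp.example with ESMTP; Wed, 23 Dec 2015 11:25:19 +0000\n"
    "Received: from mail.myisp.example (mail.myisp.example [192.0.2.10])\n"
    "\tby mail.myisp.example with ESMTP; Wed, 23 Dec 2015 11:25:00 +0000\n"
    "Received: from bank.example ([198.51.100.1])\n"
    "\tby mail.myisp.example; Wed, 23 Dec 2015 11:24:00 +0000\n"
    "From: someone@bank.example\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

BY_RE = re.compile(r"\bby\s+([^\s;()]+)", re.I)
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def parse_received(value):
    """Return (connecting IP or None, 'by' host or None) for one Received value."""
    by = BY_RE.search(value)
    # Only look for the peer address in the "from" clause, before "by".
    from_part = value[: by.start()] if by else value
    match = IP_RE.search(from_part)
    addr = None
    if match:
        try:
            addr = ipaddress.ip_address(match.group(1))
        except ValueError:
            addr = None  # bracketed text that is not a valid address
    return addr, (by.group(1).lower() if by else None)


def find_source(raw_message):
    """Walk Received headers newest-first.

    Returns (source_ip, unverifiable_count): the first address one of my own
    servers saw connecting from outside, and how many headers below that
    point were supplied by the sending side and cannot be verified.
    """
    headers = message_from_string(raw_message).get_all("Received") or []
    for i, value in enumerate(headers):
        addr, by_host = parse_received(value)
        if by_host not in MY_HOSTS or addr is None:
            # Not written by my servers (or unparsable): trust ends here.
            return None, len(headers) - i
        if any(addr in net for net in MY_NETS):
            continue  # internal handoff between my own servers
        # First external peer. Stop here even if later headers claim to be
        # internal handoffs: they sit below the trust boundary.
        return str(addr), len(headers) - i - 1
    return None, 0


if __name__ == "__main__":
    print(find_source(SAMPLE))
```

The walk stops at the first external peer, so the forged "internal handoff" header lower in the sample never gets a chance to move the blame to a different address.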