
RobiBue

Member
  • Posts

    453
  • Joined

  • Last visited

Recent Profile Visitors

3,808 profile views

RobiBue's Achievements

Advanced Member

Advanced Member (3/6)

0

Reputation

  1. oddly enough, slippery egg noodles are one way of crunching numbers, but Wat is a slippery dish that can be enjoyed while fighting spam. Just a geek could possibly know (or someone fluent in crunching search numbers). Enjoy whichever dish you prefer, as tastes in this world, encompassing different cultures, vary 😂
  2. no, those are only visible for the reporter (OP). the top one is the link we can use, the other two, the OP would need to access those reports and post the tracking URLs.
     I sometimes go into [Past Reports] tab and select from the reporting time I choose the spam I'm interested in. There, it depends on which link was chosen:
     1. I always choose my own reported link (to myself) where at the bottom, below the drop-down box (Please select one..) and the [Proceed] button (I don't use those) there is a link Show how SpamCop traced this message which is actually the tracking URL, but only for my own report.
     2. If the link clicked is a different one (for one of the ISPs,) then at the top there is a Parse link which again is the tracking URL (not the address shown in the URL bar for that page itself)
     3. or by clicking on either link to get to the parse screen and post the tracking URL given there as Here is your TRACKING URL - it may be saved for future reference: https://www.spamcop.net/sc?id=z6872954240z195cc201101d96d3efa15fe9001511f2z
     all three aforementioned and given links point to the same spam on my reports, but each taken from a different source. HTH
  3. that header looks wrong to me: lines 12 and 14 seem to be without a space at the start of the line. and then line 21 seems like an empty line which causes the next part to become the body.... followed by many more empty lines.... maybe one or more of those is your problem... (my 2 cents)
  4. SpamCop has been around for decades (2½ IIRC) and at the beginning, along with n.a.n.a.e and the different abuse desks at the serious ISPs it was a delight when spammers would face either whacking with a clue-by-four or even charged criminally in court, but now providers don't take it seriously anymore, probably due to the lack of manpower and the increased automation of their systems. besides, since CISCO took over, their main cyber product is talos which takes preference and SC is only a minor side-toy (at least that's the way I see it) that allows users to report spam (if it helps, good, if it doesn't, not much lost) to propagate abusing MXs into blocklists. If someone with more knowledge behind the scenes would like to correct my stance I would greatly appreciate it if I'm wrong, but with an explanation. Every now and then SC does get an "update" but a lot, as you say, has been neglected...
  5. I wish I could help you there, as I have really no idea how it works or is supposed to work (well, I do have an idea on the latter, but not specifics.) anyhoo, that said, I noticed in your list a plain antispamcloud.com (49.) which puts me to thinking if that's a catch-all of your possible MXs... just thinking out loud here... hoping that an expert in this matter could chime in soon...
  6. ok, I'm no xprt on mailhosts since I don't use them anyway, but do you have one of those on your list that matches one in your Received: lines when you look at the raw email headers? go from the top down and use the email that you received from SC... that's at least what I would do ... edit: from top down meaning the Received: lines, not the list HTH
  7. for me, afaicr*, sendgrid has always been dev/nulled... * as far as I can remember
  8. SC doesn't continue past the first unmatched host due to the nature of spams: spammers historically insert/inject fake Received: headers to fool systems to keep parsing past the actual spammer host. and that's where SC usually does its best and stops at the first fake encounter. it is unfortunate that M$ handles their MX hosts the way they do, causing them to be marked as spam source. I maintain that M$ needs to fix their system to the way it was intended, and not the way they would prefer it to be hidden.
  9. like Lking said, the parser removes personal info (as well as possible). That's why the tracking URL is always helpful. The problem with hotmail/outlook/microsoft is that their host names do not return IP addresses:
     Host AS8P193MB2383.EURP193.PROD.OUTLOOK.COM (checking ip) IP not found ; AS8P193MB2383.EURP193.PROD.OUTLOOK.COM discarded as fake.
     so already the first host, failing to return the IP address, causes the parser to throw away the remaining Received: lines and therefore uses the first IP address (in this case the IPv6 given on the Received: for that host) to find the abuse contact. This is Microsoft's fault that they try to hide their hosts and therefore the spam is presumed to come from them. They should fix their DNS records or keep getting hit by reports.
  10. and therein lies the problem, twitter/X doesn't care. besides, links in spam messages are low priority, even though the spamvertised sites should be also shut down... yet many times spammers add innocent bystanders/third parties to their junk and those are the ones that suffer in the end. Important is to stop the source, where the spam comes from... edit: this one for instance: https://www.spamcop.net/sc?id=z6863557071z9dd95abcddd5d6187a8a0877d4c50b88z online.net is the one I want to look into my junk twitter/X is just a redirect and who knows how many other redirects behind that link... I'm not going to follow that rabbithole today... done it before and too often. I'd need to check the http(s) return headers and currently I don't have the will to go after it... I'd like the end-server/host but I don't want the link to reveal my info, so I'm not going there now... did I already mention that? LOL
  11. just to clarify: this spam does seem to have originated at google (there's a BUT at the end): https://toolbox.googleapps.com/apps/messageheader/
     adding the whole header in that tool shows the following: (as image(s) since I doubt that the formatting will remain)
     I also went ahead and verified the DKIM record: https://powerdmarc.com/dkim-record-lookup/
     BUT: either the spammer found a way to send the spam from google through an open proxy (116.206.125.107:52034 (port 52034)) OR managed to spoof the DKIM record and inject the headers below the 116.206.125.107 proxy. I say that because there is a "disconnect" between these two Received lines:
     Received: from [116.206.125.107] (port=52034 helo=nsacct.org) by a2plcpnl0219.prod.iad2.secureserver.net with esmtp (Exim 4.95) id 1qkPWK-00CryP-Gv for x; Sun, 24 Sep 2023 06:51:42 -0700
     Received: from mail-sor-f65.google.com (mail-sor-f65.google.com. [209.85.220.65]) by mx.google.com with SMTPS id o8-20020a17090a9f8800b0025678d34362sor791813pjp.5.2023.06.26.06.46.26 for <x> (Google Transport Security); Mon, 26 Jun 2023 06:46:26 -0700 (PDT)
     Personally, I wouldn't trust anything below the first of these two... (my opinion and 2¢)
     P.S. (edit) forgot to mention that 116.206.125.107 is listed in several blocklists... https://www.spamcop.net/sc?track=116.206.125.107
     Statistics: 116.206.125.107 listed in bl.spamcop.net (127.0.0.2) More Information. 116.206.125.107 not listed in cbl.abuseat.org 116.206.125.107 listed in dnsbl.sorbs.net ( 1 )
     and https://dnslytics.com/dns-blackhole-list/116.206.125.107
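Posts 8, 9 and 11 above all describe the same top-down walk over Received: headers: trust each hop only as far as its announced host name checks out, and cut the chain at the first hop that fails (a name that returns no IP, or a timestamp that cannot follow the hop above it). The script below is an added example written for this page; it is not SpamCop's parser and does not reproduce its exact rules. It assumes a constructed lookup table (RESOLVABLE) in place of live DNS so it runs offline, takes its first sample from the two Received: lines quoted in post 11, and models the second sample on the Outlook case in post 9 with a constructed documentation IPv6 address.

```python
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed stand-in for forward DNS lookups (hypothetical data; RFC 5737
# documentation addresses where the posts give none). A name missing from
# this table plays the part of "IP not found" in post 9.
RESOLVABLE = {
    "a2plcpnl0219.prod.iad2.secureserver.net": "198.51.100.10",
    "mail-sor-f65.google.com": "209.85.220.65",
    "mx.google.com": "198.51.100.20",
}

# Sample 1: the two Received: lines quoted in post 11, folded as a mail
# client stores them ("x" is SpamCop's redaction of the recipient).
SAMPLE_PROXY = (
    "Received: from [116.206.125.107] (port=52034 helo=nsacct.org)\n"
    "\tby a2plcpnl0219.prod.iad2.secureserver.net with esmtp (Exim 4.95)\n"
    "\tid 1qkPWK-00CryP-Gv for x; Sun, 24 Sep 2023 06:51:42 -0700\n"
    "Received: from mail-sor-f65.google.com (mail-sor-f65.google.com. [209.85.220.65])\n"
    "\tby mx.google.com with SMTPS id o8-20020a17090a9f8800b0025678d34362sor791813pjp.5.2023.06.26.06.46.26\n"
    "\tfor <x> (Google Transport Security); Mon, 26 Jun 2023 06:46:26 -0700 (PDT)\n"
    "Subject: constructed sample\n\n"
)

# Sample 2: modelled on post 9; the IPv6 literal is a constructed RFC 3849 address.
SAMPLE_OUTLOOK = (
    "Received: from AS8P193MB2383.EURP193.PROD.OUTLOOK.COM ([IPv6:2001:db8::1])\n"
    "\tby mx.google.com with ESMTPS; Mon, 2 Oct 2023 09:00:00 -0700\n"
    "Received: from mail-sor-f65.google.com (mail-sor-f65.google.com. [209.85.220.65])\n"
    "\tby mx.google.com with SMTPS; Mon, 2 Oct 2023 08:59:58 -0700\n"
    "Subject: constructed sample\n\n"
)

# Sample 3: a constructed chain with nothing wrong, so the walk reaches the origin.
SAMPLE_CLEAN = (
    "Received: from mail-sor-f65.google.com (mail-sor-f65.google.com. [209.85.220.65])\n"
    "\tby mx.google.com with SMTPS; Mon, 2 Oct 2023 09:00:00 -0700\n"
    "Received: from [198.51.100.77] by mail-sor-f65.google.com with ESMTPSA;\n"
    "\tMon, 2 Oct 2023 08:59:58 -0700\n"
    "Subject: constructed sample\n\n"
)

RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)"            # name or [literal] the sender announced
    r"(?:\s+\((?P<comment>[^)]*)\))?"  # optional (rDNS [ip]) or (helo=...) part
    r"\s+by\s+(?P<by>\S+)"             # the MTA that wrote this line
)
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def parse_received(value):
    """Split one Received: value into announced name, bracketed IP and date."""
    value = re.sub(r"\s+", " ", value).strip()  # unfold continuation lines
    m = RECEIVED_RE.search(value)
    head = m.group(0) if m else value
    ip = IP_RE.search(head)
    raw_from = m.group("from") if m else ""
    date = None
    if ";" in value:  # the timestamp follows the last ';'
        try:
            date = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            date = None
    return {
        "from_host": None if raw_from.startswith("[") else (raw_from.rstrip(".") or None),
        "ip": ip.group(1) if ip else None,
        "date": date,
    }


def walk_chain(raw_message, resolvable=RESOLVABLE, max_gap=timedelta(hours=24)):
    """Walk Received: headers top-down (newest hop first), as posts 8, 9 and 11 describe.

    Cuts the chain at the first hop whose announced name does not resolve (or
    resolves elsewhere) and at the first hop whose timestamp does not fit the
    hop above it. Returns (source_ip, findings); source_ip is the last address kept.
    """
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    findings, source_ip, prev_date = [], None, None
    for n, hop in enumerate(hops, 1):
        # A lower hop must have been stamped shortly *before* the hop above it;
        # a later stamp, or one months older (post 11's case), is a disconnect.
        if prev_date and hop["date"]:
            gap = prev_date - hop["date"]
            if gap < timedelta(0) or gap > max_gap:
                findings.append(f"hop {n}: timestamp disconnect ({gap} before hop {n - 1}); chain cut here")
                break
        # The bracketed literal is what the receiving MTA actually saw, so keep it...
        source_ip = hop["ip"] or source_ip
        prev_date = hop["date"] or prev_date
        # ...but an announced name that fails the lookup ends the walk right here,
        # mirroring post 9 ("IP not found ... discarded as fake").
        name = hop["from_host"]
        if name and name not in resolvable:
            findings.append(f"hop {n}: {name} does not resolve; discarded as fake, chain cut here")
            break
        if name and hop["ip"] and resolvable[name] != hop["ip"]:
            findings.append(f"hop {n}: {name} resolves to {resolvable[name]}, not {hop['ip']}; chain cut here")
            break
    return source_ip, findings


if __name__ == "__main__":
    for label, sample in (("proxy", SAMPLE_PROXY), ("outlook", SAMPLE_OUTLOOK), ("clean", SAMPLE_CLEAN)):
        print(label, walk_chain(sample))
```

On the post 11 sample the walk keeps 116.206.125.107 and stops at the google.com line because that hop is stamped about 90 days earlier than the one above it; on the Outlook sample it stops at the very first hop, keeping only that line's IPv6 literal, which is the behaviour post 9 complains about. The 24-hour tolerance is an assumption of this example; real chains can legitimately carry small clock skews, so the threshold is a parameter rather than a constant.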
  12. LOL... reminds me of three automakers... anyway, enough politic hinting from my side... (or I'll get into big trouble with Lking ) I know it's not funny, and I can feel the frustration, especially when it comes to an email address owned for quite a while. I had a similar situation here with an email account I had for close to 20 years and lost it, but not because I chose to... My email provider's domain was "bought out" by the government and the owner of the domain gave us a grace period to move our e-mail data to a different host. I had already had my accounts at Y!, Hotmail, and gmail and been using gmail to pull from the other mail hosts, but always replying with my non-google address... so when the announcement came, I switched the sending address to the gmail address and stayed like that since. I occasionally use hotmail/outlook/M$ for "specific" purposes, and Y! when it comes to taunt spammers and scammers 🤪
  13. this is a screenshot of my inbox (spam only) of the last 5-6 days (top-most just reported this morning): top-most: https://www.spamcop.net/sc?id=z6862927956zf058e0bc88a451cd86b58917bcc0e2e0z second-top: https://www.spamcop.net/sc?id=z6862876096z7da6505d55ea3f03a9345d59a7fa5816z about 95% have been online.net spam and 95% of those from their proxad.net/iliad-enterprises.fr "division" the rest are hotmail/microsoft and google... haven't had a Y! spam in a while...
  14. 1. just "forwarding" the spam to the reporting email address will do nothing if the spam is not forwarded as "attachment" including headers.
     a) if spam is forwarded as attachment including headers and body and the spam message is less than 50kB then you will receive an email from SC with the link to parse and report the spam.
     b) if spam is >50kB then, from my memory and experience, the spam will not parse due to message being too large.
     well, when I say "will do nothing" is a bit false. You will get an email saying that there is nothing to do or that the spam message was not found.
     2. pasting the entire spam (headers, blank line, body) if the size is larger than 50 kB (kiloByte) will return an error that the size is too large.
     a) delete portion of the spam body to get it < 50kB
     b) if spam is less than 50kB then if the [√] Show technical details is checked, you will receive a nice new screen with all the parsing goodies and submit the spam to the necessary authorities.
     3. single address is either
     a) an IP address 142.250.72.164
     b) a website: www.google.com
     c) or an email address spammer@gmail.com
     the result of the parse is only informative letting you know where to report or who to contact with regard to the input you entered. I use it occasionally. i.e.
     a) example
     Parsing input: 142.250.72.164
     Routing details for 142.250.72.164 [refresh/show] Cached whois for 142.250.72.164 : network-abuse@google.com Using best contacts abuse@google.com
     Statistics: 142.250.72.164 not listed in bl.spamcop.net More Information. 142.250.72.164 not listed in cbl.abuseat.org 142.250.72.164 not listed in dnsbl.sorbs.net
     Reporting addresses: abuse@google.com
     nothing is reported. it just lets you know the details of the address you entered.
     c) example:
     Parsing input: spammer@gmail.com
     142.251.2.26 is an MX ( 5 ) for gmail.com
     Routing details for 142.251.2.26 [refresh/show] Cached whois for 142.251.2.26 : network-abuse@google.com Using best contacts abuse@google.com
     Statistics: 142.251.2.26 not listed in bl.spamcop.net More Information. 142.251.2.26 not listed in cbl.abuseat.org 142.251.2.26 not listed in dnsbl.sorbs.net
     Reporting addresses: abuse@google.com
     Hope this info helps