
RobiBue

Member, 453 posts

Posts posted by RobiBue

  1. oddly enough, slippery egg noodles are one way of crunching numbers, but Wat is a slippery dish that can be enjoyed while fighting spam. Just a geek could possibly know. (or someone fluent in crunching search numbers ;)
    Enjoy whichever dish you prefer, as tastes in this world, encompassing different cultures, vary 😂

  2. no, those are only visible for the reporter (OP.)

    On 11/17/2023 at 12:48 PM, Spamnophobic said:

    the top one is the link we can use, the other two, the OP would need to access those reports and post the tracking URLs.
    I sometimes go into [Past Reports] tab and select from the reporting time I choose the spam I'm interested in. There, it depends on which link was chosen:
    1. I always choose my own reported link (to myself) where at the bottom,
       below the drop-down box (Please select one..) and the [Proceed] button (I don't use those)
       there is a link
       Show how SpamCop traced this message

       which is actually the tracking URL, but only for my own report.

    2. If the link clicked is a different one (for one of the ISPs,) then at the top there is a
        Parse link which again is the tracking URL (not the address shown in the URL bar for that page itself)

    3. or by clicking on either link to get to the parse screen and post the tracking URL given there as
         Here is your TRACKING URL - it may be saved for future reference:
         https://www.spamcop.net/sc?id=z6872954240z195cc201101d96d3efa15fe9001511f2z

    all three aforementioned and given links point to the same spam on my reports, but each taken from a different source.

    HTH

  3. SpamCop has been around for decades (2½ IIRC) and at the beginning, along with n.a.n.a.e and the different abuse desks at the serious ISPs, it was a delight when spammers would face either a whacking with a clue-by-four or even being charged criminally in court, but now providers don't take it seriously anymore, probably due to the lack of manpower and the increased automation of their systems. Besides, since Cisco took over, their main cyber product is Talos, which takes preference, and SC is only a minor side-toy (at least that's the way I see it) that allows users to report spam (if it helps, good; if it doesn't, not much lost) to propagate abusing MXs into blocklists.
    If someone with more knowledge behind the scenes would like to correct my stance I would greatly appreciate it if I'm wrong, but with an explanation ;)

    Every now and then SC does get an "update"  but a lot, as you say, has been neglected...

  4. SC doesn't continue past the first unmatched host due to the nature of spam:
    spammers historically insert/inject fake Received: headers to fool systems into parsing past the actual spammer host, and that's where SC usually does its best and stops at the first fake encounter. It is unfortunate that M$ handles their MX hosts the way they do, causing them to be marked as a spam source.
    I maintain that M$ needs to fix their system to the way it was intended, and not the way they would prefer it to be hidden.

  5. like Lking said, the parser removes personal info (as well as possible). That's why the tracking URL is always helpful.


    The problem with hotmail/outlook/microsoft is that their host names do not return IP addresses

    Host AS8P193MB2383.EURP193.PROD.OUTLOOK.COM (checking ip) IP not found ; AS8P193MB2383.EURP193.PROD.OUTLOOK.COM discarded as fake.

    so already the first host, failing to return the IP address, causes the parser to throw away the remaining Received: lines and therefore uses the first IP address (in this case the IPv6 given on the Received: for that host) to find the abuse contact.

    This is Microsoft's fault that they try to hide their hosts and therefore the spam is presumed to come from them. They should fix their DNS records or keep getting hit by reports.



  6. and therein lies the problem, twitter/X doesn't care.

    besides, links in spam messages are low priority, even though the spamvertised sites should be also shut down... yet many times spammers add innocent bystanders/third parties to their junk and those are the ones that suffer in the end.

    Important is to stop the source, where the spam comes from...

    edit:
    this one for instance: https://www.spamcop.net/sc?id=z6863557071z9dd95abcddd5d6187a8a0877d4c50b88z
    online.net is the one I want to look into my junk
    twitter/X is just a redirect and who knows how many other redirects behind that link... I'm not going to follow that rabbit hole today... done it before and too often. I'd need to check the http(s) return headers and currently I don't have the will to go after it... I'd like the end-server/host but I don't want the link to reveal my info, so I'm not going there now... did I already mention that? LOL

  7. just to clarify:
    this spam does seem to have originated at google (there's a BUT at the end):

    https://toolbox.googleapps.com/apps/messageheader/

    adding the whole header in that tool shows the following: (as image(s) since I doubt that the formatting will remain)

    [screenshots of the header analysis tool output]


    I also went ahead and verified the DKIM record:

    https://powerdmarc.com/dkim-record-lookup/

    [screenshots of the DKIM record lookup]


    BUT:

    either the spammer found a way to send the spam from google through an open proxy (116.206.125.107, port 52034)
    OR
    managed to spoof the DKIM record and inject the headers below the
    116.206.125.107 proxy.

    I say that because there is a "disconnect" between these two Received lines:

    Received: from [116.206.125.107] (port=52034 helo=nsacct.org)
    	by a2plcpnl0219.prod.iad2.secureserver.net with esmtp (Exim 4.95)
    	id 1qkPWK-00CryP-Gv
    	for x;
    	Sun, 24 Sep 2023 06:51:42 -0700
    Received: from mail-sor-f65.google.com (mail-sor-f65.google.com. [209.85.220.65])
            by mx.google.com with SMTPS id o8-20020a17090a9f8800b0025678d34362sor791813pjp.5.2023.06.26.06.46.26
            for <x>
            (Google Transport Security);
            Mon, 26 Jun 2023 06:46:26 -0700 (PDT)


    Personally, I wouldn't trust anything below the first of these two... (my opinion and 2¢)


    P.S. (edit)
    forgot to mention that 116.206.125.107 is listed in several blocklists...

    https://www.spamcop.net/sc?track=116.206.125.107

    Statistics:

    116.206.125.107 listed in bl.spamcop.net (127.0.0.2)
    More Information.
    116.206.125.107 not listed in cbl.abuseat.org
    116.206.125.107 listed in dnsbl.sorbs.net ( 1 )

    and https://dnslytics.com/dns-blackhole-list/116.206.125.107

    [screenshots of the dnslytics blocklist results]

  8. LOL... reminds me of three automakers... anyway, enough politic hinting from my side... (or I'll get into big trouble with Lking ;) )


    I know it's not funny, and I can feel the frustration, especially when it comes to an email address owned for quite a while.

    I had a similar situation here with an email account I had for close to 20 years and lost it, but not because I chose to...

    My email provider's domain was "bought out" by the government and the owner of the domain gave us a grace period to move our e-mail data to a different host. I had already had my accounts at Y!, Hotmail, and gmail and been using gmail to pull from the other mail hosts, but always replying with my non-google address... so when the announcement came, I switched the sending address to the gmail address and stayed like that since.

    I occasionally use hotmail/outlook/M$ for "specific" purposes, and Y! when it comes to taunt spammers and scammers 🤪

  9. this is a screenshot of my inbox (spam only) of the last 5-6 days (top-most just reported this morning):

    [screenshot of the inbox]

    top-most: https://www.spamcop.net/sc?id=z6862927956zf058e0bc88a451cd86b58917bcc0e2e0z
    second-top: https://www.spamcop.net/sc?id=z6862876096z7da6505d55ea3f03a9345d59a7fa5816z

    about 95% have been online.net spam and 95% of those from their proxad.net/iliad-enterprises.fr "division"

    the rest are hotmail/microsoft and google... haven't had a Y! spam in a while...

  10. 1. just "forwarding" the spam to the reporting email address will do nothing if the spam is not forwarded as "attachment" including headers.
       a) if spam is forwarded as attachment including headers and body and the spam message is less than 50kB then you will receive an email from SC with the link to parse and report the spam.
       b) if spam is >50kB then, from my memory and experience, the spam will not parse due to message being too large.
    Well, when I say "will do nothing" that is a bit false. You will get an email saying that there is nothing to do or that the spam message was not found.

    2. pasting the entire spam (headers, blank line, body) if the size is larger than 50 kB (kiloByte) will return an error that the size is too large.
        a) delete portion of the spam body to get it < 50kB
        b) if spam is less than 50kB then if the [√] Show technical details is checked, you will receive a nice new screen with all the parsing goodies and submit the spam to the necessary authorities.

    3. single address is either
        a) an IP address 142.250.72.164
        b) a website: www.google.com
        c) or an email address spammer@gmail.com
    the result of the parse is only informative letting you know where to report or who to contact with regard of the input you entered. I use it occasionally.

    i.e. a) example:

    Parsing input: 142.250.72.164
    Routing details for 142.250.72.164
    [refresh/show] Cached whois for 142.250.72.164 : network-abuse@google.com
    Using best contacts abuse@google.com
    Statistics:
    142.250.72.164 not listed in bl.spamcop.net
    More Information.
    142.250.72.164 not listed in cbl.abuseat.org
    142.250.72.164 not listed in dnsbl.sorbs.net
    
    Reporting addresses:
    abuse@google.com 

    nothing is reported. it just lets you know the details of the address you entered.

    c) example:

    Parsing input: spammer@gmail.com
    142.251.2.26 is an MX ( 5 ) for gmail.com
    Routing details for 142.251.2.26
    [refresh/show] Cached whois for 142.251.2.26 : network-abuse@google.com
    Using best contacts abuse@google.com
    Statistics:
    142.251.2.26 not listed in bl.spamcop.net
    More Information.
    142.251.2.26 not listed in cbl.abuseat.org
    142.251.2.26 not listed in dnsbl.sorbs.net
    
    Reporting addresses:
    abuse@google.com 

    Hope this info helps
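The "Statistics:" block in the parse output above (and the one for 116.206.125.107 in the earlier post) comes from DNS blocklist lookups. The following is an added example, not SpamCop's code: it builds the reversed-address query name for each of the three lists named in the post, treats an A record in 127.0.0.0/8 as "listed", and flags any answer outside that range, since that usually means a wildcarding resolver or a retired list rather than a real listing. The resolver is injectable, so the example runs offline against a constructed answer table; the `live_resolver` uses a real DNS query when you want it. The SORBS return code in the table is made up (the post shows "( 1 )", not an address).

```python
"""DNSBL lookups, the mechanism behind the "Statistics:" block in the parse output.

Added example, not SpamCop's code. Assumes the common DNSBL convention:
reverse the address, append the list's zone, and treat an A record in
127.0.0.0/8 as "listed" (the address returned, e.g. 127.0.0.2, is the
list's own reason code).
"""
import ipaddress
import socket
from typing import Callable, Optional

Resolver = Callable[[str], Optional[str]]   # query name -> A record, or None for NXDOMAIN
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")

# the three lists named in the post's Statistics block
ZONES = ("bl.spamcop.net", "cbl.abuseat.org", "dnsbl.sorbs.net")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """116.206.125.107 + bl.spamcop.net -> 107.125.206.116.bl.spamcop.net"""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        reversed_part = ".".join(reversed(str(addr).split(".")))
    else:
        # IPv6 lists take the 32 hex nibbles in reverse order
        reversed_part = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{reversed_part}.{zone}"


def live_resolver(name: str) -> Optional[str]:
    """Real DNS query (needs network); NXDOMAIN means not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_listings(ip: str, resolve: Resolver, zones=ZONES) -> dict:
    """Query each list. An answer outside 127.0.0.0/8 is marked suspect rather
    than trusted: that usually means a wildcarding resolver or a dead list."""
    results = {}
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer is not None and ipaddress.ip_address(answer) not in LISTED_NET:
            answer = "suspect:" + answer
        results[zone] = answer
    return results


def format_statistics(ip: str, results: dict) -> list:
    """Render lines in the style SpamCop prints."""
    lines = ["Statistics:"]
    for zone, answer in results.items():
        if answer is None:
            lines.append(f"{ip} not listed in {zone}")
        else:
            lines.append(f"{ip} listed in {zone} ({answer})")
    return lines


# Constructed answer table mirroring the post's Statistics for 116.206.125.107;
# the SORBS return code here is made up.
FAKE_DNS = {
    "107.125.206.116.bl.spamcop.net": "127.0.0.2",
    "107.125.206.116.dnsbl.sorbs.net": "127.0.0.6",
}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    res = check_listings("116.206.125.107", fake_resolver)
    print("\n".join(format_statistics("116.206.125.107", res)))
```

The email-address form of the single-address parse (case c above) adds one step in front of this: resolve the domain's MX records first, then run the same lookups against the MX address, which is why the page shows 142.251.2.26 rather than gmail.com in the statistics.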

  11. 2 hours ago, Gort said:

    “The email sample you submitted for ________@swbell.net appears to traverse more than one domain. 
    Please ensure that you configure each mailhost individually and in order.”

    this only means that when you receive an email (let's say the configuration one from SC) it does travel through different domains after SC sent it.

    apparently swbell flows through att, and that's where the domain "conflict" arises.

    I don't use mailhosts, but you might have to configure the two att and the swbell hosts and in the correct order as the message implies.

    I don't know if that's enough help but it's all I can give.

    good luck either way :)

  12. in the [Past Reports] tab:

    [screenshot of the Past Reports tab]

    click the View Recent Reports link (not this one as it's only for demonstration :) )

    and you will get a list akin to the following (unless you haven't submitted anything, then you'd have to select a larger time frame)

    [screenshot of the report list]

    there you can click on any of the number links, but it matters which one you click on...

    if it's the one from a link, you won't get much but parsing information of that link

    but if you click on the one that has your email address at the end if you chose to report to yourself, then you get the following:

    [screenshot of the report page with the tracking link]

    Otherwise you'll get the raw message with a "Parse" link at the top (like this):

    [screenshot of the raw message with the Parse link]


  13. it's been a while, but many web mail providers have been departing from the send email as attachment option. why, I'm not sure... security? or they don't think it's necessary...

    in gmail you can only do it in their scripting application. at least that's what I do as it's easier for me, but you do have the option to view the raw message and from there save it as a file and attach it to the submission email or copy and paste it into the submission form on the SC webpage.


  14. while there is the possibility to go from [image of one SC URL] to [image of the other SC URL] through the sitemap link, there is no way the other way unless it's through a tracking URL link in a post.

    Personally I have two tabs open (well, it's actually more, but that's beside the point,) one to the parsing section, and one to the forum section. with that I have my bases covered and just have to switch tabs.

    HTH

    P.S. yes, the SC URLs above are pics, not text, to keep it from linking. I know, it's not fair ;). Quirks of life.

  15. https://www.spamcop.net/sc?id=z6859184909z00ab2e047c4e7420ff368152daec2c55z

    SC's parser has been redirecting twitter spam to /dev/null for quite a long time (there is no date to when the redirect was added for us users to see) but on a search through the forum I found a reference dating back to Oct. 2019.

    Quote:
    Tracking link: http://t.co/0PKeBwOmkS

    [report history]
    Host t.co (checking ip) = 104.244.42.69
    Resolves to 104.244.42.69
    Routing details for 104.244.42.69
    [refresh/show] Cached whois for 104.244.42.69 : net-abuse@twitter.com
    tcoabuse@twitter.com redirects to twitterdoesntcareaboutspamreports@devnull.spamcop.net
    Using best contacts twitterdoesntcareaboutspamreports@devnull.spamcop.net

    after Musk bought twitter, I mean X, the redirect should be removed to at least let them prove their willingness to fight spam, or at least to prevent abuse.

    With a web sniffer I get the following website redirect for twitter:

    https://twitter.com/safety/unsafe_link_warning?unsafe_link=http://yadayadayada

    I changed the original to yadayadayada to prevent involuntary access...

    Still, I believe it's time to let them prove themselves competent or caring...

  16. On 8/15/2023 at 5:11 PM, ninth said:

    If you email a copy of the raw message using the submit address instead of going through the app it is not truncated. I find this handy for the long lists of websites selling random unwanted pots so they get included in abuse reports. The most interesting info is generally in the header and this method may not be the best for those wanting to send bulk spam reports? 

    I always truncate emails larger than 50k regardless if I submit them by email or post them on the website. in fact, a long time ago I wrote a scr!pt that automatically checks the size and snips the end off.


    the request for automatically truncating such emails is valid though. I always wished there was a checkbox that if active would do just that. Thanks Scott for placing this request. I'm sure many others, even though they are accustomed to redoing the submission would like this feature :)
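Post 10 above describes the 50 kB limit and post 16 mentions a script that checks the size and snips the end off. The block below is an added example of that idea, not RobiBue's own script and not SpamCop code: it keeps the header block whole (the headers are where the useful information lives), cuts the body at a line boundary so the sample stays under the limit, and marks the cut. It assumes 50 kB means 50 * 1024 bytes; the exact figure SpamCop enforces is not stated here. The oversized sample message is constructed inline.

```python
"""Snip an oversized spam sample to fit SpamCop's 50 kB submission limit.

Added example, not RobiBue's own script and not SpamCop code. Keeps the header
block whole and cuts the body at a line boundary, marking the cut. Assumes
50 kB means 50 * 1024 bytes (an assumption; the page does not say).
"""
LIMIT = 50 * 1024
SNIP_MARK = b"\r\n[-- body truncated to fit the 50 kB submission limit --]\r\n"


def split_message(raw: bytes) -> tuple:
    """Split at the first blank line (RFC 5322); tolerates LF-only files."""
    for sep in (b"\r\n\r\n", b"\n\n"):
        idx = raw.find(sep)
        if idx != -1:
            return raw[: idx + len(sep)], raw[idx + len(sep):]
    return raw, b""                       # headers only, no body


def truncate_for_submission(raw: bytes, limit: int = LIMIT) -> bytes:
    """Return raw unchanged if it fits; otherwise headers + as much body as fits + marker."""
    if len(raw) <= limit:
        return raw
    headers, body = split_message(raw)
    room = limit - len(headers) - len(SNIP_MARK)
    if room <= 0:
        raise ValueError("header block alone exceeds the limit; nothing to snip")
    cut = body.rfind(b"\n", 0, room)      # end on a complete line where possible
    kept = body[: cut + 1] if cut != -1 else body[:room]
    return headers + kept + SNIP_MARK


# Constructed sample: short headers followed by roughly 68 kB of body lines.
SAMPLE_HEADERS = (b"From: spammer@example.invalid\r\n"
                  b"To: victim@example.invalid\r\n"
                  b"Subject: constructed oversized sample\r\n\r\n")
SAMPLE_MESSAGE = SAMPLE_HEADERS + b"".join(b"junk line %05d\r\n" % i for i in range(4000))

if __name__ == "__main__":
    out = truncate_for_submission(SAMPLE_MESSAGE)
    print(f"{len(SAMPLE_MESSAGE)} bytes in, {len(out)} bytes out (limit {LIMIT})")
```

Cutting at a line boundary matters for the website form as well as for e-mail submission: a cut in the middle of a base64 or quoted-printable line is harmless to SpamCop's parser, which only needs the headers, but it keeps the snipped sample readable for anyone looking at the report later.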


  17. just a quick reminder about the "mole" option (from 2004)

    Quote:

    Mole accounts are active and they do count in the stats, but they don't count in the BL.
    ...

    When an ISP looks at aggregate counts (whether they've opted
    for those mailings or look at their isp account on the webpage) they
    will see 'trap reports = xx, spam reports = zz, mole reports = yy'.


    Quote:

    ISPs can sign up for summary reports -- daily or hourly -- and many have
    signed up. The summary reports are just that -- lists of IPs and counts of
    spams -- and if looked at or scripted by an ISP/hosting company they do
    indicate where there are problems or emerging issues.

    I don't believe much has changed there since.

  18. OP spam is a plain old Nigerian 419 scam.

    THIS IS Ambassador Mrs Mary Beth Leonard Ambassador to Nigeria. 
    . 
    I SHALL BE COMING TO YOUR COUNTRY FOR AN OFFICIAL MEETING ON TUESDAY AND I WILL BE BRINGING YOUR FUNDS 
    THROUGH AN ATM MASTER CARD OF($4.8Million United State Dollars) ALONG WITH ME BUT THIS TIME I WILL NOT 
    GO THROUGH CUSTOMS BECAUSE AS AN AMBASSADOR TO NIGERIA, I AM A US GOVERNMENT AGENT AND I HAVE THE VETO 
    POWER TO GO THROUGH CUSTOMS. AS SOON AS I AM THROUGH WITH THE MEETING I SHALL THEN PROCEED TO YOUR ADDRESS. 
    (SEND YOUR CELL PHONE NUMBER AND THE ADDRESS WHERE YOU WANT ME TO BRING THE PACKAGE).

    the scammers more than likely found an open relay or maybe had some malware installed on the victim's server or PC:

    Received: from gw.saesoldia.com (gw.saesoldia.com. [115.71.14.193])
            by mx.google.com with ESMTP id c16-20020a6566d0000000b00563eda35edesi3445418pgw.143.2023.08.07.05.46.09
            
    Received: from [127.0.0.1] ([127.0.0.1])
               by gw.saesoldia.com ([127.0.0.1])
               with ESMTP id 1691412368.684522.140338211493632.gw

    the bottom Received line shows a loop-back address, meaning the internal server itself; therefore more than likely an open relay, or malware...

    The reason for the wikipedia link is that the scammers added the link as "proof" of who they are

    Ambassador Mrs Mary Beth Leonard
    TELEPHONE NUMBER
    CHECK HERE VIEW MY DATA:https://en.wikipedia.org/wiki/List_of_ambassadors_of_the_United_States_to_Nigeria

    yeah, view my data my a**...

    and the proof that it's a Nigerian 419 scam:

    YOU SHOULD SEND THE FEE DIRECTLY TO THE CARGO REGISTRATION OFFICER WITH THE INFO BELOW-
    
    amount ... $250

    And like Steve was saying about the IP# 115.71.14.193: while SC had the reporting address corrected, it still refuses to send the report (most probably due to the NIC part in the email address, and SC refuses to bother any NIC...)

    regex is a powerful tool, unfortunately it's not necessarily a smart tool, and bad things can happen if a regex is set up wrong... (like in the current thread for example)
