RobiBue

Everything posted by RobiBue

  1. yes, this is standard. Every email server (MTA or MX) the email passes through adds a new received line at the top (lately -- that means as of "several years ago" -- with SPF headers and other spoofing detection like DKIM and such), so the topmost received line is yours, then every previous one is the one before that, and somewhere along the line there is the one the originating email (spam?) came from... now spammers can inject fake received lines, but they all will appear below the originating mail host, and that's what SC tries to discern. since the top one says it received it from localhost by ***.rug.nl, it is expecting the next (previous) received from line, below, to be BY localhost to close the chain, but it is again BY ***.rug.nl, so it fails, and it does; so why it fails I don't know (but that is probably only because the mailhosts are set up, since without them it seems to work fine...) somewhere I see mailhost1 and then mailhost (without the 1) in the chain... I personally do not use mailhosts (all I have is spam in my gmail account which I forward through a gscript I wrote a few years ago to SC) and thus don't have that issue. Albeit some years ago google changed their email system to IPv6 and broke the chain because SC didn't recognize the IPv6 address to be the equivalent of an IPv4 private address... it was later fixed... somehow... Since I don't use mailhosts, I can't really help with how to set them up, but I have heard/read that removing them and reinserting them helps... somehow those localhost lines seem to be the ones causing the problem (second received line from top)
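A small checker for the Received chain walk this post describes, added here as an example; it is not code from the post or from SpamCop. The headers and hostnames (mx1.example.net, mailhost1.example.net, sender.example.org) are constructed, and the set of loopback aliases treated as "the same host" is an assumption.

```python
import email
import re

# Constructed sample (not from the original post). The topmost Received line
# is the last hop. The second hop says "by mx1.example.net" again instead of
# "by localhost", which is the kind of break the post describes.
SAMPLE = """\
Received: from localhost (localhost [127.0.0.1])
\tby mx1.example.net (Postfix) with ESMTP id AAA; Sun, 16 Jan 2022 12:00:02 +0000
Received: from mailhost1.example.net (mailhost1.example.net [192.0.2.10])
\tby mx1.example.net (Postfix) with ESMTPS id BBB; Sun, 16 Jan 2022 12:00:01 +0000
Received: from sender.example.org (sender.example.org [198.51.100.5])
\tby mailhost1.example.net (Postfix) with ESMTPS id CCC; Sun, 16 Jan 2022 12:00:00 +0000
From: someone@example.org
Subject: constructed test

body
"""
# Same headers with the middle hop reading "by localhost", so the chain closes.
GOOD = SAMPLE.replace("by mx1.example.net (Postfix) with ESMTPS id BBB",
                      "by localhost (Postfix) with ESMTPS id BBB")

HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE)
# Assumed aliases for "this machine"; the post mentions SC once failing to
# treat an IPv6 loopback/private address as equivalent to its IPv4 form.
LOOPBACK = {"localhost", "127.0.0.1", "::1", "[127.0.0.1]", "[::1]", "[ipv6:::1]"}

def parse_hops(raw):
    """Return [(from_host, by_host), ...] in header order, topmost first."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))  # unfold the header
        if m:
            hops.append(tuple(h.lower().rstrip(";") for h in m.groups()))
    return hops

def same_host(a, b):
    return a == b or (a in LOOPBACK and b in LOOPBACK)

def chain_break(hops):
    """Index of the first hop whose 'by' does not match the 'from' of the
    hop above it, or None if the Received chain closes all the way down."""
    for i in range(1, len(hops)):
        if not same_host(hops[i - 1][0], hops[i][1]):
            return i
    return None

if __name__ == "__main__":
    for name, raw in (("broken", SAMPLE), ("closed", GOOD)):
        hops = parse_hops(raw)
        print(name, hops, "break at hop:", chain_break(hops))
```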
  2. @Mariano, if you submitted but canceled the report, you should still have them under the [past reports] tab View recent reports link. it would look something like this: there, if you click on the ID (not the email address) you would be able to see the email (and headers) HTH
  3. I went ahead and checked the first link in the list you posted back in July (although I changed the encrypted part):

       $ wget --spider https://scri_pt.google.com/macros/s/AKfycbw1eXviwEFD_uGw7gK79uwwZZbwrU3R4fRrx7OD0dDi8Qf5KdyJkRFswHVFtlted9Emng/exec?bnVueWFAYnVzaW5lLnNz
       Spider mode enabled. Check if remote file exists.
       --2022-01-16 12:54:55--  https://scri_pt.google.com/macros/s/AKfycbw1eXviwEFD_uGw7gK79uwwZZbwrU3R4fRrx7OD0dDi8Qf5KdyJkRFswHVFtlted9Emng/exec?bnVueWFAYnVzaW5lLnNz
       Resolving scri_pt.google.com (scri_pt.google.com)... 108.177.122.113, 108.177.122.101, 108.177.122.102, ...
       Connecting to scri_pt.google.com (scri_pt.google.com)|108.177.122.113|:443... connected.
       HTTP request sent, awaiting response... 403 Forbidden
       Remote file does not exist -- broken link!!!

     that's one of x links returning 403 Forbidden (broken link). I don't know if it's something I am doing wrong or if google is taking action on the link macros, but I get the same result with the link of the spam message above (although to ensure that the feedback wouldn't propagate back to your address I removed the encoded part behind the /exec?). here's what I got:

       $ wget --spider https://scri_pt.google.com/macros/s/AKfycbwxSkjAa2XYVTeCyAQcgUJcbxxS9mZJU2GCM6FbXzjPCUg8XAU79aGJNF_VX8hf1nmXXg/exec
       Spider mode enabled. Check if remote file exists.
       --2022-01-16 13:09:38--  https://scri_pt.google.com/macros/s/AKfycbwxSkjAa2XYVTeCyAQcgUJcbxxS9mZJU2GCM6FbXzjPCUg8XAU79aGJNF_VX8hf1nmXXg/exec
       Resolving scri_pt.google.com (scri_pt.google.com)... 108.177.122.100, 108.177.122.138, 108.177.122.102, ...
       Connecting to scri_pt.google.com (scri_pt.google.com)|108.177.122.100|:443... connected.
       HTTP request sent, awaiting response... 403 Forbidden
       Remote file does not exist -- broken link!!!

     to me it does seem like google is taking action....
     when I left the --spider option out, the results were a constant TypeError: Cannot read property 'split' of undefined (line 6, file "Code") which means that the link breaks (I tried adding my own variation of "hash" with the same result)
  4. after some deeper researching, @Foxie is correct and the &#12290 = U+3002 = 。 which is, according to http://www.unicode.org/reports/tr46/#Compatibility_Processing a valid "IDEOGRAPHIC FULL STOP" character accepted by browsers (or at least it should be). Now, it is possible that SC, due to its age, has not been implemented for this "newer" Domain Naming using local characters. still, without the parser's information there is little for us to help with. again, if Foxie could provide the TRACKING URL for the spam message (here is the latest TRACKING URL I got, but I never get any special URL link) I am providing this link solely to prove that my information is not "leaked" even though my email address would show in the subject line but SC replaced it with an X. this is found right after the spam was submitted for parsing and it is found as follows at the top of the parse:

       SpamCop v 5.4.0 © 2022 Cisco Systems, Inc. All rights reserved.
       Here is your TRACKING URL - it may be saved for future reference:
       https://www.spamcop.net/sc?id=z6736978831z87d37b033a8accb77b57420189670c67z
       Skip to Reports
       Delivered-To: x
       [...]
  5. @Foxie, like Petzl said: Run one through SpamCop reporting then Send the TRACK at top of page found before submitting. looks like this:

       Here is your TRACKING URL - it may be saved for future reference:
       https://www.spamcop.net/sc?id=z6697713791z3936f4bee8fc49cf1a24e632409448bdz

     nobody here will be able to do anything without the spamcop Tracking URL. (btw it is not the same as a tracking link inside the parsed email) Also, your header information gets removed by SC if that is your concern for not posting the Tracking URL...
  6. nah, just like to keep a nonstandard standard array of measurements so there's a yard of snow in the backyard give or take ... or 🦢 🦢🦢 😁 but then, given it's in the 267K range, that could be expected 😆
  7. Stay warm and cozy up there... lots of snow on the way ❄️☃️ Light a fire in the chimney, grab you a hot chocolate, and enjoy the winter 🎅 Hope you had a merry Christmas. Wishing you happy holidays and a good new year!
  8. wait a minute... que? what? que? since 2012? and Manuel still looks as fresh as he did in that old post? I know NOTHING! I'm from Barcelona! joking aside (I blame it on Fawlty Towers)... Yeah, it's about time that this Cisco conglomerate uses their knowledge and background to effectively improve this spam fighting tool. edit: dang! I had completely forgotten that I was involved in that thread.... (I blame that on my age!)
  9. https://www.spamcop.net/sc?id=z6734860051zc341d4446bdd92013698b650963ff273z

       Tracking message source: 153.120.151.105:
       Routing details for 153.120.151.105
       De-referencing sakura.ad.jp@abuse.net
       abuse net sakura.ad.jp = support@sakura.ad.jp, abuse@sakura.ad.jp
       Report routing for 153.120.151.105: support@sakura.ad.jp, abuse@sakura.ad.jp, abuse@sakura.ad.jp
       Routing details for 153.120.151.105 [refresh/show]
       Cached whois for 153.120.151.105 : search-apnic-not-arin@apnic.net
       I refuse to bother search-apnic-not-arin@apnic.net.

     SpamCop shouldn't stop there, but follow the whois path given! Why SC doesn't now continue checking on whois.apnic.net but instead stops, I don't know. I suppose whois.arin.net changed something and SC never got updated to the new format. If I do a whois in my cygwin terminal, whois automatically continues to the new referral:

       $ whois -h whois.arin.net 153.120.151.105
       #
       # ARIN WHOIS data and services are subject to the Terms of Use
       # available at: https://www.arin.net/resources/registry/whois/tou/
       #
       # If you see inaccuracies in the results, please report at
       # https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
       #
       # Copyright 1997-2021, American Registry for Internet Numbers, Ltd.
       #

       NetRange:       153.0.0.0 - 153.255.255.255
       CIDR:           153.0.0.0/8
       NetName:        APNIC-ERX-153
       NetHandle:      NET-153-0-0-0-0
       Parent:          ()
       NetType:        Early Registrations, Maintained by APNIC
       OriginAS:
       Organization:   Asia Pacific Network Information Centre (APNIC)
       RegDate:        1993-05-01
       Updated:        2010-07-30
       Ref:            https://rdap.arin.net/registry/ip/153.0.0.0
       ResourceLink:   http://wq.apnic.net/whois-search/static/search.html
       ResourceLink:   whois.apnic.net
       [...]

       # ARIN WHOIS data and services are subject to the Terms of Use
       # available at: https://www.arin.net/resources/registry/whois/tou/
       #
       # If you see inaccuracies in the results, please report at
       # https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
       #
       # Copyright 1997-2021, American Registry for Internet Numbers, Ltd.
       #

       # Found a referral to whois.apnic.net.

       % [whois.apnic.net]
       % Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html
       % Information related to '153.120.0.0 - 153.120.191.255'
       % Abuse contact for '153.120.0.0 - 153.120.191.255' is 'hostmaster@nic.ad.jp'
       inetnum:        153.120.0.0 - 153.120.191.255
       netname:        SAKURA-ISHIKARI
       descr:          SAKURA Internet Inc.

     The abuse contact should be hostmaster@nic.ad.jp, as given in whois.apnic.net. also, looking up the abuse.net db, I get the following: https://www.abuse.net/lookup.phtml?domain=sakura.ad.jp

       Look up an address in the abuse.net contact database
       support@sakura.ad.jp (for sakura.ad.jp)
       abuse@sakura.ad.jp (for sakura.ad.jp)
  10. /me thinks/ it had to do with the amount of processing on the system. if too many links were to be processed, and too many reports would be submitted, the system wait time would have been too high... at least that's how I remember it to be explained back decades ago...
  11. Spamcop is correct in saying that it isn't a routable address. the 。 code doesn't parse as a valid URL "period" even though in some browsers it does display like a period. in other words, the URL is invalid and will not parse. besides, many times, spammers place links and fake links in their spam to try to deceive automated systems and laypersons, making them believe that it's a real address. As petzl suggested: parse the spam email and post the TRACKING URL. That way others can help you understand or direct you to the real culprit.
  12. interesting read! Thanks for the info @yurs5
  13. I mostly use it to follow links manually without downloading any malware (hence my --spider flag in the wget call) to get to the origin of the scam instead of hitting only the first link with a complaint
  14. (Please don't ask for a Tracking URL as this is just an informative post and not a help wanted ) Lately, all spams I have been getting are phishing spams containing an attachment which is encoded in base64 (mostly short). I then run it through the trusty online base64 decoder to get the source (mostly something like

       <body onload="document.location.href=window.atob('aHR0cHM6Ly94dm94Mi5iZW1vYnRyay5jb20vZ28vYWM2LXNvbWUgdHJhY2luZyBudW1iZXJzPyM=');" />

     note: the .atob link was modified by me to keep the original website domain intact but changed the tracing info). I then run only the atob text through the decoder again to receive the website it would "take me to" (although there is more)...

       https://xvox2.bemobtrk.com/go/ac6-some tracing numbers?#

     now, I open my cygwin terminal and start a wget --spider website command (--spider to keep the last page from downloading because usually that part doesn't interest me). the result I get is something like this (I also changed some tracing information that is not relevant to this post -- mostly anything in [%..%]):

       $ wget --spider https://xvox2.bemobtrk.com/go/ac6sometracingnumbers?#
       Spider mode enabled. Check if remote file exists.
       --2021-10-24 08:35:10--  https://xvox2.bemobtrk.com/go/ac6sometracingnumbers?
       Resolving xvox2.bemobtrk.com (xvox2.bemobtrk.com)... 35.153.222.28, 54.172.72.35, 3.232.85.129, ...
       Connecting to xvox2.bemobtrk.com (xvox2.bemobtrk.com)|35.153.222.28|:443... connected.
       HTTP request sent, awaiting response... 302 Found
       Location: https://go.2coo.xyz/click?pid=[%number%]&offer_id=[%offer%]&bemobdata=[%somemoredata%] [following]
       Spider mode enabled. Check if remote file exists.
       --2021-10-24 08:35:10--  https://go.2coo.xyz/click?pid=[%number%]&offer_id=[%offer%]&bemobdata=[%somemoredata%]
       Resolving go.2coo.xyz (go.2coo.xyz)... 172.67.142.95, 104.21.79.57, 2606:4700:3034::ac43:8e5f, ...
       Connecting to go.2coo.xyz (go.2coo.xyz)|172.67.142.95|:443... connected.
       HTTP request sent, awaiting response... 302 Found
       Location: https://trace.affiliateedge.com/visit/?bta=[%btanumber%]&nci=[%ncinumber%]&afp=[%afpinformation%] [following]
       Spider mode enabled. Check if remote file exists.
       --2021-10-24 08:35:11--  https://trace.affiliateedge.com/visit/?bta=[%btanumber%]&nci=[%ncinumber%]&afp=[%afpinformation%]
       Resolving trace.affiliateedge.com (trace.affiliateedge.com)... 35.234.86.61
       Connecting to trace.affiliateedge.com (trace.affiliateedge.com)|35.234.86.61|:443... connected.
       HTTP request sent, awaiting response... 302 Object moved
       Location: https://www.luckyredcasino.com/?btag=[%btagcode%] [following]
       Spider mode enabled. Check if remote file exists.
       --2021-10-24 08:35:12--  https://www.luckyredcasino.com/?btag=[%btagcode%]
       Resolving www.luckyredcasino.com (www.luckyredcasino.com)... 104.18.226.39, 104.18.227.39, 2606:4700::6812:e227, ...
       Connecting to www.luckyredcasino.com (www.luckyredcasino.com)|104.18.226.39|:443... connected.
       HTTP request sent, awaiting response... 200 OK
       Length: unspecified [text/html]
       Remote file exists and could contain further links,
       but recursion is disabled -- not retrieving.

     add that with a modification note to the spam source and let every single one of the link owners know that they need to keep their phishing clients from accessing the web! Here it was (including the original source of the phishing spam):

       ( https://trace.affiliateedge.com/visit/?bta=... ) To: google-cloud-compliance@google.com
       ( https://www.luckyredcasino.com/?btag=... ) To: abuse@cloudflare.com
       ( https://go.2coo.xyz/click?pid=... ) To: abuse@cloudflare.com
       ( 134.0.112.147 ) To: abuse@reg.ru

     I am hoping that they all get their act together. Sometimes I do check the resulting file, mostly when it's a direct 200 result and not a 302 redirect, and there I sometimes find in the source something like this or a JS which loads a page similarly, and just run it as above...

       <body onload="document.location.href=window.atob('aHR0cHM6Ly94dm94Mi5iZW1vYnRyay5jb20vZ28vYWM2LXNvbWUgdHJhY2luZyBudW1iZXJzPyM=');" />
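The decode-twice-then-spider procedure from this post, written out as an added Python example; it is not the author's wget session and not SpamCop code. The attachment, the example.net/.org/.com hostnames and the offline redirect table are constructed, and fetch_head is the live HEAD walker you would pass instead of fake_fetch.

```python
import base64
import re
import urllib.error
import urllib.parse
import urllib.request

# Constructed attachment (not from the post): base64 of an HTML stub whose
# onload decodes a second base64 string and navigates to it.
INNER_URL = "https://tracker.example.net/go/ac6-constructed?#"
HTML = ('<body onload="document.location.href=window.atob(\'%s\');" />'
        % base64.b64encode(INNER_URL.encode()).decode())
ATTACHMENT_B64 = base64.b64encode(HTML.encode()).decode()
ATOB_RE = re.compile(r"""atob\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)""")

def extract_landing_url(attachment_b64):
    """Decode the attachment, find the atob() argument, decode that too."""
    html = base64.b64decode(attachment_b64).decode("utf-8", "replace")
    m = ATOB_RE.search(html)
    return base64.b64decode(m.group(1)).decode("utf-8", "replace") if m else None

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface each 3xx instead of silently following it

def fetch_head(url, timeout=10):
    """HEAD one URL without following redirects -> (status, Location)."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.build_opener(_NoRedirect).open(req, timeout=timeout) as r:
            return r.status, r.headers.get("Location")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location")

def follow_chain(url, fetch=fetch_head, max_hops=10):
    """Walk 3xx hops like wget --spider; stop at a non-3xx, a loop or max_hops."""
    chain, seen = [], set()
    while url and url not in seen and len(chain) < max_hops:
        seen.add(url)
        status, location = fetch(url)
        chain.append((url, status))
        if not 300 <= status < 400 or not location:
            break
        url = urllib.parse.urljoin(url, location)
    return chain

def hosts_to_report(chain):
    """Distinct hostnames in hop order: one abuse report per link owner."""
    return list(dict.fromkeys(urllib.parse.urlsplit(u).hostname for u, _ in chain))

FAKE = {  # constructed offline stand-in for the network: same 302/302/302/200 shape as the post
    INNER_URL: (302, "https://click.example.org/click?pid=1"),
    "https://click.example.org/click?pid=1": (302, "https://visit.example.com/visit/?bta=2"),
    "https://visit.example.com/visit/?bta=2": (302, "https://landing.example/?btag=3"),
    "https://landing.example/?btag=3": (200, None),
}

def fake_fetch(url):
    return FAKE.get(url, (404, None))

if __name__ == "__main__":
    for hop_url, status in follow_chain(extract_landing_url(ATTACHMENT_B64), fetch=fake_fetch):
        print(status, hop_url)
```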
  15. That is exactly what wants or needs to be avoided -- to redo the reports. Even though the message to the abuse departments didn't get sent, the spam got processed by SC and entered in the SCBL. every time the same identical spam gets reported, the reports get skewed and SC ends up being listed as unreliable due to skewed reports, and as an SC user, I don't think that would be a good thing. One report for one spam recipient. That's the goal. at least that's the goal I thought we were aiming for... Hence my inquiry into resending only the emails to the abuse depts, instead of resubmitting the spam over and over until the errors finally subside.
  16. While the spam was processed, the 3 mentioned Vietnamese abuse departments will never receive a report to act upon. Well, never for this specific submitted report due to the smtpEnvelope/smtpFrom errors (452 and 550). I'm not counting google's report since that one gets /dev/null'ed right away without any further decorum.
  17. sorry, I don't seem to be making myself clear. I'm not talking about the devnull reports, I am talking about reports that because of either Can't send report: smtpEnvelope ... or OP's [an error occurred while processing this directive] errors (assuming that if I check with [Past Reports] tab and the report was processed, but emails to me and the abuse depts of non-devnulled isps) were not sent — I can tell reports were not sent because I didn't receive mine — could be retried to send to a later time or manually triggered to re-send... edit 2021.10.18-04:50:00 CDT: I'm talking about reports like these: https://forum.spamcop.net/topic/46809-server-issue/?do=findComment&comment=158695

     btw, I had just an "awesome" experience with cloudflare who replied to me with an automated message, but when I checked the link I reported about, I saw that they had manually edited the page in question (or replaced it) with the following message:

       <p>This link has been flagged as phishing. Phishing is an attempt to acquire personal information such as passwords and credit card details by pretending to be a trustworthy source.</p>
       <p><strong>If you're a visitor of this website</strong><br /> The website owner has been notified and is in the process of resolving the issue. For now, it is recommended that you do not continue to the link that has been flagged.</p>
       <p><strong>If you're the owner of this website</strong><br /> Please log in to cloudflare.com to review your flagged website. If you have questions about why this was flagged as phishing please contact the Trust &amp; Safety team for more information.</p>

     yay! 🎆 (fireworks)
  18. I understand that... I guess I wasn't clear: instead of me re-submitting the report (since it would be the same spam "reported twice") there should be an option to re-send the emails from the original report. the ones that were never sent in the first place... That's what I meant with "re-sending the report" as opposed to "re-submitting the report"
  19. I am curious, is there a way to "re-send" a report? What I mean, when an error like that happens, I don't receive a report which I usually send to my own email for "safekeeping/bookkeeping" to confirm that the spam was reported. That would enable me to avoid double reporting on such occasions...
  20. thanks, forgot that part 😔 (although I can't confirm it, many times an error like that appears, the URL actually points to the error and not the tracking URL — will keep my eyes peeled though)
  21. when someone gets that sort of error, they won't get a tracking URL. that error happens before the spam gets parsed. @ArtmakersWorlds an hour later, here on Central Time, the reporting works for me without error. it also could be that the spammers have figured out a way to break the system (although I highly doubt that)
  22. it has been working for me too... clearly "speculation does not resolve the issue" but by the system working (be it on and off or even seemingly on) one can speculate that the system is being maintained and probably some disk space assigned (or even reprogrammed to account for certain 'errors') to work properly.... pure speculation here... also got a reply just moments ago from NTT Communications (OCN) (automated reply though) and from support.mchost.ru (also automated reply). something is working 😈
  23. or an option: coal from the locomotives (they are not used atm I believe), build a steam generator, use snow (melted) for steam and voilà, you got yourself some power and heat too 😀 ... when we were young 😁 I take it power or internet is out again... back to basic life it is
  24. Reminds me somewhat of a Judy Collins song....