Posts posted by ANGEL

  1. On 1/31/2019 at 11:51 AM, Lking said:

    Are you referring to the " Re: User Notification " check-box and email entry box on the reporting spam page?  I was misled by the link to the preference page.


    Hello Lking,
    Thank you for your comprehensive response &  I'm sorry for the late reply.

    Yes. I was trying to circumvent anyone getting confused, given there's 2 "User Notification" fields, ended up confusing you, big fail me!  

    Re [SpamCop.net screen layout and options is a legacy from "before time"],  I like [SC.net/parser format]: it works & is very functional without a lot of unnecessary bells & whistles.

    Re [In the beginning [analysis][Bcc copy of report was added], I'm glad, I like this and combined with all the SCF information/help & tips & tricks, I've finally been able to get on top of endless spam floods.

    Re [many SpamCop users do analysis of the source of the spam they receive and want to send report to destinations other than/ in addition to those identified by the parser] Their analysis methodology/work/results has been hugely beneficial for me.

    Re [user can un-check where spam Reports are sent] I'm not clear why a user would choose to un-check a check-box that SC has defined, speaking for myself, I trust SC to know better than me... 

    Re [forwarding original spam to ALL other parties] you & other SCF members have guided me on this before, I do get it, I just get cranky with scum.

    Re [Only once in this time have I identifiably been the target of retaliation] The irony for me was, after 20 yrs of endless spam I stumbled onto SC, after a mth I hit a week with NO spam, initially, I thought there may have been something wrong with my mail, then miffed, there's a certain satisfaction seeing the parser pump out its results & hitting "Send spam Report/s Now":)

    Thanks again. 

     

  2. 4 hours ago, Lking said:

    For security reasons you can not link to the page of personal preferences.  For others with a SpamCop.net account ANGEL is talking about the <Preferences> tab, "Report Handling Options" on spamcop.net

    I think the simplest answer to why a restriction on how many copies "of every spam you submit " would be to limit the required outgoing bandwidth.  Take a look at <Statistics> tab, Total spam report volume. Currently there is something like 600,000 reports being sent in 24hrs.

    Sending all reports to a third party could open SpamCop to charges of abuse clogging the email system.  Reading into your question, I too want to report spam to multi activities. To do this when I submit spam I also address my email to several US gov actives and a group in Australia.

     

    Hey Lking,

    Thank you for answering.

    Sometimes I find it difficult to write posts in a way that clearly defines the issue/s...

    Not wishing/suggesting or desiring to link to adding another address to [personal preferences][Personal copies of outgoing reports] page, just put that in there so possible convo participants were clear about which [User_Notification (User defined recipient)] field I was referring to.

     Pre-defined in preferences (User defined recipient)= Bcc to reporter of spam =  (me)
     

    Online Parser, more of these fields: ✔️z_User_Notification (User defined recipient)✔️ = field I can add another email address or more to before I hit "send"....

    Re [Sending all reports to a third party could open SpamCop to charges of abuse clogging the email system] I hear you; I certainly do not wish to be counterproductive to SC in any way, it is by far & away the most effective tool I've used to reduce spam.

    The reason I'd like to do "reporting to other interested parties" is, the parser mungs my email address; I learnt some brill info from Robibue & you too I think, to perform a little pre-SC-Parser-submission-surgery: find & manually mung every instance of my email address the spammer has used, being fairly new to "fighting back" I initially thought the parser would automatically do this...

    I'm not so comfortable forwarding original spam to ALL other parties I think would like to know/should know the spammer is using ; always concerned I'll give my email address to a spammer or source for spammers...

    Re [I also address my email to several US gov actives and a group in Australia] I do this too, as in "forward" original spam to ACMA & FTC... If there are additional "gov agencies" I'd be keen to add them to my tool kit: would you mind kindly sharing the addresses/info of the authorities you report to please?

    Cheers.

  3. On 1/18/2019 at 4:38 AM, Lking said:

    Not sure "Us mere mortals" is the issue.  It is all the spammers and trolls of this forum that would be the issue. They do seem to find the holes well enough without a menu.

    What's new in v5? The important stuff, a full suite of emojis,😀 yeah!!!


  4. 3 hours ago, RobiBue said:

    Sorry it's taken me so long to reply, but I've been busy and could only do minimalistic replies, so I have waited until I had more time to delve in deeper...

    While the Gmail hack is no longer necessary, unfortunately Microsoft's outlook "hack" is still needed due to its difference...

    Looking at the unmodified Received: headers in https://www.spamcop.net/sc?id=z6513483714z596b7c076a2121c3ce82e632cf6e31a3z

    
    [line]  (Received origin/destination)
    [0001]  Received: from PU1APC01HT007.eop-APC01.prod.protection.outlook.com (2603:10a6:800:92::20)
    [0002]              by VI1PR06MB5360.eurprd06.prod.outlook.com
    [0003]  Received: from PU1APC01FT052.eop-APC01.prod.protection.outlook.com (10.152.252.54)
    [0004]              by PU1APC01HT007.eop-APC01.prod.protection.outlook.com (10.152.252.101)
    [0005]  Received: from iainternalmeds.com (69.160.26.74)
    [0006]              by PU1APC01FT052.mail.protection.outlook.com (10.152.253.137)
    (only the Received: lines are relevant here. Omitting the timestamps as well as the transfer method/protocol)

    Line [0002] is the host from which you picked the email up.
    Lines [0001] and [0004] should have the same host name and number, but only the host name is the same, so SC cannot safely confirm that it is the same host and rightly determines the following: "Internal handoff or trivial forgery".
    Lines [0003] and [0006] also should have the same host name/address, but neither are equal, and therefore line [0005] is also a possible forgery.

    It looks complicated like this, but by keeping in mind, that the header lines are actually filled from the bottom up, let's "flip" the above Received: header lines:

    
    [line]  (Received origin/destination)
    [0005]  Received: from iainternalmeds.com (69.160.26.74)
    [0006]              by PU1APC01FT052.mail.protection.outlook.com (10.152.253.137)
    [0003]  Received: from PU1APC01FT052.eop-APC01.prod.protection.outlook.com (10.152.252.54)
    [0004]              by PU1APC01HT007.eop-APC01.prod.protection.outlook.com (10.152.252.101)
    [0001]  Received: from PU1APC01HT007.eop-APC01.prod.protection.outlook.com (2603:10a6:800:92::20)
    [0002]              by VI1PR06MB5360.eurprd06.prod.outlook.com
    (only the Received: lines are relevant here. Omitting the timestamps as well as the transfer method/protocol)

    [0005] sent it
    [0006] received it which then in turn sent it as [0003]  (PU1APC01FT052 is the same, but then the sub-domain name differs as well as the private IP address)
    [0004] received it which then in turn sent it as [0001] (here all: host, sub-domain, and domain are exactly the same, but unfortunately the address is not)
    [0002] received it in the end, waiting for you to pick it up.

    Therefore, unfortunately, Received: line [0001]/[0002] is the only trusted Received header: and the rest: [0003]/[0004], and [0005]/[0006] are possible forgeries in the eye of SC.

    By removing the top Received: line (here [0001]/[0002]) in outlook recipients, SC treats the following Received lines as Private/internal handoffs and correctly identifies the culprit in [0005].

    This is not SC's fault, and SC cannot fix it. This fix has to come from M$ themselves, and, although SC did fix it in Gmail's sector, which, though Gmail's fault, and rightly also in Gmail's mail-server's code to be fixed, as 6to4 addresses should not propagate with private networks, is in the end a needed fix in SC's parser, and hopefully, whoever fixed it, made sure that only private networks are affected in the 2002:: 6to4 range, because it is possible (and allowed) to have valid IPv4 networks translated and propagated in IPv6 6to4 addresses. (please forgive the long-winding-ultra-long-complex-sentence. I hope it is understandable ;)🙃.)

    So in the end, the answer is as follows:

    For Gmail users: you do not have to remove/replace the 1st (topmost) Received: header.

    For Outlook users: you still have to remove/replace the 1st (topmost) Received: header. Sorry. :(

    This should answer both parts of the question. HTH

    RobiBue,

    Thank you so much for taking super care and investing time and energy to provide comprehensive explanation. As I'm still on my SCLplates logical/comprehensive responses aid my learning & understanding.

    I'm really grateful!

    I do understand why MS is in such a state, SCAdmin have previously advised MS made some "errors" when trying to fix other MS errors, SCA also advised the time frame for MS fix is likely to be years; so I'm cool with still modifying any source data I submit to SC.

    Rome wasn't built in a day, MS architects don't seem to often refer to their building sketches so, fix years away, may happen after I'm dead in which case I don't expect to be worrying about scum🤥🦹‍♂️🦹‍♀🤥s.

    Back to your excellent information, dunno what your day job is but you could easily/successfully be writing tech training doco.

    Don't answer this by telling me you make a quid by being a 🤥🦹‍♂️🦹‍♀🤥r!

    Thanks a bunch:)
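
The hand-off comparison RobiBue walks through in the quoted post above, as an added example that is not part of the original thread and is not SpamCop's parser code. It uses the three simplified Received: lines from that post; the function names and the verdict strings are assumptions made for this sketch.

```python
import ipaddress
import re

# Received: lines as quoted in the post above (timestamps/protocol already omitted there).
HEADERS = """\
Received: from PU1APC01HT007.eop-APC01.prod.protection.outlook.com (2603:10a6:800:92::20)
 by VI1PR06MB5360.eurprd06.prod.outlook.com
Received: from PU1APC01FT052.eop-APC01.prod.protection.outlook.com (10.152.252.54)
 by PU1APC01HT007.eop-APC01.prod.protection.outlook.com (10.152.252.101)
Received: from iainternalmeds.com (69.160.26.74)
 by PU1APC01FT052.mail.protection.outlook.com (10.152.253.137)
"""

# Matches the simplified "from host (ip) by host [(ip)]" form used in the post.
HOP_RE = re.compile(
    r"from\s+(?P<from_host>\S+)\s+\((?P<from_ip>[^)]+)\)\s+"
    r"by\s+(?P<by_host>\S+)(?:\s+\((?P<by_ip>[^)]+)\))?"
)

def parse_hops(raw):
    """Return hops oldest first: each server prepends its header, so read bottom-up."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)  # undo header line folding
    hops = []
    for line in unfolded.splitlines():
        if line.lower().startswith("received:"):
            m = HOP_RE.search(line)
            if m:
                hops.append(m.groupdict())
    return hops[::-1]

def same_ip(a, b):
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except (ValueError, TypeError):  # missing or unparsable address
        return False

def check_handoffs(hops):
    """Compare the host that received a hop ('by') with the sender of the next ('from')."""
    results = []
    for earlier, later in zip(hops, hops[1:]):
        by_host, from_host = earlier["by_host"].lower(), later["from_host"].lower()
        if by_host == from_host and same_ip(earlier["by_ip"], later["from_ip"]):
            verdict = "consistent"
        elif by_host == from_host:
            verdict = "same name, different address"
        elif by_host.split(".")[0] == from_host.split(".")[0]:
            verdict = "same first label only"
        else:
            verdict = "unrelated"
        results.append((earlier["by_host"], later["from_host"], verdict))
    return results

def first_public_sender(hops):
    """Oldest 'from' address that is not in a private range (sketch assumption)."""
    for hop in hops:
        if not ipaddress.ip_address(hop["from_ip"]).is_private:
            return hop["from_ip"]
    return None

if __name__ == "__main__":
    chain = parse_hops(HEADERS)
    for by_host, from_host, verdict in check_handoffs(chain):
        print(f"{by_host} -> {from_host}: {verdict}")
    print("first public sender:", first_public_sender(chain))
```

Neither hand-off in the sample comes out as "consistent", which matches the post's reading that only the topmost Received: line can be tied to a known host.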


  5. 1 hour ago, lisati said:

    What I'm seeing is that the modification(s) still seem to be necessary.

    Thank you Lisati :) There's a bunch of us asking this.

    As a SC🔰🚗🔰, info from experienced SCF members & other SC posters is invaluable; has  helped me understand some of the 🦹logic/motivation & how to effectively☠️🦹☠️as many as possible :)

    The (v4/v5) difference (I observe) is v5 is now providing:

    Message source: 2603:10c6:1:0:0:0:0:25:; Routing details for 2603:10c6:1:0:0:0:0:25
    whois for 2603:10c6:1:0:0:0:0:25 : abuse@microsoft.com; abuse@hotmail.com redirects to report_spam@hotmail.com

    That's a good thing, as, previously, when I forwarded ANY [source data spam] to MS, they'd always refuse to accept.

    I'm waiting to hear from MS now that I provided msg source/routing details (from a spam today)...

    Additionally, it'll be good if SC let us know what the v5 changes are (unless of course those changes are not for publication) 

    Thanks again & cheers!


  6. Hello Borgholio

    I think I've found/struck same issue/s 

    [http://forum.spamcop.net/topic/30224-something-wrong-with-outlook-reporting/?page=2&tab=comments#comment-129011], hoping the SCF experts/experienced team members will clarify.... It's certainly interesting having [SC distribution] choices, I'd just like to know which parsing method to choose for the most accurate report... 

    Tracking your post in case the answers appear:)and hoping, SCAdmin will publish a V5 "features" guide when they recover from the update-long-haul:)

     

  7. RobiBue, you may be able to answer my question please (specific to SCv5)(IPv6 624)

    With V5, do we no longer have to  "cut"

    1st [Received: from PU1APC01HT007.eop-APC01.prod.protection.outlook.com(2603:10a6:800:92::20) blah, blah, blah, Mon, 14 Jan 2019 06:08:02 +0000]

    ?

    instead post to parser ENTIRE source data?

    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------

    • And, anyone who's game:P may be able to answer:

    if the answer's "yes"; why parsing the entire source data would result in different [Reports sent to] distributions?

    https://www.spamcop.net/sc?id=z6513483714z596b7c076a2121c3ce82e632cf6e31a3z

    as opposed to parsing modified source data  [Reports sent to] distributions

    https://www.spamcop.net/sc?id=z6513484404zf0c78fe42b97237ee395ad8a37facc9cz

    Thanks in advance!


  8. 3 hours ago, gnarlymarley said:

    Like all business owners, they get their money from somewhere.  Either they have investors, or they people that keep buying into the spams (either by entering banking information or by clicking an advertisement link).  My guess is mostly the latter.

    ANGEL,  The tracking link would have the "sc?id=" in the middle of it.  This would be your tracking link:

    
    Here is your TRACKING URL - it may be saved for future reference:
    https://www.spamcop.net/sc?id=z6512755812z8ee73d74322c131f8ca885cc287a03fcz

     

    Thank you Gnarlymarley, however, I'm a tad confused:

    a) you responded to my original post (& I took from your reply) you interrogated the url I posted - no?

    b) when I go to [ https://www.spamcop.net/w3m?i=z6898801339z8c25e92a12dc86c774a950d737412c13z ] & select [Show how SpamCop traced this message] redirects to https://www.spamcop.net/sc?id=z6512755812z8ee73d74322c131f8ca885cc287a03fcz, imo, gets to the same result, therefore, not much difference. 

    But, I'm happy to take on the learning, thank you😊

  9. 20 minutes ago, Lking said:

    Yes. 

    If they "own" a block of IPs, they can rotate the IP they use to send spam whenever an IP gets blocked. They will never have a host block their spam because of complaints.  Sorry to say, from a business standpoint owning a range of IPs makes sense.

    Thanks Lking, that adds to the helpful info posted by Gnarlymarley.

    Not that it's welcome info.

    (imo) It means they are: rich, dumb, business owners🤢

  10. 1 hour ago, gnarlymarley said:

    SC reports are directed to the administrator listed as the abuse contact for that network.  Most networks are gathered from the whois data for the IP range as appears to be the case when I browse down to your tracking URL.  I see that this report was sent to both an outlook.com address and a user defined hotmail.com address.  The IP address in question seems to be assigned to an ISP called CoreIP.  Rather than provide a real abuse address the CoreISP internet provider appears to be using one at outlook.com.

    Now you ask, if the reports are ever directed to the "source" of the spam.  There have been a number of spammers that appear to purchase a whole entire network range just so they can be the abuse contact listed in the whois.  As soon as those are found out, the deputies can block the reports from going to those addresses and/or redirect them to their upstream provider.

    Re [There have been a number of spammers that appear to purchase a whole entire network range just so they can be the abuse contact listed in the whois]

    Are they really: 

    - that rich? :wacko:

    - that dumb?:wacko:


  11. 45 minutes ago, petzl said:

     

    Help if you sent a tracking URL

    Your email server collects a received IP address; that is a genuine IP. A lot of spam has fake IPs stamped with the spam. SpamCop will disregard these if there is something dodgy about it (no DNS etc.). Example below.

    
    Received: from WINDOWS-COSBPNE (unknown [113.140.86.66]) my email server
    	by vmx5.spamcop.net (Postfix) with ESMTP id 07FDAAF6FB
    	for <xxx[AT]spamcop.net>; Wed,  9 Jan 2019 13:31:08 -0800 (PST)
    Received: from jakwcdbio (Unknown [182.111.98.3]) claimed/fake email server stamped source

    DNS LOOKUPS
    Forward and Reverse DNS lookups are performed to see, if the name to IP and IP to name DNS lookups produce the same results. This feature is used to see if DNS is correctly set up for a host and can be an indicator for a malicious host.

     

    Hi Petzl, what does "Help if you sent a tracking URL" mean please?

  12. 1 hour ago, gnarlymarley said:

    SC reports are directed to the administrator listed as the abuse contact for that network.  Most networks are gathered from the whois data for the IP range as appears to be the case when I browse down to your tracking URL.  I see that this report was sent to both an outlook.com address and a user defined hotmail.com address.  The IP address in question seems to be assigned to an ISP called CoreIP.  Rather than provide a real abuse address the CoreISP internet provider appears to be using one at outlook.com.

    Now you ask, if the reports are ever directed to the "source" of the spam.  There have been a number of spammers that appear to purchase a whole entire network range just so they can be the abuse contact listed in the whois.  As soon as those are found out, the deputies can block the reports from going to those addresses and/or redirect them to their upstream provider.

    Thank you Gnarlymarley, 

    Your answer is exactly the information I needed & clarifies the issue:)

    Re [As soon as those are found out..], is there anything we [SC] users can do/need to do, to facilitate [action by SC deputies](apart from submitting spam to SC)?

  13. :)Thank you Lking!!, Re "I do not forward one account to another", me neither, however, I have setup the other MH's/email addresses, just to get some "actual" experience with the process, it all fits together better, in my brain:blink:, if I can do it as well as read it. And, I've dug out my cuisenaire rods to assist:lol:

    Back to your elaborate explanation, you sure are creative, busboy at greasyspoon indeed! I wonder if there is such a place? I wonder if I'd eat there? Probably^_^

    2015 - the bit that confused me "soon, all SpamCop users will be required to use this new system", as a newbie, I created a SC account, no prob, after some days I read the help, MH config etc, and at that stage could not work out how I'd been able to sign in/setup so easily, if the MHC was required, given it is way past 2015.

    As you've probably concluded, I get confused easily, I failed Comp Sci, well not failed technically, just sent my teachers spare in the process of getting thru...That's why patient, specific, analytical folks such as yourself are gold. 

    Thanks again!

     

     

  14. Hello LKing, Thank you! I did read "one host covered more than 1 email address..", got a bit confused, that's when I tried to register the 2nd email address - the doco that references: Example 1: A, B, C  & Example 2: A, B, C, led to some of the confusion...

    Secondly, the date (2015 ?) of the "Configure Mail Hosts" "SpamCop is undergoing a major renovation... etc", " Soon, all SpamCop users will be required to use this new system", added to confusion...

    For this exercise, as you twigged, I do have 1 host & 3 mail addresses, my mistake was assuming I had to add each email address. 3 hosts, 3 emails addresses.

     I always do check the parser before sending/submitting, not sure tho what your advice is suggesting I will find specific to the mail host issue, may I ask please if you'd elaborate on that point please?

    As always, very appreciative of your helpful advice, many thanks😊

     

     


  15. Setup - Mailhost for 1 email account, 1st problem - no field to add 2nd email address (for same host), so > Setup Mailhost for 2nd email account - got the following "information"

    https://www.spamcop.net/mcgi

    host xxxx:xxxx:x:xx:0:0:0:xx (getting name) no name

    Test email processed succesfully.

    xxxx's replaced actual "Relaying IPsv6"

    Help please - what am I missing? (be nice)😉

     

  16. Microsoft Outlook (all versions) Outlook does not properly forward mail with the headers and message body intact. It is not possible to use SpamCop's email submission system with Outlook unless you use one of the below add-on programs or similar macro.

    This is not making sense, up until today I've successfully submitted spam received by https://outlook.live.com/mail/ have always been able to extract source & no issues with formatting, empty spaces, nor have I had to use add-on programmes/macros... ?

    This doco - https://www.spamcop.net/fom-serve/cache/122.html - Microsoft Outlook (all versions) doesn't seem to cover OL Live or OL 2016 app...

    Tad confused...

     
