  1. I am getting sporadic spam/scam emails into my hosting company's email server that are MISSING the first 2-3 lines of the headers, which makes them unreportable to SC (or any other abuse contact). Below and attached is a recent email that is missing the first 2-3 lines of the headers.

     I have contacted my hosting company about this issue and they claim the emails are this way because of the way they have been sent, NOT by the way their email server is processing them. For emails that have this problem, the hosting company claims the following:

     Look at the two lines: Received by and Received from. First one says in the end "with smtp" and 2nd one says in the end "with http"

     a) "With smtp" means: mail server received the email from any "Email Client". Since smtp server received it directly from an external IP, it shows the IP address

     b) "With http" means: email is sent from Google's web interface. And google's smtp server received email from its local webmail server side script. So Google put an internal machine ID in place of IP (Since the IP would be local IP of google http server). It's common for Gmail and Hotmail. They don't disclose sender IP if email is sent from webmail. So you can just report that machine ID to google and their system will track and take care of spammer.

     I don't know if my hosting company is correct or not! I find it hard to believe that email can be delivered like this. Does anyone else experience this? If you look at the email headers, notice there is "X-SmarterMail" processing that has taken place. Could THAT processing be whacking the email headers?

     (missing: Return-Path: ... )
     (missing: Received: from .... by emailserver3.[myserver].com with SMTP ... )
     (missing: date/time stamp when email was received by emailserver3.[myserver].com)

     (Below is the COMPLETE email with headers, as retrieved from the email server)

         Received: by 2002:a19:ca4e:0:0:0:0:0 with HTTP; Tue, 12 May 2020 13:18:03 -0700 (PDT)
         From: chigozie gozie <cgozie7@gmail.com>
         To: undisclosed-recipients:;
         Subject: From Mrs mush and Daughter / Greetings to you & your Family,
         Date: Tue, 12 May 2020 13:18:03 -0700
         Message-ID: <CAFWVug3jN-fUYxfwT-+Ke=eV1zPUC8YgAAaHqZrZggcK7Or=tA@mail.gmail.com>
         MIME-Version: 1.0
         Content-Type: text/plain; charset="utf-8"
         Content-Transfer-Encoding: quoted-printable
         Return-Path: <cgozie7@gmail.com>
         DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
          h=mime-version:from:date:message-id:subject:to;
          bh=7SmJkwt4HYfF2+9MdyFUN5MRVV9+Jx70aj2/gB7yE5Y=;
          b=ki1I49xVqumSL5IOZUVkhNZP/mbeTjCd55mRcc3rn0xzTzbw+XIMvhlHtHN31gL6Yy
          VpdVJDIGMQlQTGS5jyOBBdlFAbCR4TrAObZOn1IjUtDET/yXAxL0hIAtFn67BJeGpSq9
          OVBn0jJAxVH3kvFIyuV2mJDCLsnwJvv6ZnwARFim8bsz/O8cJfcTpDm3k7tfnBDKg7pk
          PgwCg4SALREfPKlmBOAzNc0VLEdg2+Of6Bp4HVK6bwVdr6qTQNspkFWzn8AFB7GqfDfV
          lRwapEtzhFdnHK1OAQLAcVMUTYMdeuUXnC9YTgcE9I50A+oamPeI+Gcv8XyScvp/zT/+
          wHUw==
         X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025;
          h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
          bh=7SmJkwt4HYfF2+9MdyFUN5MRVV9+Jx70aj2/gB7yE5Y=;
          b=mLkvgeHYws87ffHFK/X7fYaD+xQCgH4q3QcQtDYKv1KexQDzqNrf7/2bOPZuOgrhtA
          49jrJM+WSeQApLSGDMHpwljPaXUgwl3Su3NWCWVuXsYiLKNLYYoKluamC05iZ/SHRi78
          mRmsebD9AQWbFCgUjyZS7RbB5Mj7RcqOTStWJxXZpeEHhvgf8X30GSalFvo7/Ynyk/Cv
          9xrgmpnxLkPZKh0ImTjZ/WQUcU9j/Kdm4dKv+g084KXf24Tr4xZy2d/ksVHMY7pykhly
          Wx1LamwCoYA6qBZJsa2IxXboKRdpcdjzH0JH4euDTGnxL1inWdqiXj9UQnPtY/jrVXXn
          H+jA==
         X-Gm-Message-State: AOAM531WVDpQFIJu5hqAU+0FlfwuXQ3+ZeenhkmMzFoM946I7OtlqX9K
          shAXTq4XrMQ3fGPWomXBeEo3o4ySlcXZiYeUzr0=
         X-Google-Smtp-Source: ABdhPJwYz4FnLavDHVG8D6ByLaN1QzmMuItOFtalxTj5kOEDpcnKdry4u++7KRab0WJho9xhbLdrHNgMQt1YZDuK2K8=
         X-Received: by 2002:ac2:58d7:: with SMTP id u23mr6545768lfo.119.1589314683974;
          Tue, 12 May 2020 13:18:03 -0700 (PDT)
         X-CTCH-RefId: str=0001.0A09020D.5EBB0483.004D,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
         X-CTCH-AVLevel: Unknown
         X-Rcpt-To: <x>
         X-SmarterMail-spam: SPF [Pass]: -2, Cyren [Unknown]: 0, SpamAssassin [raw:7]: 12, DK [None]: 0, DKIM [Pass]: -1
         X-SmarterMail-SpamDetail: spam detection software, running on the system "spamassassin1.serverpoint.com", has
         X-SmarterMail-SpamDetail: identified this incoming email as possible spam. The original message
         X-SmarterMail-SpamDetail: has been attached to this so you can view it (if it isn't spam) or label
         X-SmarterMail-SpamDetail: similar future email. If you have any questions, see
         X-SmarterMail-SpamDetail: the administrator of that system for details.
         X-SmarterMail-SpamDetail: Content preview: Dearest, This mail might come to you as a surprise and the
         X-SmarterMail-SpamDetail: temptation to ignore it, I am Mrs Joyce mush and Daughter, from Cote D'Ivoire.
         X-SmarterMail-SpamDetail: I want to transfer the sum of $3,500,000 Usd in your account, you help me
         X-SmarterMail-SpamDetail: invest it in your country for my daughter future education. [...]
         X-SmarterMail-SpamDetail: Content analysis details: (7.3 points, 6.0 required)
         X-SmarterMail-SpamDetail: pts rule name description
         X-SmarterMail-SpamDetail: ---- ---------------------- --------------------------------------------------
         X-SmarterMail-SpamDetail: 0.0 T_WHOAMI EmailFilter1
         X-SmarterMail-SpamDetail: 3.0 SUBJ_YOUR_FAMILY Subject contains "Your Family"
         X-SmarterMail-SpamDetail: 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
         X-SmarterMail-SpamDetail: (cgozie7[at]gmail.com)
         X-SmarterMail-SpamDetail: 0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in
         X-SmarterMail-SpamDetail: digit (cgozie7[at]gmail.com)
         X-SmarterMail-SpamDetail: 0.0 LOTS_OF_MONEY Huge... sums of money
         X-SmarterMail-SpamDetail: 1.0 FREEMAIL_REPLY From and body contain different freemails
         X-SmarterMail-SpamDetail: 0.0 FILL_THIS_FORM Fill in a form with personal information
         X-SmarterMail-SpamDetail: 2.0 FILL_THIS_FORM_LONG Fill in a form with personal information
         X-SmarterMail-SpamDetail: 1.0 MONEY_FRAUD_3 Lots of money and several fraud phrases
         X-SmarterMail-TotalSpamWeight: 9

         Dearest, This mail might come to you as a surprise and the temptation to ignore it, I am Mrs Joyce mush and Daughter, from Cote D'Ivoire. I want to transfer the sum of $3,500,000 Usd in your account, you help me invest it in your country for my daughter future education. Recently my doctor told me that my health condition is very bad due to cancer problem having known my condition i decided to contact you. Send me these informations; Full name, Address, Sex, Age, Occupation, Phone/Mobile,State of origin, Country.I am waiting for your reply so that i give you more details . Hoping to receive your response immediately, E-mail Reply To; joycemush3@gmail.com Thanks. Sincerely . From Mrs mush and Daughter.

     0-2-2.txt
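An added example, not part of the original post and not SpamCop or SmarterMail code: a Python script that lists a message's Received and X-Received lines with their "with" protocol and checks whether any Received line was stamped by the recipient's own server, the line the post reports as missing. The two trace lines in TRUNCATED are the ones quoted in the post; the hosts emailserver3.example.net and relay.example.org and the first Received line of COMPLETE are constructed placeholders.

```python
import re
from email import message_from_string

# Clauses of a trace line: "from X by Y with PROTO id Z for <addr>; date"
CLAUSE = re.compile(r"\b(from|by|with|id|for)\s+(\S+)", re.IGNORECASE)

def parse_trace(value):
    """Split one Received/X-Received value into its clauses and timestamp."""
    value = " ".join(value.split())            # unfold continuation lines
    info, sep, stamp = value.rpartition(";")
    if not sep:                                # no timestamp on this line
        info, stamp = value, ""
    info = re.sub(r"\([^()]*\)", " ", info)    # drop (comments)
    hop = {key.lower(): val for key, val in CLAUSE.findall(info)}
    hop["stamp"] = stamp.strip()
    return hop

def trace_hops(raw):
    """Return the trace lines top-down, i.e. most recent hop first."""
    msg = message_from_string(raw)
    return [{"field": name, **parse_trace(value)}
            for name, value in msg.items()
            if name.lower() in ("received", "x-received")]

def has_local_hop(raw, local_domain):
    """True if a Received line was added 'by' a host in local_domain."""
    domain = local_domain.lower()
    for hop in trace_hops(raw):
        by = hop.get("by", "").lower().rstrip(".")
        if hop["field"].lower() == "received" and (
                by == domain or by.endswith("." + domain)):
            return True
    return False

# Trace lines as quoted in the post; the other header fields are left out.
TRUNCATED = """\
Received: by 2002:a19:ca4e:0:0:0:0:0 with HTTP; Tue, 12 May 2020 13:18:03 -0700 (PDT)
X-Received: by 2002:ac2:58d7:: with SMTP id u23mr6545768lfo.119.1589314683974;
        Tue, 12 May 2020 13:18:03 -0700 (PDT)
Subject: constructed sample

body
"""

# Constructed: a line of the kind a receiving server prepends (hypothetical hosts).
COMPLETE = ("Received: from relay.example.org (relay.example.org [2001:db8::25])\n"
            "        by emailserver3.example.net with SMTP;\n"
            "        Tue, 12 May 2020 13:18:05 -0700\n") + TRUNCATED

if __name__ == "__main__":
    for label, raw in (("truncated", TRUNCATED), ("complete", COMPLETE)):
        print(label, "- local hop present:", has_local_hop(raw, "example.net"))
        for hop in trace_hops(raw):
            print("   ", hop["field"], "by", hop.get("by"), "with", hop.get("with"))
```
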
  2. Well, ok... I guess. That still doesn't explain the inconsistency in SC detection. Here are more examples:

     (picked up originating IP but not hotmail IP addr)
     Received: from NAM03-BY2-obe.outbound.protection.outlook.com (mail-by2nam03hn0242.outbound.protection.outlook.com. [])
     Received: from [] (
     https://www.spamcop.net/sc?id=z6409167115za761b3104214b72db296057e7e7d1c25z

     (detected X-Originating-IP )
     X-Originating-IP: []
     https://www.spamcop.net/sc?id=z6407552726zb56b967b54eb78cfb1ad7d9571f6e59fz

     As far as confusing the matter, I feel the X-Originating-IP address is valid enough since they almost ALWAYS lead back to afrinic.net controlled IP addresses. SO I will CONTINUE to report them manually. I just wish SC would do it more consistently, because it DOES sometimes.
  3. When submitting the numerous African scam emails to SC, SC inconsistently detects the X-Originating-IP address that is contained in most of them. Below are some examples. I'd say that about 10% of X-Originating-IP addresses listed in emails submitted to SC are detected and reported by SC. For the rest of those IP addresses, it requires manual email submission outside of SC to the abuse contacts. Why does SC detect and report so few of the X-Originating-IP addresses?

     (detected X-Originating-IP )
     X-Originating-IP:

     NOT detect X-Originating-IP - NOTE that I tried removing the brackets and did a test submission, but the IP address was still not detected)
     X-Originating-IP: []
     https://www.spamcop.net/sc?id=z6406866999z99adf4922fa966b5fed68ebaf3b2fd37z
     X-Originating-IP: []
     https://www.spamcop.net/sc?id=z6406728731z23dd15f2eb5e25f40a46806c87083ddaz
  4. re: " the header is processed and reports sent "

     No report was "sent" or processed. There was nothing in the report history webpage. See below. So... I doubt anyone is looking into the issue. I guess I submitted to the wrong forum...

     Submitted: 10/23/2016, 11:57:18 AM -0500: DEAR FRIEND, CAN I TRUST YOU? No reports filed
     Submitted: 10/23/2016, 11:46:21 AM -0500: DEAR FRIEND, CAN I TRUST YOU? No reports filed
     Submitted: 10/23/2016, 11:42:44 AM -0500: DEAR FRIEND, CAN I TRUST YOU? No reports filed
     Submitted: 10/23/2016, 11:33:20 AM -0500: DEAR FRIEND, CAN I TRUST YOU? No reports filed
     Submitted: 10/23/2016, 11:32:53 AM -0500: DEAR FRIEND, CAN I TRUST YOU? SPF: PASS with IP 2a00:1450:400c:c09:0:0:0:243... No reports filed
     Submitted: 10/23/2016, 11:32:19 AM -0500: DEAR FRIEND, CAN I TRUST YOU? No reports filed
     Submitted: 10/23/2016, 11:26:39 AM -0500: DEAR FRIEND, CAN I TRUST YOU? No reports filed
  5. That post did not apply to my issue at all. As I indicated: "Submitted email directly at spamcop website" " There is one blank line separating the headers from the body. I tried adding more, with no better result. "
  6. Submitted email directly at spamcop website using the " Paste entire spam (headers, blank line, body) " method, like I do with all the other submissions I make. But this one produced:

     2a00:1450:400c:c09:0:0:0:243 not listed in cbl.abuseat.org
     2a00:1450:400c:c09:0:0:0:243 not listed in dnsbl.sorbs.net
     2a00:1450:400c:c09:0:0:0:243 not listed in accredit.habeas.com
     2a00:1450:400c:c09:0:0:0:243 not listed in plus.bondedsender.org
     2a00:1450:400c:c09:0:0:0:243 not listed in iadb.isipp.com
     No body text provided, check format of submission. spam must have body text.

     When viewing the email, there is clearly a body. The email was retrieved directly from gmail's "Original message" output, and pasted into the website field, just like others that I have submitted. There is one blank line separating the headers from the body. I tried adding more, with no better result.

     Seems spamcop has an issue processing this email: https://www.spamcop.net/sc?id=z6322627898zb99bde9cef22f4244354756ef95903c3z
  7. Tried to report (via spamcop website manual entry) an email that included a website URL in the body, but spamcop indicated:

     Tracking message source:
     Routing details for
     [refresh/show] Cached whois for : grzegorz.szar[at]network.net.pl
     Using last resort contacts grzegorz.szar[at]network.net.pl
     ISP has indicated spam will cease; ISP resolved this issue sometime after Sunday, May 13, 2007 7:11:33 AM -0500

     That's fine, but spamcop also disabled the reporting of the actual website/domain being promoted in the email body:

     If reported today, reports would be sent to:
     Re: (Administrator of IP block - statistics only)
     grzegorz.szar[at]network.net.pl
     Re: http://kumadira.hk/?a=636-10706 (Administrator of network hosting website referenced in spam)
     abuse[at]prodigy.net

     My question is why? Why not still process the complaint against the website? I would like to request a change to spamcop so that it DOES process the website/domain even if the source of the email has been "resolved" by the ISP. Nothing was "resolved" regarding the website/domain. It still needed to be reported.

     Here is the tracking URL: http://www.spamcop.net/sc?id=z1300312549z6...d7ef6c6c4d832fz
  8. Looking for the best/most effective (or really ANY) way to shut down a spammer who references "traffix" in each email and originates from 66.17.241, 65.111.16 or 208.53.7 to promote offers. I have reported the spammer 1-4 times a day for the last couple of months, but the spam still continues. The spammer uses new/unused domains in almost every email. I have compiled a list below. I have also been reporting the domain that is eventually reached after going through all the re-direct URLs. I have used spamcop as well as direct email to the following addresses. Nothing has stopped the emails. Here is a recent report: spamcop.net/sc?id=z1295320116zb1dff6525d3f0761e0ba6b7ca5e1cdb3z reports have been sent to: bill[at]greenlightpromotion.com moultriecomplaints[at]gmail.com abuse[at]guilfordcommunications.com, abuse[at]cogentco.com domains used in spam emails - in chronological order from most recent at the top:
  9. I was wondering if you could share some thoughts on the best/most effective way to report this spammer's intwm40.com and intwmailsc.com domains to get them shut down. I have reported well over 100 of their emails via spamcop and maybe 70-80 by direct email 1-3 times daily over the last several months.

     In addition to jkim[at]pccwglobal.com via spamcop, emails have been sent to: abuse[at]pccwglobal.com, abuse[at]pccwbtn.net postmaster[at]pccwglobal.com, supportamerica[at]btnaccess.com

     I have also reported the advertiser URL(s) that are eventually re-directed to from the spammers website, with no apparent effect.

     Here is a recent report: spamcop.net/sc?id=z1295332933za51cd62710a839f93fc63cef2d2726c1z

     Moderator edit to fix quoting
  10. re: Basically, spamcop is not a browser and not willing to wait an eternity (in network time) for it to resolve.

      Is there a way to REQUEST a longer timeout or some user-selectable parameter we can adjust for cases like this? I have gotten over 30 spam emails in two days promoting a site that is very much alive and functional, but spamcop fails to record it:

      Host kikaq.hk (checking ip) IP not found ; kikaq.hk discarded as fake.
      Host kikaq.hk (checking ip) IP not found ; kikaq.hk discarded as fake.
      :
      :
      Tracking link: http://kikaq.hk/
      No recent reports, no history available
      Cannot resolve http://kikaq.hk/

      What is the suggestion for reporting ALIVE domains/websites that spamcop does not handle?
  11. I manually enter spam emails at the spamcop.net/sc website using the text box labeled: "Paste entire spam (headers, blank line, body) - or - single address (one line only):". I always have the "Show technical details" box checked.

      It is taking a long time to process the email (after clicking the "Process spam" button), and then if it does it successfully, it may take a long time again, when clicking the "Send spam Report(s) Now" button. Sometimes the response is completely acceptable (a few to 10 or 15 sec). If the server is slow, I am likely to get an error such as:

      "Gateway Timeout The proxy server did not receive a timely response from the upstream server. Reference #1.58ed23f.1166... "
      "An error occurred while processing your request. Reference #97.636b9d40.11665 ....."
      "got sigalarm, taking too long to process, aborted. Perhaps you can wait a few minutes and reload?"

      After these messages, there is usually the "Unreported spam Saved: Report Now" and "Remove all unreported spam" links. I have been removing all, before manually entering the next email. Hopefully, someone is trying to address these issues?

      [Moderator edit: originally posted as a separate article, merged here; user remay notified by PM with cc to SpamCop Forum Moderators and Admin]
  12. I can't agree totally that spamcop website reporting is "back". I have seen SEVERAL occurrences today of messages similar to the following after clicking on "Send spam Report(s) Now" to send the reports:

      An error occurred while processing your request. Reference #97.636b9d40.11665 .....

      I have to "refresh" the browser, then I get the confirmation page that indicates the reports were sent.
  13. Still getting the following after submitting the report via website ... "got sigalarm, taking too long to process, aborted. Perhaps you can wait a few minutes and reload?" Since the list of abuse email addresses was shown, did the emails to them get sent, or do I need to actually re-do the report? I am seeing this set of errors more often than not, and at times that I would not expect to be peak times, but maybe these days, there ARE no peak times?
  14. That did the trick. Now I feel bad that all the spam reports got sent to the hosting company, but... they never informed me of the change. Thanks for the help!