Snowbat

Even at reporting time, the cached address was abuse@microsoft.com. The problem is whatever SpamCop is trying to do at the "Using rdns to route to correct Microsoft department" stage.

13.64.0.0 - 13.107.255.255 is Microsoft but SpamCop reports 13.68.154.53 directly to the spammer. I've seen similar misreporting for other Microsoft-hosted spammers. https://www.spamcop.net/sc?id=z6713311620zae746f26cf2e5fb58c2b5b7dfb392cb3z Tracking message source: 13.68.154.53: Routing details for 13.68.154.53 [refresh/show] Cached whois for 13.68.154.53 : abuse@microsoft.com Using best contacts abuse@microsoft.com Using rdns to route to correct Microsoft department host 13.68.154.53 = envio.dabitoconta04.com. (cached) abuse net envio.dabitoconta04.com = postmaster@dabitoconta04.com, postmaster@envio.dabitoconta04.com If reported today, reports would be sent to: Re: 13.68.154.53 (Administrator of network where email originates) postmaster@envio.dabitoconta04.com postmaster@dabitoconta04.com

137.116.0.0 - 137.116.255.255 is Microsoft but SpamCop reports 137.116.138.125 directly to the spammer. I've seen similar misreporting for other Microsoft-hosted spammers. https://www.spamcop.net/sc?id=z6713309826zc4ee960634635eecc3aee8ec8c16b756z Tracking message source: 137.116.138.125: Routing details for 137.116.138.125 [refresh/show] Cached whois for 137.116.138.125 : abuse@microsoft.com Using best contacts abuse@microsoft.com Using rdns to route to correct Microsoft department host 137.116.138.125 (getting name) no name host 137.116.138.125 = bonus14.ativandopontos-agorabonusoonline.com. (old cache) abuse net ativandopontos-agorabonusoonline.com = postmaster@ativandopontos-agorabonusoonline.com If reported today, reports would be sent to: Re: 137.116.138.125 (Administrator of network where email originates) postmaster@ativandopontos-agorabonusoonline.com

40.74.0.0 - 40.125.127.255 is Microsoft but SpamCop reports 40.83.112.59 directly to the spammer. I've seen similar misreporting for other Microsoft-hosted spammers. https://www.spamcop.net/sc?id=z6710180092z696fdaf09331d4788f922556d0e571fcz Routing details for 40.83.112.59 [refresh/show] Cached whois for 40.83.112.59 : abuse@microsoft.com Using best contacts abuse@microsoft.com Using rdns to route to correct Microsoft department host 40.83.112.59 = descontosapp27.confiraseusdescontosepontos.com. (cached) abuse net confiraseusdescontosepontos.com = postmaster@confiraseusdescontosepontos.com If reported today, reports would be sent to: Re: 40.83.112.59 (Administrator of network where email originates) postmaster@confiraseusdescontosepontos.com

20.33.0.0 - 20.128.255.255 is Microsoft but SpamCop reports 20.90.82.75 directly to the spammer. I've seen similar misreporting for other Microsoft-hosted spammers. https://www.spamcop.net/sc?id=z6710176742za59c59960c7ca612142f7013dcb98e0ez Tracking message source: 20.90.82.75: Routing details for 20.90.82.75 [refresh/show] Cached whois for 20.90.82.75 : abuse@microsoft.com Using best contacts abuse@microsoft.com Using rdns to route to correct Microsoft department host 20.90.82.75 = descontosapp108.confiraseusdescontosepontos.com. (cached) abuse net confiraseusdescontosepontos.com = postmaster@confiraseusdescontosepontos.com If reported today, reports would be sent to: Re: 20.90.82.75 (Administrator of network where email originates) postmaster@confiraseusdescontosepontos.com

51.132.0.0 - 51.132.255.255 is Microsoft but SpamCop reports 51.132.220.203 directly to the spammer. I've seen similar misreporting for other Microsoft-hosted spammers. https://www.spamcop.net/sc?id=z6693942163zc7ac658ce6e5c206330d702233efe297z Routing details for 51.132.220.203 [refresh/show] Cached whois for 51.132.220.203 : abuse@microsoft.com Using best contacts abuse@microsoft.com Using rdns to route to correct Microsoft department host 51.132.220.203 (getting name) no name host 51.132.220.203 = v1v015.atrasofaturaviv0.com. (old cache) abuse net atrasofaturaviv0.com = postmaster@atrasofaturaviv0.com If reported today, reports would be sent to: Re: 51.132.220.203 (Administrator of IP block - statistics only) postmaster@atrasofaturaviv0.com

20.33.0.0 - 20.128.255.255 is Microsoft but SpamCop reports 20.73.0.72 directly to the spammer. I've seen similar misreporting for other Microsoft-hosted spammers. https://www.spamcop.net/sc?id=z6692876685z0b26f07c4b20c3a2543ebe996cd74d4fz Routing details for 20.73.0.72 [refresh/show] Cached whois for 20.73.0.72 : abuse@microsoft.com Using best contacts abuse@microsoft.com Using rdns to route to correct Microsoft department host 20.73.0.72 = vi44.viv0digital.com. (cached) abuse net viv0digital.com = postmaster@viv0digital.com In this case, the spammer is sending "invoice reminders" purporting to be from Brazilian carrier Vivo with "download/print" link that redirects to a java scri_pt-wrapped malware download.

Both Postfix and Sendmail insert text in parentheses at that point so I doubt that it's non-compliant. SpamCop's code to identify a valid IPv4 address is clearly flawed/incomplete though.

Could be. While reporting some spam to Microsoft myself, if it's hosted on Azure, I get a reply saying they've forwarded it to their CERT team for review and action but if it's a 365/Exchange Online tenant, they tell me to report it to junk@office365.microsoft.com myself. Needless to say, I don't bother. A trillion dollar tech company should be able to forward their own e-mail internally or organize their ARIN WHOIS entries to point to the correct abuse reporting mailboxes.

168.61.0.0 - 168.63.255.255 is a Microsoft netblock. Why isn't SpamCop reporting this to abuse@microsoft.com? > Using rdns to route to correct Microsoft department Whatever SpamCop is trying to do here is clearly broken and likely to deliver reports directly to spammers hosted on Microsoft. https://www.spamcop.net/sc?id=z6688120180z0a1b0241c33ca6804206730ae435f1fbz Tracking message source: 168.61.170.142: Routing details for 168.61.170.142 [refresh/show] Cached whois for 168.61.170.142 : abuse@microsoft.com Using best contacts abuse@microsoft.com Using rdns to route to correct Microsoft department host 168.61.170.142 = nago8.subnovoavisos.com. (cached) abuse net nago8.subnovoavisos.com = postmaster@nago8.subnovoavisos.com, postmaster@subnovoavisos.com

52.145.0.0 - 52.191.255.255 is a Microsoft netblock. Why is SpamCop not reporting this to abuse@microsoft? https://www.spamcop.net/sc?id=z6688108903z76b3e0f67ee7620d683a17e0735c5873z Tracking message source: 52.175.53.32: Routing details for 52.175.53.32 [refresh/show] Cached whois for 52.175.53.32 : abuse@microsoft.com Using best contacts abuse@microsoft.com Using rdns to route to correct Microsoft department host 52.175.53.32 = w1.subnovoavisos.com. (cached) abuse net w1.subnovoavisos.com = postmaster@w1.subnovoavisos.com, postmaster@subnovoavisos.com > Using rdns to route to correct Microsoft department Whatever SpamCop is trying to do here is clearly broken and likely to deliver reports directly to spammers hosted on Microsoft.

52.132.0.0 - 52.143.255.255 is a Microsoft netblock. Why is SpamCop not reporting this to abuse@microsoft? > Using rdns to route to correct Microsoft department Whatever SpamCop is trying to do here is clearly broken and likely to deliver reports directly to spammers hosted on Microsoft.

'51.120.0.0 - 51.120.255.255' is Microsoft but Spamcop reports 51.120.93.44 directly to the spammer. I've seen similar misreporting for other Microsoft-hosted spammers. https://www.spamcop.net/sc?id=z6684582776z5cbae5f333ad4fcd75bb14237027b98dz Tracking message source: 51.120.93.44: Routing details for 51.120.93.44 [refresh/show] Cached whois for 51.120.93.44 : abuse@microsoft.com Using best contacts abuse@microsoft.com Using rdns to route to correct Microsoft department host 51.120.93.44 = apps03.assistaemcasa.org. (cached) abuse net assistaemcasa.org = postmaster@assistaemcasa.org

40.74.0.0 - 40.125.127.255 is Microsoft but SpamCop reports 40.78.83.67 directly to the spammer. I've seen similar misreporting for other Microsoft-hosted spammers. https://www.spamcop.net/sc?id=z6642045732zc34f39654039de5566045cb551a1d653z Tracking message source: 40.78.83.67: Routing details for 40.78.83.67 [refresh/show] Cached whois for 40.78.83.67 : abuse@microsoft.com Using best contacts abuse@microsoft.com Using rdns to route to correct Microsoft department host 40.78.83.67 = fim5.lotesecasasparafamilia.com. (cached) abuse net fim5.lotesecasasparafamilia.com = postmaster@lotesecasasparafamilia.com, postmaster@fim5.lotesecasasparafamilia.com

13.64.0.0 - 13.107.255.255 is Microsoft but Spamcop reports 13.76.230.92 directly to the spammer. I've seen similar misreporting for other Microsoft-hosted spammers. https://www.spamcop.net/sc?id=z6641771792z5771a00ed9c2fa22af1c6b531b432316zTracking message source: 13.76.230.92: Routing details for 13.76.230.92 [refresh/show] Cached whois for 13.76.230.92 : abuse@microsoft.com Using best contacts abuse@microsoft.com Using rdns to route to correct Microsoft department host 13.76.230.92 = dizer6.lotesecasasparafamilia.com. (cached) abuse net dizer6.lotesecasasparafamilia.com = postmaster@lotesecasasparafamilia.com, postmaster@dizer6.lotesecasasparafamilia.com Message is 5 hours old

52.224.0.0-52.255.255.255 is Microsoft but Spamcop reports 52.243.34.34 directly to the spammer. I've seen similar misreporting for other Microsoft-hosted spammers. https://www.spamcop.net/sc?id=z6640814149z1c2164e3e761afd7d9d053e0ead1aef0z Tracking message source: 52.243.34.34: Routing details for 52.243.34.34 [refresh/show] Cached whois for 52.243.34.34 : abuse@microsoft.com Using best contacts abuse@microsoft.com Using rdns to route to correct Microsoft department host 52.243.34.34 = id1.saudoemprimeirolugarfiqueemcasavendofilmes.com. (cached) abuse net id1.saudoemprimeirolugarfiqueemcasavendofilmes.com = postmaster@saudoemprimeirolugarfiqueemcasavendofilmes.com, postmaster@id1.saudoemprimeirolugarfiqueemcasavendofilmes.com

13.64.0.0 - 13.107.255.255 is Microsoft but Spamcop reports 13.67.72.254 directly to the spammer. I've seen similar misreporting for other Microsoft-hosted spammers. https://www.spamcop.net/sc?id=z6638070882z5bc61e892de0d6008e2b49d86b5592d4z Tracking message source: 13.67.72.254: Routing details for 13.67.72.254 [refresh/show] Cached whois for 13.67.72.254 : abuse@microsoft.com Using best contacts abuse@microsoft.com Using rdns to route to correct Microsoft department host 13.67.72.254 = toca8.familiadesucessocsgoooooo.com. (cached) abuse net toca8.familiadesucessocsgoooooo.com = postmaster@familiadesucessocsgoooooo.com, postmaster@toca8.familiadesucessocsgoooooo.com

52.132.0.0 - 52.143.255.255 is Microsoft but Spamcop reports 52.138.55.160 directly to the spammer. I've seen similar misreporting for other Microsoft-hosted spammers. https://www.spamcop.net/sc?id=z6637276977z8c88d696b11a340247839b0d7a9a2c90z Tracking message source: 52.138.55.160: Routing details for 52.138.55.160 [refresh/show] Cached whois for 52.138.55.160 : abuse@microsoft.com Using best contacts abuse@microsoft.com Using rdns to route to correct Microsoft department host 52.138.55.160 = user15.pj-santanderesfera.com. (cached) abuse net pj-santanderesfera.com = postmaster@pj-santanderesfera.com

For the last couple of weeks, SpamCop has not been correctly parsing spam from my Hotmail account. Any idea what's going on here? Two days ago, I deleted and reran mailhosts for this service but the problem persists. https://www.spamcop.net/sc?id=z6378762559z9e42c80ad962a6642989b272eaee79eaz https://www.spamcop.net/sc?id=z6378762599z963fee002594ef1c3daff0952e466158z https://www.spamcop.net/sc?id=z6378762629z8baabe40e498cbe86c2260097091518bz https://www.spamcop.net/sc?id=z6378762639ze0cd6e76c908a12c1c8ca5553f342b84z https://www.spamcop.net/sc?id=z6378762644z410c37853971273a9de5f9f27ce6f8e3z https://www.spamcop.net/sc?id=z6378762902z2657a78dda3fef60e268f0981100b651z https://www.spamcop.net/sc?id=z6378762909z6c9d303ab453ac2154f15c00a5679f5az https://www.spamcop.net/sc?id=z6378762912z9d3975fe9be4f7d1c6aae30513c8722fz https://www.spamcop.net/sc?id=z6378762954zc9ad3fff16b35c0f4944d00e3fb863eez https://www.spamcop.net/sc?id=z6378763074z9b67a7250f57077a54fbe03e9fcd595az https://www.spamcop.net/sc?id=z6378763254zb4b48a0dd4f105809f20ede6ecdbf006z https://www.spamcop.net/sc?id=z6378763258z72c3b5dd2ea8860af33f5d3c0257f0c6z https://www.spamcop.net/sc?id=z6378763636z034beb54ac57c50dbf09508daa7ff4c5z https://www.spamcop.net/sc?id=z6378763925z449957c88a851d16252cee9de803b257z https://www.spamcop.net/sc?id=z6378951357z10d1d3e42ae81a1447647881d0d9e017z https://www.spamcop.net/sc?id=z6378951360zf352675756ac2d94503af4b8d321969bz https://www.spamcop.net/sc?id=z6378951467zb021e76dd1332491d92b8e3cd39f1cf9z https://www.spamcop.net/sc?id=z6378954042zfecb1df612b2cbecfb69cb4a2e92c512z https://www.spamcop.net/sc?id=z6378954113zdae910ce6dc7784fedef7b308453eb08z https://www.spamcop.net/sc?id=z6378954169z48b59cbf560c5792d41fbb8e0f1c9410z https://www.spamcop.net/sc?id=z6378954182zdb6fafd7f501cd173eb7dbcd62f506fez https://www.spamcop.net/sc?id=z6378955431ze937e7b255a9db4c853c1f339c5663d6z https://www.spamcop.net/sc?id=z6378955479zfb1ffb94829210c5e66876da6110d418z https://www.spamcop.net/sc?id=z6378955491z6bdb65fab486e93e5de4a0fed6b35bb0z https://www.spamcop.net/sc?id=z6378955496z10f110021ce8ffc0e5c9f30a198bebd8z https://www.spamcop.net/sc?id=z6378956202z2151ed96656ef09afbfbda82b5ba09c1z https://www.spamcop.net/sc?id=z6378956209z74e287b105ff93ad043b1e0fd1f06b4dz https://www.spamcop.net/sc?id=z6378956212zea7c1ea8733cbd45235f93381821b57fz https://www.spamcop.net/sc?id=z6379246945z4d4fa92acc977540ebed5abd01c2f5a9z https://www.spamcop.net/sc?id=z6379246996z00c07466cdb9fd55076080a68ac83ac9z https://www.spamcop.net/sc?id=z6379247042zd4cb115a1c92f198d367fc41348c12c3z https://www.spamcop.net/sc?id=z6379247072zd64fb2dbb49c22a46d0154e02375d0bbz