
rdorsch

Posts posted by rdorsch

  1. Hi,

    I migrated my mailserver to a new machine. I report spam using

    spamassassin -r < message

    called by an inotify script, monitoring an IMAP directory into which I move spam manually.

    In the past I had spamcop_from_address and spamcop_to_address in local.cf and this worked well. In the new machine, I see that local.cf gets read

    Jun  5 17:53:00.309 [11949] dbg: config: read file /etc/spamassassin/local.cf

    but the spam reports do not use the spamcop_from_address and spamcop_to_address ...

    Jun  5 17:53:10.028 [11949] dbg: reporter: SpamCop sent FROM <user>@<machine>
    Jun  5 17:53:10.029 [11949] dbg: reporter: SpamCop received 250 sender <<user>@<machine>> ok
    Jun  5 17:53:10.196 [11949] dbg: reporter: SpamCop sent TO spamassassin-submit@spam.spamcop.net

    and my spam reports do not work 😞

    Fancy is that both machines use spamassassin 3.4.2

    Any hint is welcome.

    Rainer
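
As an added example (not code from the post above, and not part of SpamAssassin itself), here is a small Python check that reads the `-D` debug output quoted in the post and reports whether the FROM and TO addresses the SpamCop reporter actually used match the `spamcop_from_address` and `spamcop_to_address` values set in local.cf. The sample log is constructed from the lines in the post (the `<user>@<machine>` placeholders are kept as they appear there); the expected addresses passed to the check are assumptions.

```python
import re

# Constructed sample of `spamassassin -r -D` debug output, modelled on the
# lines quoted in the post (placeholders <user>@<machine> kept as-is).
SAMPLE_LOG = """\
Jun  5 17:53:00.309 [11949] dbg: config: read file /etc/spamassassin/local.cf
Jun  5 17:53:10.028 [11949] dbg: reporter: SpamCop sent FROM <user>@<machine>
Jun  5 17:53:10.029 [11949] dbg: reporter: SpamCop received 250 sender <<user>@<machine>> ok
Jun  5 17:53:10.196 [11949] dbg: reporter: SpamCop sent TO spamassassin-submit@spam.spamcop.net
"""

CONFIG_RE = re.compile(r"dbg: config: read file (\S+)")
FROM_RE = re.compile(r"dbg: reporter: SpamCop sent FROM (\S+)")
TO_RE = re.compile(r"dbg: reporter: SpamCop sent TO (\S+)")


def parse_reporter_debug(log_text):
    """Return (config_files_read, from_address, to_address) from a debug log."""
    files = []
    sent_from = sent_to = None
    for line in log_text.splitlines():
        m = CONFIG_RE.search(line)
        if m:
            files.append(m.group(1))
            continue
        m = FROM_RE.search(line)
        if m:
            sent_from = m.group(1)
            continue
        m = TO_RE.search(line)
        if m:
            sent_to = m.group(1)
    return files, sent_from, sent_to


def check_reporter_settings(log_text, expected_from, expected_to,
                            config_file="/etc/spamassassin/local.cf"):
    """Compare what the reporter actually used against the local.cf settings.

    Returns a list of findings; an empty list means the configured
    spamcop_from_address / spamcop_to_address were honoured.
    """
    files, sent_from, sent_to = parse_reporter_debug(log_text)
    findings = []
    if config_file not in files:
        findings.append(f"{config_file} was never read (check --siteconfigpath / -C)")
    if sent_from is None or sent_to is None:
        findings.append("no 'reporter: SpamCop sent FROM/TO' lines found; run with -D reporter")
        return findings
    if sent_from != expected_from:
        findings.append(f"FROM used {sent_from!r}, expected spamcop_from_address {expected_from!r}")
    if sent_to != expected_to:
        findings.append(f"TO used {sent_to!r}, expected spamcop_to_address {expected_to!r}")
    return findings


if __name__ == "__main__":
    # Assumed expected values; replace with the addresses from your local.cf.
    for finding in check_reporter_settings(SAMPLE_LOG, "reports@example.org",
                                           "spamassassin-submit@spam.spamcop.net"):
        print(finding)
```

Capture the log with `spamassassin -r -D config,reporter < message 2> debug.log` (debug output goes to stderr) and pass the file contents to `check_reporter_settings`. A finding on the FROM line while local.cf shows up in the list of files read means the file was parsed but the address was taken from somewhere else, which narrows the search to the config order rather than the file path.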

  2. 8 hours ago, petzl said:

    Talking about your PC a virus check is a must. Could be you have been compromised.
    I even use a VPN this encrypts my communications to and from Computer. Even my Skype calls are encrypted.
    Win!0 here just use Windows defender which right now seems very good.

    I am not doubting that virus checks are useful, in particular if you are running a Windows PC (which I do not :-) ).

    But that is only relevant here, if my systems are the spam source, not the spam destination.

  3. 44 minutes ago, Lking said:

    The system obviously does not like your attachment.

    You can recover the tracking URL by logging into your reporting account and clicking on the <Past Reports> tab This will list "Report Numbers? when you select the correct report the Tracking URL will be part of the next screen.

    Hmm....I think that helped to recover it, I clicked on "Parse" to recover it:

    https://www.spamcop.net/sc?id=z6633595354za3c7f1c70eca174576d1527014496a1dz

  4. 52 minutes ago, Lking said:

    If I understand the issue correctly without a Tracking URL another thing to consider is, if your email and domain are on the same host and IP. As you know spamcop looks at IPs not domain names directly.  Having your domain listed in a spam is odd.  spam I have received, even those requesting to buy one of my domains, don't include the domain in the body.

    In any case your point is well taken. If the domain in the body of the spam is the same as a domain in your mailhost configuration, the solution should be relatively straightforward.

    I would suggest a post in New Feature Request with a Tracking URL as an example to illustrate your request/suggestion.

    Many thanks for your reply, I opened a new feature request as you suggested. For completeness I include here the tracking URLs:

    Submitted: 14.5.2020, 17:40:25 +0200: 
    =?UTF-8?B?6L+Q6YCB5bu66K6uIDMwLzUvMjAyMA==?=
    7058512602 ( http://www.bokomoko.de/ ) To: abuse@netcup.de
    7058512598 ( 185.222.58.117 ) To: complain@rootlayer.net

    Here is the new feature request:

  5. This topic was discussed already on 

    and Lking proposed to open a feature request here.

    The issue is:

    • I received spam and reported it to spamcop:
      Submitted: 14.5.2020, 17:40:25 +0200: 
      =?UTF-8?B?6L+Q6YCB5bu66K6uIDMwLzUvMjAyMA==?=
      7058512602 ( http://www.bokomoko.de/ ) To: abuse@netcup.de
      7058512598 ( 185.222.58.117 ) To: complain@rootlayer.net
    • Apparently, the (Chinese?) spam contained my own domain: www.bokomoko.de
      [screenshot attachment]
    • Unfortunately, I did not notice this in the generated report and confirmed that.

    Since I received multiple of these emails in the past days and I deselected my own domain (except on the first spam I received), I suggest that spamcop handles this situation better. As an immediate measure, my wife suggested to stop reporting spam to spamcop, if that has the risk that our email server gets shut down in the middle of Corona home schooling.

    Feature request is:

    • Spamcop should support per reporter whitelists for domains which should never be reported to spamcop
    • If the effort for this is too high: Never generate abuse reports for the domains referenced in the body of the spam mail, if they match the spam destination domain
    • If the effort for this is too high: Make the default to not generate abuse reports for domains referenced in the body of the spam email to reduce false positives

    If there is further information I can provide, please let me know.

  6. 3 hours ago, gnarlymarley said:

    I had a similar situation happen to me about two decades ago with an admin from a well known education institution confusing the internal links of the spam as the source of the spam.  This is why I prefer to report just the source instead of the links inside.  If I see any on my reports that might be valid (innocents caught in the crossfire), I uncheck those.

    That is a good point, my own host might not be the only innocent victim. The longer I think about that the more I come to the conclusion that spamcop should fix things here, since the default is dangerous for the reporter and may trigger false positives. My wife's opinion was please stop reporting spam to spamcop altogether, if the risk is that our email infrastructure gets shut down over the weekend (in the middle of Corona home schooling). I think spamcop should consider to

    • As default do not report links inside (to reduce false positives altogether)
    • At least protect the reporter and let the reporter configure a whitelist for internal links (or at least support to whitelist the spam recipient domain)

    I am still puzzled that I have not seen that kind of issue for many years but now very frequently.
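
The pre-check asked for in this post and in the feature request above, as an added example that is not part of the thread or of spamcop: a Python function that splits the targets a report would be sent for into those still worth reporting and those that fall under the reporter's own domain or resolve to the reporter's own mail host IP, so the reporter sees them flagged before confirming. The resolver table is constructed from the dig output quoted later on this page (www.bokomoko.de, netcup.bokomoko.de and mail.bokomoko.de all resolve to 37.120.169.230); `SAMPLE_TARGETS` are the two targets from the report quoted above. A real implementation would query DNS instead of the table.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed resolver table, taken from the dig output quoted on this page.
# Real code would call a DNS resolver here instead of a dict lookup.
RESOLVER = {
    "bokomoko.de": "37.120.169.230",
    "www.bokomoko.de": "37.120.169.230",
    "netcup.bokomoko.de": "37.120.169.230",
    "mail.bokomoko.de": "37.120.169.230",
}

# Constructed sample: the two targets spamcop derived from the report above.
SAMPLE_TARGETS = ["http://www.bokomoko.de/", "185.222.58.117"]


def host_of(target):
    """Extract the hostname (or literal IP) from a URL or a bare host string."""
    parts = urlsplit(target if "://" in target else "//" + target)
    return (parts.hostname or "").rstrip(".").lower()


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def in_domain(host, domain):
    """True if host equals domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def recipient_domain(address):
    """Domain part of the address the spam was delivered to."""
    return address.rsplit("@", 1)[-1].lower().rstrip(".")


def filter_report_targets(targets, own_domains, own_ips=(), resolve=RESOLVER.get):
    """Split candidate report targets into (report, suppressed).

    A target is suppressed when its hostname lies under one of the reporter's
    own domains (the whitelist, or the recipient domain), or when it is, or
    resolves to, one of the reporter's own mail host IPs. Each suppressed entry
    carries the reason so it can still be checked by eye before confirming.
    """
    own_domains = {d.lower().rstrip(".") for d in own_domains}
    own_ips = set(own_ips)
    report, suppressed = [], []
    for target in targets:
        host = host_of(target)
        if not host:
            suppressed.append((target, "unparseable"))
            continue
        if any(in_domain(host, d) for d in own_domains):
            suppressed.append((target, "under own domain"))
            continue
        addr = host if is_ip(host) else resolve(host)
        if addr in own_ips:
            suppressed.append((target, f"resolves to own host {addr}"))
            continue
        report.append(target)
    return report, suppressed


if __name__ == "__main__":
    # Assumed recipient address and mail host IP for the demonstration.
    own = [recipient_domain("someone@bokomoko.de")]
    keep, drop = filter_report_targets(SAMPLE_TARGETS, own, ["37.120.169.230"])
    print("report:", keep)
    print("suppressed:", drop)
```

The two rules map onto the three feature-request variants: the domain check covers a per-reporter whitelist and the "matches the spam destination domain" default, and the IP check covers the case spamcop actually acts on, since, as Lking notes above, it looks at IPs rather than domain names. Keeping the suppressed list visible rather than silently dropping it is deliberate: a reporter who can see why a target was removed can still report it when it is not theirs.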

  7. 6 hours ago, petzl said:

    Seems strange a provider would shut down a website with one complaint?
    Make sure it has not been compromised, change password.
    Run a virus scan on your computer. If you are competing against a similar website you are possibly being attacked, often done for blackmail as well!
    Your mailhosts are not necessarily the same as a domain. have a look
    But then SpamCop only stops reporting your email "domain"

    Contact your provider

    The story with the provider is a separate topic, but long story short: The spamcop reports are processed automatically, normally they disable the host immediately (which does not make sense, but this is at least what they communicated). After calling them, they checked the issue and reenabled the server immediately.

    I do not understand why I should run a virus scan if my server is not the source of the spam.

    Mailhost and website are the same domain, even the same host.

    rd@h370-wlan:~$ dig bokomoko.de
    
    ; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> bokomoko.de
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43604
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;bokomoko.de.                   IN      A
    
    ;; ANSWER SECTION:
    bokomoko.de.            214     IN      A       37.120.169.230
    
    ;; Query time: 0 msec
    ;; SERVER: 192.168.4.1#53(192.168.4.1)
    ;; WHEN: So Mai 24 09:58:43 CEST 2020
    ;; MSG SIZE  rcvd: 56
    
    rd@h370-wlan:~$ dig www.bokomoko.de
    
    ; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> www.bokomoko.de
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49796
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ;; QUESTION SECTION:
    ;www.bokomoko.de.               IN      A
    
    ;; ANSWER SECTION:
    www.bokomoko.de.        299     IN      CNAME   netcup.bokomoko.de.
    netcup.bokomoko.de.     299     IN      A       37.120.169.230
    
    ;; Query time: 39 msec
    ;; SERVER: 192.168.4.1#53(192.168.4.1)
    ;; WHEN: So Mai 24 09:57:24 CEST 2020
    ;; MSG SIZE  rcvd: 81
    
    rd@h370-wlan:~$ dig -t MX bokomoko.de
    
    ; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> -t MX bokomoko.de
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34232
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ;; QUESTION SECTION:
    ;bokomoko.de.                   IN      MX
    
    ;; ANSWER SECTION:
    bokomoko.de.            299     IN      MX      10 mail.bokomoko.de.
    
    ;; Query time: 132 msec
    ;; SERVER: 192.168.4.1#53(192.168.4.1)
    ;; WHEN: So Mai 24 09:57:35 CEST 2020
    ;; MSG SIZE  rcvd: 61
    
    rd@h370-wlan:~$ dig mail.bokomoko.de
    
    ; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> mail.bokomoko.de
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36872
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ;; QUESTION SECTION:
    ;mail.bokomoko.de.              IN      A
    
    ;; ANSWER SECTION:
    mail.bokomoko.de.       294     IN      A       37.120.169.230
    
    ;; Query time: 17 msec
    ;; SERVER: 192.168.4.1#53(192.168.4.1)
    ;; WHEN: So Mai 24 09:57:47 CEST 2020
    ;; MSG SIZE  rcvd: 61
    
    rd@h370-wlan:~$

  8. Hello,

    I recently had the problem that I received spam, reported spam to spamcop, spamcop informed the hoster and the hoster deactivated *my* server. Looking into the issue, I found that my domain was mentioned in the spam email, that was pretty much the only text string I could read in the (Asian) email. I did not read "Please make sure this email IS spam:" confirmation page carefully enough, which most likely listed my domain, and the process started.

    I have not seen that in the past 10+ years I have been reporting to spamcop, but since then many times now.

    Since the domain which is referenced in the spam email and my mail domain are the same, it should be trivial to catch such false positives by spamcop. I am just wondering if anything changed in the spamcop setup or if I can somewhere configure that spamcop never generates reports against my own domain submitted by me.

    Many thanks

    Rainer
