jakeqz

Posts posted by jakeqz

  1. 27 minutes ago, RobiBue said:

    SC doesn't continue past the first unmatched host due to the nature of spams:
    Spammers historically insert/inject fake Received: headers to fool systems into parsing past the actual spammer host, and that's where SC usually does its best and stops at the first fake encounter. It is unfortunate that M$ handles their MX hosts the way they do, causing them to be marked as a spam source.
    I maintain that M$ needs to fix their system to the way it was intended, and not the way they would prefer it to be hidden.

    Hmm.  M$ spam filtering is awful.  They keep putting genuine mail in the Junk folder and spam in the inbox, regardless of DKIM or SPF.  It was so atrocious that I used to have a filter to move any email with `@` in the sender address to the inbox - until they decided that filters could only be run after spam classification and not on the 'junk mail' folder.  They also randomly reject messages with 550 codes because "part of your network is on our blocklist".  These are emails sent via GoDaddy.  I've tried to contact both companies to resolve the problem.  Both blame each other.

    If Microsoft made cars, they would crash every 50 miles.  I hope they are not involved with self-driving cars.  Though I don't trust the other players either.  Once they are unleashed, I will be cowering at home, watching RoboCop or 2001.

  2. 2 minutes ago, RobiBue said:

    The problem with hotmail/outlook/microsoft is that their host names do not return IP addresses:

    Host AS8P193MB2383.EURP193.PROD.OUTLOOK.COM (checking ip) IP not found ; AS8P193MB2383.EURP193.PROD.OUTLOOK.COM discarded as fake.

    So already the first host, failing to return the IP address, causes the parser to throw away the remaining Received: lines, and it therefore uses the first IP address (in this case the IPv6 given on the Received: for that host) to find the abuse contact.

    This is Microsoft's fault: they try to hide their hosts, and therefore the spam is presumed to come from them. They should fix their DNS records or keep getting hit by reports.

    That's what I thought.  But why can't SpamCop carry on parsing the `Received` header lines to get to the originator, regardless of Microsoft's shenanigans?  That way, we would be able to report spam to the originating ISP, who might actually listen.

  3. 23 hours ago, petzl said:

    Years ago Hotmail abuse wanted SpamCop reports sent to a different address. This may now be an ignored legacy address?

    You seem to be answering a different question from the one I asked.

    It seems that SpamCop is failing to parse the email headers received at Microsoft accounts, for example failing to recognize that the originator of a spam email was Google (or whomever), and thus failing to send spam reports to the originator's ISP.

    This is not related to the reporting address for spam originating from Microsoft's systems.  I am referring to spam that has originated elsewhere, that is *received* by a Microsoft-based email account.


  4. Every time I report a spam message received at my Hotmail account, SpamCop determines the contact for "administrator of network where email originates" to be report_spam@hotmail.com.

    However, inspection of the mail headers shows that not to be the case, e.g.:

    Received: from AS8P193MB2383.EURP193.PROD.OUTLOOK.COM (2603:10a6:20b:44c::5)
     by AS8P193MB2382.EURP193.PROD.OUTLOOK.COM with HTTPS; Tue, 3 Oct 2023
     15:28:10 +0000
    Received: from DU2PR04CA0207.eurprd04.prod.outlook.com (2603:10a6:10:28d::32)
     by AS8P193MB2383.EURP193.PROD.OUTLOOK.COM (2603:10a6:20b:44c::5) with
     Microsoft SMTP Server (version=TLS1_2,
     cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6813.36; Tue, 3 Oct
     2023 15:28:09 +0000
    Received: from DB8EUR05FT010.eop-eur05.prod.protection.outlook.com
     (2603:10a6:10:28d:cafe::15) by DU2PR04CA0207.outlook.office365.com
     (2603:10a6:10:28d::32) with Microsoft SMTP Server (version=TLS1_2,
     cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6838.33 via Frontend
     Transport; Tue, 3 Oct 2023 15:28:09 +0000
    Authentication-Results: spf=pass (sender IP is 209.85.214.181)
     smtp.mailfrom=gmail.com; dkim=pass (signature was verified)
     header.d=gmail.com;dmarc=pass action=none header.from=gmail.com;compauth=pass
     reason=100
    Received-SPF: Pass (protection.outlook.com: domain of gmail.com designates
     209.85.214.181 as permitted sender) receiver=protection.outlook.com;
     client-ip=209.85.214.181; helo=mail-pl1-f181.google.com; pr=C
    Received: from mail-pl1-f181.google.com (209.85.214.181) by
     DB8EUR05FT010.mail.protection.outlook.com (10.233.238.203) with Microsoft
     SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
     15.20.6863.25 via Frontend Transport; Tue, 3 Oct 2023 15:28:09 +0000
    X-IncomingTopHeaderMarker:
     OriginalChecksum:1830A70AD80F9A9C5DDA0956A6565E0F07486E1A53319B5F648B1C48091097A4;UpperCasedChecksum:F6F09C646996FB69260BCD16869957B70CCEA6E4056F0FB0C4A00A22B3220D63;SizeAsReceived:2722;Count:15
    Received: by mail-pl1-f181.google.com with SMTP id d9443c01a7336-1c724577e1fso8065395ad.0
            for <REDACTED@hotmail.com>; Tue, 03 Oct 2023 08:28:09 -0700 (PDT)
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
            d=gmail.com; s=20230601; t=1696346889; x=1696951689; darn=hotmail.com;
            h=to:from:subject:mime-version:date:message-id:from:to:cc:subject
             :date:message-id:reply-to;
            bh=SrLg2YvJLmqd/+QGi/H6iXVpfTMuSJ/YkMnF3dKFxcY=;
            b=inLfrt/5c226G2qeHRW4LBG8CN1hEFspRxBc9OpLZPfy1DvHy0Rm1Dp7rH3cnObzwC
             FfiF5OopH1nHYCNRSlLcHA4Yh8ON5/lcd3HyF4gqx4bM4fjEhnX15ardKHATJYUwIiL5
             WhTgym6KzAZ6ssPgkqRH1CMXh9d6Vrmmwl7+MqIlokt/4tygvusCi67m5nLGUyElcrIn
             vhfgWV3Zr/AK/LDK7XmcPvhVKnn6l3/DcrXqONCWO8NRgBUsFuxHiyajDcjG196dTnqm
             niLqcDuMFZK5J8vVBeRzbaY2QFc/XIKm7V2zyGizduZmYlrve9w7ZB9ahIGOm1mMUQHp
             ghLQ==
    X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
            d=1e100.net; s=20230601; t=1696346889; x=1696951689;
            h=to:from:subject:mime-version:date:message-id:x-gm-message-state
             :from:to:cc:subject:date:message-id:reply-to;
            bh=SrLg2YvJLmqd/+QGi/H6iXVpfTMuSJ/YkMnF3dKFxcY=;
            b=XOtzEjAUbRUhMuueFPR3cxa3uJh0E4nxH6DENlHbGRgnvj3ygVTKM85EtLFCSkQTEi
             a4FfE/fN1Z0T7iIHFAuAw08LHeyDw5AIek6yP2cbwavAjmUu5YC1JS17D49ifZ1mQhqT
             kSHejXedg0LyL0uZDDTfY5qh3m0tzIkinDQKCWNa6zHcD1s3FJBKLgNTTmBgXQ/2HGbK
             /orVUdXUx5qlytYpufirA73Gt5P5Xp2FlAPvrjT0sETStHbtX/7FFw+ULYlSWkYp9nuT
             BPlfHBdCxsFeJP9dN/ede/WXndmIrm1nfQHihly32ZRIM61XIJtYbW1vOQiQSFR5OxR6
             tEyw==
    X-Gm-Message-State: AOJu0YwJLUyGX20LZl+O5SxCIaqp3yQjJHIWR9rYgpaDz36Pc85hu5CP
    	pxUgS3eaH+6OurJqH5F8ex7xaRUEB+YoUA==
    X-Google-Smtp-Source: AGHT+IHjAbwzOFNeIlpniig2zRnSU6TaV+3PT+rABrqG4ehNHpUCCJLU505M1rpEM7ZWBMKSNJw0EA==
    X-Received: by 2002:a17:902:f7cf:b0:1c6:dcb:1e31 with SMTP id h15-20020a170902f7cf00b001c60dcb1e31mr13918357plw.4.1696346888858;
            Tue, 03 Oct 2023 08:28:08 -0700 (PDT)
    Return-Path: REDACTED@gmail.com
    Received: from [172.26.16.51] ([43.153.79.51])
            by smtp.gmail.com with ESMTPSA id n11-20020a170902e54b00b001c446f12973sm1693302plf.203.2023.10.03.08.28.08
            for <REDACTED@hotmail.com>
            (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
            Tue, 03 Oct 2023 08:28:08 -0700 (PDT)

    It seems to me that this email originated from Google, but this is not being picked up by SpamCop.  Is it missing some of the earlier headers added lower down due to something Microsoft have inserted?  Or am I missing something?

    Or maybe it relates to this:

    Quote
    Parsing header:

    Received:  from AS8P193MB2383.EURP193.PROD.OUTLOOK.COM (2603:10a6:20b:44c::5) by AS8P193MB2382.EURP193.PROD.OUTLOOK.COM with HTTPS; Tue, 3 Oct 2023 15:28:10 +0000

    host 2603:10a6:20b:44c:0:0:0:5 (getting name) no name
    Possible spammer: 2603:10a6:20b:44c:0:0:0:5
    Received line accepted

    Received:  from DU2PR04CA0207.eurprd04.prod.outlook.com (2603:10a6:10:28d::32) by AS8P193MB2383.EURP193.PROD.OUTLOOK.COM (2603:10a6:20b:44c::5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6813.36; Tue, 3 Oct 2023 15:28:09 +0000

    Masking IP-based 'by' clause.

    Received:  from DU2PR04CA0207.eurprd04.prod.outlook.com (2603:10a6:10:28d::32) by AS8P193MB2383.EURP193.PROD.OUTLOOK.COM with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6813.36; Tue, 3 Oct 2023 15:28:09 +0000

    host 2603:10a6:10:28d:0:0:0:32 (getting name) no name
    2603:10a6:20b:44c:0:0:0:5 not listed in cbl.abuseat.org
    2603:10a6:20b:44c:0:0:0:5 not listed in dnsbl.sorbs.net
    2603:10a6:20b:44c:0:0:0:5 is not an MX for AS8P193MB2382.EURP193.PROD.OUTLOOK.COM
    2603:10a6:20b:44c:0:0:0:5 is not an MX for AS8P193MB2383.EURP193.PROD.OUTLOOK.COM
    2603:10a6:20b:44c:0:0:0:5 is not an MX for AS8P193MB2382.EURP193.PROD.OUTLOOK.COM
    Possible spammer: 2603:10a6:10:28d:0:0:0:32
    Host AS8P193MB2383.EURP193.PROD.OUTLOOK.COM (checking ip) IP not found ; AS8P193MB2383.EURP193.PROD.OUTLOOK.COM discarded as fake.
    Routing details for 2603:10a6:20b:44c:0:0:0:5
    [refresh/show] Cached whois for 2603:10a6:20b:44c:0:0:0:5 : abuse@microsoft.com
    Using best contacts abuse@microsoft.com
    Using rdns to route to correct Microsoft department
    host 2603:10a6:20b:44c:0:0:0:5 (getting name) no name

    failed, using default abuse@hotmail.com

    abuse@hotmail.com redirects to report_spam@hotmail.com

    Chain error AS8P193MB2383.EURP193.PROD.OUTLOOK.COM not equal to last sender received line discarded

    It seems SpamCop may be rejecting genuine Microsoft hostnames as fake when they are in fact not.
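To see concretely where a walk down these Received: lines chains and where it does not, here is an added Python example (not SpamCop's code) that applies the "by host must equal the last sender's from host" continuity check the parse log above refers to, matching on host name or on the parenthesised IP. It does not reproduce SpamCop's DNS lookups (the "IP not found" step); the hop list is a constructed excerpt of the headers quoted in the post, with folded lines joined and trailing clauses shortened.

```python
import ipaddress
import re

# Constructed excerpt of the Received: chain quoted above (newest hop first); folded lines joined, later clauses cut to "...".
RECEIVED = [
    "from AS8P193MB2383.EURP193.PROD.OUTLOOK.COM (2603:10a6:20b:44c::5) by AS8P193MB2382.EURP193.PROD.OUTLOOK.COM with HTTPS; ...",
    "from DU2PR04CA0207.eurprd04.prod.outlook.com (2603:10a6:10:28d::32) by AS8P193MB2383.EURP193.PROD.OUTLOOK.COM (2603:10a6:20b:44c::5) with ...",
    "from DB8EUR05FT010.eop-eur05.prod.protection.outlook.com (2603:10a6:10:28d:cafe::15) by DU2PR04CA0207.outlook.office365.com (2603:10a6:10:28d::32) with ...",
    "from mail-pl1-f181.google.com (209.85.214.181) by DB8EUR05FT010.mail.protection.outlook.com (10.233.238.203) with ...",
    "by mail-pl1-f181.google.com with SMTP id d9443c01a7336-1c724577e1fso8065395ad.0 for <REDACTED@hotmail.com>; ...",
    "from [172.26.16.51] ([43.153.79.51]) by smtp.gmail.com with ESMTPSA id ... for <REDACTED@hotmail.com>",
]
FROM_RE = re.compile(r"\bfrom\s+\[?([^\s(\]]+)\]?\s*(?:\(([^)]*)\))?", re.I)
BY_RE = re.compile(r"\bby\s+([^\s(]+)\s*(?:\(([^)]*)\))?", re.I)
IP_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}|[0-9a-f]*:[0-9a-f:]+", re.I)

def _ip(text):
    """First IP literal in a parenthetical, normalised via ipaddress, else None."""
    m = IP_RE.search(text or "")
    try:
        return str(ipaddress.ip_address(m.group(0))) if m else None
    except ValueError:
        return None

def parse_hop(line):
    """Split one Received: value into its from-host/IP and by-host/IP (lower-cased names)."""
    frm, by = FROM_RE.search(line), BY_RE.search(line)
    return {"from_host": frm.group(1).lower() if frm else None,
            "from_ip": _ip(frm.group(2)) if frm else None,
            "by_host": by.group(1).lower() if by else None,
            "by_ip": _ip(by.group(2)) if by else None}

def walk_chain(received):
    """Newest-first walk: each hop's 'by' must equal the previous hop's 'from' by
    name or IP (the 'not equal to last sender' check in the SpamCop log above)."""
    hops = [parse_hop(line) for line in received]
    for prev, hop in zip([None] + hops, hops):
        if prev is None:
            hop["link"] = "start"
        elif hop["by_host"] and hop["by_host"] == prev["from_host"]:
            hop["link"] = "name"
        elif hop["by_ip"] and hop["by_ip"] == prev["from_ip"]:
            hop["link"] = "ip"
        else:
            hop["link"] = "break"   # chain cannot be followed past this hop
    return hops

def originator(hops):
    return hops[-1]["from_ip"]  # connecting IP of the oldest hop (the submitting client)
```

On this excerpt the Microsoft internal hops chain by name and then by IP, the first break comes where the edge host DB8EUR05FT010 appears under two different domain suffixes, and a second where Google's internal hop carries no from clause; the oldest hop still yields 43.153.79.51 as the submitting client.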


  5. On 9/29/2020 at 9:14 PM, gnarlymarley said:

    This is an interesting idea, but the from and reply-to could be spoofed to catch innocent people.  I think I almost vote to have a feature like this added, if it were not for the possible spoofing.

    Perhaps if there are no links (or anything that looks like a URL) in the message body, this option could be provided.  The default could also be unchecked, with some brief explanatory note, along the lines of "if this spam email is trying to solicit direct replies, rather than clicking on links, you can report it to the provider of the account that would receive such replies".

    On 9/27/2020 at 8:03 PM, Outernaut said:

    It seems there is too much for the giants to even care about when they can just pass the buck, and the spam, to its customers, the victims.

    I'm not so sure.  About 96 hours ago I manually sent a bunch of these emails as specimens to network-abuse@google.com.  I was getting about 2-3 a day.  I now haven't received any in almost the last 48 hours.  Fingers crossed.

    On 9/27/2020 at 8:03 PM, Outernaut said:

    Too, I am amazed at the number of clients that sport a good domain and use name@gmail.com instead of boss@mywebsite.com.  I often ask "Why don't you use your own domain address and promote that instead of promoting Google?" I'm met with that 'deer in the headlights' stare.

    I know.  Often they had the Gmail address before the website, and to have two email addresses seems a complexity beyond them.  "But I can set up forwarding for you."  "Too complicated."  "An email account @yourwebsite will look more professional."  "I'm doing fine.  I just wanted a website, that's all."

  6. I get a lot of spam emails trying to sell SEO services.  (They often purport to come from email addresses at domains that are registered but not on DNS, so there is no IP address for the domain.  That’s probably irrelevant, though.)

    Mostly, though, they have a `Reply-To` header with a Gmail address.  And the purpose of the emails is to solicit replies from interested parties.

    But when I report these emails as spam, SpamCop does not send a report to Google.

    I think it should offer the option to report to the provider of any email address listed in `Reply-To`.  If Google received enough spam reports for a specific email address, they would close down the associated accounts, and this kind of spam could be significantly reduced.

    WDYT?
