Everything posted by Mariano

  1. Problem solved thanks to Richard from SC! I post here in case this helps others. The problem was that they had to add "localhost" to the list of servers. I'm glad :^)
  2. Thanks for all the explanations. I was hesitant about resetting my mailhost because that has to be done by hand by the ops (the web-based method appears not to work for the mailserver at my university), and I would prefer not to bug them with extra work. About setting/not setting up mailhost, I did it because I noticed that in the past some reports included my ISP in the list of spammers. I was hoping mailhost would resolve that (plus SC says somewhere that this will be obligatory in the near future). This spammer is very annoying. They keep changing the name of the server and that fools the other spam filters I have set up. Thanks to all!
  3. Looking at the spam, I see that at the top it says:

     #################################
     Received: from localhost (localhost [127.0.0.1])
         by mailhost1.astro.rug.nl (Postfix) with ESMTP id 50FED34BCD
     #################################

     while a few lines below it shows the actual sender:

     #################################
     Received: from activitymatchdull.co (activitymatchdull.co [163.123.141.109])
         by mailhost1.astro.rug.nl (Postfix) with ESMTP id E20B11C709
         for <USER@astro.rug.nl>; Sun, 16 Jan 2022 20:13:22 +0100 (CET)
     #################################

     Is this standard? (Sorry, I am not familiar with posix conventions). Could it be that this is confusing Spamcop? I can ask my university why they do it this way. Thanks
  4. Thanks RobiBlue: I did not cancel the report. The thing I see when I go to past reports is this:

     Submitted: 16/01/2022, 21:46:11 +0100:
     Grow another 3-6" inches in the next 30 days
     No reports filed

     To explain a bit more: I do not paste the raw email on the website. I forward the raw email as attachment. I then get an email back from Spamcop (see example below) with a link to finalise the report. When I click on that link I get one of the reports I posted above (e.g., in the original post at the top). I have no option to finalise or cancel the spam report. I had copied the headers of the email from the spammer above. But here is the email I get from Spamcop after I forward the spam to my Spamcop address:

     X-Antivirus: avast (VPS 22011604)
     X-Antivirus-Status: Clean
     Received: from 10.196.241.214 by atlas213.free.mail.bf1.yahoo.com with HTTPS; Sun, 16 Jan 2022 20:43:17 +0000
     Return-Path: <spamid.6737270321@bounces.spamcop.net>
     X-Originating-Ip: [184.94.240.112]
     Received-SPF: pass (domain of bounces.spamcop.net designates 184.94.240.112 as permitted sender)
     Authentication-Results: atlas213.free.mail.bf1.yahoo.com; dkim=unknown; spf=pass smtp.mailfrom=bounces.spamcop.net; dmarc=pass(p=NONE,sp=NONE) header.from=devnull.spamcop.net;
     X-Apparently-To: mendez1960@yahoo.com; Sun, 16 Jan 2022 20:43:17 +0000
     Received: from 184.94.240.112 (EHLO vmx.spamcop.net) by 10.196.241.214 with SMTPs (version=TLS1_2 cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256); Sun, 16 Jan 2022 20:43:17 +0000
     X-Corpus-CASE-Score: 0
     Received: from prod-sc-app009.sv4.ironport.com (HELO prod-sc-app009.spamcop.net) ([10.8.141.29])
         by prod-sc-smtp-vip.sv4.ironport.com with SMTP; 16 Jan 2022 12:43:16 -0800
     From: SpamCop AutoResponder <spamcop@devnull.spamcop.net>
     To: mendez1960@yahoo.com
     Subject: [SpamCop] has accepted 1 email for processing
     Date: Sun, 16 Jan 2022 20:43:15 GMT
     Message-ID: <spamid6737270321@msgid.spamcop.net>
     Content-type: text/plain
     In-Reply-To: <7A6C0399-2B5B-4B77-8110-B34611A6C4F1@astro.rug.nl>
     References: <7A6C0399-2B5B-4B77-8110-B34611A6C4F1@astro.rug.nl>
     Content-Length: 2634

     PLEASE HELP SUPPORT THIS SERVICE! SpamCop is free. However, if you like the service please pay for it:
     https://www.spamcop.net/upgradeaccount.shtml

     SpamCop is now ready to process your spam. Use links to finish spam reporting (members use cookie-login please!):
     https://www.spamcop.net/sc?id=z6737270321z1d865d2cdd247325b4a6589df14c7965z

     The email which triggered this auto-response had the following headers:

     Return-Path: <USER@astro.rug.nl>
     Received: from vmx.spamcop.net (prod-sc-smtp15.sv4.ironport.com [10.8.129.235])
         by prod-sc-app009.sv4.ironport.com (Postfix) with ESMTP id 3CC94838F6
         for <submit.MymButMRJ56SGu6W@spam.spamcop.net>; Sun, 16 Jan 2022 12:41:02 -0800 (PST)
     Authentication-Results: vmx.spamcop.net; dkim=none (message not signed) header.i=none
     Received: from mailhost1.astro.rug.nl ([129.125.6.180])
         by vmx.spamcop.net with ESMTP; 16 Jan 2022 12:41:01 -0800
     Received: from localhost (localhost [127.0.0.1])
         by mailhost1.astro.rug.nl (Postfix) with ESMTP id 0534E34BCD
         for <submit.MymButMRJ56SGu6W@spam.spamcop.net>; Sun, 16 Jan 2022 21:41:00 +0100 (CET)
     X-Virus-Scanned: amavisd-new at astro.rug.nl
     Received: from mailhost1.astro.rug.nl ([129.125.6.180])
         by localhost (mailhost.astro.rug.nl [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xd5c_myTt3ao
         for <submit.MymButMRJ56SGu6W@spam.spamcop.net>; Sun, 16 Jan 2022 21:40:58 +0100 (CET)
     Received: from [192.168.178.130] (94-212-125-192.cable.dynamic.v4.ziggo.nl [94.212.125.192])
         (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested)
         by mailhost1.astro.rug.nl (Postfix) with ESMTPSA id D131934A73
         for <submit.MymButMRJ56SGu6W@spam.spamcop.net>; Sun, 16 Jan 2022 21:40:58 +0100 (CET)
     From: USER@astro.rug.nl
     Content-Type: multipart/alternative; boundary="Apple-Mail=_5098530C-608F-4EA8-B83C-7C6BA1F83316"
     X-Mao-Original-Outgoing-Id: 664058458.737743-171147d3a152d847ca31ae78c2908bc6
     Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
     Subject: Fwd: be happier - everyone will wonder what your secret is!
     Message-Id: <7A6C0399-2B5B-4B77-8110-B34611A6C4F1@astro.rug.nl>
     Date: Sun, 16 Jan 2022 21:40:58 +0100
     To: "submit.MymButMRJ56SGu6W@spam.spamcop.net" <submit.MymButMRJ56SGu6W@spam.spamcop.net>
     X-Mailer: Apple Mail (2.3445.104.21)

     Thanks!
  5. I just got one spam in this account; I forwarded it to my usual Spamcop address and I get again the same message I posted in the first post of this thread. That's all; there is no other report I can send to help track down the issue:

     SpamCop v 5.4.0 © 2022 Cisco Systems, Inc. All rights reserved.
     Here is your TRACKING URL - it may be saved for future reference:
     https://www.spamcop.net/sc?id=z6737268214zc14769c972a1e7911c024300e846b532z
     Mailhost configuration problem, identified internal IP as source
     Mailhost: Please correct this situation - register every email address where you receive spam
     No source IP address found, cannot proceed.
     Add/edit your mailhost configuration
     Finding full email headers
     Submitting spam via email (may work better)
     Example: What spam headers should look like
     Nothing to do.

     I then forwarded the same spam to a different Spamcop account in which I have not set the mailhost. Here is the report I get in that case. None of the addresses mentioned in the report correspond to my ISP (astro.rug.nl). I wonder why in the other case Spamcop would think that the spam comes from my ISP:

     SpamCop v 5.4.0 © 2022 Cisco Systems, Inc. All rights reserved.
     Here is your TRACKING URL - it may be saved for future reference:
     https://www.spamcop.net/sc?id=z6737268372zcb07d704fa5d85c5e2222fc431c18620z
     Please make sure this email IS spam:
     From: "Detox Healthy Patches" <info@activitymatchdull.co> (relief you need! You'll have more energy, feel healthier and generally )
     Improve your body and mind with this totally natu ral Japanese remedy=
     View full message
     Report spam to:
     Re: 163.123.141.109 (Administrator of network where email originates)
     To: abuse@serverion.com (Notes)
     To: info@serverion.com (Notes)
     Re: http://www.activitymatchdull.finance/Jehbxsac/b... (Administrator of network hosting website referenced in spam)
     To: abuse@cloudflare.com (Notes)
     Re: http://www.activitymatchdull.finance/Wpfabpo/gS... (Administrator of network hosting website referenced in spam)
     To: abuse@cloudflare.com (Notes)

     Finally, I checked the raw spam and I do not find any reference to my ISP in the body. The name of the mail server and IP of my ISP appear only in the header as part of the delivery process (see below). Does this help? If not, I'd be happy to provide more info (but at the moment I am not sure what else I could provide...)

     Thanks
     Mariano

     X-Antivirus: avast (VPS 22011604)
     X-Antivirus-Status: Clean
     Return-Path: <info@activitymatchdull.co>
     X-Original-To: USER@astro.rug.nl
     Delivered-To: USER@astro.rug.nl
     Received: from localhost (localhost [127.0.0.1])
         by mailhost1.astro.rug.nl (Postfix) with ESMTP id 50FED34BCD
         for <USER@astro.rug.nl>; Sun, 16 Jan 2022 20:13:26 +0100 (CET)
     X-Virus-Scanned: amavisd-new at astro.rug.nl
     X-spam-Flag: NO
     X-spam-Score: 5.513
     X-spam-Level: *****
     X-spam-Status: No, score=5.513 tagged_above=2 required=6.2 tests=[BAYES_20=-0.001, HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.377, MIME_HTML_ONLY=0.1, MIME_QP_LONG_LINE=0.001, RCVD_IN_MSPIKE_BL=0.001, RCVD_IN_MSPIKE_L4=0.001, RCVD_IN_SBL_CSS=3.335, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLACK=1.7] autolearn=no autolearn_force=no
     Received: from mailhost1.astro.rug.nl ([129.125.6.180])
         by localhost (mailhost.astro.rug.nl [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rvaq9I2sDGVf
         for <USER@astro.rug.nl>; Sun, 16 Jan 2022 20:13:25 +0100 (CET)
     X-Greylist: delayed 632 seconds by postgrey-1.34 at mailserver1.intra.astro.rug.nl; Sun, 16 Jan 2022 20:13:22 CET
     Received: from activitymatchdull.co (activitymatchdull.co [163.123.141.109])
         by mailhost1.astro.rug.nl (Postfix) with ESMTP id E20B11C709
         for <USER@astro.rug.nl>; Sun, 16 Jan 2022 20:13:22 +0100 (CET)
     Date: Sun, 16 Jan 2022 13:50:33 -0500
     From: "Detox Healthy Patches" <info@activitymatchdull.co>
     MIME-Version: 1.0
     Precedence: bulk
     To: <USER@astro.rug.nl>
     Subject: relief you need! You'll have more energy, feel healthier and generally
     Message-ID: <ERVC2j_MBduIuAMqMMh2b_q8y639RlfLPJ-oJK7teHM.RScVWl2nZbhah1-uQBdEVfKdyHaQPqYRP_wQDm7hvQQ@activitymatchdull.co>
     Content-Type: text/html; charset=ISO-8859-1
     Content-Transfer-Encoding: quoted-printable
     Lines: 204
  6. Regarding the forging of the email address: I was not correct in my explanation. The spams that I receive come from outside my domain. I checked the full raw email and there is no reference to our domain, except in the parts of the headers where the emails were received by our server from the outside servers. I wonder how Spamcop gets that my IP is the source. I did not keep the emails, so I cannot check them again to be 100% sure. I will do it again next time to see whether I missed something. Thanks!
  7. Hi Petzl: I configured the mailhost about 3 days ago. As I wrote originally, the procedure through the website would not work. After I fill in the email address I get a message that the mailserver does not respond so the procedure cannot be completed. The mail server is up and working. I sent an email to the ops explaining the problem and they issued a waiver and installed the mailhost on my behalf. If I check, the mail servers that are configured are the correct ones. I fear that if I delete the configuration I will have to ask the operators again to set it up for me. (And I prefer not to bother them with this as much as it is not necessary). I will see what I can post here from a Spamcop report after I get the next spam. The reports I was referring to in my post did not get submitted because of the error. If I go to my past reports, they all look like this:

     Submitted: 15/01/2022, 12:31:04 +0100:
     The electric hand massager that's cheaper than going to the doctor!
     No reports filed
  8. Hi: I configured mailhost for all my email addresses. For one of the addresses I got a waiver from the op because something was not working using the regular way of setting mailhost. Since then, whenever I report a spam from that address I get the message below. Is this normal behaviour? Does it mean that if I receive spam on that address and the spammer forges my own server as sender I can no longer report spam from that address? I believe everything is set up properly, but since the address was added by the op, I am not 100% sure. Is there anything I should check/change? I could not find anything about this in the forum.

     Thanks
     Mariano

     P.S. I replaced the id by XXXXXX... in case spammers read this forum :^)

     SpamCop v 5.4.0 © 2022 Cisco Systems, Inc. All rights reserved.
     Here is your TRACKING URL - it may be saved for future reference:
     https://www.spamcop.net/sc?id=XXXXXXXXXXXXXXXXXXXXXXXXXXX
     Mailhost configuration problem, identified internal IP as source
     Mailhost: Please correct this situation - register every email address where you receive spam
     No source IP address found, cannot proceed.
     Add/edit your mailhost configuration
     Finding full email headers
     Submitting spam via email (may work better)
     Example: What spam headers should look like
     Nothing to do.