Posts posted by Mariano

  1. Thanks for all the explanations.

    I was hesitant about resetting my mailhost because that has to be done by hand by the ops (the web-based method appears not to work for the mailserver at my university), and I would prefer not to bug them with extra work. 

    About setting/not setting up mailhost, I did it because I noticed that in the past some reports included my ISP in the list of spammers. I was hoping mailhost would resolve that (plus SC says somewhere that this will be obligatory in the near future).

    This spammer is very annoying. They keep changing the name of the server and that fools the other spam filters I have set up.

     

    Thanks to all!

     

     

  2. 19 minutes ago, Mariano said:

    X-Antivirus: avast (VPS 22011604)

    X-Antivirus-Status: Clean
    Return-Path: <info@activitymatchdull.co>
    X-Original-To: USER@astro.rug.nl
    Delivered-To: USER@astro.rug.nl
    Received: from localhost (localhost [127.0.0.1])
        by mailhost1.astro.rug.nl (Postfix) with ESMTP id 50FED34BCD
        for <USER@astro.rug.nl>; Sun, 16 Jan 2022 20:13:26 +0100 (CET)
    X-Virus-Scanned: amavisd-new at astro.rug.nl
    X-spam-Flag: NO
    X-spam-Score: 5.513
    X-spam-Level: *****
    X-spam-Status: No, score=5.513 tagged_above=2 required=6.2
        tests=[BAYES_20=-0.001, HTML_MESSAGE=0.001,
        HTML_MIME_NO_HTML_TAG=0.377, MIME_HTML_ONLY=0.1,
        MIME_QP_LONG_LINE=0.001, RCVD_IN_MSPIKE_BL=0.001,
        RCVD_IN_MSPIKE_L4=0.001, RCVD_IN_SBL_CSS=3.335, SPF_HELO_PASS=-0.001,
        SPF_PASS=-0.001, URIBL_BLACK=1.7] autolearn=no autolearn_force=no
    Received: from mailhost1.astro.rug.nl ([129.125.6.180])
        by localhost (mailhost.astro.rug.nl [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id rvaq9I2sDGVf for <USER@astro.rug.nl>;
        Sun, 16 Jan 2022 20:13:25 +0100 (CET)
    X-Greylist: delayed 632 seconds by postgrey-1.34 at mailserver1.intra.astro.rug.nl; Sun, 16 Jan 2022 20:13:22 CET
    Received: from activitymatchdull.co (activitymatchdull.co [163.123.141.109])
        by mailhost1.astro.rug.nl (Postfix) with ESMTP id E20B11C709
        for <USER@astro.rug.nl>; Sun, 16 Jan 2022 20:13:22 +0100 (CET)
    Date: Sun, 16 Jan 2022 13:50:33 -0500
    From: "Detox Healthy Patches" <info@activitymatchdull.co>
    MIME-Version: 1.0
    Precedence: bulk
    To: <USER@astro.rug.nl>
    Subject: relief you need! You'll have more energy, feel healthier and generally
    Message-ID: <ERVC2j_MBduIuAMqMMh2b_q8y639RlfLPJ-oJK7teHM.RScVWl2nZbhah1-uQBdEVfKdyHaQPqYRP_wQDm7hvQQ@activitymatchdull.co>
    Content-Type: text/html; charset=ISO-8859-1
    Content-Transfer-Encoding: quoted-printable
    Lines: 204


    Looking at the spam, I see that at the top it says:

    #################################

    Received: from localhost (localhost [127.0.0.1])
        by mailhost1.astro.rug.nl (Postfix) with ESMTP id 50FED34BCD

    #################################

    while a few lines below it shows the actual sender:

    #################################

    Received: from activitymatchdull.co (activitymatchdull.co [163.123.141.109])
        by mailhost1.astro.rug.nl (Postfix) with ESMTP id E20B11C709
        for <USER@astro.rug.nl>; Sun, 16 Jan 2022 20:13:22 +0100 (CET)
    #################################

     

    Is this standard? (Sorry, I am not familiar with posix conventions). Could it be that this is confusing Spamcop? I can ask my university why they do it this way.

     

    Thanks
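
Added example, not part of the original post and not SpamCop's actual parser: a generic trusted-relay walk over the Received chain quoted above. It shows that the topmost `localhost` hop is an internal handoff (amavisd-new passing the message back to Postfix) and that the set of relays treated as the recipient's own decides which IP is named as the source. The function names and the `trusted_ips` parameter are assumptions made for this illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: the three Received headers from the post, newest first.
RAW = """\
Received: from localhost (localhost [127.0.0.1])
    by mailhost1.astro.rug.nl (Postfix) with ESMTP id 50FED34BCD
    for <USER@astro.rug.nl>; Sun, 16 Jan 2022 20:13:26 +0100 (CET)
Received: from mailhost1.astro.rug.nl ([129.125.6.180])
    by localhost (mailhost.astro.rug.nl [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id rvaq9I2sDGVf for <USER@astro.rug.nl>;
    Sun, 16 Jan 2022 20:13:25 +0100 (CET)
Received: from activitymatchdull.co (activitymatchdull.co [163.123.141.109])
    by mailhost1.astro.rug.nl (Postfix) with ESMTP id E20B11C709
    for <USER@astro.rug.nl>; Sun, 16 Jan 2022 20:13:22 +0100 (CET)
"""


def sender_ip(received):
    """Return the bracketed IP in the 'from' clause of one Received value."""
    clause = re.match(r"\s*from\s+(.*?)\s+by\s", received, re.S)
    found = re.search(r"\[([0-9A-Fa-f:.]+)\]", clause.group(1)) if clause else None
    try:
        return ipaddress.ip_address(found.group(1)) if found else None
    except ValueError:
        return None


def naive_source(raw):
    """Trust only the topmost Received line (hypothetical naive reader)."""
    hops = message_from_string(raw).get_all("Received", [])
    ip = sender_ip(hops[0]) if hops else None
    return str(ip) if ip else None


def find_source(raw, trusted_ips):
    """Walk newest to oldest, skipping loopback/private/own-relay handoffs.
    trusted_ips (hypothetical parameter): IPs of the recipient's own relays.
    Returns the first outside IP, or None if the chain holds only internal hops.
    """
    trusted = {ipaddress.ip_address(i) for i in trusted_ips}
    for received in message_from_string(raw).get_all("Received", []):
        ip = sender_ip(received)
        if ip is None:
            return None  # unparsable hop: stop rather than guess
        if ip.is_loopback or ip.is_private or ip in trusted:
            continue  # internal handoff (content filter, own relay)
        return str(ip)
    return None


if __name__ == "__main__":
    print(naive_source(RAW), find_source(RAW, {"129.125.6.180"}), find_source(RAW, set()))
```

With the site relay in the trusted set the walk reaches the outside sender; with an empty set it stops at the site's own relay, and a reader that looks only at the top line sees the loopback address.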

  3. Thanks RobiBlue: I did not cancel the report. The thing I see when I go to past reports is this:


    Submitted: 16/01/2022, 21:46:11 +0100:
    Grow another 3-6" inches in the next 30 days
    No reports filed
     
    To explain a bit more: I do not paste the raw email on the website. I forward the raw email as attachment. I then get an email back from Spamcop (see example below) with a link to finalise the report. When I click on that link I get one of the reports I posted above (e.g., in the original post at the top). I have no option to finalise or cancel the spam report. I had copied the headers of the email from the spammer above. But here is the email I get from Spamcop after I forward the spam to my Spamcop address:
     

    X-Antivirus: avast (VPS 22011604)
    X-Antivirus-Status: Clean
    Received: from 10.196.241.214
     by atlas213.free.mail.bf1.yahoo.com with HTTPS; Sun, 16 Jan 2022 20:43:17 +0000
    Return-Path: <spamid.6737270321@bounces.spamcop.net>
    X-Originating-Ip: [184.94.240.112]
    Received-SPF: pass (domain of bounces.spamcop.net designates 184.94.240.112 as permitted sender)
    Authentication-Results: atlas213.free.mail.bf1.yahoo.com;
     dkim=unknown;
     spf=pass smtp.mailfrom=bounces.spamcop.net;
     dmarc=pass(p=NONE,sp=NONE) header.from=devnull.spamcop.net;
    X-Apparently-To: mendez1960@yahoo.com; Sun, 16 Jan 2022 20:43:17 +0000
    Received: from 184.94.240.112 (EHLO vmx.spamcop.net)
     by 10.196.241.214 with SMTPs
     (version=TLS1_2 cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256);
     Sun, 16 Jan 2022 20:43:17 +0000
    DomainKey-Signature: s=devnull; d=spamcop.net; c=nofws; q=dns;
      h=IronPort-SDR:X-Corpus-CASE-Score:Received:From:To:
       Subject:Date:Message-ID:Content-type:In-Reply-To:
       References;
      b=EhPQJWu+vLYAg7blRuiF2R7C4bjCWyDlNlRSsCFYyQoVpigqZunlZurO
       2STptKPsPD1qip3cx+fFDUh8xjdofoFhVe8qIAzZ8XIMFSnhhk3DZyLfm
       XXDULZB8pHhzXN4;
    X-Corpus-CASE-Score: 0
    Received: from prod-sc-app009.sv4.ironport.com (HELO prod-sc-app009.spamcop.net) ([10.8.141.29])
      by prod-sc-smtp-vip.sv4.ironport.com with SMTP; 16 Jan 2022 12:43:16 -0800
    From: SpamCop AutoResponder <spamcop@devnull.spamcop.net>
    To: mendez1960@yahoo.com
    Subject: [SpamCop] has accepted 1 email for processing
    Date: Sun, 16 Jan 2022 20:43:15 GMT
    Message-ID: <spamid6737270321@msgid.spamcop.net>
    Content-type: text/plain
    In-Reply-To: <7A6C0399-2B5B-4B77-8110-B34611A6C4F1@astro.rug.nl>
    References: <7A6C0399-2B5B-4B77-8110-B34611A6C4F1@astro.rug.nl>
    Content-Length: 2634

    PLEASE HELP SUPPORT THIS SERVICE!
    SpamCop is free.  However, if you like the service please pay for it:
    https://www.spamcop.net/upgradeaccount.shtml

    SpamCop is now ready to process your spam.

    Use links to finish spam reporting (members use cookie-login please!):
    https://www.spamcop.net/sc?id=z6737270321z1d865d2cdd247325b4a6589df14c7965z


    The email which triggered this auto-response had the following headers:
     Return-Path: <USER@astro.rug.nl>
    Received: from vmx.spamcop.net (prod-sc-smtp15.sv4.ironport.com [10.8.129.235])
        by prod-sc-app009.sv4.ironport.com (Postfix) with ESMTP id 3CC94838F6
        for <submit.MymButMRJ56SGu6W@spam.spamcop.net>; Sun, 16 Jan 2022 12:41:02 -0800 (PST)
    Authentication-Results: vmx.spamcop.net; dkim=none (message not signed) header.i=none
    Received: from mailhost1.astro.rug.nl ([129.125.6.180])
      by vmx.spamcop.net with ESMTP; 16 Jan 2022 12:41:01 -0800
    Received: from localhost (localhost [127.0.0.1])
        by mailhost1.astro.rug.nl (Postfix) with ESMTP id 0534E34BCD
        for <submit.MymButMRJ56SGu6W@spam.spamcop.net>; Sun, 16 Jan 2022 21:41:00 +0100 (CET)
    X-Virus-Scanned: amavisd-new at astro.rug.nl
    Received: from mailhost1.astro.rug.nl ([129.125.6.180])
        by localhost (mailhost.astro.rug.nl [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id xd5c_myTt3ao
        for <submit.MymButMRJ56SGu6W@spam.spamcop.net>;
        Sun, 16 Jan 2022 21:40:58 +0100 (CET)
    Received: from [192.168.178.130] (94-212-125-192.cable.dynamic.v4.ziggo.nl [94.212.125.192])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mailhost1.astro.rug.nl (Postfix) with ESMTPSA id D131934A73
        for <submit.MymButMRJ56SGu6W@spam.spamcop.net>; Sun, 16 Jan 2022 21:40:58 +0100 (CET)
    From: USER@astro.rug.nl
    Content-Type: multipart/alternative;
        boundary="Apple-Mail=_5098530C-608F-4EA8-B83C-7C6BA1F83316"
    X-Mao-Original-Outgoing-Id: 664058458.737743-171147d3a152d847ca31ae78c2908bc6
    Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
    Subject: Fwd: be happier - everyone will wonder what your secret is!
    Message-Id: <7A6C0399-2B5B-4B77-8110-B34611A6C4F1@astro.rug.nl>
    Date: Sun, 16 Jan 2022 21:40:58 +0100
    To: "submit.MymButMRJ56SGu6W@spam.spamcop.net" <submit.MymButMRJ56SGu6W@spam.spamcop.net>
    X-Mailer: Apple Mail (2.3445.104.21)

     

     

    Thanks!

  4. I just got one spam in this account; I forwarded it to my usual Spamcop address and I get again the same message I posted in the first post of this thread. That's all; there is no other report I can send to help track down the issue:

     


    SpamCop v 5.4.0 © 2022 Cisco Systems, Inc. All rights reserved.
    Here is your TRACKING URL - it may be saved for future reference:
    https://www.spamcop.net/sc?id=z6737268214zc14769c972a1e7911c024300e846b532z

    Mailhost configuration problem, identified internal IP as source

    Mailhost:
    Please correct this situation - register every email address where you receive spam

    No source IP address found, cannot proceed.

    Add/edit your mailhost configuration
    Finding full email headers
    Submitting spam via email (may work better)
    Example: What spam headers should look like

    Nothing to do.


    I then forwarded the same spam to a different Spamcop account in which I have not set the mailhost. Here is the report I get in that case. None of the addresses mentioned in the report correspond to my ISP (astro.rug.nl). I wonder why in the other case Spamcop would think that the spam comes from my ISP:

     


    SpamCop v 5.4.0 © 2022 Cisco Systems, Inc. All rights reserved.

     

     

    Here is your TRACKING URL - it may be saved for future reference:
    https://www.spamcop.net/sc?id=z6737268372zcb07d704fa5d85c5e2222fc431c18620z
    http://www.activitymatchdull.finance/Wpfabpo/gSw5ur1BtMgyE6Cxqt5lLgRik8E1nM_KG5kgZlUPq7TG10X2vECy-ubppo6-jhaZHeRwjdTbS4NyweUxQOWvAVpXNakxbp7xfPRN3gIyWYRlRyQLGdDEIe2u9VFRI2LxsJOUmCCsnrieC3ANqbHpcOocSL-zgJKnBr3rYH61vPl9xbbmGvHFAKlsLEnWej-x.IgpWqOx_BYJwTRuVjzNFQtL-aphMjhrPVudmkuszWr4
    http://www.activitymatchdull.finance/Jehbxsac/bhscd841828rqibea/4rWzsukmduVPrhjMhpa-LtQFNzjVuRTwJYB_xOqWpgI/x-jeWnELslKAFHvGmbbx9lPv16HYr3rBnKJgz-LScoOcpHbqNA3CeirnsCCmUOJsxL2IRFV9u2eIEDdGLQyRlRYWyIg3NRPfx7pbxkaNXpVAvWOQxUewyN4SbTdjwReHZahj-6oppbu-yCEv2X01GT7qPUlZgk5GK_Mn1E8kiRgLl5tqxC6EygMtB1ru5wSg

     

    Please make sure this email IS spam:
    From: "Detox Healthy Patches" <info@activitymatchdull.co> (relief you need! You'll have more energy, feel healthier and generally )
      Improve your body and mind with this totally natu
     ral Japanese remedy=

    View full message

     

    Report spam to:

    Re: 163.123.141.109 (Administrator of network where email originates)
    To: abuse@serverion.com (Notes)
    To: info@serverion.com (Notes)

    Re: http://www.activitymatchdull.finance/Jehbxsac/b... (Administrator of network hosting website referenced in spam)
    To: abuse@cloudflare.com (Notes)

    Re: http://www.activitymatchdull.finance/Wpfabpo/gS... (Administrator of network hosting website referenced in spam)
    To: abuse@cloudflare.com (Notes)


     

    Finally, I checked the raw spam and I do not find any reference to my ISP in the body. The name of the mail server and IP of my ISP appear only in the header as part of the delivery process (see below).

     

    Does this help?

    If not, I'd be happy to provide more info (but at the moment I am not sure what else I could provide...)

    Thanks

     

    Mariano

     


    X-Antivirus: avast (VPS 22011604)
    X-Antivirus-Status: Clean
    Return-Path: <info@activitymatchdull.co>
    X-Original-To: USER@astro.rug.nl
    Delivered-To: USER@astro.rug.nl
    Received: from localhost (localhost [127.0.0.1])
        by mailhost1.astro.rug.nl (Postfix) with ESMTP id 50FED34BCD
        for <USER@astro.rug.nl>; Sun, 16 Jan 2022 20:13:26 +0100 (CET)
    X-Virus-Scanned: amavisd-new at astro.rug.nl
    X-spam-Flag: NO
    X-spam-Score: 5.513
    X-spam-Level: *****
    X-spam-Status: No, score=5.513 tagged_above=2 required=6.2
        tests=[BAYES_20=-0.001, HTML_MESSAGE=0.001,
        HTML_MIME_NO_HTML_TAG=0.377, MIME_HTML_ONLY=0.1,
        MIME_QP_LONG_LINE=0.001, RCVD_IN_MSPIKE_BL=0.001,
        RCVD_IN_MSPIKE_L4=0.001, RCVD_IN_SBL_CSS=3.335, SPF_HELO_PASS=-0.001,
        SPF_PASS=-0.001, URIBL_BLACK=1.7] autolearn=no autolearn_force=no
    Received: from mailhost1.astro.rug.nl ([129.125.6.180])
        by localhost (mailhost.astro.rug.nl [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id rvaq9I2sDGVf for <USER@astro.rug.nl>;
        Sun, 16 Jan 2022 20:13:25 +0100 (CET)
    X-Greylist: delayed 632 seconds by postgrey-1.34 at mailserver1.intra.astro.rug.nl; Sun, 16 Jan 2022 20:13:22 CET
    Received: from activitymatchdull.co (activitymatchdull.co [163.123.141.109])
        by mailhost1.astro.rug.nl (Postfix) with ESMTP id E20B11C709
        for <USER@astro.rug.nl>; Sun, 16 Jan 2022 20:13:22 +0100 (CET)
    Date: Sun, 16 Jan 2022 13:50:33 -0500
    From: "Detox Healthy Patches" <info@activitymatchdull.co>
    MIME-Version: 1.0
    Precedence: bulk
    To: <USER@astro.rug.nl>
    Subject: relief you need! You'll have more energy, feel healthier and generally
    Message-ID: <ERVC2j_MBduIuAMqMMh2b_q8y639RlfLPJ-oJK7teHM.RScVWl2nZbhah1-uQBdEVfKdyHaQPqYRP_wQDm7hvQQ@activitymatchdull.co>
    Content-Type: text/html; charset=ISO-8859-1
    Content-Transfer-Encoding: quoted-printable
    Lines: 204


  5. Regarding the forging of the email address: I was not correct in my explanation. The spams that I receive come from outside my domain. I checked the full raw email and there is no reference to our domain, except in the parts of the headers where the emails were received by our server from the outside servers. I wonder how Spamcop gets that my IP is the source. I did not keep the emails, so I cannot check them again to be 100% sure. I will do it again next time to see whether I missed something.

    Thanks!

     

     

  6. Hi Petzl: I configured the mailhost about 3 days ago. As I wrote originally, the procedure through the website would not work. After I fill in the email address I get a message that the mailserver does not respond so the procedure cannot be completed. The mail server is up and working. I sent an email to the ops explaining the problem and they issued a waiver and installed the mailhost on my behalf. If I check, the mail servers that are configured are the correct ones.

    I fear that if I delete the configuration I will have to ask the operators again to set it up for me. (And I prefer not to bother them with this as much as it is not necessary).

     

    I will see what I can post here from a Spamcop report after I get the next spam. The reports I was referring to in my post did not get submitted because of the error. If I go to my past reports, they all look like this:

     

    Submitted: 15/01/2022, 12:31:04 +0100:
    The electric hand massager that's cheaper than going to the doctor!
    No reports filed
     

     

  7. Hi:

    I configured mailhost for all my email addresses. For one of the addresses I got a waiver from the op because something was not working using the regular way of setting mailhost. Since then, whenever I report a spam from that address I get the message below. Is this normal behaviour? Does it mean that if I receive spam on that address and the spammer forges my own server as sender I can no longer report spam from that address?

    I believe everything is set up properly, but since the address was added by the op, I am not 100% sure. Is there anything I should check/change? I could not find anything about this in the forum.

     

    Thanks

     

    Mariano

     

    P.S. I replaced the id by XXXXXX... in case spammers read this forum :^)

     

    SpamCop v 5.4.0 © 2022 Cisco Systems, Inc. All rights reserved.
    Here is your TRACKING URL - it may be saved for future reference:
    https://www.spamcop.net/sc?id=XXXXXXXXXXXXXXXXXXXXXXXXXXX
    Mailhost configuration problem, identified internal IP as source
    Mailhost:
    Please correct this situation - register every email address where you receive spam
    No source IP address found, cannot proceed.
    Add/edit your mailhost configuration
    Finding full email headers
    Submitting spam via email (may work better)
    Example: What spam headers should look like
    Nothing to do.

     
