[tinyurl.com spam links report to abuse@cloudflare.com rather than abuse@tinyurl.com]

1 hour ago, petzl said:

Cloudfare is the abuse address listed for tiny URL so SpamCop is sending report to the listed address 
   abuse[AT]tinyurl[DOT]com seems correct but you will have to add it yourself to report.

This is because tinyurl[dot]com is hosting their services at cloudflare rather than at their own data center.

[Abuse contact for '193.27.228.0 - 193.27.228.255' is 'info@starcrecium.com']

On 3/16/2021 at 1:32 PM, DRSpalding said:

% Abuse contact for '193.27.228.0 - 193.27.228.255' is 'info@starcrecium.com'

From what I can see, it appears to start out with that, then the abuse.net moves it over.  If this is not the case, then if you would have a track URL that shows it that you would be willing to share.

whois: 193.27.228.0 - 193.27.228.255 = info@starcrecium.com
Routing details for 193.27.228.255
Using abuse net on info@starcrecium.com
No abuse net record for starcrecium.com
Using default postmaster contacts postmaster@starcrecium.com
postmaster@starcrecium.com bounces (31 sent : 16 bounces)
Using postmaster#starcrecium.com@devnull.spamcop.net for statistical tracking.

 

[TLS support for SMTP host for spam submission]

14 hours ago, readefries said:

I wanted to send spam reports via mail, but due the the lack of TLS of the receiving mailhost of Spamcop this gets bounced.

Probably would be a good feature to have.  Is your system not capable of sending without SMTP encryption?

[Received via a relay in bl.spamcop.net]

16 hours ago, GBond said:

What exactly does "Received via a relay in bl.spamcop.net" mean?

I checked out the site and this appears to be coming from the SpamAssassin section.  It really means "IP listed in bl.spamcop.net".  This means your outbound IP is/was listed in bl.spamcop.net.  See what petzl said to look up your email server's IP on bl.spamcop.net.

3 hours ago, petzl said:

Try checking Blocklist
https://www.spamcop.net/bl.shtml

 

[spam Showing Up With Old Dates/Times]

4 hours ago, Outernaut said:

The reference is: https://www.spamcop.net/sc?id=z6706263625z7a716025061c9bf82331039e2ea81dcfz

It looks like your spammer has an old date in their spam but the email is being sent today.

Your ISP received: Mon, 15 Mar 2021 15:43:46 -0600
Spammer trick Date: Thu, 11 Mar 2021 02:42:49 +0100

Seems the spammer is trying to trick you into thinking it is old, when it is new.  Looking at the Received headers, I don't understand why the spammer would do this.

[Response on reporting spam]

7 hours ago, Rohan said:

After reporting spam, I mostly get more spam, which after two days or so minimize. Can you tell me what the cause of that can be?

This could also be a form a listwashing where the spammer might be trying to figure out who is reporting.  So they increase their spam on certain people until the figure out who is reporting them.  Also could be some sort of retaliation if they know your address already.

[About that announcement in the report window]

8 hours ago, Outernaut said:

In a shell, does that mean we will no longer be able to report spam to SC, or does the change affect how we report?

If I see the correct one, It is talking about the blacklist mirrors.

3 hours ago, Lking said:

The way I read the notice, they are talking about the SCBL, not reporting spam that feeds the SCBL.

I think I read the same, where this should not affect reporting.  But it might affect blacklist look ups.

[abuse@cloudflare.com ignoring spam reports]

3 hours ago, ewv said:

What is a practical reporting address for cloudflare.com?  My reports to abuse@cloudflare.com, the standard spamcop address, are ignored.

That is a good question.  I did find an abuse form at https: //www.cloudflare.com/abuse/form, but I also searched and found some articles saying that the abuse email doesn't work for some time.  It maybe that they have abandoned the abuse email.

[interestingly spam in my inbox has slowed down considerably!]

Don't worry.  One of my oldest email accounts had stopped receiving lots of spam years ago and now is back to receiving about four spams a day again and it seems to be going up.  My guess is maybe the spammers are doing some listwashing to try to figure out who is reporting.

[spam Showing Up With Old Dates/Times]

13 hours ago, Outernaut said:

This is a example: https://www.spamcop.net/sc?id=z6706167000zcd603f42bf470b11f07d5489c8829d4dz (rejected saying it was to large (not! Rejected because it appears old?)

I went back and looked at this example and I do see why your email client has an old date.  So the email client might be displaying an old date, but the spammer has added their old date.  Stuff like this is all reportable, but maybe the spammer is banking your ISP has an issue and you don't report all the spam.

Received: by cmsmtp; Sun, 14 Mar 2021 14:02:22 -0600

Date added by spammer:

Date: Thu, 11 Mar 2021 02:42:49 +0100

P.S. Thank you for your help too!

[spam Showing Up With Old Dates/Times]

4 hours ago, Outernaut said:

This is a example: https://www.spamcop.net/sc?id=z6706167000zcd603f42bf470b11f07d5489c8829d4dz (rejected saying it was to large (not! Rejected because it appears old?)

Hmmm, the example says it is only 5 hours old and came in on 14 Mar 2021.  I tried refreshing a couple of times.  I wonder if it says it is old when you first go to report it?

Tracking message source: 99.79.57.23:
Routing details for 99.79.57.23
[refresh/show] Cached whois for 99.79.57.23 : abuse@amazonaws.com
Using abuse net on abuse@amazonaws.com
abuse net amazonaws.com = abuse@amazonaws.com
Using best contacts abuse@amazonaws.com
Reports disabled for abuse@amazonaws.com
Using abuse#amazonaws.com@devnull.spamcop.net for statistical tracking.
Message is 5 hours old

How an email might possibly be old is for instance, the 10.0.153.220 server could have held it internally for a few days.  SpamCop goes off the date on the Received line where it picks up the spammers IP.  This means if your ISP hold an email for four days, SpamCop would call it old, even though it may have just barely arrived.

[dot xyz dot com]

7 hours ago, pusser_uk said:

Reporting to abuse@microsoft.com or report_spam@hotmail.com, where it originates, seems obviously not to work but just to multiply the amount of spam that returns.

My dot-xyz spam has lasted a few months and now it has dropped.  It could be list washing.  Probably more like petzl said it could be working and the administrators turning off the sites.  It is interesting that for me, yesterday the links changed to dot-im.

6 hours ago, petzl said:

I suspect your reports are working (tried a link and came up dead) Appears you are/maybe being spammed by a "hosting site" 

 

[amazonaws.com now accepting reports]

Perhaps amazon doesn't like the format of SpamCops reports.  If you do not hear anything you can the deputies at deputies[at]admin[dot]spamcop[dot]net.

[Irrelevant websites in SC reports]

3 hours ago, Tau said:

Here are all the URls with the websites SC wants to report. I'm a noob in html and many other things related to internet, but it seems to me that these URl's structure is strange: they ALL include another website into them, and a subdomain related to image hosting, but they are not tagged with html code related to images, thus identified by SC parsing process.

For a quick crash course, everything between the "://" and the first "/" is the domain.  The part immediately after the first "/" is there to make you think it is someone else's domain in order to add confusion.  So as below, example,com is the what will get reported, even though they are trying to get you to think this is a valid image site.

https :// example,com /i.pinimg,com/

2 hours ago, Lking said:

One of the disadvantages of a well indexed internet content is that the bots/spiders that craw the internet for content do not read the content quite the same way you, a human does.

This is what Lking means when he sayd bots.  As the bots add a separate domain name after the first "/" in the URL of where they stole the image/content from.

[parse page failing to load?]

On 2/8/2021 at 7:34 PM, anyone8 said:

Well, if we both reached the same conclusion at the same time, we can't both be wrong, right?  Thanks!

✔️

[SpamCop parsing errors?]

On 2/8/2021 at 10:55 AM, Tau said:

These urls have pinimg.com in them (except the first one that has pynimg, which obviously is a typo), and this is a Pinterest alias, there URL are fake images links, and these domains are not involved with the spam, so yes it seems irrelevant that SC proposes to report to the hosts admins.
 I suppose that SC proposes to report them because in html view, they appear to be clickable (it's only one digit in the body), I think I understand that now.  

As an administrator of my own server, I want to know when a link is being abused.  If I can tell it is not spam, I may chose to ignore that report.  This is why even though my items are not spam, I still want the reports.  I get to make the final decision whether I take down the items, not SpamCop.

[Back again with more nothing to do when reporting]

On 2/12/2021 at 7:17 PM, RobiBue said:

I don't know if @Richard W or @Lking or another forum admin could figure out where your "nothing to do" problem lies... several years ago Don D'Minion (3rd message in following thread: 

I wonder, if you kept up the page that gave you a "nothing to do" and reloaded it later if it would work for you.  It seems strange that the page would just start working.

On 2/12/2021 at 7:17 PM, RobiBue said:

added a yahoo host to the account, but from what I understand, you have no mailhosts in your account (neither have I FWIW) so the problem must lie elsewhere...

Last time I looked at someone else's tracking URL, it used their mailhosts setup, not mine.

[Irrelevant websites in SC reports]

Due to link tracking (where spammers note if you click a link), SpamCop does not follow links.  It only looks up the hostname and reports the link to the administrator.  As for the missing content, it is possible that someone else had the same link, reported it, and the administrator probably already removed it.

[parse page failing to load?]

I think I found it.

Received: from beactive.it (5.149.249.179) by xHRZDMoSZQtTgIAffdczjrWWwatOgPNzFmircaawrvITFdBVQxutRnEWUepKPlOSwGJOqJfGFYyixSZjQnQWiQxqdPmvWeFgxrYmbRuJHWQgniKgFaMzPNMarqJOpuDIqmBFzSYld.mail.protection.outlook.com id pDAvY7enim86 for <x>; Tue, 09 Feb 2021 01:00:58 +0100 (envelope-from <return@nvse2fv2dfx.work>

The hostname appears to be too long on the above line.

C:\>dig any xHRZDMoSZQtTgIAffdczjrWWwatOgPNzFmircaawrvITFdBVQxutRnEWUepKPlOSwGJOqJfGFYyixSZjQnQWiQxqdPmvWeFgxrYmbRuJHWQgniKgFaMzPNMarqJOpuDIqmBFzSYld.mail.protection.outlook.com
dig: 'xHRZDMoSZQtTgIAffdczjrWWwatOgPNzFmircaawrvITFdBVQxutRnEWUepKPlOSwGJOqJfGFYyixSZjQnQWiQxqdPmvWeFgxrYmbRuJHWQgniKgFaMzPNMarqJOpuDIqmBFzSYld.mail.protection.outlook.com' is not a legal name (label too long)

C:\>

 

[parse page failing to load?]

1 hour ago, anyone8 said:

Here's one of the tracking URLs: https://www.spamcop.net/sc?id=z6702233527zbcd30846d6b3149bd78570af38518361z

Last time I had seen this it was a double period in a hostname, but I have yet to find one in this tracking URL.

 

[SpamCop parsing errors?]

2 hours ago, Tau said:

It seems that the URLs with these domains are invalid, with the format:  https://punita=
 henna.com/i.pinymg.com/150x150/3d/2c/86/xxxxxxxxxxxxxxx 

The "=" at the end of the line is a RFC email standard.  It, in combination with the new line, are not displayed in the actual body of the email.  This is why the domain looks invalid in the raw format, but is valid in the when viewing.

2 hours ago, Tau said:

I try to check by myself before sending a report, so I didn't report them, as it seems that this is an error and it would be a false report.

Am I right? And if so, I there a way for SC to improve the parsing and avoid there fake links?
For a previous spam, I was also proposed to report Facebook, and it was obviously wrong...

If the link was included in a spam email, why would it be a false report?  Some people want to know when someone else abuse their links in spam.  Links are not put into the blocking list, only the source IP of the spam is put there.

 

[Broken captcha in signup page]

I posted a new feature request for this, so hopefully it gets resolved.

 

[Block entire ISP]

11 minutes ago, Rasmus167 said:

You blocked an entire ISP with all there 10 k customers. None of my customers receives email, not even in spam. We send important communication to our customers who don't have access to this information now. You FUC*ED us and our customers. 

A reminder that this is a user to user forum.  If you don't hear anything from SpamCop staff, you may want to contact them at deputies[at]admin[dot]spamcop[dot]net.

[Broken captcha in signup page]

2 hours ago, gmacar said:

The captcha is broken and should be fixed. Thank you.

I agree with your statement, but this issue seems to happening with different browsers.  From this other post, they tried a different browser.  If you could verify that the java scri_pt issue is also the problem, then maybe that can narrow it down.

http://forum.spamcop.net/topic/29780-captcha-problem-on-registering/

[More and more DEVNULL reports]

I don't have an IP or tracking URL so I am not able to duplicate a look up, but my memory remembers that I never got a reply from salesforce spam.  It did stop after a while, but maybe they were list washing their single opt-in lists.