gnarlymarley (Member, 839 posts)

Posts posted by gnarlymarley

  1. On 9/26/2020 at 7:26 PM, jakeqz said:

    Mostly, though, they have a `Reply-To` header with a Gmail address.

    Spammers started using Reply-To a few decades ago because they could mask the From as an invalid address and prevent bounces.

    On 9/26/2020 at 7:26 PM, jakeqz said:

    But when I report these emails as spam, SpamCop does not send a report to Google.

    Yep, and SpamCop does not send a report for the "from:" address either.  Only the source IP, any relay IPs, and the URLs are reported.

    On 9/26/2020 at 7:26 PM, jakeqz said:

    I think it should offer the option to report to the provider of any email address listed in `Reply-To`.

    This is an interesting idea, but the from and reply-to could be spoofed to catch innocent people.  I think I almost vote to have a feature like this added, if it were not for the possible spoofing.

  2. 6 hours ago, unitacx said:

    Eventually you will get the spam reporting address as the outside server.
    
    On mine, there were three outlook.com "Received:" headers, followed by an "Authentication-Results:" header. By removing those first three "Received:" headers, I was able to get to the source of my sample email.

    Eventually you should start to recognize the external and internal headers and might be able to shorten step 3.

  3. 3 hours ago, KNERD said:

    Just reported email again. It is not obtaining the IP address again,

    One thing I am not sure if you know: you can revisit any of your tracking URLs and, from my experience, they will get any mailhost changes you make.  You have about 48 hours from the time the email was received by your border server to report.

    18 hours ago, petzl said:

    Your server IP static? Not dynamic?  The email host update has fixed issues.

    My email provider's IP is dynamic and I have never had a problem reporting or using mailhosts.  Then I use exim and KNERD seems to be using postfix.  Maybe SpamCop might be parsing the headers from different servers differently?

  4. On 9/13/2020 at 4:50 PM, petzl said:

    Your email provider has not stamped a received FROM IP line

    Outernaut, I expect to see an IP somewhere in the Received line such as the following.

    Received: from oksupp ([IP.add.re.ss]) by elm.nocdirect.com

    On 9/13/2020 at 2:08 PM, Outernaut said:

    Did this come from the internal site to where it was sent?

    Without the IP address in the Received line, I would have to assume this came from the internal site directly.  Which is probably what SpamCop is doing.
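    Walking a Received: chain the way posts 2 and 4 describe (strip the hops your own provider stamped, stop at the first outside IP, and give up when a hop stamped no peer IP) can be scripted. The following is an added example, not code from this thread or from SpamCop. It unfolds the headers, walks Received: lines newest-first, skips hops whose peer IP sits inside the recipient's own relay networks, and returns the first peer IP outside them; a hop with no bracketed peer IP ends the walk with a "no-ip" verdict, which is the "assume it came from the internal site directly" case above. The header samples, the hostnames and the 10.0.0.0/8 "our relays" network are constructed for the example.

```python
"""Walk a Received: chain newest-first, skip our own relays, stop at the first
external peer IP. Added example; all headers and networks below are constructed."""
import re
from ipaddress import ip_address, ip_network

# Constructed: three hops stamped by the recipient's provider, then the border
# hop that recorded the external sender in brackets, then a hop the sender
# itself claims (anything below the external hop may be forged and is ignored).
SAMPLE_HEADERS = """\
Received: from mail.example.net (mail.example.net [10.0.0.5])
\tby mx2.example.net with ESMTP id abc123; Sun, 13 Sep 2020 14:00:05 +0000
Received: from mx1.example.net (mx1.example.net [10.0.0.4])
\tby mail.example.net with ESMTP; Sun, 13 Sep 2020 14:00:04 +0000
Received: from oksupp ([203.0.113.77])
\tby mx1.example.net with esmtps; Sun, 13 Sep 2020 14:00:03 +0000
Received: from unknown (HELO oksupp) (192.0.2.9)
\tby oksupp with SMTP; Sun, 13 Sep 2020 13:59:00 +0000
"""

# Constructed: the border host stamped no peer IP at all (the case in post 4).
NO_IP_HEADERS = """\
Received: from oksupp by elm.nocdirect.com with local (Exim 4.93)
\tid 1kHd2x-0001Fl-Qx; Sun, 13 Sep 2020 14:00:00 +0000
"""

OUR_NETWORKS = ["10.0.0.0/8"]   # assumption: the provider's own relays ("mailhosts")

# Peer IP as the receiving MTA stamps it: "[203.0.113.77]", "[IPv6:2001:db8::1]"
# or the "(203.0.113.77)" form some MTAs use.
PEER_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]|\((\d{1,3}(?:\.\d{1,3}){3})\)")


def unfold(raw):
    """Join RFC 5322 continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_lines(raw):
    """Received: header values in the order they appear (newest hop first)."""
    return [l.split(":", 1)[1].strip() for l in unfold(raw)
            if l.lower().startswith("received:")]


def peer_ip(received):
    """IP the receiving host recorded for the host it took the message from, or None."""
    m = re.match(r"from\s+(.*?)\s+by\s", received, re.S)
    if not m:
        return None
    hit = PEER_IP.search(m.group(1))   # only the "from ..." part, never the "by" host
    if not hit:
        return None
    try:
        return ip_address(hit.group(1) or hit.group(2))
    except ValueError:
        return None


def find_source(raw, our_networks=OUR_NETWORKS):
    """Return (source_ip, received_line, verdict).

    verdict: 'external' when a peer outside our networks was found (source_ip set),
             'no-ip' when a hop stamped no peer IP, so the chain cannot be followed
                     and the message looks locally injected at that host,
             'internal' when every hop was one of ours."""
    nets = [ip_network(n) for n in our_networks]
    for rcvd in received_lines(raw):
        ip = peer_ip(rcvd)
        if ip is None:
            return None, rcvd, "no-ip"
        if any(ip in n for n in nets):
            continue                        # our own relay: keep walking outward
        return str(ip), rcvd, "external"    # first outside hop; ignore anything below
    return None, None, "internal"


if __name__ == "__main__":
    print(find_source(SAMPLE_HEADERS))
    print(find_source(NO_IP_HEADERS))
```

    The trusted-network list is what the SpamCop mailhosts configuration encodes for you; without it, the walker would stop at the first Received line, which is the same symptom the thread above is chasing.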

  5. 13 hours ago, Brian Kendig said:

    Edit: aha, when I remove my FQDN and just say "by 216.53.249.115", then SpamCop accepts it, interesting...

    I wonder if SpamCop might be having problems with the IP of the receiving server too.  If you change it to the following, it will probably work.  It may only want one entry for the receiving host.

    by www.enchanter.net with esmtps

  6. On 8/27/2020 at 9:57 AM, denby said:

    I don't know how they are actually getting to my email inbox, but they have weird from addresses.

    Spammers use Unicode and base64 to try to hide from spam filters.  (Most spam filters work in plain text.)

    On 8/27/2020 at 9:57 AM, denby said:

    Any suggestions on how to stop them?

    If your filtering can do regular expressions then you can look for UTF-8.  Some filtering programs will let you filter for the "raw" headers or the decoded headers.

    From: "=?eq7rzAaUmUTF-8?B?

    I suspect this might be a mix, but I do see a UTF-8 in the middle.  Usually that starts the Unicode section.
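    The "UTF-8 in the middle" is an RFC 2047 encoded-word, =?charset?B?base64?=, which hides the display name from a plain-text filter. As an added example (not code from this thread), the block below does both things the post mentions: a regex over the raw header that fires on a base64 UTF-8 encoded-word before any decoding, and a decode with Python's email package so a rule can compare the recovered display name with the real address. The three From: values are constructed.

```python
"""Detect and decode RFC 2047 encoded-word display names in a From: header.
Added example; the header values below are constructed, not real mail."""
import re
from email.errors import HeaderParseError
from email.header import decode_header, make_header
from email.utils import parseaddr

SAMPLES = {
    "plain":  'From: "Acme Billing" <billing@example.com>',
    # "Acme Billing" as base64 in an encoded-word
    "utf8_b": 'From: =?UTF-8?B?QWNtZSBCaWxsaW5n?= <x9k2@example.net>',
    # "PayPal Service" as base64, in front of an unrelated address
    "brand":  'From: =?utf-8?B?UGF5UGFsIFNlcnZpY2U=?= <noreply@example.org>',
}

# Raw-header rule a filter can run before decoding: base64 ("B") encoded-word
# declaring a UTF-8 charset, any letter case.
RAW_UTF8_B64 = re.compile(r"=\?utf-?8\?b\?", re.IGNORECASE)
# Every encoded-word, to list the charsets used.
ENCODED_WORD = re.compile(r"=\?([^?]+)\?([bBqQ])\?[^?]*\?=")


def classify_from(raw_header):
    """Return the raw-rule result plus the decoded display name and address."""
    value = raw_header.split(":", 1)[1].strip()
    words = ENCODED_WORD.findall(value)
    try:
        decoded = str(make_header(decode_header(value)))
    except (HeaderParseError, UnicodeDecodeError, LookupError):
        decoded = value          # undecodable junk: keep the raw text so rules still see it
    name, addr = parseaddr(decoded)
    return {
        "raw_utf8_base64": bool(RAW_UTF8_B64.search(value)),
        "charsets": sorted({cs.lower() for cs, _ in words}),
        "display_name": name,
        "address": addr,
        "decoded": decoded,
    }


if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(label, classify_from(header))
```

    Filtering on the raw pattern alone catches every legitimate non-ASCII sender too, so the decoded display name is the better place for the rule: a brand name in display_name next to an address at an unrelated domain is the spam tell, and the raw flag is just corroboration.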

  7. On 8/25/2020 at 1:01 AM, LaserMoon said:

    When I report spam sent to Hotmail addresses, SpamCop wrongly indicates one of the internal Hotmail IPv6 IPs as the source.

    You can try reporting to deputies[at]admin[dot]spamcop[dot]net, or by requesting a feature in the New feature forum.  Many have mentioned a similar problem in the past Microsoft mailhosts missing IP addresses.

    On 8/25/2020 at 1:30 AM, petzl said:

    I don't believe Hotmail provides a source IP, just the IP of their own email server.

    LaserMoon, I believe the issue to be that microsoft opened themselves up to using around 5,192,296,858,534,827,628,530,496,329,220,096 IP addresses when they moved to using IPv6 public addresses and spamcop might not be able to store them all.

  8. 14 hours ago, mgolden said:

    host 2001:67c:2050:104:0:1:25:1 = mx1.mailbox.org (cached)
    mx1.mailbox.org is 2001:67c:2050:104:0:1:25:1
    Host dobby24a.heinlein-hosting.de (checking ip) = 10.192.2.23
    Sorry, SpamCop has encountered errors:

    The email sample you submitted for X
    appears to traverse more than one domain.  
    Please ensure that you configure each mailhost individually and in order.

    mgolden,

    I am not sure if this could be your problem, but the last time I saw this message it turned out that one email of mine was forwarding to another.  If you have multiple emails involved in a chain then you might need to report them in a backwards order, such as under the "how" section of https://www.spamcop.net/fom-serve/cache/397.html.

  9. 5 hours ago, petzl said:

    Only staff might be able to access that link. I am just a SpamCop member.

    fritz2cat, The link you gave seems to be only accessible by you or SpamCop deputies.  However, you can find an accessible link with munged information if you click on that link and then click on "Parse".  That page should have your Tracking URL near the top.  (As a side note, if you view that while logged out, you should see the munged information on it.)

    Here is your TRACKING URL - it may be saved for future reference:
    https://www.spamcop.net

  10. 16 hours ago, fritz2cat said:

    I end up blocking their CIDR one by one as they are offending.

    I just want to automate it now...

    I automated this using a cron script and a firewall.  The problem I saw is the script happened to catch some legitimate emails and blocked those hosts until it was too late for me to get them back.  (There is a grey area of false positives and false negatives where something will be missed and legitimate stuff will be caught.  This is why I prefer filtering the emails rather than straight blocking.)
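    An added example of that automation, not the poster's script, written with the two guards that post describes missing: an allowlist of networks that are never blocked, and an expiry so a block lapses unless the source offends again. Reported source IPs are grouped by /24 and a prefix with enough distinct offending hosts is blocked whole (the "their CIDR" case), otherwise each host is blocked alone. The offender list, the dates, the 7-day window, the threshold of 3 hosts and the iptables rule shape (SMTP only) are all assumptions.

```python
"""Plan time-limited firewall blocks from reported spam-source IPs.
Added example; the sightings, allowlist and policy constants are constructed."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

ALLOW = [ip_network("192.0.2.0/24")]   # assumption: own relays / partners, never blocked
BLOCK_FOR = timedelta(days=7)          # a block lapses unless the source is seen again
PER24_THRESHOLD = 3                    # distinct hosts in one /24 before the /24 is blocked

# Constructed sightings: (source IP, when it was reported)
OFFENDERS = [
    ("203.0.113.5",   datetime(2020, 9, 1, 10, 0)),
    ("203.0.113.9",   datetime(2020, 9, 2, 11, 0)),
    ("203.0.113.77",  datetime(2020, 9, 2, 12, 0)),
    ("198.51.100.20", datetime(2020, 9, 2, 9, 0)),
    ("198.51.100.20", datetime(2020, 8, 1, 9, 0)),   # old sighting, already lapsed
    ("203.0.113.5",   datetime(2020, 8, 1, 8, 0)),   # old sighting, already lapsed
    ("192.0.2.10",    datetime(2020, 9, 2, 8, 0)),   # allowlisted: a false positive
]
NOW = datetime(2020, 9, 3, 0, 0)
LATER = datetime(2020, 10, 3, 0, 0)   # a month on: every block above has lapsed


def group_net(ip):
    """Aggregation prefix: /24 for IPv4, /64 for IPv6."""
    return ip_network(f"{ip}/24" if ip.version == 4 else f"{ip}/64", strict=False)


def host_net(ip):
    return f"{ip}/{32 if ip.version == 4 else 128}"


def plan_blocks(offenders, now, allow=ALLOW, threshold=PER24_THRESHOLD):
    """Return {network: expiry_iso} for everything that should be blocked at `now`."""
    latest = {}                                 # ip -> most recent live sighting
    for ip_str, seen in offenders:
        ip = ip_address(ip_str)
        if any(ip in net for net in allow):
            continue                            # never block allowlisted hosts
        if seen + BLOCK_FOR <= now:
            continue                            # block for this sighting has lapsed
        if ip not in latest or seen > latest[ip]:
            latest[ip] = seen
    groups = {}
    for ip, seen in latest.items():
        groups.setdefault(group_net(ip), {})[ip] = seen
    plan = {}
    for net, hosts in groups.items():
        if len(hosts) >= threshold:             # enough hosts: block the whole prefix
            plan[str(net)] = (max(hosts.values()) + BLOCK_FOR).isoformat()
        else:
            for ip, seen in hosts.items():
                plan[host_net(ip)] = (seen + BLOCK_FOR).isoformat()
    return plan


def render_rules(plan):
    """iptables lines blocking SMTP only from the planned networks (assumed rule form)."""
    order = lambda n: (ip_network(n).version, ip_network(n))
    return [f"iptables -I INPUT -p tcp --dport 25 -s {net} -j DROP"
            for net in sorted(plan, key=order)]


if __name__ == "__main__":
    plan = plan_blocks(OFFENDERS, NOW)
    for rule in render_rules(plan):
        print(rule)
```

    Run from cron, the script would rebuild the rule set from the sighting log each time, so a host that stops offending falls out of the firewall after BLOCK_FOR without anyone having to remember it; a legitimate sender caught by mistake is worst-case delayed for the window, not lost, and goes on the allowlist once noticed.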

  11. On 8/18/2020 at 3:22 AM, MariaLuiss said:

    I've a brands store of different products and my subscribers had opted in either by subscription cards or via our website.

    Hopefully your website uses something like a confirmed opt-in.  There are spammers that have been going around to websites and signing up other people's email addresses in order to get revenge for being reported for actual spam.  The reports don't seem to be enough to make it onto the blocklist: https://www.spamcop.net/w3m?action=checkblock&ip=173.249.157.30

  12. I did want to make a note that last night some spam script started sending me spam from an OVH.net server, and about three minutes after I reported it, the spam stopped.  I am not sure if I lucked out or if I happened to report at the time someone was in their office.

  13. On 8/6/2020 at 10:37 AM, Lking said:

    If you search for "Tracking URL" (including the quotes) using the search tool, top right of each page, you will find 112 local references to "Tracking URL" that may be more helpful than an internet-wide search.

    Outernaut,

    Lking is talking about the search box on http://forum.spamcop.net in the top right of the page that you can use to search for "Tracking URL".  This limits the search to just forum.spamcop.net.

    As a side note, the "Tracking URL" can be found at the top of the report page or in the reply email (if you submitted via email).  The tracking URL happens to be the same link as URL itself before you submit the page.

    Incidentally, you can also find this from your past reports if you were able to submit them.

  14. On 8/6/2020 at 1:25 AM, Outernaut said:

    SpamAssassin/spam filters seem stuck in the domain name/TLD groove when it comes to blocking senders.

    For TLD, I use the blacklist_from and it works for me.

    blacklist_from *.su
    blacklist_from *.ga
    blacklist_from *.cn

    For the IP, maybe it doesn't like too many wildcards, so you might want to try:

    blacklist_from 170.*
    blacklist_from 173.*

  15. On 8/6/2020 at 12:23 AM, Outernaut said:

    I hope it is enough, and not too much.


    Hmmmm, are you saying the bitcoin email is too old?  When I copied it to my account and cancelled the report, it says it is new enough to report it.

    https://www.spamcop.net/sc?id=z6644990035z0e890411edb1e0e0d2060b4fd4260904z

    21 hours ago, Outernaut said:

    Lord Google says it's (Tracking URL) is for web sites.

    By tracking URL, they mean the one at the top of the SpamCop report page where it says the email is too old.

  16. On 8/1/2020 at 1:24 PM, Outernaut said:

    IF it will let me block IP addresses - as in 170.###.###.###.

    I suspect you might be able to do that with the following but the manual is not completely clear on how:

    blacklist_from [170.0.0.0/8]

    Since I run my own name server, I set up my own blacklist there, such as:

    *.170.blacklist.local. IN A 127.0.0.1
    *.170.blacklist.local. IN TXT "blocked whole range 20200802"
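    How a zone like the one above answers a lookup, as an added example that is not from the post: a DNSBL client reverses the octets of the connecting IP and queries them under the list domain, so 170.1.2.3 becomes 3.2.1.170.blacklist.local., and the *.170 wildcard matches because a DNS wildcard (RFC 4592) covers any number of leading labels. The zone is simulated in a dict so nothing is resolved over the network; the extra records and IPs are constructed. zone_records() produces the two lines of the post's form for any octet-aligned prefix.

```python
"""DNSBL-style lookup against a local wildcard zone, and generation of zone
records for a prefix. Added example; records, IPs and answers are constructed."""
from ipaddress import ip_address, ip_network

ZONE = "blacklist.local"

# Constructed records mirroring the post's zone: owner name (without the zone)
# -> (A answer, TXT reason). A 127.0.0.x answer means "listed".
RECORDS = {
    "*.170":          ("127.0.0.1", "blocked whole range 20200802"),   # all of 170.0.0.0/8
    "77.113.0.203":   ("127.0.0.2", "single host 203.0.113.77"),
    "*.100.51.198":   ("127.0.0.3", "whole 198.51.100.0/24"),
}


def query_name(ip):
    """DNSBL query name: reversed octets (IPv4) or reversed nibbles (IPv6) under ZONE."""
    addr = ip_address(ip)
    if addr.version == 4:
        labels = addr.exploded.split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + ZONE + "."


def lookup(ip, records=RECORDS):
    """Emulate the resolver: exact owner first, then the closest wildcard
    ("*." followed by any suffix of the labels). Returns the record or None."""
    rev = query_name(ip)[: -(len(ZONE) + 2)]     # strip ".blacklist.local."
    if rev in records:
        return records[rev]
    labels = rev.split(".")
    for i in range(1, len(labels)):
        owner = "*." + ".".join(labels[i:])
        if owner in records:
            return records[owner]
    return None


def zone_records(cidr, reason, answer="127.0.0.1"):
    """Zone lines in the post's form for an octet-aligned IPv4 prefix (/8, /16, /24, /32)."""
    net = ip_network(cidr)
    if net.version != 4 or net.prefixlen % 8:
        raise ValueError("wildcard zone entries need an octet-aligned IPv4 prefix")
    kept = net.network_address.exploded.split(".")[: net.prefixlen // 8][::-1]
    owner = ("*." if net.prefixlen < 32 else "") + ".".join(kept) + "." + ZONE + "."
    return [f"{owner} IN A {answer}", f'{owner} IN TXT "{reason}"']


if __name__ == "__main__":
    for ip in ("170.1.2.3", "203.0.113.77", "198.51.100.20", "203.0.113.78"):
        print(ip, query_name(ip), lookup(ip))
    print("\n".join(zone_records("170.0.0.0/8", "blocked whole range 20200802")))
```

    The MTA then points its DNSBL check at blacklist.local (in Exim, a dnslists condition; in Postfix, reject_rbl_client), and the TXT record is what shows up in the rejection message, so keep the reason and date in it as the post does. Prefixes that are not octet-aligned (a /20, say) cannot be expressed as one wildcard and need one record per covered /24.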

  17. 2 hours ago, Tesseract said:

    The analysis by petzl seems correct (braeburn.macports.org is in my mailhosts). I don't know why the parser would fail on this particular message alone

    Interesting, I had submitted a copy to my account without mailhosts and it appears to have worked.

    https://www.spamcop.net/sc?id=z6644191965z228c8ee5751b9ef3fba5a127fdc8818fz

    When I try to submit with mailhosts, I get the same pause (yes, I know I don't have your mail hosts.)

    https://www.spamcop.net/sc?id=z6644192306zf677ca6824be06de2a49d01b38114656z

    This would almost indicate the double-dot hostname problem, maybe.  Hang on, maybe try changing the two dots below to a single one and try submitting again.

    Received: from DESKTOP-JQ04P8P..home

  18. 8 hours ago, Tesseract said:

    https://www.spamcop.net/sc?id=z6643995729z6c0b835925fc83fc6ac686ba27423c1fz

     The parsing ends almost as soon as it begins, having only looked at one host. Other recent reports have been OK.

    Nothing immediately stands out for me, but I do see an IPv6 address:

    whois.ripe.net found abuse contacts for 2a01:4f8:211:2c54::2 = abuse@hetzner.de

    Might be good to get the deputies looking at this at deputies[at]admin[dot]spamcop[dot]net.

  19. On 7/27/2020 at 12:25 AM, nei1_j said:

    Ok.  So the whole "Received:" line is a forgery.

    Nope, I am saying that 51.79.145.214 is the source, but the user/owner of the computer tied to that IP probably didn't send the message themselves.  They "let" someone else use their computer because they didn't patch it.  Spammers love it when they can use someone else's cameras, routers, computers, refrigerators, or other IoT devices to send their stuff so they don't get caught.

    On 7/27/2020 at 1:17 AM, petzl said:

    51.79.145.214 is where it came from and reported correctly to OVH

    Keep reporting these as we at least need to get them to patch or fix the problem.  If it is a person that has let someone else use their machine, they need to deal with the problem.

  20. On 7/25/2020 at 2:48 PM, nei1_j said:

    Are you saying that Newegg was hacked?!?

    Nope, I am saying that OVH customers were probably hacked.  The spammer is just using the Newegg hostname to try to get past spam filters.  (Some people who get a spam report about mail that supposedly came from them discount it and ignore it because they "didn't send it".)
