Everything posted by gnarlymarley

  1. MIG, This is one that does nearly sound legitimate and had me going for about 10 days now, but I think I have cracked it. It appears that the bounce should be coming from 162.255.118.61 or 162.255.118.62 and not 54.240.8.31. The MX record for client76701.host appears to be namecheap.com, not amazon. The more I look at this, the more I think backscatter
  2. I will explain further. Yes, I believe this does need to be updated as long as SC is not identifying the proper email addys. I also believe we should be able to figure out "why SC is not identifying the proper source" and we should be able to fix it. The "NEVER will" part needs human intervention with "both" the programmers to fix SC and also putting manual entries. I believe if SC could be fixed, it would automatically determine "most of the proper addys", but there would still be a smaller percentage that needs to be manually entered (due to bad whois or some other circumstance).
  3. Yes. I suspect the function that they expect is that, rather than the parser dying, it would come up with something like "Not one of your mailhosts". Then they could continue their submissions with one account that has mailhosts enabled.
  4. I went through my logs and noticed I didn't have any from the IP range of 2402:bc00::/32. The last time I had anything from 2402::/16 was in 2017. So I definitely missed this.
  5. This also does pose a question, since many of the updates (such as the IP 150.107.103.51 shows) are manually entered from whois. I believe they should be automatically picked up from the whois system. If the programmers could fix whois, I do not believe it will fully eliminate manual entries. However, that would greatly reduce the number of manual entries.
  6. MIG, Yeah, that does need to be updated. I have seen occasional updates there, which could be Richard doing the updates. I would probably suggest more than one person who can do those updates.
  7. Wilma, I have also seen routers that had been hacked. You might always want to check your routers and IoT devices such as IP cameras. Anything that is sharing that same IP could have been used to send the unwanted email.
  8. This is unfortunate. Don, you will also be remembered.
  9. I am just trying to understand. So if I understand correctly, you are offering to update the current tables that Don D'Minion (I haven't seen him for a while) used to update such as can be seen at https://www.spamcop.net/sc?action=showroute;ip=150.107.103.51;typecodes=16?
  10. Lisati/MIG, Though I would like this access, I would prefer not to give spammers more access than they really need. While it would be nice to be able to correct addresses in our own table, it is not a good idea to open it up to people that are using the forums to put in their spam, or even to paste in bad abuse addresses. Forum spam posted in the R&RA is why I like the deputies to act as a double check on what shows up there.
  11. I believe it is because of that dot. At least mine was. Now that is weird. My suspicion is that maybe with mailhosts turned on, it fails at the dot and with mailhosts turned off it works?
  12. The sad part is many folks are not willing to part with their perks in order to block the spams. Probably not very many businesses would change either. I did notice spamcop has been sending reports to the ipmanagment address.
  13. unidress, Also, one quick note: you might want to make sure your routers are also secure. I have seen email that actually came from a hacked router to my email account.
  14. Looks like mimecast may have set up their own blacklist. dennis562, When I first looked at adding a blacklist to my MTA about twenty years ago, I had to key the deny message into the mailer configuration file. As you can see from this link (https://www.spamcop.net/fom-serve/cache/294.html), anyone can put anything they want into that message. This is what petzl means about a fake bounce.
  15. There are a few options you have left when the administrator is useless if you really want to stop the spam.
      • Keep reporting for two or three years and the spammer will give up.
      • Block the whole IP range. (This could be a problem as the emails from this forum appear to come from amazon, so this could block legitimate email.)
      • Implement SPF checks on the MTA and hope that blocks it. (Only works if you have the ability to control the MTA.)
      • Use greylisting to make sure that only servers can connect and send you email. (Again, only works if you can change the MTA behavior.)
      The reason most businesses offer the free accounts is it falls under the idea of advertising. If someone cannot check out the service, then they are less likely to use it. Kind of a problem as it pulls in the jerks, but also pulls in paid accounts as well......
  16. I am unable to tell if jimmywalter is using office365 webmail or if using outlook.live.com. I call it hotmail, but in outlook.live.com over by the sign out button are three dots that once clicked will have a "source message" link that has the full source. In office 365 web outlook, there is only an options and properties tab that gives the headers. The outlook application gives the same. So if jimmywalter is using office365 webapp, there is no forward as attachment and no message source. If jimmywalter is using outlook.live.com, there is no forward but there is a message source that can allow the full headers and body to be copied/pasted into the spamcop webform.
  17. A tracking URL would be helpful. Last time I got this, it turned out to be a dot in a domain name that was not supposed to be there. Parsing your output mentally, I suspect it is the dot starting above. Mine was a double dot that the spammers put in to prevent parsing. If you remove the dot at the beginning of that hostname, does it parse?
  18. MIG, For the outlook office365 webapp, you are absolutely correct. The hotmail version of the web app will let me view the source. What sucks about the webapp, is that I can only get it to show me the headers. Apparently what Jimmywalter might need to do (and what I have been doing for a while) is access it over imap using both fetchmail and thunderbird.
  19. I used to want to have a higher reporting preference for the links in the body, until the spammer one day about two decades ago used a website from my company in one of their spams. The spam came from a prominent university and the administrator mistook the link for the source of the spam. This nearly got me fired for being the recipient of the spam during the argument that ensued. Since then, I don't care as much about the links in the body and I know those can be spoofed (as well as the Received lines in the header), but the IP that my mail server records as the source is the only one I know that I can trust as being accurate.
  20. MIG, To answer your question, jimmywalter will not be able to post a tracking URL because I believe the error of "SpamCop could not find your spam message in this email" is in the response email that would normally contain the tracking URL. When the forwarded message is not an attachment, instead of a tracking URL, SpamCop provides this error. jimmywalter, this might be useful to know. I use the Outlook application to create a new message and drag in the email to the forwarded message when I want to "forward as an attachment". Doing a google search yields results such as save the email as an eml file and then attach that to a new message, so I am not sure it is possible with the web application. There might be some key sequence such as something like ctrl+shift+F that might do a forward as an attachment that I am not aware of.
  21. Outlook by default does not support forwarding as an attachment. The "forward" button is misleading. What I do to forward as an attachment is to create a new email that will be sent to spamcop, then drag the message I want to attach to the body of my new email.
  22. Yep, I do remove the top line, just like I do with gmail. I think this is a mailhosts problem where the mailhost section probably records every address. It seems to be too many addresses for the parser to be able to detect that any address for 2603:1000::/24 is a valid mailhost. I think the problem becomes that 20,282,409,603,651,670,423,947,251,286,016 (2^104) is just too many addresses for the mailhosts entry to record.
  23. I use hotmail and I do not see any problems with spamcop, if I strip off the top broken piece.
  24. I also have done the drag and drop method in thunderbird in the past, but I find it actually supports the forward as attachment. Thanks for the heads up for when they force the new OL junk on me in a few years.