gnarlymarley

This also does pose a question since much of the updates (such as the IP 150.107.103.51 shows) are manually entered from whois. I believe should be automatically picked up from the whois system. If the programmers could fix whois, I do not believe it will fully eliminate manual entries. However, that would greatly reduce the amount of manual entries.

MIG, Yeah, that does need to be updated. I have seen occasional updates there, which could be Richard doing the updates. I would probably suggest more than one person who can do those updates.

Wilma, I have also seen routers that had been hacked. You might always want to check your routers and IoT devices such as IP cameras. Anything that is sharing that same IP could have been used to send the unwanted email.

This is unfortunate. Don, you will also be remembered.

I am just trying to understand. So if I understand correctly, you are offering to update the current tables that Don D'Minion (I haven't seen him for a while) used to update such as can be seen at https://www.spamcop.net/sc?action=showroute;ip=150.107.103.51;typecodes=16?

Lisati/MIG, Though I would like this access, I would prefer not to give spammers more access than they really need. While it would be nice to be able to correct addresses in our own table, it is not a good idea to open it up to people that are using the forums to put in their spam, or even to paste in bad abuse addresses. Forum spam posted in the R&RA is why I like the deputies to act as a double check what shows up there.

I believe if it because that dot. At least mine was. Now that is weird. My suspicion is that maybe with mailhosts turned on, it fails at the dot and with mailhosts turned off it works?

The sad part is many folks are not willing to part with their perks in order to block the spams. Probably not very many business would change either. I did notice spamcop has been sending reports to the ipmanagment address.

unidress, Also one quick note you might want to make sure your routers are also secure. I have seen email that actually came from a hacked router to my email account.

nitesh, Please note that anyone can put into their email servers anything they want on the blocking message, such as can be seen from https://www.spamcop.net/fom-serve/cache/293.html's configuration suggestions. What usually happens is folks change the dns, but don't change the message to go with it. This can lead to erroneous messages about spamcop or something else blocking a message, but in reality it is the local email provider that did something. The email administrator may have made a mistake on the receiving email server's configuration file. What will probably need to happen is your friend might need to call the local support to figure out why it says spamcop has blocked the email, when it is not listed in the spamcop blacklist.

Looks like mimecast may have setup their own blacklist. dennis562, When I first looked at adding a blacklist to my MTA about twenty years ago, I had to key in the deny message into mailer configuration file. As you can see from this link (https://www.spamcop.net/fom-serve/cache/294.html), anyone can put anything they want into that message. This is what petzl means about a fake bounce.

There are a few options you have left when the adminstrator is useless if you really want to stop the spam. Keep reporting for two or three years and the spammer will give up. Block the whole IP range. (this could be a problem as the emails from this forum appear to come from amazon, so this could block legitimate email.) Implement SPF checks on the MTA and hopes that blocks it (only works if you have the ability to control the MTA.) Use greylisting to make sure that only servers can connect and send you email (again, only works if you can change the MTA behavior.) The reason most businesses offer the free accounts is it falls under the idea of advertising. If someone cannot check out the service, then they are less likely to use it. Kind of problem as it pulls in the jerks, but also pulls in paid accounts as well......

jimmywalter, See post from MIG above.

I am unable to tell if jimmywalter is using office365 webmail or if using outlook.live.com. I call it hotmail, but in outlook.live.com over by the sign out button is three dots that once clicked will have a "source message" link that has the full source. In offfice 365 web outlook, there is only an options and properties tab that gives the headers. The outlook application gives the same. So if jimmywalter is using office365 webapp, there is no forward as attachment and no message source. If jimmywalter is using outlook.live.com, there is no forward but is a message source that can allow the full headers and body to be copied/pasted into the spamcop webform.

A tracking URL would be helpful. Last time I got this, it turned out to be a dot in a domainname that was not supposed to be there. Parsing your output mentally, I suspect it is the dot starting above. Mine was a double dot that the spammers put in to prevent parsing. If you remove the dot at the beginning of that hostname, does it parse?

MIG, For the outlook office365 webapp, you are absolutely correct. The hotmail version of the web app will let me view the source. What sucks about the webapp, is that I can only get it to show me the headers. Apparently what Jimmywalter might need to do (and what I have been doing for a while) is access it over imap using both fetchmail and thunderbird.

I used to want to have a higher reporting preference for the links in the body, until the spammer one day about two decades ago used an website from my company in one of their spams. The spam came from a prominent university and the administrator mistook the link for the source of the spam. This nearly got me fired for being the recipient of the spam during the argument that ensued. Since then, I don't care as much about the links in the body and I know those can be spoofed (as well as the Received lines in the header), but the IP that my mail server records as the source is the only one I know that I can trust as being accurate.

MIG, To answer your question jimmywalter will not be able to post a tracking URL because I believe the error of "SpamCop could not find your spam message in this email" is in the response email that would normally contain the tracking URL. When the forwarded message is not an attachment, instead of a tracking URL, SpamCop provides this error. jimmywalter, this might useful to know. I use the Outlook application to create a new message and drag in the email to the forwarded message when I want to "forward as an attachment". Doing a google search yields results such as save the email as a eml file and then attach that to a new message, so I am not sure it is possible with the web application. There might be some key sequence such as something like ctrl+shif+F that might do a forward as an attachment that I am not aware of.

Outlook by defaut does not support forwarding as an attachment. The "forward" button is misleading. What I do to forward as an attachment is to create a new email that will be sent to spamcop, then drag the message I want to attach to the body of my new email.

There have been a few different passwords used. However, the one today has a unique password that was used back in November. It is similar to the format of the October scams, but not similar to the early December copycat scams. Of course with a spamtrap account that has never had a password of its own and likewise does not have its own browser. I did not that this scam did not talk about the webcam, unlike the ones back in November. If it was a different person, then I would expect that I would be able to find some sort of link to the so called password somewhere on the internet. Though, this could be a darkweb link that I know nothing of.

Ha, I thought this guy has given up, but seems he came back for another try. Been a long while since I have seen this come into my "spamtrap" account. I though they had given up on it. Amazing how an account could have a password without an /etc/password entry. http://www.spamcop.net/sc?id=z6508576087z8ae70bcdece03f0236640dc90110bceaz

Sounds like they might be morphing now. I got the following sent to an address that has not has this stuff yet. More phishing... Urgent : Someone has your password http://www.spamcop.net/sc?id=z6506112137zb5e259ccf80b3b62fcb7a72e9509c841z I have to chuckle at these liars how seem to be getting desperate. I hope it means they are losing the battle.......

yep, I do remove the top line, just like I do with gmail. I think this is a mailhosts problem where the mailhost section probably records every address. It seems to be too many address for it the parser to be able to detect that any address for 2603:1000::/24 is a valid mailhosts. I think the problem becomes that 20,282,409,603,651,670,423,947,251,286,016 (2^104) is just too many addresses for the mailhosts entry to record.

I use hotmail and I do not see any problems with spamcop, if I strip off the top broken piece.

I also have done the drag and drop method in thunderbird in the past, but I find it actually supports the forward as attachment. Thanks for the heads up for when I they force the new OL junk on me in a few years.