[Resolved] ISP threatens to disable email forwards

[lknight004]

I've been receiving complaints from my own Domain provider where my email address is being spoofed as the spam sender. Such spoofing was not an issue previously. Prior to last week, SpamCop did not send reports to my own ISP. In the past, SpamCop handled those cases where the faked source address was the same as the destination address. Is this the result of a bug in the new software, or has the spammer that created the email in this report outfoxed SpamCop's parsing and source address resolution? (I'm not a techie, so I can't tell).

I have stopped reporting spam in order to keep Pair Networks from disabling email alias forwarding for my domain. But that kinda defeats the purpose of SpamCop.

I am attaching the complaint that I received from my Domain ISP. They have sent me several complaints over the previous week, but this is the first one to contain the threat in the last paragraph.

Thanks,

-- ldk[at]spamcop.net

Date: Sat, 22 Aug 2009 12:16:42 EDT [08/22/2009 12:16:42 PM EDT]

From: pair Networks Abuse <abuse[at]pair.com>

To: 4489052196[at]reports.spamcop.net

Subject: Re: [A9O4G7Q] [spamCop (66.39.2.36) id:4489052196], and these mounted apart on another 3"

Headers: Show All Headers

Hello,

Please be more careful with the spam reporting software you are using. The

report below was sent to us because the mail was sent to you, not because

a spammer was on our system. In effect, you just reported your own account

with us as a spam source. We are trying our best to handle reports to find

actual spammers when they do appear on our system, and this sort of thing

is most unhelpful to that effort.

Please examine this message again to see how you manage to report

yourself, and check your reporting software for ways to avoid this in the

future. We appreciate your efforts on this.

If you continue to report your own account, we will be forced to disable

your e-mail forwards in order to keep the server from being blacklisted.

Thank you,

Jon C.

pair Networks

abuse[at]pair.com

[StevenUnderwood]

The IP that SpamCop found is a pair.com address.

1. It would help us figure out what happened if you provide a TrackingURL. If you look in past reports, find the SpamID 4489052196, click that link and parse the spam again, you can get the URL.

2a. If you do not have MailHosts configured, please do so. That is the reason they are there, to help eliminate reporting your own provider. They are not infalible, however (see 2b)

2b. If you have MailHosts configured, one of the hosts in your path may have made a change that has not been picked up yet (likely pair.com in this case without seeing the evidence). This is why it is still important to monitor where your reports are going and to double check anytime one of your providers is the target of your reports.

[turetzsr]

I've been receiving complaints from my own Domain provider where my email address is being spoofed as the spam sender.

...Sorry if I'm reading this incorrectly but I don't believe this could be an issue -- SpamCop does not report anything based on any e-mail address in spam, it only reports based on IP addresses.

<snip>

Date: Sat, 22 Aug 2009 12:16:42 EDT [08/22/2009 12:16:42 PM EDT]

From: pair Networks Abuse <abuse[at]pair.com>

To: 4489052196[at]reports.spamcop.net

Subject: Re: [A9O4G7Q] [spamCop (66.39.2.36) id:4489052196], and these mounted apart on another 3"

<snip>

Hello,

Please be more careful with the spam reporting software you are using. The

report below was sent to us because the mail was sent to you, not because

a spammer was on our system. In effect, you just reported your own account

with us as a spam source. We are trying our best to handle reports to find

actual spammers when they do appear on our system, and this sort of thing

is most unhelpful to that effort.

<snip>

...It is entirely possible that your provider is correct. Please read the following:

• SpamCop wiki entry "SelfReporting."
  
• The link in the SpamCop FAQ (to which there is a link near the top left of each SpamCop Forum page) labeled "How can I unsend a Report?"
  

[Edit] StevenUnderwood posted as I was composing the above and his response is more concise. Treat mine as a source of additional technical information (the first bulleted reference) and additional steps you should take to partially redress the impact of reporting your own provider (the second bulleted reference).

[SpamCopAdmin]

Handled by email.

User needs to configure Mailhosts.

Unfortunately, when the parse runs into a slow DNS lookup, it will abandon it and go after the server it can't get information on. It looks like that is what is happening in this case.

The defense against that is configuring Mailhosts.

Turetzsr is right. No responsible spam fighter or abuse desk will ever pay any attention to the email address on spam.

- Don D'Minion - SpamCop Admin -

[lknight004]

Thanks to all responders.

I have not configured Mailhosts and I will endeavor to do so to solve the problem. This was not apparently necessary in the past, but since I do not receive (legitimate) mail directly into my SpamCop account -- only via alias forwards -- the Mailhost solution should be straightforward. I do archive my SpamCop reports so I expect I will be able to look back and see what has been happening.

Again, I'm not a techie, so if someone would kindly point me to a FAQ or other relevant explanation of the Mailhosts function, I would be interested to understand this better.

Again, thanks for your responses.

--Lee

[Wazoo]

Again, I'm not a techie, so if someone would kindly point me to a FAQ or other relevant explanation of the Mailhosts function, I would be interested to understand this better.

MailHost Configuration of your Reporting Account has its own Forum section. Had you followed previously suggested/provided links, you'd find that the single-page-access-expanded SpamCop FAQ here is broken into sections, and again, the MailHost Configuration stuff is in its own section. There is also the SpamCop Wiki provided as yet another source of data. Not sure why its needed, but .. there are multiple Search tools available right at the top of he page.

[Farelf]

In addition to the resources referred to by Wazoo (and referenced from some of them) is the SC official FAQ (from spamcop.net/help.shtml - http://www.spamcop.net/fom-serve/cache/397.html.

That content has been in place for some time and some users have found some further detail and elaboration useful/necessary. The history, wrinkles, developments, elaborations and general discussions about it all (including when things don't quite go according to expectation) are teased out in forum section http://forum.spamcop.net/forums/index.php?showforum=7.

The Wiki article http://forum.spamcop.net/scwik/MailHostConfiguration is a user's-view clarification of the whole thing while the article http://forum.spamcop.net/scwik/MailHost is a precis of the technical background to what is meant by 'mailhost' and where it fits into the the scheme of things in the e-mail process.

The reason 'we' (other users) in the forums are keen for users to help themselves and explore what is in place as thoroughly as they are able is because some get into trouble with self-reporting and other pitfalls (yes, even with mailhosts configured) if they are not aware of the potential. But (as some reassurance), the greater majority seem to manage somehow, most of the time, anyway. But there are many other things users of the SC reporting system and the SC mail system can find out from the experiences and knowledge of other users without it becoming too technical. There may not always be somebody around to answer individual requests - but odds are the answers are already in here 'somewhere' for the finding.

[lknight004]

MailHost Configuration of your Reporting Account has its own Forum section. Had you followed previously suggested/provided links...

Dear Wazoo,

I have been a SpamCop user since 2002, when Julian was doing amazingly original work to combat the exponential growth of spam. In the years since, as anti-spam functionality became ubiquitous, I continued to support SC with my annual $30 and with my time reporting spammers, even though equivalent functionality became available to me for free from my other service providers, including Pair.

Over the past 7 years, I have NEVER needed to configure a SC MAILHOSTS file to avoid reporting problems. Now, while I was away on holiday concurrent with a SC software upgrade and suddenly begin to receive threats from Pair, you ask why didn't I think to research the SC documentation, rather than politely ask for a Mailhosts FAQ pointer? DUH!

You, dear Wazoo, are a forum administrator; which you apparently interpret as a license to be arrogant rather than generous as are your users and SpamCop Admin Don D'Minion (who, by the way, diagnosed the cause and politely offered a fix less than an hour after I posted).

I didn't ask 'Whats a mailhosts', but rather, 'where can Mailhosts information be found'. Nevertheless, I am glad to have given you an opportunity to show off your encyclopedic knowledge and wisdom, and I stand humbled and cowed before your obviously superior intellectual prowess. I promise never again to annoy your Forum-Administratorship with my stupid questions, until I have proven myself worthy to be in your presence.

Before I leave, I would like once again to thank the users and in particular Don D'Minion for the helpful answers they graciously provided in YOUR forum.

Sincerely,

Lee Knight

[Farelf]

...I didn't ask 'Whats a mailhosts', but rather, 'where can Mailhosts information be found'.

Lee, did the links (and the sequence of links) I provided meet your needs?

[lknight004]

Lee, did the links (and the sequence of links) I provided meet your needs?

Farelf,

Yes, I think I understand the Mailhosts system now, thank you very much. It's amazing that this didn't bite me until now, since it went into place in 2004. I also better understand Wazoo's apparent frustration after reading his/her voluminous explanation effort in FAQ Entry: MailHost Configuration problems. WHEW!!

Nevertheless, I would NEVER have found any of that without you Farelf .

Still, I'm afraid all the docs and posts delve so deeply into the Mailhost 'why', that a humble user is at a loss to distill a 'how' from the morass. May I suggest a brain-dead dialog such as the following?

User: Help! My email provider says I'm reporting myself as a spammer!

Guru: Don't panic. Do the following:

1. Go to http://www.spamcop.net and log in with your User ID and Password

2. Select the 'Mailhosts' tab

3. In the first blank field enter your email address (me[at]mydomain.com)

4. In the second blank field put your email provider's domain name (emailprovider.net)

5. Select "Go To Next Step"

6. Make sure all mail servers are selected

7. Click 'Proceed'

8. Login to your email account (such as http://webmail.spamcop.net)

9. When mail arrives from [spamCop] open the message as plain text (look for something like: 'Message Source'), select 'all' and copy

10. Reopen the same message normally (HTML format) and click the link in the middle of the message that says http://www.spamcop.net/mcgi?action=mhreturn

11. In the resulting window, go to the first empty box (says "Paste headers (or entire intact email) here:") right-click, select 'paste' and click the "Process Sample" button

12. If you get an error, you probably didn't copy/paste the whole email as plain text. Go back and look for words like 'show headers', 'message source' etc. You need it all, but it has to be plain text.

13. If all else fails, go to http://forum.spamcop.net/forums/index.php?showforum=7 and post a question for your friendly administrators -- but DON'T copy the email from SpamCop into your forum post.

You get the idea.

Again, thanks Farelf, for sending the pointer that I needed to get this thing working!

--Lee

[rconner]

Over the past 7 years, I have NEVER needed to configure a SC MAILHOSTS file to avoid reporting problems. Now, while I was away on holiday concurrent with a SC software upgrade and suddenly begin to receive threats from Pair, you ask why didn't I think to research the SC documentation, rather than politely ask for a Mailhosts FAQ pointer? DUH!

As I understand it (from the perspective of a user, not an "official" SpamCop person of any sort), the Mailhost Config procedure is a bit like a flu shot. Maybe you won't need it, but maybe you will. And, whether you need or not can suddenly change depending on outside events. Perhaps your provider changed its mail setup somehow without your knowing, such that SC can no longer figure out the proper mail path (this has happened to me on occasion). Unfortunately, you just have to be vigilant and pay attention to your outgoing reports if they start getting uniformly directed to your own ISP.

-- rick

[Farelf]

...thanks Farelf...

You're most welcome Lee.

...Still, I'm afraid all the docs and posts delve so deeply into the Mailhost 'why', that a humble user is at a loss to distill a 'how' from the morass. May I suggest a brain-dead dialog such as the following?

User: Help! My email provider says I'm reporting myself as a spammer!

Guru: Don't panic. Do the following:

1. Go to http://www.spamcop.net and log in with your User ID and Password

2. Select the 'Mailhosts' tab

3. In the first blank field enter your email address (me[at]mydomain.com)

4. In the second blank field put your email provider's domain name (emailprovider.net)

5. Select "Go To Next Step"

6. Make sure all mail servers are selected

7. Click 'Proceed'

8. Login to your email account (such as http://webmail.spamcop.net)

9. When mail arrives from [spamCop] open the message as plain text (look for something like: 'Message Source'), select 'all' and copy

10. Reopen the same message normally (HTML format) and click the link in the middle of the message that says http://www.spamcop.net/mcgi?action=mhreturn

11. In the resulting window, go to the first empty box (says "Paste headers (or entire intact email) here:") right-click, select 'paste' and click the "Process Sample" button

12. If you get an error, you probably didn't copy/paste the whole email as plain text. Go back and look for words like 'show headers', 'message source' etc. You need it all, but it has to be plain text.

13. If all else fails, go to http://forum.spamcop.net/forums/index.php?showforum=7 and post a question for your friendly administrators -- but DON'T copy the email from SpamCop into your forum post.

...

Thanks for that. Part of 'our' problem is we find it hard to imagine/remember what it is like for someone coming to these things for the first time. We're not trained 'customer service' reps we're (mostly) just other users, we don't have 'scripts' (and there may not always be someone around to deliver them if we did) but maybe we should have a few anyway. We do have extensive FAQs and the Wiki (and the preserved dialog in these forums and in the newsgroups) but, as countless others have pointed out before you, even with the FAQs, etc. it is a challenge to find the right starting point and a clear impression of any process involved. It is even a challenge just finding these forums and the newsgroups these days.

Thanks again for the careful and detailed feedback, that is helpful.

[lknight004]

it is a challenge to find the right starting point and a clear impression of any process involved. It is even a challenge just finding these forums and the newsgroups these days.

That's exactly right. Don provided the starting point (Mailhosts) and you pointed to the correct spot in the docs. Before that, I assumed it was just another 'bug after upgrade'.

But hey, SpamCop was never intended to be a 'retail' offering, and I was an 'early adopter' so I've always expected a learning curve. Still, I don't 'live' in the Forums (I didn't even know the Forum existed until I realized the SpamCop.help newsgroup was was not up to date ) so you might say I was a little 'behind the times'. That's why I documented and posted my steps.

Bottom line: SC provides a needed service and I support it. You guys probably feel the same way. But user AND admin expectations must be managed, and that requires a little patience on both sides.

So, good on'ya, Farelf. Mission accomplished.

--Lee

[Wazoo]

So, good on'ya, Farelf. Mission accomplished.

Tagging this as Resolved. Thanks for the follow-up and feedback.

[Miss Betsy]

You're most welcome Lee.Thanks for that. Part of 'our' problem is we find it hard to imagine/remember what it is like for someone coming to these things for the first time. We're not trained 'customer service' reps we're (mostly) just other users, we don't have 'scripts' (and there may not always be someone around to deliver them if we did) but maybe we should have a few anyway. We do have extensive FAQs and the Wiki (and the preserved dialog in these forums and in the newsgroups) but, as countless others have pointed out before you, even with the FAQs, etc. it is a challenge to find the right starting point and a clear impression of any process involved. It is even a challenge just finding these forums and the newsgroups these days.

Thanks again for the careful and detailed feedback, that is helpful.

The FAQs were intended to be 'scripts' so that when we found an answer that seemed to work, anyone could use it by linking to it. Also newcomers could find them without our help. Unfortunately, they are not always clear and, usually, we don't get feedback on what could be improved. Maybe the feedback here should be added to the FAQ. Part of the reason our FAQs are not clear is because techies need to understand the why before they get to the how. non-technically fluent people like me are content with the 'how' and to think about the 'why' later.