
Trouble parsing headers? "No source IP address found, cannot proceed."


Celtkin


I frequently receive spam like the one below, and when I report the spam to Spamcop, I receive an error message "No source IP address found, cannot proceed."

What is it about the example below that is thwarting Spamcop's ability to parse the source IP?

spam follows:

Delivered-To: *****

Received: by 10.151.15.18 with SMTP id s18cs31693ybi;

Thu, 22 Oct 2009 15:56:00 -0700 (PDT)

Return-Path: <kingsson88[at]gmail.com>

Received-SPF: pass (google.com: domain of kingsson88[at]gmail.com designates 10.150.127.36 as permitted sender) client-ip=10.150.127.36;

Authentication-Results: mr.google.com; spf=pass (google.com: domain of kingsson88[at]gmail.com designates 10.150.127.36 as permitted sender) smtp.mail=kingsson88[at]gmail.com; dkim=pass header.i=kingsson88[at]gmail.com

Received: from mr.google.com ([10.150.127.36])

by 10.150.127.36 with SMTP id z36mr30873483ybc.326.1256252160121 (num_hops = 1);

Thu, 22 Oct 2009 15:56:00 -0700 (PDT)

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=gmail.com; s=gamma;

h=domainkey-signature:mime-version:received:date:message-id:subject

:from:to:content-type;

bh=EE05xFD7BE6ufXnyQ6nkwmIN/6WEQtMnpqPGth2m/xU=;

b=mbUwSAy4FVg8IqQ5XNvbXvRu/BKJaLgaBs3GRnZKBKXFqIprgV+8G7DHqeppHh864B

RppE8ZdqjWayIljDN0JbcW6Jw8llPCEfjejpOzKHdMP+5kcycQvzB9GfxssmhBlLRZVP

SKzsAg5oRWYmOVHyiAJBiNxy6cOZsHjwlhEYU=

DomainKey-Signature: a=rsa-sha1; c=nofws;

d=gmail.com; s=gamma;

h=mime-version:date:message-id:subject:from:to:content-type;

b=tupZlif0y3kygUedXgFyCx8WzJeYIw3+X8DcWWy2Nd0orafAM8tm3481sv+kFYwaKW

Y0udvQsphsXsk7J8Z02fjbiOiAKD/DZz4xlDexRYIgEPL4OqaDS98kfUBLZRsj62idmk

IOJruLJpRJnI/JNAx3cwq8TJ26OQyr+mEOn74=

MIME-Version: 1.0

Received: by 10.150.127.36 with SMTP id z36mr16683402ybc.326.1256252157243;

Thu, 22 Oct 2009 15:55:57 -0700 (PDT)

Date: Thu, 22 Oct 2009 17:55:57 -0500

Message-ID: <2e36c0470910221555t217bd110l3523eb236ef9f6ed[at]mail.gmail.com>

Subject: Hottest "WORLDWIDE" Home Business "EVER" $$$$$

From: Markcoz Davis <kingsson88[at]gmail.com>

To: cbran211[at]islc.net

Content-Type: multipart/alternative; boundary=000e0cd723e694b30804768dff54

--000e0cd723e694b30804768dff54

Moderator edit: Body removed as the question is about the headers and we all get enough spam of our own.


Received: by 10.151.15.18 with SMTP id s18cs31693ybi;

Thu, 22 Oct 2009 15:56:00 -0700 (PDT)

Received: from mr.google.com ([10.150.127.36])

by 10.150.127.36 with SMTP id z36mr30873483ybc.326.1256252160121 (num_hops = 1);

Thu, 22 Oct 2009 15:56:00 -0700 (PDT)

Received: by 10.150.127.36 with SMTP id z36mr16683402ybc.326.1256252157243;

Thu, 22 Oct 2009 15:55:57 -0700 (PDT)

I have purged the headers down to only the received lines to make it easier to show you the issue.

Any IP address in the 10.x.x.x range is allowed only on internal networks. There are probably millions of networks (including my home network) using those ranges of IP addresses.

This message was sent from the google network to the google network, never touching the internet. As such, there are no IP addresses that can be reported automatically. SpamCop needs to ignore the 10.x.x.x because they are not unique. You can see that the message started in Google and that is where you can send a manual report.

Link to comment
Share on other sites
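The reply above, as an added Python example (not part of the original thread, and not SpamCop's parser): it walks the Received lines quoted in this topic and looks for a globally routable sender address. The function names are hypothetical, treating `is_global` as the test for "reportable" is a simplifying assumption, and the envelope address in the second sample is replaced with a placeholder.

```python
import ipaddress
import re
from email import message_from_string

# Received lines quoted in the thread: a Gmail-to-Gmail message.
GMAIL_INTERNAL = """\
Received: by 10.151.15.18 with SMTP id s18cs31693ybi;
 Thu, 22 Oct 2009 15:56:00 -0700 (PDT)
Received: from mr.google.com ([10.150.127.36])
 by 10.150.127.36 with SMTP id z36mr30873483ybc.326.1256252160121 (num_hops = 1);
 Thu, 22 Oct 2009 15:56:00 -0700 (PDT)
Received: by 10.150.127.36 with SMTP id z36mr16683402ybc.326.1256252157243;
 Thu, 22 Oct 2009 15:55:57 -0700 (PDT)
"""
# Received lines quoted later in the thread (envelope address is a placeholder).
EXTERNAL_HOP = """\
Received: from unknown (HELO cloudmark1) (10.49.16.91)
 by 0 with SMTP; 25 Oct 2009 19:04:56 -0000
Received: from [213.167.192.251] ([213.167.192.251:23428] helo=4d1jl02)
 by cm-mr16 (envelope-from <sender[at]example.invalid>)
 (ecelerity 2.2.2.41 r(31179/31189)) with ESMTP
 id 8D/C8-04885-451A4EA4; Sun, 25 Oct 2009 15:04:56 -0400
"""
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")

def to_ip(text):
    """Parse text as an IP address; None if it is a hostname or junk."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def hops(raw_headers):
    """Per Received header, newest first: (IPs in 'from' clause, 'by' IP or None)."""
    result = []
    for value in message_from_string(raw_headers).get_all("Received", []):
        # Split at the first "by" so version strings that follow it, such as
        # "ecelerity 2.2.2.41", are never mistaken for addresses.
        parts = re.split(r"(?:^|\s)by\s+", value, maxsplit=1)
        found = map(to_ip, IPV4.findall(parts[0]))
        from_ips = [ip for ip in found if ip is not None]
        rest = parts[1].split() if len(parts) > 1 else []
        result.append((from_ips, to_ip(rest[0].rstrip(";")) if rest else None))
    return result

def first_reportable_source(raw_headers):
    """First globally routable 'from' address, or None if every hop is private."""
    for from_ips, _by in hops(raw_headers):
        for ip in from_ips:
            if ip.is_global:
                return str(ip)
    return None

def all_private(raw_headers):
    """True when the headers carry addresses and none is globally routable."""
    seen = [ip for f, b in hops(raw_headers) for ip in f + [b] if ip is not None]
    return bool(seen) and not any(ip.is_global for ip in seen)
```

For the Gmail-to-Gmail headers the search returns nothing, which is the condition behind "No source IP address found"; the second sample yields the one public address recorded by the receiving host.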

I seem to be having a similar problem that causes no report to be filed, so I can't give you past tracking links because it's now after the fact. When it happens again I will post with a tracking link. I'm getting a bunch of drug offers via spam in the past week, just started recently. Not a single one can be reported -- either it's not associated with "any of my mail hosts" (which I've already tried to resubmit e-mails to verify but no dice), or it's a suspected forgery, or some other message that indicates it can't trace the original source.

I use Mailwasher Pro to submit all spam. I also just tried submitting my last report by viewing the raw source in MWPro, logging into SpamCop, copying/pasting properly into the form, but it still won't trace back to the spammer. I never bring down spam into Outlook. Thank God for MWPro and the "delete/bounce" option!

I have to assume it's the same spammer but without our beloved SpamCop parsing it properly that's just a guess.

Not sure what else to do. I thought maybe reconfirming my mailhost would help, but I got configuration errors no matter how I submitted the e-mail back to SpamCop. I use Network Solutions to host my incoming e-mail using my own domain name, so I have reason to believe I'm not always assigned the same mail server with NSI.

Oh worra worra worra! Any ideas? Ignore the spammer for now?

Thanks muchly,

Carole


I seem to be having a similar problem that causes no report to be filed, so I can't give you past tracking links because it's now after the fact. When it happens again I will post with a tracking link. I'm getting a bunch of drug offers via spam in the past week, just started recently. Not a single one can be reported -- either it's not associated with "any of my mail hosts" (which I've already tried to resubmit e-mails to verify but no dice), or it's a suspected forgery, or some other message that indicates it can't trace the original source.
Actually these messages, when you see them, are not really failures -- they mean that SpamCop has found a source for the spam -- that is, a host not associated with any of your mail hosts, and whose info appears to have been forged.

If you like, you should be able to retrieve tracking links for your past submissions even though SpamCop did not follow through. The page on tracking links points to how to do this. Then you can post one here.

-- rick


If you like, you should be able to retrieve tracking links for your past submissions even though SpamCop did not follow through. The page on tracking links points to how to do this. Then you can post one here.

Thanks Rick, but SpamCop doesn't produce reports for these "druggie" spammers lately, at least in my case. I go to my "Past reports" and I can see all of my submitted spams but each entry just says in the 3rd line:

No reports filed

I'm sure I'll be getting another spam soon so I was just wondering if there's something wrong with the reporting mail host from NSI -- I really don't think I have just one that serves my domain mail.

Carole


If you can see the submitted spam and can post the tracking link here, it will show what spamcop did with the headers and perhaps someone will see where the problem is that no reports are sent.

Also, you /never/ want to use the bounce function in Mailwasher Pro!!!! What that does is send your spam to the forged return path to some poor person who is the spammer's choice to be forged. Sometimes it is not much of a problem, but a few people get absolutely inundated with them and it is a real nuisance.

Miss Betsy


Thanks Rick, but SpamCop doesn't produce reports for these "druggie" spammers lately, at least in my case. I go to my "Past reports" and I can see all of my submitted spams but each entry just says in the 3rd line:

No reports filed...

Yes, you're right IIRC, those ones don't give you a report ID to click on in the past reports - the parse details for those ones can only be caught during the parse (as Miss Betsy says) - where it says near the top of the page (like this dummy one):
Here is your TRACKING URL - it may be saved for future reference:

http://www.spamcop.net/sc?id=z3438104837z1...3ce08689865fb4z

If you still have the spam message you can go to the paste-in box on your member page and re-do it from there, pasting in the full headers and message - and capture a new tracking URL.

As Rick has said, the parser has done its job, just that there seems to be no authentic, identifiable external source 'stamped' by the servers handling the message. There are several ways that can happen and when you can give a tracker someone will have a go at explaining it and whether there is anything that can/needs to be done about it.


Also, you /never/ want to use the bounce function in Mailwasher Pro!!!! What that does is send your spam to the forged return path to some poor person who is the spammer's choice to be forged. Sometimes it is not much of a problem, but a few people get absolutely inundated with them and it is a real nuisance.
As someone who does frequently get bombed by blowback bounces, let me add my hearty endorsement to this. It does absolutely no earthly good at all to pretend to bounce incoming spam, because even if the spammers were inclined to remove bounced addresses, they will simply never see the bounce. The only ones who will get your Mailwasher bounces are those (like me) who have had their addresses stolen by spammers and dropped into the from- or return-path fields of outgoing spam. This does you no good at all, and in fact places you in the position of a mail abuser. Plus, these bounces cannot fool an experienced e-mail analyst.

I'll tentatively opine that this pretend-bounce feature may be useful occasionally for tricking annoying correspondents (e.g., ex-dates) into leaving you alone, but it is useless against serial professional spammers.

-- rick


Should the receiving system (by cm-mr16) be on your mailhost list? That SHOULD be a fqdn placed there by that server. Since that is the only received header available, it looks like your ISP is not including its fqdn in the headers. You should bring this up to them. Mailhost would then recognize at least the domain of the receiving system and accept that line.

Otherwise, you are missing some headers.

P.S. I am not about to follow your earlier link, no matter how safe you propose it to be.


Should the receiving system (by cm-mr16) be on your mailhost list? That SHOULD be a fqdn placed there by that server. Since that is the only received header available, it looks like your ISP is not including its fqdn in the headers. You should bring this up to them. Mailhost would then recognize at least the domain of the receiving system and accept that line.

Otherwise, you are missing some headers.

P.S. I am not about to follow your earlier link, no matter how safe you propose it to be.

As I mentioned above in passing, I've tried to reconfigure my mailhost (again) on SC. I get nothing but errors when attempting to do so. My mail hosting provider (NSI) is not the same as my outgoing mail's ISP. I don't have an e-mail account on my own ISP, e-mail is only on NSI. So this gets convoluted, as I can't receive e-mail directly through my ISP in order to set up a mailhost pointing to that ISP. These recent spams are always rejected for reporting. Most of the time in the past with other spammers my report is accepted just fine. I haven't changed my e-mail or ISP in years.

Any suggestions or should I just hang in there?


As I mentioned above in passing, I've tried to reconfigure my mailhost (again) on SC. I get nothing but errors when attempting to do so. My mail hosting provider (NSI) is not the same as my outgoing mail's ISP. I don't have an e-mail account on my own ISP, e-mail is only on NSI. So this gets convoluted, as I can't receive e-mail directly through my ISP in order to set up a mailhost pointing to that ISP. These recent spams are always rejected for reporting. Most of the time in the past with other spammers my report is accepted just fine. I haven't changed my e-mail or ISP in years.

Any suggestions or should I just hang in there?

If you do not receive ANY email through your ISP, then they are not the one with the problem and you do not need to add them to your mailhosts. Replace "ISP" with "mail provider" in my above message.

You need to find out who is placing this garbage in the headers:

Received: from unknown (HELO cloudmark1) (10.49.16.91)

by 0 with SMTP; 25 Oct 2009 19:04:56 -0000

Received: from [213.167.192.251] ([213.167.192.251:23428] helo=4d1jl02)

by cm-mr16 (envelope-from <verna.boucher_me[at]tds.mb.ca>)

(ecelerity 2.2.2.41 r(31179/31189)) with ESMTP

id 8D/C8-04885-451A4EA4; Sun, 25 Oct 2009 15:04:56 -0400

Nowhere does it show where the internal system (cloudmark1) received the message unless that is the same cm-mr16 machine. There is nothing to indicate that they are the same system.

Ask your mail provider to fix their headers.


Thanks for the pointers. I've compared two SC "accepted" reports vs. two "nothing to do" reports, and you're right, the trouble is in the lines like this:

by cm-mr16 (envelope-from <verna.boucher_me[at]tds.mb.ca>)

I don't think it's a problem with Network Solutions or all of my spam headers would likely be similar. Since I have reason to believe these latest spam blasts are from the same source I guess I will have to suck it up. Network Solutions won't be interested in helping run this down. Can't blame them, I'm just a little fish in their big pond.

Oh well. Thanks for all the input everyone.


  • 5 months later...

I am getting these errors more and more frequently from "Get rich quick" scams. Can you tell me how to submit these reports?

Delivered-To: celtkin[at]gmail.com

Received: by 10.115.49.11 with SMTP id b11cs165103wak;

Tue, 6 Apr 2010 19:44:15 -0700 (PDT)

Return-Path: <zillionaire.mygifts123[at]gmail.com>

Received-SPF: pass (google.com: domain of zillionaire.mygifts123[at]gmail.com designates 10.231.169.144 as permitted sender) client-ip=10.231.169.144;

Authentication-Results: mr.google.com; spf=pass (google.com: domain of zillionaire.mygifts123[at]gmail.com designates 10.231.169.144 as permitted sender) smtp.mail=zillionaire.mygifts123[at]gmail.com; dkim=pass header.i=zillionaire.mygifts123[at]gmail.com

Received: from mr.google.com ([10.231.169.144])

by 10.231.169.144 with SMTP id z16mr496287iby.25.1270608255059 (num_hops = 1);

Tue, 06 Apr 2010 19:44:15 -0700 (PDT)

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=gmail.com; s=gamma;

h=domainkey-signature:mime-version:received:date:received:message-id

:subject:from:to:content-type;

bh=R2eBdHnHra0JNVm4X2Satk3NBWSGXWjtn8g0/08TWuo=;

b=qG7g/gyU4Hbe0JmR7Ub6UbDp9mIBe6pYnww+/eILjGBES1gz/ESYoOqpWhZnmTcX3q

0BbwyGtTFPIVYsgS7JBsQJ9uz9Lu/dyfSlxqM0O/B8UdVb8AWUGlWMsEal6dUoEWn6ph

a3oKrdnJDdwIpln6GPhadzIP7VfdcUdF3NJ0g=

DomainKey-Signature: a=rsa-sha1; c=nofws;

d=gmail.com; s=gamma;

h=mime-version:date:message-id:subject:from:to:content-type;

b=CtWjd2cE5Odl7aR/9GQNoayI1LGCMy1fcqUbggz2wX7aqT692vqV4PrdM3yTMFCs/E

hHSDFbSzRutNYy8pMhPBPgcY5rJUYmCuI/xcDVtliAgUkaPZsKjJZX/vy1NwSDpBhObc

/4NHUKRFwRSP/c2qAE2wphbL2QrCYbR7Ur0gg=

MIME-Version: 1.0

Received: by 10.231.59.199 with HTTP; Tue, 6 Apr 2010 17:52:12 -0700 (PDT)

Date: Tue, 6 Apr 2010 19:52:12 -0500

Received: by 10.231.169.144 with SMTP id z16mr325829iby.25.1270601533021; Tue,

06 Apr 2010 17:52:13 -0700 (PDT)

Message-ID: <q2ha169d061004061752ze8cbf51bn3ed523f96a9e80ac[at]mail.gmail.com>

Subject: 125% Money Back Guarantee $$$$$

From: Melvin Davis <zillionaire.mygifts123[at]gmail.com>

To: cbran211[at]islc.net

Content-Type: multipart/alternative; boundary=0016e6d26c5a06e54a04839af9b2

<Body of spam deleted - has no bearing on the question asked, answers or explanations that have preceded or follow this particular query subject matter>

Hard not to note that this is the second Post from this Topic-starter. Both Posts have had the same edit-action taken, both Posts were dealing with the same subject, used the same Title, etc. etc. I will admit that the earlier Topic was a bit hijacked and veered away from this specific question-answer, but .... actual responses were provided in both Topics ... gmail-to-gmail internal network mail .. simple as that. Merging this 'new' Topic into the first one started by the same user, as it is a continuation of the same question ... and even more, the original was Posted (correctly) into the "Reporting Help" Forum section, as compared to this Post being made into the non-associated Spamcop Email System & Accounts Forum section. PM sent.


I am getting these errors more and more frequently from "Get rich quick" scams. Can you tell me how to submit these reports?

Would help if you told us what email program you use

Not sure if Google show the source IP address of received email?

They haven't done so in this case

The race/war is on to provide a complete web service

Google are one that do not want outsiders reporting their spam problem except to them!

Shortly Google hope to put out a computer & computer operating system in competition with Microsoft (etc)

which will include their own email, browser, pictures, news and all other applications.

Their intention appears to be to make other email provision obsolete

Snipped rant by me, Petzl (author)


I am getting these errors more and more frequently from "Get rich quick" scams. Can you tell me how to submit these reports?

It appears that all the IP addresses in the header are internal to Google's own network, so the message never went out to the Internet. The way to report internal spam is directly to Google through their own email client.

Typing 'No source IP address found, cannot proceed' into the search box at the top of the page would show you a list of several previous questions and detailed answers to the same issue, including one of your very own from Oct. 22, 2009. See your earlier post and responses here.

BTW, it is not recommended to post an entire spam message here, just post the Tracking URL from the top of the parse results view instead. Or see [How-to] Post a Question


Archived

This topic is now archived and is closed to further replies.
