No Source IP Address


Posted

Ever since my spammers, who call themselves "RxDiler", became aware that I am using SpamCop, not only are the spammers making fun of me for it, but it seems like all of my reports result in "No Source IP address found."

What does this mean -- No Source IP address found??

I have tried pasting the entire message source as well as reporting it from my 2 SpamCop webmail inboxes.

Why doesn't SpamCop utilize the IP address of the blackmarket websites they link to? On a tangentially related note, please let me know if there are any groups of annoyed spam victims who get together to DDOS the spammers (if the spammers are criminals I can't imagine there's anything ethically, legally, or morally questionable about DDOSing them). I'm ready to fight back!

PS I saw on an SEO forum (I don't do SEO, I was gathering anti-spammer intelligence) that some of these ********** spammers use Nexus to outsmart SpamCop? What is Nexus? Is that what causes "No Source IP address found?"

Posted

What does this mean -- No Source IP address found??

A tracking URL would be most useful, but without it, I will try to answer the question.

SpamCop tries to track mail-hops, but there exists in both IPv4 and IPv6 something called private (or internal) addressing. This is used when the message is behind a NAT (10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, FEC0::/10, or FC00::/7) and is using one of these addresses.

When SpamCop encounters one of these addresses which is not globally routable, it cannot track the source of the spammer. If SpamCop thinks the internal mail-hop is tainted, it will stop tracking all remaining mail-hops.

Posted
<snip>

What does this mean -- No Source IP address found??

<snip>

...Please check if the "Search for" tool near the top of the page helps you find an answer to this question. If not, post back here with a description of what you did and I'll see if I can get you closer to an answer (or two or three or ...).
Why doesn't SpamCop utilize the IP address of the blackmarket websites they link to?
...To oversimplify a bit, for much the same reason a screwdriver doesn't double as a hammer -- see the SpamCop FAQ (links to which may be found near the top left of each SpamCop Forum page) entry labeled "SpamCop reporting of spamvertized sites - some philosophy."
On a tangentially related note, please let me know if there are any groups of annoyed spam victims who get together to DDOS the spammers (if the spammers are criminals I can't imagine there's anything ethically, legally, or morally questionable about DDOSing them).

<snip>

...Perhaps not ethically, legally or morally but doing so will add to internet traffic for a reason other than furthering communications and will compete with those legitimate communications, one of the principal evils for which we dislike spam.
Posted

I see, thank you for the information.

So, what's to stop spammers from using an address which is not globally route-able, if anything?

I will see about getting you a link; I'm not sure if I saved it but should be able to reproduce it pretty easily.

Thank you, turetzsr.

I understand that not all spam-advertized sites are evil, but these are illegal and also directly owned by the spammers (I know because when I submit messages on their contact forms telling them what I think of them, they answer me in the next batch of spam).

I believe that DDOS-ing spammers would definitely further legitimate communications because it would make services like email and Facebook useful for friendly, academic, and business purposes. For example, the spammers infiltrated my Facebook account, started posting spam and, infinitely worse, started sending me spam from the names of my Facebook friends. I fought it for months, then eventually I had to quit Facebook. They looked up the company I worked for and called me there 10x per day until I eventually just quit.

So if we make spamming unprofitable for them -- you spam one of us and your website gets knocked the **** offline -- then people can legitimately use email, Facebook, and phones again because it won't be infected with spammers. That's the whole point. I had to buy a Spamcop.net account because my gmail was overrun with spam and even Spamcop.net doesn't really help much. So let's stop them! I am willing to pay up to a few hundred dollars for some professional support even, but I would like to get some community support/insight.

I did some googling and it turns out that there was a group who did this with some success back in 2005 called SpamSlayer. But I do not know the whole story yet, I am still researching and I have some non-spam-related work I have to do now but I will be returning to this thread and to that research later tonight or tomorrow.

Thank you both.

Posted

...Personally, I still think reporting spammers to the abuse address of the machine that is the source of the spam or its "upstream" is the far better approach, both because it is more likely to be effective and because it uses minimal internet resources. A DDOS is only likely to be effective once and for only a short time because defenses against DDOS are readily available. See, for example, Steve Sybesma's post in Forum article "FAQ Entry: The Link Analysis Process."

Posted

I have started seeing this problem myself... Here's a tracking URL for the latest one...

http://www.spamcop.net/sc?id=z5332326658zf...ba05d2885cec7dz

If you check it, you'll see that it will come back as "no source IP address."

And here's the headers of the offending message:

Return-Path: <juhjjjjjjsjsjsjssjjs[at]msn.com>
Delivered-To: spamcop-net-x
Received: (qmail 19807 invoked from network); 20 May 2012 17:19:24 -0000
X-spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on filter7
X-spam-Level: *******
X-spam-Status: hits=7.8 tests=DATE_IN_PAST_03_06,FORGED_MUA_OUTLOOK,
    FROM_LOCAL_NOVOWEL,MISSING_HEADERS,RDNS_NONE version=3.2.4
Received: from unknown (192.168.1.108)
    by filter7.cesmail.net with QMQP; 20 May 2012 17:19:24 -0000
Received: from unknown (HELO fetchmail.cesmail.net) (64.88.168.84)
    by mx71.cesmail.net with SMTP; 20 May 2012 17:19:24 -0000
X-Apparently-To: x via 98.136.183.142; Sun, 20 May 2012 10:14:54 -0700
X-YahooFilteredBulk: 195.4.92.94
Received-SPF: softfail (transitioning domain of msn.com does not designate 195.4.92.94 as permitted sender)
X-YMailISG: seyKWi8WLDu.LeqOLAXi_HdaDzOMNfCrkldlOp0PEqGer9Pz
    vSFVhlV1sPBQoaIii0aCVe1Gm2UmfJyPv7tuskByuMiue2zLeCKLqRfng_it
    WM_19mAvvGme8dPcJ_JGIm5ZzQVOuyi7YOkRy3w4MsjAzJ1nn9_KE9wZLUMK
    _bghrqn8JzObErRv.KkmS1MEhW1OPqtZu_vH7HqZP9__.mKHJd5VspU0QBVN
    rb8K5aBhkd038GVYlh0RGTENjYP6e.sD6iTX2USOo.UR2eYmzN2JO9q0mz4c
    hz4l2GNLLuv4RrytWRD4TEcGLBC7nQ0lxowNIW8AcpblYTCYg30fjXF8w9UF
    X15TPfuvmvWSUZVd5RPzKOekTyUuoXfxjvXUne53b3OX_E73zdI0rlkogfsM
    NwDk3d1V3s953U0I4pXgr2G8zEp7n2kbb35YDEB6FcXzerCPtL48zvZ6S5Du
    pGL1sU2GWX0KZCPAFFlZ2ej6AnL_CFpAR1gLURJDtDraKw.GNQwOfy5nhgP3
    xRGiINsMjjkhsTBJXP0NpgjX6eBotrZqH0yKWUgwxyi5dGqCGIHe1JDcO1oL
    7eJuosVjOQtFZRbgCrm6pkOsBg695gZDLHFPEA1ut77DnN.dyy5EzIES8Z.Y
    QN_gEIDt1Kx8T7jkRxG0.LAOkk6NjXsA.ckcZ_lIN8.bHj1RyIw_0SswrP64
    vkxBgIQBAnnkH3wU_Ym9h8eUMJ5H7VvspikCXTWmkb3YYOCOVH64NtmgG56_
    UmMFP1KlJCTxJk.ie78Wq5d7Tg5_28YJufWiaXo_rNyAx6xud2vi7.pVqwcL
    AbFhaUyy0ZX456XgfwlmXyWr8eEI8pO66Ui1YbqxVBtJwAWtDcOxUSqVh38z
    UVs9RKANSwK89yPzOVQjvb5wGJC8Z4kTaNt4MxAZWMTCA.LTGKZSBPjn144L
    5WiuOVGICEXRlBxfLZg116B_YbVxcJ.U9EOiu7tAkZsIaMcZTGm2XgJnP6Gb
    kDgIv52.at9ZjNUWke8kkQ1bpDAOBbteFubkQBCUGCxda_mFfkYR0U4eX5At
    6oktHa_IibTyeWCuRuOcfIapz6C8RxQTnaSavs0N0XyOMTX0WtlE8Von.w3O
    NAZkaEJ..h6S87roh4WBHvf4ChKsrxdaRjntyVrZ.hrQSuSFkLnDxrnVNbVr
    vg5A2Vixi1_ELoXmHJ707AYChMN3afAbwQ1I8dJ9yCfxigMlUlbgEw8agkBK
    g5HQrdM9ZIw02xYVB_Uw0PQMPgt4HGezesRmc4PoQhKjhXK6yTB9lKfa1IBw
    5Y4fr1OannWE19R2MZnWvmTNK_OY4cPnCkT8v_.SICfS7UaqM7t7epmPRO.x
    6iFgjWtFJVThjHQmNZ.bGaqTmaKQ_58FQwRnx7kAguWvVOPjQLSBWaNUex3d
    2Ht0RVXqRbU8ezGl6iwjkFSyHhWr2M0RiNF9R53g49U0sD.kCtgFTMDBPnfH
    GEL2zagToUxfuSBxR7dyPq5ZADEjvAraCguZlesO51f82h9XzZigd9IaQ25E
    jYfOUUtCdtqCulQOKJ9n7YDRfHUqUMxPve87fAWiEH4Ik6jAC.5VnnZgyqo3
    DLUHQP0pT6OXCwQ9
X-Originating-IP: [195.4.92.94]
Authentication-Results: mta1286.mail.sk1.yahoo.com from=msn.com; domainkeys=neutral (no sig); from=msn.com; dkim=neutral (no sig)
Received: from any-pop-star-new.mail.am0.yahoodns.net [98.139.215.231]
    by fetchmail.cesmail.net with POP3 (fetchmail-6.2.1)
    for x (single-drop); Sun, 20 May 2012 13:20:42 -0400 (EDT)
Received: from 127.0.0.1 (EHLO mout4.freenet.de) (195.4.92.94)
    by mta1286.mail.sk1.yahoo.com with SMTP; Sun, 20 May 2012 10:14:54 -0700
Received: from [195.4.92.142] (helo=mjail2.freenet.de)
    by mout4.freenet.de with esmtpa (ID webmaster[at]kay-manteufel.de) (port 25) (Exim 4.76 #1)
    id 1SW9iW-00043U-Pz; Sun, 20 May 2012 19:14:52 +0200
Received: from localhost ([::1]:56262 helo=mjail2.freenet.de)
    by mjail2.freenet.de with esmtpa (ID webmaster[at]kay-manteufel.de) (Exim 4.76 #1)
    id 1SW9iW-0008Fl-Ev; Sun, 20 May 2012 19:14:52 +0200
Received: from [195.4.92.28] (port=41092 helo=18.mx.freenet.de)
    by mjail2.freenet.de with esmtpa (ID webmaster[at]kay-manteufel.de) (Exim 4.76 #1)
    id 1SW9g7-0005Rh-M6; Sun, 20 May 2012 19:12:23 +0200
Received: from [188.72.238.156] (port=2077 helo=User)
    by 18.mx.freenet.de with esmtpa (ID webmaster[at]kay-manteufel.de) (port 587) (Exim 4.76 #1)
    id 1SW9g7-0006Zj-9X; Sun, 20 May 2012 19:12:23 +0200
Reply-To: <infonmshhccax[at]yahoo.es>
From: "FROM CHRIST STAFFORD"<juhjjjjjjsjsjsjssjjs[at]msn.com>
Subject: from barrister christopher stafford
Date: Sun, 20 May 2012 17:12:44 +0530
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0030_01C2A9A6.1BBCFFF0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID: <1SW9________j-9X[at]18.mx.freenet.de>
X-SpamCop-Checked:
X-SpamCop-Disposition: Blocked SpamAssassin=7

As you can see, at least to a human, it appears that it should at *least* be safe to report 195.4.92.94 as an offending source, as that's the last hop before Yahoo. So why is SpamCop not picking that up??? Is it because the spammers are inserting that big, long garbage block? I've been reporting for years now, and it appears that the spammers have found a new trick to keep SpamCop from reporting them. Note that this was in my "held mail" on the mail side of things, so it never left SpamCop/CESmail.
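As an added example (not code from this thread, from SpamCop, or from CESmail), the script below models the chain test described earlier in the thread: it parses the Received headers quoted above, skips hand-offs inside the reader's own mail path, follows globally routable senders down the chain, and stops at the first non-routable address (private, loopback, or the `[::1]` IPv6 literal) that an untrusted relay inserted. The `TRUSTED` suffix list stands in for a mailhosts-style configuration and is an assumption for this sample; the walk is a simplified illustration, not SpamCop's actual parser. The sample headers are the ones quoted above, re-folded and with the `(ID ...)` tokens trimmed.

```python
from __future__ import annotations

import email
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample input: the Received chain of the message quoted in this
# thread, re-folded with standard continuation indentation. Other headers
# and the "(ID ...)" tokens are omitted; the addresses are as posted.
SAMPLE_HEADERS = """\
Received: (qmail 19807 invoked from network); 20 May 2012 17:19:24 -0000
Received: from unknown (192.168.1.108)
  by filter7.cesmail.net with QMQP; 20 May 2012 17:19:24 -0000
Received: from unknown (HELO fetchmail.cesmail.net) (64.88.168.84)
  by mx71.cesmail.net with SMTP; 20 May 2012 17:19:24 -0000
Received: from any-pop-star-new.mail.am0.yahoodns.net [98.139.215.231]
  by fetchmail.cesmail.net with POP3 (fetchmail-6.2.1)
  for x (single-drop); Sun, 20 May 2012 13:20:42 -0400 (EDT)
Received: from 127.0.0.1 (EHLO mout4.freenet.de) (195.4.92.94)
  by mta1286.mail.sk1.yahoo.com with SMTP; Sun, 20 May 2012 10:14:54 -0700
Received: from [195.4.92.142] (helo=mjail2.freenet.de)
  by mout4.freenet.de with esmtpa (port 25) (Exim 4.76 #1)
  id 1SW9iW-00043U-Pz; Sun, 20 May 2012 19:14:52 +0200
Received: from localhost ([::1]:56262 helo=mjail2.freenet.de)
  by mjail2.freenet.de with esmtpa (Exim 4.76 #1)
  id 1SW9iW-0008Fl-Ev; Sun, 20 May 2012 19:14:52 +0200
Received: from [195.4.92.28] (port=41092 helo=18.mx.freenet.de)
  by mjail2.freenet.de with esmtpa (Exim 4.76 #1)
  id 1SW9g7-0005Rh-M6; Sun, 20 May 2012 19:12:23 +0200
Received: from [188.72.238.156] (port=2077 helo=User)
  by 18.mx.freenet.de with esmtpa (port 587) (Exim 4.76 #1)
  id 1SW9g7-0006Zj-9X; Sun, 20 May 2012 19:12:23 +0200
"""

# Assumption: relays treated as the reader's own mail path (the mailhosts idea),
# here the CESmail and Yahoo hosts seen in the sample.
TRUSTED = ("cesmail.net", "yahoo.com", "yahoodns.net")

IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
IPV6_RE = re.compile(r"(?:[0-9A-Fa-f]{0,4}:){2,}[0-9A-Fa-f]{0,4}")
NAME_RE = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")


@dataclass
class Hop:
    index: int          # 1 = newest header (top of the list)
    ip: object          # ipaddress object for the sending side, or None
    names: list         # host names mentioned in the "from" clause
    by_host: str | None


@dataclass
class WalkResult:
    source: str | None      # deepest routable sender reached before stopping
    candidates: list        # routable senders seen past our own relays
    stopped_at: int | None  # hop index where the walk gave up, or None
    reason: str
    unexamined: int         # hops below the stop that were never inspected


def trusted_name(name: str, trusted=TRUSTED) -> bool:
    return any(name == t or name.endswith("." + t) for t in trusted)


def parse_received(raw_headers: str) -> list[Hop]:
    """Turn each Received: header into a Hop, newest first."""
    hops = []
    msg = email.message_from_string(raw_headers)
    for i, value in enumerate(msg.get_all("Received", []), start=1):
        text = " ".join(value.split())  # unfold continuation lines
        m = re.match(r"from\s+(.*?)(?:\s+by\s|;|$)", text, re.I)
        clause = m.group(1) if m else ""
        by = re.search(r"\bby\s+([\w.-]+)", text, re.I)
        addrs = []
        for token in IPV4_RE.findall(clause) + IPV6_RE.findall(clause):
            try:
                addrs.append(ipaddress.ip_address(token))
            except ValueError:
                pass  # timestamps and other dot/colon runs are not addresses
        # prefer a routable literal over a loopback/private one in the same clause
        ip = next((a for a in addrs if a.is_global), addrs[0] if addrs else None)
        hops.append(Hop(i, ip, NAME_RE.findall(clause), by.group(1) if by else None))
    return hops


def walk_chain(hops: list[Hop], trusted=TRUSTED) -> WalkResult:
    """Simplified chain test: skip hand-offs inside our own provider, follow
    routable senders downward, stop at a non-routable address from an
    untrusted relay (the case that yields "No Source IP address found")."""
    candidates = []
    for hop in hops:
        if hop.ip is None:
            continue  # e.g. "(qmail ... invoked from network)": no sender address
        own_relay = hop.by_host is not None and trusted_name(hop.by_host, trusted)
        own_sender = (not hop.ip.is_global) or any(trusted_name(n, trusted) for n in hop.names)
        if own_relay and own_sender:
            continue  # NAT or internal hop inside a provider we know
        if hop.ip.is_global:
            candidates.append(str(hop.ip))
            continue
        return WalkResult(candidates[-1] if candidates else None, candidates, hop.index,
                          f"non-routable address {hop.ip} received by untrusted relay {hop.by_host}",
                          len(hops) - hop.index)
    return WalkResult(candidates[-1] if candidates else None, candidates, None,
                      "chain walked to the end", 0)


def diagnose(raw_headers: str, trusted=TRUSTED) -> WalkResult:
    return walk_chain(parse_received(raw_headers), trusted)


if __name__ == "__main__":
    print(diagnose(SAMPLE_HEADERS))
```

On the sample, the walk records 195.4.92.94 (handed to Yahoo) and 195.4.92.142, then stops at hop 7, the `[::1]` hand-off inside freenet.de, leaving the two lowest hops unexamined. Adding `"freenet.de"` to the trusted tuple treats those internal hops as a known provider's own routing, and the same walk then reaches the bottom hop, 188.72.238.156, which is what a mailhost-aware parse would see.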

Posted

Different problem, mrmaxx - Don has responded concerning this spam in http://forum.spamcop.net/forums/index.php?...c=12394&hl= but probably worth leaving "here" anyway because surely others would come to a similar conclusion as that you reached.

IF that scrap of internal IPv6 routing was not coded as such (and without mailhosting, thus forcing chain tests) the result would be like:

http://www.spamcop.net/sc?id=z5332497025zf...32e678fe7b4c67z

BUT of course we're not permitted to modify the headers that way and must wait patiently (or otherwise) for the IPv6 code implementation for the parser.

Interesting result though ... and tracks back to a network with an unreceptive abuse handler.

Posted

Ahh... Thanks. Too bad. OH, well... there's always the upstream. :D

Posted
...You could also use the modified version (be sure to cancel it, though!) to find the correct abuse addresses and send manual reports. Just don't mention SpamCop in your manual LARTs. :) <g>
Posted

Now I'm starting to get the things (IPv6 internal routing), well one of them, a standard "Euromillions lottery" phish with selmanjeffory[at]yahoo.com.hk as the drop-box, also transiting through freenet.de. The hard-sell text (much improved on the crude and incredible attempts of yesteryear) is all in a .txt attachment which would be automatically decoded by one's mail program if the thing was opened. Don't do that, folks, in general a security risk even if apparently harmless in this instance (no web-bugs or other links I could see).

Spammers are having a field day but freenet's outgoing servers carry an awful lot of legitimate mail too, reporting there (as will mostly happen when the parser is upgraded) isn't going to make much of an impression. Manual report sent anyway. Maybe they can sanitise their gateways some more when they get enough complaints, as should happen big-time once the parser is up to speed. Yes, yes, I should also write to yahoo.hk and to the apparent originating network (leaseweb.de), SenderBase currently monitoring a jump in traffic from 1,600 to 20,000 per day from 188.72.253.214 (from magnitude 1.9 to magnitude 3.0) but barely listed in RBLs at this time ...

Standard parse

http://www.spamcop.net/sc?id=z5333965749zd...3ea8eaf1876e07z

Modified submission (cancelled)

http://www.spamcop.net/sc?id=z5333892730z1...2d40d5cee67e11z

Modified submission with link testing (cancelled)

http://www.spamcop.net/sc?id=z5333962661z1...7f8168803d72f8z

(Reports to leaseweb.de disabled - there would be a good reason for that)

Incidentally, the attachment (decoded with TOASTEDspam's base64 decoder)

EURO MILLIONS INTERNATIONAL LOTTERY PROMOTION

PRIZE AWARD DEPARTMENT UK.

REFERENCE: EML / IPP/1555002244/05

BATCH: ES34/044/ ILP /SL

Dear Lottery Winner,

We wish to congratulate you over your email success in our computer balloting held on May 15 2012.

This is a Millennium Scientific Computer Game in which email addresses were used. It is a promotional program aimed at encouraging internet users; therefore you do not need to buy ticket to enter for it. You have been approve for the star prize of €600,000:00 Euros. (Six Hundred Thousand Euros Only).

Your E-mail address attached to Serial Number 22221415366-609 with Lucky Star Numbers 03 44 04, Winning Number 04 05 23 25 28 which consequently won in the 6th category, you have therefore been approved for a lump sum pay out of €600,000.00 Euros. (Six Hundred Thousand Euros Only).

CONGRATULATIONS!!!

DO KEEP IT CONFIDENTIAL.

This is part of our security protocol to avoid double claiming and unwarranted abuse of this program by some participants.

All participants were selected through a computer ballot system drawn from over 100,000 company and 50,000,000 individual email addresses and names from all over the world. This lottery was promoted and Sponsored by Bill Gates of Microsoft, With the support of European corporate companies and organizations to encourage the use of Internet and computers worldwide.

Your Prize as been deposited with the Royal Bank Of England,as soon has you contact me,i shall direct you on who to contact there at the bank to claim your prize.

Remember, all winning must be claimed not later than TWO WEEKS, after this date all unclaimed funds will be included in the next stake.

Please note in order to avoid unnecessary delays and complications please remember to quote your Reference Number and Batch Numbers in all correspondence.

Congratulations once more!! !!! !!!! !!!!!.

REMEMBER, YOU HAVE TO CONTACT YOUR CLAIM AGENT WITH YOUR VERIFICATION FORM BELOW TO ENABLE HIM PROCESS YOUR PRIZE MONEY IMMEDIATELY.

VERIFICATION FORM:

1. FULL NAMES:

2. ADDRESS:

3. SEX:

4. AGE:

5. MARITAL STATUS:

6. OCCUPATION:

7. NATIONALITY:

8. TELEPHONE NUMBER:

9. COUNTRY:

10. SERIAL NUMBER:/LUCKY STAR NUMBER

11. WINNING NUMBER:

12. REF NUMBER:

13. BATCH NUMBER:

Sincerely yours,

Jeffory Selman

Lottery Coordinator.

UK-ENGLAND

A lousy €600,000.00 - I wouldn't even get out of bed for that. Whatever happened to all that wealth beyond the widest dreams of avarice? Ah, they learn, don't they?

Archived

This topic is now archived and is closed to further replies.
