MyNameHere Posted December 23, 2015

I've noticed that all the spam I report from my Hotmail account is reported to the same place for the message source: danorm [at] microsoft.com

After trying and discarding a bunch of Received lines, the parser always ends up with an address that looks like "2a01:111:f400:7e4a:0:0:0:208," which is then reported to the above email address. For the past week, at least, the "2a01:111:f400" part has been constant, with some minor variations in the "7e4a" part and the "208" part. This happens even for legitimate emails that I parsed just to see where they would be reported...

Any ideas? Thanks!
MyNameHere Posted December 23, 2015

Reporting URL: https://www.spamcop.net/mcgi?action=gettrack&reportid=6396232610
Dave_L Posted December 23, 2015

That's not a tracking URL. On that page, which only you can view, look for: "Here is your TRACKING URL - it may be saved for future reference:"
MyNameHere Posted December 24, 2015

Tracking URL: https://www.spamcop.net/sc?id=z6202092832z56555340852d4093f4f78c465ff19ae0z
petzl Posted December 24, 2015

Tracking URL: https://www.spamcop.net/sc?id=z6202092832z56555340852d4093f4f78c465ff19ae0z

2a01:111:f400:7e46:0:0:0:208 abuse[at]microsoft.com have had SpamCop send reports to danorm[at]microsoft.com
MyNameHere Posted December 28, 2015

I want to raise the question again, simply because it seems so unlikely to me: how is it that the SpamCop parser always says my spam came from Microsoft? Surely some spam is coming from somewhere else. This strikes me as being a likely parser problem. ???
Lking Posted December 28, 2015

Received: from SN1PR19MB0445.namprd19.prod.outlook.com (10.163.228.23) by CY1PR19MB0444.namprd19.prod.outlook.com (10.164.0.15) with Microsoft SMTP Server (TLS) id 15.1.361.13 via Mailbox Transport; Wed, 23 Dec 2015 11:25:21 +0000
Received: from BY1PR19CA0038.namprd19.prod.outlook.com (10.162.139.176) by SN1PR19MB0445.namprd19.prod.outlook.com (10.163.228.23) with Microsoft SMTP Server (TLS) id 15.1.361.13; Wed, 23 Dec 2015 11:25:21 +0000
Received: from BL2NAM02FT006.eop-nam02.prod.protection.outlook.com (2a01:111:f400:7e46::208) by BY1PR19CA0038.outlook.office365.com (2a01:111:e400:51a3::48) with Microsoft SMTP Server (TLS) id 15.1.361.13 via Frontend Transport; Wed, 23 Dec 2015 11:25:20 +0000
Received: from BAY004-MC5F5.hotmail.com (10.152.76.55) by BL2NAM02FT006.mail.protection.outlook.com (10.152.76.239) with Microsoft SMTP Server (TLS) id 15.1.355.15 via Frontend Transport; Wed, 23 Dec 2015 11:25:19 +0000
Received: from ded1.exinary.com ([199.217.119.143]) by BAY004-MC5F5.hotmail.com with Microsoft SMTPSVC(7.5.7601.23143); Wed, 23 Dec 2015 03:25:18 -0800
From: Google Reminder <guama[at]sunmed.com>

Of course I don't know about "all" your other spam, but the example you provided in #5 above never left Microsoft, so the parser assumes the reliable source must be Microsoft. As an email goes through the internet on its way to its destination, each server adds a 'Received:' entry to the header, parts of which can easily be forged. In this case "Received: from ded1.exinary.com ([199.217.119.143])" cannot be relied on to be valid.
For example, if I do a WhoIs on the domain name I get:

Registrant Name: Support Team
Registrant Organization: Exinary Technologies Pvt Ltd
Registrant Street: Technopark Campus, Trivandrum
Registrant City: Trivandrum
Registrant State/Province: Kerala
Registrant Postal Code: 695581
Registrant Country: IN
Registrant Phone: +91.8129291097
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: mail[at]exinary.com

Notice the country code IN (India). On the other hand, doing a WhoIs on the IP address results in:

OrgName: Hosting Solutions International, Inc.
OrgId: SERVE-6
Address: 210 North Tucker Blvd.
Address: Suite 910
City: Saint Louis
StateProv: MO
PostalCode: 63101
Country: US

Even the casual observer would question why one of the high-tech companies in the Technopark in India would use a St Louis, MO hosting service. So, dropping back to the server in 'BAY004' for Hotmail, we end up with Microsoft as a place to send the spam report. QED
InvisiBill Posted January 5, 2016

I would suggest re-adding mailhosts for your email address at https://www.spamcop.net/mcgi?action=mhedit. Microsoft has a lot of mail servers involved with their stuff, and I'm thinking your SpamCop settings might not be up to date. I have accounts at Hotmail and protected by Microsoft's cloud filtering service, so when I look at your tracking URL, it shows the MS IPs as verified and actually targets the last IP as the source of the spam.

Parsing header:
host 2a01:111:f400:7e46:0:0:0:208 = mail-bl2nam02lp0208.outbound.protection.outlook.com (cached)
mail-bl2nam02lp0208.outbound.protection.outlook.com is 2a01:111:f400:7e46:0:0:0:208
0: Received: from SN1PR19MB0445.namprd19.prod.outlook.com (10.163.228.23) by CY1PR19MB0444.namprd19.prod.outlook.com (10.164.0.15) with Microsoft SMTP Server (TLS) id 15.1.361.13 via Mailbox Transport; Wed, 23 Dec 2015 11:25:21 +0000
Internal handoff at Hotmail/MSN
1: Received: from BY1PR19CA0038.namprd19.prod.outlook.com (10.162.139.176) by SN1PR19MB0445.namprd19.prod.outlook.com (10.163.228.23) with Microsoft SMTP Server (TLS) id 15.1.361.13; Wed, 23 Dec 2015 11:25:21 +0000
Internal handoff at Hotmail/MSN
2: Received: from BL2NAM02FT006.eop-nam02.prod.protection.outlook.com (2a01:111:f400:7e46::208) by BY1PR19CA0038.outlook.office365.com (2a01:111:e400:51a3::48) with Microsoft SMTP Server (TLS) id 15.1.361.13 via Frontend Transport; Wed, 23 Dec 2015 11:25:20 +0000
Hostname verified: mail-bl2nam02lp0208.outbound.protection.outlook.com
Hotmail/MSN received mail from Hotmail/MSN ( 2a01:111:f400:7e46:0:0:0:208 )
3: Received: from BAY004-MC5F5.hotmail.com (10.152.76.55) by BL2NAM02FT006.mail.protection.outlook.com (10.152.76.239) with Microsoft SMTP Server (TLS) id 15.1.355.15 via Frontend Transport; Wed, 23 Dec 2015 11:25:19 +0000
Internal handoff at Hotmail/MSN
4: Received: from ded1.exinary.com ([199.217.119.143]) by BAY004-MC5F5.hotmail.com with Microsoft SMTPSVC(7.5.7601.23143); Wed, 23 Dec 2015 03:25:18 -0800
Hostname verified: ded1.exinary.com
Hotmail/MSN received mail from sending system 199.217.119.143

Tracking message source: 199.217.119.143:
Routing details for 199.217.119.143
Cached whois for 199.217.119.143 : abuse[at]hostingsolutionsinternational.com
Using abuse net on abuse[at]hostingsolutionsinternational.com
abuse net hostingsolutionsinternational.com = postmaster[at]hostingsolutionsinternational.com, abuse[at]hostingsolutionsinternational.com
Using best contacts postmaster[at]hostingsolutionsinternational.com abuse[at]hostingsolutionsinternational.com

Sorry, this email is too old to file a spam report. You must report spam within 2 days of receipt.
This mail was received on Wed, 23 Dec 2015 03:25:18 -0800
Message is 12.6 days old
199.217.119.143 not listed in cbl.abuseat.org
199.217.119.143 not listed in dnsbl.sorbs.net
199.217.119.143 not listed in accredit.habeas.com
199.217.119.143 not listed in plus.bondedsender.org
199.217.119.143 not listed in iadb.isipp.com

I'm not sure if it's better or worse, but my config points to the IP that connected to Hotmail to send the spam, rather than reporting it to Hotmail itself. I don't know if the ISP is going to do anything about the IP sending spam through Hotmail, or how vigilant Hotmail is about removing spammers, so I don't know which method of reporting would be more effective.
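The top-down walk that Lking and InvisiBill describe, written out as an added example; this is not code from the thread and not SpamCop's own parser. It takes the Received chain quoted above (embedded here as constructed sample input), treats lines written by the recipient's own mail provider as trusted, and reports the first outside address one of those servers accepted mail from. The MS_MAILHOSTS set, the find_source function and its no-mailhosts fallback (first publicly routable sending address) are my assumptions about how such a parser behaves; SpamCop's real rules are not on this page.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample input: the Received chain quoted earlier in this thread,
# in header order (top line = last hop, nearest the mailbox; bottom = first hop).
SAMPLE_HEADERS = """\
Received: from SN1PR19MB0445.namprd19.prod.outlook.com (10.163.228.23) by CY1PR19MB0444.namprd19.prod.outlook.com (10.164.0.15) with Microsoft SMTP Server (TLS) id 15.1.361.13 via Mailbox Transport; Wed, 23 Dec 2015 11:25:21 +0000
Received: from BY1PR19CA0038.namprd19.prod.outlook.com (10.162.139.176) by SN1PR19MB0445.namprd19.prod.outlook.com (10.163.228.23) with Microsoft SMTP Server (TLS) id 15.1.361.13; Wed, 23 Dec 2015 11:25:21 +0000
Received: from BL2NAM02FT006.eop-nam02.prod.protection.outlook.com (2a01:111:f400:7e46::208) by BY1PR19CA0038.outlook.office365.com (2a01:111:e400:51a3::48) with Microsoft SMTP Server (TLS) id 15.1.361.13 via Frontend Transport; Wed, 23 Dec 2015 11:25:20 +0000
Received: from BAY004-MC5F5.hotmail.com (10.152.76.55) by BL2NAM02FT006.mail.protection.outlook.com (10.152.76.239) with Microsoft SMTP Server (TLS) id 15.1.355.15 via Frontend Transport; Wed, 23 Dec 2015 11:25:19 +0000
Received: from ded1.exinary.com ([199.217.119.143]) by BAY004-MC5F5.hotmail.com with Microsoft SMTPSVC(7.5.7601.23143); Wed, 23 Dec 2015 03:25:18 -0800
From: Google Reminder <guama[at]sunmed.com>
"""

# Hypothetical "mailhosts" configuration (an assumption for this example):
# domains whose servers handle the recipient's mail. A Received line written
# *by* one of these hosts is trusted; everything below the first line written
# by anyone else is just a claim made by a stranger and may be forged.
MS_MAILHOSTS = {"outlook.com", "office365.com", "hotmail.com"}

HOP_RE = re.compile(
    r"^Received:\s+from\s+(?P<from_host>\S+)\s+\((?P<from_paren>[^)]*)\)\s+by\s+(?P<by_host>\S+)",
    re.IGNORECASE,
)


@dataclass
class Hop:
    from_host: str             # host name the sender announced (forgeable)
    from_ip: Optional[IPAddr]  # address the receiving server observed
    by_host: str               # server that wrote this Received line


def first_ip(text: str) -> Optional[IPAddr]:
    """Return the first token in text that parses as an IPv4 or IPv6 address."""
    for tok in re.findall(r"[0-9A-Fa-f:.]+", text):
        try:
            return ipaddress.ip_address(tok)
        except ValueError:
            continue
    return None


def parse_received(raw: str) -> list[Hop]:
    """Extract (from host, from IP, by host) from each Received line, top-down."""
    hops = []
    for line in raw.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append(Hop(m["from_host"].lower(), first_ip(m["from_paren"]), m["by_host"].lower()))
    return hops


def in_mailhosts(host: str, mailhosts: set[str]) -> bool:
    return any(host == d or host.endswith("." + d) for d in mailhosts)


def find_source(hops: list[Hop], mailhosts: set[str]) -> Optional[str]:
    """Walk the chain from the mailbox outward and return the IP to report.

    With mailhosts configured: skip internal handoffs (from and by both ours)
    and stop at the first hop where one of our servers accepted mail from an
    outside address. Give up (None) at the first line that claims to be written
    by a host we do not own, since nothing below it can be trusted.
    Without mailhosts (assumed fallback): internal and external hops cannot be
    told apart, so take the first publicly routable sending address. For this
    chain that is Microsoft's own edge host, which is what the original poster saw.
    """
    for hop in hops:
        if not mailhosts:
            if hop.from_ip is not None and hop.from_ip.is_global:
                return str(hop.from_ip)
            continue
        if not in_mailhosts(hop.by_host, mailhosts):
            return None
        if in_mailhosts(hop.from_host, mailhosts):
            continue  # internal handoff within the provider
        return str(hop.from_ip) if hop.from_ip is not None else None
    return None


if __name__ == "__main__":
    chain = parse_received(SAMPLE_HEADERS)
    print("mailhosts configured:", find_source(chain, MS_MAILHOSTS))  # 199.217.119.143
    print("no mailhosts:        ", find_source(chain, set()))         # 2a01:111:f400:7e46::208
```

Note that the walk trusts the bracketed IP only because the line containing it was written by a hotmail.com server; the "ded1.exinary.com" name next to it is whatever the sender put in its HELO and proves nothing, which is why the WHOIS lookups in the thread go against the IP rather than the name.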
MyNameHere Posted January 5, 2016

I would suggest re-adding mailhosts for your email address at https://www.spamcop.net/mcgi?action=mhedit. Microsoft has a lot of mail servers involved with their stuff, and I'm thinking your SpamCop settings might not be up to date. I have accounts at Hotmail and protected by Microsoft's cloud filtering service, so when I look at your tracking URL, it shows the MS IPs as verified and actually targets the last IP as the source of the spam. [snip]

Yep, I think you're psychic. Just this morning I went to the mailhosts and found that nothing was set up. I thought I had done that, but I did it again, and now it's finding non-Microsoft sources for most of my spam emails. Thanks!