hank Posted May 6, 2016

Different trick for identifying the reporter -- this was mentioned previously -- putting the email name into the text/HTML of the spam, which escapes SpamCop's munging. Here I've saved the report and Tracking ID:
https://www.spamcop.net/sc?id=z6236844858z3d5106ac10e29667b71893b01da1f0c8z

________________
EXAMPLE FOLLOWS, this is the pattern:
----------------------------
Good evening hank,
As promised, I have attached the spreadsheet...

<p>Good evening hank,</p>
<p><br>As promised, I have att

hank Posted May 6, 2016

https://www.spamcop.net/sc?id=z6236973560z5b1aa3607bf05dd2af67a459dd3f3a38z
"From:" line contains userid after report is created (not submitted, not deleted)

Anyone know how long I should keep the unreported spam available by tracking number? It can't be reported after 3 days, and there's no easy way I can find to decide which unreported spam to delete. But I don't want to delete it all until I know the deputies or whoever has actually gotten use out of looking at it.

hank Posted May 7, 2016

Another with "From:" line not munged:
TRACKING URL: https://www.spamcop.net/sc?id=z6237064356z900c263bc2e1fe6bfe7992bf4871b953z
(not submitted, not deleted)

Anyone know how long I should keep the unreported spam available by tracking number?

hank Posted May 9, 2016

Here's another way of identifying the reporter:
https://www.spamcop.net/sc?id=z6237493931zb2546593e3d0470be63b34986e96ac31z
report not submitted and not deleted, left for SpamCop to look at

Quote
[ Offending message ]
Return-Path: <sender-hank=spamcop.net[at]heritagemails.com>

hank Posted May 10, 2016

Another:
https://www.spamcop.net/sc?id=z6237603177z70d07f74084ed6b6861539b4d5ee245ez

hank Posted May 10, 2016

Here's one where the SpamCop report munged one email and left the other readable. As usual not reported, not cancelled, tracking ID left for whoever is looking into this. And please if anyone is, let me know when someone DID look so I can delete the unreported spam as it's building up.
https://www.spamcop.net/sc?id=z6237794345z48e0a86c6d732b15a00973a6b762fe70z

ORIGINAL:
a href=3D"http://www.yu333.us/unsubscribe.php?remove=3Dhank[at]s=
pamcop.net">Click here</a> to unsubscribe from future mailings.</div><a hre=
f=3D"http://www.yu333.us/spam-notification.php?report=3Dhank[at]spamcop.net">C=
lick here to report this email</a></center>

REPORT DRAFT:
<a href=3D"http://www.yu333.us/unsubscribe.php?remove=3Dhank[at]s=
pamcop.net">Click here</a> to unsubscribe from future mailings.</div><a hre=
f=3D"http://www.yu333.us/spam-notification.php?report=3Dx">C=
lick here to report this email</a></center>

hank Posted May 10, 2016

"From" header line not munged in this one:
TRACKING URL: https://www.spamcop.net/sc?id=z6237796498zf44272e75b854643348d4e40558c666dz

hank Posted May 10, 2016

Hm, how long has SpamCop been sending spammers my (fixed) IP address in reports? One more thing to look for and delete manually, I just noticed it's included in the report:
https://www.spamcop.net/sc?id=z6237797426z1f52d394025a5d6f6bc40e906872f878z

Hello? They didn't have my IP number before SpamCop inserted it. This is really wrong. I've changed some numerals to "n" in the quote:

Quote
(Recipient:abuse[at]vnn.vn)
Received: from [7n.1nn.5n.nnn] by spamcop.net with HTTP; Tue, 10 May 2016 15:02:21 GMT
From: "hr" <preview[at]reports.spamcop.net>

You might as well send them my name and address.

hank Posted May 10, 2016

Well dang. I can't even edit that IP address OUT because it's not in the material I submit. It's added by the report editor. I'm done reporting for now, I've given the spammers enough free help.

Please, SpamCop person whoever you are, if you read this, email me when this is fixed. You know how to reach me.

hank Posted May 10, 2016

grumble. Ok, my ISP can somewhat hide my IP address details, so it only points to them. I'll keep reporting.

Lking Posted May 11, 2016

Things may have changed.

Quote
If you don't want to hear from me again, please [let me know](http://infinite-stream-5194.herokuapp.com/optout?m=mmm_0rWd57&email=x).![](http

This quote was from down in the body of the spam. Note that at the end where "email=x" was changed from my email. Tracking URL for the full spam.

It has taken a while for me to get an example with my email down in the body. I do not forward my email so don't have an example where there is something like myemail[at]domain forwarded to different_email[at]domain2 and needing to have both emails munged.

michaelanglo Posted May 11, 2016

On 06/05/2016 at 1:41 AM, hank said:
Another with the "From:" line not munged. Report left unsent and not cancelled
https://www.spamcop.net/sc?id=z6236417442zde669a800ba4e5cebe115aa6e3c42803z

Same for me. The "To:" line is munged, the "From:" line isn't
https://www.spamcop.net/sc?id=z6238600290z8a3ceb605e34f0f96f792cf993fa0922z

This is bad because To=From is common in spam

hank Posted May 11, 2016

Latest workaround spammers are using to identify reporter -- last few days, dozen or so of these -- putting the userid in the text after the word "hello" and the reports sent include that unless it's manually munged (they know the ISP (spamcop.net, always)).

I've substituted "xyz" for the userid here:

-----quote----
hello xyz

Attached please find the bills report for your review

Thank you.

Regards,
Elsie Dillard

--b2_e8ef25037e5946057173021e051ecfa5
Content-Type: text/html; charset = "iso-8859-1"
Content-Transfer-Encoding: 8bit

<html>
<body>
<p>hello xyz</p>
-----end quote-----

hank Posted May 13, 2016

Does anyone know if the bug reports submitted are readable by us ordinary users? Any way to know if they do or don't need further information about spam that fits patterns revealing the reporter email?

Another that doesn't mung the "From:" line with "From:" and "To:" exactly the same and both using spamcop.net address:
https://www.spamcop.net/sc?id=z6239248459z8b6d5e3fc80574051dbe0c0f85073f3dz

Lking Posted May 13, 2016

No, bug reports are not readable by ordinary users, or spammers who could use the information to get around the system or know if their "new" trick is working.

If the software team needs more information, they will ask, I am sure.

hank Posted May 13, 2016

Another way of hiding the reporter's name -- use an equals sign instead of [at] in the address. This survives automatic report generation:

[ Offending message ]
Return-Path: <bounce+e5f758.0c42fe-xyz=spamcop.net[at]vip6.unicef.org.uk>

hank Posted May 17, 2016

"From" line unchanged in this report:
TRACKING URL: https://www.spamcop.net/sc?id=z6240613257z1b288f3f6e873704121e1449d514780fz

here's what gets the name through (xyz replaces my userid in this post)

Content-type: text/html; charset=iso-8859-1
From: <xyz[at]spamcop.net>
X-Orthrus: tar=0 grey=no co=US os=//2 spf=pass dkim=none

hank Posted May 18, 2016

Another:
https://www.spamcop.net/sc?id=z6241035604z6be0c779a7578733fbc021a60947f30fz
has the userid "hank" visible in these three ways that survived the spam report:

...
for <x>; Wed, 18 May 2016 20:30:47 +0000 (UTC)
Received: by mail.hank.local (Postfix, from userid 47)
...
Message-Id: <2016_________________9191[at]mail.hank.local>

Hey hank,
I hope you're doing well. I've attached the latest draft of my proposal.

hank Posted May 21, 2016

Yet another trick, these lines put my SpamCop userid into text and into the filename of the attached malware. Those survived the standard report generation process. I didn't bother to save the unused report, just cancelled. Getting bored.

I've replaced my userid with zyx here:
_______________
Dear zyx,
Please find attached ...

Content-Disposition: attachment; filename="zyx_copies_024E63B6.zip"

hank Posted May 23, 2016

Another spam that persists in reporting the reporter ID; This is spam that was sent to my userid[at]spamcop.net
https://www.spamcop.net/sc?id=z6242871145z885a7f12b161ef2fbbe852769ec0092fz

Here's another like that -- this one with the header lines showing the problem

My userid is replaced with [xyz] in these lines, which survived the report creation process
https://www.spamcop.net/sc?id=z6242868586z13a46e7ee780e6f58c31f0f2dc667d8bz

Received: by mail.[xyz].local (Postfix, from userid 178)
    id 47CF35A70E; Mon, 23 May 2016 14:11:14 -0500
To: x
Subject: Re:
From: "Glenna Pittman" <PittmanGlenna60712[at]fixed-188-64-187-188-64-214.iusacell.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="------------61dfaf14bd74a877ee8ad9abc12c6411"
Message-Id: <2016_________________A70E[at]mail.[xyz].local>

hank Posted May 23, 2016

And another example (I put [xyz] in to replace my SpamCop email userid, which was in the "From:" line as it survived generation of the report)
https://www.spamcop.net/sc?id=z6242904508zd98b3e3be9b19503666f86c0ea797966z

I don't know if there's been a bug submitted on this problem, or if these posts are of any use figuring out how to fix the reporting system.

---------
Received: from 187.252.220.241.cable.dyn.cableonline.com.mx (unknown [187.252.220.241])
    by vmx5.spamcop.net (Postfix) with ESMTP id 23D3AAF548
    for <x>; Mon, 23 May 2016 23:16:15 +0000 (UTC)
Message-ID: <E513________________________E513[at]4VGEY91W>
From: <[xyz][at]spamcop.net>
To: <x>
Subject: want hot night?

hank Posted May 24, 2016

https://www.spamcop.net/sc?id=z6243273964z9d03e8cc30c1d427c36d8e4483f3f308z
shows spamcop userid persists through the report creation -- looks like the same old bug already reported but I can't be sure, so here's another

Spamcop userid replaced with xyz here:

<center><div><a href=3D"http://www.yu333.us/unsubscribe.php?remove=3Dxyz[at]s=
pamcop.net">Click here</a> to unsubscribe from future mailings.</div><a hre=
f=3D"http://www.yu333.us/spam-notification.php?report=3Dxyz[at]spamcop.net">C=
lick here to report this email</a></center>

hank Posted May 24, 2016

and another using the method of hiding the Spamcop userid in the text and the "mail local" line. xyz replaces my userid below -- report generator fails to catch this.
https://www.spamcop.net/sc?id=z6243293529zcbdb13fa286bd654d0b363a94e9bd77dz

    for <x>; Tue, 24 May 2016 05:57:58 -0700 (PDT)
Received: by mail.xyz.local (Postfix, from userid 725)
    id F3E45993A1; Tue, 24 May 2016 14:57:57 +0200
To: x
Subject: Re:
From: "Latoya Hurst" <HurstLatoya05712[at]oudomxay.info>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="------------d5ad171edbbcd3226f1e8a25f7a4e7c2"
Message-Id: <2016_________________93A1[at]mail.hank.local>
Date: Tue, 24 May 2016 14:57:57 +0200
X-Orthrus: tar=0 grey=no co=US os=//2 spf=neutral dkim=none

--------------d5ad171edbbcd3226f1e8a25f7a4e7c2
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit

Dear xyz,

hank Posted May 24, 2016

Another that sends the complainer's email out to the spammer (or whatever "gamut spam" means) puts the SpamCop userid into the "mail.local" line -- here replaced with xyz
https://www.spamcop.net/sc?id=z6243300541z8ef37e8167002ac2d1fdaff4cb1f3defz

hank Posted May 25, 2016

More and different header lines not obscuring the SpamCop userid used for reporting (which should be obfuscated)

my SpamCop userid replaced by [xyz] below:

Content-Type: application/octet-stream; name="weekly_[xyz].zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="weekly_[xyz].zip"

https://www.spamcop.net/sc?id=z6243876841z56561e6d8adf9678204e3946d6746192z
and
https://www.spamcop.net/sc?id=z6243877461zbde869030775463341aaf6a36bd109e6z

I'd sure like to know if anyone reading this can do anything with the information, or if it's just me here. Why bother? Tell me.

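Added example (not SpamCop's code and not posted by anyone in this thread): a pre-submission check a reporter could run over the raw message to list the places this thread shows the userid surviving, namely the plain address, the "userid=domain" Return-Path form, the mail.userid.local host name, attachment file names, greeting text, and an address split by a quoted-printable soft line break. The function names, the sample message and the mailer.example / spam.example hosts are constructed for illustration; "xyz" is the placeholder userid used in the posts above.

```python
import re

def normalize_qp(raw):
    """Undo quoted-printable soft line breaks ("=" at end of line) and the
    =3D / =40 escapes, so an address split across lines is whole again."""
    text = re.sub(r"=\r?\n", "", raw)
    return re.sub(r"=3D", "=", text, flags=re.I).replace("=40", "@")

def find_reporter_leaks(raw, userid, domain):
    """Return (kind, matched_text) for every spot where the reporter's
    identity is still readable, line by line."""
    u, d, at = re.escape(userid), re.escape(domain), r"(?:@|\[at\])"
    checks = [  # most specific first; each hit is masked before the next check
        ("address", rf"(?<![\w.+-]){u}{at}{d}"),
        ("verp-local-part", rf"{u}={d}{at}"),
        ("attachment-name", rf'name="[^"]*{u}[^"]*"'),
        ("hostname-label", rf"[\w-]*\.{u}\.[\w.-]+"),
        ("bare-word", rf"(?<![\w@.=]){u}(?![\w@.=\[])"),
    ]
    leaks = []
    for line in normalize_qp(raw).splitlines():
        for kind, pattern in checks:
            rx = re.compile(pattern, re.IGNORECASE)
            leaks += [(kind, m.group(0)) for m in rx.finditer(line)]
            line = rx.sub("\0", line)  # mask so a later check cannot recount it
    return leaks

# Constructed sample combining the patterns reported in the thread.
SAMPLE = (
    'Return-Path: <bounce+e5f758-xyz=spamcop.net@mailer.example>\n'
    'Received: by mail.xyz.local (Postfix, from userid 47)\n'
    'From: <xyz@spamcop.net>\n'
    'To: x\n'
    'Content-Disposition: attachment; filename="weekly_xyz.zip"\n'
    '\n'
    '<p>hello xyz</p>\n'
    '<a href=3D"http://spam.example/unsubscribe.php?remove=3Dxyz@s=\n'
    'pamcop.net">Click here</a>\n'
)

if __name__ == "__main__":
    for kind, text in find_reporter_leaks(SAMPLE, "xyz", "spamcop.net"):
        print(f"{kind:16} {text}")
```

A plain string search of the sample finds the address once; it appears a second time only after the soft line break is joined, which matches the report draft quoted on May 10 where one link was munged and the split one was not.
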
Archived
This topic is now archived and is closed to further replies.