RadicalDad, posted February 16, 2017

Sometime about a year ago, I complained on these forums that Spamcop has become all but useless when using Outlook on an Exchange server. The spam report ALWAYS comes back pointing to my own email server, even when a cursory look shows the obvious source of the spam. I've all but stopped reporting on Spamcop for this reason.

Someone suggested on that ancient thread that I post a sample for folks to look at. OK, here one is. Note also that Spamcop also misses the bogus hyperlink ("Click here!"), not doing any reporting at all on the bogus web host.

Are the lights still on here?

Message header:

Received: from MBX01D-ORD1.mex09.mlsrvr.com (172.29.128.27) by MBX01A-IAD3.mex09.mlsrvr.com (172.29.64.20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.544.27 via Mailbox Transport; Wed, 15 Feb 2017 20:56:00 -0500
Received: from MBX05C-ORD1.mex09.mlsrvr.com (172.29.128.24) by MBX01D-ORD1.mex09.mlsrvr.com (172.29.128.27) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.544.27; Wed, 15 Feb 2017 19:56:00 -0600
Received: from gate.forward.smtp.iad3a.emailsrvr.com (204.232.172.40) by MBX05C-ORD1.mex09.mlsrvr.com (172.29.128.24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.544.27 via Frontend Transport; Wed, 15 Feb 2017 19:55:59 -0600
Return-Path: liysc25@nottingham.ac.uk
X-spam-Threshold: 95
X-spam-Score: 0
X-spam-Flag: NO
X-Virus-Scanned: OK
X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-13735-c
X-CMAE-Scan-Result: 0
X-CNFS-Analysis: v=2.2 cv=QPAqfUDL c=1 sm=1 tr=0 a=wMuiOM+aJX97FqABAv1gmw==:117 a=wMuiOM+aJX97FqABAv1gmw==:17 a=n2v9WMKugxEA:10 a=KXl77lDgDEgIEtoqJYcA:9 a=jMgyydZaAAAA:8 a=TMeMXT5H6L7W2mJr2DcA:9 a=wPNLvfGTeEIA:10 a=zOPv43MEAAAA:8 a=jt-rlJBq7EhYDvrx:21 a=_W_S_7VecoQA:10 a=H_FcBddkztAA:10 a=-FEs8UIgK8oA:10 a=NWVoK91CQyQA:10 a=sRwWbsoZOIyncXQJl99K:22 a=jKBK-nmJ8lQYDYSZPBHD:22
X-Orig-To: XXX
X-Originating-Ip: [128.243.43.129]
Authentication-Results: smtp27.gate.iad3a.rsapps.net; iprev=pass policy.iprev="128.243.43.129"; spf=pass smtp.mailfrom="liysc25@nottingham.ac.uk" smtp.helo="uidappmx06.nottingham.ac.uk"; dkim=none (message not signed) header.d=none
X-Classification-ID: 0fa97262-f3eb-11e6-9265-782bcb33f754-1-1
Received: from [128.243.43.129] ([128.243.43.129:52055] helo=uidappmx06.nottingham.ac.uk) by smtp27.gate.iad3a.rsapps.net (envelope-from <liysc25@nottingham.ac.uk>) (ecelerity 4.2.1.56364 r(Core:4.2.1.14)) with ESMTP id F6/CD-22337-EA605A85; Wed, 15 Feb 2017 20:55:59 -0500
Received: from uidappmx06.nottingham.ac.uk (localhost.localdomain [127.0.0.1]) by localhost (Email Security Appliance) with SMTP id 752592DF798_8A506AEB for <XXX>; Thu, 16 Feb 2017 01:55:58 +0000 (GMT)
Received: from smtp4.nottingham.ac.uk (smtp4.nottingham.ac.uk [128.243.220.65]) by uidappmx06.nottingham.ac.uk (Sophos Email Appliance) with ESMTP id 603AD2D2135_8A506AEF for <XXX>; Thu, 16 Feb 2017 01:55:58 +0000 (GMT)
Received: from [130.65.254.18] (helo=DESKTOP-55DHA5K.sjsu.edu) by smtp4.nottingham.ac.uk with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.85) (envelope-from <liysc25@nottingham.ac.uk>) id 1ceBFz-0002mF-Az for XXX; Thu, 16 Feb 2017 01:53:16 +0000
Content-Type: multipart/alternative; boundary="===============1385527312=="
MIME-Version: 1.0
Subject: A document folder is shared with you!
To: <XXX{AT}blk-ink.com>
From: " '' Dropbox Support '' " <XXX{AT}dropbox3665.com>
Date: Wed, 15 Feb 2017 17:53:12 -0800
Message-ID: <E1ceBFz-0002mF-Az@smtp4.nottingham.ac.uk>
Sender: <liysc25@nottingham.ac.uk>
X-MS-Exchange-Organization-Network-Message-Id: d19fd38f-f441-4628-3ea4-08d4560ef49e
X-MS-Exchange-Organization-AVStamp-Mailbox: SMEXyGDz;1322100;0;This mail has been scanned by Trend Micro ScanMail for Microsoft Exchange;
X-MS-Exchange-Organization-SCL: 0
X-MS-Exchange-Organization-AuthSource: MBX05C-ORD1.mex09.mlsrvr.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Transport-EndToEndLatency: 00:00:01.0240672

Message body:

Hello,
Someone shared a folder with you on Dropbox.
Click here to view documents.
Dropbox Support.
Happy sharing!
NB: This message is sent to XXX

C2H5OH, posted February 16, 2017

Have you looked at the second pinned topic "Outlook received header problem" in the list above? Outlook now routinely rearranges the header lines when forwarding, so if you are running Outlook you *may not* forward your spams as an attachment for processing. Does this apply to your situation?

If not - have you registered your mailhosts?

Also, is that bmorris address live? If so you'd be advised not to advertise it. I'd have edited it out for you if I knew how to do that...

HTH

(Edited February 16, 2017 by C2H5OH: corrected typo)

Lking, posted February 16, 2017

Edited the OP in this thread to remove references to bmorris{AT} addresses as "our drinking friend" suggested. You forgot to do this as you did last time.

This is a prime example for why a Tracking URL is the way to reference an example of spam. That would also let the rest of us see what the SpamCop parser did with the example.

9 hours ago, RadicalDad said:
> Note also that Spamcop also misses the bogus hyperlink ("Click here!"),

has no meaning not seeing the results of the processing.

RadicalDad, posted February 16, 2017

Thanks everyone. I was thinking someone would put the headers and body through the parser themselves. That is also why I left my original email address intact - thought the parser might need it. (I also thought about munging the address, but that address has been harvested many times by spammers, so I wasn't too worried. Still, removal by Lking is appreciated.)

Here is the parser tracking URL: https://www.spamcop.net/sc?id=z6357239923z2f559431f437c6b4b950f1c320499087z

The "click here" hyperlink is not retained by Spamcop when using the "view entire message" link from the parser. Failing to process these hyperlinks is a problem in addition to Spamcop always pointing at my mail host as the culprit.

The "click here" URL is http;⁄⁄winnermistak,xyz⁄ppdpureoffice99888/index.php?userid=xxx@xxx.com (email address munged). Provided here for reference. I don't suggest anyone click on this.

Lking, posted February 16, 2017

Of course no one else can process your spam and get anything but an error message. For example, if I submitted your spam none of the headers would match my mailhost settings so the parser would just throw the example out.

Don't know why SC dropped the link in the text except as part of clearing your email, which would have been sent as a parameter in the link. But you are correct, winnermistak.xyz surely is not a Dropbox link.

When the parser goes down the sequence of Received: header entries, two internal IPs are found first (172.16.0.0/12) followed by a break in the chain, so nothing usable. The link in the body would have been a low level priority even if it had not been lost.

Notice I broke that link in your last post. I wouldn't want an unknown link laying around for someone to click on in ignorance.

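Added example (not part of the thread, and not SpamCop's parser code): a simplified Python model of the top-down Received: walk described in the post above, run over hops abridged from the first post's headers. The trusted-domain sets stand in for registered mailhosts and are assumptions, as are all function names.

```python
import ipaddress
import re
from typing import Iterable, NamedTuple, Optional, Tuple

# Received: values abridged from the headers in the first post, newest hop first.
RECEIVED = [
    "from MBX01D-ORD1.mex09.mlsrvr.com (172.29.128.27) by "
    "MBX01A-IAD3.mex09.mlsrvr.com (172.29.64.20) with Microsoft SMTP Server",
    "from MBX05C-ORD1.mex09.mlsrvr.com (172.29.128.24) by "
    "MBX01D-ORD1.mex09.mlsrvr.com (172.29.128.27) with Microsoft SMTP Server",
    "from gate.forward.smtp.iad3a.emailsrvr.com (204.232.172.40) by "
    "MBX05C-ORD1.mex09.mlsrvr.com (172.29.128.24) with Microsoft SMTP Server",
    "from [128.243.43.129] ([128.243.43.129:52055] "
    "helo=uidappmx06.nottingham.ac.uk) by smtp27.gate.iad3a.rsapps.net "
    "(envelope-from <liysc25@nottingham.ac.uk>) with ESMTP",
    "from smtp4.nottingham.ac.uk (smtp4.nottingham.ac.uk [128.243.220.65]) by "
    "uidappmx06.nottingham.ac.uk (Sophos Email Appliance) with ESMTP",
]


class Hop(NamedTuple):
    from_host: str          # name the sending side claimed (HELO or hostname)
    from_ip: Optional[str]  # address the receiving server recorded
    by_host: str            # server that wrote this Received: line


HOP_RE = re.compile(r"^from\s+(\S+)\s+(.*?)\s*\bby\s+(\S+)", re.S)
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
HELO_RE = re.compile(r"helo=([^\s)]+)")


def parse_hop(value: str) -> Optional[Hop]:
    """Split one Received: value into sender name, sender IP and receiver."""
    m = HOP_RE.match(value.strip())
    if not m:
        return None  # e.g. a header with no from-clause
    sender = m.group(1) + " " + m.group(2)
    helo = HELO_RE.search(sender)
    ip = IPV4_RE.search(sender)
    host = helo.group(1) if helo else m.group(1).strip("[]")
    return Hop(host, ip.group(0) if ip else None, m.group(3))


def is_trusted(host: str, trusted_domains: Iterable[str]) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def is_internal(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip).is_private  # covers 172.16.0.0/12
    except ValueError:
        return False


def trace_source(received, trusted_domains) -> Tuple[Optional[str], str]:
    """Walk hops newest-first; believe a hop only if its writer is trusted."""
    last_own_relay = None
    for value in received:
        hop = parse_hop(value)
        if hop is None:
            continue
        if not is_trusted(hop.by_host, trusted_domains):
            # Header written by an unknown server: it could be forged, so stop.
            return last_own_relay, "chain break at " + hop.by_host
        if hop.from_ip is None or is_internal(hop.from_ip):
            continue  # internal hand-off, carries no reportable address
        if is_trusted(hop.from_host, trusted_domains):
            last_own_relay = hop.from_ip  # reporter's own public relay
            continue
        return hop.from_ip, "handed over by " + hop.from_host
    return last_own_relay, "end of headers"


if __name__ == "__main__":
    for domains in ({"mlsrvr.com"},
                    {"mlsrvr.com", "emailsrvr.com"},
                    {"mlsrvr.com", "emailsrvr.com", "rsapps.net"}):
        print(sorted(domains), "->", trace_source(RECEIVED, domains))
```

With an incomplete trusted set the walk ends on 204.232.172.40, the reporter's own provider; only when every relay of the provider is trusted does it reach 128.243.43.129.
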
RadicalDad, posted February 16, 2017

What I am noticing is that Spamcop doesn't work at all for me anymore. Wondering if all my headers have a break in the chain now so that nothing will ever be usable for Spamcop again. I currently use Outlook 2016 with an Exchange 2016 host. Have others reported this as a problem? I use the "Outlook/Eudora" work-around submission form (well, it used to be called that) via web browser (in answer to the question by C2H5OH).

Appreciate you breaking the spammy link. Good idea. As above, the Spamcop parser doesn't seem to catch any of those for me now.

Is there any way to fix this? Spam filtering by my mail host is very good these days, so I only submit stuff to Spamcop that is extra slimy and got through my filter, in hopes it makes it to the Spamcop RBL and will be blocked for others. If that isn't the way things work, then there probably isn't a reason for me to keep using Spamcop at all.

Lking, posted February 16, 2017

Doing a search on "Outlook" I see problems going back to 2004. With OL messing with the header before you can get/forward it there is no fix farther down stream (towards SC). A quick look at the history leads me to believe that what OL does with the header has changed over time, so a "fix" would also have to be dynamic. That is not a workable situation. Which is too bad for your reporting.

Have you looked at the possibility of using something like Thunderbird for your email? I have used it 'for ever' without problem. There also is an addon to help with reporting (to SpamCop and others).

C2H5OH, posted February 16, 2017

RadicalDad is using the web form to report, so the Outlook forwarding problem isn't the culprit in this case. Maybe a re-learn of Mailhosts might fix this. Is it possible the OP's mail/Internet provider has added new servers and routes?

lisati, posted February 16, 2017

51 minutes ago, Lking said:
> A quick look at the history leads me to believe that what OL does with the header has changed over time, so a "fix" would also have to be dynamic. That is not a workable situation. Which is to bad for your reporting.

Agreed, it's a pain. It's one of those things that seem to be sent to trip us up when using automated tools to assist the reporting process.

Display Name, posted November 8, 2018

I'm experiencing a similar problem. Since I switched my email provider to Microsoft Exchange several months ago, SpamCop doesn't work properly. Reported spam comes back as if I sent it or Hotmail. I've updated the Mailhost 2-3 times with no success. Below are Internet Headers from spam received today, and the unfiled SpamCop report.

https://www.spamcop.net/sc?id=z6499008424z8acc0ee596f8bbfb989f4627aa15b9f7z

Received: from DM5PR19MB1033.namprd19.prod.outlook.com (2603:10b6:3:ef::17) by DM5PR19MB1034.namprd19.prod.outlook.com with HTTPS via DM5PR04CA0055.NAMPRD04.PROD.OUTLOOK.COM; Thu, 8 Nov 2018 14:05:18 +0000
Received: from DM5PR19CA0037.namprd19.prod.outlook.com (2603:10b6:3:9a::23) by DM5PR19MB1033.namprd19.prod.outlook.com (2603:10b6:3:33::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1294.31; Thu, 8 Nov 2018 14:05:16 +0000
Received: from BY2NAM05FT008.eop-nam05.prod.protection.outlook.com (2a01:111:f400:7e52::204) by DM5PR19CA0037.outlook.office365.com (2603:10b6:3:9a::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1294.21 via Frontend Transport; Thu, 8 Nov 2018 14:05:16 +0000
Authentication-Results: spf=pass (sender IP is 135.84.83.8) smtp.mailfrom=zcsend.net; kiklisre.com; dkim=pass (signature was verified) header.d=ultimatelistingmachine.com;kiklisre.com; dmarc=pass action=none header.from=ultimatelistingmachine.com;compauth=pass reason=100
Received-SPF: Pass (protection.outlook.com: domain of zcsend.net designates 135.84.83.8 as permitted sender) receiver=protection.outlook.com; client-ip=135.84.83.8; helo=senderb8.zcsend.net;
Received: from senderb8.zcsend.net (135.84.83.8) by BY2NAM05FT008.mail.protection.outlook.com (10.152.100.145) with Microsoft SMTP Server id 15.20.1339.3 via Frontend Transport; Thu, 8 Nov 2018 14:05:15 +0000
Received: from [172.30.235.251] (172.30.235.251) by senderb8.zcsend.net id hsh19o2b20gn for <mark@kiklisre.com>; Thu, 8 Nov 2018 06:05:15 -0800 (envelope-from <bounce_635269412+a.165f4add1e682b7_11699e4bfba2da7_v2@zcsend.net>)
DKIM-Signature: a=rsa-sha1; b=FEGnleuA/BlVlftK+xVwUU2QP32V64woG3SPBMDpaRRAuVw9fzWgP4CeT5mVBQlhTsW+PzodugISYyJFQlc2YhLjHBT39b6Xv9CYRi7YE8A+8I5qBYcRDnJCBALG3XCxtHUcTPR6DYFK2Ecdx+dT15LPGoj6Sih0+2BQR/ytl2g=; c=simple/simple; s=13148; d=ultimatelistingmachine.com; v=1; bh=pqngKF5vK8W1XhRKZvBKzI5L0sA=; h=date:from:reply-to:to:message-id:subject:mime-version:content-type;
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=13148; d=ultimatelistingmachine.com; h=date:from:reply-to:to:message-id:subject:content-type; b=BvPQENsYc4aO5jgKvwJbuEMu2HIBD4XKt3D2ssbJo9RJpI3EmwV0s7aez6IDPy7zlzhyoy5ENcn1 UzhPLAFGCN3S8yrO+G18G7DL/wSaTnw46IF1+V8iXKacVJJlsLRYlKfqb4ZrOuw3u3RJI5G87TwP pQlca+BJJzS6UdrtzzU=
Date: Thu, 8 Nov 2018 06:05:15 -0800 (PST)
From: "Isaiah Colton" <info@ultimatelistingmachine.com>
Reply-To: info@ultimatelistingmachine.com
To: Mark Kiklis <mark@kiklisre.com>
Message-ID: <zcb.2d5a885a69b60a9729d9bcc50ca93989a1185630859ca1fd0.165f4add1e682b7.1541685915027@zcsend.net>
Subject: =?UTF-8?B?SXQncyBub3QgdG9vIGxhdGUsIHRoZXJl4oCZ?= =?UTF-8?B?cyBzdGlsbCB0aW1lIHRvIHJlZ2lzdGVyIQ==?=
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_444254_618844940.1541685915026"
X-JID: 2d5a885a69b60a9729d9bcc50ca93989a1185630859ca1fd0.165f4add1c014e9
X-campaignid: zohocampaigns.2d5a885a69b60a9729d9bcc50ca93989a1185630859ca1fd0.zcb.165f4add1e682b7.11699e4bfba2da7
X-Zoho-RID: zohocampaigns.2d5a885a69b60a9729d9bcc50ca93989a1185630859ca1fd0.zcb.165f4add1e682b7.11699e4bfba2da7
X-Mailer: Zoho Campaigns
List-Unsubscribe: <https://zcs1.maillist-manage.com/ua/optout?od=2d5a885a69b60a9729d9bcc50ca93989a1185630859ca1fd0&rd=165f4add1e682b7&sd=165f4add1e40741&n=11699e4bfba2da7>,<mailto:leave_635269412+165f4add1e682b7_165f4add1e40741@zcsend.net>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
X-Report-Abuse: <Please send a copy of this message along with header to abuse+2d5a885a69b60a9729d9bcc50ca93989a1185630859ca1fd0_zcb_165f4add1e682b7@zohocampaigns.com>, <https://zcs1.maillist-manage.com/campaigns/ReportAbuse.zc?od=2d5a885a69b60a9729d9bcc50ca93989a1185630859ca1fd0&rd=165f4add1e682b7&sd=165f4add1e40741&n=11699e4bfba2da7>
Return-Path: bounce_635269412+a.165f4add1e682b7_11699e4bfba2da7_v2@zcsend.net
X-MS-Exchange-Organization-ExpirationStartTime: 08 Nov 2018 14:05:16.0799 (UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 2:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id: 5f61450b-60c6-4f7b-6a52-08d64583358a
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 128da5be-3c4b-4c18-b5c2-05fd27d74781:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-Forefront-Antispam-Report: CIP:135.84.83.8;IPV:NLI;CTRY:US;EFV:NLI;SFV:BLK;SFS:;DIR:INB;SFP:;SCL:6;SRVR:DM5PR19MB1033;H:senderb8.zcsend.net;FPR:;SPF:None;LANG:en;CAT:SPM;
X-Microsoft-Exchange-Diagnostics: 1;BY2NAM05FT008;1:Rv4bR45hDTUmb9SLNBmTDQBymeUX0adKYyQQuWocjKgV3hW/hdj7loV+N20CMRQTjXtizjXSX1CEr2YBQ6to/b+LdSdQZWSmv9E3CsGKYgYrBVHl/4bE64iAjdrSzHHE
X-MS-Exchange-Organization-AuthSource: BY2NAM05FT008.eop-nam05.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 5f61450b-60c6-4f7b-6a52-08d64583358a
X-Microsoft-Antispam: BCL:1;PCL:0;RULEID:(7020095)(4652040)(5600074)(711020)(4605076)(4608076)(4614076)(1401272)(8001031)(1421009)(1402068)(71702078);SRVR:DM5PR19MB1033;

MIG, posted November 11, 2018

Hi, Display Name, not sure if this will help, (someone here & maybe doco) suggested removing from the 1st [ Received: from DM5PR19MB1033.namprd19.prod.outlook.com (2603:10b6:3:ef::17) by DM5PR19MB1034.namprd19.prod.outlook.com with HTTPS via DM5PR04CA0055.NAMPRD04.PROD.OUTLOOK.COM; Thu, 8 Nov 2018 14:05:18 +0000] however, I notice the spam msg you're querying has 3 [Received: from etc]

I removed the first 2 [Received: from etc] & submitted to spamcop - https://www.spamcop.net/sc?id=z6499543863za669acef9883e3921fd95624a079faefz, if it was submitted within the timeframe it would have been directed to abuse@zohocorp.com

Display Name, posted November 11, 2018

Thank you, MIG. I'll give it a shot with my next report to SpamCop.

MIG, posted November 12, 2018

Let us know how it goes & just a little fyi, the SC Forum "Big Team" encourage us to not post full spam data in the forum, they prefer the link that's generated when a spam is processed, even if the parsing spits out errors, still post the link with whatever the issue is that's causing us to report/request help.

I think, from memory, filling up the forum with full spam source data hurts their eyes or maybe it's their scrolling finger gets tired

MIG, posted November 12, 2018

DN, here's the link where SC BIG team members give the real reasons for not posting spam full source data [ http://forum.spamcop.net/topic/27950-reporting-not-working-mainbody/ ], it's a good read

Display Name, posted November 12, 2018

MIG, your tip works. Thanks again.

MIG, posted November 12, 2018

Excellent DisplayName, thanks for posting. Not really my tip but I'll take acknowledgment

Rajasekar.svel, posted May 21, 2019

On 11/11/2018 at 10:09 AM, MIG said:
> Hi, Display Name, not sure if this will help, (someone here & maybe doco) suggested removing from the 1st [ Received: from DM5PR19MB1033.namprd19.prod.outlook.com (2603:10b6:3:ef::17) by DM5PR19MB1034.namprd19.prod.outlook.com with HTTPS via DM5PR04CA0055.NAMPRD04.PROD.OUTLOOK.COM; Thu, 8 Nov 2018 14:05:18 +0000] however, I notice the spam msg you're querying has 3 [Received: from etc] I removed the first 2 [Received: from etc] & submitted to spamcop - https://www.spamcop.net/sc?id=z6499543863za669acef9883e3921fd95624a079faefz, if it was submitted within the timeframe it would have been directed to abuse@zohocorp.com

This is from Zoho Abuse Monitoring Desk. We had taken action on the account who sent the email in 2 days of report from spamcop by warning and also unsubscribing you. Kindly let us know if you receive such complaints.

MIG, posted May 21, 2019

Hey Rajasekar.svel,

Without a working tracking URL it's a little difficult to offer commentary, however, are you posting that you've had a positive result from Zoho Abuse Monitoring Desk? In which case super! If I've misunderstood, please post a working SC tracking URL?

Also, just for accuracy, SCA advise: remove the 1st/first [ Received: etc to +0000]

It may well be that removing the top two [ Received: etc ] is also effective, but (imo) I don't think so, I'll test this method & post back.

Cheers! G🦗H

(Edited May 21, 2019 by MIG)

MIG, posted May 21, 2019

Well, there you go, just removed the top two [ Received: etc ] hops & the spam parsed just fine, so, G🦗H wrong, apologies Rajasekar.svel, your (remove first two [ Received: etc ]) method is correct. Removing (first one [ Received: etc ] ) also results in a true parse.

Cheers! G🦗H

(Edited May 21, 2019 by MIG)

RadicalDad, posted May 23, 2019

As the OP on this thread, which is now over two years old, I'm underwhelmed by the responses. To be clear, I'm appreciative of everyone who has responded, and respectful of the time and intellect expended by those who tried to find a way to make the parser work. However, at the end of the day, it is the Spamcop devs who need to fix this problem, and if they even exist anymore, they are nowhere to be found. They certainly aren't active on this forum. Indeed, it seems the lights were long ago turned off over there.

As for the advice to try removing the first Received line, that didn't work. I tried that, and also removing the first 2 Received lines, then the first 3 Received lines, and finally all lines which referenced my email host in any way. That last trick worked, with the parser properly recognizing that Sparkpost was the source of the email. But then Spamcop decided amazonaws was the correct reporting address and all reports for amazonaws are devnulled. Here is a link for anyone who wants to look.

https://www.spamcop.net/sc?id=z6549409030zca1b5ca2a3591ef1dad9030579e84550z

By the time I find and delete all the references to my mail host's server farm, especially when Spamcop incorrectly redirects the spam report and then devnulls it, I'm better off just complaining directly. Spamcop has become useless. No doubt Julian Haight is crying in his beer.

MIG, posted May 24, 2019

Hey RadicalDad,

Addressing: 34.216.216.33 "parser properly recognizing Sparkpost was the source of the email. But then Spamcop decided amazonaws was the correct reporting address"

https://www.talosintelligence.com/reputation_center/lookup?search=34.216.216.33

Cheers G🦗H

(Edited May 24, 2019 by MIG)