Why does Spamcop want to report it to Google (see examples inside)?

[killj]

Quote

Delivered-To: 	x
Received: 	by 10.107.2.68 with SMTP id 65csp2186079ioc; Sat, 26 Aug 2017 04:18:16 -0700 (PDT)
X-Received: 	by 10.55.132.6 with SMTP id g6mr1926112qkd.300.1503746296803; Sat, 26 Aug 2017 04:18:16 -0700 (PDT)
ARC-Seal: 	i=1; a=rsa-sha256; t=1503746296; cv=none; d=google.com; s=arc-20160816; b=Zerq3X2n0hd0C5Od8hCJtyltjeSOWuMADHws6yJhu9KOwp0dTwrHXEqscYejlJNk/p j92TP5hOGfpuRdaTQaptRNVmcFuBRhmuDjzF1OmNEGM7KSE/OQiy/zkRsU2VwpvwOYtn Pnr/qXpFatvbY5wpiyx313aQrMsPSRNY2vZpCNqvoNlLRcciyjSW0+RMSDMdoieQedwt EGxR8KQCg0Mhj9CLfqikr/hb5/9BnH7ELWAfXYOYfGCHSN8jg4O41ZBgNP0foEGjovcM ISx9kGt3D09J5kqDE/6jVuDulNNvD1wWimoKMBuvaK14rQkdC+lum3AN0TlEMD+E17Ku cS0Q==
ARC-Message-Signature: 	i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=mime-version:subject:references:in-reply-to:message-id:to:from:date :dkim-signature:arc-authentication-results; bh=V+eP/Qj7VBVVh51vC0RQFx8L81CO68+kXGGZ4/gc+Y4=; b=xxna3qOAt1+YJFx9peHmgHUMNfmmyg684Y2t9skgxjcXnxNCzmnQ+IofieftlVlMFy E+1pWRCamd+yIniU8NCA4mWjXk8mV+DN7LevCHQI3BPqPz+Ua12WWalZY8QQ9FeVy9is hSE7r71Cq6xlk2fX3LDp3CgxEAl0zV4jQqN7DB/LuDgxsf+BsDZJQs5T8ThUZCYUGJ8E 6BuwcPtqOTamlcTVFh1dDmLTAEsE+wgH0McSgbyErqwc+O8EMJ/bndjosuWNxKHu0zG0 rXMP7AKKteK0mcVU6m9bbSfYGKsBacIfZP5SWegKPX7BhprBB9ADJ8PIeHKU8KTd2ZWf 6s2A==
ARC-Authentication-Results: 	i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=P5/V/auN; spf=pass (google.com: domain of alex.affforce@gmail.com designates 2607:f8b0:400d:c09::242 as permitted sender) smtp.mailfrom=alex.affforce@gmail.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmail.com
Return-Path: 	<alex.affforce@gmail.com>
Received: 	from mail-qk0-x242.google.com (mail-qk0-x242.google.com. [2607:f8b0:400d:c09::242]) by mx.google.com with ESMTPS id w62si8071734qkd.55.2017.08.26.04.18.16 for <x> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 26 Aug 2017 04:18:16 -0700 (PDT)
Received-SPF: 	pass (google.com: domain of alex.affforce@gmail.com designates 2607:f8b0:400d:c09::242 as permitted sender) client-ip=2607:f8b0:400d:c09::242;
Received: 	by mail-qk0-x242.google.com with SMTP id o65so1812295qkl.2 for <x>; Sat, 26 Aug 2017 04:18:16 -0700 (PDT)
DKIM-Signature: 	v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:from:to:message-id:in-reply-to:references:subject:mime-version; bh=V+eP/Qj7VBVVh51vC0RQFx8L81CO68+kXGGZ4/gc+Y4=; b=P5/V/auNhS16DgWXiV9ZPDyU8SNnqzuHPrkPSDhx0VmBRv/hlHYmDQwQ+2buByIiTL 5QatvPS0+HMqZaVtSryRQ7SpPhabgtw1FvgGgYLGQZ4qn05QvhLAhuFBSn3cIQjwAiHz OyIPVswfVox5Jq5/0Q5FEJri0c95hrsguoXIYBGWMKI2zVal0/a24rGxEP+0UTBrn4SD L03NRKn3pIC6MYJJViz6nAJwa/cJEYMshwiB7LvEmA93b2ZHnsAf5CFJDHNavsONWd9T xGxAudHOonrVcThEddmF05z6s1gsv67hJvxMgx4j4/sfi+AIFJ5f19zlhP1aOlOliFuv UV/w==
X-Received: 	by 10.55.156.13 with SMTP id f13mr1776268qke.141.1503746296078; Sat, 26 Aug 2017 04:18:16 -0700 (PDT)
Return-Path: 	<alex.affforce@gmail.com>
Received: 	from k3.ciumbek.com (k3.ciumbek.com. [144.217.216.210]) by smtp.gmail.com with ESMTPSA id w15sm5678662qkw.84.2017.08.26.04.18.15 for <x> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 26 Aug 2017 04:18:15 -0700 (PDT)
Date: 	Sat, 26 Aug 2017 13:18:14 +0200 (CEST)
From: 	Alex Sterg <alex.affforce@gmail.com>
To: 	x <x>
Message-ID: 	<2195_____________________5442@974a20dbfbf4>
In-Reply-To: 	<71363098.85153.1503488201029@974a20dbfbf4>
References: 	<71363098.85153.1503488201029@974a20dbfbf4>
Subject: 	Re: Your Private Streaming Ad Network
MIME-Version: 	1.0
Content-Type: 	multipart/alternative; boundary="----=_Part_97256_1796137420.1503746294656"

 

Correct me if I'm wrong, but I believe the spam comes from k3.ciumbek.com. [144.217.216.210], whose administrator is

Woodpecker.co Sp. z o.o., and abuse email is abuse@ovh.ca (according to whois).

But the only option I'm given by Spamcop is to report to abuse@google.com

 

Why?

 

Another example:

Quote

Delivered-To: x
Received: by 10.176.7.42 with SMTP id h39csp2065963uah;        Sat, 26 Aug 2017 00:56:45 -0700 (PDT)
X-Received: by 10.25.170.67 with SMTP id t64mr299754lfe.98.1503734205905;        Sat, 26 Aug 2017 00:56:45 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1503734205; cv=none;        d=google.com; s=arc-20160816;        b=jIKQYZGFDT153Dtp9EudII1FhIIznRLG32i5KryvmrFpyZ0Iy6h6ak8UizF7ABnrz+         n9d4XMONmQct3GCKNOyfHui/hRn+GQ5IrOcNRpJy3AppAbPYaCvRItpJyo/QVkOJpdsb         68Dy+NaATe31W57pOTysmx81taagHIxvFriLbypgZjAZR9J67iXYoqaf8JALqH4FIxWt         6E438Hs2GtrKLFGJvePNj2VIarBq0Oj1mH0f2CKjmj2VKy3gkt7yTHqerIhWL4OUcSy3         Dfd4dKlt02BC2/xUobsHVzAGymqktuLq0LewNPXL/DWrChMi3xLSsjFuS+tEliqHgjdT         dFBw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;        h=subject:message-id:date:reply-to:to:from:arc-authentication-results;        bh=og/VmK32cwZ/y/CIbxrm2k91EG2PHefOWSapAO/hTTU=;        b=alKoC91eqiVXF8gxdOitDuNTN7R3+uY4XX9FeT7S1rdBQrpUnZX+/J1oNhk4s9g4qJ         zMtlA0XO543NwvBtijEDQatGFaNf3Hv5Ayt0TIOmUGiEzzzjI5BZPmgGKiuORcq7f3fr         2jg5q1LCxwrSN2/ghsa/JoBC5QfH/YBqnrGkzgwUaokAcSfgCmZ9Jd2nD7folPTyBPKD         splPYYiFfDQ99nIW2dHGK/H/JV0bFjBqfHbnGXMgZ7PhgSyYOxV00KydOGbR8NK0SEKj         t/OSCZK4/oE83LiI7EY4EqovChEwWo8Kd3yYO7Y9SwFn3vTycX7hk+ulDPWNMEewzn1t         uDRA==
ARC-Authentication-Results: i=1; mx.google.com;       spf=neutral (google.com: 89.161.146.53 is neither permitted nor denied by best guess record for domain of mm.max@leonclub.pl) smtp.mailfrom=mm.max@leonclub.pl
Return-Path: <mm.max@leonclub.pl>
Received: from cloudserver024945.home.net.pl (cloudserver024945.home.net.pl. [89.161.146.53])        by mx.google.com with ESMTPS id y18si3740798lja.433.2017.08.26.00.56.45        for <x>        (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);        Sat, 26 Aug 2017 00:56:45 -0700 (PDT)
Received-SPF: neutral (google.com: 89.161.146.53 is neither permitted nor denied by best guess record for domain of mm.max@leonclub.pl) client-ip=89.161.146.53;
Return-Path: <mm.max@leonclub.pl>
Received: from sb1.open.kumulacje24.co (217.61.124.180) (HELO sb1.open.kumulacje24.co.) by leonclub.home.pl (89.161.146.53) with SMTP (IdeaSmtpServer 0.82) id a813ac7c3c2b57c7; Sat, 26 Aug 2017 09:56:44 +0200
From: Mm Max <mm.max@leonclub.pl>
To: Pl x <x>
Reply-To: 9a8dc@leonclub.pl
Return-Path: dc2f8@leonclub.pl
Date: Sat, 26 Aug 2017 09:56:43 +0200
Message-ID: <9ebe____________________________7829@leonclub.pl>
Subject: Lottopark.pl - Ogromne kumulacje lotto z całego świata.
Content-Type: text/plain; charset=utf-8

 

Here I can only report to 217.61.124.180 (abuse@staff.aruba.it) but I can't report to 89.161.146.53 (abuse@home.pl) which would make much more sense IMO.

[Lking]

It would be easier for the rest of use to answer "Why?" if we could see what the parser did.  If you would provide the Tracking URL the we could see why the parser stopped at the google received line.

Just guessing but often the parser will indicate in the report that the next list is a "forgery" or some other reason for not trusting the following entries.

[killj]

Quote

Parsing header:

 

Received:  by 10.176.7.42 with SMTP id h39csp2065963uah; Sat, 26 Aug 2017 00:56:45 -0700 (PDT)

 

no from
host 10.176.7.42 (getting name) no name

10.176.7.42 discarded

 

Received:  by 10.25.170.67 with SMTP id t64mr299754lfe.98.1503734205905; Sat, 26 Aug 2017 00:56:45 -0700 (PDT)

no from
host 10.25.170.67 (getting name) no name

10.25.170.67 discarded

 

Received:  from cloudserver024945.home.net.pl (cloudserver024945.home.net.pl. [89.161.146.53]) by mx.google.com with ESMTPS id y18si3740798lja.433.2017.08.26.00.56.45 for <x> (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Sat, 26 Aug 2017 00:56:45 -0700 (PDT)

host 89.161.146.53 (getting name) = cloudserver024945.home.net.pl.
cloudserver024945.home.net.pl is 89.161.146.53
Possible spammer: 89.161.146.53
89.161.146.53 is not an MX for cloudserver024945.home.net.pl.
Host cloudserver024945.home.net.pl. (checking ip) = 89.161.146.53
Received line accepted
 

Received:  from sb1.open.kumulacje24.co (217.61.124.180) (HELO sb1.open.kumulacje24.co.) by leonclub.home.pl (89.161.146.53) with SMTP (IdeaSmtpServer 0.82) id a813ac7c3c2b57c7; Sat, 26 Aug 2017 09:56:44 +0200

Masking IP-based 'by' clause.

Received:  from sb1.open.kumulacje24.co (217.61.124.180) (HELO sb1.open.kumulacje24.co.) by leonclub.home.pl with SMTP (IdeaSmtpServer 0.82) id a813ac7c3c2b57c7; Sat, 26 Aug 2017 09:56:44 +0200

host 217.61.124.180 = sb1.open.kumulacje24.co (cached)
89.161.146.53 not listed in cbl.abuseat.org
89.161.146.53 listed in dnsbl.sorbs.net ( 1 )
89.161.146.53 is not an MX for mx.google.com
89.161.146.53 is not an MX for cloudserver024945.home.net.pl
89.161.146.53 is an MX for leonclub.home.pl
Possible spammer: 217.61.124.180
Host leonclub.home.pl (checking ip) = 89.161.146.53
89.161.146.53 not listed in cbl.abuseat.org
89.161.146.53 listed in dnsbl.sorbs.net ( 1 )
217.61.124.180 is not an MX for leonclub.home.pl
89.161.146.53 is an MX for leonclub.home.pl
   Chain test:leonclub.home.pl =? cloudserver024945.home.net.pl
   Host cloudserver024945.home.net.pl (checking ip) = 89.161.146.53
   89.161.146.53 is an MX for leonclub.home.pl
   89.161.146.53 is mx
   leonclub.home.pl and cloudserver024945.home.net.pl have close IP addresses - chain verified
Possible relay: 89.161.146.53
Received line accepted

 

Quote

If reported today, reports would be sent to:

Re: 217.61.124.180 (Administrator of IP block - statistics only)

abuse@staff.aruba.it

Re: http://www.superkumulacje24.com/ (Administrator of network hosting website referenced in spam)

abuse@cloudflare.com

 

 

Above is the parsing log from the second email. It says "Possible spammer: 89.161.146.53" but doesn't give me a chance to report it to home.pl.

[Lking]

On 8/26/2017 at 9:16 AM, Lking said:

If you would provide the Tracking URL the we could see why the parser stopped at the google received line.

 

[killj]

Tracking URL:

https://www.spamcop.net/sc?id=z6401410508zfc545d5e8343992c8abac3145dc3fbabz

 

[Lking]

Yes the parser 'said' 89.161.146.53 was the Possible spammer. Later in the analysis,

11 hours ago, killj said:

Possible relay: 89.161.146.53

and

11 hours ago, killj said:

Possible spammer: 217.61.124.180

identified as the spammer.  If you want to send a report to the possible relay you of course may.  The parser does two things 1) collects IP information from the SCBL and 2) help you as the reporter sent spam reports to the ISP for the spammer.  If in your judgment the suggested destination for the spam reports are not correct you may uncheck the suggested destination(s) and send the reports to others.

[killj]

Yes, I can always uncheck, but I can't check the additional IPs.

If I understand the headers correctly, the spammer connected from 217.61.124.180 (his ISP, ot rather some proxy) and sent some email using his account at home.pl (89.161.146.53).

Home.pl is a hosting company, where he probably has an account at.

So, correct me if i'm wrong, but sending a spam report to 217.61.124.180 makes little sense, since it's just some proxy, or (at best) his ISP. I can't imagine my ISP disconnecting me from the internet for sending some spam and thus such a spam report would probably go to /dev/null.. I can however imagine my hosting provider cancelling my account for sending spam. For that reason I'd rather send my spam report to home.pl.  But I can't. I mean I can do it manually, but:

- reports from SC are probably more important for hosting providers or ISPs than emails from some individual people, and

- why use SC if everything has to be done manually?

 

Does that make sense?