killj, posted August 26, 2017

Quote:

Delivered-To: x
Received: by 10.107.2.68 with SMTP id 65csp2186079ioc; Sat, 26 Aug 2017 04:18:16 -0700 (PDT)
X-Received: by 10.55.132.6 with SMTP id g6mr1926112qkd.300.1503746296803; Sat, 26 Aug 2017 04:18:16 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1503746296; cv=none; d=google.com; s=arc-20160816;
        b=Zerq3X2n0hd0C5Od8hCJtyltjeSOWuMADHws6yJhu9KOwp0dTwrHXEqscYejlJNk/p
         j92TP5hOGfpuRdaTQaptRNVmcFuBRhmuDjzF1OmNEGM7KSE/OQiy/zkRsU2VwpvwOYtn
         Pnr/qXpFatvbY5wpiyx313aQrMsPSRNY2vZpCNqvoNlLRcciyjSW0+RMSDMdoieQedwt
         EGxR8KQCg0Mhj9CLfqikr/hb5/9BnH7ELWAfXYOYfGCHSN8jg4O41ZBgNP0foEGjovcM
         ISx9kGt3D09J5kqDE/6jVuDulNNvD1wWimoKMBuvaK14rQkdC+lum3AN0TlEMD+E17Ku
         cS0Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=mime-version:subject:references:in-reply-to:message-id:to:from:date
         :dkim-signature:arc-authentication-results;
        bh=V+eP/Qj7VBVVh51vC0RQFx8L81CO68+kXGGZ4/gc+Y4=;
        b=xxna3qOAt1+YJFx9peHmgHUMNfmmyg684Y2t9skgxjcXnxNCzmnQ+IofieftlVlMFy
         E+1pWRCamd+yIniU8NCA4mWjXk8mV+DN7LevCHQI3BPqPz+Ua12WWalZY8QQ9FeVy9is
         hSE7r71Cq6xlk2fX3LDp3CgxEAl0zV4jQqN7DB/LuDgxsf+BsDZJQs5T8ThUZCYUGJ8E
         6BuwcPtqOTamlcTVFh1dDmLTAEsE+wgH0McSgbyErqwc+O8EMJ/bndjosuWNxKHu0zG0
         rXMP7AKKteK0mcVU6m9bbSfYGKsBacIfZP5SWegKPX7BhprBB9ADJ8PIeHKU8KTd2ZWf
         6s2A==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=P5/V/auN;
       spf=pass (google.com: domain of alex.affforce@gmail.com designates 2607:f8b0:400d:c09::242 as permitted sender) smtp.mailfrom=alex.affforce@gmail.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmail.com
Return-Path: <alex.affforce@gmail.com>
Received: from mail-qk0-x242.google.com (mail-qk0-x242.google.com. [2607:f8b0:400d:c09::242])
        by mx.google.com with ESMTPS id w62si8071734qkd.55.2017.08.26.04.18.16
        for <x>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Sat, 26 Aug 2017 04:18:16 -0700 (PDT)
Received-SPF: pass (google.com: domain of alex.affforce@gmail.com designates 2607:f8b0:400d:c09::242 as permitted sender) client-ip=2607:f8b0:400d:c09::242;
Received: by mail-qk0-x242.google.com with SMTP id o65so1812295qkl.2 for <x>; Sat, 26 Aug 2017 04:18:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
        h=date:from:to:message-id:in-reply-to:references:subject:mime-version;
        bh=V+eP/Qj7VBVVh51vC0RQFx8L81CO68+kXGGZ4/gc+Y4=;
        b=P5/V/auNhS16DgWXiV9ZPDyU8SNnqzuHPrkPSDhx0VmBRv/hlHYmDQwQ+2buByIiTL
         5QatvPS0+HMqZaVtSryRQ7SpPhabgtw1FvgGgYLGQZ4qn05QvhLAhuFBSn3cIQjwAiHz
         OyIPVswfVox5Jq5/0Q5FEJri0c95hrsguoXIYBGWMKI2zVal0/a24rGxEP+0UTBrn4SD
         L03NRKn3pIC6MYJJViz6nAJwa/cJEYMshwiB7LvEmA93b2ZHnsAf5CFJDHNavsONWd9T
         xGxAudHOonrVcThEddmF05z6s1gsv67hJvxMgx4j4/sfi+AIFJ5f19zlhP1aOlOliFuv
         UV/w==
X-Received: by 10.55.156.13 with SMTP id f13mr1776268qke.141.1503746296078; Sat, 26 Aug 2017 04:18:16 -0700 (PDT)
Return-Path: <alex.affforce@gmail.com>
Received: from k3.ciumbek.com (k3.ciumbek.com. [144.217.216.210])
        by smtp.gmail.com with ESMTPSA id w15sm5678662qkw.84.2017.08.26.04.18.15
        for <x>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Sat, 26 Aug 2017 04:18:15 -0700 (PDT)
Date: Sat, 26 Aug 2017 13:18:14 +0200 (CEST)
From: Alex Sterg <alex.affforce@gmail.com>
To: x <x>
Message-ID: <2195_____________________5442@974a20dbfbf4>
In-Reply-To: <71363098.85153.1503488201029@974a20dbfbf4>
References: <71363098.85153.1503488201029@974a20dbfbf4>
Subject: Re: Your Private Streaming Ad Network
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_97256_1796137420.1503746294656"

Correct me if I'm wrong, but I believe the spam comes from k3.ciumbek.com [144.217.216.210], whose administrator is Woodpecker.co Sp. z o.o., and whose abuse email is abuse@ovh.ca (according to whois). But the only option I'm given by SpamCop is to report to abuse@google.com. Why?

Another example:

Quote:

Delivered-To: x
Received: by 10.176.7.42 with SMTP id h39csp2065963uah; Sat, 26 Aug 2017 00:56:45 -0700 (PDT)
X-Received: by 10.25.170.67 with SMTP id t64mr299754lfe.98.1503734205905; Sat, 26 Aug 2017 00:56:45 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1503734205; cv=none; d=google.com; s=arc-20160816;
        b=jIKQYZGFDT153Dtp9EudII1FhIIznRLG32i5KryvmrFpyZ0Iy6h6ak8UizF7ABnrz+
         n9d4XMONmQct3GCKNOyfHui/hRn+GQ5IrOcNRpJy3AppAbPYaCvRItpJyo/QVkOJpdsb
         68Dy+NaATe31W57pOTysmx81taagHIxvFriLbypgZjAZR9J67iXYoqaf8JALqH4FIxWt
         6E438Hs2GtrKLFGJvePNj2VIarBq0Oj1mH0f2CKjmj2VKy3gkt7yTHqerIhWL4OUcSy3
         Dfd4dKlt02BC2/xUobsHVzAGymqktuLq0LewNPXL/DWrChMi3xLSsjFuS+tEliqHgjdT
         dFBw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=subject:message-id:date:reply-to:to:from:arc-authentication-results;
        bh=og/VmK32cwZ/y/CIbxrm2k91EG2PHefOWSapAO/hTTU=;
        b=alKoC91eqiVXF8gxdOitDuNTN7R3+uY4XX9FeT7S1rdBQrpUnZX+/J1oNhk4s9g4qJ
         zMtlA0XO543NwvBtijEDQatGFaNf3Hv5Ayt0TIOmUGiEzzzjI5BZPmgGKiuORcq7f3fr
         2jg5q1LCxwrSN2/ghsa/JoBC5QfH/YBqnrGkzgwUaokAcSfgCmZ9Jd2nD7folPTyBPKD
         splPYYiFfDQ99nIW2dHGK/H/JV0bFjBqfHbnGXMgZ7PhgSyYOxV00KydOGbR8NK0SEKj
         t/OSCZK4/oE83LiI7EY4EqovChEwWo8Kd3yYO7Y9SwFn3vTycX7hk+ulDPWNMEewzn1t
         uDRA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=neutral (google.com: 89.161.146.53 is neither permitted nor denied by best guess record for domain of mm.max@leonclub.pl) smtp.mailfrom=mm.max@leonclub.pl
Return-Path: <mm.max@leonclub.pl>
Received: from cloudserver024945.home.net.pl (cloudserver024945.home.net.pl. [89.161.146.53])
        by mx.google.com with ESMTPS id y18si3740798lja.433.2017.08.26.00.56.45
        for <x>
        (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
        Sat, 26 Aug 2017 00:56:45 -0700 (PDT)
Received-SPF: neutral (google.com: 89.161.146.53 is neither permitted nor denied by best guess record for domain of mm.max@leonclub.pl) client-ip=89.161.146.53;
Return-Path: <mm.max@leonclub.pl>
Received: from sb1.open.kumulacje24.co (217.61.124.180) (HELO sb1.open.kumulacje24.co.)
        by leonclub.home.pl (89.161.146.53) with SMTP (IdeaSmtpServer 0.82) id a813ac7c3c2b57c7;
        Sat, 26 Aug 2017 09:56:44 +0200
From: Mm Max <mm.max@leonclub.pl>
To: Pl x <x>
Reply-To: 9a8dc@leonclub.pl
Return-Path: dc2f8@leonclub.pl
Date: Sat, 26 Aug 2017 09:56:43 +0200
Message-ID: <9ebe____________________________7829@leonclub.pl>
Subject: Lottopark.pl - Ogromne kumulacje lotto z całego świata.
Content-Type: text/plain; charset=utf-8

Here I can only report to 217.61.124.180 (abuse@staff.aruba.it), but I can't report to 89.161.146.53 (abuse@home.pl), which would make much more sense IMO.
Lking, posted August 26, 2017

It would be easier for the rest of us to answer "Why?" if we could see what the parser did. If you would provide the Tracking URL, then we could see why the parser stopped at the Google Received line. Just guessing, but often the parser will indicate in the report that the next line is a "forgery" or give some other reason for not trusting the following entries.
killj, posted August 30, 2017

Quote:

Parsing header:
Received: by 10.176.7.42 with SMTP id h39csp2065963uah; Sat, 26 Aug 2017 00:56:45 -0700 (PDT)
no fromhost
10.176.7.42 (getting name) no name
10.176.7.42 discarded
Received: by 10.25.170.67 with SMTP id t64mr299754lfe.98.1503734205905; Sat, 26 Aug 2017 00:56:45 -0700 (PDT)
no fromhost
10.25.170.67 (getting name) no name
10.25.170.67 discarded
Received: from cloudserver024945.home.net.pl (cloudserver024945.home.net.pl. [89.161.146.53]) by mx.google.com with ESMTPS id y18si3740798lja.433.2017.08.26.00.56.45 for <x> (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Sat, 26 Aug 2017 00:56:45 -0700 (PDT)
host 89.161.146.53 (getting name) = cloudserver024945.home.net.pl.
cloudserver024945.home.net.pl is 89.161.146.53
Possible spammer: 89.161.146.53
89.161.146.53 is not an MX for cloudserver024945.home.net.pl.
Host cloudserver024945.home.net.pl. (checking ip) = 89.161.146.53
Received line accepted
Received: from sb1.open.kumulacje24.co (217.61.124.180) (HELO sb1.open.kumulacje24.co.) by leonclub.home.pl (89.161.146.53) with SMTP (IdeaSmtpServer 0.82) id a813ac7c3c2b57c7; Sat, 26 Aug 2017 09:56:44 +0200
Masking IP-based 'by' clause.
Received: from sb1.open.kumulacje24.co (217.61.124.180) (HELO sb1.open.kumulacje24.co.) by leonclub.home.pl with SMTP (IdeaSmtpServer 0.82) id a813ac7c3c2b57c7; Sat, 26 Aug 2017 09:56:44 +0200
host 217.61.124.180 = sb1.open.kumulacje24.co (cached)
89.161.146.53 not listed in cbl.abuseat.org
89.161.146.53 listed in dnsbl.sorbs.net ( 1 )
89.161.146.53 is not an MX for mx.google.com
89.161.146.53 is not an MX for cloudserver024945.home.net.pl
89.161.146.53 is an MX for leonclub.home.pl
Possible spammer: 217.61.124.180
Host leonclub.home.pl (checking ip) = 89.161.146.53
89.161.146.53 not listed in cbl.abuseat.org
89.161.146.53 listed in dnsbl.sorbs.net ( 1 )
217.61.124.180 is not an MX for leonclub.home.pl
89.161.146.53 is an MX for leonclub.home.pl
Chain test: leonclub.home.pl =? cloudserver024945.home.net.pl
Host cloudserver024945.home.net.pl (checking ip) = 89.161.146.53
89.161.146.53 is an MX for leonclub.home.pl
89.161.146.53 is mx
leonclub.home.pl and cloudserver024945.home.net.pl have close IP addresses - chain verified
Possible relay: 89.161.146.53
Received line accepted

Quote:

If reported today, reports would be sent to:
Re: 217.61.124.180 (Administrator of IP block - statistics only) abuse@staff.aruba.it
Re: http://www.superkumulacje24.com/ (Administrator of network hosting website referenced in spam) abuse@cloudflare.com

Above is the parsing log from the second email. It says "Possible spammer: 89.161.146.53" but doesn't give me a chance to report it to home.pl.
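The Received: chains quoted in the first post and the parser log in this one, walked by an added example (this is not SpamCop's code and not part of the original thread). It parses the Received: lines from the recipient's MX outward, believes only the hops written by the recipient's own provider (assumed here to be Google, from the mx.google.com hops; SpamCop gets the equivalent from the reporter's mailhost configuration), and requires every other hop to chain to the one above it: its 'by' host or IP must be the 'from' host or IP of the previous hop. When an accepted hop carries one of the RFC 3848 keywords that mean SMTP AUTH was used (ESMTPSA in the first message), the walk stops at that server, since the sender authenticated to it with an account only its operator can act on. MSG1 and MSG2 are the Received: lines of the two messages quoted in this thread; FORGED is a constructed variant with a trailing hop that does not chain. The trust and stop rules are a simplified model, not SpamCop's actual algorithm.

```python
"""Added example: walk a Received: chain the way a spam-report parser does.

Not SpamCop's code. MSG1 and MSG2 are the Received: lines of the two messages
quoted in this thread; FORGED is constructed. The trust and stop rules are a
simplified model of a chain parser, not SpamCop's actual algorithm.
"""
import ipaddress
import re
from collections import namedtuple

# RFC 3848 'with' keywords meaning the client used SMTP AUTH: the receiving
# server's operator is the party who can act on that account.
AUTHENTICATED = {"ESMTPA", "ESMTPSA", "UTF8SMTPA", "UTF8SMTPSA"}
IP_RE = re.compile(r"[\[(]\s*(?:IPv6:)?([0-9a-fA-F:.]+)\s*[\])]")
Hop = namedtuple("Hop", "from_host from_ip by_host by_ip proto")


def unfold(headers):
    """Join RFC 5322 folded lines; return (lower-cased name, value) pairs."""
    fields = []
    for line in headers.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and fields:
            fields[-1] = (fields[-1][0], fields[-1][1] + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip().lower(), value.strip()))
    return fields


def _ip(s):
    """Normalised IP string, or None when s is not an address."""
    try:
        return str(ipaddress.ip_address(s.strip(".")))
    except (ValueError, AttributeError):
        return None


def parse_received(value):
    """Split 'from A (a.b.c [ip]) by B (ip) with PROTO ...' into a Hop."""
    m_by = re.search(r"(?:^|\s)by\s+(\S+)", value)
    from_part = value[: m_by.start()] if m_by else value
    by_part = value[m_by.start():] if m_by else ""
    by_part = re.split(r"\s+(?:with|id|for|via)\s|;", by_part, maxsplit=1)[0]
    m_from = re.match(r"from\s+(\S+)", from_part.strip(), re.I)
    from_host = m_from.group(1).rstrip(".").lower() if m_from else None
    from_ip = next(filter(None, map(_ip, IP_RE.findall(from_part))), None)
    by_host = m_by.group(1).rstrip(".").lower() if m_by else None
    by_ip = _ip(by_host) or next(filter(None, map(_ip, IP_RE.findall(by_part))), None)
    m_with = re.search(r"\swith\s+(\S+)", value)
    return Hop(from_host, from_ip, by_host, by_ip, m_with.group(1).upper() if m_with else None)


def trace(headers, trusted=("google.com", "gmail.com")):
    """Walk hops from the recipient's MX outward and decide whom to report.

    'trusted' is the recipient's own provider (assumed from the mx.google.com
    hops). Those hops are believed; every other hop must chain to the hop above.
    """
    hops = [parse_received(v) for n, v in unfold(headers) if n == "received"]
    origin, relays, prev, responsible, reason = None, [], None, None, "end of chain"
    for hop in hops:
        if hop.from_ip is None:
            continue  # hand-off with no 'from' clause (e.g. 'by 10.x.x.x'): nothing to attribute
        own = hop.by_host and any(
            hop.by_host == t or hop.by_host.endswith("." + t) for t in trusted)
        if prev is not None and not own:
            # Chain test: the host this hop says received it must be the host the
            # hop above said it came from; below a mismatch the text is unverifiable.
            if hop.by_ip != prev.from_ip and hop.by_host != prev.from_host:
                reason = "chain broken at 'by %s'" % hop.by_host
                break
        if prev is not None:
            relays.append(prev.from_ip)
        origin, prev = hop.from_ip, hop
        if hop.proto in AUTHENTICATED:
            responsible = hop.by_host
            reason = "authenticated submission (%s) to %s" % (hop.proto, hop.by_host)
            break
    return {"origin": origin, "relays": relays, "responsible": responsible, "reason": reason}


MSG1 = """\
Received: by 10.107.2.68 with SMTP id 65csp2186079ioc; Sat, 26 Aug 2017 04:18:16 -0700 (PDT)
Received: from mail-qk0-x242.google.com (mail-qk0-x242.google.com. [2607:f8b0:400d:c09::242])
        by mx.google.com with ESMTPS id w62si8071734qkd.55.2017.08.26.04.18.16 for <x>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 26 Aug 2017 04:18:16 -0700 (PDT)
Received: by mail-qk0-x242.google.com with SMTP id o65so1812295qkl.2 for <x>; Sat, 26 Aug 2017 04:18:16 -0700 (PDT)
Received: from k3.ciumbek.com (k3.ciumbek.com. [144.217.216.210])
        by smtp.gmail.com with ESMTPSA id w15sm5678662qkw.84.2017.08.26.04.18.15 for <x>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 26 Aug 2017 04:18:15 -0700 (PDT)
"""
MSG2 = """\
Received: by 10.176.7.42 with SMTP id h39csp2065963uah; Sat, 26 Aug 2017 00:56:45 -0700 (PDT)
Received: from cloudserver024945.home.net.pl (cloudserver024945.home.net.pl. [89.161.146.53])
        by mx.google.com with ESMTPS id y18si3740798lja.433.2017.08.26.00.56.45 for <x>
        (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Sat, 26 Aug 2017 00:56:45 -0700 (PDT)
Received: from sb1.open.kumulacje24.co (217.61.124.180) (HELO sb1.open.kumulacje24.co.)
        by leonclub.home.pl (89.161.146.53) with SMTP (IdeaSmtpServer 0.82)
        id a813ac7c3c2b57c7; Sat, 26 Aug 2017 09:56:44 +0200
"""
# Constructed: MSG2 with a forged hop appended whose 'by' host does not chain.
FORGED = MSG2 + ("Received: from victim.example.net (198.51.100.7) by mail.example.org "
                 "with SMTP id 1; Sat, 26 Aug 2017 08:00:00 +0200\n")

if __name__ == "__main__":
    print(trace(MSG1), trace(MSG2), trace(FORGED), sep="\n")
```

For the first message the walk ends at smtp.gmail.com with 144.217.216.210 as the authenticated client and Google as the party to report to; for the second it returns 217.61.124.180 as the origin and 89.161.146.53 as a verified relay, the same split the parser log above shows. The forged trailer is cut off at the failed chain test, which is the "forgery" case Lking refers to. Returning the relay list as well gives a reporter who judges the relay operator the better recipient the address to hand.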
Lking, posted August 30, 2017

On 8/26/2017 at 9:16 AM, Lking said:
    If you would provide the Tracking URL, then we could see why the parser stopped at the Google Received line.
killj, posted August 30, 2017

Tracking URL: https://www.spamcop.net/sc?id=z6401410508zfc545d5e8343992c8abac3145dc3fbabz
Lking, posted August 30, 2017

Yes, the parser 'said' 89.161.146.53 was the possible spammer. Later in the analysis,

    11 hours ago, killj said: Possible relay: 89.161.146.53

and

    11 hours ago, killj said: Possible spammer: 217.61.124.180

identified it as the spammer. If you want to send a report to the possible relay, you of course may. The parser does two things: 1) collects IP information from the SCBL and 2) helps you, as the reporter, send spam reports to the ISP of the spammer. If in your judgment the suggested destinations for the spam reports are not correct, you may uncheck the suggested destination(s) and send the reports to others.
killj, posted August 30, 2017

Yes, I can always uncheck, but I can't check the additional IPs. If I understand the headers correctly, the spammer connected from 217.61.124.180 (his ISP, or rather some proxy) and sent some email using his account at home.pl (89.161.146.53). Home.pl is a hosting company, where he probably has an account. So, correct me if I'm wrong, but sending a spam report to 217.61.124.180 makes little sense, since it's just some proxy, or (at best) his ISP. I can't imagine my ISP disconnecting me from the internet for sending some spam, and thus such a spam report would probably go to /dev/null. I can, however, imagine my hosting provider cancelling my account for sending spam. For that reason I'd rather send my spam report to home.pl. But I can't. I mean, I can do it manually, but:

- reports from SC are probably more important for hosting providers or ISPs than emails from some individual people, and
- why use SC if everything has to be done manually?

Does that make sense?