william_sc Posted September 12, 2017

I am wondering why the following headers (sanitized to protect the innocent) would direct abuse reports to the emails noted for MF.com, rather than comcast.net? What is happening is that, since MF.com is internal routing, the abuse reports get sent to my company and we get blacklisted.

Received: from bnwems02.CNA.COMPANY.com (IP) by rtwems08.CNA.COMPANY.com (IP) with Microsoft SMTP Server (TLS) id 15.0.1320.4 via Mailbox Transport; Tue, 12 Sep 2017 12:17:10 -0400
Received: from bnwems03.CNA.COMPANY.com (IP) by bnwems02.CNA.COMPANY.com (IP) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Tue, 12 Sep 2017 12:17:09 -0400
Received: from mx0a-00266502.MF.com (IP) by bnwems03.CNA.COMPANY.com (IP) with Microsoft SMTP Server (TLS) id 15.0.1320.4 via Frontend Transport; Tue, 12 Sep 2017 12:17:09 -0400
Received: from MFS.filterd (m0122629.MFOPS.net [127.0.0.1]) by mx0a-00266502.MF.com (IP/IP) with SMTP id v8CGFOtS000474 for <LASTNAMEw@COMPANY.com>; Tue, 12 Sep 2017 12:17:08 -0400
Received: from esa2.COMPANY.MP.com (esa2.COMPANY.MP.com [IP]) by mx0a-00266502.MF.com with ESMTP id 2cvau2gx07-1 (version=TLSv1.2 cipher=RC4-SHA bits=128 verify=NOT) for <LASTNAMEw@COMPANY.com>; Tue, 12 Sep 2017 12:17:08 -0400
Received: from o1.delegates.cioarena.com ([IP]) by esa2.COMPANY.MP.com with ESMTP/TLS/DHE-RSA-AES128-GCM-SHA256; 12 Sep 2017 12:16:25 -0400
Received: by filter1077p1mdw1.sendgrid.net with SMTP id filter1077p1mdw1-27332-59B80858-15 2017-09-12 16:16:24.588092298 +0000 UTC
Received: from STAVRO-PC (c-24-13-33-151.hsd1.il.comcast.net [IP]) by ismtpd0004p1iad1.sendgrid.net (SG) with ESMTP id 1QC0oXBlSTOHRHSxN1R2Ig for <LASTNAME_FI@COMPANY.com>; Tue, 12 Sep 2017 16:16:24.313 +0000 (UTC)
From: XXX YYY <XXX@cioarena.com>
To: "LASTNAME, FNN" <LASTNAME_FI@COMPANY.com>
Subject: [External] RE: Reserved Ticket for FIRSTNAME LASTNAME to CIOarena NYC at the Conrad Hotel
Thread-Topic: [External] RE: Reserved Ticket for FIRSTNAME LASTNAME to CIOarena NYC at the Conrad Hotel
Thread-Index: AQHTK+KVaazU6gxqLkyJiimUpkwZ/Q==
Date: Tue, 12 Sep 2017 16:16:24 +0000
Message-ID: <20170912111627.504209864@cioarena.com>
Content-Language: en-US
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-AuthSource: bnwems03.CNA.COMPANY.com
X-MS-Has-Attach:
X-MS-Exchange-Organization-SCL: 0
X-MS-Exchange-Organization-PCL: 2
X-MS-TNEF-Correlator:
received-spf: Pass (esa2.COMPANY.MP.com: domain of bounces+5440949-49ec-LASTNAME_FI=COMPANY.com@delegates.cioarena.com designates 168.245.23.176 as permitted sender) identity=mailfrom; client-ip=168.245.23.176; receiver=esa2.COMPANY.MP.com; envelope-from="bounces+5440949-49ec-LASTNAMEw=COMPANY.com@delegates.cioarena.com"; x-sender="bounces+5440949-49ec-LASTNAMEw=COMPANY.com@delegates.cioarena.com"; x-conformance=spf_only; x-record-type="v=spf1"
Content-Type: multipart/alternative; boundary="_000_20170912111627504209864cioarenacom_"
MIME-Version: 1.0
petzl Posted September 12, 2017

    1 hour ago, william_sc said:
    I am wondering why the following headers (sanitized to protect the innocent) would direct abuse reports to the emails noted for MF.com, rather than comcast.net? What is happening is that, since MF.com is internal routing, the abuse reports get sent to my company and we get blacklisted.

What's the IP? You are not making it easy. 148.163.151.35: a lot of spam reported through that IP; each report is sent to the registered abuse address? SCAN INFECTED COMPUTER MOBILES FOR MALWARE - THEN Change Passwords for email accounts etc! Could be you have a compromised computer; it does not appear to be a Botnet but may be a "sink" for a botnet.
william_sc Posted September 12, 2017 (Author)

When I run the headers through spamcop, it only reports to the address for "MF.com". It doesn't even mention the comcast.com. This is not a one-off problem. Dozens of similar headers with the internal "MP" and "MF" filter routing ignore the original "Received:" line. So, over the past few weeks since implementing the additional internal spam filters, all emails submitted to spamcop have been reporting "COMPANY.com" as the abuser.
petzl Posted September 12, 2017

    15 minutes ago, william_sc said:
    When I run the headers through spamcop, it only reports to the address for "MF.com". It doesn't even mention the comcast.com. This is not a one-off problem. Dozens of similar headers with the internal "MP" and "MF" filter routing ignore the original "Received:" line. So, over the past few weeks since implementing the additional internal spam filters, all emails submitted to spamcop have been reporting "COMPANY.com" as the abuser.

Got the IP wrong, so updated reply: the injection IP that's being reported is 148.163.151.35. You are not email marketing? removed
Lking Posted September 12, 2017

Of course if we had a Tracking URL "we" could see why the parser chose not to process down to the comcast.net entry.
william_sc Posted September 12, 2017 (Author)

No. This is an email I received (that was marketing), and I am submitting it to spamcop. Instead of reporting to the ISP of the offender (comcast), it reports to my company, blacklisting us in the process.
william_sc Posted September 12, 2017 (Author)

"proofpoint", is the internal filtering, which gets forwarded to us.
william_sc Posted September 12, 2017 (Author)

Well, it looks like you can figure out a lot more stuff than I'm comfortable posting on a public forum.
petzl Posted September 12, 2017

    2 minutes ago, william_sc said:
    Well, it looks like you can figure out a lot more stuff than I'm comfortable posting on a public forum.

Yes, take care! Without seeing a tracking URL from SpamCop we are in the dark! At top of page after SpamCop parse: https://www.spamcop.net/sc?id=z6406210361z274d5c6e68b8c25bbe871163ab0dac4cz
william_sc Posted September 12, 2017 (Author)

Yes, I see that. But then if I post it, rather confidential information is revealed in a public forum. I can't do that. If one of you wants to chat with me direct, I can see about making that happen.
petzl Posted September 12, 2017

    5 minutes ago, william_sc said:
    Yes, I see that. But then if I post it, rather confidential information is revealed in a public forum. I can't do that. If one of you wants to chat with me direct, I can see about making that happen.

Try complaining to "deputies [at] spamcop [dot] net"; that will go to Cisco tech.
william_sc Posted September 12, 2017 (Author)

Thank you.
petzl Posted September 12, 2017

    1 minute ago, william_sc said:
    Thank you.

I'm just a user of SpamCop, not a tech.
petzl Posted September 12, 2017

    1 hour ago, william_sc said:
    24-13-33-151

Your remailer is not stamping IP correctly, which doesn't help; contact your remailer service also. 24.13.33.151 should be how?
william_sc Posted September 12, 2017 (Author)

    12 minutes ago, petzl said:
    Your remailer is not stamping IP correctly, which doesn't help; contact your remailer service also. 24.13.33.151 should be how?

That's presumably the source IP of the offender. My take is that the spammer is sending from that IP (nicknamed "STAVRO-PC") to comcast ISP, which in turn passes it to sendgrid.net, who then sends it to cioarena.com, where it is then picked up by my company's outside filter "esa2". It then bounces around a bit internally through various firewalls and filters and arrives in my inbox. But, as I point out, when spamcop parses this, the "originator" is picked up as the esa2 server inside our network, and ignores everything earlier than that.
petzl Posted September 12, 2017

    8 minutes ago, william_sc said:
    That's presumably the source IP of the offender. My take is that the spammer is sending from that IP (nicknamed "STAVRO-PC") to comcast ISP, which in turn passes it to sendgrid.net, who then sends it to cioarena.com, where it is then picked up by my company's outside filter "esa2". It then bounces around a bit internally through various firewalls and filters and arrives in my inbox. But, as I point out, when spamcop parses this, the "originator" is picked up as the esa2 server inside our network, and ignores everything earlier than that.

If it's you reporting spam, make sure you have put your email address in mailhosts or SpamCop can get it wrong? https://www.spamcop.net/fom-serve/cache/397.html
Lking Posted September 12, 2017

    48 minutes ago, william_sc said:
    Yes, I see that. But then if I post it, rather confidential information is revealed in a public forum. I can't do that.

Since the Tracking URL is yours, what you see on the screen is different than what others see. For example, if you click on the tracking URL petzl gave as an example, above, you will see places where <x> replaces personal information.
william_sc Posted September 12, 2017 (Author)

    14 minutes ago, Lking said:
    Since the Tracking URL is yours, what you see on the screen is different than what others see. For example, if you click on the tracking URL petzl gave as an example, above, you will see places where <x> replaces personal information.

Not just personal information, but hostnames, IP addresses, internal to our network.
william_sc Posted September 12, 2017 (Author)

    25 minutes ago, petzl said:
    If it's you reporting spam, make sure you have put your email address in mailhosts or SpamCop can get it wrong? https://www.spamcop.net/fom-serve/cache/397.html

I have never done that, and it looks too risky for me to do given the multiple emails that I report. Also, since Yahoo! is one of my primary report-from accounts, I still need the quick-report (since I can't forward as an attachment from Yahoo! anymore).
petzl Posted September 12, 2017

    56 minutes ago, william_sc said:
    I have never done that, and it looks too risky for me to do given the multiple emails that I report. Also, since Yahoo! is one of my primary report-from accounts, I still need the quick-report (since I can't forward as an attachment from Yahoo! anymore).

You need to set your mailhosts or you will report yourself.
william_sc Posted September 12, 2017 (Author)

    1 minute ago, petzl said:
    You need to set your mailhosts or you will report yourself.

This is bigger than just me. It's my entire company. The problem is emails sent to my company through these filters, not my personal emails. Entering mailhosts for me only solves the problem for me, and creates a risk for my personal emails. Sorry, please help me figure out what else might be causing it.
petzl Posted September 12, 2017

    48 minutes ago, william_sc said:
    This is bigger than just me. It's my entire company. The problem is emails sent to my company through these filters, not my personal emails. Entering mailhosts for me only solves the problem for me, and creates a risk for my personal emails. Sorry, please help me figure out what else might be causing it.

Just needs your ONE email address? Not every email address (unless a different domain addy). SpamCop will send you a verification email for each host, which you copy and paste into the top link. For Fastmail I got two validation emails from SpamCop, which identifies all mailhosts.
william_sc Posted September 13, 2017 (Author)

Ok, I did a bit of hacking and have found two variants of the same header, one that "works" and one that "fails".

https://www.spamcop.net/sc?id=z6406368915z3c233e5f6b35df52e43f378d28d0b9f2z
This one parses "correctly" by picking up the IP of the originator.

https://www.spamcop.net/sc?id=z6406369049zc70613d15e81e38ceff9ce99252dac8ez
This one parses incorrectly, by picking up the intermediate IP (in this case, I randomly picked an IP, which happens to be NASA.)

The one difference is the top (newest) Received: line: 127.163.151.35 (parses correctly) vs 129.163.151.35 (parses incorrectly and flags NASA). Ideas?

Received: from null.net (129.163.151.35) by s03.null.net (255.254.253.252); 07 Sep 2017 10:55:26 -0400
Received: from null.com ([255.254.253.252]) by esa3.null.edu with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 07 Sep 2017 10:55:21 -0400
From: User <User@bogusemail.com>
To: "x" <x>
Subject: This is spam!
Date: Thu, 7 Sep 2017 14:55:18 +0000
Message-ID: <6c29________________________2fda@anywheres.au>
Content-Language: en-US
Content-Type: multipart/alternative; boundary="_000_6c296c4007fa2384928b5c7de3d02fdasmtp13abcdefgcom_"
MIME-Version: 1.0

Body of Message
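The chain william_sc traces a few posts up (comcast PC to sendgrid.net to cioarena.com to esa2, then through the MF.com filter into the company's Exchange servers) and the 127.x / 129.x variants in this post can both be reproduced with a small walker over newest-first Received: lines. The code below is an added example written for this thread; it is not SpamCop's parser or any code from the project, and its walk rules (trust the top line, verify that each older line was written by the host the newer line names as "from", skip a loopback hand-off only when the line's author is vouched for, stop at the first hand-off that cannot be verified) are an assumed, simplified model of what any abuse-report parser has to do, not SpamCop's documented rules. The sample headers are constructed from the sanitized ones in the first post: 148.163.151.35, 168.245.23.176 and 24.13.33.151 appear in the thread, while the "(IP)" fields are filled with documentation-range placeholders (192.0.2.x, 198.51.100.x). The trusted-domain list plays the role of SpamCop's mailhosts.

```python
"""Walk a newest-first chain of Received: lines the way an abuse-report parser must:
trust the top line, verify every hand-off, stop where verification fails.
Added example for this thread; a simplified model, not SpamCop's own parser."""
import ipaddress
import re
from typing import NamedTuple, Optional, Sequence, Tuple

FROM_RE = re.compile(r"\bfrom\s+(\S+)\s*(?:\(([^)]*)\))?", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)\s*(?:\(([^)]*)\))?", re.IGNORECASE)
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Ranges a relay may legitimately stamp as 'from' when talking to itself: loopback,
# RFC 1918, link-local.  Not ipaddress.is_private, which would also swallow the
# documentation ranges used below as stand-ins for the sanitized "(IP)" fields.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


class Hop(NamedTuple):
    from_host: Optional[str]
    from_ip: Optional[str]
    by_host: Optional[str]
    by_ip: Optional[str]


def _ip_in(comment: Optional[str]) -> Optional[str]:
    """First valid IPv4 literal in a parenthesised comment such as '(host [1.2.3.4])'."""
    for m in IP_RE.finditer(comment or ""):
        try:
            return str(ipaddress.IPv4Address(m.group(0)))
        except ValueError:
            continue
    return None


def parse_received(line: str) -> Hop:
    """Pull 'from HOST (comment)' and 'by HOST (comment)' out of one Received: line."""
    f, b = FROM_RE.search(line), BY_RE.search(line)
    return Hop(f.group(1) if f else None, _ip_in(f.group(2)) if f else None,
               b.group(1) if b else None, _ip_in(b.group(2)) if b else None)


def is_internal_ip(ip: Optional[str]) -> bool:
    return ip is not None and any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def is_trusted(host: Optional[str], trusted: Sequence[str]) -> bool:
    """True when host sits under a domain the reporter vouches for (the mailhosts idea)."""
    if not host:
        return False
    h = host.lower().rstrip(".")
    return any(h == t.lower() or h.endswith("." + t.lower()) for t in trusted)


def handoff_matches(newer: Hop, older: Hop) -> bool:
    """Was the older line written by the server the newer line names as 'from'?"""
    if newer.from_ip and older.by_ip:
        return newer.from_ip == older.by_ip
    return bool(newer.from_host and older.by_host) and newer.from_host.lower() == older.by_host.lower()


def find_origin(received: Sequence[str], trusted: Sequence[str] = ()) -> Tuple[Optional[Hop], str]:
    """Return (hop whose 'from' is the reportable injection point, reason). received is newest-first."""
    candidate: Optional[Hop] = None
    for hop in (parse_received(line) for line in received):
        if candidate is not None and not handoff_matches(candidate, hop):
            return candidate, "hand-off mismatch: this line was not written by the previous 'from' host"
        if hop.from_host is None:            # 'Received: by X' with no from: nothing to attribute
            continue
        if is_internal_ip(hop.from_ip):      # loopback / RFC 1918 'from'
            if candidate is None or is_trusted(hop.by_host, trusted):
                candidate = None             # vouched-for infrastructure talking to itself: keep walking
                continue
            return candidate, "unverifiable loopback hand-off below an untrusted relay"
        if is_trusted(hop.from_host, trusted):
            candidate = None                 # still inside the reporter's own relays
            continue
        candidate = hop                      # an outside server handed the mail in
    return candidate, ("chain verified to its end" if candidate else "no external hop found")


# Constructed from the sanitized headers in the thread, newest first.  148.163.151.35,
# 168.245.23.176 and 24.13.33.151 appear in the thread; the other addresses stand in
# for the "(IP)" fields and are documentation-range placeholders.
THREAD_HEADERS = [
    "from bnwems02.CNA.COMPANY.com (192.0.2.12) by rtwems08.CNA.COMPANY.com (192.0.2.18) with Microsoft SMTP Server (TLS) id 15.0.1320.4 via Mailbox Transport",
    "from bnwems03.CNA.COMPANY.com (192.0.2.13) by bnwems02.CNA.COMPANY.com (192.0.2.12) with Microsoft SMTP Server (TLS) id 15.0.1320.4",
    "from mx0a-00266502.MF.com (148.163.151.35) by bnwems03.CNA.COMPANY.com (192.0.2.13) with Microsoft SMTP Server (TLS) id 15.0.1320.4 via Frontend Transport",
    "from MFS.filterd (m0122629.MFOPS.net [127.0.0.1]) by mx0a-00266502.MF.com (148.163.151.35/148.163.151.35) with SMTP id v8CGFOtS000474",
    "from esa2.COMPANY.MP.com (esa2.COMPANY.MP.com [198.51.100.2]) by mx0a-00266502.MF.com with ESMTP id 2cvau2gx07-1",
    "from o1.delegates.cioarena.com ([168.245.23.176]) by esa2.COMPANY.MP.com with ESMTP/TLS/DHE-RSA-AES128-GCM-SHA256",
    "by filter1077p1mdw1.sendgrid.net with SMTP id filter1077p1mdw1-27332-59B80858-15",
    "from STAVRO-PC (c-24-13-33-151.hsd1.il.comcast.net [24.13.33.151]) by ismtpd0004p1iad1.sendgrid.net (SG) with ESMTP id 1QC0oXBlSTOHRHSxN1R2Ig",
]
COMPANY_MAILHOSTS = ("COMPANY.com", "MF.com", "MP.com")   # what registering mailhosts would vouch for


def experiment(top_ip: str) -> list:
    """william_sc's two-line test case above; only the top line's 'from' address differs."""
    return [f"from null.net ({top_ip}) by s03.null.net (255.254.253.252)",
            "from null.com ([255.254.253.252]) by esa3.null.edu with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384"]


if __name__ == "__main__":
    cases = [("no mailhosts", THREAD_HEADERS, ()), ("with mailhosts", THREAD_HEADERS, COMPANY_MAILHOSTS),
             ("top line 127.x", experiment("127.163.151.35"), ()), ("top line 129.x", experiment("129.163.151.35"), ())]
    for label, headers, trusted in cases:
        hop, why = find_origin(headers, trusted)
        print(f"{label:15} -> {hop.from_ip if hop else None}  ({why})")
```

Without a trusted list the walk verifies its way down to the mx0a-00266502.MF.com line and then meets the MFS.filterd hop, whose "from 127.0.0.1" it cannot tie to anyone it trusts, so the filter's own address (148.163.151.35) is what gets reported, which is the outcome the thread describes. With the company's domains vouched for, the walk passes through those hops and stops at the cioarena.com line, because the next line ("Received: by filter...sendgrid.net") names a different writer than the previous "from" and carries no "from" at all; the comcast line below it is never reached by a chain-verified walk, which is the "remailer not stamping correctly" half of the problem rather than anything the company can fix on its side. In the two-line experiment, 127.163.151.35 at the top is a loopback hand-off the walker discards, while 129.163.151.35 is a routable address it has to take at face value and then cannot chain to the next line.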
petzl Posted September 14, 2017

    Quote
    Ok, I did a bit of hacking and have found two variants of the same header, one that "works" and one that "fails". https://www.spamcop.net/sc?id=z6406368915z3c233e5f6b35df52e43f378d28d0b9f2z This one parses "correctly" by picking up the IP of the originator. https://www.spamcop.net/sc?id=z6406369049zc70613d15e81e38ceff9ce99252dac8ez This one parses incorrectly, by picking up the intermediate IP (in this case, I randomly picked an IP, which happens to be NASA.) The one difference is the top (newest) Received: line: 127.163.151.35 (parses correctly) vs 129.163.151.35 (parses incorrectly and flags NASA). Ideas?

Your problems should end if you just used SpamCop's mailhost program? Just requires you to have your email address to be sent a validation which identifies your mailhost. This belongs in the just "too easy" basket? You are making reporting hard for yourself!
william_sc Posted September 14, 2017 (Author)

    10 hours ago, petzl said:
    Your problems should end if you just used SpamCop's mailhost program? Just requires you to have your email address to be sent a validation which identifies your mailhost. This belongs in the just "too easy" basket? You are making reporting hard for yourself!

I'm going to say this again, this isn't just me, it's the entire company. Everyone who reports spam through spamcop is getting this problem. Solving it only for me with my email (a) only fixes it for my reporting and (b) makes it harder when I have to report through other emails.