DaveC Posted December 28, 2017

Hi - First post. This was going to be a quick question but, having read a few comments, I thought I had better put in as much info as possible.

I am getting a spam daily in this format. When I submit it, it just comes up with a devnull stats message. Please can anyone help me decipher the header and suggest where it might have come from so I can do some DIY reporting - I have very limited knowledge. Apologies if this is in the wrong part of the forum - happy for it to be moved if required.

It actually rejects the item if I send using the 2 part form but does a bit better by email??

Return-Path: <>
Received: from cm12gb1 (10.101.251.12) by mail.svcgb1.int.opaltelecom.net (8.6.146) id 5A3442BC0068C050 for ME***@tiscali.co.uk; Wed, 27 Dec 2017 09:16:49 +0000
Message-ID: <5A3442BC0068C050@ms13gb1.int.opaltelecom.net> (added by postmaster@mail.svcgb1.int.opaltelecom.net)
Received: from 01.healtingoods.xyz ([85.93.19.55]) by mx.talktalk.net with SMTP id U7pRe5Bkfn260U7pReUxjt; Wed, 27 Dec 2017 09:16:49 +0000
X-Delivered-To: ME**@tiscali.co.uk
from:=?UTF-8?B?SW5zdXJhbmNlIFF1b3Rl?= <contact@georgia.gov>
subject:ME***@tiscali.co.uk =?UTF-8?B?QXJlIHlvdSBhbmQgeW91ciBmYW1pbHkgcHJvdGVjdGVkPyA=?=
date:Wed, 27 Dec 2017 10:16:50 +0100
to:ME***@tiscali.co.uk
reply-to:<reply@georgia.gov>
content-type:text/html;
X-Priority:1
X-CMAE-Envelope: MS4wfCzmZzns6p4GUALWbyjysr4DYzbkgQxkJ24nLEE2mV5IdQ32AsistMbejuszTGVwUtghVQNCMbhfCBUDqd0/pYHn5K5APIfN4rOWtRpY2JOOdry486E+bxs1jDtYjGNl/4P3t7Ef6m8HfwY0c7XQmSo=

The "Body" is just an image with links; even when I send the links they are ignored at SpamCop. The image is at:
http://thelib.ru/go?url=0xD90CDD28/gSNnm.png
http://5.189.188.248/Creatives/gSNnm.png
http://5.189.188.248 is https://contabo.de/

The clickable link is https://webmail.tiscali.co.uk/cp/ps/Mail/ExternalURLProxy?d=tiscali.co.uk&u=ME***&url=http://thelib.ru/go::cp::2915::cp::url::cp::61::cp::0xD90CDD28/134ii988284uo229qu779ic182wn50rr&urlHash=1.4490098802000302E22

The bits I really struggle with are http://thelib.ru/go::cp::2915::cp::url::cp::61::cp::0xD90CDD28/134ii988284uo229qu779ic182wn50rr&urlHash=1.4490098802000302E22 - what is this bit about? /go::cp::2915::cp::url::cp::61::cp::0xD90CDD28

*************************************************************

Received: from 01.healtingoods.xyz ([85.93.19.55])

85.93.19.55 is http://www.poulter.de/ - seems to be a personal domain? Is the email likely to be from there or just being bounced? If bounced and I contact them, is there anything they can do to stop it or am I just wasting my time?

SpamCop v 4.8.6 © 2017 Cisco Systems, Inc. All rights reserved.
Here is your TRACKING URL - it may be saved for future reference:
https://www.spamcop.net/sc?id=z6432302980z3d6073bb26a9063ac0d9fbd4cee039f6z

Return-Path: <>
Received: from cm12gb1 (10.101.251.12) by mail.svcgb1.int.opaltelecom.net (8.6.146) id 5A3442BC0068C050 for ME***@tiscali.co.uk; Wed, 27 Dec 2017 09:16:49 +0000
Message-ID <5A34________C050@ms13gb1.int.opaltelecom.net> (added by postmaster@mail.svcgb1.int.opaltelecom.net)
Received: from 01.healtingoods.xyz ([85.93.19.55]) by mx.talktalk.net with SMTP id U7pRe5Bkfn260U7pReUxjt; Wed, 27 Dec 2017 09:16:49 +0000
X-Delivered-To: x
from:=?UTF-8?B?SW5zdXJhbmNlIFF1b3Rl?= <x>
x =?UTF-8?B?QXJlIHlvdSBhbmQgeW91ciBmYW1pbHkgcHJvdGVjdGVkPyA=?=
date:Wed, 27 Dec 2017 10:16:50 +0100
x
reply-to:<x>
content-type:text/html;
X-Priority:1
X-CMAE-Envelope: MS4wfCzmZzns6p4GUALWbyjysr4DYzbkgQxkJ24nLEE2mV5IdQ32AsistMbejuszTGVwUtghVQNCMbhfCBUDqd0/pYHn5K5APIfN4rOWtRpY2JOOdry486E+bxs1jDtYjGNl/4P3t7Ef6m8HfwY0c7XQmSo=
Content-Type: text/plain
X-SpamCop-note: Converted to text/plain by SpamCop (outlook/eudora hack)

Parsing header:
This header is incomplete. Please supply the full headers of the spam you're trying to report.
No source IP address found, cannot proceed.
By email

########################################
########################################

Return-Path: <>
Received: from cm12gb1 (10.101.251.12) by mail.svcgb1.int.opaltelecom.net (8.6.146) id 5A3442BC0068C050 for ME***@tiscali.co.uk; Wed, 27 Dec 2017 09:16:49 +0000
Message-ID: <5A3442BC0068C050@ms13gb1.int.opaltelecom.net> (added by postmaster@mail.svcgb1.int.opaltelecom.net)
Received: from 01.healtingoods.xyz ([85.93.19.55]) by mx.talktalk.net with SMTP id U7pRe5Bkfn260U7pReUxjt; Wed, 27 Dec 2017 09:16:49 +0000
X-Delivered-To: ME**@tiscali.co.uk
from:=?UTF-8?B?SW5zdXJhbmNlIFF1b3Rl?= <contact@georgia.gov>
subject:ME***@tiscali.co.uk =?UTF-8?B?QXJlIHlvdSBhbmQgeW91ciBmYW1pbHkgcHJvdGVjdGVkPyA=?=
date:Wed, 27 Dec 2017 10:16:50 +0100
to:ME***@tiscali.co.uk
reply-to:<reply@georgia.gov>
content-type:text/html;
X-Priority:1
X-CMAE-Envelope: MS4wfCzmZzns6p4GUALWbyjysr4DYzbkgQxkJ24nLEE2mV5IdQ32AsistMbejuszTGVwUtghVQNCMbhfCBUDqd0/pYHn5K5APIfN4rOWtRpY2JOOdry486E+bxs1jDtYjGNl/4P3t7Ef6m8HfwY0c7XQmSo=

----Original Message----
From: contact@georgia.gov
Date: 27/12/2017 9:16
To: <ME***@tiscali.co.uk>
Subj: ME***@tiscali.co.uk

Are you and your family protected?
Avoid NHS waiting lists - find out more
http://thelib.ru/go?url=0xD90CDD28/gSNnm.png
http://5.189.188.248/Creatives/gSNnm.png
http://5.189.188.248 is https://contabo.de/

SpamCop v 4.8.6 © 2017 Cisco Systems, Inc. All rights reserved.
Here is your TRACKING URL - it may be saved for future reference:
https://www.spamcop.net/sc?id=z6432306412zed1cce979ae307a328ee9f5ff2f5ecc1z

Return-Path: <>
Received: from cm12gb1 (10.101.251.12) by mail.svcgb1.int.opaltelecom.net (8.6.146) id 5A3442BC0068C050 for x; Wed, 27 Dec 2017 09:16:49 +0000
Message-ID: <5A34________C050@ms13gb1.int.opaltelecom.net> (added by postmaster@mail.svcgb1.int.opaltelecom.net)
Received: from 01.healtingoods.xyz ([85.93.19.55]) by mx.talktalk.net with SMTP id U7pRe5Bkfn260U7pReUxjt; Wed, 27 Dec 2017 09:16:49 +0000
X-Delivered-To: x
from:=?UTF-8?B?SW5zdXJhbmNlIFF1b3Rl?= <contact@georgia.gov>
subject:x =?UTF-8?B?QXJlIHlvdSBhbmQgeW91ciBmYW1pbHkgcHJvdGVjdGVkPyA=?=
date:Wed, 27 Dec 2017 10:16:50 +0100
to:x
x
content-type:text/html;
X-Priority:1
X-CMAE-Envelope: MS4wfCzmZzns6p4GUALWbyjysr4DYzbkgQxkJ24nLEE2mV5IdQ32AsistMbejuszTGVwUtghVQNCMbhfCBUDqd0/pYHn5K5APIfN4rOWtRpY2JOOdry486E+bxs1jDtYjGNl/4P3t7Ef6m8HfwY0c7XQmSo=

Parsing header:

Received: from cm12gb1 (10.101.251.12) by mail.svcgb1.int.opaltelecom.net (8.6.146) id 5A3442BC0068C050 for x; Wed, 27 Dec 2017 09:16:49 +0000
host 10.101.251.12 (getting name) no name
10.101.251.12 discarded

Received: from 01.healtingoods.xyz ([85.93.19.55]) by mx.talktalk.net with SMTP id U7pRe5Bkfn260U7pReUxjt; Wed, 27 Dec 2017 09:16:49 +0000
host 85.93.19.55 = vega.poulter.de (cached)
vega.poulter.de is 85.93.19.55
Possible spammer: 85.93.19.55
Received line accepted

Tracking message source: 85.93.19.55:
Routing details for 85.93.19.55
support@isp4p.net bounces (34229 sent : 18323 bounces)
Using support#isp4p.net@devnull.spamcop.net for statistical tracking.
info@ip-interactive.de bounces (1100 sent : 640 bounces)
Using info#ip-interactive.de@devnull.spamcop.net for statistical tracking.
Report routing for 85.93.19.55: support#isp4p.net@devnull.spamcop.net, info#ip-interactive.de@devnull.spamcop.net

Message is 12 hours old
85.93.19.55 not listed in cbl.abuseat.org
85.93.19.55 not listed in dnsbl.sorbs.net
85.93.19.55 not listed in accredit.habeas.com
85.93.19.55 not listed in plus.bondedsender.org
85.93.19.55 not listed in iadb.isipp.com

Finding links in message body
Parsing text part
error: couldn't parse head
Message body parser requires full, accurate copy of message
More information on this error..
no links found

Please make sure this email IS spam:
From: =?UTF-8?B?SW5zdXJhbmNlIFF1b3Rl?= <contact@georgia.gov>
subject:x =?UTF-8?B?QXJlIHlvdSBhbmQgeW91ciBmYW1pbHkgcHJvdGVjdGVkPyA=?= date:Wed, 27 Dec 2017 10:16:50 +0100 to:x x content-type:text/html; X-Priority:1
(x =?UTF-8?B?QXJlIHlvdSBhbmQgeW91ciBmYW1pbHkgcHJvdGVjdGVkPyA=?= date:Wed, 27 Dec 2017 10:16:50 +0100 to:x x content-type:text/html; X-Priority:1)

----Original Message----
From: contact@georgia.gov

Report spam to:
Re: 85.93.19.55 (Administrator of network where email originates)
To: support#isp4p.net@devnull.spamcop.net
To: info#ip-interactive.de@devnull.spamcop.net
Lking Posted December 28, 2017

Dave, welcome to the fight to control spam.

First, it would be most helpful, when you have questions about spam or what the SC parser has done, to include the TRACKING URL for the submitted spam. The Tracking URL is at the top of the screen:

Quote:
SpamCop v 4.8.6 © 2017 Cisco Systems, Inc. All rights reserved.
Here is your TRACKING URL - it may be saved for future reference:
https://www.spamcop.net/sc?id=z6432306412zed1cce979ae307a328ee9f5ff2f5ecc1z

This approach to posting questions also has the advantage of not making the thread a long scroll; depending on the browser used, the thread (questions) can be in one window and the spam/parser results in another. Case in point: I finally scrolled down far enough to find your Tracking URL(s) and changed my "Quote" example above to include one of the TWO Tracking URLs in your post:

Quote:
https://www.spamcop.net/sc?id=z6432302980z3d6073bb26a9063ac0d9fbd4cee039f6z
and
https://www.spamcop.net/sc?id=z6432306412zed1cce979ae307a328ee9f5ff2f5ecc1z

It is hard for me to figure out what is going on, but it seems that the second Tracking URL (...ecc1z) is the email you received, which included a forwarded message. The first Tracking URL (...9f6z) is an attempt to submit the "Original message" to the parser. Assuming this is correct, you cannot cobble together a message and get valid results. That is why ...9f6z ends with:

Quote:
This header is incomplete. Please supply the full headers of the spam you're trying to report.
No source IP address found, cannot proceed.

The "Original message" should not be reported by you. You can only report spam you receive, not something forwarded to you.

Looking at Tracking URL ...ecc1z, I think the answer you are looking for, to do your own reporting to the source of the email you received, is:

Quote:
host 85.93.19.55 = vega.poulter.de (cached)
vega.poulter.de is 85.93.19.55
Possible spammer: 85.93.19.55
Received line accepted
Tracking message source: 85.93.19.55:
support@isp4p.net bounces (34229 sent : 18323 bounces)
Using support#isp4p.net@devnull.spamcop.net for statistical tracking.
info@ip-interactive.de bounces (1100 sent : 640 bounces)
Using info#ip-interactive.de@devnull.spamcop.net for statistical tracking.

The parser decided that the source of the message was 85.93.19.55. SC found support[at]isp4p.net as an abuse address for that IP address; however, ~half of the reports sent to that mailbox are bounced, so, as not to clog the internet with messages that will be bounced (and the return messages), SC just tracks the information with a devnull message. The same is also true for the alt abuse address info[at]ip-interactive.de.

Again, welcome to the fight.
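The following is an added worked example for readers of this thread; it is not SpamCop's code or output and was not posted by DaveC or Lking. It applies the rule the parser output above shows to the header from the first post: decode the =?UTF-8?B?...?= encoded words in From and Subject, walk the Received lines from newest to oldest, discard relays from private address space (the 10.101.251.12 line the parser "discarded"), accept the first hop that arrived from a public address as the message source, and work out the message age from that hop's timestamp. RAW_HEADERS is the posted header with its redaction kept and the X-CMAE-Envelope line left out; SUBMITTED_AT is a constructed "now" chosen to reproduce the 12 hours the parser reported. The abuse-contact lookup (the isp4p.net / ip-interactive.de routing) is a WHOIS step that needs network access and is not modelled here.

```python
"""Pick the message source out of a spam header's Received chain.

Added example for this thread, not SpamCop's code.  RAW_HEADERS is the
header DaveC posted (redaction kept, X-CMAE-Envelope omitted).
"""
import ipaddress
import re
from datetime import datetime, timezone
from email.header import decode_header
from email.parser import HeaderParser
from email.utils import parsedate_to_datetime

RAW_HEADERS = (
    "Return-Path: <>\n"
    "Received: from cm12gb1 (10.101.251.12) by mail.svcgb1.int.opaltelecom.net"
    " (8.6.146) id 5A3442BC0068C050 for ME***@tiscali.co.uk;"
    " Wed, 27 Dec 2017 09:16:49 +0000\n"
    "Message-ID: <5A3442BC0068C050@ms13gb1.int.opaltelecom.net>"
    " (added by postmaster@mail.svcgb1.int.opaltelecom.net)\n"
    "Received: from 01.healtingoods.xyz ([85.93.19.55]) by mx.talktalk.net"
    " with SMTP id U7pRe5Bkfn260U7pReUxjt; Wed, 27 Dec 2017 09:16:49 +0000\n"
    "X-Delivered-To: ME**@tiscali.co.uk\n"
    "from:=?UTF-8?B?SW5zdXJhbmNlIFF1b3Rl?= <contact@georgia.gov>\n"
    "subject:ME***@tiscali.co.uk"
    " =?UTF-8?B?QXJlIHlvdSBhbmQgeW91ciBmYW1pbHkgcHJvdGVjdGVkPyA=?=\n"
    "date:Wed, 27 Dec 2017 10:16:50 +0100\n"
    "to:ME***@tiscali.co.uk\n"
    "reply-to:<reply@georgia.gov>\n"
    "content-type:text/html;\n"
    "X-Priority:1\n"
    "\n"
)

# Constructed "now": the parser output says the message was 12 hours old.
SUBMITTED_AT = datetime(2017, 12, 27, 21, 16, 49, tzinfo=timezone.utc)

# Matches "from <helo> (<ip>) ... by <host>" and "from <helo> ([<ip>]) ... by <host>".
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)"
    r".*?\bby\s+(?P<by>\S+)",
    re.DOTALL,
)


def decode_encoded_words(value):
    """Turn RFC 2047 '=?charset?B?...?=' words into readable text."""
    parts = []
    for chunk, charset in decode_header(value):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts).strip()


def parse_received(raw_headers):
    """Return the Received hops as dicts, newest (topmost) first."""
    msg = HeaderParser().parsestr(raw_headers)
    hops = []
    for line in msg.get_all("Received", []):
        m = RECEIVED_RE.search(line)
        if not m:
            continue  # no "from <host> (<ip>)" clause: nothing verifiable here
        date = None
        if ";" in line:  # the timestamp follows the last semicolon
            try:
                date = parsedate_to_datetime(line.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                date = None
        hops.append({"helo": m["helo"], "ip": m["ip"], "by": m["by"], "date": date})
    return hops


def message_source(hops):
    """Newest to oldest: skip private/internal relays, accept the first public sender."""
    for hop in hops:
        try:
            addr = ipaddress.ip_address(hop["ip"])
        except ValueError:
            continue  # e.g. 999.1.1.1: not a real address, treat like a bad line
        if addr.is_private or addr.is_loopback or addr.is_reserved:
            continue  # internal relay, like 10.101.251.12 above ("discarded")
        return hop  # the handoff from the outside world into the recipient's MX
    return None


def message_age_hours(hop, now):
    """Whole hours between the accepted hop's timestamp and `now`."""
    if hop is None or hop["date"] is None:
        return None
    return round((now - hop["date"]).total_seconds() / 3600)


def summarize(raw_headers, now):
    """Everything a DIY reporter wants from the header, in one dict."""
    msg = HeaderParser().parsestr(raw_headers)
    hops = parse_received(raw_headers)
    src = message_source(hops)
    discarded = hops[: hops.index(src)] if src else hops
    return {
        "from": decode_encoded_words(msg["from"]),
        "subject": decode_encoded_words(msg["subject"]),
        "source_ip": src["ip"] if src else None,
        "source_helo": src["helo"] if src else None,
        "accepted_by": src["by"] if src else None,
        "discarded": [h["ip"] for h in discarded],
        "age_hours": message_age_hours(src, now),
    }


if __name__ == "__main__":
    for key, value in summarize(RAW_HEADERS, SUBMITTED_AT).items():
        print(f"{key}: {value}")
```

Run stand-alone it prints the decoded sender ("Insurance Quote <contact@georgia.gov>") and subject, names 85.93.19.55 as the source with 10.101.251.12 discarded, and reports an age of 12 hours. The one design choice worth noting is the direction of the walk: lines below the accepted hop were written by machines the recipient's provider does not control, so nothing in them is trusted, which is also why a forwarded copy with a pasted-in header cannot be parsed reliably.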
petzl Posted December 29, 2017

8 hours ago, DaveC said:
Quote:
Hi - First post. This was going to be a quick question but, having read a few comments, I thought I had better put in as much info as possible. I am getting a spam daily in this format. When I submit it, it just comes up with a devnull stats message. Please can anyone help me decipher the header and suggest where it might have come from so I can do some DIY reporting - I have very limited knowledge. Apologies if this is in the wrong part of the forum - happy for it to be moved if required. It actually rejects the item if I send using the 2 part form but does a bit better by email??

At the top of the submission, before you submit, is a tracking URL. Send this rather than wasting time with FULL HEADERS!

Quote:
Here is your TRACKING URL - it may be saved for future reference:

SpamCop has problems with legacy issues where abuse addresses are hard-coded in and never expire, even when that address goes belly up. Always check the abuse address with a WhoIs program like IPNetInfo to confirm the abuse address (SpamCop is not being maintained, so most of its info is rubbish). Also send a report to yourself to see what the abuse desk does (they are useless). Always put the offending IP in the notes, at least!
DaveC (Author) Posted December 29, 2017

Hi. Thanks Lking for the quick, informative reply, and petzl for the additional observations.

The 2 messages are the same message. The first message, ...039f6z, was submitted using the two part submission form, Header then Body. As there is nothing in the body that can be copied, I extracted the links for the image and for the "click here" link and put them in the body section (I did not tinker with the header in any way). I have always extracted the links in previous submissions over maybe 2 years and SC picked them up - reports have been sent to those links when I felt it was good to do so. Over the last 3 weeks I have done this and they are all rejected saying the header is incomplete. (I don't understand why, as I open the full header, select it, copy it and paste it as I have always done.)

The second attempt was to send the same message to SC via my email link; it does suggest this, "Submitting spam via email (may work better)", as part of the incomplete header message. I have not tried this very often and may have misunderstood the instructions. When I have forwarded phishing emails to banks or building societies or Amazon or BT etc., I copy the header off the spam email and paste it just above the actual spam message, as I have assumed that if I don't do that it will be lost to whoever I send it to and the forwarded email they receive will have very little information. In this case, had I not pasted the header and the links for the body, all that would have been received at SC would be:

----Original Message----
From: contact@georgia.gov
Date: 27/12/2017 9:16
To: <ME***@tiscali.co.uk>
Subj: ME***@tiscali.co.uk

Are you and your family protected?
Avoid NHS waiting lists - find out more

SC came up with poulter.de, then prepared null reports for the spread of domains: Abuse contact for '85.93.19.0 - 85.93.19.255' is '' support@isp4p.net & info@ip-interactive.de. I have looked at the site by name, however, and he has this page http://www.poulter.de/impressum.html with a report address of webmaster@poulter.de. This is where I propose to send a report, but first I was wondering if the spam was actually coming from there or just being bounced via there.

I have been reporting spam for over 10 years - it was always Russian sites with Pills - now it is anything!! anywhere!! Maybe on a pay per click crap scheme? Otherwise I don't know why they do it.

My latest observation is that Pinterest is littered with images of spam pages - I am not registered with them but send them lists of pages with these images on - sometimes they fix them, sometimes they don't. I suppose I should register, then I could report them individually, but that is more time consuming. This is the sort of thing I mean: https://www.pinterest.co.uk/anwarmailer/
Lking Posted December 29, 2017

6 hours ago, DaveC said:
Quote:
I have always extracted the links in previous submissions over maybe 2 years and SC picked them up

When things worked before and do not work now, my first question is 'what has changed?' Has your email app changed? Been updated? As stated in one of the links in the results:

Quote:
SpamCop has become more and more strict over the years about the formatting of spam. Although SpamCop is very tolerant of formatting errors and formatting tricks produced by spammers, it has also grown less and less tolerant of errors introduced by users after the spam is received.

There are different views of where SC sends spam reports. If you have better destinations for reports, suggested updates can be posted to <Reporting Help> <Routing/Reporting Address Issues>.
DaveC (Author) Posted December 29, 2017

I am not aware of any changes in email; however, they mess with it on a regular basis. Personally I can't see why they can't spot an email that gets here through a series of smoke and mirrors so that it is, at the very least, diverted to a spam folder - it doesn't even flag as possible spam, which I see on Gmail.

I had read the para re introduced errors but, probably like most other users, would think that did not apply to me.

I have asked poulter.de if they are aware that spam appears to be coming from one of their domains. Even if it is blocked, the spammer will simply switch to another - I am sure they will have a list of semi-unused sites with leaky security.

Will report back if anything happens, and if I get a spam in a format that I can add in the links and get SC to pick them up and prepare a report, I will come back and show what I mean.

Best wishes for the new year.
Archived
This topic is now archived and is closed to further replies.