Magna atque magnifica Oz
Posted January 23, 2018

Hello,

A few days ago, I started encountering spam messages which cannot be processed due to what appears to be a problem with resolving an ipv6 address. Here is the tracking link: https://www.spamcop.net/sc?id=z6437392727zd5176b494aaf328f9c8ad3ba8a7727ebz

The error I received with this particular one was:

    No unique hostname found for source: 2002:a17:902:aa4a:0:0:0:0
    Possible forgery. Supposed receiving system not associated with any of your mailhosts
    Will not trust this Received line.
    Mailhost configuration problem, identified internal IP as source

The receiving account is a gmail account, and the sending IP (according to gmail) is 114.147.58.100, which belongs to ocn.ad.jp aka the ISP from Hell. There are also numerous references to ocn throughout the header, so I am confident that they are the source.

The only place that the aforementioned ipv6 address occurs in the entire header is a single X-Received: line. Every gmail message I've checked has an X-Received: line (invariably with a 10.xxx.xxx.xxx IP address), so I don't know if it's a google error, or if ocn spammers have figured out how to spoof this field, or if the problem is internal to Spamcop.

I couldn't find anybody having a similar problem in the forum. I even tried going through the spamcop registration process again, but that didn't solve the problem. The only thing that seems consistent is that these errors only occur with spams sent from ocn.

Hopefully, somebody out there has some ideas.

lisati
Posted January 23, 2018

When I checked the link you provided, I noticed this line:

    Mailhost configuration problem, identified internal IP as source

Have you configured the mailhost(s) for your email accounts?

Magna atque magnifica Oz (Author)
Posted January 24, 2018

22 hours ago, lisati said:
> When I checked the link you provided, I noticed this line:
> Have you configured the mailhost(s) for your email accounts?

Yes. That's what I meant when I said I went through the Spamcop registration process again. Sorry if I was unclear.

It's cropped up again with invision7.com, an ISP out of Malaysia. So, for the moment, it seems to be isolated to ISPs in East Asia.

I am certain that the problem originates with the X-Received line that Gmail throws into its headers. The usual ipv4 10.xxx.xxx.xxx works fine, but an ipv6 address seems to give the parser indigestion. The X-Received line is the ONLY place that the ipv6 address appears in these problem emails.

While composing this message, I did some digging, and discovered that the ipv6 address that's been causing me grief (2002:a17:902:xxxx) is reserved for 6to4 conversion and translates, interestingly enough, back to ipv4 10.xxx.xxx.xxx. So, it's starting to look like an oversight in the parser where the 6to4 conversion is concerned.

petzl
Posted January 24, 2018

1 hour ago, Magna atque magnifica Oz said:
> Yes. That's what I meant when I said I went through the Spamcop registration process again. Sorry if I was unclear.
> It's cropped up again with invision7.com, an ISP out of Malaysia. So, for the moment, it seems to be isolated to ISPs in East Asia.
> I am certain that the problem originates with the X-Received line that Gmail throws into its headers. The usual ipv4 10.xxx.xxx.xxx works fine, but an ipv6 address seems to give the parser indigestion. The X-Received line is the ONLY place that the ipv6 address appears in these problem emails.
> While composing this message, I did some digging, and discovered that the ipv6 address that's been causing me grief (2002:a17:902:xxxx) is reserved for 6to4 conversion and translates, interestingly enough, back to ipv4 10.xxx.xxx.xxx. So, it's starting to look like an oversight in the parser where the 6to4 conversion is concerned.

Yes Gmail has "upgraded(downgraded)" its headers for customers?

A.J.Mechelynck
Posted January 24, 2018

See also

Magna atque magnifica Oz (Author)
Posted January 24, 2018

6 hours ago, petzl said:
> Yes Gmail has "upgraded(downgraded)" its headers for customers?

Not really. I have some old Gmail messages from 2013 with the same type of X-Received field. It seems to be an unintended consequence of the transition to ipv6 which Spamcop was unprepared to deal with. Understandable, because this IP range was designated for private use, and Spamcop would have no reason to expect to see them.

petzl
Posted January 24, 2018

8 hours ago, Magna atque magnifica Oz said:
> Not really. I have some old Gmail messages from 2013 with the same type of X-Received field. It seems to be an unintended consequence of the transition to ipv6 which Spamcop was unprepared to deal with. Understandable, because this IP range was designated for private use, and Spamcop would have no reason to expect to see them.

OK just got one of those when it was posted here? No troubles since

Magna atque magnifica Oz (Author)
Posted January 27, 2018

Update: The situation is getting worse. It started with only ISPs on the Asia/Pacific rim, and now it's cropping up in spams from ISPs in the continental U.S. Half of the spam emails I received today were unreportable because of this.

Cowboy Bob
Posted February 3, 2018

Am I to understand from this discussion that this is a rapidly escalating problem that is beyond my control, and that all I can do when I get the "nothing to report" message from SpamCop is to ignore it, and hope that sometime soon Google and/or SpamCop can figure out how to fix the problem?

Cowboy Bob
Posted February 3, 2018

Is anyone aware of any blog posts, news articles, news releases, or any other indication that Google and/or SpamCop is aware of this new kind of spam and that they are doing anything about it (or have decided not to)? I'm very uneasy living in a world where the evidence points to the conclusion that the bad guys are winning.

A.J.Mechelynck
Posted February 3, 2018

Cowboy Bob: As described in the thread "IPv6 still unsupported?" mentioned a few posts earlier in this thread, when SpamCop fails because the spam had an "X-Received" line with an (unroutable) address in IPv6 format, just cut that line and any continuation (i.e. indented) line(s) following it: the parse will then succeed and you can paste the offending line(s) into the user's comment box at the bottom of the parse, perhaps with a title like "The following line had to be snipped to avoid spamcop malfunction:" or something, before you send the reports.

We can hope that someday the parser logic will be slightly modified to take care of this automagically, but AFAIK SpamCop maintenance is a low-priority business, so don't put your hopes too high.

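The workaround from the post above as a script, together with the 6to4 decoding described earlier in the thread (an added example, not part of any post and not SpamCop's parser). The function names and the sample headers are constructed for illustration; only the address 2002:a17:902:aa4a:0:0:0:0 comes from the thread.

```python
import ipaddress
import re

# Loose match for IPv6-looking tokens; ipaddress does the real validation.
IPV6_TOKEN = re.compile(r"[0-9A-Fa-f]{1,4}(?::[0-9A-Fa-f]{0,4}){2,7}")

def embedded_private_v4(token):
    """Return the private IPv4 address a 6to4 (2002::/16) literal wraps, else None."""
    try:
        addr = ipaddress.IPv6Address(token)
    except ValueError:            # e.g. a timestamp such as 01:33:20
        return None
    v4 = addr.sixtofour           # None unless the address is in 2002::/16
    return v4 if v4 is not None and v4.is_private else None

def snip_x_received(raw_headers):
    """Return (kept, snipped): X-Received fields carrying a 6to4-wrapped private
    address are cut together with their indented continuation lines."""
    fields = []
    for line in raw_headers.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1].append(line)          # folded continuation line
        else:
            fields.append([line])
    kept, snipped = [], []
    for field in fields:
        is_xr = field[0].lower().startswith("x-received:")
        tokens = IPV6_TOKEN.findall(" ".join(field))
        if is_xr and any(embedded_private_v4(t) is not None for t in tokens):
            snipped.extend(field)            # paste these into the comment box
        else:
            kept.extend(field)
    return "\n".join(kept), "\n".join(snipped)

# Constructed sample headers (hosts, ids and times are made up).
SAMPLE = "\n".join([
    "Delivered-To: user@example.com",
    "X-Received: by 2002:a17:902:aa4a:: with SMTP id x1mr100.1.1516700000000;",
    "        Tue, 23 Jan 2018 01:33:20 -0800 (PST)",
    "X-Received: by 10.28.1.5 with SMTP id y2mr200.2.1516700000001;",
    "        Tue, 23 Jan 2018 01:33:19 -0800 (PST)",
    "Received: from mail.example.net (mail.example.net. [203.0.113.7])",
    "        by mx.example.com with ESMTP id z3si300.2018.01.23.01.33.18",
    "Subject: constructed sample",
])

if __name__ == "__main__":
    kept, snipped = snip_x_received(SAMPLE)
    print(embedded_private_v4("2002:a17:902:aa4a:0:0:0:0"))
    print("--- submit ---\n" + kept + "\n--- snipped ---\n" + snipped)
```

The IPv4-form X-Received field and all Received fields are left in place, so the text submitted for parsing differs from the original only by the snipped lines.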
Cowboy Bob
Posted February 27, 2018

Thanks A.J.Mechelynck,

That worked for me. I use Google's Inbox for Gmail, and this only adds about 2 mouse clicks and less than 5 seconds to the time it takes me to submit a spam to SpamCop. I only paste the X-Received line into the comment box; I don't type anything, and that has never raised any problems. My guess would be that deleting the X-Received line is all that matters, and that the user's comment isn't needed at all.