klappa Posted February 20, 2018

Recently I've got several phishing spam e-mails where SpamCop has a problem finding the source IP. It has an IPv6 address.

Parsing header:
host 2002:a17:902:968e:0:0:0:0 (getting name) no name
0: Received: by 2002:a17:902:968e:: with SMTP id n14-v6mr17341432plp.21.1519125092798; Tue, 20 Feb 2018 03:11:32 -0800 (PST)
No unique hostname found for source: 2002:a17:902:968e:0:0:0:0
Possible forgery. Supposed receiving system not associated with any of your mailhosts
Will not trust this Received line.
Mailhost configuration problem, identified internal IP as source
Mailhost:
Please correct this situation - register every email address where you receive spam
No source IP address found, cannot proceed.

Here's the full e-mail header.

Delivered-To: x
Received: by 10.140.17.166 with SMTP id 35csp5053975qgd;
        Tue, 20 Feb 2018 03:11:32 -0800 (PST)
X-Google-Smtp-Source: AH8x224K8EtTlH91SvD5EnHpHEDVS/HuvBrl3NjoqwAlh53HQcCPMB5F6HAiTiutJMNxFVkMaAD8
X-Received: by 2002:a17:902:968e:: with SMTP id n14-v6mr17341432plp.21.1519125092798;
        Tue, 20 Feb 2018 03:11:32 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1519125092; cv=none;
        d=google.com; s=arc-20160816;
        b=zY8+LATQ6rtkMmZafX3BoHX+x9gLlAgJ0JBI60ZSnh3Wzn4DJp2zfSktOPpi65Yq7n
         SGFg6QDpIgMut9h6rR5roEu+GChwUzy1R6EC8UGQkhz4aqDUhKcMQbYyo/Pj5Ce8bJLk
         WktKF6lklIAxippTa5FhwFhQlzFGqvGpHL3lySBtiZVpv9EJ4oBxlqDz8h53bSPEDEzF
         YaRxniWGNETCO/z7524HW5ztD08HWYEczKbLSDW031FYSPZF3K8cPCvK+Ci0z4snimVi
         aRaqAUG9tNBTg1s7EoWUAEcfL1G+9hNEtT9YoZStToD6i7P59j59S5Bctbk287jiaRz+
         Crzg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime-version:subject:message-id:reply-to
         :from:date:arc-authentication-results;
        bh=XgHhSVkGXCeZrEbTJfxFlQ+NGi30OMh5lUpaPwhKx/0=;
        b=NGtXFOsFUxir8lCCaLXCY7k4Tbe6YMhbTGlU7TUD34t++VgyI/KL6Ge/+ZAd4H72yV
         HGR4TiVpn2y/lHSRtBLOeF9PbxKE+okLkDPw9Zt7l5P/40YJpHelBkgoeC+7DGDtYNCI
         UdHRUKXxk3midNHI2OZgkz18LYHJ6ZX90BMZMmfaADPfxlxULo1j/mtBzzqV6CzIuRP2
         Bd6PIbO9wWp7aCqfyyHCcAvtH13o2Wgn4DK5Znmam0zP56ft5jg+r3Lz9uR4RmdpYF5a
         I3IyIEKXlHcc32yd2yByMQ1RlWwSr4tFzTfsOJqBNC0ODM46v1lBorXHqalmPtiBWivD
         s7aA==
ARC-Authentication-Results: i=1; mx.google.com;
        spf=pass (google.com: domain of www.@royal.ocn.ne.jp designates 153.149.233.27 as permitted sender) smtp.mailfrom=WWW.@royal.ocn.ne.jp
Return-Path: <WWW.@royal.ocn.ne.jp>
Received: from mbkd0226.ocn.ad.jp (mbkd0226.ocn.ad.jp. [153.149.233.27])
        by mx.google.com with ESMTP id f6si7228610pgn.336.2018.02.20.03.11.15;
        Tue, 20 Feb 2018 03:11:32 -0800 (PST)
Received-SPF: pass (google.com: domain of www.@royal.ocn.ne.jp designates 153.149.233.27 as permitted sender) client-ip=153.149.233.27;
Authentication-Results: mx.google.com;
        spf=pass (google.com: domain of www.@royal.ocn.ne.jp designates 153.149.233.27 as permitted sender) smtp.mailfrom=WWW.@royal.ocn.ne.jp
Received: from mf-smf-ucb027c3 (mf-smf-ucb027c3.ocn.ad.jp [153.153.66.171])
        by mbkd0226.ocn.ad.jp (Postfix) with ESMTP id 532CDD07339;
        Tue, 20 Feb 2018 20:11:15 +0900 (JST)
Received: from ntt.pod01.mv-mta-ucb022 ([153.149.142.85])
        by mf-smf-ucb027c3 with ESMTP id o5p9emuQ1jyDio5pKee0FW;
        Tue, 20 Feb 2018 20:11:15 +0900
Received: from vcwebmail.ocn.ad.jp ([153.149.227.134])
        by ntt.pod01.mv-mta-ucb022 with id CzBE1x00F2ud8JZ01zBESa;
        Tue, 20 Feb 2018 11:11:14 +0000
Received: from mzcstore292.ocn.ad.jp (mz-fcb292p.ocn.ad.jp [180.37.202.229])
        by vcwebmail.ocn.ad.jp (Postfix) with ESMTP;
        Tue, 20 Feb 2018 20:11:14 +0900 (JST)
Date: Tue, 20 Feb 2018 20:11:14 +0900 (JST)
From: Dr James Wadas <WWW.@royal.ocn.ne.jp>
Reply-To: Dr James Wadas <janepilot3@gmail.com>
Message-ID: <384029775.6673075.1519125074670.JavaMail.root@royal.ocn.ne.jp>
Subject: REPLY TO HER QUICK
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-2022-JP
Content-Transfer-Encoding: 7bit
X-Originating-IP: [197.234.221.176]

Urgent Attention

This is my second time I am sending you this notification, simply contact jane hillary the pilot with your contact information and your nearest airport to land, so that she can deliver the Package worth ($9.5 Million USD) as she just landed in your country now but misplaced your information, she will give you more details when you re-confirm details. Your personal code to the box is XLA21492014SD. NB indicate this code to the diplomat jane hillary, so that she can know that you are the rightful owner of the box.

Contact her with the information listed below
Name.... jane hillary
Email....(janepilot3@gmail.com)
Phone....._(608)7138825

Reconfirm your current information as requested below
Beneficiary Name..........
Country.................
City.....................
Current address...........
Nearest airport...........
Direct phone number.......
I.d copy................

Best regard
Dr James Wadas

Lking Posted February 20, 2018

Not to be redundant, but could you provide the Tracking URL? I understand you have included inline in your post, what you feel is the pertinent information. But have you provided all the pertinent information? We don't know for sure.

petzl Posted February 20, 2018

6 hours ago, klappa said:
Recently I've got several phishing spam e-mails where SpamCop has a problem finding the source IP. It has an IPv6

The spammer is putting in fake headers! To get around this you need to look for "ARC-Authentication" and snip above that; copy from there down. In notes add the bit you snip out.

Track URL: https://www.spamcop.net/sc?id=z6439116336z607dabe7cb156e8f3743b8d25d345f64z

X-Google-Smtp-Source: AH8x224uqG6EmUcfBYgUUgeXFVG8X7M7w5W/y8cGQeu6qelGfT+SEvNeSk l7OwtDDHo5q1hWz5kT
X-Received: by 2002:a17:902:7c95:: with SMTP id y21- v6mr18271267pll.243.1517248215276; Mon, 29 Jan 2018 09:50:15 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1517248215; cv=none; d=google.com; s=arc-20160816;
        b=rEEv75F5u0pdFSKOVadtEjk7uJrCHelc0PyQpdByEDyjWWjuZAdEQzdb Zas46sOavz
         uq51pjdot+3JquNVN0ArIXIeJJew2WImCbj67CeH8ko2enKHNcnHlQ1EJD dViFjkCSvW
         h3yeMgOFqQvdv+kwXc+DD2D/1dVJgtV+zRwqNxbf6l3XouOpPm9OAvSBe1 LxCIl4+801
         RhuvHrHmUiE/o/4qBrkkG98sZu/st4ucNXuFjBeFuIGOylzcgjk54wbEUR sV6ln/17pW
         n98BWquLG8kkXQdrvDvlSVhJX/6J7oqN2iar7/rKIoeAnaS0jFjkkBMarB /vhun3z0MW
         bhVg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime- version:subject:message-id:reply-to :from:date:arc-authentication-results;
        bh=+eTI5hmwWM+vKJlIEYpqSa+SlkHtoDA4l9SsJgC1tGw=;
        b=hOw+HMMu1x1S7eUFnQM79pTuWFRcJBn4lEk/FyRJpWis8wxd8RSwrd1q qwME2N+mob
         Hi35I+9CK7jjE3se5bTIjjgs/phnbdSv/5sIymQuFxTOLWPwNK2WR2luHK c0Rf2PpqT3
         BepCqTZ7svwzP1ft10n4kUJxpwJDe3ZHRZ/9GsJZfibirT/TT9O+3yEdwn 3+8ZHmWwsp
         EmhUGPM4kjpNy37Whc8gs+Lzlkgxqs+FfEAe+vBXLCOE5vj50tkwys2YYc 3dnFsluIGy
         TT25JEqtd1iaFeQcYHuvN2AJkwOQfwgFeXg1hkdPTtRLAzDSElyMbEYK+B 1yCmQ7bLXy
         pyYA==

klappa Posted February 28, 2018

On 2018-02-20 at 5:15 PM, Lking said:
Not to be redundant, but could you provide the Tracking URL? I understand you have included inline in your post, what you feel is the pertinent information. But have you provided all the pertinent information? We don't know for sure.

How do I provide the tracking URL? SpamCop won't even process the spam since it can't find the source IP.

host 2002:a17:902:6b8a:0:0:0:0 (getting name) no name
0: Received: by 2002:a17:902:6b8a:: with SMTP id p10-v6mr18425780plk.432.1519838357678; Wed, 28 Feb 2018 09:19:17 -0800 (PST)
No unique hostname found for source: 2002:a17:902:6b8a:0:0:0:0
Possible forgery. Supposed receiving system not associated with any of your mailhosts
Will not trust this Received line.
Mailhost configuration problem, identified internal IP as source
Mailhost:
Please correct this situation - register every email address where you receive spam
No source IP address found, cannot proceed.
Add/edit your mailhost configuration
Finding full email headers
Submitting spam via email (may work better)
Example: What spam headers should look like
Nothing to do.

On 2018-02-20 at 8:06 PM, petzl said:
The spammer is putting in fake headers! To get around this you need to look for "ARC-Authentication" and snip above that; copy from there down. In notes add the bit you snip out.
Track URL: https://www.spamcop.net/sc?id=z6439116336z607dabe7cb156e8f3743b8d25d345f64z

Thanks! But since SpamCop won't process the spam (it won't recognize the source IP, so it won't process the spam), I don't know what to do. The spammer has used this IP dozens of times by now.

petzl Posted February 28, 2018

3 hours ago, klappa said:
How do I provide the tracking URL? SpamCop won't even process the spam since it can't find the source IP

BEFORE you submit, a tracking URL is provided at top of page.

This ARC "stamp" is marking a "X-Received" line; just remove/cut that line and SpamCop will parse fine. Put/paste that line in notes:

X-Received: by 2002:a17:902:7c95:: with SMTP id y21- v6mr18271267pll.243.1517248215276;

klappa Posted February 28, 2018

16 minutes ago, petzl said:
BEFORE you submit, a tracking URL is provided at top of page.
This ARC "stamp" is marking a "X-Received" line; just remove/cut that line and SpamCop will parse fine. Put/paste that line in notes:
X-Received: by 2002:a17:902:7c95:: with SMTP id y21- v6mr18271267pll.243.1517248215276;

Thank you!

nhraj700 Posted March 1, 2018

I received this same kind of message today and thanks to PETZL I have successfully submitted it. Thanks PETZL!!

klappa Posted March 12, 2018

Yea! Still continuing to get this spam with the fake IPv6 address. Now they even faked it in the Received line. Should I snip out that too and type it in the comment section?

petzl Posted March 12, 2018

2 hours ago, klappa said:
Yea! Still continuing to get this spam with the fake IPv6 address. Now they even faked it in the Received line. Should I snip out that too and type it in the comment section?

Seems there are a number of variants. Copy from, and including, this line down:

ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of www.@vanilla.ocn.ne.jp designates 153.149.236.39 as permitted sender)

Then copy and paste the above bit in notes after SpamCop has parsed it.

SpamStoolie Posted April 21, 2018

I am in the habit of forwarding my spam as attachments to SpamCop. As a result, this workaround does not work for me. It used to be that I was receiving a few messages which would not process, then more, now, it seems almost all of them. I hope that the SpamCop header parser will be fixed to deal with this.

petzl Posted April 21, 2018

7 hours ago, tblake@binghamton.edu said:
I am in the habit of forwarding my spam as attachments to SpamCop. As a result, this workaround does not work for me. It used to be that I was receiving a few messages which would not process, then more, now, it seems almost all of them. I hope that the SpamCop header parser will be fixed to deal with this.

Send a tracking URL; it seemed to have been fixed. The main problem I believe was Gmail setting headers wrong?

SpamStoolie Posted April 22, 2018

http://www.spamcop.net/sc?id=z6460654462z207d82e13360ff2fe7aad599170c37aez
http://www.spamcop.net/sc?id=z6460654464z4f25e7054847902a17f453c26cd55a7ez
https://www.spamcop.net/sc?id=z6460654632z423218ff03648c628e1a2946b3ae7e16z
https://www.spamcop.net/sc?id=z6460654633zdfb796f6890013829ae47a1cda700ef6z
http://www.spamcop.net/sc?id=z6460654716zc88fd6e070f8d5478faaa13b43ac54cfz
…

petzl Posted April 22, 2018

Afraid the headers are junk (to me) but will work if junk removed. Track: https://www.spamcop.net/sc?id=z6460699162zdabd939844b7514b24bbbd6395adb11az

Seems to be an Indian spammer using Twitter as a relay. Claims to be an "unsubscribe" Indian site. "They" have your email address anyhow; your choice to try it? http://night-mare.org/unsub/?a1b2c3d4e5/682534/0/12859#55711

Or try forwarding spam to "me[at]rescam.org". Rescam only works for/with a scammer's REAL email addresses. If it bounces, Rescam stops sending. Rescam will only reply to emails that respond. They do use an artificial intelligence BOT for replies. If your submission is accepted they/it will give you a reply with links to the nonsensical conversation. A bit like the BOT Lenny for nuisance calls.

petzl Posted April 23, 2018

On 4/21/2018 at 12:19 PM, SpamStoolie said:
It used to be that I was receiving a few messages which would not process, then more, now, it seems almost all of them

Check your sent mail; there was a problem with Gmail: https://news.google.com/news/story/dU3PtG5ZecqtanM2Dctcba56KqrVM?ned=us&hl=en&gl=US

SpamStoolie Posted April 23, 2018

SpamCop v 4.9.0 © 2018 Cisco Systems, Inc. All rights reserved.
Here is your TRACKING URL - it may be saved for future reference:
https://www.spamcop.net/sc?id=z6460902591ze58866bb7d3b017ceab1bc1dc060e36az
Mailhost configuration problem, identified internal IP as source
Mailhost:
Please correct this situation - register every email address where you receive spam
No source IP address found, cannot proceed.
Add/edit your mailhost configuration
Finding full email headers
Submitting spam via email (may work better)
Example: What spam headers should look like
Nothing to do.

petzl Posted April 24, 2018

11 hours ago, SpamStoolie said:
SpamCop v 4.9.0 © 2018 Cisco Systems, Inc. All rights reserved.
Here is your TRACKING URL - it may be saved for future reference:
https://www.spamcop.net/sc?id=z6460902591ze58866bb7d3b017ceab1bc1dc060e36az

Check your sent mail; there was a problem with Gmail: https://news.google.com/news/story/dU3PtG5ZecqtanM2Dctcba56KqrVM?ned=us&hl=en&gl=US

Lking Posted April 24, 2018

Have you looked at your Mailhost lately? Looks like your ISP may have changed configuration so that the IP 2002:a19:2203:0:0:0:0:0 is now in your received path.

Login to spamcop.net and click on the <mailhost> tab

SpamStoolie Posted April 24, 2018

I cannot count the number of times I have “added” all of my addresses.

Lking Posted April 24, 2018

MP sent.

petzl Posted April 24, 2018

7 hours ago, Lking said:
Have you looked at your Mailhost lately? Looks like your ISP may have changed configuration so that the IP 2002:a19:2203:0:0:0:0:0 is now in your received path.
Login to spamcop.net and click on the <mailhost> tab

The headers are faked by the spammer. Gmail has a problem; the top fake headers need removing:

Delivered-To: x
Received: by 2002:a19:2203:0:0:0:0:0 with SMTP id i3-v6csp3807840lfi;
        Mon, 23 Apr 2018 05:42:52 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZouH9uRREqqQY6Qz0qd656nSgVYRkNeZiYTX86AabWnCx2ioL9i5Pdbw/FTvtjnCec0Ah6G
X-Received: by 10.55.65.21 with SMTP id o21mr21204190qka.98.1524487372373;
        Mon, 23 Apr 2018 05:42:52 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1524487372; cv=none;
        d=google.com; s=arc-20160816;
        b=XvpHCp72Wirsv7guEqaJFpG5lGBXH0XQHx5t2Gb3Ajd9DpIFsuknOCSM2Ab2IntAXQ
         /qTmP76uAW0RvIBrR8ozGB4RvW5uNm4yKxl1DP8EF6jV+hrquvOb3QlbgXxM/78n6VN2
         VgCvX+xQoajpB0yVLs7Vpw2WKvUmj31XUgb6Kv3ekRi482Uf74Worx0ayFVOCbH0C741
         fvjaK3qt3qgC3rXA9MKqKxp4vThGXdpZ3KpenR5dh4IDWEttOmEGk5/BfYjkL2AsLJcI
         /Ab/FozgoKH62Vv8cETDvccVGuppvmus5jdPOY+sk65+CeKC3EPlj/jYQoSeJZNtWTwH
         QXyA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-unsubscribe:mime-version:subject:message-id:to:reply-to:from
         :date:dkim-signature:dkim-signature:arc-authentication-results;
        bh=3XGAO9t72kzYXZEHdxQCEi3LjBUqtSuDzaeNBgzlYXQ=;
        b=BHg7hIDgobGQ5CqYn9J7c3cd7jlENG6GrHfGZTcNxdZfO5d1iAc63GAQJTQzTUVTsU
         I/dnjBg3DjaZjKdSEhYSmehaQlBt/xaNZ/SjsP0tBTgpcPFlCC4l4tuB8L+JLB6ucOQT
         2OSHWAWe3UmzZ3lGCUT/Q1+EEF9p17GunwrtNh041niEvnkzGODBE5bE/gSBGmB002Dh
         UeaVaK9x3LwcVSy8hzWlN4hsmPj+quFINVnjzIdXpHSg8I0ZcOyYKI3Lhil4ZtZpbOcg
         NzYn6QsmAe7Q8NtneNOPkX+2DlOe4PuYv+Lcz32n1RSWw+4h1fICiWUE+Q7edR0OHuJZ
         c8KQ==

once done it parses OK.
the fake headers need to be put in "notes" if reported the spam stops was happening to me also send to gmail abuse
https://www.spamcop.net/sc?id=z6461173975zb86c716f56397882d476e60f06009a9dz

The network seems operated by criminal black-hat scumbags!
https://www.spamcop.net/w3m?action=checkblock&ip=199.15.213.67
Other hosts in this "neighborhood" with spam reports

SpamStoolie Posted April 25, 2018

While these problems may be related, I have been seeing this behavior for a while, and the spam does not show up as being from me. I don't see how a spammer could insert fake header lines at the top of a mail message. This appears to be a SpamCop parsing problem, caused by a change in how Gmail is handling mail. I have tried another message, trimming the top two header lines off, as you have done, and SpamCop parses it correctly. (Thank you.) However, as an experiment, I tried feeding the unadulterated headers to Google's tool: https://toolbox.googleapps.com/apps/messageheader/ (It did not choke.)

petzl Posted April 25, 2018

1 hour ago, SpamStoolie said:
I don't see how a spammer could insert fake header lines at the top of a mail message.

Thanks for the link (but it is rubbish; 2002:a19:2203:0:0:0:0:0 is not a routable address), but I was getting these forged headers for a while; only by reporting them, and to Google abuse, did they stop.

To insert forged headers you simply rename (My Computer) your computer to

ARC-Seal: i=1; a=rsa-sha256; t=1524487372; cv=none;
        d=google.com; s=arc-20160816;
        b=XvpHCp72Wirsv7guEqaJFpG5lGBXH0XQHx5t2Gb3Ajd9DpIFsuknOCSM2Ab2IntAXQ
         /qTmP76uAW0RvIBrR8ozGB4RvW5uNm4yKxl1DP8EF6jV+hrquvOb3QlbgXxM/78n6VN2
         VgCvX+xQoajpB0yVLs7Vpw2WKvUmj31XUgb6Kv3ekRi482Uf74Worx0ayFVOCbH0C741
         fvjaK3qt3qgC3rXA9MKqKxp4vThGXdpZ3KpenR5dh4IDWEttOmEGk5/BfYjkL2AsLJcI
         /Ab/FozgoKH62Vv8cETDvccVGuppvmus5jdPOY+sk65+CeKC3EPlj/jYQoSeJZNtWTwH
         QXyA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-unsubscribe:mime-version:subject:message-id:to:reply-to:from
         :date:dkim-signature:dkim-signature:arc-authentication-results;
        bh=3XGAO9t72kzYXZEHdxQCEi3LjBUqtSuDzaeNBgzlYXQ=;
        b=BHg7hIDgobGQ5CqYn9J7c3cd7jlENG6GrHfGZTcNxdZfO5d1iAc63GAQJTQzTUVTsU
         I/dnjBg3DjaZjKdSEhYSmehaQlBt/xaNZ/SjsP0tBTgpcPFlCC4l4tuB8L+JLB6ucOQT
         2OSHWAWe3UmzZ3lGCUT/Q1+EEF9p17GunwrtNh041niEvnkzGODBE5bE/gSBGmB002Dh
         UeaVaK9x3LwcVSy8hzWlN4hsmPj+quFINVnjzIdXpHSg8I0ZcOyYKI3Lhil4ZtZpbOcg
         NzYn6QsmAe7Q8NtneNOPkX+2DlOe4PuYv+Lcz32n1RSWw+4h1fICiWUE+Q7edR0OHuJZ
         c8KQ==

something like that?

BoZz Posted April 25, 2018

I am having a similar problem but with my Gmail account, which incidentally was working fine for several years and now all of a sudden reports as OP. Here are the headers; I will appreciate assistance to sort this out. Thank you

Delivered-To: XX@gmail.com
Received: by 2002:a02:2e2f:0:0:0:0:0 with SMTP id i47-v6csp84720jaa;
        Tue, 24 Apr 2018 16:45:48 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZpitjdypWKbv5qiyeBLlfA6pSCiphuJ43r+gpOMo3FD+9950DsCApz4tnf43t5L6H3e2zmM
X-Received: by 2002:ac8:2f3b:: with SMTP id j56-v6mr871886qta.224.1524613548510;
        Tue, 24 Apr 2018 16:45:48 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1524613548; cv=none;
        d=google.com; s=arc-20160816;
        b=WwUUrDt2+12FgTV2wFxSiO7vpR/7Jkt2F/w1JKm6v5FyEeHNoJpQEPxPvYdHnnTFaA
         jI9fQKWm7/55KFOm3+6SXcDI9Bh8Kb5wdp2faij6bnsERa+CtUPBKfXO0KrFKk7AFthz
         /9tNRX96KP2EIYeuxfR0m0Px7fDrDDWqCzg0I4lbvpvsLG7g3QjFUd2z29N9+tua2N4y
         2iD7pW0MlOIGOjLK40+p/gN5U3Az44XPaWLnlJPWuL9WgCnoYysIvq8Vssy++4+iyF+2
         JA4Pfmyx6f3r4xlH9XZK6q7sUBfyUHI4KXg3LBFCkG7dLei8rFdBwKP9DvbBaLHl8xz+
         hRyA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=message-id:date:to:reply-to:from:subject:dkim-signature
         :arc-authentication-results;
        bh=ZjUjCEsWH2aVC2CGWbHn+L+NhQvwmRNQ8aSeGQSqCYw=;
        b=ahC8mpr/isXkOo/LMEThmAi8JUivnDOe2tOg9FLv5n+Myd1outW2fIpJvGz6EriVYr
         jdnrEHy1QANczVXlR2hDxwz9tJHTPaJQjBDmmETBoV90q+ja9vQ5XJyl5S1GhhfB9UpH
         ZFCDVO5YozzpOfAJ/rEYir96Y4cZF7yfTPlAwtrbBM+TghFHOX7sBlZYxO/rG8AXNT/A
         wmLc0rNhocjTsbe5LtA7RHQkO6R69m0X+B8DrA/EYqcIv4x0VR1n4T+Km+e8g9K6NKh6
         a7zYsWZcqcqg2z/yGUHJeTk16jldRwae/7Fuk6GDbFFBqVOgDB7f/azkqlJ34rEHMApF
         GsWA==
ARC-Authentication-Results: i=1; mx.google.com;
        dkim=pass header.i=@sendgrid.net header.s=smtpapi header.b=wlibc3GP;
        spf=pass (google.com: domain of bounces+7434010-9aaf-XX=gmail.com@sendgrid.net designates 167.89.106.6 as permitted sender) smtp.mailfrom=bounces+7434010-9aaf-XX=gmail.com@sendgrid.net
Return-Path: <bounces+7434010-9aaf-XX=gmail.com@sendgrid.net>
Received: from o2.0qt.s2shared.sendgrid.net (o2.0qt.s2shared.sendgrid.net. [167.89.106.6])
        by mx.google.com with ESMTPS id q13-v6si1098455qtf.88.2018.04.24.16.45.47
        for <XX@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
        Tue, 24 Apr 2018 16:45:48 -0700 (PDT)
Received-SPF: pass (google.com: domain of bounces+7434010-9aaf-XX=gmail.com@sendgrid.net designates 167.89.106.6 as permitted sender) client-ip=167.89.106.6;
Authentication-Results: mx.google.com;
        dkim=pass header.i=@sendgrid.net header.s=smtpapi header.b=wlibc3GP;
        spf=pass (google.com: domain of bounces+7434010-9aaf-XX=gmail.com@sendgrid.net designates 167.89.106.6 as permitted sender) smtp.mailfrom=bounces+7434010-9aaf-XX=gmail.com@sendgrid.net
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=sendgrid.net;
        h=subject:from:reply-to:to:content-type:x-feedback-id; s=smtpapi;
        bh=uEUq311FzzjnZ6umg9gpfpfu2Dg=;
        b=wlibc3GPHVgxZiXFHSuOhxfXNV4P3
         muuySr0ZIh87TfI54XjKgIqAf0rduuOtFvbl6wnJfnmXKFZmISK3TiNws1f8APJO
         nLn58+HTko5VTyAKX7qex6PLexZceOjTluxOUg3RZtXMXVoD1cTCxMYy8Xs3hKCR
         GOoaP3YZpfha5U=
Received: by filter0022p3iad2.sendgrid.net with SMTP id filter0022p3iad2-9528-5ADFC1AA-32
        2018-04-24 23:45:46.429937895 +0000 UTC
Received: from mailhost.cmla.ens-cachan.fr (31.219.forpsi.net [195.181.219.31])
        by ismtpd0001p1lon1.sendgrid.net (SG) with ESMTP id YXxiAkBsTaSGMNy1Kg3aCg
        for <XX@gmail.com>; Tue, 24 Apr 2018 23:45:46.039 +0000 (UTC)
Received: from localhost (127.0.0.1) by inboxpab.com id 5QXRLSF9F64H
        for <XX@gmail.com>; Wed, 25 Apr 2018 01:45:51 +0200 (envelope-from <return@inboxpab.com>)
Subject: Try CBD Gummies for Free!
From: "**Healthy Life**" <infos@inboxpab.com>
Reply-to: <reply@inboxpab.com>
To: XX@gmail.com
Date: Tue, 24 Apr 2018 23:45:46 +0000 (UTC)
Content-Type: multipart/alternative; boundary="NlnX4eFXH9gn=_?:"
Content-Length: 47775
Message-ID: <YXxiAkBsTaSGMNy1Kg3aCg@ismtpd0001p1lon1.sendgrid.net>
X-CSA-Complaints: whitelist-complaints@eco.de
X-SG-EID: FkxlJR0jYlFrHqvpkIuV3qGpCcN7fYyncIUnqwLukYDG3vQMn/tb2QZRk0VJxezfM2e7LfeRPI3oWo
         nTHWtq82S3cmoSoo0nnwYiAzjql37ZOzYjJf5jJ8M03ajnxyPrlD4nli/Mg3I5bTbExrJwRJW5vAg0
         FpWjVkk3Q+ZSNn387mlJ0/ElhbBjMISnXoCAxJbi0V4RbkjzOheGlRLjtkzxTXrXgc669ztwU2fLQ6
         4=
X-Feedback-ID: 7434010:8TzWmuLmZR299Hk0OOgPhhVySMtjCGZhA1j7Jtlx/3Y=:8TzWmuLmZR299Hk0OOgPhhVySMtjCGZhA1j7Jtlx/3Y=:SG

--NlnX4eFXH9gn=_?:
Content-Type: text/plain; charset="utf-8"
content-transfer-encoding: quoted-printable

petzl Posted April 25, 2018

9 hours ago, BoZz said:
I am having a similar problem but with my gmail account which incidentally was working fine for several years and now all of a sudden reports as OP. Here are the headers, will appreciate assistance to sort this out. Thank you

These are genuine Gmail headers
https://www.spamcop.net/sc?id=z6461350211z4ef67168cec9b57a466a6e5a240b31c7z

when fake headers are removed from your submission it parses OK
https://www.spamcop.net/sc?id=z6461352945z1f2e49dc74fc18cb14dba3aa314795ddz

SpamStoolie Posted April 25, 2018

The 2nd header seems to be the only troublemaker.

10 hours ago, BoZz said:
Received: by 2002:a02:2e2f:0:0:0:0:0 with SMTP id i47-v6csp84720jaa; Tue, 24 Apr 2018 16:45:48 -0700 (PDT)

If this header is removed, the message parses properly.

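Added example, not part of any post in this thread and not SpamCop's parser: a Python sketch that walks the Received/X-Received lines from the first post's headers, decodes each `2002:` (6to4, RFC 3056) address to the IPv4 address embedded in it, and reports the newest hop that names a sending host with a public address. The function names are hypothetical and the sample is abridged from the thread.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: trace headers abridged from the first post in this thread.
SAMPLE = """\
Delivered-To: x
Received: by 10.140.17.166 with SMTP id 35csp5053975qgd;
        Tue, 20 Feb 2018 03:11:32 -0800 (PST)
X-Received: by 2002:a17:902:968e:: with SMTP id n14-v6mr17341432plp.21.1519125092798;
        Tue, 20 Feb 2018 03:11:32 -0800 (PST)
Received: from mbkd0226.ocn.ad.jp (mbkd0226.ocn.ad.jp. [153.149.233.27])
        by mx.google.com with ESMTP id f6si7228610pgn.336.2018.02.20.03.11.15;
        Tue, 20 Feb 2018 03:11:32 -0800 (PST)
Received: from mf-smf-ucb027c3 (mf-smf-ucb027c3.ocn.ad.jp [153.153.66.171])
        by mbkd0226.ocn.ad.jp (Postfix) with ESMTP id 532CDD07339;
        Tue, 20 Feb 2018 20:11:15 +0900 (JST)
Subject: REPLY TO HER QUICK

(body omitted)
"""

TRACE_HEADERS = ("received", "x-received")
FROM_IP = re.compile(r"^from\s.*?\[([0-9A-Fa-f:.]+)\]")  # "from host (rdns [ip])"
BY_IP = re.compile(r"^by\s+([0-9A-Fa-f:.]+)\s")          # "by <address literal> with"


def unwrap(text):
    """Return (ip, was_6to4); a 2002::/16 address is replaced by its embedded IPv4."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return None, False  # a hostname, not an address literal
    if ip.version == 6 and ip.sixtofour is not None:
        return ip.sixtofour, True  # RFC 3056: bits 16..47 carry an IPv4 address
    return ip, False


def classify_hops(raw_message):
    """Return one record per Received/X-Received line, newest (top) first."""
    hops = []
    for name, value in message_from_string(raw_message).items():
        if name.lower() not in TRACE_HEADERS:
            continue
        line = " ".join(value.split())  # unfold continuation lines
        match, kind = FROM_IP.match(line), "from"
        if match is None:
            match, kind = BY_IP.match(line), "by"
        ip, was_6to4 = unwrap(match.group(1)) if match else (None, False)
        hops.append({
            "header": name,
            "kind": kind if match else "unparsed",
            "literal": match.group(1) if match else None,
            "effective": str(ip) if ip is not None else None,
            "sixtofour": was_6to4,
            "private": bool(ip is not None and ip.is_private),
        })
    return hops


def first_external_source(raw_message):
    """Newest hop that names a sending host with a public address, or None."""
    for hop in classify_hops(raw_message):
        if hop["kind"] == "from" and hop["effective"] and not hop["private"]:
            return hop["effective"]
    return None


if __name__ == "__main__":
    for hop in classify_hops(SAMPLE):
        print(hop)
    print("first external source:", first_external_source(SAMPLE))
```

On the sample, the `2002:a17:902:968e::` hop decodes to 10.23.9.2, an RFC 1918 address, and the first external source is 153.149.233.27, the same address the SPF result in the post lists as client-ip.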
Archived
This topic is now archived and is closed to further replies.