HN Support, posted April 3, 2018 (edited)

Hi there, for a couple weeks now I noticed most reporting was going to report_spam@hotmail.com. I started to get suspicious and so started looking into it. It seems as though there's some Microsoft IPv6 addresses which aren't in our "Hotmail / MSN" drop-down list of the Mailhosts section of our account, and every time the parser hits on one of those it decides that's the source of the spam instead of continuing through the headers to the actual origin.

Case in point: www.spamcop.net/sc?id=z6456858877zb5f21cf2fa16ca99611a32e08c680ae7z

As you can see, in this case it stopped at 2a01:111:e400:c47c:0:0:0:49 instead of realizing that was not the sender IP and continuing on to the more likely candidate.

Here's some more failures of this type:
http://www.spamcop.net/sc?id=z6456858879z4145dd35d533293621e90955a03d735bz
http://www.spamcop.net/sc?id=z6456858881z5f2552c0a0b58982773dc4351afcbf34z
http://www.spamcop.net/sc?id=z6456858882zaf7ea911350a7960e8187700288a3ff8z

I tried deleting my Hotmail / MSN mailhost entry from within our "Mailhosts" section and recreating it, but it didn't help.

Also here's a sample of some of the IPv6 addresses that have been incorrectly identified as the source of the spam messages in some of our submissions:

Also please note that whenever all the Microsoft / MSN IPv6 addresses in the message header ARE listed in the current Microsoft / MSN dropdown those messages are correctly parsed and the source of the spam message positively identified. However this seems to be only 1 out of every 10 submissions which means I'm cancelling the reporting of 9 / 10 submissions at this point. Please advise.

Edited April 3, 2018 by HN Support

Kewl, posted April 3, 2018

https://www.spamcop.net/sc?id=z6456935238zc9f4b8319848eaa131eed78bd3aadf85z

Wants to erroneously send report to report_spam@hotmail.com

petzl, posted April 4, 2018

4 hours ago, Kewl said:
> https://www.spamcop.net/sc?id=z6456935238zc9f4b8319848eaa131eed78bd3aadf85z
> Wants to erroneously send report to report_spam@hotmail.com

Spam needs submitting.
The report_spam address has been requested by Hotmail for SpamCop reports.
There is a problem that a lot of these are legacy issues and just go to a bit-bin.
You can submit spam to "abuse [ at ] microsoft [ dot ] com" from your email account where you actually received that spam.

HN Support (Author), posted April 4, 2018 (edited)

The problem, petzl, is not that the parser is generating a report addressed to the report_spam@hotmail.com address but that it is doing so INSTEAD of creating a report addressed to the actual ISP where the reported spam message came from, making the whole exercise relatively pointless. What's Microsoft going to do about a spam that originally came from somewhere not in their control? Nothing. And then at the same time the ISP of the spammer isn't getting the notification it needs to take action. That's the real issue here.

For example, in the link you put into your reply the origination IP address of that spam message was most likely the 74.202.231.63 IP address listed in the headers. When SpamCop is parsing correctly it would most likely have found that it should address the report to security@level3.com, the abuse email address on file for the ISP in charge of that IP address. As you can see at the bottom of that parse job, that's NOT where it's addressed to, and that's a fail. Microsoft is not in charge of that IP address and therefore has no jurisdiction to correct the issue.

Edited April 4, 2018 by HN Support: Add supporting information

Kewl, posted April 4, 2018

HN Support... exactly right. It's a parser error. The parser discarded the most important header...

    Chain error HE1EUR02FT053.mail.protection.outlook.com not equal to last sender received line discarded

Hotmail changed its handling of incoming email about a week or two ago. It is messing up the parser. Now every spam I report goes to report_spam @ hotmail.com. That's worse than useless, it wastes the time of abuse dept at hotmail. Until the parser is fixed, there is no point in me reporting the spam I get in my hotmail account.

HN Support (Author), posted April 4, 2018 (edited)

Initially I was cancelling these but I've now realized it's possible to uncheck the report_spam@hotmail report, check the 'user report' option under it, then fill in the abuse address for the ISP who's in charge of that particular IP address. You can find this by looking in the headers for the point at which a non-Microsoft server has handed off the messaging to a Microsoft server and running a whois on the IP address of that hand-off server. From your link above this is the relevant section:

    Received: from mail1.listingbookmail.com (74.202.231.63) by
    HE1EUR02FT053.mail.protection.outlook.com (10.152.11.109) with Microsoft SMTP

Doing a

    whois 74.202.231.63 | grep Abuse

gives us the following results:

    OrgAbuseHandle: TWTAD-ARIN
    OrgAbuseName: tw telecom Abuse Desk
    OrgAbusePhone: +1-800-829-0420
    OrgAbuseEmail: abuse@level3.com
    OrgAbuseRef: https://whois.arin.net/rest/poc/TWTAD-ARIN
    RAbuseHandle: TWTAD-ARIN
    RAbuseName: tw telecom Abuse Desk
    RAbusePhone: +1-800-829-0420
    RAbuseEmail: abuse@level3.com
    RAbuseRef: https://whois.arin.net/rest/poc/TWTAD-ARIN
    network:Abuse-Contact;I:abuse@twtelecom.net

So then you fill in abuse@level3.com into the blank 'user' field and submit that, instead.

Edited April 4, 2018 by HN Support: Correcting capitalisation error from grep abuse to grep Abuse

petzl, posted April 5, 2018

15 hours ago, HN Support said:
> So then you fill in abuse@level3.com into the blank 'user' field and submit that, instead.

74.202.231.63 seems level3 have been playing games

    Routing details for 74.202.231.63 [refresh/show]
    Cached whois for 74.202.231.63 : abuse@level3.com
    Using best contacts abuse@level3.com
    I know this ISP's abuse address: level3@admin.spamcop.net
    Reports disabled for level3@admin.spamcop.net
    Using level3#admin.spamcop.net@devnull.spamcop.net for statistical tracking.

Kewl, posted April 5, 2018

It's open season on Hotmail users until parser gets fixed and can correctly identify source of spam.

Here is another example of mis-directed abuse reports... https://www.spamcop.net/sc?id=z6457322955zd3ebaf3de822b24885a674cf2ee4be95z

Parser mistakenly discards this crucial header line...

    Received: from smtp12-iad-sp1.mta.salesforce.com (13.108.238.139) by
    AM5EUR02FT049.mail.protection.outlook.com (10.152.9.233) with Microsoft SMTP Server

Kewl, posted April 5, 2018

petzl,

10 hours ago, petzl said:
> 74.202.231.63 seems level3 have been playing games

Sometimes reports get sent thru to abuse@level3.com. About 25% reports get sent, and 75% reports are disabled. I'm not sure why but definitely games are being played by this ISP.

Kewl, posted April 5, 2018

On 4/4/2018 at 11:52 AM, HN Support said:
> Initially I was cancelling these but I've now realized it's possible to uncheck the report_spam@hotmail report, check the 'user report' option under it, then fill in the abuse address for the ISP who's in charge of that particular IP address. You can find this by looking in the headers for the point at which a non-Microsoft server has handed off the messaging to a Microsoft server and running a whois on the IP address of that hand-off server. From your link above this is the relevant section: ... So then you fill in abuse@level3.com into the blank 'user' field and submit that, instead.

HN Support,

Everyone can uncheck report_spam @ hotmail, but not everyone has the option to fill in user field. That's a spamcop premium user option. Also, filling in the optional user report field with the correct abuse email does not contribute to the blacklist for that spammer.

Lking, posted April 5, 2018

25 minutes ago, Kewl said:
> It's open season on Hotmail users until parser gets fixed and can correctly identify source of spam.

Or Hotmail corrects the changes they made.

On 4/4/2018 at 9:00 AM, Kewl said:
> Hotmail changed its handling of incoming email about a week or two ago. It is messing up the parser.

It is not feasible for SpamCop to adjust the parser to deal with every change made to others' email software. Hotmail, among others, are not really too interested in how they affect other applications. Their interest is in providing (free) email service to their clients, so the client data, usage, networks are available to scrape.

lisati, posted April 5, 2018

#metoo - I sometimes have unwanted email arrive at my outlook email account that apparently arrives from yahoo or google, yet the parser decides to use the MSN reporting address. It's annoying having to do so, but when I spot such an email, I uncheck the report to hotmail, and fill in an appropriate abuse address for user submitted reports.

petzl, posted April 6, 2018

9 hours ago, Kewl said:
> petzl, Sometimes reports get sent thru to abuse@level3.com. About 25% reports get sent, and 75% reports are disabled. I'm not sure why but definitely games are being played by this ISP.

Possibly different IPs are run by different owners?

Kewl, posted April 19, 2018

It's been over a month since I've been able to report spam arriving in my hotmail account. All reports would be sent to report_spam@hotmail.com whether they had anything to do with source of spam or not. I refuse to bother their abuse dept with frivolous reports.

HN Support (Author), posted April 20, 2018

Actually, the way I'm reading things, Microsoft is the cause of the problem in the first place, so in addition to manually determining and reporting to the actual source ISPs of the spam messages I'm also leaving the check mark on to submit to the incorrect MS spam reporting address as well. The intention there is for them to notice the error and as a result put some action on to fixing their IPv6 rDNS entries to conform with the standard.

klappa, posted April 7, 2019

Can someone confirm if report_spam@hotmail.com really works?

oZoneCapHill, posted May 5, 2019

Let me start by saying I am having tons of issues with Outlook online / Hotmail and some of the issues may be MSN issues, but someone really needs to look into it since I report all my Hotmail spam here and it no longer works very well. Microsoft is slow to fix issues but they will address them if you write up the issue on the Microsoft feedback forum ( https://answers.microsoft.com/en-us/outlook_com/forum/oemail-osend/emails-headers-have-multple-issues-when-trying-to/7d5c2315-38ae-4dcf-9e29-e1d64932b65e ).

Issue 1: I thought maybe my mail config was messed up and I deleted and tried to redo my mail config and all I get now is:

    Headers mangled
    It appears that the sample you provided has been altered. Often, extra line-breaks are inserted by your software in an invalid format. Part of the reason for this proceedure is to ensure that you and your software are submitting spam in an error-free format. Please review the relevant FAQ for your software and ensure you are following a proceedure which returns intact spam content to SpamCop.
    In this sample, the problem was found near the line:
    via BYAPR05CA0039.NAMPRD05.PROD.OUTLOOK.COM; Sun, 5 May 2019 05:19:37 +0000

Issue 2: Now when I report Outlook online / Hotmail I am getting a chain error:

https://www.spamcop.net/sc?id=z6543836809z438812bd7b6c2eaf52d5d36941b1cef2z

    Chain error AM5EUR02FT025.mail.protection.outlook.com not equal to last sender received line discarded

petzl, posted May 6, 2019 (edited)

7 hours ago, oZoneCapHill said:
> Now when I report Outlook online / Hotmail I am getting a chain error: https://www.spamcop.net/sc?id=z6543836809z438812bd7b6c2eaf52d5d36941b1cef2z
> Chain error AM5EUR02FT025.mail.protection.outlook.com not equal to last sender received line discarded

Just keyword headers "sender IP is" (without quotes), which in this case is 52.69.50.108
abuse[AT]amazonaws.com
country Japan

Child porn spammer has moved to another free throwaway AWS web account.
AWS don't accept abuse reports from SpamCop and prove to me they are morons from space. Most countries use monkeys, using morons is one better?
AWS will send your report to spammer child porn spammers but they will opt you out of their spam.

With hotmail spam you need to either "forward as attachment", put the sender IP in body with abuse address. If "forward as attachment" is not available, copy and paste Body and Text into forwarded message. AWS require this method. Above paste put in source IP then two blank lines.

SpamCop can no longer decipher Hotmail headers.

Edited May 6, 2019 by petzl

MIG, posted May 6, 2019 (edited)

On 5/6/2019 at 4:25 AM, oZoneCapHill said:
> https://www.spamcop.net/sc?id=z6543836809z438812bd7b6c2eaf52d5d36941b1cef2z
> Chain error AM5EUR02FT025.mail.protection.outlook.com not equal to last sender received line discarded

Hey oZoneCapHill,

With all Outlook/Hotmail mail, the "original"/Classic or "new", was BETA, now referred to as "production" by MS, always remove the first:

    Received: from xxx all the way through to +0000

In the example you've submitted it's as follows:

    Received: from AM5EUR02HT165.eop-EUR02.prod.protection.outlook.com (2603:10b6:a02:a8::18) by BYAPR02MB4678.namprd02.prod.outlook.com with HTTPS via BYAPR03CA0005.NAMPRD03.PROD.OUTLOOK.COM; Sun, 5 May 2019 11:38:40 +0000

The explanation provided by SpamCop Admin (as to why it's optimal to do this), was/is:

"A couple of years ago Hotmail had to give up two /16 networks they were using (33,554,432 IP addresses) as they were not assigned to them. Microsoft had to quickly reconfigure their network and used IPv6 to do so. Unfortunately when doing so, they did not do it carefully and make sure they had full name resolution throughout the network, where the forward and reverse dns on each server matches. This means we can't trust their headers and will often take them as the source of the spam."

Using the SC URL you've submitted I removed the above "Received, etc > +0000", ran it thru SC, using a SC account with MailHosts, this is the result:

https://www.spamcop.net/sc?id=z6543932098z889c38dc916f2b763336930b55cf1af9z

****

To address the MailHosts issue, (imo) the fastest, most successful & least painful (for you) solution, is to contact SC admin, provide details & ask for their assistance. Many folks have either had trouble setting up the hosts & or, having modified previously setup hosts, find the mods have "buggered" up spam being parsed successfully...

****

Back to the SC URL you've provided:

The 2nd issue (when the SC generates a result) is "no links detected", irrespective of the fact there are indeed embedded links... There's various good commentary, across SCF, as to why the parser may not detect links & why this is less of an issue than the parser not being able to parse the spam at all. I think from memory, these posts also contain: "try x", "try y", solutions, in some of the posts.

With your specific URL, I'm unsure if the reason, is a failing by SC parser, or, the actual formatting in the message body.

Again, with your specific URL, the links resolve to: 111.90.150.137, AS 45839 (Shinjiru Technology Sdn Bhd), abuseATshinjiruDOTcomDOTmy

Condensing all of the above: with working hosts & modifying the spam, before presenting to SC parser, it would be good to see if there's better results.

Cheers!
G🦗H

Edited May 7, 2019 by MIG

Absolute, posted July 15, 2020

That's the real issue here.

unitacx, posted September 26, 2020

Resolved! One fairly easy work-around for Outlook running through an "Office 365" server, obviously routed through hotmail:

On mine, the first 3 headers which include "outlook.com" render spam reporting addresses as "report_spam@hotmail.com". So here's the fix:

1. Set your mailhost on Spamcop (obviously)
2. On Spamcop reporting, copy the headers from a sample email, preferably from a known source. (As expected, Spamcop will show the hotmail.com reporting address)
3. Repeat with sequential "Received:" headers removed. When doing this, remove the headers all the way from the top, so ...
   - on the initial try, remove the first "Received:" header;
   - on the next try, remove the first and second "Received:" headers;
   - on the next try, remove the first, second, and third "Received:" header;
   - ... etc.

Eventually you will get the spam reporting address as the outside server. On mine, there were three outlook.com "Received:" headers, followed by an "Authentication-Results:" header. By removing those first three "Received:" headers, I was able to get to the source of my sample email.

Then I carefully read the text of that suspected spam and determined that an email from my home account with the word "test" on the subject line was possibly not spam. So after all that effort, I didn't even report it.

On my version of "Outlook 365" running through an office server, it's just a matter of stripping the first three "Received:" headers.

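Added example, not part of any post in this thread and not SpamCop's parser code: a Python version of the manual lookup HN Support describes (find the hop where a non-Microsoft server hands the message to a Microsoft server) and of the header-stripping workaround unitacx describes. It assumes Microsoft-internal hops are named under outlook.com and that the sending IP appears bare in parentheses, as in the headers quoted in the thread; the sample message and all function names are constructed for illustration.

```python
import re

# Assumption: Microsoft-internal hops name themselves under outlook.com, as in
# the headers quoted in this thread; the sending IP sits bare in parentheses.
INTERNAL_SUFFIXES = ("outlook.com",)
HOP = re.compile(r"\bfrom\s+(\S+)\s+\(\[?([0-9A-Fa-f:.]+)\]?\)\s+by\s+(\S+)", re.I)

# Constructed sample (LF line endings). Only the hand-off line is taken from
# the thread; other hops use documentation addresses (2001:db8::/32, 192.0.2.0/24).
SAMPLE = """\
Received: from EX2.prod.protection.outlook.com (2001:db8:a02:a8::18)
 by EX3.prod.outlook.com with HTTPS; Wed, 4 Apr 2018 10:00:03 +0000
Received: from HE1EUR02FT053.mail.protection.outlook.com (2001:db8:e400:c47c::49)
 by EX2.prod.protection.outlook.com with Microsoft SMTP; Wed, 4 Apr 2018 10:00:02 +0000
Received: from mail1.listingbookmail.com (74.202.231.63)
 by HE1EUR02FT053.mail.protection.outlook.com (10.152.11.109) with Microsoft SMTP;
 Wed, 4 Apr 2018 10:00:01 +0000
Received: from unverified.example (192.0.2.1)
 by mail1.listingbookmail.com; Wed, 4 Apr 2018 09:59:59 +0000
Subject: constructed sample

body text
"""

def split_headers(raw):
    # Group each header with its folded continuation lines; keep body as-is.
    head, sep, body = raw.partition("\n\n")
    blocks = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and blocks:
            blocks[-1] += "\n" + line
        else:
            blocks.append(line)
    return blocks, sep + body

def is_internal(host):
    host = host.lower().rstrip(".;")
    return any(host == s or host.endswith("." + s) for s in INTERNAL_SUFFIXES)

def find_handoff(raw):
    """Return (received_index, from_host, from_ip) for the first hop, top down,
    where an internal host accepted mail from an external one. Hops below it
    were supplied by the sending side and may be forged, so the search stops."""
    received = [b for b in split_headers(raw)[0] if b.lower().startswith("received:")]
    for i, block in enumerate(received):
        m = HOP.search(" ".join(block.split()))
        if m and is_internal(m.group(3)) and not is_internal(m.group(1)):
            return i, m.group(1), m.group(2)
    return None

def strip_internal_received(raw):
    """Remove the Received headers above the hand-off; leave the rest intact."""
    drop = (find_handoff(raw) or (0,))[0]
    blocks, rest = split_headers(raw)
    kept = []
    for b in blocks:
        if drop and b.lower().startswith("received:"):
            drop -= 1
        else:
            kept.append(b)
    return "\n".join(kept) + rest
```

The IP returned by `find_handoff` is the one to pass to the whois lookup HN Support describes.
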
gnarlymarley, posted September 26, 2020

6 hours ago, unitacx said:
> Eventually you will get the spam reporting address as the outside server. On mine, there were three outlook.com "Received:" headers, followed by an "Authentication-Results:" header. By removing those first three "Received:" headers, I was able to get to the source of my sample email.

Eventually you should start to recognize the external and internal headers and might be able to shorten step 3.