5280 Guy
Posted April 28, 2018

I use Gmail and copy the headers when I submit a report. This is spam that I keep getting from Jim Cramer. It doesn't seem like reporting is working. I have stripped out the regular part of the response and have only included the errors. Any suggestions? Thanks.

Routing details for 10.157.33.183
I refuse to bother abuse@iana.org.
Using abuse#iana.org@devnull.spamcop.net for statistical tracking.
Using last resort contacts abuse#iana.org@devnull.spamcop.net
Chain error mx.google.com not equal to last sender received line discarded
Tracking message source: 2002:a9d:21b7:0:0:0:0:0:
Display data:
"whois 10.157.33.183@whois.arin.net" (Getting contact from whois.arin.net )
Found AbuseEmail in whois abuse@iana.org
10.0.0.0 - 10.255.255.255:abuse@iana.org
Routing details for 10.157.33.183
I refuse to bother abuse@iana.org.
Using abuse#iana.org@devnull.spamcop.net for statistical tracking.
Using last resort contacts abuse#iana.org@devnull.spamcop.net
Yum, this spam is fresh!
Message is 0 hours old
2002:a9d:21b7:0:0:0:0:0 not listed in cbl.abuseat.org
2002:a9d:21b7:0:0:0:0:0 not listed in dnsbl.sorbs.net
2002:a9d:21b7:0:0:0:0:0 not listed in accredit.habeas.com
2002:a9d:21b7:0:0:0:0:0 not listed in plus.bondedsender.org
2002:a9d:21b7:0:0:0:0:0 not listed in iadb.isipp.com

Finding links in message body
Parsing text part error: couldn't parse head
Message body parser requires full, accurate copy of message
More information on this error..
no links found

Please make sure this email IS spam:
From: Jim Cramer <offers@thestreet.com> (Here is your limited-time club invitation)
------=_Part_23590669_2119084344.1524930398294
Content-Type: text/plain; charset=utf-8
View full message

Report Spam to:
Re: 2002:a9d:21b7:0:0:0:0:0 (Administrator of network where email originates)
To: abuse#iana.org@devnull.spamcop.net (Notes)
Re: User Notification (Notes)
To:
Additional notes (optional - max 2000 characters):

ATTENTION: Report only those e-mail addresses and web sites that you think your spammer has used. Avoid checking any boxes left empty unless you know that your spammer has used the addresses or sites thus identified. Each false report that you submit means wasted time for a network administrator, so take care. The last thing SpamCop wants are network administrators so accustomed to false claims that they no longer take these spam reports seriously.

Comments for:abuse#iana.org@devnull.spamcop.net (2002:a9d:21b7:0:0:0:0:0) Return to report
Comments for:User Notification () Return to report
© 2018 Cisco Systems, Inc. All rights reserved. HTML4 / CSS2 Firefox recommended - Policies and Disclaimers
Lking
Posted April 28, 2018

14 minutes ago, 5280 Guy said:
> Any suggestions?

I suggest that in the future you include the Tracking URL instead of copying part of the report. That way we all could see the header, and other sources of any problem. In this case the Tracking URL is:

Quote:
> SpamCop v 4.9.0 © 2018 Cisco Systems, Inc. All rights reserved.
> Here is your TRACKING URL - it may be saved for future reference:
> https://www.spamcop.net/sc?id=z6461933973z4767a21d25b34cc44e73745c9fbc6e84z

26 minutes ago, 5280 Guy said:
> It doesn't seem like reporting is working.

Reporting spam to SpamCop does add to the SpamCop Block List (SCBL). Unless your ISP uses the SCBL to filter incoming email you will not see a direct result of your submissions. Gmail does not use the SCBL.

Another possibility is that the ISP of the source of the spam will stop providing internet access to the spammer. However, in this case for one of several reasons SpamCop will not send spam reports to the source ISP ("I refuse to bother abuse@iana.org.")

I suggest you also read several other current threads regarding parsing of gmail headers. Use the Search engine in the top right corner of the screen. Search for gmail.
5280 Guy (Author)
Posted April 29, 2018

Here is the whole deal. This used to work, but now I get errors every time.

SpamCop v 4.9.0 © 2018 Cisco Systems, Inc. All rights reserved.
Here is your TRACKING URL - it may be saved for future reference:
https://www.spamcop.net/sc?id=z6461933973z4767a21d25b34cc44e73745c9fbc6e84z

Header/body/ parser results deleted by moderator.
Lking
Posted April 29, 2018

The advantage of including the Tracking URL in your post is that you DO NOT then need to clutter the thread with the long content of the reported spam. Anyone that wants to can click on the Tracking URL link and see the details.
petzl
Posted April 29, 2018

9 hours ago, 5280 Guy said:
> https://www.spamcop.net/sc?id=z6461933973z4767a21d25b34cc44e73745c9fbc6e84z

OK, Gmail is getting "spoofed" headers. You need to only copy from, including, this line:
ARC-Authentication-Results: i=1; mx.google.com;
Then it will parse correctly:
https://www.spamcop.net/sc?id=z6462122803z4edf40cea6065e3f021240fc039e11d2z

Look at headers of your non-Gmail spam, you will see they don't contain these spoofed headers. Included spoofed headers in notes and send to abuse at gmail as well.
lepa71
Posted May 28, 2018

Lately almost all of my reports are re-directed to abuse#iana.org{AT}devnull.spamcop.net and I don't think it's right.
Lking
Posted May 28, 2018

1 hour ago, lepa71 said:
> Lately almost all of my reports are re-directed to abuse#iana.org{AT}devnull.spamcop.net and I don't think it's right.

Which part do you not think is correct? The "devnull.spamcop.net" part, which indicates that SpamCop does not want to send a spam report to this email address? OR the "abuse{AT}iana.org" part, which is where the spam report would be sent IF a report was being sent?

Again, a tracking URL would help the rest of us understand your concern.
lepa71
Posted May 28, 2018

Here is one.
https://www.spamcop.net/sc?id=z6466736617zb98f035ad2768f5b6da603bd2ae4a034z

If you look, it tries to get the IP4 but then tries to get IPv6:

host 95.216.150.71 = static.71.150.216.95.clients.your-server.de (cached)
static.71.150.216.95.clients.your-server.de is 95.216.150.71
2002:a9f:3d14:0:0:0:0:0 not listed in cbl.abuseat.org
2002:a9f:3d14:0:0:0:0:0 not listed in dnsbl.sorbs.net
2002:a9f:3d14:0:0:0:0:0 is not an MX for mx.google.com

At the end, it gets here:

"whois 10.159.61.20@whois.arin.net" (Getting contact from whois.arin.net )
Found AbuseEmail in whois abuse@iana.org
10.0.0.0 - 10.255.255.255:abuse@iana.org
Routing details for 10.159.61.20

And this is not just one example. It started about a month ago. I see more and more of this. It does not look right.
Lking
Posted May 28, 2018

Based on what you cut/pasted from the report above, are you mixing results from the "Parsing header:" and "Finding links in message body"?

The "Resolves to 95.216.150.71" is from the body, and 10.159.61.20 is from the header. Each results in a report being sent. 10.159.61.20 and "I refuse to bother abuse@iana.org." results in the devnull report, and the 95.216.150.70 results in a report being sent to abuse{AT}hetzner.de

Or do I not understand what you think is wrong?
RobiBue
Posted May 28, 2018

13 minutes ago, Lking said:
> Based on what you cut/pasted from the report above, are you mixing results from the "Parsing header:" and "Finding links in message body"
> The "Resolves to 95.216.150.71" if from the body, and 10.159.61.20 is from the header. Each results in a report being send. 10.159.61.20 and "I refuse to bother abuse@iana.org." results in the devnull report, and the 95.216.150.70 results in a report being sent to abuse{AT}hetzner.de
> Or do I not understand what you think is wrong?

Unfortunately, that is exactly what SC does at the moment with gmail's first (topmost) IPv6 (actually 6to4) private address Received: line:

Received: by 2002:a9f:3d14:0:0:0:0:0 with SMTP id l20-v6csp1947284uai; Sun, 27 May 2018 17:19:06 -0700 (PDT)

This IPv6 address is the 6to4 equivalent to 10.159.61.20, which is a private network address.

The next Received: line:

Received: from gambashoping.com (static.71.150.216.95.clients.your-server.de. [95.216.150.71]) by mx.google.com with ESMTP id m1-v6si28198295plt.276.2018.05.27.17.19.05 for <x>; Sun, 27 May 2018 17:19:06 -0700 (PDT)

shows the actual spammer IP address [95.216.150.71]. This is coincidentally also the IP address that the link in the body of the message returns.

SpamCop chokes on Gmail's "private" IPv6 address, and the rest of the Received: lines suffer from it and the real spamming IP does not get reported.

Long discussions, explanations and workarounds are listed in the following two threads:
http://forum.spamcop.net/topic/25123-address-2002adfaa9100000-gmail-not-associated-with-any-of-your-mailhosts/
http://forum.spamcop.net/topic/23516-spamcop-cannot-find-source-ip/
Lking
Posted May 28, 2018

RobiBue, please read the contents of the tracking URL more carefully. It can be confusing that gambashoping.com appears in both the header and in the body.
lepa71
Posted May 28, 2018

I don't think it's confusing. It is exactly what @RobiBue is saying.

Here is another one.
https://www.spamcop.net/sc?id=z6466849060zdcafb4e78746831a976de90fabffbf97z

Maybe another confusion is: is the 2002:a9f:3d14:0:0:0:0:0 the full IPv6, or does Google strip it? I don't think those 0:0:0:0:0 should be there that way.
RobiBue
Posted May 28, 2018

26 minutes ago, lepa71 said:
> I don't think it's confusing. It is exactly @RobiBue is saying.
> Here is another one.
> https://www.spamcop.net/sc?id=z6466849060zdcafb4e78746831a976de90fabffbf97z
> Maybe another confusion is. IS the 2002:a9f:3d14:0:0:0:0:0 full IPv6 or google strips it? I don't think those 0:0:0:0:0 should there that way.

@Lking: I did read the contents carefully, but I also noticed the coincidental appearance of the same IP address in both header and body, which only means to me that the spammer is advertising from his own IP address. If I had a mail server and a web server on my network, and I would be sending mail from my mail server with links to the website on my web server, both mail server and web server addresses would have the same IP address.

@lepa71: the IPv6 address 2002:a9f:3d14:0:0:0:0:0 is a correct 6to4 IPv6 address and can be abbreviated as 2002:a9f:3d14:: or expanded to 2002:0a9f:3d14:0000:0000:0000:0000:0000

They all mean the same and all point to the IPv4 IP address [10.159.61.20] (you can try them here and see the result.)

I have seen in past reports (besides my own) that Google's mx servers utilize various 10.nnn.nnn.nnn IP addresses, and it seems that several weeks ago they decided to "6to4" them, but unfortunately, with that move, SC got left behind limping...
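
The 6to4 mapping described in the post above, applied to the two Received: lines quoted earlier in the thread. This is an added Python example, not part of any post and not SpamCop's code; the function names and the unfolded sample header are constructed for illustration, and it assumes each Received: header has already been unfolded onto one line.

```python
import ipaddress
import re

# Constructed sample: the two Received: lines quoted in the thread, unfolded.
SAMPLE_HEADERS = """\
Received: by 2002:a9f:3d14:0:0:0:0:0 with SMTP id l20-v6csp1947284uai; Sun, 27 May 2018 17:19:06 -0700 (PDT)
Received: from gambashoping.com (static.71.150.216.95.clients.your-server.de. [95.216.150.71]) by mx.google.com with ESMTP id m1-v6si28198295plt.276.2018.05.27.17.19.05 for <x>; Sun, 27 May 2018 17:19:06 -0700 (PDT)
"""

# "Received: by <address literal>" (internal hand-off, no "from" clause)
BY_ADDR = re.compile(r"^Received: by ([0-9A-Fa-f:.]+)\s")
# "Received: from name (rdns. [address])": the bracketed peer address
FROM_ADDR = re.compile(r"^Received: from .*?\[([0-9A-Fa-f:.]+)\]")


def unwrap_6to4(text):
    """Parse an address literal; for a 6to4 address (2002::/16) return the
    IPv4 address embedded in bits 16..47, otherwise the address itself."""
    addr = ipaddress.ip_address(text)
    if addr.version == 6 and addr.sixtofour is not None:
        return addr.sixtofour
    return addr


def is_internal_hop(line):
    """True for a 'Received: by <addr>' line whose address is private,
    including a private IPv4 address wrapped in 6to4."""
    m = BY_ADDR.match(line)
    if not m:
        return False
    try:
        return unwrap_6to4(m.group(1)).is_private
    except ValueError:
        return False  # the 'by' token was a hostname, not an address


def first_external_source(headers):
    """Walk the Received: lines top-down, skip internal hops, and return
    the first bracketed peer address that is not private."""
    for line in headers.splitlines():
        if is_internal_hop(line):
            continue
        m = FROM_ADDR.match(line)
        if m and not unwrap_6to4(m.group(1)).is_private:
            return str(unwrap_6to4(m.group(1)))
    return None
```
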
lepa71
Posted May 29, 2018

Here is another one. It should have been sent to the sendgrid abuse team but was sent to abuse#iana.org@devnull.spamcop.net

I think Google does intercept the header and does something to it.
https://www.spamcop.net/sc?id=z6466973866z4e3f37a58787cee22244e7c05fc1a315z
petzl
Posted May 30, 2018

5 hours ago, lepa71 said:
> https://www.spamcop.net/sc?id=z6466973866z4e3f37a58787cee22244e7c05fc1a315z

Cut this line out and Gmail parsing works fine.
Received: by 2002:a9f:3d14:0:0:0:0:0 with SMTP id l20-v6csp3921756uai;
https://www.spamcop.net/sc?id=z6466997545zbf99b5f46d259fd01fbd6b2d8ebab0b9z
lepa71
Posted May 30, 2018

11 hours ago, petzl said:
> Cut this line out and Gmail parsing works fine.
> Received: by 2002:a9f:3d14:0:0:0:0:0 with SMTP id l20-v6csp3921756uai;
> https://www.spamcop.net/sc?id=z6466997545zbf99b5f46d259fd01fbd6b2d8ebab0b9z

That is not really the point. If this is the case then maybe spamcop needs adjustments.
petzl
Posted May 31, 2018

12 hours ago, lepa71 said:
> That is not really the point. If this is the case then maybe spamcop needs adjustments.

That was only working off and on previously, Google seem to be "um and arring" now with Google's update cannot even read spam in spam folder.
Archived
This topic is now archived and is closed to further replies.