"Mailhost configuration problem, identified internal IP as source" - can't submit ANY spam!

[lisali]

Hi, 

Since about a month ago, I can't submit ANY spam. All I get, every time, is:

"Mailhost configuration problem, identified internal IP as source"

It seems to be a SpamCop parsing issue, as other online tools parse the same email headers correctly:

https://mxtoolbox.com/EmailHeaders.aspx

https://www.iptrackeronline.com/email-header-analysis.php

What do I do?
Thanks!

[Lking]

Without a Tracking URL as an example of "why/how" processed you submission, anyone would just be guessing as to what to do.

[lisali]

23 hours ago, Lking said:

Without a Tracking URL as an example of "why/how" processed you submission, anyone would just be guessing as to what to do.

Hi!

I was going to add an example, but they all seem to reveal a bit too much data, including the email the spam was sent to (only the final catch-all email seems to be redacted). Is there a way around this?

[Lking]

I believe that if you check your tracking URL when you are not logged into spamcop.net you will see what other will see and that your email will not be revealed. For example:

https://www.spamcop.net/sc?id=z6469367419z07b4227d56dc0803077ec3b56d0aaef8z

[lisali]

4 minutes ago, Lking said:

I believe that if you check your tracking URL when you are not logged into spamcop.net you will see what other will see and that your email will not be revealed. For example:

https://www.spamcop.net/sc?id=z6469367419z07b4227d56dc0803077ec3b56d0aaef8z

Hi!

If you click "view full message", it shows more details. In my case, it shows the full email that the spam was sent to, even if not logged in. As mentioned, only the final destination that the offending email is forwarded to is redacted by SpamCop.

[Lking]

I don't know what your are seeing. In my example above my email is replaced by <x> (red bold below added).  Take a look at you reporting options.

Quote

Received: from localhost (unknown [158.69.21.96])
	by knob.com (Postfix) with ESMTP id 7A62B9B9C58
	for <x>; Sat, 16 Jun 2018 04:59:08 +0000 (UTC)
Received: from knob.com ([158.69.132.42])
 by localhost (maia-mtl.ca.hub.org [158.69.21.96]) (maiad, port 10024)
 with ESMTP id 97784-03 for <x>;
 Sat, 16 Jun 2018 04:59:08 +0000 (UTC)
X-Greylist: from auto-whitelisted by SQLgrey-1.8.0
Received: from o29.healthcarereform.businsure.com (o29.healthcarereform.businsure.com [198.37.157.158])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by knob.com (Postfix) with ESMTPS id 022349B9C53
	for <x>; Sat, 16 Jun 2018 04:59:07 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=businsure.com; 
	h=content-transfer-encoding:content-type:from:mime-version:reply-to:to:subject; 
	s=smtpapi; bh=AphJ+LD/k9UDhFzfB0SjruP4rNo=; b=au5R6P57MTuPCWCzyi
	TM20VEycRAHvcYPzcAY1jQJUKW4j2hOnRS+mhLGjGETh2kPQIhDEz2AooIDhSTYl
	b/qF3wYAiT4+jGv5a9ZoyDMplWQ5d7J/+Ojzd2ZGqkNaS3VipZfGi1TdK0GtNAuE
	WDELm8Mzh/JJrDddNBC4rjlqM=
Received: by filter0033p3las1.sendgrid.net with SMTP id filter0033p3las1-16562-5B249919-12
        2018-06-16 04:59:05.671646071 +0000 UTC
Received: from NjQxOTE3 (mail.instantbusinessresources.com [162.250.10.221])
	by ismtpd0041p1mdw1.sendgrid.net (SG) with HTTP id kznZoqaZSGSYTjSL82UfNg
	Sat, 16 Jun 2018 04:59:05.594 +0000 (UTC)
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset=UTF-8
Date: Sat, 16 Jun 2018 04:59:05 +0000 (UTC)
From: "Gordon Mumpower" <gordon@businsure.com>
Mime-Version: 1.0
Reply-to: gordon@businsure.com
To: "x" <x>

 

[lisali]

Hi!

That seems to be the case ONLY if the email is NOT forwarded.

In my case, all emails are forwarded to a catch-all address, let's call it EMAIL B. If spam was sent to EMAIL A, then forwarded to EMAIL B, only EMAIL B will be redacted in the report. I can still see the full EMAIL A in SpamCop reports, even when not logged in.

[Lking]

5 hours ago, lisali said:

That seems to be the case ONLY if the email is NOT forwarded.

That is not the case.  I you will check again, now my example has been completed.

[lisali]

20 minutes ago, Lking said:

That is not the case.  I you will check again, now my example has been completed.

Sorry - what do you mean? In my case, I can see the original email in my reports. 

[Lking]

Have you configured you mailhost to include all the forwardeding?

Sorry I did not read you post closely enough.

[lisali]

On 6/17/2018 at 5:46 PM, Lking said:

Have you configured you mailhost to include all the forwardeding?

Sorry I did not read you post closely enough.

Hi! No worries.  Yes, I have configured all my mailhosts. From what I understand, this issue relates to how Gmail shows the sender/relaying IP, which confuses SpamCop. Other online tools, however,  seem to parse these headers just fine.

[lisali]

Hi! Any update on this?

[lisali]

Any fix or an update?

[RobiBue]

does your spam by any chance arrive to a gmail account? (or is delivered by gmail)

[RobiBue]

Ok, just reread the thread and found the following 

On 6/19/2018 at 9:21 AM, lisali said:

Hi! No worries.  Yes, I have configured all my mailhosts. From what I understand, this issue relates to how Gmail shows the sender/relaying IP, which confuses SpamCop. Other online tools, however,  seem to parse these headers just fine.

Yeah, Gmail adds their Received: header with a 6to4 IPv6 address from a private 10.0.0.0/8 network which according to RFC 3056 §2 is not allowed, but them being google, do it anyway regardless of the consequences.

This, in my opinion, is something that google shouldn’t have implemented and should fix. SpamCop should be able to cope with the 6to4 address and see it as an internal private address just as it would be if it was given the original 10.nnn.nnn.nnn address.

Currently it seems that neither SC nor google is about to budge.

All we can do, is either delete the 2nd line Received: header with its faulty IPv6 address and paste it as a comment for the receiving abuse recipients for completeness, or put the IPv6 address in parentheses and place its equivalent IPv4 address in front.

an example of that 2nd line:

Received: by 10.176.75.22 (2002:ab0:4b16:0:0:0:0:0) with SMTP id h22-v6csp5358367uaf;
        Tue, 31 Jul 2018 11:25:32 -0700 (PDT)

 

[Dave_L]

On 6/16/2018 at 10:02 AM, lisali said:

Hi!

I was going to add an example, but they all seem to reveal a bit too much data, including the email the spam was sent to (only the final catch-all email seems to be redacted). Is there a way around this? 

One possibility is to "munge" the information you don't want revealed, before Spamcop parses it.

[lisali]

Yes! This seems to be a Gmail issue. spam not sent to Gmail seems to be parsed fine.

I can't be manually editing lines for SpamCop to accept this. Why can't everyone just work together nicely? ?

Is there a way for SpamCop to work around this in the meantime?

[RobiBue]

I received this from SpamCop:

<quote>
Google has promised to fix the issue but have not provided an ETA of a fix.
We [SpamCop] looked at programming around it but that option was rejected by our CERT board as it would have opened a security hole in our system.

We can just sit and wait for Gmail.
</quote>

[lisali]

17 hours ago, RobiBue said:

I received this from SpamCop:

<quote>
Google has promised to fix the issue but have not provided an ETA of a fix.
We [SpamCop] looked at programming around it but that option was rejected by our CERT board as it would have opened a security hole in our system.

We can just sit and wait for Gmail.
</quote>

Is there anything that we can do? Is there a way to send feedback to Google?

[RobiBue]

8 hours ago, lisali said:

Is there anything that we can do? Is there a way to send feedback to Google?

Well, I guess it wouldn't (or couldn't) hurt if SpamCop users/reporters with gmail accounts send their feedback...

I found the feedback link in gmail by clicking on the settings gear in the "new" gmail (or classic/standard view). Can't find it in the basic HTML view though.

[lisali]

20 hours ago, RobiBue said:

Well, I guess it wouldn't (or couldn't) hurt if SpamCop users/reporters with gmail accounts send their feedback...

I found the feedback link in gmail by clicking on the settings gear in the "new" gmail (or classic/standard view). Can't find it in the basic HTML view though.

Done! Let's hope they fix this. Thank you!

[nhraj700]

I just sent a complaint via that feedback function.  Thanks for that tip.  Tired of modifying headers.

[petzl]

43 minutes ago, nhraj700 said:

I just sent a complaint via that feedback function.  Thanks for that tip.  Tired of modifying headers.

Remember to mark Gmail span as phishing. The pointy heads there have a automated process which they think works?

[klappa]

Just give up! Neither GMail nor Spamcop will fix this in the nearest future. Unfortunately.

[lisali]

7 hours ago, klappa said:

Just give up! Neither GMail nor Spamcop will fix this in the nearest future. Unfortunately.

You may be right. It's unfortunate. We're providing valuable data to Cisco (owners of SpamCop), and they don't seem to want to invest any resources to get this sorted. Sad.