All spams reporting to "abuse#iana.org@devnull.spamcop.net"


goodnerd


I started seeing this a couple of months ago. At first I thought it was some sort of statistical collecting address, since I was fighting a lot of spams from ocn.ad.jp servers (where I usually ended up having to manually enter their Abuse department address of abuse_support@ocn.ad.jp), but it seems to be appearing all the time now, even when the headers show other sources.

I've been using SpamCop reporting for years and I'm reporting the spams the same way that I always have, but now I'm seeing abuse#iana.org@devnull.spamcop.net (Notes) pop up, even when other sources are stated in the headers. On some I've had to manually enter the abuse department addresses since it would not pick up on the originating IP. I seem to get this 80-90% of the time.

I hope this is what you are looking for as far as Tracking URLs:

Submitted: Mon Jul 23 13:58:00 2018 GMT 7/23/2018 9:58:00 AM -0400: Do you have any problem you need to solve? A pending court case you want to r...
Submitted: Sat Jul 21 19:16:17 2018 GMT 7/21/2018 3:16:17 PM -0400: PCH-087- 0426-2018-TP
Submitted: Wed Jul 18 01:14:18 2018 GMT 7/17/2018 9:14:18 PM -0400: If I can't afford a down payment, should I still try to buy?
Submitted: Tue Jul 17 01:57:58 2018 GMT 7/16/2018 9:57:58 PM -0400: GOODNEWS FOR YOU?
Submitted: Sat Jul 14 19:13:11 2018 GMT 7/14/2018 3:13:11 PM -0400: Attn: Sir
Submitted: Thu Jul 12 03:58:38 2018 GMT 7/11/2018 11:58:38 PM -0400: Attention: Beneficiary,
Submitted: Wed Jul 11 00:38:16 2018 GMT 7/10/2018 8:38:16 PM -0400: My Dear Beloved (Donation)
Submitted: Mon Jul 9 17:55:45 2018 GMT 7/9/2018 1:55:45 PM -0400: My Dear Beloved (Donation)
Submitted: Sun Jul 8 05:20:10 2018 GMT 7/8/2018 1:20:10 AM -0400: Thanks for joining Trulia!
Submitted: Sat Jul 7 13:48:33 2018 GMT 7/7/2018 9:48:33 AM -0400: NOTIFICATION OF YOUR PAYMENT VIA ATM VISA CARD
Submitted: Sat Jul 7 13:38:44 2018 GMT 7/7/2018 9:38:44 AM -0400: My Dear Beloved (Donation)
Submitted: Sat Jul 7 13:27:51 2018 GMT 7/7/2018 9:27:51 AM -0400: I AM REVEREND FATHER TONY JOHNSON SHEDRACK

As a test I sent myself several emails and then submitted them to SpamCop by pasting the entire email on the spamcop.net home page. NOTE: I did not click on "send spam report" - I cancelled the spam report, but I wanted to see what addresses would appear as to who it was reporting to.

Test 1: I am located in the US and use AT&T as my internet service provider; I also have a server through GoDaddy/WildWestDomains. I sent an email from one of my server website addresses to my Gmail account. The following report was generated:
From: "[[[removed by me]]]" <[[[removed by me]]]> (test)
 This is a multipart message in MIME format.
 ------=_NextPart_000_0018_01D42272.7B270D40

Report spam to:

Re: 2002:aa7:d9c9:0:0:0:0:0 (Administrator of network where email originates)
To: abuse#iana.org@devnull.spamcop.net (Notes)

Test 2:
I tried another legit email - once again I was sure not to submit any spam report, but I only wanted to see what it would generate the report as. I'm a Military Veteran, so I tried a real email from the VA Administration which was sent to one of my Gmail addresses:
From: "Department of Veterans Affairs" <No_Reply_Allowed@va.gov>

Report spam to:

Re: 2002:a81:288f:0:0:0:0:0 (Administrator of network where email originates)
To: abuse#iana.org@devnull.spamcop.net (Notes)

Test 3:

I tried a few more tests, and when I sent a test message from my domain address back to the same address it did pick up on the correct originating IP. It wanted to send a spam report to AT&T since that is my ISP, but not to the domain that the test email was sent from.
What am I doing wrong here? Thank you for any assistance.

This may or may not be associated with the issue, but I was just researching the phishing spam I received today and reported through SpamCop, since the header showed who the domain was and who the webmail server was.

The sending address was from edesigngroup.net, which pings out to 160.153.73.73.

When I went to ping.eu to research things, I did a whois on the IP 160.153.73.73 and it came up with the default:

Quote

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '160.115.0.0 - 160.179.255.255'

% No abuse contact registered for 160.115.0.0 - 160.179.255.255

inetnum:        160.115.0.0 - 160.179.255.255
netname:        NON-RIPE-NCC-MANAGED-ADDRESS-BLOCK
descr:          IPv4 address block not managed by the RIPE NCC
remarks:        ------------------------------------------------------
remarks:
remarks:        You can find the whois server to query, or the
remarks:        IANA registry to query on this web page:
remarks:        http://www.iana.org/assignments/ipv4-address-space
remarks:
remarks:        You can access databases of other RIRs at:
remarks:
remarks:        AFRINIC (Africa)
remarks:        http://www.afrinic.net/ whois.afrinic.net
remarks:
remarks:        APNIC (Asia Pacific)
remarks:        http://www.apnic.net/ whois.apnic.net
remarks:
remarks:        ARIN (Northern America)
remarks:        http://www.arin.net/ whois.arin.net
remarks:
remarks:        LACNIC (Latin America and the Carribean)
remarks:        http://www.lacnic.net/ whois.lacnic.net
remarks:
remarks:        IANA IPV4 Recovered Address Space
remarks:        http://www.iana.org/assignments/ipv4-recovered-address-space/ipv4-recovered-address-space.xhtml
remarks:
remarks:        ------------------------------------------------------
country:        EU # Country is really world wide
admin-c:        IANA1-RIPE
tech-c:         IANA1-RIPE
status:         ALLOCATED UNSPECIFIED
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      RIPE-NCC-HM-MNT
mnt-routes:     RIPE-NCC-RPSL-MNT
created:        2011-07-11T12:36:03Z
last-modified:  2015-10-29T15:14:15Z
source:         RIPE

I know the IP is GoDaddy's, so I ran the same IP through WHOIS again, this time selecting the "full info" option on ping.eu's lookup service, and it displayed the proper information on the IP in question and not the generic iana.org info:
Quote

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/whois_reporting/index.html
#
# Copyright 1997-2018, American Registry for Internet Numbers, Ltd.
#

NetRange:       160.153.0.0 - 160.153.255.255
CIDR:           160.153.0.0/16
NetName:        GO-DADDY-COM-LLC
NetHandle:      NET-160-153-0-0-1
Parent:         NET160 (NET-160-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS26496
Organization:   GoDaddy.com, LLC (GODAD)
RegDate:        2011-08-31
Updated:        2014-02-25
Comment:        Please send abuse complaints to abuse@godaddy.com
Ref:            https://rdap.arin.net/registry/ip/160.153.0.0

OrgName:        GoDaddy.com, LLC
OrgId:          GODAD
Address:        14455 N Hayden Road
Address:        Suite 226
City:           Scottsdale
StateProv:      AZ
PostalCode:     85260
Country:        US
RegDate:        2007-06-01
Updated:        2014-09-10
Comment:        Please send abuse complaints to abuse@godaddy.com
Ref:            https://rdap.arin.net/registry/entity/GODAD

OrgNOCHandle:   NOC124-ARIN
OrgNOCName:     Network Operations Center
OrgNOCPhone:    +1-480-505-8809
OrgNOCEmail:    noc@godaddy.com
OrgNOCRef:      https://rdap.arin.net/registry/entity/NOC124-ARIN

OrgAbuseHandle: ABUSE51-ARIN
OrgAbuseName:   Abuse Department
OrgAbusePhone:  +1-480-624-2505
OrgAbuseEmail:  abuse@godaddy.com
OrgAbuseRef:    https://rdap.arin.net/registry/entity/ABUSE51-ARIN

OrgTechHandle:  NOC124-ARIN
OrgTechName:    Network Operations Center
OrgTechPhone:   +1-480-505-8809
OrgTechEmail:   noc@godaddy.com
OrgTechRef:     https://rdap.arin.net/registry/entity/NOC124-ARIN

RTechHandle:    NOC124-ARIN
RTechName:      Network Operations Center
RTechPhone:     +1-480-505-8809
RTechEmail:     noc@godaddy.com
RTechRef:       https://rdap.arin.net/registry/entity/NOC124-ARIN

RAbuseHandle:   ABUSE51-ARIN
RAbuseName:     Abuse Department
RAbusePhone:    +1-480-624-2505
RAbuseEmail:    abuse@godaddy.com
RAbuseRef:      https://rdap.arin.net/registry/entity/ABUSE51-ARIN

RNOCHandle:     NOC124-ARIN
RNOCName:       Network Operations Center
RNOCPhone:      +1-480-505-8809
RNOCEmail:      noc@godaddy.com
RNOCRef:        https://rdap.arin.net/registry/entity/NOC124-ARIN


Maybe this is related to the iana.org default reporting address...

7 hours ago, goodnerd said:

Maybe this is related to the iana.org default reporting address...

SpamCop often gets reporting addresses wrong or can't find them. I use a freeware Windows program to check.
Direct link for the installation download here: http://www.nirsoft.net/utils/ipnetinfo_setup.exe (it's hard to find on the web page).

http://www.nirsoft.net/utils/ipnetinfo.html (it's at the bottom/end of the page).


Hello Goodnerd,

The problem you're having is unfortunately known to SpamCop, and is a problem for us "reporting spam".

Gmail is one of the biggest causes of this problem, although I have heard that Yahoo! is doing the same.

The reason is that these email providers have been inserting a 6to4 IPv6 address in their Received: headers.

These 6to4 addresses begin with "2002:a".

You can submit the spam by changing the following in the topmost Received: line:

if you have

Received: by 2002:aa7:d9c9:0:0:0:0:0 with SMTP id h22-v6csp6451088uaf; Tue, 24 Jul 2018 05:25:31 -0700 (PDT)
             ^^^^^^^^^^^^^^^^^^^^^^^
             6to4 IPv6 address is a problem

place the IPv6 address in parentheses and add the equivalent 10.167.217.201 in front like this:

Received: by 10.167.217.201 (2002:aa7:d9c9:0:0:0:0:0) with SMTP id h22-v6csp6451088uaf; Tue, 24 Jul 2018 05:25:31 -0700 (PDT)
             ^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^
                   add            parenthesized

That should enable you to report your spam.

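The rewrite RobiBue describes above, as an added example that is not from this thread or from SpamCop: a small Python script that computes the IPv4 equivalent from the 6to4 address itself (RFC 3056 places the IPv4 address in the 32 bits following the 2002: prefix) and applies the parenthesize-and-prefix change to the topmost Received: line only. The sample header is constructed to match the form quoted in the thread, and the function names are this example's own.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample: the Gmail-style topmost Received: line quoted in the thread.
SAMPLE_RECEIVED = (
    "Received: by 2002:aa7:d9c9:0:0:0:0:0 with SMTP id h22-v6csp6451088uaf; "
    "Tue, 24 Jul 2018 05:25:31 -0700 (PDT)"
)

# Matches "Received: by <address> with ..." and keeps the three parts separately.
RECEIVED_BY = re.compile(r"^(Received:\s+by\s+)(\S+)(\s+with\b.*)$", re.DOTALL)


def embedded_ipv4(addr: str) -> Optional[str]:
    """Return the IPv4 address embedded in a 6to4 address (2002::/16), else None.

    RFC 3056 lays a 6to4 address out as 2002:WWXX:YYZZ::/48, so the IPv4
    address W.X.Y.Z occupies bits 16..47 of the 128-bit value. (The stdlib
    property IPv6Address.sixtofour performs the same extraction.)
    """
    try:
        ip6 = ipaddress.IPv6Address(addr)
    except ValueError:          # not an IPv6 literal at all (e.g. a hostname or IPv4)
        return None
    if ip6 not in ipaddress.IPv6Network("2002::/16"):
        return None
    return str(ipaddress.IPv4Address((int(ip6) >> 80) & 0xFFFFFFFF))


def rewrite_received(line: str) -> str:
    """Apply the thread's workaround to one header line: prefix the embedded
    IPv4 address and put the 6to4 address in parentheses. Any line that is not
    'Received: by <6to4 address> with ...' is returned unchanged."""
    m = RECEIVED_BY.match(line)
    if not m:
        return line
    v4 = embedded_ipv4(m.group(2))
    if v4 is None:
        return line
    return f"{m.group(1)}{v4} ({m.group(2)}){m.group(3)}"


def rewrite_topmost(headers: str) -> str:
    """Rewrite only the first Received: line of a raw header block, as the
    thread advises. Assumes each header sits on one line (no folding)."""
    out, done = [], False
    for line in headers.splitlines():
        if not done and line.startswith("Received:"):
            line, done = rewrite_received(line), True
        out.append(line)
    return "\n".join(out)
```

Note that the address recovered here is a private 10.x.x.x address, so the rewrite does not identify the sending host; it only turns the hop into something SpamCop's parser accepts, which is all the workaround in the thread claims.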

Thank you both for the very useful information.

It's good to know that SpamCop is aware of the issue, and I'm now inserting the parentheses for spams received at Gmail. Both ipnetinfo and the parentheses fix work like a charm. Thanks again!


3 weeks later...

On 7/24/2018 at 4:23 PM, RobiBue said:

Hello Goodnerd,

The problem you're having is unfortunately known to SpamCop, and is a problem for us "reporting spam".

Gmail is one of the biggest causes of this problem, although I have heard that Yahoo! is doing the same.

The reason is that these email providers have been inserting a 6to4 IPv6 address in their Received: headers.

These 6to4 addresses begin with "2002:a".

You can submit the spam by changing the following in the topmost Received: line:

if you have


Received: by 2002:aa7:d9c9:0:0:0:0:0 with SMTP id h22-v6csp6451088uaf; Tue, 24 Jul 2018 05:25:31 -0700 (PDT)
             ^^^^^^^^^^^^^^^^^^^^^^^
             6to4 IPv6 address is a problem

place the IPv6 address in parentheses and add the equivalent 10.167.217.201 in front like this:


Received: by 10.167.217.201 (2002:aa7:d9c9:0:0:0:0:0) with SMTP id h22-v6csp6451088uaf; Tue, 24 Jul 2018 05:25:31 -0700 (PDT)
             ^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^
                   add            parenthesized

That should enable you to report your spam.

How can I find out the IPv4 equivalent?


1 month later...

By any chance do we have a fix scheduled or contemplated for this?  Not only is it Gmail (and possibly Yahoo), but it's coming up in Hotmail as well.  I'm thinking it's spam originating on a mail server from an IPv6 network, that has to traverse a 6to4 conversion to get out onto the rest of the Internet.

Find such a server, and a spammer is effectively anonymized as far as Spamcop is concerned.  Darwinism takes over.

I report as an end user by forwarding spam as an attachment, so submitting each spam manually can only be done if the quantity is fairly small.  


Unfortunately, no, there is no fix in sight.

Some of us are using workarounds (PHP, Apps Script, ...) or other methods to replace the 6to4 IPv6 address with its IPv4 counterpart.

SpamCop (Cisco) has no desire to fix it, since they claim it opens vulnerabilities (I say that it's already a vulnerability by not fixing it).

And Google (et al.) has, AFAICR, mentioned to SpamCop that they are looking into fixing it, but since other big emailers have followed suit in abusing 6to4 IPv6 addressing with private IPv4 networks, there is a very slim chance that it will be fixed at all.

It's sad, but it is what it is. And with that, I believe, Cisco is putting the nail in SpamCop's coffin...


1 hour ago, RobiBue said:

Unfortunately, no, there is no fix in sight.

Some of us are using workarounds (PHP, Apps Script, ...) or other methods to replace the 6to4 IPv6 address with its IPv4 counterpart.

SpamCop (Cisco) has no desire to fix it, since they claim it opens vulnerabilities (I say that it's already a vulnerability by not fixing it).

And Google (et al.) has, AFAICR, mentioned to SpamCop that they are looking into fixing it, but since other big emailers have followed suit in abusing 6to4 IPv6 addressing with private IPv4 networks, there is a very slim chance that it will be fixed at all.

It's sad, but it is what it is. And with that, I believe, Cisco is putting the nail in SpamCop's coffin...

Well that's a shocker. I couldn't agree more.

