goodnerd Posted July 23, 2018

I started seeing this a couple of months ago. At first I thought it was some sort of statistical collecting address since I was fighting a lot of spams from ocn.ad.jp servers (where I usually ended up having to manually enter their Abuse department address of abuse_support@ocn.ad.jp) but it seems to be appearing all the time now, even when the headers show other sources.

I've been using Spamcop reporting for years and I'm reporting the spams the same way that I always have, but now I'm seeing abuse#iana.org@devnull.spamcop.net (Notes) pop up, even when it has other sources stated in the headers. On some I've had to manually enter the abuse department addresses since it would not pick up on the originating IP. I seem to get this 80-90% of the time.

I hope this is what you are looking for as far as Tracking URLs:

Submitted: Mon Jul 23 13:58:00 2018 GMT
7/23/2018 9:58:00 AM -0400:Do you have any problem you need to solve? A pending court case you want to r...
6834492181 ( 2002:aa7:d9c9:0:0:0:0:0 ) To: abuse#iana.org@devnull.spamcop.net

Submitted: Sat Jul 21 19:16:17 2018 GMT
7/21/2018 3:16:17 PM -0400:PCH-087- 0426-2018-TP
6834051593 ( 2002:aa7:d9c9:0:0:0:0:0 ) To: abuse#iana.org@devnull.spamcop.net
6830233770 ( 2002:aa7:d9c9:0:0:0:0:0 ) To: abuse#iana.org@devnull.spamcop.net

Submitted: Wed Jul 18 01:14:18 2018 GMT
7/17/2018 9:14:18 PM -0400: If I can't afford a down payment, should I still try to buy?
6832940524 ( http://static.trulia-cdn.com/images/email/marke... ) To: abuse@amazonaws.com
6832940523 ( http://links.iterable.com/e/eo?_t=3ea3eb5515744... ) To: abuse@amazonaws.com
6832940522 ( http://click.prop.trulia.com/q/rHVbRMoot0RNs_ax... ) To: abuse@amazonaws.com
6832940521 ( 2002:a02:aa88:0:0:0:0:0 ) To: abuse#iana.org@devnull.spamcop.net

Submitted: Tue Jul 17 01:57:58 2018 GMT
7/16/2018 9:57:58 PM -0400:GOODNEWS FOR YOU?
6832609756 ( 2002:aa7:d9c9:0:0:0:0:0 ) To: abuse#iana.org@devnull.spamcop.net

Submitted: Sat Jul 14 19:13:11 2018 GMT
7/14/2018 3:13:11 PM -0400:Attn: Sir
6831921278 ( 2002:aa7:d9c9:0:0:0:0:0 ) To: abuse#iana.org@devnull.spamcop.net

Submitted: Thu Jul 12 03:58:38 2018 GMT
7/11/2018 11:58:38 PM -0400:Attention: Beneficiary,
6831042063 ( 2002:aa7:d9c9:0:0:0:0:0 ) To: abuse#iana.org@devnull.spamcop.net

Submitted: Wed Jul 11 00:38:16 2018 GMT
7/10/2018 8:38:16 PM -0400:My Dear Beloved (Donation)
6830668325 ( 2002:aa7:d9c9:0:0:0:0:0 ) To: abuse#iana.org@devnull.spamcop.net

Submitted: Mon Jul 9 17:55:45 2018 GMT
7/9/2018 1:55:45 PM -0400:My Dear Beloved (Donation)

Submitted: Sun Jul 8 05:20:10 2018 GMT
7/8/2018 1:20:10 AM -0400:Thanks for joining Trulia!
6829676874 ( 2002:a02:aa88:0:0:0:0:0 ) To: abuse#iana.org@devnull.spamcop.net

Submitted: Sat Jul 7 13:48:33 2018 GMT
7/7/2018 9:48:33 AM -0400:NOTIFICATION OF YOUR PAYMENT VIA ATM VISA CARD
6829448770 ( 2002:a50:ec9a:0:0:0:0:0 ) To: abuse#iana.org@devnull.spamcop.net

Submitted: Sat Jul 7 13:38:44 2018 GMT
7/7/2018 9:38:44 AM -0400:My Dear Beloved (Donation)
6829446064 ( 2002:a50:ec9a:0:0:0:0:0 ) To: abuse#iana.org@devnull.spamcop.net

Submitted: Sat Jul 7 13:27:51 2018 GMT
7/7/2018 9:27:51 AM -0400:I AM REVEREND FATHER TONY JOHNSON SHEDRACK
6829442906 ( 2002:a50:ec9a:0:0:0:0:0 ) To: abuse#iana.org@devnull.spamcop.net

As a test I sent myself several emails and then submitted them to SpamCop by pasting the entire email on the spamcop.net home page. NOTE: I did not click on "send spam report" - I cancelled the spam report but I wanted to see what addresses would appear as to who it was reporting to.

Test 1: I am located in the US and use AT&T as my internet service provider, I also have a server through GoDaddy/WildWestDomains. I sent an email from one of my server website addresses to my Gmail account. The following report was generated:

    From: "[[[removed by me]]]" <[[[removed by me]]]>
    (test)
    This is a multipart message in MIME format.
    ------=_NextPart_000_0018_01D42272.7B270D40
    Report spam to:
    Re: 2002:aa7:d9c9:0:0:0:0:0 (Administrator of network where email originates)
    To: abuse#iana.org@devnull.spamcop.net (Notes)

Test 2: I tried another legit email - once again I was sure not to submit any spam report but I only wanted to see what it would generate the report as. I'm a Military Veteran so I tried a real email from the VA Administration which was sent to one of my Gmail addresses:

    From: "Department of Veterans Affairs" <No_Reply_Allowed@va.gov>
    Report spam to:
    Re: 2002:a81:288f:0:0:0:0:0 (Administrator of network where email originates)
    To: abuse#iana.org@devnull.spamcop.net (Notes)

Test 3: I tried a few more tests and when I sent a test message from my domain address back to the same address it did pick up on the correct originating IP. It wanted to send a spam report to AT&T since that is my ISP but not where my domain that the test email was sent from.

What am I doing wrong here? Thank you for any assistance.

goodnerd Posted July 23, 2018

This may or may not be associated with the issue but I was just researching out the phishing spam I received today and reported through SpamCop, since the header showed who the domain was and who the webmail server was. The sending address was from edesigngroup.net, which pings out to 160.153.73.73. When I went to ping.eu to research out things I did a whois on the IP 160.153.73.73 and it came up with the default

Quote

    % This is the RIPE Database query service.
    % The objects are in RPSL format.
    %
    % The RIPE Database is subject to Terms and Conditions.
    % See http://www.ripe.net/db/support/db-terms-conditions.pdf
    % Note: this output has been filtered.
    % To receive output for a database update, use the "-B" flag.
    % Information related to '160.115.0.0 - 160.179.255.255'
    % No abuse contact registered for 160.115.0.0 - 160.179.255.255

    inetnum 160.115.0.0 - 160.179.255.255
    netname NON-RIPE-NCC-MANAGED-ADDRESS-BLOCK
    descr IPv4 address block not managed by the RIPE NCC
    remarks ------------------------------------------------------
    remarks:
    remarks You can find the whois server to query, or the
    remarks IANA registry to query on this web page:
    remarks http://www.iana.org/assignments/ipv4-address-space
    remarks:
    remarks You can access databases of other RIRs at:
    remarks:
    remarks AFRINIC (Africa)
    remarks http://www.afrinic.net/ whois.afrinic.net
    remarks:
    remarks APNIC (Asia Pacific)
    remarks http://www.apnic.net/ whois.apnic.net
    remarks:
    remarks ARIN (Northern America)
    remarks http://www.arin.net/ whois.arin.net
    remarks:
    remarks LACNIC (Latin America and the Carribean)
    remarks http://www.lacnic.net/ whois.lacnic.net
    remarks:
    remarks IANA IPV4 Recovered Address Space
    remarks http://www.iana.org/assignments/ipv4-recovered-address-space/ipv4-recovered-address-space.xhtml
    remarks:
    remarks ------------------------------------------------------
    country EU # Country is really world wide
    admin-c IANA1-RIPE
    tech-c IANA1-RIPE
    status ALLOCATED UNSPECIFIED
    mnt-by RIPE-NCC-HM-MNT
    mnt-lower RIPE-NCC-HM-MNT
    mnt-routes RIPE-NCC-RPSL-MNT
    created 2011-07-11T12:36:03Z
    last-modified 2015-10-29T15:14:15Z
    source RIPE

I know the IP is GoDaddy's so I ran the same IP on their WHOIS again, this time selecting the "full info" option on ping.eu's lookup service, and it displayed the proper information on the IP in question and not the generic iana.org info:

Quote

    #
    # ARIN WHOIS data and services are subject to the Terms of Use
    # available at https://www.arin.net/whois_tou.html
    #
    # If you see inaccuracies in the results, please report at
    # https://www.arin.net/resources/whois_reporting/index.html
    #
    # Copyright 1997-2018, American Registry for Internet Numbers, Ltd.
    #

    NetRange 160.153.0.0 - 160.153.255.255
    CIDR 160.153.0.0/16
    NetName GO-DADDY-COM-LLC
    NetHandle NET-160-153-0-0-1
    Parent NET160 (NET-160-0-0-0-0)
    NetType Direct Allocation
    OriginAS AS26496
    Organization GoDaddy.com, LLC (GODAD)
    RegDate 2011-08-31
    Updated 2014-02-25
    Comment Please send abuse complaints to abuse@godaddy.com
    Ref https://rdap.arin.net/registry/ip/160.153.0.0

    OrgName GoDaddy.com, LLC
    OrgId GODAD
    Address 14455 N Hayden Road
    Address Suite 226
    City Scottsdale
    StateProv AZ
    PostalCode 85260
    Country US
    RegDate 2007-06-01
    Updated 2014-09-10
    Comment Please send abuse complaints to abuse@godaddy.com
    Ref https://rdap.arin.net/registry/entity/GODAD

    OrgNOCHandle NOC124-ARIN
    OrgNOCName Network Operations Center
    OrgNOCPhone +1-480-505-8809
    OrgNOCEmail noc@godaddy.com
    OrgNOCRef https://rdap.arin.net/registry/entity/NOC124-ARIN

    OrgAbuseHandle ABUSE51-ARIN
    OrgAbuseName Abuse Department
    OrgAbusePhone +1-480-624-2505
    OrgAbuseEmail abuse@godaddy.com
    OrgAbuseRef https://rdap.arin.net/registry/entity/ABUSE51-ARIN

    OrgTechHandle NOC124-ARIN
    OrgTechName Network Operations Center
    OrgTechPhone +1-480-505-8809
    OrgTechEmail noc@godaddy.com
    OrgTechRef https://rdap.arin.net/registry/entity/NOC124-ARIN

    RTechHandle NOC124-ARIN
    RTechName Network Operations Center
    RTechPhone +1-480-505-8809
    RTechEmail noc@godaddy.com
    RTechRef https://rdap.arin.net/registry/entity/NOC124-ARIN

    RAbuseHandle ABUSE51-ARIN
    RAbuseName Abuse Department
    RAbusePhone +1-480-624-2505
    RAbuseEmail abuse@godaddy.com
    RAbuseRef https://rdap.arin.net/registry/entity/ABUSE51-ARIN

    RNOCHandle NOC124-ARIN
    RNOCName Network Operations Center
    RNOCPhone +1-480-505-8809
    RNOCEmail noc@godaddy.com
    RNOCRef https://rdap.arin.net/registry/entity/NOC124-ARIN

    #
    # ARIN WHOIS data and services are subject to the Terms of Use
    # available at https://www.arin.net/whois_tou.html
    #
    # If you see inaccuracies in the results, please report at
    # https://www.arin.net/resources/whois_reporting/index.html
    #
    # Copyright 1997-2018, American Registry for Internet Numbers, Ltd.
    #

Maybe this is related to the iana.org default reporting address...

petzl Posted July 23, 2018

7 hours ago, goodnerd said:

    Maybe this is related to the iana.org default reporting address...

SpamCop often gets reporting address wrong or can't find them. I use a freeware windows program to check. Direct link for installation download here http://www.nirsoft.net/utils/ipnetinfo_setup.exe it's hard to find on webpage http://www.nirsoft.net/utils/ipnetinfo.html but it's at the bottom/end of page

RobiBue Posted July 24, 2018

Hello Goodnerd,

the problem you're having is unfortunately known to spamcop, and is a problem for us "reporting spam". Gmail is one of the biggest causes of this problem, although I have heard that Yahoo! is doing the same. The reason is that these email providers have been inserting a 6to4 IPv6 address for their Received: headers. These 6to4 addresses begin with "2002:a".

you can submit the spam by changing the following in the topmost Received: line:

if you have

    Received: by 2002:aa7:d9c9:0:0:0:0:0 with SMTP id h22-v6csp6451088uaf; Tue, 24 Jul 2018 05:25:31 -0700 (PDT)
                 ^^^^^^^^^^^^^^^^^^^^^^^ 6to4 IPv6 address is a problem

place the IPv6 address in parentheses and add the equivalent 10.167.217.201 in front like this:

    Received: by 10.167.217.201 (2002:aa7:d9c9:0:0:0:0:0) with SMTP id h22-v6csp6451088uaf; Tue, 24 Jul 2018 05:25:31 -0700 (PDT)
                 ^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^
                 add            parenthesized

That should enable you to report your spam

goodnerd Posted July 30, 2018

Thank you both for very useful information. It's good to know that SpamCop is aware of the issue and I'm now inserting parentheses from spams received at Gmail. Both the ipnetinfo and the parentheses fix work like a charm. Thanks again!

klappa Posted August 16, 2018

On 7/24/2018 at 4:23 PM, RobiBue said:

    Hello Goodnerd,

    the problem you're having is unfortunately known to spamcop, and is a problem for us "reporting spam". Gmail is one of the biggest causes of this problem, although I have heard that Yahoo! is doing the same. The reason is that these email providers have been inserting a 6to4 IPv6 address for their Received: headers. These 6to4 addresses begin with "2002:a".

    you can submit the spam by changing the following in the topmost Received: line:

    if you have

        Received: by 2002:aa7:d9c9:0:0:0:0:0 with SMTP id h22-v6csp6451088uaf; Tue, 24 Jul 2018 05:25:31 -0700 (PDT)
                     ^^^^^^^^^^^^^^^^^^^^^^^ 6to4 IPv6 address is a problem

    place the IPv6 address in parentheses and add the equivalent 10.167.217.201 in front like this:

        Received: by 10.167.217.201 (2002:aa7:d9c9:0:0:0:0:0) with SMTP id h22-v6csp6451088uaf; Tue, 24 Jul 2018 05:25:31 -0700 (PDT)
                     ^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^
                     add            parenthesized

    That should enable you to report your spam

How can I find out the IPV4 equivalent?

RobiBue Posted August 16, 2018

3 hours ago, klappa said:

    How can i find out the IPV4 equivalent?

In this post I provided this link. all you do is place the IPv6 6to4 address in the box. et viola! an IPv4 address (if it is a 6to4 that is...) HTH

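Added example (not part of any post in this thread, and not SpamCop's code): the 6to4-to-IPv4 conversion and the topmost `Received:` rewrite described above, done locally with Python's standard `ipaddress` module. The function names and the sample message are constructed for illustration; only the `Received: by 2002:aa7:d9c9:0:0:0:0:0 ...` line comes from the thread.

```python
import ipaddress
import re

# "by <token>" at the start of a Received: header; the token may be an address or a host name.
BY_TOKEN = re.compile(r"^(Received:\s+by\s+)(\S+)", re.IGNORECASE)

def embedded_ipv4(addr):
    """Return the IPv4 address carried in bits 16-47 of a 6to4 (2002::/16)
    address, or None for anything else (other IPv6, IPv4, host names)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    return ip.sixtofour if ip.version == 6 else None

def rewrite_received(line):
    """Apply the thread's workaround to one Received: line:
    'by <6to4>' becomes 'by <ipv4> (<6to4>)'. Other lines come back unchanged."""
    m = BY_TOKEN.match(line)
    v4 = embedded_ipv4(m.group(2)) if m else None
    if v4 is None:
        return line
    return f"{m.group(1)}{v4} ({m.group(2)}){line[m.end():]}"

def rewrite_topmost(raw):
    """Rewrite only the topmost Received: header of a raw message."""
    lines = raw.split("\n")
    for i, line in enumerate(lines):
        if not line.strip():          # blank line: end of the header block
            break
        if line.lower().startswith("received:"):
            lines[i] = rewrite_received(line)
            break
    return "\n".join(lines)

# Constructed sample: the Received: line quoted in the thread plus invented headers.
SAMPLE = (
    "Received: by 2002:aa7:d9c9:0:0:0:0:0 with SMTP id h22-v6csp6451088uaf;\n"
    "        Tue, 24 Jul 2018 05:25:31 -0700 (PDT)\n"
    "Received: from mail.example.net (mail.example.net. [192.0.2.25])\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print(rewrite_topmost(SAMPLE))
```

The recovered 10.167.217.201 is an RFC 1918 private address, which `embedded_ipv4("2002:aa7:d9c9:0:0:0:0:0").is_private` confirms; a WHOIS lookup on it will not name a responsible network.
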
klappa Posted August 18, 2018

On 8/16/2018 at 1:53 PM, RobiBue said:

    In this post I provided this link. all you do is place the IPv6 6to4 address in the box. et viola! an IPv4 address (if it is a 6to4 that is...) HTH

Thank you very much!

Charles85716 Posted September 20, 2018

By any chance do we have a fix scheduled or contemplated for this? Not only is it Gmail (and possibly Yahoo), but it's coming up in Hotmail as well.

I'm thinking it's spam originating on a mail server from an IPv6 network, that has to traverse a 6to4 conversion to get out onto the rest of the Internet. Find such a server, and a spammer is effectively anonymized as far as Spamcop is concerned. Darwinism takes over.

I report as an end user by forwarding spam as an attachment, so submitting each spam manually can only be done if the quantity is fairly small.

RobiBue Posted September 20, 2018

Unfortunately, no. there is no fix in sight. some of us are using workarounds (php, apps-script, ...) or other methods to replace the 6to4 IPv6 address with its IPv4 counterpart.

Spamcop (Cisco) has no desire to fix it, since they claim it opens vulnerabilities (I say that it's already a vulnerability by not fixing it) and Google (et al.) has, AFAICR, mentioned to spamcop that they are looking into fixing it, but since other big emailers have followed suit into abusing the 6to4 IPv6 addressing with private IPv4 networks, there is a very slim chance that it will be fixed at all.

It's sad, but it is what it is. And with that, I believe, Cisco is putting the nail in SpamCop's coffin...

klappa Posted September 20, 2018

1 hour ago, RobiBue said:

    Unfortunately, no. there is no fix in sight. some of us are using workarounds (php, apps-script, ...) or other methods to replace the 6to4 IPv6 address with its IPv4 counterpart.

    Spamcop (Cisco) has no desire to fix it, since they claim it opens vulnerabilities (I say that it's already a vulnerability by not fixing it) and Google (et al.) has, AFAICR, mentioned to spamcop that they are looking into fixing it, but since other big emailers have followed suit into abusing the 6to4 IPv6 addressing with private IPv4 networks, there is a very slim chance that it will be fixed at all.

    It's sad, but it is what it is. And with that, I believe, Cisco is putting the nail in SpamCop's coffin...

Well that's a shocker. I couldn't agree more.

This topic is now archived and is closed to further replies.