Calion Posted August 7, 2018 I get a lot of spam that is apparently sent from Apple servers. However, almost none of it is phishing attempts. Therefore, I have to uncheck "reportphishing@apple.com" on each of the several messages that I report daily that SpamCop identifies as originating at "mac.com" (I find this unlikely; I suspect that they're just spoofing it to look like it's from the same domain as my email address, but whatever). Unless SpamCop wants me to report all these messages to "reportphishing@apple.com," could that option please be unchecked by default? Example: https://www.spamcop.net/sc?id=z6477895008z56a97be36e2c0ea3041c633f01754484z
RobiBue Posted August 7, 2018 I actually believe Apple should look into the configuration of their SMTP server named st11p00im-smtpin002. When it receives the email, it places the host name st11p00im-smtpin002.me.com into the Received: header as "received by"; then, when it sends the message on its merry way, the same server is now known as st11p00im-smtpin002.mac.com. me.com is an Apple domain, just like mac.com is. My take is that some admin forgot to change the domain name on the server... If I were you, I'd get in touch with Apple. They'd more than likely be willing to fix their server misconfiguration...
petzl Posted August 7, 2018 6 hours ago, Calion said: I get a lot of spam that is apparently sent from Apple servers. However, almost none of it is phishing attempts. Therefore, I have to uncheck "reportphishing@apple.com" There is an unsubscribe link; try using it? Then if it still comes, it is legally a phishing scam. They have your email address anyhow.
RobiBue Posted August 8, 2018 I want to expand on my theory about the misconfigured server... OK, the topmost (last) Received header:

Received: from st11p00im-smtpin002.mac.com ([17.172.80.20]) by ms55025.mac.com (Oracle Communications Messaging Server 8.0.1.3.20170906 64bit (built Sep 6 2017)) with ESMTP id <0PD000KG3DK8YJD0@ms55025.mac.com> for x; Sun, 05 Aug 2018 22:09:44 +0000 (GMT)

The mail server "ms55025.mac.com" receives the message from server "st11p00im-smtpin002.mac.com" and identifies the IP address [17.172.80.20], which in turn was received in the previous Received header (below) by server "st11p00im-smtpin002.me.com" (notice the coincidental same name, but me.com instead of mac.com domain; both Apple domains nonetheless) from the Russian server "kknd1.ru", identified to be IP address [84.22.137.8] (rDNS identifies the address as kknd1.ru):

Received: from kknd1.ru (kknd1.ru [84.22.137.8]) by st11p00im-smtpin002.me.com (Oracle Communications Messaging Server 8.0.2.2.20180531 64bit (built May 31 2018)) with ESMTP id <0PD0005G5DK5U970@st11p00im-smtpin002.me.com> for x (ORCPT x); Sun, 05 Aug 2018

Of course, sadly enough, at the moment, if I ping either the me.com or the mac.com servers, I get nil... but the Russian server is there...
petzl Posted August 8, 2018 5 hours ago, RobiBue said: the Russian server is there... Sounds like it's a Russian crime gang? 84.22.137.8 appears clean, but https://www.spamcop.net/w3m?action=checkblock&ip=84.22.137.26 : "System has been listed for 3.8 days."
Calion (Author) Posted August 10, 2018 On 8/7/2018 at 6:17 PM, petzl said: There is an unsubscribe link; try using it? Then if it still comes, it is legally a phishing scam. They have your email address anyhow. I'm confused. It's a phishing scam for Apple when it in no way purports to come from Apple?
Calion (Author) Posted August 10, 2018 On 8/7/2018 at 8:38 PM, RobiBue said: I want to expand on my theory about the misconfigured server... OK, the topmost (last) Received header:

Received: from st11p00im-smtpin002.mac.com ([17.172.80.20]) by ms55025.mac.com (Oracle Communications Messaging Server 8.0.1.3.20170906 64bit (built Sep 6 2017)) with ESMTP id <0PD000KG3DK8YJD0@ms55025.mac.com> for x; Sun, 05 Aug 2018 22:09:44 +0000 (GMT)

The mail server "ms55025.mac.com" receives the message from server "st11p00im-smtpin002.mac.com" and identifies the IP address [17.172.80.20], which in turn was received in the previous Received header (below) by server "st11p00im-smtpin002.me.com" (notice the coincidental same name, but me.com instead of mac.com domain; both Apple domains nonetheless) from the Russian server "kknd1.ru", identified to be IP address [84.22.137.8] (rDNS identifies the address as kknd1.ru):

Received: from kknd1.ru (kknd1.ru [84.22.137.8]) by st11p00im-smtpin002.me.com (Oracle Communications Messaging Server 8.0.2.2.20180531 64bit (built May 31 2018)) with ESMTP id <0PD0005G5DK5U970@st11p00im-smtpin002.me.com> for x (ORCPT x); Sun, 05 Aug 2018

Of course, sadly enough, at the moment, if I ping either the me.com or the mac.com servers, I get nil... but the Russian server is there...

This sounds to me like SpamCop is misidentifying the offending domain as mac.com when it's actually (in this case) kknd1.ru.
RobiBue Posted August 10, 2018 12 hours ago, Calion said: This sounds to me like SpamCop is misidentifying the offending domain as mac.com when it's actually (in this case) kknd1.ru. Yes and no... SpamCop can only follow the trail of the Received headers, and unfortunately Apple breaks that trail with their server announcing itself as being in domain me.com in the first header, but then being identified as being in mac.com. So yes, SpamCop is misidentifying the offending domain... And no, SpamCop identifies mac.com as the offending domain because Apple has broken the chain, and it believes that kknd1.ru is a spoofed header.
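The chain-walking that RobiBue describes in the August 8 post and again in this reply can be made concrete. What follows is an added example, not code from the original thread and not SpamCop's own logic: it parses the two Received headers quoted above (reassembled here as a constructed sample message, with the second header's date left truncated exactly as the post shows it), walks the hops from the most recent downward, and checks at each step whether the "from" host one MTA recorded is the same machine that wrote the "by" clause of the hop below. In strict mode the me.com / mac.com mismatch is treated as a break in the chain and the source is attributed to the last hop that could be followed, which is the 17.172.80.20 / mac.com outcome the thread complains about. The "lenient" mode, which compares only the leftmost host label, is an assumed heuristic of my own for illustration, not a rule SpamCop applies; it follows the chain through to kknd1.ru.

```python
import re
from dataclasses import dataclass
from email import message_from_string
from typing import List, Optional, Tuple

# Constructed sample message: the two Received headers quoted in the thread,
# refolded as header continuation lines. The recipient is "x" as in the post,
# and the second header's date is left truncated as the post shows it.
SAMPLE_MESSAGE = """\
Received: from st11p00im-smtpin002.mac.com ([17.172.80.20])
 by ms55025.mac.com (Oracle Communications Messaging Server 8.0.1.3.20170906
 64bit (built Sep 6 2017)) with ESMTP id <0PD000KG3DK8YJD0@ms55025.mac.com>
 for x; Sun, 05 Aug 2018 22:09:44 +0000 (GMT)
Received: from kknd1.ru (kknd1.ru [84.22.137.8])
 by st11p00im-smtpin002.me.com (Oracle Communications Messaging Server
 8.0.2.2.20180531 64bit (built May 31 2018)) with ESMTP id
 <0PD0005G5DK5U970@st11p00im-smtpin002.me.com> for x (ORCPT x);
 Sun, 05 Aug 2018
Subject: constructed sample

(body omitted)
"""


@dataclass
class Hop:
    from_host: str           # host name (or HELO name) the receiving MTA recorded
    from_ip: Optional[str]   # IPv4 literal the receiving MTA recorded, if any
    by_host: str             # the MTA that wrote this Received line


# "from <host> (<comment>) by <host>"; the comment usually holds rDNS and [ip].
_HOP_RE = re.compile(
    r"from\s+(?P<from_host>\S+)"
    r"(?:\s*\((?P<comment>[^)]*)\))?"
    r"\s+by\s+(?P<by_host>\S+)",
    re.IGNORECASE,
)
_IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(raw_message: str) -> List[Hop]:
    """Return the Received hops, topmost (most recent) first, as the MTAs wrote them."""
    msg = message_from_string(raw_message)
    hops: List[Hop] = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold the header onto one line
        m = _HOP_RE.match(flat)
        if m is None:
            continue  # e.g. "Received: by ..." local hand-offs with no "from"
        ip = _IPV4_RE.search(m.group("comment") or "")
        hops.append(Hop(m.group("from_host"), ip.group(1) if ip else None, m.group("by_host")))
    return hops


def _same_relay(upper_from: str, lower_by: str, strict: bool) -> bool:
    """Does the 'from' host one hop up name the MTA that wrote the hop below?"""
    if strict:
        return upper_from.lower() == lower_by.lower()
    # Assumed lenient heuristic (not SpamCop's rule): compare only the leftmost
    # label, so st11p00im-smtpin002.mac.com and st11p00im-smtpin002.me.com match.
    return upper_from.lower().split(".")[0] == lower_by.lower().split(".")[0]


def find_chain_break(hops: List[Hop], strict: bool = True) -> Optional[int]:
    """Index of the first hop whose 'by' host does not match what the hop above
    says it received from; None if the whole chain is consistent."""
    for i in range(len(hops) - 1):
        if not _same_relay(hops[i].from_host, hops[i + 1].by_host, strict):
            return i + 1
    return None


def attribute_source(hops: List[Hop], strict: bool = True) -> Tuple[Optional[str], str]:
    """(ip, host) of the last hop that can still be followed before the chain breaks."""
    if not hops:
        raise ValueError("no Received headers")
    k = find_chain_break(hops, strict)
    last_trusted = hops[-1] if k is None else hops[k - 1]
    return last_trusted.from_ip, last_trusted.from_host


if __name__ == "__main__":
    hops = parse_received(SAMPLE_MESSAGE)
    for i, h in enumerate(hops):
        print(f"hop {i}: from {h.from_host} [{h.from_ip}] by {h.by_host}")
    print("strict break at hop:", find_chain_break(hops))
    print("strict attribution: ", attribute_source(hops))
    print("lenient attribution:", attribute_source(hops, strict=False))
```

The consistency check only tells you where the self-reported chain stops agreeing with itself. A spammer who forges Received lines can just as easily forge a "by" host that matches what the next real MTA will record, so a clean chain is not proof of origin; the check catches sloppy forgeries and, as in this thread, a legitimate relay that names itself inconsistently between the two headers it touches.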
petzl Posted August 10, 2018 19 hours ago, Calion said: I'm confused. It's a phishing scam for Apple when it in no way purports to come from Apple? Not sure, but it looked to me to be coming through a "chat" group?
Calion (Author) Posted August 17, 2018 Regardless, essentially none of these are phishing schemes for Apple. So should I be sending them to reportphishing@apple.com? Here are some further examples:

https://www.spamcop.net/sc?id=z6479695862z1021bf7eed9c5e421ab77e7ed3c68892z
https://www.spamcop.net/sc?id=z6479695853z24341f49a2f2ac2e8d7679e8dbd82093z
https://www.spamcop.net/sc?id=z6479695831z41ebc038af38bb3d45b0bf68ec49e02ez
https://www.spamcop.net/sc?id=z6479695767z562a8a4e3c17e754681a1f9b8001df15z

None of them are phishing scams for Apple, though one is a phishing scam for LinkedIn.
Calion (Author) Posted August 23, 2018 So does this need to be changed, or should I leave "reportphishing@apple.com" checked?
Lking Posted August 23, 2018 I would suggest that Apple should be made aware of all spam that is designed to look like it comes from them, phishing or not.
Calion (Author) Posted August 24, 2018 Sure. Every one of these is being sent to "abuse@apple.com." The question is, should they also be sent to "reportphishing@apple.com"?
petzl Posted August 24, 2018 6 hours ago, Calion said: Sure. Every one of these is being sent to "abuse@apple.com." The question is, should they also be sent to "reportphishing@apple.com"? YES, leave it.
This topic is now archived and is closed to further replies.