
Spamcop unable to resolve the originating IP


klappa


Why doesn't Spamcop use the X-Originating-IP or X-Sender-IP header when it processes the spam? More times than I can count I have had to manually send a report to the HOST of the originating IP in those headers. For every phishing spam now, Spamcop only resolves the sender IP as if it were sitting on the same DOMAIN I am using my e-mail for. Why does it do that? What can my e-mail HOST do with the spam/phishing e-mail reports when the phisher is using a completely different e-mail provider, which should get the Spamcop reports instead?

I don't feel like having to send two different spam/phishing reports. I am using Spamcop to do that for me, but it seems it really can't do its job very well.


For one note, those headers can be spoofed. Long gone are the days of relays, so the person whose IP is showing directly in your logs is the one that needs to deal with the login on their server. The spammers sometimes like to add headers so you think they are just a relay and to shift blame.


1 hour ago, gnarlymarley said:

For one note, those headers can be spoofed. Long gone are the days of relays, so the person whose IP is showing directly in your logs is the one that needs to deal with the login on their server. The spammers sometimes like to add headers so you think they are just a relay and to shift blame.

If that was true they would have faked the other Received headers as well. X-Originating-IP headers and similar are set by the last host that receives them.


3 hours ago, lisati said:

The only Received header that you can trust with any degree of certainty is one inserted by a server you administer, preferably the server that drops the incoming email into the recipient's inbox.

What could my third-party e-mail host do about it? Is it their duty to do anything about it if the spammer or phisher is using another host via a VPN or proxy host?


Apologies for the delay in replying.

As helpful as the "X-Originating-IP" address can be in gathering clues to an email's apparent source, it can be forged.

What some providers do is an analysis of the content of the email, sometimes the headers only, sometimes the complete email. Depending on the results of the analysis, the options open to the provider include (1) rejecting the email outright (works best when done BEFORE the complete email has been accepted for delivery), (2) flagging the email as spam (possibly by altering the subject), (3) flicking the mail into a spam or Junk folder, or (4) accepting the email unchallenged.

Be extremely wary of solutions based on some kind of challenge-response system. Because the sender address can easily be forged, it's very easy to annoy innocent third parties.

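The point made above, and in the earlier quoted reply, is that only a Received header written by a server you administer is trustworthy, while X-Originating-IP and the lower Received lines are whatever the sender chose to write. The following Python script is an added example, not code from this thread or from SpamCop, that walks the Received chain of a constructed message from the newest hop inward and stops at the first hop where one of your own servers accepted a connection from a host you do not control. The host names (imap.example.net, mx.example.net), the IP addresses and the message itself are all constructed for the example; the set of trusted hosts stands in for what SpamCop calls your "mail hosts" configuration.

```python
import re
from email import message_from_string

# Constructed sample message (not from the thread). Our own servers are
# imap.example.net and mx.example.net; mx.example.net accepted the TCP
# connection from 203.0.113.7. Everything below that Received line, and the
# X-Originating-IP header, was written by the sender and can say anything.
SAMPLE_RAW = (
    "Received: from mx.example.net (mx.example.net [192.0.2.10])\n"
    "  by imap.example.net (Dovecot) with LMTP id 1\n"
    "  for <victim@example.net>; Mon, 1 Jan 2024 10:00:01 +0000\n"
    "Received: from mail.relay.invalid (unknown [203.0.113.7])\n"
    "  by mx.example.net (Postfix) with ESMTP id 2\n"
    "  for <victim@example.net>; Mon, 1 Jan 2024 10:00:00 +0000\n"
    "Received: from webmail.bigmail.example (webmail.bigmail.example [198.51.100.9])\n"
    "  by mail.relay.invalid with ESMTP; Mon, 1 Jan 2024 09:59:00 +0000\n"
    "X-Originating-IP: [198.51.100.9]\n"
    "From: \"Account Team\" <support@bigmail.example>\n"
    "To: victim@example.net\n"
    "Subject: Verify your account\n"
    "\n"
    "Click the link to keep your mailbox.\n"
)

# Assumed: every host we administer on the delivery path (the "border").
TRUSTED_HOSTS = {"imap.example.net", "mx.example.net"}

# from <host> ... [<ip>] ... by <host>  (the usual Received layout)
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+).*?\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\].*?\bby\s+(?P<by>[^\s;]+)",
    re.IGNORECASE,
)


def parse_received(value):
    """Pull (from-host, connecting IP, by-host) out of one Received header."""
    flat = " ".join(value.split())  # unfold continuation lines
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    return {"from": m["from"].lower(), "ip": m["ip"], "by": m["by"].lower()}


def find_border_ip(raw, trusted):
    """Walk Received headers from the newest hop inward and return the IP that
    connected to the outermost server we administer. Returns None if the
    chain leaves our control before an untrusted 'from' host is reached."""
    msg = message_from_string(raw)
    for value in msg.get_all("Received", []):  # index 0 = hop closest to us
        hop = parse_received(value)
        if hop is None:
            continue
        if hop["by"] not in trusted:
            return None  # written by a server we do not control
        if hop["from"] not in trusted:
            return hop["ip"]  # our server logged this connection
    return None


def claimed_originating_ip(raw):
    """The sender-supplied X-Originating-IP value, with no trust attached."""
    msg = message_from_string(raw)
    value = msg.get("X-Originating-IP")
    if value is None:
        return None
    m = re.search(r"[0-9A-Fa-f.:]+", value)
    return m.group(0) if m else None


if __name__ == "__main__":
    border = find_border_ip(SAMPLE_RAW, TRUSTED_HOSTS)
    claimed = claimed_originating_ip(SAMPLE_RAW)
    print("IP that connected to our border:", border)
    print("IP the sender claims to be from:", claimed)
    if border != claimed:
        print("Only the border IP is backed by our own server's log.")
```

With the full trusted set the script returns 203.0.113.7, the address the provider's own log can corroborate, while X-Originating-IP points somewhere else entirely. If the trusted set is incomplete (say only imap.example.net is listed), the walk stops one hop early and reports the internal mx.example.net address instead, which is the same mistake the "mail hosts" configuration exists to prevent; if the trusted set does not match the top hop at all, the function returns None rather than guessing.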

How this should work is that once you report the spam to the administrator of the server that sent you the spam, he can verify logs and resubmit his portion of the spam, if they indeed were relaying. Since relaying is a thing of the past, they then will close any holes the spammer may have used so that it does not happen again. If there was no relaying involved, the administrator should see who authenticated and deal with that account.


Short answer: you do the best you can with the information at your disposal.

It is possible to develop a sense of which parts of the information in any given email will be the most useful in figuring out where to send your complaints. Sadly, it's sometimes necessary to stop short of using what would seem intuitive, e.g. doing a deep scan of ALL the Received headers, flicking off a grumpy response to the alleged sender, etc.


How would, for example, Google, Microsoft or Yahoo deal with the problem? Any of these will get the spam reports, since Spamcop only trusts the last destination line, more or less? Won't they get tired of getting spam reports from Spamcop all the time which didn't originate from them in the first place? So there's no way to report the original sender, since the spammers or phishers spoof the other Received header lines except the last Received line anyway, and the anti-spam filters?


37 minutes ago, klappa said:

How would, for example, Google, Microsoft or Yahoo deal with the problem? Any of these will get the spam reports, since Spamcop only trusts the last destination line, more or less? Won't they get tired of getting spam reports from Spamcop all the time which didn't originate from them in the first place? So there's no way to report the original sender, since the spammers or phishers spoof the other Received header lines except the last Received line anyway, and the anti-spam filters?

They will look in their logs to verify that the email was not changed. This will also point them to the source of the email, and they will file a new spamcop report and/or else they will disable the user's account.

Now you mentioned that maybe they will get tired of spamcop, and there are some that do. For those that get tired of spamcop, the rest of us just use the spamcop blacklist. Once they realize they can no longer get their spam through, they will either have to deal with the problem or else they will not be able to send email to a small part of the internet. When they realize they cannot get their scam through, they will deal with the problem and make the spammer move on.

I have noticed that spammers have been adding fake Received lines for nearly two decades now. They have been doing that so that spamcop back then would send the report to the wrong person and get the wrong person in trouble. Spamcop then added the "mail hosts" so that it would report your border. There also have been folks, who were banned from spamcop, that were changing the headers, which I believe is why we have it in the FAQ to not change anything but munge a little.

Because anyone can change the text in the headers, the only way I can trust a report I receive is to look it up in my mail server logs to verify that everything is correct. I also have more information in my logs that does not get sent on with the email, which is why the only way I can deal with spam that might be sent from my server is to look at the mail server logs.


Archived

This topic is now archived and is closed to further replies.
