Spamcop doesn't parse the spam links

[klappa]

I don't know if it's a new problem but lately Spamcop is having problem to parse the links in spam even though there are several of them. Here's an example

https://www.spamcop.net/sc?id=z6490190910z2e032a89ce43df58c2d4299d8e6679c7z

Can somebody explain this?

I do pay for the service and it doesn't seem to work properly when it should.

[RobiBue]

Hi Klappa,

I can try to explain what’s happening here:

In the topmost (last) Received: line 

Received: from CO1NAM04HT207.eop-NAM04.prod.protection.outlook.com
 (2603:10a6:4:2b::32) by DB4PR03MB524.eurprd03.prod.outlook.com with HTTPS via
 DB6PR0801CA0064.EURPRD08.PROD.OUTLOOK.COM; Tue, 2 Oct 2018 00:49:39 +0000

notice the address 2603:10a6:4:2b::32

which is a valid assigned IPv6 address belonging to M$.

The next Received: line

Received: from CO1NAM04FT010.eop-NAM04.prod.protection.outlook.com
 (10.152.90.52) by CO1NAM04HT207.eop-NAM04.prod.protection.outlook.com
 (10.152.91.103) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.20.1185.13; Tue, 2
 Oct 2018 00:49:37 +0000

appears to come from IP address 10.152.90.52, which is a private network address, so it is not trusted.

The following (preceding) Received: line

Received: from sfac11.wysweb.com.au (101.0.109.195) by
 CO1NAM04FT010.mail.protection.outlook.com (10.152.90.150) with Microsoft SMTP
 Server id 15.20.1185.13 via Frontend Transport; Tue, 2 Oct 2018 00:49:36
 +0000

which actually contains the spamming IP address 101.0.109.195 could already have been forged by the untrusted host mentioned above.

The problem is that M$/Hotmail/Outlook breaks the chain causing SpamCop to report the wrong address.

This is not SpamCop‘s fault, but M$’s.

[Lking]

56 minutes ago, klappa said:

problem but lately Spamcop is having problem to parse the links in spam

The links in the body of spam are the lowest priority task for the parser.  If you look at the "Statistics" tab  you will see thy are processing ~5 spam/second on average.  If you submit spam at times of high load, parsing the links in the body of your spam may not be done to avoid falling behind on the higher priority task.

Its an old reference but reminds me of "Lucy on the candy assembly line" from I Love Lucy ~ years ago (B/W TV) but a classic!

[Schtronck]

Hi,

Same thing here for month, now... ?

I mainly receive spam on my hotmail address, and every time I submit a spam, I now get something similar :

Parsing header:
host 2603:10a6:3:e5:0:0:0:21 (getting name) no name
0: Received: from AM5EUR03HT212.eop-EUR03.prod.protection.outlook.com (2603:10a6:3:e5::21) by HE1P190MB0284.EURP190.PROD.OUTLOOK.COM with HTTPS via HE1PR0902CA0011.EURPRD09.PROD.OUTLOOK.COM; Wed, 3 Oct 2018 09:06:23 +0000
No unique hostname found for source: 2603:10a6:3:e5:0:0:0:21
Hotmail/MSN received mail from sending system 2603:10a6:3:e5:0:0:0:21

1: Received: from AM5EUR03FT042.eop-EUR03.prod.protection.outlook.com (10.152.16.52) by AM5EUR03HT212.eop-EUR03.prod.protection.outlook.com (10.152.17.135) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.20.1185.13; Wed, 3 Oct 2018 09:06:22 +0000
Internal handoff or trivial forgery

2: Received: from 99h37.org (117.97.128.120) by AM5EUR03FT042.mail.protection.outlook.com (10.152.17.168) with Microsoft SMTP Server id 15.20.1185.13 via Frontend Transport; Wed, 3 Oct 2018 09:06:21 +0000
No unique hostname found for source: 117.97.128.120
Possible forgery. Supposed receiving system not associated with any of your mailhosts
Will not trust this Received line.

So, every report is send to " report_spam@hotmail.com " witch is completely useless.

[RobiBue]

as i mentioned, it's M$'s (microsoft's) fault because they break the chain.

I do agree, that it is pointless to report your own email provider instead of the source, but there's nothing we mere "customers/end-users" can do if the big wigs don't want to play along.

 

[MyNameHere]

Okay, so the proper procedure for Hotmail and other Micro$oft accounts is to uncheck the report about the sending address and just report any spamvertised links?

Or would it be better to flood Micro$oft with as many spam reports as possible? Maybe with a note saying what the problem is?

Also, since this seems to be a universal problem, wouldn't it be a good idea to add it to the MailHosts and Reporting forums' pinned info? (I didn't see it on either one, but I didn't look carefully, either, he said sheepishly.)

 

[lisati]

I suspect that something similar to what others have reported for Gmail is happening. The workaround I generally use is similar to the Gmail workaround, commenting out the first Received line encountered as you scroll down the message source.

[MyNameHere]

Hmmm... in most cases, the first Received line is just the first line, right?

That does seem to work. Interesting.

Thanks!

 

[MyNameHere]

Hmmm... in most cases, the first Received line is just the first line, right?

Thanks!

 

[MyNameHere]

Update: For several weeks, I have been stripping off the first Received line from my Hotmail spam and including it in the "Additional notes" box. It looks like the proper sender is now being reported.

Bonus: My incoming spam count has gone 'way down. Might or might not be related.

[MyNameHere]

Update: For several weeks, I have been stripping off the first Received line from my Hotmail spam and including it in the "Additional notes" box. It looks like the proper sender is now being reported.

Bonus: My incoming spam count has gone 'way down. Might or might not be related.