klappa, posted November 11, 2018

I have two different e-mails: one is Outlook, the other one is Gmail. Every time I get a spam on my Outlook e-mail it in almost all cases reports directly to report_spam@hotmail.com. However, sometimes I get the same spam on my Gmail e-mail (the spammer supposedly has both of my e-mail addresses). But the Gmail one reports to the correct spam contacts, whereas the Outlook always reports to the hotmail abuse address, which it shouldn't do except if the spammer sends me spam using one of Microsoft's services? Only in a few instances does Spamcop report to the right abuse contacts when using Outlook; I have no idea why it works in those cases but oh well.

Why does it do this? If I recollect rightly this hasn't always been the case and it always used to send to the correct instances or abuse contacts.

Here are two Spamcop reports, the first one from Outlook and the other one from the Gmail e-mail.

https://www.spamcop.net/sc?id=z6499645284z69efc272a2d2f2b47876f5ca99aa42ddz
https://www.spamcop.net/sc?id=z6499643222z25c6ac08119c343450665e089fa8cf61z

Since Gmail doesn't work with Spamcop without breaking I had to convert the 6to4 address to an IPv4 address. It's a bad joke which Spamcop hasn't corrected for years now but I leave that for another time. It just shows that it is meaningless to report spam using Outlook since Spamcop can't handle them properly. At least Outlook is using a proper IPV6 address rather than a 6to4 private address like Gmail does, but it doesn't help Spamcop parsing them properly to the right abuse contacts using Outlook either way. Something is broken.
gnarlymarley, posted November 15, 2018

From the tracking URLs (thanks for those BTW) it does not appear that you have mail hosts set up. Once I set up mailhosts, my hotmail.com reporting shows properly and does get reported to the spammer.

https://www.spamcop.net/fom-serve/cache/397.html

Once you set up mail hosts, previously submitted spams will show the correct IP address. The hard part is getting all your emails set up with mailhosts.

How mailhosts works is that it attempts to track all the handoffs from the ISP border server to the internal servers. This means it will not try to report internal servers, as admins moving from IPv4 NAT (who were erroneously told that IPv6 does not support NAT) used public IPs for their private servers. Mailhosts will properly assign that blame to the edge of your email provider's network.
klappa (Author), posted November 21, 2018

On 11/15/2018 at 3:24 PM, gnarlymarley said:
> From the tracking URLs (thanks for those BTW) it does not appear that you have mail hosts set up. Once I set up mailhosts, my hotmail.com reporting shows properly and does get reported to the spammer.
>
> https://www.spamcop.net/fom-serve/cache/397.html
>
> Once you set up mail hosts, previously submitted spams will show the correct IP address. The hard part is getting all your emails set up with mailhosts.
>
> How mailhosts works is that it attempts to track all the handoffs from the ISP border server to the internal servers. This means it will not try to report internal servers, as admins moving from IPv4 NAT (who were erroneously told that IPv6 does not support NAT) used public IPs for their private servers. Mailhosts will properly assign that blame to the edge of your email provider's network.

Thank you for the explanation but I only use one e-mail. I do have my Hotmail mailhost set up correctly. I don't quite understand what you mean, but the problem I have is that the mailhost didn't properly assign that blame to the edge as you said.

I did the mailhost verification again and reported a new spam mail. It doesn't seem to work still. The original sender is sent from somewhere in Bosnia. It could be fake though.

https://www.spamcop.net/sc?id=z6501940819zcc4d6ab64a99582789746cbfa88ebe99z
Lking, posted November 21, 2018

Klappa, I don't think your problems are unique to you. With both gmail and Outlook you have created almost a "perfect storm" opposing reporting of spam.

Have you looked at the other threads about handling the IPV6 issues? They do include suggestions for handling the headers before reporting.

It would be nice if SpamCop could handle the IPV6 problem "today" but it was reported in another thread that the conversion process opened a security vulnerability that is currently being worked on. I have no clue about timing for resolution.
petzl, posted November 21, 2018

41 minutes ago, Lking said:
> It would be nice if SpamCop could handle the IPV6 problem

SpamCop does handle IPV6? I don't use a Hotmail/Outlook account but read where Microsoft pointyheads obscure the source, pointing abuse back to them, which should work with their "superdooper" ARC nonsense. Relying on their own lazy abuse department (the object is to obscure source IP).

https://www.spamcop.net/sc?id=z6501740491z127c9ce8f5531c397f9a64f4aa786df9z
RobiBue, posted November 22, 2018

6 hours ago, Lking said:
> Yes petzl, I misspoke.

I do not believe you mis-spoke. It is an IPv6 problem. SpamCop doesn't resolve the 6to4 private addresses, which are in IPv6 format, and that qualifies as an "IPv6 problem" that we all wish SpamCop would be able to handle "today".
Lking, posted November 22, 2018

1 hour ago, RobiBue said:
> I do not believe you mis-spoke. It is an IPv6 problem.

There was a time when SC did not handle any IPv6 IPs. Now they do handle IPv6 IPs that are correctly applied. As petzl stated:

9 hours ago, petzl said:
> {Microsoft} obscure the source, pointing abuse back to them which should work with their "superdooper" ARC nonsense.

Which leads back to the same old problem: SC can't be expected (at least by me) to maintain a parser that handles every ISP and spammer variant of the standards, whether implemented intentionally to obscure or through incorrect use of the system.
RobiBue, posted November 22, 2018

From what I understand, when Julian Haight designed SpamCop, it looked at every possible correctly chained IP address, where it was sent from, and who received it, making sure that spoofed headers would not confuse the chain.

If he were still running this system, he would have correctly implemented the 6to4 IPv6 checks, which apparently Cisco/Talos has no intention to do. For them to claim the implementation would cause a security vulnerability is pure BS in my not so humble opinion. It just shows that their programmers are not as good as one would expect from a company of such security weight.

It's an email header parser/analyzer for heaven's sake. And it's broken (on the IPv6 6to4 address side at least).
klappa (Author), posted November 23, 2018

21 hours ago, RobiBue said:
> From what I understand, when Julian Haight designed SpamCop, it looked at every possible correctly chained IP address, where it was sent from, and who received it, making sure that spoofed headers would not confuse the chain.
>
> If he were still running this system, he would have correctly implemented the 6to4 IPv6 checks, which apparently Cisco/Talos has no intention to do. For them to claim the implementation would cause a security vulnerability is pure BS in my not so humble opinion. It just shows that their programmers are not as good as one would expect from a company of such security weight.
>
> It's an email header parser/analyzer for heaven's sake. And it's broken (on the IPv6 6to4 address side at least).

Then what is the point of using Spamcop when it's not even compatible with the two biggest e-mail webhosts today? Mailing the Spamcop devs doesn't fix the problem either. Cisco just doesn't care about Spamcop anymore.

I give up!
MIG, posted November 23, 2018

petzl (I always go to type pretzel! 😁) et al - not sure if this information will be of any use..., a SC admin advised:

"A couple of years ago Hotmail had to give up two /16 networks they were using (33,554,432 IP addresses) as they were not assigned to them. Microsoft had to quickly reconfigure their network and used IPv6 to do so.

Unfortunately when doing so, they did not do it carefully and make sure they had full name resolution throughout the network, where the forward and reverse dns on each server matches. This means we can't trust their headers and will often take them as the source of the spam.

All is not lost though, as Hotmail's parsing engines, when they receive the report, do pass through the report to the right party. It also helps Hotmail block new spam from that source.

Microsoft is working on resolving the issue, but it is a couple of hundred thousand servers. They have told us though the fix is measured in years, not weeks or months."

On that basis I continue to always "send" any parsed results that are directed to MSOL, if only to "let them know they have work to do".

On a completely separate subject & everybody probably knows this, but, for newbies like me, I found adding my email address to [https://www.spamcop.net/mcgi?action=prefmenu] > Preferences > Personal copies of outgoing reports has saved me mega work. I was always forgetting to take note of the TRACKING URL, which made life difficult when I needed to submit an issue to the SCF. Now I get all SC reports, any followup is a breeze.

Since starting using SC, spam has gone from 10/20 daily to 1 or 2 every other day... SC
petzl, posted November 23, 2018

All one has to do is go to your SpamCop account, put an IPV6 number in the report box, press "submit spam" and SpamCop will give an abuse address for it.
gnarlymarley, posted November 24, 2018

11 hours ago, klappa said:
> Then what is the point of using Spamcop when it's not even compatible with the two biggest e-mail webhosts today? Mailing the Spamcop devs doesn't fix the problem either. Cisco just doesn't care about Spamcop anymore.

I use hotmail and I do not see any problems with spamcop, if I strip off the top broken piece.
MIG, posted November 24, 2018

Thanks Petzl! You've given me another thing to test out, now I just have to wait till I get some spam - never thought I'd be saying that!
MIG, posted November 24, 2018

Hey Petzl, decided to use some existing scummy spam:

2603:10a6:6:43::31 is not a hostname
Routing details for 2603:10a6:6:43::31
[refresh/show] Cached whois for 2603:10a6:6:43::31 : abuse@microsoft.com
abuse@hotmail.com redirects to report_spam@hotmail.com
Using best contacts report_spam@hotmail.com

Parsing input: 2603:10a6:6:2b::19
2603:10a6:6:2b::19 is not a hostname
Routing details for 2603:10a6:6:2b::19
[refresh/show] Cached whois for 2603:10a6:6:2b::19 : abuse@microsoft.com
abuse@hotmail.com redirects to report_spam@hotmail.com
Using best contacts report_spam@hotmail.com

(Which we already know & we know why MS is so stuffed up with the whole spam issue, & we use the "eliminate 1st "Received: etc..")

I've checked another 15 spam emails, none seem to have more than 1 IPV6 - am I using the wrong info?
petzl, posted November 24, 2018

1 hour ago, MIG said:
> 2603:10a6:6:2b::19 is not a hostname
> Routing details for 2603:10a6:6:2b::19
> [refresh/show] Cached whois for 2603:10a6:6:2b::19 : abuse@microsoft.com
> abuse@hotmail.com redirects to report_spam@hotmail.com
> Using best contacts report_spam@hotmail.com

That's who it belongs to. Abuse should not need detailed info. They can work it out and sort it out (theoretically) and block offending IP's from ever sending to hotmail! Gmail the same. This is a big real weapon against spammers/rogue networks that ignore abuse reports.

SendSafe/CisCo just delete emails no spamtrap nothing and from what I have seen works perfectly.
klappa (Author), posted November 29, 2018

On 11/24/2018 at 1:13 AM, gnarlymarley said:
> I use hotmail and I do not see any problems with spamcop, if I strip off the top broken piece.

But if you have to do that it's broken. Spamcop doesn't work with any IPV6 addresses. Only in a very few instances I got it to work with Outlook, never with Gmail.

So you're telling me I have to remove the topmost Receive line header to get Spamcop to parse the email spam right? Just like with Gmail?
petzl, posted November 29, 2018

18 minutes ago, klappa said:
> Spamcop doesn't work with any IPV6 addresses.

It does but won't report on an IPV6 internal network address. SpamCop won't do this with an IP4 address either
For IPV6 look-ups use
klappa (Author), posted November 29, 2018

3 minutes ago, petzl said:
> It does but won't report on an IPV6 internal network address. SpamCop won't do this with an IP4 address either
> For IPV6 look-ups use

But then again I have to refer to my original question. Why does all my spam from my Outlook e-mail report to Microsoft when parsing it with Spamcop?
petzl, posted November 29, 2018

1 minute ago, klappa said:
> But then again I have to refer to my original question. Why does all my spam from my Outlook e-mail report to Microsoft when parsing it with Spamcop?

Just send email to whatever the abuse address is for your email provider forward as attachment.
lisati, posted November 29, 2018

It's a known issue. Some remove the "broken" ipv6 Received header. In the interests of preserving all the information available, I submit the spam manually, editing it to read X-Received. A similar approach is sometimes helpful with emails arriving at Gmail accounts.
MIG, posted November 29, 2018

Hello klappa - re [Why does all my spam from my Outlook e-mail report to Microsoft when parsing it with Spamcop?]

I've had the following explained to me:

Quote

"A couple of years ago Hotmail had to give up two /16 networks they were using (33,554,432 IP addresses) as they were not assigned to them. Microsoft had to quickly reconfigure their network and used IPv6 to do so.

Unfortunately when doing so, they did not do it carefully and make sure they had full name resolution throughout the network, where the forward and reverse dns on each server matches. This means we can't trust their headers and will often take them as the source of the spam.

All is not lost though, as Hotmail's parsing engines, when they receive the report, do pass through the report to the right party. It also helps Hotmail block new spam from that source.

Microsoft is working on resolving the issue, but it is a couple of hundred thousand servers. They have told us though the fix is measured in years, not weeks or months."

Unquote

This information allowed me to get my head around why the repetitive "report_spam@hotmail.com" was happening.

And, to get a more accurate & true report from SpamCop I implemented (as other SCF members have recommended, & I think the SC help doco also suggests this method): Remove the first [Received: from blah-blah-blah.prod.protection.outlook.com (2603:xxc6:xx0:xx::36) before submitting to SC for parsing.

Re [But if you have to do that it's (SC) broken]

Technically, this is my opinion, SC is not broken; given the MS/Outlook/Hotmail Ipv4/Ipv6 mess, I think it's more that MS/OL/HM is broken & there's no point SC fixing their service to accommodate the mess. Also, there's lots of broken things in this world, however, they still work to some degree, that being the case, are better than nothing.

I know for myself, after 15 years of faithfully marking all HM phishing emails as [block] & or [phishing] and not seeing any reduction in the emails, in fact, sometimes there was a substantial increase, to the point where I thought someone on the MS/OL/HM inside was a spammer or was facilitating spammers; a month ago, I found SpamCop, started using it and now, hand on heart, today was the first time in 7 days a spam email was received. So for me, using SC & using the workaround, removing the first "received" line is a small price to pay.
klappa (Author), posted November 30, 2018

On 11/29/2018 at 2:15 AM, petzl said:
> Just send email to whatever the abuse address is for your email provider forward as attachment.

What are you talking about? I don't think you understand my initial question. It always sends to report_spam at hotmail dot com no matter what.

On 11/29/2018 at 4:53 AM, lisati said:
> It's a known issue. Some remove the "broken" ipv6 Received header. In the interests of preserving all the information available, I submit the spam manually, editing it to read X-Received. A similar approach is sometimes helpful with emails arriving at Gmail accounts.

Editing it how? Changing the Receive line to X-Received? For Gmail I just delete the Receive line and Spamcop can parse it, otherwise it can't.

23 hours ago, MIG said:
> Hello klappa - re [Why does all my spam from my Outlook e-mail report to Microsoft when parsing it with Spamcop?]
>
> I've had the following explained to me:
>
> Quote
>
> "A couple of years ago Hotmail had to give up two /16 networks they were using (33,554,432 IP addresses) as they were not assigned to them. Microsoft had to quickly reconfigure their network and used IPv6 to do so.
>
> Unfortunately when doing so, they did not do it carefully and make sure they had full name resolution throughout the network, where the forward and reverse dns on each server matches. This means we can't trust their headers and will often take them as the source of the spam.
>
> All is not lost though, as Hotmail's parsing engines, when they receive the report, do pass through the report to the right party. It also helps Hotmail block new spam from that source.
>
> Microsoft is working on resolving the issue, but it is a couple of hundred thousand servers. They have told us though the fix is measured in years, not weeks or months."
>
> Unquote
>
> This information allowed me to get my head around why the repetitive "report_spam@hotmail.com" was happening.
>
> And, to get a more accurate & true report from SpamCop I implemented (as other SCF members have recommended, & I think the SC help doco also suggests this method): Remove the first [Received: from blah-blah-blah.prod.protection.outlook.com (2603:xxc6:xx0:xx::36) before submitting to SC for parsing.
>
> Re [But if you have to do that it's (SC) broken]
>
> Technically, this is my opinion, SC is not broken; given the MS/Outlook/Hotmail Ipv4/Ipv6 mess, I think it's more that MS/OL/HM is broken & there's no point SC fixing their service to accommodate the mess. Also, there's lots of broken things in this world, however, they still work to some degree, that being the case, are better than nothing.
>
> I know for myself, after 15 years of faithfully marking all HM phishing emails as [block] & or [phishing] and not seeing any reduction in the emails, in fact, sometimes there was a substantial increase, to the point where I thought someone on the MS/OL/HM inside was a spammer or was facilitating spammers; a month ago, I found SpamCop, started using it and now, hand on heart, today was the first time in 7 days a spam email was received. So for me, using SC & using the workaround, removing the first "received" line is a small price to pay.

Thanks! But no matter how many spam I report to Microsoft directly nothing happens. Sending the spam reports to Microsoft is like sending them into a void. You never know for certain they'll care or even do something about it, so I don't trust them with any spam-reports unless the spammer is sending from their servers directly.
MIG, posted November 30, 2018

Hey klappa, I absolutely agree, I may not have communicated clearly. My experience prior to using SC, years using MS "mark as junk, phishing spam & or blocking", resulted in an increase in spam 😬

>> Stumbled upon SC, started using, almost every parsed report resulted in: Report to: abuseATmicrosoft.com 🤬 (sorry I previously said abuseAThotmail.com), until the "Quote ... Unquote" process was explained. I refined my submissions, ever since I get "truer" (is that even a word?) results.

If I use your original https://www.spamcop.net/sc?id=z6499645284z69efc272a2d2f2b47876f5ca99aa42ddz & don't remove the first "Received: from DM3NAM03HT165.eop-NAM03.prod.protection.outlook.com.... etc, etc....+0000" I get "Report to: abuseATmicrosoft.com"; however, removing the 1st "Received: from..." results in Report to: mail-abuseATcert.br & abuseATlocaweb.com.br
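
Added example, not part of any post in this thread and not SpamCop's parser: it illustrates the two manual steps the posters describe, reading the IPv4 address out of a 6to4 (2002::/16) address as klappa mentions, and lisati's edit that turns only the topmost Received: field into X-Received: so its text is kept. The function names and the sample message are assumptions made for the illustration; the two 2603: addresses are the ones quoted above, everything else in the sample is constructed.

```python
import ipaddress
import re

from email import message_from_string

# Constructed sample (not a real message). The two 2603: addresses are the ones
# quoted in the thread; hostnames, the 2002: address and 203.0.113.25 are made up.
SAMPLE = (
    "Received: from EX01.example.prod.protection.outlook.com\n"
    " (2603:10a6:6:43::31) by EX02.example.prod.outlook.com\n"
    " (2603:10a6:6:2b::19) with HTTPS; Sun, 11 Nov 2018 10:00:02 +0000\n"
    "Received: by 2002:a17:906:1b4f:0:0:0:0 with SMTP id x1csp100;\n"
    " Sun, 11 Nov 2018 10:00:01 +0000\n"
    "Received: from mail.sender.example (mail.sender.example [203.0.113.25])\n"
    " by mx.example.net with ESMTP; Sun, 11 Nov 2018 10:00:00 +0000\n"
    "From: spammer@sender.example\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# A run of address characters that is not glued to a hostname or another word.
TOKEN = re.compile(r"(?<![\w.:-])[0-9A-Fa-f:.]+(?![\w-])")


def hops(raw):
    """Per Received: header (topmost first), the IP literals it names."""
    result = []
    for value in message_from_string(raw).get_all("Received", []):
        found = []
        for tok in TOKEN.findall(value):
            try:
                found.append(ipaddress.ip_address(tok.strip(".")))
            except ValueError:
                pass  # times, dates and stray hex-looking words are not addresses
        result.append(found)
    return result


def embedded_ipv4(addr):
    """IPv4 address carried in bits 16..47 of a 6to4 (2002::/16) address, else None."""
    return addr.sixtofour if addr.version == 6 else None


def demote_top_received(raw):
    """Rename only the topmost Received: field to X-Received:, keeping its text."""
    head, sep, body = raw.partition("\n\n")  # never touch the message body
    head = re.sub(r"^Received:", "X-Received:", head, count=1, flags=re.M | re.I)
    return head + sep + body


if __name__ == "__main__":
    for label, text in (("as received", SAMPLE),
                        ("top hop demoted", demote_top_received(SAMPLE))):
        print(label)
        for i, ips in enumerate(hops(text)):
            for ip in ips:
                inner = embedded_ipv4(ip)
                note = f" = 6to4 for {inner}, private={inner.is_private}" if inner else ""
                print(f"  hop {i}: {ip}{note}")
```

Run on a saved copy of the message source, the edited text can then be pasted into the report box; the original hop stays in the message as X-Received.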
Archived
This topic is now archived and is closed to further replies.