fliptop Posted November 17, 2004 Share Posted November 17, 2004 hi list - for some time now i've noticed that when i report a spam from hotmail, the abuse address is not included in the report, even though the parser correctly finds it. here's some headers of an example: Return-Path: <melanie_stoppe[at]westlotto.org> Received: from hotmail.com (bay23-f17.bay23.hotmail.com [64.4.22.67]) by xx.xx.xx (8.11.6/8.11.6) with ESMTP id iAHA4vP07518 for <x>; Wed, 17 Nov 2004 05:04:58 -0500 Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Wed, 17 Nov 2004 02:05:02 -0800 Received: from 67.107.89.20 by by23fd.bay23.hotmail.msn.com with HTTP; Wed, 17 Nov 2004 10:04:45 GMT X-Originating-IP: [67.107.89.20] X-Originating-Email: [melanie_stoppe[at]westlotto.org] X-Sender: melanie_stoppe[at]westlotto.org From: "melanie stoppe" <melanie_stoppe[at]westlotto.org> Bcc: Subject: Congratulations!!! we rejoice with you... Date: Wed, 17 Nov 2004 11:04:45 +0100 Mime-Version: 1.0 Content-Type: text/plain; format=flowed Message-ID: <BAY2___________________050e[at]hotmail.com> X-OriginalArrivalTime: 17 Nov 2004 10:05:02.0094 (UTC) FILETIME=[E747B2E0:01C4CC8C] the abuse email address is found: Sender relay: 64.4.22.67 Routing details for 64.4.22.67 [refresh/show] Cached whois for 64.4.22.67 : abuse[at]microsoft.com Using best contacts abuse[at]hotmail.com Using rdns to route to correct Microsoft department host 64.4.22.67 = bay23-f17.bay23.hotmail.com (cached) abuse net hotmail.com = abuse[at]hotmail.com but it's never added to the report section. for obvious reasons, i don't want to block all email from hotmail users in my sendmail access, but it doesn't seem like reporting the spam will do any good either. have others experienced this? am i doing something incorrectly here? i get a lot of spam of this nature, and not being able to report it is starting to rub me the wrong way. thanks, paul Link to comment Share on other sites More sharing options...
turetzsr Posted November 17, 2004 Share Posted November 17, 2004 Hi, Paul, ...Would you please post the TRACKING URL? It's hard to tell exactly what the SpamCop parser did without it. Thanks! Link to comment Share on other sites More sharing options...
fliptop Posted November 17, 2004 Author Share Posted November 17, 2004 Hi, Paul, ...Would you please post the TRACKING URL? It's hard to tell exactly what the SpamCop parser did without it. Thanks! 20233[/snapback] my apologies - both for omitting the tracking url, and for taking so long to post it (i've been hunting since this morning and just got back). the tracking url was: http://members.spamcop.net/sc?id=z69305404...a34a4c8351ac48z Link to comment Share on other sites More sharing options...
turetzsr Posted November 17, 2004 Share Posted November 17, 2004 my apologies - both for omitting the tracking url, and for taking so long to post it (i've been hunting since this morning and just got back). 20247[/snapback] ...No problem! <g> the tracking url was: http://members.spamcop.net/sc?id=z69305404...a34a4c8351ac48z 20247[/snapback] ...No good, at least for me, as I am not a paid member. Perhaps someone who is will come along to offer help. ...Sorry! Link to comment Share on other sites More sharing options...
Wazoo Posted November 17, 2004 Share Posted November 17, 2004 Use this one http://www.spamcop.net/sc?id=z693054048zde...a34a4c8351ac48z Also being free all over the place, I can't say I've seen the line; Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC Is this a common line in your incomong e-mail from this account? Tech details show that the HotMail server is "tusted" .. and the above line is basically skipped by the parser due to lack of 'real' data ....So, the reports are headed off to the "source" of the e-mail ... deciding that it was OK to move from one HotMail server to the next .... Though not exactly what this "internal transfer" is all about, I'm willing to agree that the odds on the e-mail actually being henerated on HotMail account/server are pretty slim. Link to comment Share on other sites More sharing options...
fliptop Posted November 18, 2004 Author Share Posted November 18, 2004 Use this one http://www.spamcop.net/sc?id=z693054048zde...a34a4c8351ac48z Also being free all over the place, I can't say I've seen the line; Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC Is this a common line in your incomong e-mail from this account? 20249[/snapback] i'm sorry, i don't understand the question - the only received header that's part of my system is the 1st one, where it was received from bay23-f17.bay23.hotmail.com by my server (eagles.ovtg.com). i don't have a hotmail account, and use fetchmail to pop my email from my server (eagles). when i submit messages to spamcop, i submit them as they were received before they're popped off by fetchmail. Tech details show that the HotMail server is "tusted" .. and the above line is basically skipped by the parser due to lack of 'real' data ....So, the reports are headed off to the "source" of the e-mail ... deciding that it was OK to move from one HotMail server to the next .... 20249[/snapback] right, which is what i don't understand. why is this server 'trusted'? i don't have a hotmail account and don't have one set up in my configuration. Though not exactly what this "internal transfer" is all about, I'm willing to agree that the odds on the e-mail actually being henerated on HotMail account/server are pretty slim. 20249[/snapback] are you suggesting the owner of 64.4.22.67 has a dns server that's answering with phony rdns info? thanks, paul Link to comment Share on other sites More sharing options...
Jeff G. Posted November 20, 2004 Share Posted November 20, 2004 It appears that: The sender logged in to Hotmail using her ID melanie_stoppe at her personal domain westlotto.org from IP Address 67.107.89.20 (nameless in XO Communications' space) and sent the message to you using Hotmail Server by23fd.bay23.hotmail.msn.com. Hotmail Server by23fd.bay23.hotmail.msn.com then put the message in its outbound queue Hotmail Server bay23-f17.bay23.hotmail.com [64.4.22.67] then picked it up and sent it to your mailserver eagles.ovtg.com [209.240.4.113]. The message appears to be spam, which should be reported to the Abuse Desks at Hotmail and XO. When the Parser parses the message with current dates as a demo, it states the following: Received: from hotmail.com (bay23-f17.bay23.hotmail.com [64.4.22.67]) by eagles.ovtg.com (8.11.6/8.11.6) with ESMTP id iAHA4vP07518 for <x>; Sat, 20 Nov 2004 05:04:58 -0500 64.4.22.67 found host 64.4.22.67 = bay23-f17.bay23.hotmail.com (cached) bay23-f17.bay23.hotmail.com is 64.4.22.67 Possible spammer: 64.4.22.67 64.4.22.67 is not an MX for bay23-f17.bay23.hotmail.com host bay23-f17.bay23.hotmail.com (checking ip) = 64.4.22.67 Received line accepted Relay trusted (hotmail.com) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Sat, 20 Nov 2004 02:05:02 -0800 Ignored Received: from 67.107.89.20 by by23fd.bay23.hotmail.msn.com with HTTP; Wed, 20 Nov 2004 10:04:45 GMT 67.107.89.20 found host 67.107.89.20 (getting name) no name Possible spammer: 67.107.89.20 Possible relay: 64.4.22.67 64.4.22.67 not listed in relays.ordb.org. 64.4.22.67 has already been sent to relay testers Received line accepted Tracking message source: 67.107.89.20: Routing details for 67.107.89.20 [refresh/show] Cached whois for 67.107.89.20 : abuse[at]xo.com Using abuse net on abuse[at]xo.com abuse net xo.com = abuse[at]xo.com Using best contacts abuse[at]xo.com Message is 13 hours old 67.107.89.20 listed in dnsbl.njabl.org ( 127.0.0.9 ) 67.107.89.20 listed in dnsbl.njabl.org ( 127.0.0.9 ) 67.107.89.20 is an open proxy 67.107.89.20 not listed in query.bondedsender.org 67.107.89.20 not listed in iadb.isipp.com ... Re: 67.107.89.20 (Administrator of network where email originates) To: abuse[at]xo.com Link to comment Share on other sites More sharing options...
Miss Betsy Posted November 21, 2004 Share Posted November 21, 2004 The message appears to be spam, which should be reported to the Abuse Desks at Hotmail and XO. However, spamcop does not seem to report to Hotmail. The reason I have gathered from other posts is that the 'free' email services are not entered on the spamcop bl because, in general, they are diligent about preventing spam from being sent from their servers and will eventually catch the spammer. Also, the best way to stop a spammer is to cut off their internet connection which is the IP address from which they submitted it to Hotmail. Web mail services now include the original IP address for this reason. I may have it all wrong as I rarely get spam like that unless it comes from a 419 scammer in which case the contact emails (in the body and in the return path) should be reported and often are sent to the web mail abuse desk anyway. But I thought I would post so that others could clarify my understanding as it seemed to answer the OP's question. Miss Betsy Link to comment Share on other sites More sharing options...
Jeff G. Posted November 21, 2004 Share Posted November 21, 2004 My point is that spamming via MSN Hotmail Webmail is a violation of the MSN Terms Of Use, that the SpamCop Parsing and Reporting Service should be reporting it to abuse[at]hotmail.com, and that if it won't, you can send User Notification (if you're not a free user) or a Manual Report. Link to comment Share on other sites More sharing options...
fliptop Posted November 26, 2004 Author Share Posted November 26, 2004 My point is that spamming via MSN Hotmail Webmail is a violation of the MSN Terms Of Use, that the SpamCop Parsing and Reporting Service should be reporting it to abuse[at]hotmail.com, and that if it won't, you can send User Notification (if you're not a free user) or a Manual Report. 20369[/snapback] thanks to all for their input on this matter. i just received another one: http://members.spamcop.net/sc?id=z69658629...0db9aa178df82cz to make sure i understand correctly, when reporting spam from hotmail users, if the abuse[at]hotmail.com address is not in the list before clicking the 'submit' button, i should add it in the 'user notification' textbox. is that correct? thanks again, paul Link to comment Share on other sites More sharing options...
Jeff G. Posted November 28, 2004 Share Posted November 28, 2004 Yes, if the spam comes through MSN Hotmail, it should be reported to abuse <at> hotmail.com. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.