
blank spamcop email


dhanna


Posted

dhanna ... if you can "forward as attachment" right from that folder to the address I passed in the PM ... we'll see where that gets us as far as what's next ... I was trying to remember why yours were so "special" and am thinking that yours had all the .. best described as alternate character set info . if I recall correctly ... am hoping that kicking me direct from that Folder will at least rule out the possibility that it's something happening on your system ...

the closest I could get to something close to getting corrupted e-mails like your first examples dealt with Outlook folders getting too huge, there is a cap beyond which things start going wrong, but there are usually more symptoms that folks complain about, so suspecting that this isn't your immediate problem ...

Posted
Received: from 56.88.24.48 by 213.54.241.124; Sat, 21 Feb 2004 18:26:37 -0500

That line is a fake. It's a common, poor forgery put in by whatever spamware those guys are using these days.

JT

Posted

After setting my prefs not to forward my messages, and waiting for two days, I finally received another blank email. Here it is. Again, any reference to my personal email addresses has been changed to ****

SpamCop version 1.3.4 © SpamCop.net, Inc. 1998-2004 All Rights Reserved

Parsing header:

Received: (qmail 9295 invoked from network); 23 Feb 2004 13:30:08 -0000

Ignored

Received: from unknown (HELO c60.cesmail.net) (192.168.1.105) by blade1.cesmail.net with SMTP; 23 Feb 2004 13:30:08 -0000

192.168.1.105 found

host 192.168.1.105 (getting name) no name

host 192.168.1.105 = Computer2-ATM3-1.2.gw.psu.edu (old cache)

host Computer2-ATM3-1.2.gw.psu.edu (checking ip) = 192.168.1.105

192.168.1.105 discarded

Received: from mailgate.cesmail.net (216.154.195.36) by c60.cesmail.net with SMTP; 23 Feb 2004 08:30:08 -0500

216.154.195.36 found

host 216.154.195.36 = mailgate.cesmail.net (cached)

host mailgate.cesmail.net (checking ip) = 216.154.195.36

Possible spammer: 216.154.195.36

Received line accepted

Relay trusted (cesmail.net)

Received: (qmail 7451 invoked from network); 23 Feb 2004 13:30:08 -0000

Ignored

Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101) by mailgate.cesmail.net with SMTP; 23 Feb 2004 13:30:08 -0000

192.168.1.101 found

host 192.168.1.101 (getting name) no name

192.168.1.101 discarded

Received: from pop.west.cox.net [68.6.19.2] by mailgate.cesmail.net with POP3 (fetchmail-6.2.1) for ****[at]spamcop.net (single-drop); Mon, 23 Feb 2004 08:30:08 -0500 (EST)

68.6.19.2 found

Checking POP client chain:

Chain test:mailgate.cesmail.net =? 216.154.195.36

216.154.195.36 is an MX for cesmail.net

216.154.195.36 is mx

mailgate.cesmail.net and 216.154.195.36 have close IP addresses - chain verified

POP hack, restarting chain.

Received: from genie04-184-244.inter.net.il ([213.8.184.244]) by fed1mtai05.cox.net (InterMail vM.5.01.06.05 201-253-122-130-105-20030824) with SMTP id <20040223132500.RAHE204.fed1mtai05.cox.net[at]genie04-184-244.inter.net.il>; Mon, 23 Feb 2004 08:25:00 -0500

213.8.184.244 found

host 213.8.184.244 (getting name) = genie04-184-244.inter.net.il.

host genie04-184-244.inter.net.il (checking ip) = 213.8.184.244

Possible spammer: 213.8.184.244

Received line accepted

Received: from 10.163.28.98 by 213.8.184.244; Mon, 23 Feb 2004 08:21:52 -0500

10.163.28.98 found

host 10.163.28.98 (getting name) no name

213.8.184.244 listed in dnsbl.njabl.org ( 127.0.0.3 )

213.8.184.244 not listed in cbl.abuseat.org

213.8.184.244 listed in dnsbl.sorbs.net ( 127.0.0.10 )

213.8.184.244 is not an MX for fed1mtai05.cox.net

213.8.184.244 is not an MX for genie04-184-244.inter.net.il

213.8.184.244 is not an MX for fed1mtai05.cox.net

213.8.184.244 listed in dnsbl.njabl.org ( 127.0.0.3 )

213.8.184.244 is a dynamic IP, untrusted as relay

Tracking message source: 213.8.184.244:

Routing details for 213.8.184.244

[refresh/show] Cached whois for 213.8.184.244 : abuse[at]inter.net.il

Using abuse net on abuse[at]inter.net.il

abuse net inter.net.il = abuse[at]inter.net.il, abuse[at]internet-zahav.net

Using best contacts abuse[at]inter.net.il abuse[at]internet-zahav.net

Yum, this spam is fresh!

Routing details for 213.8.184.244

abuse[at]tmicha.net has expressed an interest in 213.8.184.244

213.8.184.244 listed in dnsbl.njabl.org ( 127.0.0.3 )

213.8.184.244 listed in dnsbl.njabl.org ( 127.0.0.3 )

213.8.184.244 not listed in cbl.abuseat.org

213.8.184.244 listed in dnsbl.sorbs.net ( 127.0.0.10 )

213.8.184.244 not listed in relays.ordb.org.

213.8.184.244 not listed in plus.bondedsender.org

213.8.184.244 not listed in query.bondedsender.org

Report spam to:

Re: 213.8.184.244 (Administrator of network where email originates)

To: abuse[at]internet-zahav.net (Notes)

To: abuse[at]inter.net.il (Notes)

Re: 213.8.184.244 (Third party interested in email source)

To: abuse[at]tmicha.net (Notes)

Re: 213.8.184.244 (User defined recipient)

To: ****[at]cox.net (Notes)

Re: 213.8.184.244 (Third party interested in email source)

To: Cyveillance spam collection (Notes)

Re:User Notification (Notes)

Also, I sent a copy of this to Wazoo from my held mail folder.

Posted

ok, you partially beat me to the punch! After looking at what you sent me, I was going to ask you to see if you could then;

1. send me what Outlook showed (as an attachment)

2. see if there was a way to add me as a target of your spam reporting program

but from what I see above, it does appear that some of the latest programming changes did result in a complaint going out ... kudos to Julian on getting around this issue.

The sample sent had some interesting items in there for sure <g>

For instance, I saw the much referenced broken Message-Id string, but this sample went one better ... two ID lines;

Message-ID: <C[20

Message-Id: <20040223132500.RAHE204.fed1mtai05.cox.net[at]genie04-184-244.inter.net.il>

So going with the first one installed via the crappy software that spammy is running, the second inserted by the inter.net.il server, as it didn't see a valid ID line ... just a tidbit that I don't recall seeing in anyone else's sample.

At any rate, yes, this was one of those "blank e-mails", it was a relatively straight shot from injection point to you, and this is one of those that in the past, there'd be the suggestion to simply add a blank line below the header and add a phrase "no message body", and it should have parsed just fine.

So the catch is, did you pick an example that wasn't one of the real troublesome spams, or is it now all behind us due to Julian's latest code trick. I'm feeling a bit bad, because I suspect it's the first scenario <g>

Posted
Received: from 10.163.28.98 by 213.8.184.244; Mon, 23 Feb 2004 08:21:52 -0500

See the similarity with the line I highlighted above? This particular spammer or spam app always puts in this fake Received: line as the first hop. It just puts two IP addresses on that line with the "by" IP address the actual address where it originated.

You
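The forged first-hop pattern JT describes, and the older "blank line plus 'no message body'" workaround Wazoo mentions, can both be checked mechanically. The Python below is an added example written for this thread; it is not SpamCop's parser or anything posted by the participants. It walks a message's Received: chain top-down, flags a hop whose "from" and "by" are both bare IPs with no "with" clause, reports the origin as the verified IP of the last believable hop, and pads a body-less message so a submission parser sees a body. It also handles the later "[68.6.19.3] ([68.190.244.160])" form from dhanna's samples, where the real peer address sits in the parenthesised comment. The sample message is constructed from the headers quoted in the thread, with the addresses replaced by example.invalid placeholders; the function names, the private-address skipping rule and the "no message body" text are my own choices.

```python
"""Walk a Received: chain, flag the spamware's fake first hop, and make a
body-less message submittable.  Example code, not SpamCop's parser."""
import email
import ipaddress
import re
from email import policy

# Constructed sample, modelled on the headers quoted in the thread: the genuine
# cox.net hop on top, the fake "from <ip> by <ip>" line below it, the broken
# Message-ID plus the relay-added Message-Id, and no body at all.
SAMPLE = (
    "Received: from genie04-184-244.inter.net.il ([213.8.184.244]) "
    "by fed1mtai05.cox.net (InterMail vM.5.01.06.05) with SMTP "
    "id <20040223132500.RAHE204.fed1mtai05.cox.net@genie04-184-244.inter.net.il>;"
    " Mon, 23 Feb 2004 08:25:00 -0500\n"
    "Received: from 10.163.28.98 by 213.8.184.244; Mon, 23 Feb 2004 08:21:52 -0500\n"
    "Message-ID: <C[20\n"
    "Message-Id: <20040223132500.RAHE204.fed1mtai05.cox.net@genie04-184-244.inter.net.il>\n"
    "From: someone@example.invalid\n"
    "To: victim@example.invalid\n"
    "Subject:\n"
)

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# "from <name> [(<comment>)] by <name>": the optional comment is where the
# receiving MTA records the peer address it actually saw, e.g. ([213.8.184.244]).
HOP = re.compile(r"from\s+\[?([^\s\[\]]+)\]?(?:\s+\(([^)]*)\))?\s+by\s+([^\s;(]+)", re.I)


def _is_public(ip):
    """True for a routable address; private/reserved hops are skipped, not trusted."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def parse_received(raw):
    """Return the Received: hops top-down (most recent relay first)."""
    msg = email.message_from_string(raw.replace("\r\n", "\n"), policy=policy.compat32)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())  # unfold continuation lines
        m = HOP.search(value)
        if not m:
            hops.append({"raw": value, "unparsed": True})
            continue
        claimed, comment, by = m.groups()
        seen = re.search(r"\d{1,3}(?:\.\d{1,3}){3}", comment or "")
        # Prefer the address the MTA saw; fall back to the claim if it is a bare IP.
        from_ip = seen.group(0) if seen else (claimed if IPV4.match(claimed) else None)
        hops.append({"raw": value, "from_host": claimed, "from_ip": from_ip, "by": by,
                     "has_with": " with " in value.lower(), "unparsed": False})
    return hops


def is_forged_first_hop(hop):
    """JT's pattern: two bare IPs, no HELO name, no 'with' clause."""
    return (not hop["unparsed"]
            and IPV4.match(hop["from_host"]) is not None
            and IPV4.match(hop["by"]) is not None
            and not hop["has_with"])


def find_injection_point(hops):
    """Origin = from-IP of the last believable public hop.  The second value
    says whether the hop beneath it is the fake one that repeats that IP as 'by'."""
    last_good, last_idx = None, -1
    for i, hop in enumerate(hops):
        if hop["unparsed"] or is_forged_first_hop(hop):
            break  # nothing below this line can be trusted
        if not hop["from_ip"] or not _is_public(hop["from_ip"]):
            continue  # internal relay, keep walking
        last_good, last_idx = hop, i
    if last_good is None:
        return None, False
    below = hops[last_idx + 1] if last_idx + 1 < len(hops) else None
    forged_below = (below is not None and is_forged_first_hop(below)
                    and below["by"] == last_good["from_ip"])
    return last_good["from_ip"], forged_below


def has_empty_body(raw):
    """True when nothing but whitespace follows the header block."""
    return raw.replace("\r\n", "\n").partition("\n\n")[2].strip() == ""


def ensure_body(raw):
    """The old workaround: a blank line after the headers and a placeholder body."""
    raw = raw.replace("\r\n", "\n")
    if not has_empty_body(raw):
        return raw
    return raw.partition("\n\n")[0].rstrip("\n") + "\n\nno message body\n"


if __name__ == "__main__":
    chain = parse_received(SAMPLE)
    for hop in chain:
        print("FORGED " if is_forged_first_hop(hop) else "ok     ", hop["raw"][:70])
    print("origin:", find_injection_point(chain))
    print("empty body:", has_empty_body(SAMPLE))
```

Run on the sample, the top hop is accepted, the "from 10.163.28.98 by 213.8.184.244" line is flagged, and the origin comes back as 213.8.184.244 with the forged-below flag set, which is exactly the conclusion the SpamCop output above reaches ("Possible spammer: 213.8.184.244", then the fake line's 10.x address discarded).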

Posted

Yep, saw that ... also noted that the "broken" message-id string matched most of the examples popped up over in the newsgroups

Posted

Wow, two more tonight. One I actually saw in my un-filtered account, and before spamcop could get it from there I was able to switch off forwarding so that it would stay here on the spamcop site. But when I went to my held mail, I found one there as well that had been blocked by "Blocked xbl.spamhaus.org"

Here is the first one...

Received: (qmail 12068 invoked from network); 24 Feb 2004 01:27:45 -0000

Ignored

Received: from unknown (HELO c60.cesmail.net) (192.168.1.105) by blade1.cesmail.net with SMTP; 24 Feb 2004 01:27:45 -0000

192.168.1.105 found

host 192.168.1.105 (getting name) no name

host 192.168.1.105 = Computer2-ATM3-1.2.gw.psu.edu (old cache)

host Computer2-ATM3-1.2.gw.psu.edu (checking ip) = 192.168.1.105

192.168.1.105 discarded

Received: from mailgate.cesmail.net (216.154.195.36) by c60.cesmail.net with SMTP; 23 Feb 2004 20:27:46 -0500

216.154.195.36 found

host 216.154.195.36 = mailgate.cesmail.net (cached)

host mailgate.cesmail.net (checking ip) = 216.154.195.36

Possible spammer: 216.154.195.36

Received line accepted

Relay trusted (cesmail.net)

Received: (qmail 15482 invoked from network); 24 Feb 2004 01:27:45 -0000

Ignored

Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101) by mailgate.cesmail.net with SMTP; 24 Feb 2004 01:27:45 -0000

192.168.1.101 found

host 192.168.1.101 (getting name) no name

192.168.1.101 discarded

Received: from pop.west.cox.net [68.6.19.2] by mailgate.cesmail.net with POP3 (fetchmail-6.2.1) for ****[at]spamcop.net (single-drop); Mon, 23 Feb 2004 20:27:45 -0500 (EST)

68.6.19.2 found

Checking POP client chain:

Chain test:mailgate.cesmail.net =? 216.154.195.36

ips are close enough

216.154.195.36 is close to an MX (216.154.195.44) for cesmail.net

216.154.195.36 is mx

mailgate.cesmail.net and 216.154.195.36 have close IP addresses - chain verified

POP hack, restarting chain.

Received: from [68.6.19.3] ([68.190.244.160]) by fed1mtai03.cox.net (InterMail vM.5.01.06.08 201-253-122-130-108-20031117) with SMTP id <20040224005826.CGAF21343.fed1mtai03.cox.net[at][68.6.19.3]> for <****[at]cox.net>; Mon, 23 Feb 2004 19:58:26 -0500

Masking ip in message-id:

Received: from [68.6.19.3] ([68.190.244.160]) by fed1mtai03.cox.net (InterMail vM.5.01.06.08 201-253-122-130-108-20031117) with SMTP id <20040224005826.CGAF21343.fed1mtai03.cox.net[at][x.x.x.x]> for <****[at]cox.net>; Mon, 23 Feb 2004 19:58:26 -0500

no from

68.190.244.160 found

host 68.190.244.160 (getting name) = 68-190-244-160.riv-mres.charterpipeline.net.

host 68-190-244-160.riv-mres.charterpipeline.net (checking ip) = 68.190.244.160

Possible spammer: 68.190.244.160

Received line accepted

Received: from 157.32.13.62 by 68.190.244.160; Mon, 23 Feb 2004 22:53:22 -0200

157.32.13.62 found

host 157.32.13.62 (getting name) no name

68.190.244.160 not listed in dnsbl.njabl.org

68.190.244.160 listed in cbl.abuseat.org ( 127.0.0.2 )

Open proxies untrusted as relays

Tracking message source: 68.190.244.160:

Routing details for 68.190.244.160

[refresh/show] Cached whois for 68.190.244.160 : abuse[at]charter.net

Using abuse net on abuse[at]charter.net

abuse net charter.net = abuse[at]charter.net

Using best contacts abuse[at]charter.net

Yum, this spam is fresh!

68.190.244.160 not listed in dnsbl.njabl.org

68.190.244.160 not listed in dnsbl.njabl.org

68.190.244.160 listed in cbl.abuseat.org ( 127.0.0.2 )

68.190.244.160 is an open proxy

68.190.244.160 not listed in plus.bondedsender.org

68.190.244.160 not listed in query.bondedsender.org

No body provided, check format of submission

If reported today, reports would be sent to:

Re: 68.190.244.160 (Administrator of network where email originates)

abuse[at]charter.net

Re: 68.190.244.160 (User defined recipient)

****[at]cox.net

Re: 68.190.244.160 (Third party interested in email source)

spamcop[at]imaphost.com

-------------------------------------------------------------

Here is the second...

Parsing header:

Received: (qmail 1081 invoked from network); 24 Feb 2004 01:56:49 -0000

Ignored

Received: from unknown (HELO c60.cesmail.net) (192.168.1.105) by blade6.cesmail.net with SMTP; 24 Feb 2004 01:56:49 -0000

192.168.1.105 found

host 192.168.1.105 (getting name) no name

host 192.168.1.105 = Computer2-ATM3-1.2.gw.psu.edu (old cache)

host Computer2-ATM3-1.2.gw.psu.edu (checking ip) = 192.168.1.105

192.168.1.105 discarded

Received: from mailgate.cesmail.net (216.154.195.36) by c60.cesmail.net with SMTP; 23 Feb 2004 20:56:49 -0500

216.154.195.36 found

host 216.154.195.36 = mailgate.cesmail.net (cached)

host mailgate.cesmail.net (checking ip) = 216.154.195.36

Possible spammer: 216.154.195.36

Received line accepted

Relay trusted (cesmail.net)

Received: (qmail 2510 invoked from network); 24 Feb 2004 01:56:49 -0000

Ignored

Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101) by mailgate.cesmail.net with SMTP; 24 Feb 2004 01:56:49 -0000

192.168.1.101 found

host 192.168.1.101 (getting name) no name

192.168.1.101 discarded

Received: from pop.west.cox.net [68.6.19.2] by mailgate.cesmail.net with POP3 (fetchmail-6.2.1) for ****[at]spamcop.net (single-drop); Mon, 23 Feb 2004 20:56:49 -0500 (EST)

68.6.19.2 found

Checking POP client chain:

Chain test:mailgate.cesmail.net =? 216.154.195.36

ips are close enough

216.154.195.36 is close to an MX (216.154.195.44) for cesmail.net

216.154.195.36 is mx

mailgate.cesmail.net and 216.154.195.36 have close IP addresses - chain verified

POP hack, restarting chain.

Received: from [68.6.19.3] ([68.118.147.187]) by fed1mtai01.cox.net (InterMail vM.5.01.06.08 201-253-122-130-108-20031117) with SMTP id <20040224014704.EDZQ8391.fed1mtai01.cox.net[at][68.6.19.3]>; Mon, 23 Feb 2004 20:47:04 -0500

Masking ip in message-id:

Received: from [68.6.19.3] ([68.118.147.187]) by fed1mtai01.cox.net (InterMail vM.5.01.06.08 201-253-122-130-108-20031117) with SMTP id <20040224014704.EDZQ8391.fed1mtai01.cox.net[at][x.x.x.x]>; Mon, 23 Feb 2004 20:47:04 -0500

no from

68.118.147.187 found

host 68.118.147.187 (getting name) no name

Possible spammer: 68.118.147.187

Received line accepted

Received: from 233.156.96.166 by 68.118.147.187; Mon, 23 Feb 2004 23:40:59 -0200

233.156.96.166 found

host 233.156.96.166 (getting name) no name

68.118.147.187 not listed in dnsbl.njabl.org

68.118.147.187 not listed in cbl.abuseat.org

68.118.147.187 not listed in dnsbl.sorbs.net

68.118.147.187 is not an MX for fed1mtai01.cox.net

68.118.147.187 is not an MX for fed1mtai01.cox.net

68.118.147.187 not listed in dnsbl.njabl.org

Possible spammer: 233.156.96.166

host 68.118.147.187 (checking ip) ip not found ; 68.118.147.187 discarded as fake.

Looks like a forgery

Tracking message source: 68.118.147.187:

Routing details for 68.118.147.187

[refresh/show] Cached whois for 68.118.147.187 : abuse[at]charter.net

Using abuse net on abuse[at]charter.net

abuse net charter.net = abuse[at]charter.net

Using best contacts abuse[at]charter.net

Yum, this spam is fresh!

68.118.147.187 not listed in dnsbl.njabl.org

68.118.147.187 not listed in dnsbl.njabl.org

68.118.147.187 not listed in cbl.abuseat.org

68.118.147.187 not listed in dnsbl.sorbs.net

68.118.147.187 not listed in relays.ordb.org.

68.118.147.187 not listed in plus.bondedsender.org

68.118.147.187 not listed in query.bondedsender.org

No body provided, check format of submission

If reported today, reports would be sent to:

Re: 68.118.147.187 (Administrator of network where email originates)

abuse[at]charter.net

Re: 68.118.147.187 (User defined recipient)

****[at]cox.net

Re: 68.118.147.187 (Third party interested in email source)

Of course, I had to resubmit with the modifications Wazoo mentioned earlier. I am guessing the code modification was not enough to allow me just to submit these, they kept giving me these errors.

Posted

Maybe I am/was doing something wrong. I was not able to submit these at all. I received the message above every time I tried to submit. I am not familiar enough with spamcop mail to get the header info and submit it that way.

Posted

A third while I was trying to submit my last post here...

Parsing header:

Received: (qmail 3092 invoked from network); 24 Feb 2004 02:49:33 -0000

Ignored

Received: from unknown (HELO c60.cesmail.net) (192.168.1.105) by blade1.cesmail.net with SMTP; 24 Feb 2004 02:49:33 -0000

192.168.1.105 found

host 192.168.1.105 (getting name) no name

host 192.168.1.105 = Computer2-ATM3-1.2.gw.psu.edu (old cache)

host Computer2-ATM3-1.2.gw.psu.edu (checking ip) = 192.168.1.105

192.168.1.105 discarded

Received: from mailgate.cesmail.net (216.154.195.36) by c60.cesmail.net with SMTP; 23 Feb 2004 21:49:32 -0500

216.154.195.36 found

host 216.154.195.36 = mailgate.cesmail.net (cached)

host mailgate.cesmail.net (checking ip) = 216.154.195.36

Possible spammer: 216.154.195.36

Received line accepted

Relay trusted (cesmail.net)

Received: (qmail 24008 invoked from network); 24 Feb 2004 02:49:32 -0000

Ignored

Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101) by mailgate.cesmail.net with SMTP; 24 Feb 2004 02:49:32 -0000

192.168.1.101 found

host 192.168.1.101 (getting name) no name

192.168.1.101 discarded

Received: from pop.west.cox.net [68.6.19.2] by mailgate.cesmail.net with POP3 (fetchmail-6.2.1) for ****[at]spamcop.net (single-drop); Mon, 23 Feb 2004 21:49:32 -0500 (EST)

68.6.19.2 found

Checking POP client chain:

Chain test:mailgate.cesmail.net =? 216.154.195.36

ips are close enough

216.154.195.36 is close to an MX (216.154.195.44) for cesmail.net

216.154.195.36 is mx

mailgate.cesmail.net and 216.154.195.36 have close IP addresses - chain verified

POP hack, restarting chain.

Received: from adsl-65-68-249-232.dsl.crchtx.swbell.net ([65.68.249.232]) by fed1mtai03.cox.net (InterMail vM.5.01.06.08 201-253-122-130-108-20031117) with SMTP id <20040224024749.GWLO21343.fed1mtai03.cox.net[at]adsl-65-68-249-232.dsl.crchtx.swbell.net>; Mon, 23 Feb 2004 21:47:49 -0500

65.68.249.232 found

host 65.68.249.232 (getting name) = adsl-65-68-249-232.dsl.crchtx.swbell.net.

host adsl-65-68-249-232.dsl.crchtx.swbell.net (checking ip) = 65.68.249.232

Possible spammer: 65.68.249.232

Received line accepted

Received: from 3.171.96.60 by 65.68.249.232; Tue, 24 Feb 2004 08:44:44 +0600

3.171.96.60 found

host 3.171.96.60 (getting name) no name

65.68.249.232 not listed in dnsbl.njabl.org

65.68.249.232 not listed in cbl.abuseat.org

65.68.249.232 listed in dnsbl.sorbs.net ( 127.0.0.10 )

65.68.249.232 is not an MX for fed1mtai03.cox.net

65.68.249.232 is not an MX for adsl-65-68-249-232.dsl.crchtx.swbell.net

65.68.249.232 is not an MX for fed1mtai03.cox.net

65.68.249.232 not listed in dnsbl.njabl.org

3.171.96.60 discarded

Tracking message source: 65.68.249.232:

Routing details for 65.68.249.232

[refresh/show] Cached whois for 65.68.249.232 : abuse[at]swbell.net

Using abuse net on abuse[at]swbell.net

abuse net swbell.net = abuse[at]swbell.net

Using best contacts abuse[at]swbell.net

Yum, this spam is fresh!

65.68.249.232 not listed in dnsbl.njabl.org

65.68.249.232 not listed in dnsbl.njabl.org

65.68.249.232 not listed in cbl.abuseat.org

65.68.249.232 listed in dnsbl.sorbs.net ( 127.0.0.10 )

65.68.249.232 not listed in relays.ordb.org.

65.68.249.232 not listed in plus.bondedsender.org

65.68.249.232 not listed in query.bondedsender.org

No body provided, check format of submission

If reported today, reports would be sent to:

Re: 65.68.249.232 (Administrator of network where email originates)

abuse[at]swbell.net

Re: 65.68.249.232 (User defined recipient)

****[at]cox.net

Re: 65.68.249.232 (Third party interested in email source)

spamcop[at]imaphost.com

Posted
No body provided, check format of submission

This one is definitely strange, as compared to folks over in the newsgroups rejoicing that Julian's codebase change has allowed their no-body messages to fly right through.

If reported today, reports would be sent to:

I can't recall ever seeing this message before, but probably not critical to the matter at hand.

we may be back to something I mentioned a while back ... see if you can sort out if you can send me the 'raw' spam direct from the SpamCop folder, the Outlook displayed version, and the 'results' your spam-complaint-handling tool ... as it sure seems to be that something is getting mangled in the process

Posted

Just to clarify things...

The reports posted above have never been touched by Outlook (on my end anyway). These are directly from the spammer, to my ISP's mail server, to spamcop when it retrieves my email, to the (Queue for reporting and trash) option.

I have already emptied my trash here at spamcop, so I will not be able to send those to you. These are coming in blank from the spammer, but at first, I thought that something was happening here at spamcop and getting sent to me empty.

My original reason for posting here was because I thought I was submitting with the "spamsource" tool in outlook and the report coming from spamcop telling me that (Spamcop has accepted one email for processing" was getting mangled and sent to me "empty". What I didn't know was that the spammers are using cheap spamming software and it is failing to put the data in where it belongs.

One thing that surprised me was that the blank email from earlier was blocked by xbl.spamhaus.org, thinking that with the way it displays to me when I see it, there would not be enough information to process, making it unscannable without some intervention.

I guess this issue, in my eyes, is resolved for me now that I see it is the spammer that has the problem and not me.

I hope that the codebase is fixed to allow submission of empty bodies. I also hope that my submitting tool for Outlook is updated soon to handle the empty body. I guess I have to copy and paste the headers for any future blank emails I get.

I would setup a rule to catch these here if there was an option to pull email that has an empty subject or body.

Posted

Around that time I got blank messages too (don't use newsgroups or anything else like that either). I open them in Eudora and get no information, no headers, just nothing. They're noted as ?? in Eudora. Just FYI.
