Linux SMTP client for Spamcop reporting?

[mhollowa]

Once upon a time, I could use the reporter.pl scri_pt for sending my spam reports to Spamcop from my linux box with a dynamically assigned IP. Now it seems that Spamcop has gotten choosy about who it will accept mail from. I'm guessing it doesn't like my dynamically assigned IP, and that reports will need to be sent from my ISP's smtp server. Fair enough, but how to do this automatically? I've been fiddling with sendmail, and set the SMART_HOST to the ISP's server, but this doesn't satisfy servers blocking dynamic IPs. Pine, for instance, can still send mail to Spamcop, and anywhere else, once it has the smtp server address. Someone else must have solved this. Is there something more that needs to be done with sendmail? I've set the masquarade config for my ISP's domain without any effect. Is there another smtp client that can be used? Can a scri_pt be used with Pine or Mutt that can be made to send a spam attachment for a report?

Thanks,

Mike Holloway

[Merlyn]

I didn't think Spamcop would block spam reports being sent. Are you sending them to a valid reporting account? What kind of error/block message are you receiving?

Have you been using it all along and it just quit working?

[mhollowa]

I didn't think Spamcop would block spam reports being sent.  Are you sending them to a valid reporting account?  What kind of error/block message are you receiving?

Have you been using it all along and it just quit working?

24078[/snapback]

Check. A number of servers will now block email that doesn't come from the sending domain's own servers, and they don't always send back error messages. I've been testing with the server at work that will accept almost anything vs. Hotmail. Sendmail can send mail from my linux box directly, and using SMART_HOST with my ISP's server, to the work server, but Hotmail never servers it up. Any MUA though can send just fine using the ISP smtp server. Neither Spamcop or Hotmail send back bounces. Spamcop continues to process reports sent from Pine just fine. Must be some difference in the headers, but I haven't looked closely. Bottom line is: it don't work. I need something that I can use from the command line that connects to the ISP's server the same way that an MUA does. Simple solution: use an MUA. Has anyone done it already? Got a scri_pt?

[Merlyn]

Thanks for the explanation

[StevenUnderwood]

How about doing some diagnostics for us...

If you have an external account you can view the full headers, send the same message using both methods and see what the difference is. If you don't have an external account, or simply do not want to get that involved, I will send you (via PM or email, whichever you prefer) an address to send them to so I can look into the differences.

[mhollowa]

Alrighty then. I just happen to have headers from the complient work computer here, just haven't bothered looking at them. Seems the difference is all the localhost.localdomain stuff, but there doesn't seem to be any obvious way to configure sendmail so that those lines aren't created. I've already configured sendmail to masquarade as 'columbus.rr.com', which doesn't seem to have any effect. Work server and email address deleted.

With Sendmail:

Microsoft Mail Internet Headers Version 2.0

Received: from chi2k3ms02.<work computer>.net ([10.2.1.118]) by res2k3ms01.CRII.ORG with Microsoft SMTPSVC(6.0.3790.211);

Sun, 6 Feb 2005 22:17:58 -0500

Received: from trend.<work computer>.net ([10.2.1.101]) by chi2k3ms02.<work computer>.net with Microsoft SMTPSVC(6.0.3790.211);

Sun, 6 Feb 2005 22:17:58 -0500

Received: from 192.168.35.57 by trend.<work computer>.net (InterScan E-Mail VirusWall NT); Sun, 06 Feb 2005 22:17:59 -0500

Received: from ([65.24.5.138])

by chiim1.<work computer>.org with SMTP id 4029064.4292977;

Sun, 06 Feb 2005 17:12:50 -0500

Received: from localhost.localdomain (dhcp065-024-054-137.columbus.rr.com [65.24.54.137])

by ms-smtp-04-eri0.ohiordc.rr.com (8.12.10/8.12.7) with ESMTP id j173HdHH015238

for <<my email address>>; Sun, 6 Feb 2005 22:17:39 -0500 (EST)

Received: from localhost.localdomain (redhat [127.0.0.1])

by localhost.localdomain (8.12.8/8.12.8) with ESMTP id j173HarA003221

for <<my email address>>; Sun, 6 Feb 2005 22:17:37 -0500

Received: (from mhollowa[at]localhost)

by localhost.localdomain (8.12.8/8.12.8/Submit) id j173HaPb003219

for <my email address>; Sun, 6 Feb 2005 22:17:36 -0500

Date: Sun, 6 Feb 2005 22:17:36 -0500

From: mhollowa[at]columbus.rr.com

Message-Id: <200502070317.j173HaPb003219[at]localhost.localdomain>

X-Virus-Scanned: Symantec AntiVirus Scan Engine

X-esp: ESP<19>=RBL:<0> RDNS:<0> SHA:<14> UHA:<0> SLS:<0> BAYES:<0> SPF:<-1>

HTML Dictionary (TRU6):<6> NigeriaScam Dictionary (TRU6):<0>

URL Dictionary (TRU6):<0> spam Dictionary (TRU6):<0> CAN-spam

Compliance Dictionary (TRU6):<0> Obscenities Dictionary

(TRU6):<0> Embed HTML Dictionary (TRU6):<0> Porn Dictionary (TRU6):<0>

Bcc:

Return-Path: mhollowa[at]columbus.rr.com

X-OriginalArrivalTime: 07 Feb 2005 03:17:58.0831 (UTC) FILETIME=[9FC103F0:01C50CC3]

With Pine:

Microsoft Mail Internet Headers Version 2.0

Received: from chi2k3ms02.<work computer>.net ([10.2.1.118]) by res2k3ms01.CRII.ORG with Microsoft SMTPSVC(6.0.3790.211);

Sun, 6 Feb 2005 22:16:59 -0500

Received: from trend.<work computer>.net ([10.2.1.101]) by chi2k3ms02.<work computer>.net with Microsoft SMTPSVC(6.0.3790.211);

Sun, 6 Feb 2005 22:16:58 -0500

Received: from 192.168.35.57 by trend.<work computer>.net (InterScan E-Mail VirusWall NT); Sun, 06 Feb 2005 22:16:59 -0500

Received: from ([65.24.5.137])

by chiim1.<work computer>.org with SMTP id 4029064.4292964;

Sun, 06 Feb 2005 17:11:49 -0500

Received: from [192.168.0.7] (dhcp065-024-054-137.columbus.rr.com [65.24.54.137])

by ms-smtp-03-eri0.ohiordc.rr.com (8.12.10/8.12.7) with ESMTP id j173Gcwa023754

for <<my email address>>; Sun, 6 Feb 2005 22:16:38 -0500 (EST)

Date: Sun, 6 Feb 2005 22:16:37 -0500 (EST)

From: mhollowa[at]columbus.rr.com

X-X-Sender: me[at]localhost.localdomain

To: <my email address>

Subject: Pine

Message-ID: <Pine.LNX.4.44.0502062216200.3185-100000[at]localhost.localdomain>

MIME-Version: 1.0

Content-Type: TEXT/PLAIN; charset=US-ASCII

X-Virus-Scanned: Symantec AntiVirus Scan Engine

X-esp: ESP<24>=RBL:<0> RDNS:<0> SHA:<21> UHA:<0> SLS:<0> BAYES:<4> SPF:<-1>

HTML Dictionary (TRU6):<0> NigeriaScam Dictionary (TRU6):<0>

URL Dictionary (TRU6):<0> spam Dictionary (TRU6):<0> CAN-spam

Compliance Dictionary (TRU6):<0> Obscenities Dictionary

(TRU6):<0> Embed HTML Dictionary (TRU6):<0> Porn Dictionary (TRU6):<0>

Return-Path: mhollowa[at]columbus.rr.com

X-OriginalArrivalTime: 07 Feb 2005 03:16:59.0080 (UTC) FILETIME=[7C23BC80:01C50CC3]

[mhollowa]

God bless America. I just stumbled on the answer. What a dope. I had to place the domain name I'm masquarading as in the /etc/hosts file. Hotmail accepts it, so I'm hoping Spamcop will as well.

So for the archive: Spamcop is now rejecting email reports sent directly by sendmail on user PCs using dynamic IPs, such as might happen if you are using the reporter.pl scri_pt to automatically report spam filtered with Spamassassin and procmail. If you're using sendmail, you have to reconfigure it to use your ISP's smtp server the same way your email program does. You'll find the line in your sendmail.mc file prefaced by

define ('SMART_HOST'

Then you have to also set the masquarade settings in sendmail.mc to some legal domain name. I use my ISP's. You must also add that domain name to your /etc/hosts file.

[Merlyn]

Nice job, this should be added to the FAQ!

[StevenUnderwood]

I have asked the deputies for a clarification of what exactly is being blocked so that something could be put together. Have not heard back yet.

[julian]

So for the archive: Spamcop is now rejecting email reports sent directly by sendmail on user PCs using dynamic IPs, such as might happen if you are using the reporter.pl scri_pt to automatically report spam filtered with Spamassassin and procmail.

Sorry, wrong. SpamCop (AFAIK - and I oughta know) is not refusing any mail to it's domains from anywhere, anytime, anyhow.

If there's a problem, we'll fix it. It sounds like you *might* be getting blocked by a port-25 or other direct-to-mx blockade internal to your ISP. That would have a similar effect.

-=Julian=-

[mhollowa]

Yes, a thousand pardons. I goofed again. After more experimenting I found that I must not have had the permissions straight on reporter.pl. Wrong assumption that the Hotmail problem was similar to my Spamcop problem.

But now reporter.pl isn't working. The report gets an error that Spamcop can't find the headers. Here is the full report given back from the results page:

CLICK 'BACK' BUTTON TO RETURN TO SPAMCOP

################################################################################

This is a multi-part message in MIME format.

--DeathToSpamDeathToSpamDeathToSpam

Content-Type: text/plain; charset=us-ascii

Content-Transfer-Encoding: 7bit

--DeathToSpamDeathToSpamDeathToSpam

Content-Type: message/rfc822

Content-Disposition: attachment

Return-Path: <fmzvax>

Received: from localhost (redhat [127.0.0.1])

by localhost.localdomain (8.12.8/8.12.8) with ESMTP id

j19Eq9rA006661

for <me[at]localhost>; Wed, 9 Feb 2005 09:52:09 -0500

Received: from pop-server.columbus.rr.com [65.24.7.35]

by localhost with POP3 (fetchmail-6.2.0)

for me[at]localhost (single-drop); Wed, 09 Feb 2005 09:52:09 -0500 (EST)

Received: from ms-mta-01 (ms-mta-01 [10.24.14.215])

by ms-mss-03.columbus.rr.com

(iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep 8 2003))

with ESMTP id <0IBN00HBFFYJ31[at]ms-mss-03.columbus.rr.com>; Wed,

09 Feb 2005 09:51:55 -0500 (EST)

Received: from ohmx02.mgw.rr.com (ohmx02.mgw.rr.com [65.24.0.110])

by ms-mta-01.columbus.rr.com

(iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep 8 2003))

with ESMTP id <0IBN00JVCFYJT2[at]ms-mta-01.columbus.rr.com>; Wed,

09 Feb 2005 09:51:55 -0500 (EST)

Received: from 65.24.0.110 ([221.15.180.67])

by ohmx02.mgw.rr.com (8.12.10/8.12.8) with SMTP id j19Eoc6H029089;

Wed,

09 Feb 2005 09:50:44 -0500 (EST)

Received: from COXUA-XI02 (221.15.180.67) by 221.15.180.67; Wed,

09 Feb 2005 09:50:40 -0500

Date: Wed, 09 Feb 2005 09:50:40 -0500

From: Shultz Manuel <fmzvamholewin[at]columbus.rr.com>

Subject: Your PC is Infected, Remove the Spyware

To: x

Message-id: <0725_____2126[at]ZCPJFQ>

MIME-version: 1.0

X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1437

X-Mailer: Microsoft Outlook Express 6.00.2800.1437

Content-type: multipart/alternative; boundary=Java.YJMNB.56733708811503325

X-Priority: 3

X-MSMail-priority: Normal

X-Virus-Scanned: Symantec AntiVirus Scan Engine

X-spam-Flag: YES

X-spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on redhat

X-spam-Level: ************

X-spam-Status: Yes, score=12.5 required=5.0 tests=BAYES_50,HTML_IMAGE_ONLY_12,

HTML_MESSAGE,RCVD_BY_IP,RCVD_HELO_IP_MISMATCH,RCVD_NUMERIC_HELO,

URIBL_AB_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_WS_SURBL autolearn=no

version=3.0.2

X-spam-Report:

* 0.1 RCVD_BY_IP Received by mail server with no name

* 2.2 RCVD_HELO_IP_MISMATCH Received: HELO and IP do not match, but sho

* 1.2 RCVD_NUMERIC_HELO Received: contains an IP address used for

HELO

* 2.9 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of

words

* 0.0 HTML_MESSAGE BODY: HTML included in message

* 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%

* [score: 0.5031]

* 1.0 URIBL_SBL Contains an URL listed in the SBL blocklist

* [uRIs: kazaa-no-spyware.info]

* 0.4 URIBL_AB_SURBL Contains an URL listed in the AB SURBL

blocklist

* [uRIs: kazaa-no-spyware.info]

* 1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL

blocklist

* [uRIs: kazaa-no-spyware.info delete-spyware.info]

* 3.2 URIBL_OB_SURBL Contains an URL listed in the OB SURBL

blocklist

* [uRIs: delete-spyware.info]

Parts/Attachments:

1.1 OK 2 lines Text

1.2 Shown ~28 lines Text

2 OK 38 KB Image

----------------------------------------

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<meta content="MSHTML 6.00.2900.2523" name="GENERATOR">

<style></style>

</head>

<body bgcolor="#ffffff">

<div>

<font face="Arial" size="2"><a

href="http://delete-spyware.info/?aid=16">

<img alt="" hspace="0" src="cid:947457c4d3c0$2180fea0$222aa4c0[at]ZCPJFQ"

align="baseline" border="0"></a></font></div>

<div></div>

<div>

<font face="Arial" color="#eaeaea" size="2">FORT HOOD, Texas (AP) --

The alleged

ringleader of the Abu Ghraib prison scandal went on trial Monday with

witnesses

telling a military court they watched him punch an Iraqi inmate in the

face

and saw him laugh while forcing prisoners to pose naked.</font></div>

<div></div>

<br>

<a href="http://kazaa-no-spyware.info/discon">n0m0re_emailz</a>

</body>

</html>

--DeathToSpamDeathToSpamDeathToSpam--

[Wazoo]

What do you want to hear besides;

1. please use a Tracking URL

2. those headers are unbeleivably screwed.

[mhollowa]

Tracking URLs for the same spam, one submitted with the reporter.pl scri_pt and the other just attached and sent directly. Processes just fine without the additional reporter.pl stuff. Something about Spamcop processing has changed and reporter.pl doesn't seem to be compatible anymore. Can someone suggest a fix?

With reporter.pl:

http://www.spamcop.net/sc?id=z730779220z97...84a730a7370afez

without:

http://www.spamcop.net/sc?id=z730859358z90...c14b16e67b9fcbz

Thanks

[Wazoo]

I can't think of a thing that has changed in th SpamCop parser that would lead to the results you are suggesting. As you have both examples in front of you, please take the time o look at them. As stated in response to the last sample you posted here, the headers are unbelievably screwed ... again, compare the two yourself .... from this side of the screen, it'd be pretty hard to guess at what you've got going on there.

[mhollowa]

Sorry, I don't seem to be making myself understood for some reason. What I have going on here is Spamcop's own reporter.pl scri_pt (available here http://www.spamcop.net/reporter.pl ) doing exactly what it's supposed to do. Whether that is incredibly screwing something or not I'm not able to judge. I do know that it worked not to long ago, and now it doesn't. Doesn't seem possible that it could be an error on my end since the message is obviously going through exactly the way it is supposed to as evidenced by the tracking URLs. One, or all, of the inserted lines (Deathtospam, etc.) that used to be handled by Spamcop, and were placed there by Spamcop in order to be handled by Spamcop, are not being handled anymore, and the header lines aren't found.

A fair number of people had been using the scri_pt at one time. If it is obsolete now, for whatever reason, how might a spam be forwarded by an MTA? Does it have to be an attachment?

[StevenUnderwood]

One, or all, of the inserted lines (Deathtospam, etc.) that used to be handled by Spamcop, and were placed there by Spamcop in order to be handled by Spamcop, are not being handled anymore

Spamcop did tighten the code but that was six months ago or more now. Have you been reporting all this time without monitoring where your reports were going (or weren't as it seems to be the case)?

Also, as far as I know, spamcop did NOT create that scri_pt, but did agree to distribute it for the user that did create it. As I do not use it, I would not have noticed it failing. However, have you checked the version you are using against the one at the link you provided? Specifically, yours seems to have a few spaces at the start of the line: Content-Type: text/plain; charset=us-ascii. I don;t know if this is the only difference, but spaces at the start of a header line indicate it is a continuation of the previous line, which could cause your error.

[Wazoo]

Sorry, I don't seem to be making myself understood for some reason.  What I have going on here is Spamcop's own reporter.pl scri_pt (available here http://www.spamcop.net/reporter.pl )

Edited your post to make the link actually valid ... edited your post to remove the :quoted in full" reply once again ... Please see the "button confusion" entry in the "How to use ... / Forum" section .... As Steven states, that was code offered up by another SpamCop user ...

doing exactly what it's supposed to do.  Whether that is incredibly screwing something or not I'm not able to judge.

Why not? Your last samples make it incredibly clear that these submission are screwed, will not work, etc. ... Why you can't see the difference is beyond me ...

  I do know that it worked not to long ago, and now it doesn't.  Doesn't seem possible that it could be an error on my end since the message is obviously going through exactly the way it is supposed to as evidenced by the tracking URLs.

"Going through" seems a bit strange. All you have shown is that the e-mail made the trip. What you haven't done is analyzed why the specific e-mail arrives in such a bad condition.

  One, or all, of the inserted lines (Deathtospam, etc.) that used to be handled by Spamcop, and were placed there by Spamcop in order to be handled by Spamcop, are not being handled anymore, and the header lines aren't found.

Those lines were placed there by the original coder ... actually, the headers lines are being seen, and that's the problem. There is the first header block, then a blank line ... that's where the processing stops, then pointing out that the first header block contains no real data.

A fair number of people had been using the scri_pt at one time.  If it is obsolete now, for whatever reason, how might a spam be forwarded by an MTA?  Does it have to be an attachment?

If you actually look at the reporter.pl code, making the inserted spam fit the "construct" of an attachment is what it's all about. My suspicions would be that in all your recent mucking about you have changed something that says to hell with all that reporter.pl work and send this e-mail out in a mode usually called "in-line" ... thus the "attachment" no longer exists.

[mhollowa]

Spamcop did tighten the code but that was six months ago or more now.  Have you been reporting all this time without monitoring where your reports were going (or weren't as it seems to be the case)?

Also, as far as I know, spamcop did NOT create that scri_pt, but did agree to distribute it for the user that did create it.  As I do not use it, I would not have noticed it failing.  However, have you checked the version you are using against the one at the link you provided?  Specifically, yours seems to have a few spaces at the start of the line:  Content-Type: text/plain; charset=us-ascii.  I don;t know if this is the only difference, but spaces at the start of a header line indicate it is a continuation of the previous line, which could cause your error.

24231[/snapback]

Amazing. How did you know I had cut and pasted it? Yes, spaces were inadvertantly inserted at the head of some lines. Thank you Thank you Thank you.

What it is: I've been setting up a new system over several months. I'm not doing this again for a long time.