mhollowa Posted February 8, 2005

Once upon a time, I could use the reporter.pl script for sending my spam reports to Spamcop from my linux box with a dynamically assigned IP. Now it seems that Spamcop has gotten choosy about who it will accept mail from. I'm guessing it doesn't like my dynamically assigned IP, and that reports will need to be sent from my ISP's smtp server. Fair enough, but how to do this automatically?

I've been fiddling with sendmail, and set the SMART_HOST to the ISP's server, but this doesn't satisfy servers blocking dynamic IPs. Pine, for instance, can still send mail to Spamcop, and anywhere else, once it has the smtp server address.

Someone else must have solved this. Is there something more that needs to be done with sendmail? I've set the masquerade config for my ISP's domain without any effect. Is there another smtp client that can be used? Can a script be used with Pine or Mutt that can be made to send a spam attachment for a report?

Thanks,
Mike Holloway

Merlyn Posted February 8, 2005

I didn't think Spamcop would block spam reports being sent. Are you sending them to a valid reporting account? What kind of error/block message are you receiving? Have you been using it all along and it just quit working?

mhollowa Posted February 8, 2005

> I didn't think Spamcop would block spam reports being sent. Are you sending them to a valid reporting account? What kind of error/block message are you receiving? Have you been using it all along and it just quit working?

Check. A number of servers will now block email that doesn't come from the sending domain's own servers, and they don't always send back error messages. I've been testing with the server at work that will accept almost anything vs. Hotmail. Sendmail can send mail from my linux box directly, and using SMART_HOST with my ISP's server, to the work server, but Hotmail never serves it up. Any MUA though can send just fine using the ISP smtp server. Neither Spamcop nor Hotmail send back bounces. Spamcop continues to process reports sent from Pine just fine. Must be some difference in the headers, but I haven't looked closely.

Bottom line is: it don't work. I need something that I can use from the command line that connects to the ISP's server the same way that an MUA does. Simple solution: use an MUA. Has anyone done it already? Got a script?

Merlyn Posted February 8, 2005

Thanks for the explanation

StevenUnderwood Posted February 8, 2005

How about doing some diagnostics for us... If you have an external account you can view the full headers, send the same message using both methods and see what the difference is. If you don't have an external account, or simply do not want to get that involved, I will send you (via PM or email, whichever you prefer) an address to send them to so I can look into the differences.

mhollowa Posted February 8, 2005

Alrighty then. I just happen to have headers from the compliant work computer here, just haven't bothered looking at them. Seems the difference is all the localhost.localdomain stuff, but there doesn't seem to be any obvious way to configure sendmail so that those lines aren't created. I've already configured sendmail to masquerade as 'columbus.rr.com', which doesn't seem to have any effect. Work server and email address deleted.

With Sendmail:

Microsoft Mail Internet Headers Version 2.0
Received: from chi2k3ms02.<work computer>.net ([10.2.1.118]) by res2k3ms01.CRII.ORG with Microsoft SMTPSVC(6.0.3790.211); Sun, 6 Feb 2005 22:17:58 -0500
Received: from trend.<work computer>.net ([10.2.1.101]) by chi2k3ms02.<work computer>.net with Microsoft SMTPSVC(6.0.3790.211); Sun, 6 Feb 2005 22:17:58 -0500
Received: from 192.168.35.57 by trend.<work computer>.net (InterScan E-Mail VirusWall NT); Sun, 06 Feb 2005 22:17:59 -0500
Received: from ([65.24.5.138]) by chiim1.<work computer>.org with SMTP id 4029064.4292977; Sun, 06 Feb 2005 17:12:50 -0500
Received: from localhost.localdomain (dhcp065-024-054-137.columbus.rr.com [65.24.54.137]) by ms-smtp-04-eri0.ohiordc.rr.com (8.12.10/8.12.7) with ESMTP id j173HdHH015238 for <<my email address>>; Sun, 6 Feb 2005 22:17:39 -0500 (EST)
Received: from localhost.localdomain (redhat [127.0.0.1]) by localhost.localdomain (8.12.8/8.12.8) with ESMTP id j173HarA003221 for <<my email address>>; Sun, 6 Feb 2005 22:17:37 -0500
Received: (from mhollowa[at]localhost) by localhost.localdomain (8.12.8/8.12.8/Submit) id j173HaPb003219 for <my email address>; Sun, 6 Feb 2005 22:17:36 -0500
Date: Sun, 6 Feb 2005 22:17:36 -0500
From: mhollowa[at]columbus.rr.com
Message-Id: <200502070317.j173HaPb003219[at]localhost.localdomain>
X-Virus-Scanned: Symantec AntiVirus Scan Engine
X-esp: ESP<19>=RBL:<0> RDNS:<0> SHA:<14> UHA:<0> SLS:<0> BAYES:<0> SPF:<-1> HTML Dictionary (TRU6):<6> NigeriaScam Dictionary (TRU6):<0> URL Dictionary (TRU6):<0> spam Dictionary (TRU6):<0> CAN-spam Compliance Dictionary (TRU6):<0> Obscenities Dictionary (TRU6):<0> Embed HTML Dictionary (TRU6):<0> Porn Dictionary (TRU6):<0>
Bcc:
Return-Path: mhollowa[at]columbus.rr.com
X-OriginalArrivalTime: 07 Feb 2005 03:17:58.0831 (UTC) FILETIME=[9FC103F0:01C50CC3]

With Pine:

Microsoft Mail Internet Headers Version 2.0
Received: from chi2k3ms02.<work computer>.net ([10.2.1.118]) by res2k3ms01.CRII.ORG with Microsoft SMTPSVC(6.0.3790.211); Sun, 6 Feb 2005 22:16:59 -0500
Received: from trend.<work computer>.net ([10.2.1.101]) by chi2k3ms02.<work computer>.net with Microsoft SMTPSVC(6.0.3790.211); Sun, 6 Feb 2005 22:16:58 -0500
Received: from 192.168.35.57 by trend.<work computer>.net (InterScan E-Mail VirusWall NT); Sun, 06 Feb 2005 22:16:59 -0500
Received: from ([65.24.5.137]) by chiim1.<work computer>.org with SMTP id 4029064.4292964; Sun, 06 Feb 2005 17:11:49 -0500
Received: from [192.168.0.7] (dhcp065-024-054-137.columbus.rr.com [65.24.54.137]) by ms-smtp-03-eri0.ohiordc.rr.com (8.12.10/8.12.7) with ESMTP id j173Gcwa023754 for <<my email address>>; Sun, 6 Feb 2005 22:16:38 -0500 (EST)
Date: Sun, 6 Feb 2005 22:16:37 -0500 (EST)
From: mhollowa[at]columbus.rr.com
X-X-Sender: me[at]localhost.localdomain
To: <my email address>
Subject: Pine
Message-ID: <Pine.LNX.4.44.0502062216200.3185-100000[at]localhost.localdomain>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Virus-Scanned: Symantec AntiVirus Scan Engine
X-esp: ESP<24>=RBL:<0> RDNS:<0> SHA:<21> UHA:<0> SLS:<0> BAYES:<4> SPF:<-1> HTML Dictionary (TRU6):<0> NigeriaScam Dictionary (TRU6):<0> URL Dictionary (TRU6):<0> spam Dictionary (TRU6):<0> CAN-spam Compliance Dictionary (TRU6):<0> Obscenities Dictionary (TRU6):<0> Embed HTML Dictionary (TRU6):<0> Porn Dictionary (TRU6):<0>
Return-Path: mhollowa[at]columbus.rr.com
X-OriginalArrivalTime: 07 Feb 2005 03:16:59.0080 (UTC) FILETIME=[7C23BC80:01C50CC3]

mhollowa Posted February 8, 2005

God bless America. I just stumbled on the answer. What a dope. I had to place the domain name I'm masquerading as in the /etc/hosts file. Hotmail accepts it, so I'm hoping Spamcop will as well.

So for the archive: Spamcop is now rejecting email reports sent directly by sendmail on user PCs using dynamic IPs, such as might happen if you are using the reporter.pl script to automatically report spam filtered with Spamassassin and procmail. If you're using sendmail, you have to reconfigure it to use your ISP's smtp server the same way your email program does. You'll find the line in your sendmail.mc file prefaced by

define ('SMART_HOST'

Then you have to also set the masquerade settings in sendmail.mc to some legal domain name. I use my ISP's. You must also add that domain name to your /etc/hosts file.

Merlyn Posted February 8, 2005

Nice job, this should be added to the FAQ!

StevenUnderwood Posted February 8, 2005

I have asked the deputies for a clarification of what exactly is being blocked so that something could be put together. Have not heard back yet.

julian Posted February 9, 2005

> So for the archive: Spamcop is now rejecting email reports sent directly by sendmail on user PCs using dynamic IPs, such as might happen if you are using the reporter.pl script to automatically report spam filtered with Spamassassin and procmail.

Sorry, wrong. SpamCop (AFAIK - and I oughta know) is not refusing any mail to its domains from anywhere, anytime, anyhow. If there's a problem, we'll fix it.

It sounds like you *might* be getting blocked by a port-25 or other direct-to-mx blockade internal to your ISP. That would have a similar effect.

-=Julian=-

mhollowa Posted February 9, 2005

Yes, a thousand pardons. I goofed again. After more experimenting I found that I must not have had the permissions straight on reporter.pl. Wrong assumption that the Hotmail problem was similar to my Spamcop problem.

But now reporter.pl isn't working. The report gets an error that Spamcop can't find the headers. Here is the full report given back from the results page:

CLICK 'BACK' BUTTON TO RETURN TO SPAMCOP
################################################################################
This is a multi-part message in MIME format.
--DeathToSpamDeathToSpamDeathToSpam
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
--DeathToSpamDeathToSpamDeathToSpam
Content-Type: message/rfc822
Content-Disposition: attachment
Return-Path: <fmzvax>
Received: from localhost (redhat [127.0.0.1]) by localhost.localdomain (8.12.8/8.12.8) with ESMTP id j19Eq9rA006661 for <me[at]localhost>; Wed, 9 Feb 2005 09:52:09 -0500
Received: from pop-server.columbus.rr.com [65.24.7.35] by localhost with POP3 (fetchmail-6.2.0) for me[at]localhost (single-drop); Wed, 09 Feb 2005 09:52:09 -0500 (EST)
Received: from ms-mta-01 (ms-mta-01 [10.24.14.215]) by ms-mss-03.columbus.rr.com (iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep 8 2003)) with ESMTP id <0IBN00HBFFYJ31[at]ms-mss-03.columbus.rr.com>; Wed, 09 Feb 2005 09:51:55 -0500 (EST)
Received: from ohmx02.mgw.rr.com (ohmx02.mgw.rr.com [65.24.0.110]) by ms-mta-01.columbus.rr.com (iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep 8 2003)) with ESMTP id <0IBN00JVCFYJT2[at]ms-mta-01.columbus.rr.com>; Wed, 09 Feb 2005 09:51:55 -0500 (EST)
Received: from 65.24.0.110 ([221.15.180.67]) by ohmx02.mgw.rr.com (8.12.10/8.12.8) with SMTP id j19Eoc6H029089; Wed, 09 Feb 2005 09:50:44 -0500 (EST)
Received: from COXUA-XI02 (221.15.180.67) by 221.15.180.67; Wed, 09 Feb 2005 09:50:40 -0500
Date: Wed, 09 Feb 2005 09:50:40 -0500
From: Shultz Manuel <fmzvamholewin[at]columbus.rr.com>
Subject: Your PC is Infected, Remove the Spyware
To: x
Message-id: <0725_____2126[at]ZCPJFQ>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1437
X-Mailer: Microsoft Outlook Express 6.00.2800.1437
Content-type: multipart/alternative; boundary=Java.YJMNB.56733708811503325
X-Priority: 3
X-MSMail-priority: Normal
X-Virus-Scanned: Symantec AntiVirus Scan Engine
X-spam-Flag: YES
X-spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on redhat
X-spam-Level: ************
X-spam-Status: Yes, score=12.5 required=5.0 tests=BAYES_50,HTML_IMAGE_ONLY_12, HTML_MESSAGE,RCVD_BY_IP,RCVD_HELO_IP_MISMATCH,RCVD_NUMERIC_HELO, URIBL_AB_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_WS_SURBL autolearn=no version=3.0.2
X-spam-Report:
* 0.1 RCVD_BY_IP Received by mail server with no name
* 2.2 RCVD_HELO_IP_MISMATCH Received: HELO and IP do not match, but sho
* 1.2 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
* 2.9 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
* [score: 0.5031]
* 1.0 URIBL_SBL Contains an URL listed in the SBL blocklist
* [uRIs: kazaa-no-spyware.info]
* 0.4 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
* [uRIs: kazaa-no-spyware.info]
* 1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
* [uRIs: kazaa-no-spyware.info delete-spyware.info]
* 3.2 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
* [uRIs: delete-spyware.info]
Parts/Attachments:
1.1 OK 2 lines Text
1.2 Shown ~28 lines Text
2 OK 38 KB Image
----------------------------------------
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta content="MSHTML 6.00.2900.2523" name="GENERATOR">
<style></style>
</head>
<body bgcolor="#ffffff">
<div> <font face="Arial" size="2"><a href="http://delete-spyware.info/?aid=16"> <img alt="" hspace="0" src="cid:947457c4d3c0$2180fea0$222aa4c0[at]ZCPJFQ" align="baseline" border="0"></a></font></div>
<div></div>
<div> <font face="Arial" color="#eaeaea" size="2">FORT HOOD, Texas (AP) -- The alleged ringleader of the Abu Ghraib prison scandal went on trial Monday with witnesses telling a military court they watched him punch an Iraqi inmate in the face and saw him laugh while forcing prisoners to pose naked.</font></div>
<div></div>
<br>
<a href="http://kazaa-no-spyware.info/discon">n0m0re_emailz</a>
</body>
</html>
--DeathToSpamDeathToSpamDeathToSpam--

Wazoo Posted February 9, 2005

What do you want to hear besides;
1. please use a Tracking URL
2. those headers are unbelievably screwed.

mhollowa Posted February 10, 2005

Tracking URLs for the same spam, one submitted with the reporter.pl script and the other just attached and sent directly. Processes just fine without the additional reporter.pl stuff. Something about Spamcop processing has changed and reporter.pl doesn't seem to be compatible anymore. Can someone suggest a fix?

With reporter.pl: http://www.spamcop.net/sc?id=z730779220z97...84a730a7370afez

without: http://www.spamcop.net/sc?id=z730859358z90...c14b16e67b9fcbz

Thanks

Wazoo Posted February 10, 2005

I can't think of a thing that has changed in the SpamCop parser that would lead to the results you are suggesting. As you have both examples in front of you, please take the time to look at them. As stated in response to the last sample you posted here, the headers are unbelievably screwed ... again, compare the two yourself .... from this side of the screen, it'd be pretty hard to guess at what you've got going on there.

mhollowa Posted February 10, 2005

Sorry, I don't seem to be making myself understood for some reason. What I have going on here is Spamcop's own reporter.pl script (available here http://www.spamcop.net/reporter.pl ) doing exactly what it's supposed to do. Whether that is incredibly screwing something or not I'm not able to judge. I do know that it worked not too long ago, and now it doesn't. Doesn't seem possible that it could be an error on my end since the message is obviously going through exactly the way it is supposed to as evidenced by the tracking URLs.

One, or all, of the inserted lines (Deathtospam, etc.) that used to be handled by Spamcop, and were placed there by Spamcop in order to be handled by Spamcop, are not being handled anymore, and the header lines aren't found.

A fair number of people had been using the script at one time. If it is obsolete now, for whatever reason, how might a spam be forwarded by an MTA? Does it have to be an attachment?

StevenUnderwood Posted February 10, 2005

> One, or all, of the inserted lines (Deathtospam, etc.) that used to be handled by Spamcop, and were placed there by Spamcop in order to be handled by Spamcop, are not being handled anymore

Spamcop did tighten the code but that was six months ago or more now. Have you been reporting all this time without monitoring where your reports were going (or weren't as it seems to be the case)?

Also, as far as I know, spamcop did NOT create that script, but did agree to distribute it for the user that did create it. As I do not use it, I would not have noticed it failing.

However, have you checked the version you are using against the one at the link you provided? Specifically, yours seems to have a few spaces at the start of the line: Content-Type: text/plain; charset=us-ascii. I don't know if this is the only difference, but spaces at the start of a header line indicate it is a continuation of the previous line, which could cause your error.

Wazoo Posted February 11, 2005

> Sorry, I don't seem to be making myself understood for some reason. What I have going on here is Spamcop's own reporter.pl script (available here http://www.spamcop.net/reporter.pl )

Edited your post to make the link actually valid ... edited your post to remove the "quoted in full" reply once again ... Please see the "button confusion" entry in the "How to use ... / Forum" section .... As Steven states, that was code offered up by another SpamCop user ...

> doing exactly what it's supposed to do. Whether that is incredibly screwing something or not I'm not able to judge.

Why not? Your last samples make it incredibly clear that these submissions are screwed, will not work, etc. ... Why you can't see the difference is beyond me ...

> I do know that it worked not too long ago, and now it doesn't. Doesn't seem possible that it could be an error on my end since the message is obviously going through exactly the way it is supposed to as evidenced by the tracking URLs.

"Going through" seems a bit strange. All you have shown is that the e-mail made the trip. What you haven't done is analyzed why the specific e-mail arrives in such a bad condition.

> One, or all, of the inserted lines (Deathtospam, etc.) that used to be handled by Spamcop, and were placed there by Spamcop in order to be handled by Spamcop, are not being handled anymore, and the header lines aren't found.

Those lines were placed there by the original coder ... actually, the header lines are being seen, and that's the problem. There is the first header block, then a blank line ... that's where the processing stops, then pointing out that the first header block contains no real data.

> A fair number of people had been using the script at one time. If it is obsolete now, for whatever reason, how might a spam be forwarded by an MTA? Does it have to be an attachment?

If you actually look at the reporter.pl code, making the inserted spam fit the "construct" of an attachment is what it's all about. My suspicions would be that in all your recent mucking about you have changed something that says to hell with all that reporter.pl work and send this e-mail out in a mode usually called "in-line" ... thus the "attachment" no longer exists.

mhollowa Posted February 11, 2005

> Spamcop did tighten the code but that was six months ago or more now. Have you been reporting all this time without monitoring where your reports were going (or weren't as it seems to be the case)?
>
> Also, as far as I know, spamcop did NOT create that script, but did agree to distribute it for the user that did create it. As I do not use it, I would not have noticed it failing.
>
> However, have you checked the version you are using against the one at the link you provided? Specifically, yours seems to have a few spaces at the start of the line: Content-Type: text/plain; charset=us-ascii. I don't know if this is the only difference, but spaces at the start of a header line indicate it is a continuation of the previous line, which could cause your error.

Amazing. How did you know I had cut and pasted it? Yes, spaces were inadvertently inserted at the head of some lines. Thank you Thank you Thank you.

What it is: I've been setting up a new system over several months. I'm not doing this again for a long time.

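The failure diagnosed in this thread, MIME header lines that pick up leading spaces when a script is copied and pasted, can be reproduced offline. The following is an added example, not part of the original thread and not reporter.pl's code: it uses Python's standard email parser (not SpamCop's), the boundary string from the sample above, and constructed example.org/example.net addresses and spam.

```python
import email
import re
from email import policy

BOUNDARY = "DeathToSpamDeathToSpamDeathToSpam"  # boundary string from the thread's sample

# Constructed stand-in for the spam being reported (not taken from the thread).
SPAM = (
    "Received: from mail.example.net ([192.0.2.10]) by mx.example.org;"
    " Wed, 09 Feb 2005 09:50:44 -0500\r\n"
    "From: sender@example.net\r\n"
    "Subject: constructed sample\r\n"
    "\r\n"
    "body\r\n"
)


def build_report(indent_top="", indent_parts=""):
    """Build a report; the indent arguments imitate whitespace picked up by
    copy and paste in front of the Content-Type lines."""
    return (
        "From: reporter@example.org\r\n"
        "To: submit@example.org\r\n"
        "MIME-Version: 1.0\r\n"
        f'{indent_top}Content-Type: multipart/mixed; boundary="{BOUNDARY}"\r\n'
        "\r\n"
        "This is a multi-part message in MIME format.\r\n"
        f"--{BOUNDARY}\r\n"
        f"{indent_parts}Content-Type: text/plain; charset=us-ascii\r\n"
        "Content-Transfer-Encoding: 7bit\r\n"
        "\r\n"
        "\r\n"
        f"--{BOUNDARY}\r\n"
        f"{indent_parts}Content-Type: message/rfc822\r\n"
        "Content-Disposition: attachment\r\n"
        "\r\n"
        f"{SPAM}"
        f"--{BOUNDARY}--\r\n"
    )


def diagnose(raw):
    """Parse a report and say whether the spam survives as an attachment."""
    msg = email.message_from_string(raw, policy=policy.default)
    parts = list(msg.walk())
    return {
        "multipart": msg.is_multipart(),
        "rfc822_attachment": any(
            p.get_content_type() == "message/rfc822" for p in parts
        ),
        "defects": sorted({type(d).__name__ for p in parts for d in p.defects}),
    }


def indented_fields(raw):
    """Heuristic pre-send check: 1-based numbers of lines that look like a
    header field but start with whitespace, so they fold into the line above."""
    pattern = re.compile(r"^[ \t]+[A-Za-z][A-Za-z0-9-]*:")
    return [n for n, line in enumerate(raw.splitlines(), 1) if pattern.match(line)]


if __name__ == "__main__":
    for label, raw in [
        ("clean", build_report()),
        ("indented part headers", build_report(indent_parts="   ")),
        ("indented top-level header", build_report(indent_top="   ")),
    ]:
        print(label, diagnose(raw), indented_fields(raw))
```
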
Archived
This topic is now archived and is closed to further replies.