
Spams received already outdated


Gingko


Hello,

I have a problem: for about two weeks, I have had two mailboxes (hosted by the same operator) which are flooded by spam having weird characteristics:

  • Most of the received messages are already outdated, meaning that if I use Spamcop for reporting them, they are rejected because they are more than 2 days old, despite the fact that I submit them as soon as they are received.
  • If I delete them from the mailbox, it happens quite often that they come back a few hours later, as if I had never deleted them.
  • All of these spams originate (apparently, of course, as these sender addresses are always fake), for me at least (it may be different for other users), from only 3 different mailboxes:
    1 - Info@taobao.com
    2 - mailer-daemon@amazon.com
    3 - mailer-daemon@sourceforge.net

All of this suggests that the operator itself could be involved in this situation.

I'm not the only one having this problem; actually there is a large topic (38 pages so far) on the community forum of this operator where many users are complaining about the same problem:
https://forum.sfr.fr/t5/votre-messagerie-sfr-mail/mail-suspect-reçu-de-ma-propre-adresse-mail-et-nombreux-spams/td-p/2164708

The hosting operator is none other than SFR, which is one of the 4 main telephony and Internet operators on French territory.

For me, this has been going on since January 9th, and I have got about 140 spams that way so far. But for other users, this seems to be older.

I would like to know what you think about that as I fear this is likely to defeat the Spamcop system.

Regards,

Gingko


6 hours ago, Gingko said:

Most of the received messages are already outdated, meaning that if I use Spamcop for reporting them, they are rejected because they are more than 2 days old, despite the fact that I submit them as soon as they are received.

A tracking URL would be useful.  Also, if you look at the headers, is your border server putting on an old date?  Spammers have been known to put in faked headers with old dates to try to confuse the SpamCop parser.  This is why the mailhosts setup now exists: to cause the parser to stop at your border server, so that the correct IP and date can be picked up by the parser.


3 hours ago, Gingko said:

Ahem… Of course, yes, but…
What are you calling “A tracking URL”, and how could it be useful, especially in this case?

When some email server or botnet starts spewing spam, occasionally they are taken offline, but when started up again it finishes the out-of-date spew!
When you parse spam, at the top of the page before you submit there is a tracking URL. Posting this, one can look up IPs to see when spam was happening, when it stopped and if it restarts.
For instance 35.182.184.76, on a couple of sites I use to check, was a botnet, but it now seems a malware scan was done and has fixed it.
https://talosintelligence.com/reputation_center/lookup?search=35.182.184.76
https://www.abuseat.org/lookup.cgi?ip=35.182.184.76

Edited by petzl

Here are the headers of a typical spam that I received that way:

Quote

X-Account-Key: account25
X-UIDL: 1340827462.2205
X-Mozilla-Keys:
Return-Path: <Info@taobao.com>
Received: from msfrf2639.sfr.fr (msfrf2639.sfrmc.priv.atos.fr [10.18.203.123])
	 by msfrb1402 with LMTPA;
	 Sat, 25 Jan 2020 13:52:04 +0100
X-Cyrus-Session-Id: cyrus-366491-1579956697-1-4726002118533284992
X-Sieve: CMU Sieve 3.0
Received: from filter.sfr.fr (localhost [10.18.203.96])
	by msfrf2639.sfr.fr (SMTP Server) with ESMTP id BA1613A844C69
	for <x>; Wed, 22 Jan 2020 03:47:55 +0100 (CET)
Received: from smtp26.services.sfr.fr (front26-smtp-dirty.sfrmc.priv.atos.fr [10.18.203.96])
	by msfrf2639.sfr.fr (SMTP Server) with ESMTP id AE1C449EFFE50
	for <x>; Mon, 20 Jan 2020 20:29:00 +0100 (CET)
X-mail-filterd: 0.4.0
X-sfr-spamrating: 100
X-sfr-spam: high
Authentication-Results: sfrmc.priv.atos.fr 1;
	spf=fail smtp.mailfrom=Info@taobao.com smtp.helo=moratabich.xyz;
	dkim=none;
	dmarc=fail
Received: from moratabich.xyz (lebis.disians.com [173.240.15.12])
	by msfrf2639.sfr.fr (SMTP Server) with ESMTP id A0E671C051414
	for <x>; Mon, 20 Jan 2020 20:29:00 +0100 (CET)
Received: from moratabich.xyz (lebis.disians.com [173.240.15.12])
	by msfrf2639.sfr.fr (SMTP Server) with ESMTP
	for <x>; Mon, 20 Jan 2020 20:29:00 +0100 (CET)
MIME-Version: 1.0
From: E.Leclerc  client special <Info@taobao.com>
To: [removed]
Date: Mon, 20 Jan 2020 17:55:35 +0100
Subject: Re : 2ème tentative pur [removed]
Content-Type: text/html;
Message-Id: <2798__________________________1C16@msfrf2635.sfr.fr>

You can see that the spam was sent on January 20th at 20:29 CET, but I received it today at 13:59 CET.
There are "Received:" lines for that, but SpamCop ignores them, as the three last "Received:" lines are internal handling by the receiving ISP declared in the mailhosts setup … thus this internal handling spans 5 days!

A large part of the spams that I receive on this address have this huge internal handling time.

And this concerns only spam.
Regular messages that I send to myself to the same address are delivered in a matter of seconds.

Gingko


Thanks for the information. The tracking URL others suggested would have given others access to the information you provided above AND allowed visibility into the actions of the parser.

I would think that a talk with your email service provider is in order. As you noted, the delays reflected by the top three Received entries are, I think, excessive.  Have you brought this to your ISP's attention?  They may not be aware of the delay, nor of the consequences.  It is likely that none of their other customers report spam and care about the delay in receiving spam.  I am amused by the server name: front26-smtp-dirty.sfrmc.priv.atos.fr  Does your other email go through this server? Or only spam?

I would not want to assign motive to the delay in receiving spam. As I said, your provider may not be aware of the delay caused by the spam filtering / email authentication process.

For your reference, the tracking URL can be found at the top of the reporting screen

Quote

SpamCop v 5.1.0 © 2020 Cisco Systems, Inc. All rights reserved.
Here is your TRACKING URL - it may be saved for future reference:

following the lines above.


1 hour ago, Lking said:

Thanks for the information. The tracking URL others suggested would have given others access to the information you provided above AND allowed visibility into the actions of the parser.

I would think that a talk with your email service provider is in order. As you noted, the delays reflected by the top three Received entries are, I think, excessive.  Have you brought this to your ISP's attention?  They may not be aware of the delay, nor of the consequences.  It is likely that none of their other customers report spam and care about the delay in receiving spam.  I am amused by the server name: front26-smtp-dirty.sfrmc.priv.atos.fr  Does your other email go through this server? Or only spam?

I would not want to assign motive to the delay in receiving spam. As I said, your provider may not be aware of the delay caused by the spam filtering / email authentication process.

For your reference, the tracking URL can be found at the top of the reporting screen

following the lines above.

The ISP has been contacted by many angry users (not by me yet) for several weeks, and they only give hackneyed answers like "we are working on it" (for weeks!).

About the tracking URL: OK, so you are speaking about URLs specific to a particular spam, as it changes for each spam.
For the quoted headers above, the tracking URL is
https://www.spamcop.net/sc?id=z6611133626z038eafa006f7aed4232b8a0c6617a97az

And NO, if I look at the headers of some regular mails, they do NOT go through front26-smtp-dirty.sfrmc.priv.atos.fr.

Gingko

Edited by Gingko

3 hours ago, Gingko said:

For the quoted headers above, the tracking URL is https://www.spamcop.net/sc?id=z6611133626z038eafa006f7aed4232b8a0c6617a97az

You need to forward from your email account with this preamble at top of report
http://173.240.15.12
Name:   lebis.disians.com
IP:        173.240.15.12
Domain:    disians.com
Registrar Abuse Contact Email:  mailto:abuse[AT]web.com

EMAIL IP 173.240.15.12   abuse[AT]bigboxhost.com SpamCop has this wrong

http://b.link/E-Leclerc-fr 
IP  18.208.23.249  abuse[AT]amazonaws.com

Then paste headers and text body as you did for SpamCop


9 hours ago, petzl said:

You need to forward from your email account with this preamble at top of report
http://173.240.15.12
Name:   lebis.disians.com
IP:        173.240.15.12
Domain:    disians.com
Registrar Abuse Contact Email:  mailto:abuse[AT]web.com

EMAIL IP 173.240.15.12   abuse[AT]bigboxhost.com SpamCop has this wrong

http://b.link/E-Leclerc-fr
IP  18.208.23.249  abuse[AT]amazonaws.com

Then paste headers and text body as you did for SpamCop

I don't understand.

Where should I forward this if it is not to Spamcop?
I hope you are not telling me to forward directly to the spammer or to some hosting service related to it?

Gingko


One more thing about these spams:

Although it is difficult to completely verify, I have some reasons to think that some of these spams, received once by SFR, could have been handled internally by SFR and distributed more than once to the recipient at random intervals.

I receive many of these spams several times with identical contents, as if they came back after having been completely deleted from the mailbox.
After reporting, they could sometimes have been seen as duplicate reports.

And if I look at my past reports history ( https://members.spamcop.net/mcgi?action=showhistory ), I can see that about half of them have been handled as "No reports filed" by Spamcop, without any more explanation.

Gingko

Edited by Gingko

22 hours ago, Gingko said:

You can see that the spam was sent on January 20th at 20:29 CET, but I received it today 13:59 CET.

Yep, looking at the headers I see a jump from smtp26.services.sfr.fr to filter.sfr.fr for the two days.  It appears that sfr.fr is internally delaying the emails (since they are coming from a 10.x.x.x private address).

7 hours ago, Gingko said:

Although it is difficult to completely verify, I have some reasons to think that some of these spams, received once by SFR, could have been handled internally by SFR and distributed more than once to the recipient at random intervals.

This appears to be the case.  Looking at the "Received:" lines the border server seems to be catching the spam on time, but for some reason there is a delay going to the next internal server.  It appears to be a problem on the SFR servers.

7 hours ago, Gingko said:

Where should I forward this if it is not to Spamcop?
I hope you are not telling me to forward directly to the spammer or to some hosting service related to it?

I think what petzl is trying to say is that currently SpamCop thinks 173.240.15.12 should go to abuse[at]dacentec[dot]com, but whois.arin.net (where people in North America get their IPs from) says the IP should be reported to abuse[at]bigboxhost.com.  As long as abuse[at]dacentec[dot]com keeps rejecting SpamCop reports, manual sending may be required.  Looking at the routing details, it does appear that SpamCop does not want to send to abuse[at]bigboxhost[dot]com, but would prefer dacentec even though it bounces.


Edited by gnarlymarley
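The two points made in this thread, Gingko's five-day gap inside SFR's own servers and gnarlymarley's observation that the jump from smtp26.services.sfr.fr to filter.sfr.fr is where the time is lost, can both be checked mechanically by walking the "Received:" chain from the top (the trusted end) down to the first hop that came from outside the provider's network. The Python below is an added illustration; it is not code from the thread, from SpamCop or from SFR. It uses the headers Gingko quoted earlier as its sample, treats any hop whose source address is private or loopback as internal handling by the ISP, and takes the 48-hour reporting window stated in the thread as its cut-off; those three choices are assumptions of this example.

```python
"""Measure how long a receiving ISP held a message internally by walking the
Received: chain of the raw headers (added example, not from the thread).

Assumptions: a hop is "internal" when its source address is private (RFC 1918)
or loopback, and the reporting window is the 48 hours mentioned in the thread.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime
from typing import List, Optional, Tuple

# Headers quoted earlier in the thread (recipient already redacted as <x>);
# the mail-client X- headers and the body are left out.
SAMPLE_HEADERS = """\
Return-Path: <Info@taobao.com>
Received: from msfrf2639.sfr.fr (msfrf2639.sfrmc.priv.atos.fr [10.18.203.123])
    by msfrb1402 with LMTPA;
    Sat, 25 Jan 2020 13:52:04 +0100
Received: from filter.sfr.fr (localhost [10.18.203.96])
    by msfrf2639.sfr.fr (SMTP Server) with ESMTP id BA1613A844C69
    for <x>; Wed, 22 Jan 2020 03:47:55 +0100 (CET)
Received: from smtp26.services.sfr.fr (front26-smtp-dirty.sfrmc.priv.atos.fr [10.18.203.96])
    by msfrf2639.sfr.fr (SMTP Server) with ESMTP id AE1C449EFFE50
    for <x>; Mon, 20 Jan 2020 20:29:00 +0100 (CET)
Authentication-Results: sfrmc.priv.atos.fr 1;
    spf=fail smtp.mailfrom=Info@taobao.com smtp.helo=moratabich.xyz;
    dkim=none;
    dmarc=fail
Received: from moratabich.xyz (lebis.disians.com [173.240.15.12])
    by msfrf2639.sfr.fr (SMTP Server) with ESMTP id A0E671C051414
    for <x>; Mon, 20 Jan 2020 20:29:00 +0100 (CET)
Received: from moratabich.xyz (lebis.disians.com [173.240.15.12])
    by msfrf2639.sfr.fr (SMTP Server) with ESMTP
    for <x>; Mon, 20 Jan 2020 20:29:00 +0100 (CET)
From: E.Leclerc client special <Info@taobao.com>
Date: Mon, 20 Jan 2020 17:55:35 +0100

"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # bracketed IPv4 literal
FROM_RE = re.compile(r"^from\s+(\S+)")                  # host named after "from"


@dataclass
class Hop:
    source: str            # host the "by" server says it received from
    ip: Optional[str]      # bracketed source address, if the server logged one
    internal: bool         # source is inside the provider's own network
    timestamp: datetime    # when the "by" server accepted the message


def parse_received(raw: str) -> List[Hop]:
    """Return the hops in header order: most recent (final delivery) first."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())            # unfold continuation lines
        clause, _, stamp = value.rpartition(";")   # the date follows the last ';'
        stamp = re.sub(r"\(.*?\)", "", stamp)      # drop comments such as "(CET)"
        ts = parsedate_to_datetime(stamp.strip())  # timezone-aware datetime
        m_ip = IP_RE.search(clause)
        ip = m_ip.group(1) if m_ip else None
        m_from = FROM_RE.match(clause)
        source = m_from.group(1) if m_from else "?"
        internal = ip is not None and ipaddress.ip_address(ip).is_private
        hops.append(Hop(source, ip, internal, ts))
    return hops


def border_hop(hops: List[Hop]) -> Hop:
    """Walk down from the trusted top until the first hop that arrived from
    outside the provider's network. That hop is where the mail entered the ISP
    and where a mailhost-style parser stops; everything above it is internal."""
    for hop in hops:
        if not hop.internal:
            return hop
    raise ValueError("no external hop found in the Received chain")


def internal_delay(hops: List[Hop]) -> timedelta:
    """Time between the ISP accepting the mail at its border and final delivery."""
    return hops[0].timestamp - border_hop(hops).timestamp


def hop_delays(hops: List[Hop]) -> List[Tuple[str, int]]:
    """(host that handed the mail over, seconds it sat before doing so), oldest
    first, so the slow link in the chain stands out."""
    chrono = list(reversed(hops))
    return [(later.source, int((later.timestamp - earlier.timestamp).total_seconds()))
            for earlier, later in zip(chrono, chrono[1:])]


def reportable(hops: List[Hop], max_age: timedelta = timedelta(days=2)) -> bool:
    """Would a report filed at delivery time still fall inside the window?"""
    return internal_delay(hops) <= max_age


if __name__ == "__main__":
    chain = parse_received(SAMPLE_HEADERS)
    print("border hop:", border_hop(chain).ip, "at", border_hop(chain).timestamp)
    for host, secs in hop_delays(chain):
        print(f"{host:32s} waited {secs:7d} s")
    print("held internally for", internal_delay(chain))
    print("still reportable within 48 h:", reportable(chain))
```

On the thread's headers this attributes 112735 seconds to the handoff by filter.sfr.fr and 295449 seconds to the final handoff by msfrf2639.sfr.fr, for 408184 seconds (over 113 hours) between the border and the mailbox, so the message is already past a 48-hour window at the moment it arrives. Run the same walk over a legitimate message to confirm, as Gingko did by hand, that its internal delay is seconds rather than days.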

12 hours ago, Gingko said:

I don't understand.

Where should I forward this if it is not to Spamcop?
I hope you are not telling me to forward directly to the spammer or to some hosting service related to it?

Gingko

SpamCop cannot report these spams, but it does tell you the IP address from whence they came,
and also the URL in the body of the message.
With SpamCop, a "BOT", one sometimes needs to step in to do spam reports more effectively.
By showing you where I would have sent them, I was just letting you see an example.


4 hours ago, gnarlymarley said:

that spamcop does not want to send to abuse[at]bigboxhost[dot]com, but would prefer dacentec even though it bounces.


And it may bounce from there. It's in the "Marshall Islands" so don't get your hopes up?
https://en.wikipedia.org/wiki/Marshall_Islands


In the meantime, I sorted all the spams that I received from this "spam cluster" (that I identified as part of the same group by several common features).

I have 158 spams so far, starting January 9th, incoming in two mailboxes hosted by the same ISP.

They are coming from 10 different sources, the most active being :

  • ncdhost.com (43 spams)
  • hopone.net (41 spams)
  • dacentec.com (23 spams)
  • ni.net.tr (16 spams)

The six others (datashack.net, heymman.com, layer6.net, uaservers.net, vernet.lv, wholesaleinternet.net) have fewer messages, and sometimes lasted only for a short period, meaning that the spammer may already have been shut down by this hosting service.

I could eventually forward all of them to their respective senders, but is it worth the attempt?

Gingko

Edited by Gingko

4 hours ago, Gingko said:

I could eventually forward all of them to their respective senders, but does it worth the attempt?

I would like some IP numbers and a few tracking URLs.

But if SpamCop is not working in stopping spam, you need to do this yourself.

Just pick, say, five spams or more to report; all are probably from the same spammer.

This should give results on all 158 spams.
Learn which is the IP YOUR email server receives email from, then the IP that sent it.
Just report that IP by forwarding from your email.
The best defense is attack!

Edited by petzl
