Gingko Posted January 24, 2020

Hello,

I have a problem: for about two weeks, I have two mailboxes (hosted by the same operator) which are flooded by spam having weird characteristics:

Most of the received messages are already outdated, meaning that if I use Spamcop for reporting them, they are rejected because they are more than 2 days old, despite the fact that I submit them as soon as they are received.

If I delete them from the mailbox, it happens quite often that they come back a few hours later, as if I never deleted them.

All of these spams originate (apparently, of course, as these sender addresses are always fake) for me (it may be different for other users) from only 3 different mailboxes:

1 - Info@taobao.com
2 - mailer-daemon@amazon.com
3 - mailer-daemon@sourceforge.net

All of this suggests that the operator itself could be involved in this situation.

I'm not the only one having this problem; actually there is a large topic (38 pages so far) on the community forum of this operator where many users are complaining about the same problem: https://forum.sfr.fr/t5/votre-messagerie-sfr-mail/mail-suspect-reçu-de-ma-propre-adresse-mail-et-nombreux-spams/td-p/2164708

The hosting operator is no less than SFR, which is one of the 4 main telephony and Internet operators on the French territory.

For me, this has lasted since January 9th, and I got about 140 spams that way so far. But for other users, this seems to be older.

I would like to know what you think about that, as I fear this is likely to defeat the Spamcop system.

Regards,
Gingko
gnarlymarley Posted January 24, 2020

6 hours ago, Gingko said:
> Most of the received messages are already outdated, meaning that if I use Spamcop for reporting them, they are rejected because they are more than 2 days old, despite the fact that I submit them as soon as they are received.

A tracking URL would be useful. Also, if you look at the headers, is your border server putting on an old date? Spammers have been known to put in faked headers with old dates to try to confuse the SpamCop parser. This is why the mailhosts setup now exists: to cause the parser to stop at your border server, so that the correct IP and date can be picked up by the parser.
Gingko (Author) Posted January 24, 2020

Ahem… Of course, yes, but… What are you calling "a tracking URL", and how could it be useful, especially in this case?
petzl Posted January 24, 2020 (edited)

3 hours ago, Gingko said:
> Ahem… Of course, yes, but… What are you calling "a tracking URL", and how could it be useful, especially in this case?

When some email server or botnet starts spewing spam, occasionally they are taken offline, but when started up again it finishes the out-of-date spew!

When you parse spam, at the top of the page before you submit there is a tracking URL. Posting this, one can look up IPs to see when spam was happening, when it stopped and if it restarts.

For instance 35.182.184.76, on a couple of sites I use to check, was a botnet, but it now seems a malware scan was done and has fixed it.
https://talosintelligence.com/reputation_center/lookup?search=35.182.184.76
https://www.abuseat.org/lookup.cgi?ip=35.182.184.76

Edited January 24, 2020 by petzl
Gingko (Author) Posted January 25, 2020

Here are the headers of a typical spam that I received that way:

> X-Account-Key: account25
> X-UIDL: 1340827462.2205
> X-Mozilla-Keys:
> Return-Path: <Info@taobao.com>
> Received: from msfrf2639.sfr.fr (msfrf2639.sfrmc.priv.atos.fr [10.18.203.123]) by msfrb1402 with LMTPA; Sat, 25 Jan 2020 13:52:04 +0100
> X-Cyrus-Session-Id: cyrus-366491-1579956697-1-4726002118533284992
> X-Sieve: CMU Sieve 3.0
> Received: from filter.sfr.fr (localhost [10.18.203.96]) by msfrf2639.sfr.fr (SMTP Server) with ESMTP id BA1613A844C69 for <x>; Wed, 22 Jan 2020 03:47:55 +0100 (CET)
> Received: from smtp26.services.sfr.fr (front26-smtp-dirty.sfrmc.priv.atos.fr [10.18.203.96]) by msfrf2639.sfr.fr (SMTP Server) with ESMTP id AE1C449EFFE50 for <x>; Mon, 20 Jan 2020 20:29:00 +0100 (CET)
> X-mail-filterd: 0.4.0
> X-sfr-spamrating: 100
> X-sfr-spam: high
> Authentication-Results: sfrmc.priv.atos.fr 1; spf=fail smtp.mailfrom=Info@taobao.com smtp.helo=moratabich.xyz; dkim=none; dmarc=fail
> Received: from moratabich.xyz (lebis.disians.com [173.240.15.12]) by msfrf2639.sfr.fr (SMTP Server) with ESMTP id A0E671C051414 for <x>; Mon, 20 Jan 2020 20:29:00 +0100 (CET)
> Received: from moratabich.xyz (lebis.disians.com [173.240.15.12]) by msfrf2639.sfr.fr (SMTP Server) with ESMTP for <x>; Mon, 20 Jan 2020 20:29:00 +0100 (CET)
> MIME-Version: 1.0
> From: E.Leclerc client special <Info@taobao.com>
> To: [removed]
> Date: Mon, 20 Jan 2020 17:55:35 +0100
> Subject: Re : 2ème tentative pur [removed]
> Content-Type: text/html;
> Message-Id: <2798__________________________1C16@msfrf2635.sfr.fr>

You can see that the spam was sent on January 20th at 20:29 CET, but I received it today at 13:59 CET. There is a "Received:" line for that, but SpamCop ignores them, as the three last "Received:" lines are internal handling from the receiving ISP declared in the mailhosts setup… thus this internal handling spans 5 days!

A large part of the spams that I receive on this address have this huge internal handling time property. And this concerns only spam. Regular messages that I send to myself at the same address are delivered in a matter of seconds.

Gingko
Lking Posted January 25, 2020

Thanks for the information. The tracking URI others suggested would have given others access to the information you provided above AND allowed visibility to the actions by the parser.

I would think that a talk with your email service provider is in order. As you noted, the delays reflected by the top three Received entries are, I think, excessive. Have you brought this to your ISP's attention? They may not be aware of the delay, nor the consequences. It is likely that none of their other customers report spam and care about the delay in receiving spam.

I am amused by the server name: front26-smtp-dirty.sfrmc.priv.atos.fr. Does your other email go through this server? Or only spam?

I would not want to assign motive to the delay in receiving spam. As I said, your provider may not be aware of the delay caused by the spam filtering / email authentication process.

For your reference, the tracking URL can be found at the top of the reporting screen:

> SpamCop v 5.1.0 © 2020 Cisco Systems, Inc. All rights reserved.
> Here is your TRACKING URL - it may be saved for future reference:

following the lines above.
Gingko (Author) Posted January 25, 2020 (edited)

1 hour ago, Lking said:
> Thanks for the information. The tracking URI others suggested would have given others access to the information you provided above AND allowed visibility to the actions by the parser. I would think that a talk with your email service provider is in order. As you noted, the delays reflected by the top three Received entries are, I think, excessive. Have you brought this to your ISP's attention? They may not be aware of the delay, nor the consequences. It is likely that none of their other customers report spam and care about the delay in receiving spam. I am amused by the server name: front26-smtp-dirty.sfrmc.priv.atos.fr. Does your other email go through this server? Or only spam? I would not want to assign motive to the delay in receiving spam. As I said, your provider may not be aware of the delay caused by the spam filtering / email authentication process. For your reference, the tracking URL can be found at the top of the reporting screen following the lines above.

The ISP has been contacted by many angry users (not by me yet) for several weeks, and they only give hackneyed answers like "we are working on it" (for weeks!).

About the tracking URL, ok, so you are speaking about URLs specific to a particular spam, as it changes for each spam.

For the quoted headers above, the tracking URL is https://www.spamcop.net/sc?id=z6611133626z038eafa006f7aed4232b8a0c6617a97az

And NO, if I look at the headers of some regular mails, they do NOT go through front26-smtp-dirty.sfrmc.priv.atos.fr.

Gingko

Edited January 25, 2020 by Gingko
petzl Posted January 25, 2020

3 hours ago, Gingko said:
> For the quoted headers above, the tracking URL is https://www.spamcop.net/sc?id=z6611133626z038eafa006f7aed4232b8a0c6617a97az

You need to forward from your email account with this preamble at the top of the report:

http://173.240.15.12
Name: lebis.disians.com
IP: 173.240.15.12
Domain: disians.com
Registrar Abuse Contact Email: mailto:abuse[AT]web.com
EMAIL IP 173.240.15.12 abuse[AT]bigboxhost.com
SpamCop has this wrong http://b.link/E-Leclerc-fr IP 18.208.23.249 abuse[AT]amazonaws.com

Then paste headers and text body as you did for SpamCop.
Gingko (Author) Posted January 26, 2020

9 hours ago, petzl said:
> You need to forward from your email account with this preamble at the top of the report:
> http://173.240.15.12
> Name: lebis.disians.com
> IP: 173.240.15.12
> Domain: disians.com
> Registrar Abuse Contact Email: mailto:abuse[AT]web.com
> EMAIL IP 173.240.15.12 abuse[AT]bigboxhost.com
> SpamCop has this wrong http://b.link/E-Leclerc-fr IP 18.208.23.249 abuse[AT]amazonaws.com
> Then paste headers and text body as you did for SpamCop.

I don't understand. Where should I forward this if it is not to Spamcop? I hope you are not telling me to forward directly to the spammer or to some hosting service related to it?

Gingko
Gingko (Author) Posted January 26, 2020 (edited)

One more thing about these spams:

Although it is difficult to completely verify, I have some reasons to think that some of these spams, received once by SFR, could have been handled internally by SFR and distributed more than once to the recipient at random intervals. I receive many of these spams several times with identical contents, as if they came back after having been completely deleted from the mailbox. After reporting, they could sometimes have been seen as duplicated reports. And if I look at my past reports history ( https://members.spamcop.net/mcgi?action=showhistory ), I can see that about half of them have been handled as "No reports filed" by Spamcop, without any more explanation.

Gingko

Edited January 26, 2020 by Gingko
gnarlymarley Posted January 26, 2020 (edited)

22 hours ago, Gingko said:
> You can see that the spam was sent on January 20th at 20:29 CET, but I received it today at 13:59 CET.

Yep, looking at the headers I see a jump from smtp26.services.sfr.fr to filter.sfr.fr for the two days. It appears that sfr.fr is internally delaying the emails (since they are coming from a 10.x.x.x private address).

7 hours ago, Gingko said:
> Although it is difficult to completely verify, I have some reasons to think that some of these spams, received once by SFR, could have been handled internally by SFR and distributed more than once to the recipient at random intervals.

This appears to be the case. Looking at the "Received:" lines, the border server seems to be catching the spam on time, but for some reason there is a delay going to the next internal server. It appears to be a problem on the SFR servers.

7 hours ago, Gingko said:
> Where should I forward this if it is not to Spamcop? I hope you are not telling me to forward directly to the spammer or to some hosting service related to it?

I think what petzl is trying to say is that currently SpamCop thinks 173.240.15.12 should go to abuse[at]dacentec[dot]com, but whois.arin.net (where people in North America get their IPs from) says the IP should be reported to abuse[at]bigboxhost.com. As long as abuse[at]dacentec[dot]com keeps rejecting spamcop reports, manual sending may be required. Looking at the routing details, it does appear that spamcop does not want to send to abuse[at]bigboxhost[dot]com, but would prefer dacentec even though it bounces.

Edited January 26, 2020 by gnarlymarley
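The hop-by-hop check gnarlymarley describes (and the five-day gap Gingko pointed out in the headers above) can be done mechanically. This is an added example, not code from the thread or from SpamCop: it walks the Received chain, earliest relay first, and reports the time the message spent between consecutive stamps. The sample headers are constructed from the lines posted in this thread; the function names are the example's own.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the Received lines quoted earlier in this
# thread (hostnames and timestamps as posted; recipient elided as in the post).
SAMPLE = """\
Return-Path: <Info@taobao.com>
Received: from msfrf2639.sfr.fr (msfrf2639.sfrmc.priv.atos.fr [10.18.203.123])
 by msfrb1402 with LMTPA; Sat, 25 Jan 2020 13:52:04 +0100
Received: from filter.sfr.fr (localhost [10.18.203.96])
 by msfrf2639.sfr.fr (SMTP Server) with ESMTP id BA1613A844C69
 for <x>; Wed, 22 Jan 2020 03:47:55 +0100 (CET)
Received: from smtp26.services.sfr.fr (front26-smtp-dirty.sfrmc.priv.atos.fr [10.18.203.96])
 by msfrf2639.sfr.fr (SMTP Server) with ESMTP id AE1C449EFFE50
 for <x>; Mon, 20 Jan 2020 20:29:00 +0100 (CET)
Received: from moratabich.xyz (lebis.disians.com [173.240.15.12])
 by msfrf2639.sfr.fr (SMTP Server) with ESMTP id A0E671C051414
 for <x>; Mon, 20 Jan 2020 20:29:00 +0100 (CET)
Date: Mon, 20 Jan 2020 17:55:35 +0100
Subject: sample
"""

def received_hops(raw):
    """(from_host, timestamp) for each Received line, earliest hop first."""
    msg = message_from_string(raw)
    hops = []
    for rcvd in msg.get_all("Received", []):
        host = re.search(r"from\s+(\S+)", rcvd)
        # The date is everything after the last ';'; a trailing "(CET)" is tolerated.
        stamp = parsedate_to_datetime(rcvd.rsplit(";", 1)[-1].strip())
        hops.append((host.group(1) if host else "?", stamp))
    hops.reverse()  # each relay prepends its line, so the last one is the first hop
    return hops

def hop_delays(raw):
    """Seconds elapsed between consecutive Received timestamps."""
    hops = received_hops(raw)
    return [(a, b, (tb - ta).total_seconds()) for (a, ta), (b, tb) in zip(hops, hops[1:])]

def slow_hops(raw, threshold=86400):
    """Hops held longer than threshold seconds (one day by default)."""
    return [d for d in hop_delays(raw) if d[2] > threshold]

if __name__ == "__main__":
    for a, b, secs in hop_delays(SAMPLE):
        print(f"{a} -> {b}: {secs / 3600:.1f} h")
```

On the sample, the two internal SFR hops account for the whole delay (about 31 h and 82 h), which is what pushes the message past SpamCop's two-day reporting window; the external relay at 173.240.15.12 handed it over within the same minute.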
petzl Posted January 26, 2020

12 hours ago, Gingko said:
> I don't understand. Where should I forward this if it is not to Spamcop? I hope you are not telling me to forward directly to the spammer or to some hosting service related to it?
> Gingko

SpamCop cannot report these spams, but it does tell you the IP address from whence they came, and also the URL in the body of the message. With SpamCop, a "BOT", one sometimes needs to step in to do spam reports more effectively. By showing you where I would have sent them, we're just letting you see an example.
petzl Posted January 26, 2020

4 hours ago, gnarlymarley said:
> that spamcop does not want to send to abuse[at]bigboxhost[dot]com, but would prefer dacentec even though it bounces.

And it may bounce from there. It's in the "Marshall Islands", so don't get your hopes up? https://en.wikipedia.org/wiki/Marshall_Islands
Gingko (Author) Posted January 26, 2020 (edited)

In the meantime, I sorted all the spams that I received from this "spam cluster" (that I identified as part of the same group by several common features). I have 158 spams so far, starting January 9th, incoming in two mailboxes hosted by the same ISP. They are coming from 10 different sources, the most active being:

ncdhost.com (43 spams)
hopone.net (41 spams)
dacentec.com (23 spams)
ni.net.tr (16 spams)

The six others (datashack.net, heymman.com, layer6.net, uaservers.net, vernet.lv, wholesaleinternet.net) have fewer messages, and sometimes lasted only for a short period, meaning that the spammer may already have been shut down by this hosting service.

I could eventually forward all of them to their respective senders, but is it worth the attempt?

Gingko

Edited January 26, 2020 by Gingko
petzl Posted January 27, 2020 (edited)

4 hours ago, Gingko said:
> I could eventually forward all of them to their respective senders, but is it worth the attempt?

Would like some IP numbers, a few tracking URLs. But if SpamCop is not working in stopping spam, you need to do this yourself. Just pick, say, five spams or more to report, all probably from the same spammer. This should give results on all 158 spams.

Learn which is the IP YOUR email server receives email from, then the IP that sent it. Just report that IP by forwarding from your email. The best defense is attack!

Edited January 27, 2020 by petzl
BigBox Posted January 27, 2020 (edited)

> This is regarding spam that appeared from 173.240.15.12; we have terminated our user using our services for spamming purposes.

Edited January 27, 2020 by BigBox