rdorsch Posted May 23, 2020

Hello, I recently had the problem that I received spam, reported the spam to spamcop, spamcop informed the hoster and the hoster deactivated *my* server. Looking into the issue, I found that my domain was mentioned in the spam email; that was pretty much the only text string I could read in the (Asian) email. I did not read the "Please make sure this email IS spam:" confirmation page carefully enough, which most likely listed my domain, and the process started. I have not seen that in the past 10+ years I have been reporting to spamcop, but since then many times now. Since the domain which is referenced in the spam email and my mail domain are the same, it should be trivial for spamcop to catch such false positives. I am just wondering if anything changed in the spamcop setup or if I can somewhere configure that spamcop never generates reports against my own domain submitted by me.

Many thanks, Rainer
petzl Posted May 24, 2020 (edited)

16 hours ago, rdorsch said: Since the domain which is referenced in the spam email and my mail domain are the same, it should be trivial for spamcop to catch such false positives. I am just wondering if anything changed in the spamcop setup or if I can somewhere configure that spamcop never generates reports against my own domain submitted by me.

Seems strange a provider would shut down a website with one complaint? Make sure it has not been compromised; change the password. Run a virus scan on your computer. If you are competing against a similar website you are possibly being attacked, often done for blackmail as well! Your mailhosts are not necessarily the same as a domain. Have a look. But then SpamCop only stops reporting your email "domain". Contact your provider.

Edited May 24, 2020 by petzl
gnarlymarley Posted May 24, 2020

19 hours ago, rdorsch said: I found that my domain was mentioned in the spam email,

I had a similar situation happen to me about two decades ago with an admin from a well known education institution confusing the internal links of the spam for the source of the spam. This is why I prefer to report just the source instead of the links inside. If I see any on my reports that might be valid (innocents caught in the crossfire), I uncheck those.
rdorsch Posted May 24, 2020 (Author)

6 hours ago, petzl said: Seems strange a provider would shut down a website with one complaint? Make sure it has not been compromised; change the password. Run a virus scan on your computer. If you are competing against a similar website you are possibly being attacked, often done for blackmail as well! Your mailhosts are not necessarily the same as a domain. Have a look. But then SpamCop only stops reporting your email "domain". Contact your provider.

The story with the provider is a separate topic, but long story short: the spamcop reports are processed automatically; normally they disable the host immediately (which does not make sense, but this is at least what they communicated). After calling them, they checked the issue and re-enabled the server immediately.

I do not understand why I should run a virus scan if my server is not the source of the spam.

Mailhost and website are the same domain, even the same host.

rd@h370-wlan:~$ dig bokomoko.de

; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> bokomoko.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43604
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bokomoko.de.                   IN      A

;; ANSWER SECTION:
bokomoko.de.            214     IN      A       37.120.169.230

;; Query time: 0 msec
;; SERVER: 192.168.4.1#53(192.168.4.1)
;; WHEN: So Mai 24 09:58:43 CEST 2020
;; MSG SIZE  rcvd: 56

rd@h370-wlan:~$ dig www.bokomoko.de

; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> www.bokomoko.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49796
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.bokomoko.de.               IN      A

;; ANSWER SECTION:
www.bokomoko.de.        299     IN      CNAME   netcup.bokomoko.de.
netcup.bokomoko.de.     299     IN      A       37.120.169.230

;; Query time: 39 msec
;; SERVER: 192.168.4.1#53(192.168.4.1)
;; WHEN: So Mai 24 09:57:24 CEST 2020
;; MSG SIZE  rcvd: 81

rd@h370-wlan:~$ dig -t MX bokomoko.de

; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> -t MX bokomoko.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34232
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;bokomoko.de.                   IN      MX

;; ANSWER SECTION:
bokomoko.de.            299     IN      MX      10 mail.bokomoko.de.

;; Query time: 132 msec
;; SERVER: 192.168.4.1#53(192.168.4.1)
;; WHEN: So Mai 24 09:57:35 CEST 2020
;; MSG SIZE  rcvd: 61

rd@h370-wlan:~$ dig mail.bokomoko.de

; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> mail.bokomoko.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36872
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;mail.bokomoko.de.              IN      A

;; ANSWER SECTION:
mail.bokomoko.de.       294     IN      A       37.120.169.230

;; Query time: 17 msec
;; SERVER: 192.168.4.1#53(192.168.4.1)
;; WHEN: So Mai 24 09:57:47 CEST 2020
;; MSG SIZE  rcvd: 61

rd@h370-wlan:~$
rdorsch Posted May 24, 2020 (Author)

3 hours ago, gnarlymarley said: I had a similar situation happen to me about two decades ago with an admin from a well known education institution confusing the internal links of the spam for the source of the spam. This is why I prefer to report just the source instead of the links inside. If I see any on my reports that might be valid (innocents caught in the crossfire), I uncheck those.

That is a good point; my own host might not be the only innocent victim. The longer I think about that, the more I come to the conclusion that spamcop should fix things here, since the default is dangerous for the reporter and may trigger false positives. My wife's opinion was: please stop reporting spam to spamcop altogether, if the risk is that our email infrastructure gets shut down over the weekend (in the middle of Corona home schooling).

I think spamcop should consider to:
- As default, do not report links inside (to reduce false positives altogether)
- At least protect the reporter and let the reporter configure a whitelist for internal links (or at least support whitelisting the spam recipient domain)

I am still puzzled that I have not seen that kind of issue for many years but now very frequently.
Lking Posted May 24, 2020

On 5/23/2020 at 2:49 AM, rdorsch said: Since the domain which is referenced in the spam email and my mail domain are the same,

If I understand the issue correctly without a Tracking URL, another thing to consider is if your email and domain are on the same host and IP. As you know, spamcop looks at IPs, not domain names directly. Having your domain listed in a spam is odd. Spam I have received, even those requesting to buy one of my domains, don't include the domain in the body. In any case your point is well taken. If the domain in the body of the spam is the same as a domain in your mailhost configuration, the solution should be relatively straightforward. I would suggest a post in New Feature Request with a Tracking URL as an example to illustrate your request/suggestion.
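The check discussed in the two posts above (before submitting, compare the hosts linked in the spam body against the IPs of your own mailhosts and uncheck the matches), written out as an added Python example that is not part of this thread or of SpamCop's own tooling. The resolver table is constructed from the dig output quoted above, the spam message is constructed, and the spammer domain is a placeholder.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlsplit

# Constructed stand-in for DNS, mirroring the dig output quoted above: every
# host of the reporter's domain sits on one IP. The spammer domain is a
# placeholder. For live use swap in socket.gethostbyname (assumption).
FAKE_DNS = {
    "bokomoko.de": "37.120.169.230",
    "www.bokomoko.de": "37.120.169.230",
    "mail.bokomoko.de": "37.120.169.230",
    "example-spammer.test": "203.0.113.7",
}

# Constructed sample spam: the reporter's own domain is named in the body
# next to the link the spammer actually wants clicked.
SAMPLE_SPAM = """\
From: billing@example-spammer.test
To: postmaster@bokomoko.de
Subject: Domain renewal notice
Content-Type: text/plain; charset=utf-8

Your domain http://www.bokomoko.de/ expires soon.
Pay at http://example-spammer.test/pay?id=123 to avoid suspension.
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def body_hosts(raw_mail):
    """Hostnames of every URL found in the text parts of the message."""
    msg = message_from_string(raw_mail, policy=default)
    hosts = set()
    for part in msg.walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        for url in URL_RE.findall(part.get_content()):
            host = urlsplit(url).hostname
            if host:
                hosts.add(host.lower().rstrip("."))
    return hosts

def links_to_uncheck(raw_mail, own_hosts, resolve=FAKE_DNS.get):
    """Linked hosts resolving to the reporter's own mailhost IPs: uncheck
    these before submitting, or the complaint lands at your own provider."""
    own_ips = {ip for ip in map(resolve, own_hosts) if ip}
    return sorted(h for h in body_hosts(raw_mail) if resolve(h) in own_ips)
```

Because the comparison is on resolved IPs rather than on names, a CNAME such as www pointing at the same box is caught even when only the MX host is listed as your own.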
rdorsch Posted May 24, 2020 (Author)

52 minutes ago, Lking said: If I understand the issue correctly without a Tracking URL, another thing to consider is if your email and domain are on the same host and IP. As you know, spamcop looks at IPs, not domain names directly. Having your domain listed in a spam is odd. Spam I have received, even those requesting to buy one of my domains, don't include the domain in the body. In any case your point is well taken. If the domain in the body of the spam is the same as a domain in your mailhost configuration, the solution should be relatively straightforward. I would suggest a post in New Feature Request with a Tracking URL as an example to illustrate your request/suggestion.

Many thanks for your reply, I opened a new feature request as you suggested. For completeness I include here the tracking URLs:

Submitted: 14.5.2020, 17:40:25 +0200: =?UTF-8?B?6L+Q6YCB5bu66K6uIDMwLzUvMjAyMA==?=
7058512602 ( http://www.bokomoko.de/ ) To: abuse@netcup.de
7058512598 ( 185.222.58.117 ) To: complain@rootlayer.net

Here is the new feature request:
Lking Posted May 24, 2020

12 minutes ago, rdorsch said: Many thanks for your reply, I opened a new feature request as you suggested. For completeness I include here the tracking URLs:
Submitted: 14.5.2020, 17:40:25 +0200: =?UTF-8?B?6L+Q6YCB5bu66K6uIDMwLzUvMjAyMA==?=
7058512602 ( http://www.bokomoko.de/ ) To: abuse@netcup.de
7058512598 ( 185.222.58.117 ) To: complain@rootlayer.net

"What we have here is a failure to communicate"

An example of a tracking URL is https://www.spamcop.net/sc?id=z6634628358z460dafae0c54205ace1fe027dc2ff311z

This can be found near the top of the screen after you submit the spam. If you submit by email, the tracking URL is the link sent to you to review and complete/submit your spam. In my example above you will see the tracking URL on the third line. If we had access to the tracking URL someone could cut and paste the body of the spam into Google Translate and see why your domain is in the body.
rdorsch Posted May 24, 2020 (Author)

I submit by email, but after having completed the confirmation mail, I delete it. The data I added are from my report history on spamcop.net. If there is no way to extract it from there, it is gone. What I still have is the spam email itself (attached).

spam_mail.mbox
Lking Posted May 24, 2020

The system obviously does not like your attachment. You can recover the tracking URL by logging into your reporting account and clicking on the <Past Reports> tab. This will list "Report Numbers"; when you select the correct report, the Tracking URL will be part of the next screen.
rdorsch Posted May 24, 2020 (Author)

44 minutes ago, Lking said: The system obviously does not like your attachment. You can recover the tracking URL by logging into your reporting account and clicking on the <Past Reports> tab. This will list "Report Numbers"; when you select the correct report, the Tracking URL will be part of the next screen.

Hmm... I think that helped to recover it; I clicked on "Parse" to recover it: https://www.spamcop.net/sc?id=z6633595354za3c7f1c70eca174576d1527014496a1dz
petzl Posted May 24, 2020

14 hours ago, rdorsch said: I do not understand why I should run a virus scan if my server is not the source of the spam

Talking about your PC, a virus check is a must. Could be you have been compromised. I even use a VPN; this encrypts my communications to and from the computer. Even my Skype calls are encrypted. Win10 here; I just use Windows Defender, which right now seems very good.
gnarlymarley Posted May 25, 2020

5 hours ago, rdorsch said: Hmm... I think that helped to recover it; I clicked on "Parse" to recover it: https://www.spamcop.net/sc?id=z6633595354za3c7f1c70eca174576d1527014496a1dz

Rainer, this appears to be only the URL specified and not coming directly from your server. Running it through Google Translate, it appears to be the normal whois email address testing. Sounds like they are sending out spam to attempt to send a bill to random domains to try to extort money. Been a while since I got one of those.

(I think what petzl is talking about is where I have seen IP cameras and routers get hacked and the spam sent from there, but this does not appear to be coming directly from your server. If it was coming directly from your server, I would check the server and any devices that might be sharing the same IP for possible intrusions.)
petzl Posted May 25, 2020

3 hours ago, gnarlymarley said: (I think what petzl is talking about is where I have seen IP cameras and routers get hacked and the spam sent from there, but this does not appear to be coming directly from your server. If it was coming directly from your server, I would check the server and any devices that might be sharing the same IP for possible intrusions.)

Yes, smart TVs, Amazon and Google devices, mobile phones, baby monitors, security cameras are now on the list for hackers. Internet of Things (IoT) is the new threat.
rdorsch Posted May 25, 2020 (Author)

8 hours ago, petzl said: Talking about your PC, a virus check is a must. Could be you have been compromised. I even use a VPN; this encrypts my communications to and from the computer. Even my Skype calls are encrypted. Win10 here; I just use Windows Defender, which right now seems very good.

I am not doubting that virus checks are useful, in particular if you are running a Windows PC (which I do not :-) ). But that is only relevant here if my systems are the spam source, not the spam destination.
petzl Posted May 27, 2020

On 5/25/2020 at 4:58 PM, rdorsch said: I am not doubting that virus checks are useful, in particular if you are running a Windows PC (which I do not 🙂 ). But that is only relevant here if my systems are the spam source, not the spam destination.

Go here to see if your email address is listed: https://monitor.firefox.com/breaches
rdorsch Posted May 28, 2020 (Author)

Thanks for sharing the useful link. Fortunately, so far my domain did not show in the pwned list :-) The relation to spam here is that one of my smtpauth passwords would show up, correct?
petzl Posted May 29, 2020 (edited)

18 hours ago, rdorsch said: Thanks for sharing the useful link. Fortunately, so far my domain did not show in the pwned list 🙂 The relation to spam here is that one of my smtpauth passwords would show up, correct?

"smtpauth passwords would show up, correct?" Pwned is the term: https://monitor.firefox.com/breaches

I have a throwaway Gmail address for Facebook to read newspapers; seems pwned claims it gets breached often? Bit of a pain to change all passwords: Facebook, Gmail, cancel the "News account" clickbait I never wanted. Pwned lists all that show compromised; my passwords are upper/lowercase, alphanumeric with symbols. Put up a Facebook page with REAL name to see if I could contact "lost friends"; before I even used it Facebook appears to have sold my info to a Russian spam crime gang. Still get phishing from them but it has slowed to so far one a month. Reporting does work.

Edited May 29, 2020 by petzl