Jump to content

Recommended Posts

Posted

Occasionally I will get an email where the body is not parsed/ignored and I got another today that I did some poking around, and I found that if the Return-Path  header exists and is empty (`Return-Path: <>`), the body is ignored.   Removing or populating it resolve the issue.

Posted
2 hours ago, EkriirkE said:

Occasionally I will get an email where the body is not parsed/ignored and I got another today that I did some poking around, and I found that if the Return-Path  header exists and is empty (`Return-Path: <>`), the body is ignored.   Removing or populating it resolve the issue.

BEFORE you submit a spam at top of page there is a tracking URL  copy this track and past it here, then one can see what is happening.

example
Here is your TRACKING URL - it may be saved for future reference:
https://www.spamcop.net/sc?id=z6690533908ze72fd31a4dff786edaf29eccae16c308z

Posted
20 minutes ago, petzl said:

BEFORE you submit a spam at top of page there is a tracking URL  copy this track and past it here, then one can see what is happening.

example
Here is your TRACKING URL - it may be saved for future reference:
https://www.spamcop.net/sc?id=z6690533908ze72fd31a4dff786edaf29eccae16c308z

What are you going on about?  You can't get a tracking link for a spam you haven't submitted yet.  That's a catch 22.  And I'm not trying to report spamcop report links

Posted
1 hour ago, EkriirkE said:

What are you going on about?  You can't get a tracking link for a spam you haven't submitted yet.  That's a catch 22.  And I'm not trying to report spamcop report links

Unless headers are shown safest way is by a Tracking URL
,Without one or headers have no idea what you are on about either?
If you paste headers replace your email address with a x

Posted

I forward as attachments, been doing so for over a decade.  This is a bug which only affects about 1 spam a year.  I doubt my methods of simply clicking the forward button are randomly "mis pasting" an email of thousands consistently

Posted
On 11/30/2020 at 2:12 PM, EkriirkE said:

Occasionally I will get an email where the body is not parsed/ignored and I got another today that I did some poking around, and I found that if the Return-Path  header exists and is empty (`Return-Path: <>`), the body is ignored.   Removing or populating it resolve the issue.

I have seen this a while ago, but I didn't have time to do any research on it.  I will have to pay attention for the next time I get a spam that has links, but they get ignored.  (I think mine were August or July, so they are probably past the 90 days so I will not be able to get tracking URLs.)

Posted
2 hours ago, gnarlymarley said:

I have seen this a while ago, but I didn't have time to do any research on it.  I will have to pay attention for the next time I get a spam that has links, but they get ignored.  (I think mine were August or July, so they are probably past the 90 days so I will not be able to get tracking URLs.)

This is a failed parse https://www.spamcop.net/sc?id=z6693341449z0778223c9998b219a4bda561ffbc4addz 

this version parsed  https://www.spamcop.net/sc?id=z6693545149z7a985f0f94faa3a5d9a2fa784fd2555bz

 

The only difference is I removed the Return-Path header

Posted
1 hour ago, EkriirkE said:

This is a failed parse https://www.spamcop.net/sc?id=z6693341449z0778223c9998b219a4bda561ffbc4addz 

this version parsed  https://www.spamcop.net/sc?id=z6693545149z7a985f0f94faa3a5d9a2fa784fd2555bz

The only difference is I removed the Return-Path header

194.150.215.174 (Bounce)
so SpamCop does not lookup links
Possibly your email addy is on the reply address

Posted
1 hour ago, petzl said:

194.150.215.174 (Bounce)
so SpamCop does not lookup links
Possibly your email addy is on the reply address

No.  Read the posts.

Posted
On 11/30/2020 at 4:42 PM, EkriirkE said:

Here is your TRACKING URL - it may be saved for future reference:
https://www.spamcop.net/sc?id=z6690533908ze72fd31a4dff786edaf29eccae16c308z

I think this may have caused some confusion as the above tracking URL is missing the body.  See below for verification test.

On 12/1/2020 at 5:09 PM, EkriirkE said:

So I took your link that failed to parse and I added something in the return-path.  The links would parse again.  So I submitted it as is and it fails to parse.  Clearly, it appears you have caught a problem or bug here where SpamCop is broken.

Working (changed return-path): https://www.spamcop.net/sc?id=z6693978467z3560f51112de7e9fcadc539b521ce73bz

Not working: https://www.spamcop.net/sc?id=z6693978389zca5cee5269c5f353471c599d70e7c266z

As you can see by comparing, I submitted the same thing twice, except I added an email in the return path.

Posted

I've put this in our developers' queue to have a look at.  The key is here:

Reports regarding this spam have already been sent:
Re: 194.150.215.174 (Bounce)
Reportid: 7097982956 To: noc@galaxydata.ru
 
The spam with the blank RP is treated as a bounce by the system
 
Richard
  • 5 months later...
Posted (edited)
On 12/4/2020 at 10:50 AM, Richard W said:

I've put this in our developers' queue to have a look at.  The key is here:

Reports regarding this spam have already been sent:
Re: 194.150.215.174 (Bounce)
Reportid: 7097982956 To: noc@galaxydata.ru
 
The spam with the blank RP is treated as a bounce by the system
 
Richard

Hey there, thank you for doing this - and it seemed to have been fixed not long after you replied.  But Today I just got another batch of junk with the same issue - Blank return path, and body is not parsed for links

 

https://www.spamcop.net/sc?id=z6712715786z1416bf0f0b6a7ffe450e2a9c97905829z

https://www.spamcop.net/sc?id=z6712715787zb1414092e94d60b523f717f18fdd4839z

https://www.spamcop.net/sc?id=z6712715788z0a2699e6ef9471feb51823978b7eb85fz

https://www.spamcop.net/sc?id=z6712715785zb54e90205f1b3f4b44a5f39ba5e2e2aaz

https://www.spamcop.net/sc?id=z6712715784ze2b85ac6a1e66855cbf667e4afe4c558z

 

Edited by EkriirkE
links-
Posted (edited)
22 hours ago, EkriirkE said:

abuse[AT]civo[DOT]com 74.220.23.10 (SpamCop not correct) reporting looks to be ignored!
https://www.ncsc.gov.uk
Maybe including "incidents[AT]ncsc[DOT]gov[DOT]uk" is needed!
https://www.spamcop.net/w3m?action=checkblock&amp;ip=74.220.23.10

Other hosts in this "neighborhood" with spam reports
74.220.22.16 74.220.22.24 74.220.22.44 74.220.22.112 74.220.22.121 74.220.22.206 74.220.22.238 74.220.23.12 74.220.23.42 74.220.23.56 74.220.23.62 74.220.23.84 74.220.23.95 74.220.23.139 74.220.23.177 74.220.23.185 74.220.23.188 74.220.23.228

https://check.spamhaus.org/listed/?searchterm=74.220.23.10
This IP address has been observed to be involved in at least one of the following activities; sending spam, snowshoe spamming, or hosting botnet command and controllers (C&Cs). It may also be hijacked IP space, or associated with bulletproof hosting.

As a result, this IP address is listed in the Spamhaus Blocklist (SBL)

https://www.civo.com/about seem the site/COMPANY behind attacks?
Registrar Abuse Contact Email:  mail to: abuse[AT]register[DOT]it

Edited by petzl
Posted (edited)

The problem is not where the spam is coming from. the problem for the OP is that whenever a bounce is detected, the links in the spam do not parse.

also, manual reporting is not for everybody, and SC was designed to automate the process, not make it harder.

It's a pity that Julian is not involved anymore... I miss him...

and if @Richard W can look into this again, it would be fantastic ;) wink wink

BTW @EkriirkE I like your interests status ;) it sounds fun to peruse stuff for something it's not meant to be 😄

 

Edited by RobiBue
minor correction
Posted (edited)

for me and for SC it resolves. just paste the link to the parser...

Quote

SpamCop v 5.3.0 © 2021 Cisco Systems, Inc. All rights reserved.

Host d00.nyc3.digitaloceanspaces.com (checking ip) = 162.243.189.2
Routing details for 162.243.189.2
[refresh/show] Cached whois for 162.243.189.2 : abuse@digitalocean.com
Using best contacts abuse@digitalocean.com

Statistics:

162.243.189.2 not listed in bl.spamcop.net
More Information.
162.243.189.2 not listed in cbl.abuseat.org
162.243.189.2 not listed in dnsbl.sorbs.net

Reporting addresses:
abuse@digitalocean.com

it does redirect to a different website though...

Edit:
now, 12 hours later I got the chance to revisit the issue:

<Error>
<Code>UserSuspended</Code>
<BucketName>d00</BucketName>
<RequestId>tx0000000000000348ca477-0060aed878-c814a11-nyc3c</RequestId>
<HostId>c814a11-nyc3c-nyc3-zg03</HostId>
</Error>

digital ocean does seem to act upon reports!

It would just be nice if SC would parse bounces regardless...

Edited by RobiBue
new info

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...