Jump to content

Mailhost configuration problem, identified internal IP as source. Please correct this situation


Recommended Posts

Hi:

I configured mailhost for all all my email addresses. For one of the addresses I got a waiver from the op because something was not working using the regular way of setting mailhost. Since then, whenever I report a spam from that address I get the message below. Is this normal behaviour? Does it mean that if I receive spam on that address and the spammer forges my own server as sender I can no longer report spam from that address?

I believe everything is set up properly, but since the address was added by the op, I am not 100% sure. Is there anything I should check/change? I could not find anything about this in the forum.

 

Thanks

 

Mariano

 

P.S. I replaced the id by XXXXXX... in case spammers read this forum :^)

 

SpamCop v 5.4.0 © 2022 Cisco Systems, Inc. All rights reserved.
Here is your TRACKING URL - it may be saved for future reference:
https://www.spamcop.net/sc?id=XXXXXXXXXXXXXXXXXXXXXXXXXXX
Mailhost configuration problem, identified internal IP as source
Mailhost:
Please correct this situation - register every email address where you receive spam
No source IP address found, cannot proceed.
Add/edit your mailhost configuration
Finding full email headers
Submitting spam via email (may work better)
Example: What spam headers should look like
Nothing to do.

 

Link to comment
Share on other sites

2 hours ago, Mariano said:

Hi:

I configured mailhost for all all my email addresses. For one of the addresses I got a waiver from the op because something was not working using the regular way of setting mailhost. Since then, whenever I report a spam from that address I get the message below. Is this normal behaviour? Does it mean that if I receive spam on that address and the spammer forges my own server as sender I can no longer report spam from that address?

I believe everything is set up properly, but since the address was added by the op, I am not 100% sure. Is there anything I should check/change? I could not find anything about this in the forum.

Thanks

WHEN did you configure your mailhost today a year ago?
You may have to delete the configured mailhost and resend, sometimes your ISP change their IP's (shift servers)
Unless you send a SpamCop tracking URL to see what's happening those that can help will be in the dark

At TOP of reporting page BEFORE you submit spam

SpamCop v 5.4.0 © 2022 Cisco Systems, Inc. All rights reserved.
Here is your TRACKING URL - it may be saved for future reference:
https://www.spamcop.net/sc?id=z6737190952z0ee93ea546d0bb3941f4c40b660984c7z
Skip to Reports

Link to comment
Share on other sites

18 hours ago, Mariano said:

No source IP address found, cannot proceed.
Add/edit your mailhost configuration
Finding full email headers

I would get that if they report comes from my ISP that I have configured on mailhosts.  They I would go to my ISP with the abuse and let them know they need to deal with a spammer.

15 hours ago, petzl said:

WHEN did you configure your mailhost today a year ago?
You may have to delete the configured mailhost and resend, sometimes your ISP change their IP's (shift servers)
Unless you send a SpamCop tracking URL to see what's happening those that can help will be in the dark

At TOP of reporting page BEFORE you submit spam

Now Mariano, if you pull up the tracking URL while being logged out, all the vital parts of the spam should be munged.  No personal data should be visible.  If you feel comfortable with how it munged, you can post the link here.

Link to comment
Share on other sites

Hi Petzl: I configured the mailhost about 3 days ago. As I wrote originally, the procedure through the website would not work. After I feel the email address I get a message that the mailserver does not respond so the procedure cannot be completed. The mail server is up and working. I sent an email to the ops explaining the problem and they issued a waiver and installed the mailhost on my behalf. If I check, the mail servers  that are configured are the correct ones.

I fear that if I delete the configuration I will have to ask the operators again to set it up for me. (And I prefer not to bother them with this as much as it is not necessary).

 

I will see what I can post here from a Spamcop report after I get the next spam. The reports I was referring to in my post did not get submitted because of the error. If I got to my past reports, they all look like this:

 

Submitted: 15/01/2022, 12:31:04 +0100:
The electric hand massager that's cheaper than going to the doctor!
No reports filed
 

 

Edited by Mariano
Link to comment
Share on other sites

Regarding the forging of the email address: I was not correct in my explanation. The spams that I receive come from outside my domain. I checked the full raw email and there is no reference to our domain, except in the parts of the headers where the emails were received by our server from the outside servers. I wonder how Spamcop gets that my IP is the source. I did not keep the emails, so I cannot check them again to be 100% sure. I will do it again next time to see whether I missed something.

Thanks!

 

 

Link to comment
Share on other sites

I just got one spam in this account; I forwarded it to my usual Spamcop address and I get again the same message I posted in the first post of this thread. That's all; there is no other report I can send to help track down the issue:

 


SpamCop v 5.4.0 © 2022 Cisco Systems, Inc. All rights reserved.
Here is your TRACKING URL - it may be saved for future reference:
https://www.spamcop.net/sc?id=z6737268214zc14769c972a1e7911c024300e846b532z

Mailhost configuration problem, identified internal IP as source

Mailhost:
Please correct this situation - register every email address where you receive spam

No source IP address found, cannot proceed.

Add/edit your mailhost configuration
Finding full email headers
Submitting spam via email (may work better)
Example: What spam headers should look like

Nothing to do.


I then forwarded the same spam to a different Spamcop account in which I have not set the mailhost. Here is the report I get in that case. None of the addresses mentioned in the report correspond to my ISP (astro.rug.nl). I wonder why in the other case Spamcop would think that the spam comes from my ISP:

 


SpamCop v 5.4.0 © 2022 Cisco Systems, Inc. All rights reserved.

 

 

Here is your TRACKING URL - it may be saved for future reference:
https://www.spamcop.net/sc?id=z6737268372zcb07d704fa5d85c5e2222fc431c18620z
http://www.activitymatchdull.finance/Wpfabpo/gSw5ur1BtMgyE6Cxqt5lLgRik8E1nM_KG5kgZlUPq7TG10X2vECy-ubppo6-jhaZHeRwjdTbS4NyweUxQOWvAVpXNakxbp7xfPRN3gIyWYRlRyQLGdDEIe2u9VFRI2LxsJOUmCCsnrieC3ANqbHpcOocSL-zgJKnBr3rYH61vPl9xbbmGvHFAKlsLEnWej-x.IgpWqOx_BYJwTRuVjzNFQtL-aphMjhrPVudmkuszWr4
http://www.activitymatchdull.finance/Jehbxsac/bhscd841828rqibea/4rWzsukmduVPrhjMhpa-LtQFNzjVuRTwJYB_xOqWpgI/x-jeWnELslKAFHvGmbbx9lPv16HYr3rBnKJgz-LScoOcpHbqNA3CeirnsCCmUOJsxL2IRFV9u2eIEDdGLQyRlRYWyIg3NRPfx7pbxkaNXpVAvWOQxUewyN4SbTdjwReHZahj-6oppbu-yCEv2X01GT7qPUlZgk5GK_Mn1E8kiRgLl5tqxC6EygMtB1ru5wSg

 

Please make sure this email IS spam:
From: "Detox Healthy Patches" <info@activitymatchdull.co> (relief you need! You'll have more energy, feel healthier and generally )
  Improve your body and mind with this totally natu
 ral Japanese remedy=

View full message

 

Report spam to:

Re: 163.123.141.109 (Administrator of network where email originates)
To: abuse@serverion.com (Notes)
To: info@serverion.com (Notes)

Re: http://www.activitymatchdull.finance/Jehbxsac/b... (Administrator of network hosting website referenced in spam)
To: abuse@cloudflare.com (Notes)

Re: http://www.activitymatchdull.finance/Wpfabpo/gS... (Administrator of network hosting website referenced in spam)
To: abuse@cloudflare.com (Notes)


 

Finally, I checked the raw spam and I do not find any reference to my ISP in the body. The name of the mail server and IP of my ISP appear only  in the header as part of the delivery process (see below).

 

Does this help?

If not, I'd be happy to provide more info (but at the moment I am not sure what else I could provide...)

Thanks

 

Mariano

 


X-Antivirus: avast (VPS 22011604)
X-Antivirus-Status: Clean
Return-Path: <info@activitymatchdull.co>
X-Original-To: USER@astro.rug.nl
Delivered-To: USER@astro.rug.nl
Received: from localhost (localhost [127.0.0.1])
    by mailhost1.astro.rug.nl (Postfix) with ESMTP id 50FED34BCD
    for <USER@astro.rug.nl>; Sun, 16 Jan 2022 20:13:26 +0100 (CET)
X-Virus-Scanned: amavisd-new at astro.rug.nl
X-spam-Flag: NO
X-spam-Score: 5.513
X-spam-Level: *****
X-spam-Status: No, score=5.513 tagged_above=2 required=6.2
    tests=[BAYES_20=-0.001, HTML_MESSAGE=0.001,
    HTML_MIME_NO_HTML_TAG=0.377, MIME_HTML_ONLY=0.1,
    MIME_QP_LONG_LINE=0.001, RCVD_IN_MSPIKE_BL=0.001,
    RCVD_IN_MSPIKE_L4=0.001, RCVD_IN_SBL_CSS=3.335, SPF_HELO_PASS=-0.001,
    SPF_PASS=-0.001, URIBL_BLACK=1.7] autolearn=no autolearn_force=no
Received: from mailhost1.astro.rug.nl ([129.125.6.180])
    by localhost (mailhost.astro.rug.nl [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id rvaq9I2sDGVf for <USER@astro.rug.nl>;
    Sun, 16 Jan 2022 20:13:25 +0100 (CET)
X-Greylist: delayed 632 seconds by postgrey-1.34 at mailserver1.intra.astro.rug.nl; Sun, 16 Jan 2022 20:13:22 CET
Received: from activitymatchdull.co (activitymatchdull.co [163.123.141.109])
    by mailhost1.astro.rug.nl (Postfix) with ESMTP id E20B11C709
    for <USER@astro.rug.nl>; Sun, 16 Jan 2022 20:13:22 +0100 (CET)
Date: Sun, 16 Jan 2022 13:50:33 -0500
From: "Detox Healthy Patches" <info@activitymatchdull.co>
MIME-Version: 1.0
Precedence: bulk
To: <USER@astro.rug.nl>
Subject: relief you need! You'll have more energy, feel healthier and generally
Message-ID: <ERVC2j_MBduIuAMqMMh2b_q8y639RlfLPJ-oJK7teHM.RScVWl2nZbhah1-uQBdEVfKdyHaQPqYRP_wQDm7hvQQ@activitymatchdull.co>
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Lines: 204


Link to comment
Share on other sites

@Mariano, if you submitted but canceled the report, you should still have them under the [past reports] tab View recent reports link.

it would look something like this:

Quote

Submitted: 1/5/2022, 12:28:22 AM -0600:
McClintock 2021 Congressional Update

there, if you click on the ID (not the email address) you would be able to see the email (and headers)

 

HTH

Link to comment
Share on other sites

Thanks RobiBlue: I did not cancel the report. The thing I see when I go to past reports is this:


Submitted: 16/01/2022, 21:46:11 +0100:
Grow another 3-6" inches in the next 30 days
No reports filed
 
To explain a bit more: I do not paste the raw email on the website. I forward the raw email as attachment. I then get an email back from Spamcop (see example below) with a link to finalise the report. When I click on that link I get one of the reports I posted above (e.g., in the original post at the top). I have no option to finalise or cancel the spam report. I had copied the headers of the email from the spammer above. But here is the email I get from Spamcop after I forward the spam to my Spamcop address:
 

X-Antivirus: avast (VPS 22011604)
X-Antivirus-Status: Clean
Received: from 10.196.241.214
 by atlas213.free.mail.bf1.yahoo.com with HTTPS; Sun, 16 Jan 2022 20:43:17 +0000
Return-Path: <spamid.6737270321@bounces.spamcop.net>
X-Originating-Ip: [184.94.240.112]
Received-SPF: pass (domain of bounces.spamcop.net designates 184.94.240.112 as permitted sender)
Authentication-Results: atlas213.free.mail.bf1.yahoo.com;
 dkim=unknown;
 spf=pass smtp.mailfrom=bounces.spamcop.net;
 dmarc=pass(p=NONE,sp=NONE) header.from=devnull.spamcop.net;
X-Apparently-To: mendez1960@yahoo.com; Sun, 16 Jan 2022 20:43:17 +0000
X-YMailISG: 25t1ArUWLDtakCh2lyUWbaWVJKJOp39fmygSDPeFzlusDj1D
 wIV1X7c9Y_gN9fqQxXQr8I.RBWYws6Fy2.bYkai2250ZBT85_hQzEDIzD_OL
 qotAf0xi.zqJBISU5WhL2JTmcmiNj9XCeo_BA7WM57AagEfeGNvoQ7w3Uj3x
 JcpV64Vs_cxT3Ep399Rirp783cgcRp.Km0_ev2rtEhjtqqm6YQLQoiSnupnn
 Yys5L0D9TApqFlm8hR9AigequRxz.44_vx6UwX.Ql6rRz1M63qezPAwcaa3n
 N7U69BqnAhDq_mFCUbkj4TCHHeTEEzbJt.kyzBcyEHubCLOgityQCN7thSW8
 pPtzUfBZUIi3S0E_Z4YKNPzZt53C6lwoIVdwFGGUb4hGkxxYlD5dd69_q3HG
 8b1b54U0IzXpIv1v54CzTeZ7kUtU1s4PDo9Qxuf8dcsR6168UEJ7It9D.lDK
 Lp_tNGk1nANCv6igtwa.IdOo0da4Y6KyC_gVON9CEiymdiWJ669cFf9oetrX
 6lNZn3q.z2XrcZMoBSNWfTpPv.5ueofiHROlh2zJNYiZr11uQ2w1rtZI996J
 X4wbtSjufjEhskVe_HNZOzlkdxX86C9tQFk689sy0TrJvftx5KoXtvPHGbCb
 leOLsxEaFbbbR2YhcHZZoCbp9SzqAFW.QApVFtyekQsw5aeZtm3pIplKLiTW
 rHi5U0ipDlzdOkvbw5_FBQbWc1juQK1QX6CcOcJitqZwwXVX.hDxoz0HqtPS
 kONqf76ciTf4EuWZQbv9HLhyM79wQt0FpKjH9fbMvq_d0d.zaGoJn82IMI82
 .uAS9fu_kGel6y2OdZhMMyPFMdXQW8nqzjveOrfvJ0n9PK79ulakN6VIvf9j
 3FhMM5uPblgZAebuexSxlHl87lezvRGaAR9126l9mYDVpPSdixPh53kLCMBA
 y3XH9mckmaJyK4Abwlzt6MD3onRXdeIRhfOFLlkkv.jpCaWSkZ9dZZbMXM5g
 TeWCkEu5qtlmUZiIwFIVIUwPUfR2YXQ0B2hNP7pEWhTYYnBm2yavqaXS7HlJ
 ZSjmycz1ce5eNuuZ
Received: from 184.94.240.112 (EHLO vmx.spamcop.net)
 by 10.196.241.214 with SMTPs
 (version=TLS1_2 cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256);
 Sun, 16 Jan 2022 20:43:17 +0000
DomainKey-Signature: s=devnull; d=spamcop.net; c=nofws; q=dns;
  h=IronPort-SDR:X-Corpus-CASE-Score:Received:From:To:
   Subject:Date:Message-ID:Content-type:In-Reply-To:
   References;
  b=EhPQJWu+vLYAg7blRuiF2R7C4bjCWyDlNlRSsCFYyQoVpigqZunlZurO
   2STptKPsPD1qip3cx+fFDUh8xjdofoFhVe8qIAzZ8XIMFSnhhk3DZyLfm
   XXDULZB8pHhzXN4;
IronPort-SDR: kaCt7kGrNgN88bvrho2UWRv23L52BhWrNAiXCaJdSjjlg81w4JhVjOhvGACsraMRqkSttPsa7U
 xvB0pxUOsBPCBBlNOZDwv6vzxlPz9NtCId9XT8Kz2LJcaCZkvMB2BoqNpTGd7wQwtATci9JsYZ
 GcGNIFFal9Xh2D/ynml3O+HtoiGIOJi6ORAHRlyBEF8/HqnPA97eH+Fhmy2et1xtXU3V+5dTJ5
 MFvwGM4/Xw3dWkI9zD9bzAHsB1lulMoV4XNZbk+G/H5ew4we7neBv2fXcpt7roy7muNlj25ixI
 TeM=
X-Corpus-CASE-Score: 0
Received: from prod-sc-app009.sv4.ironport.com (HELO prod-sc-app009.spamcop.net) ([10.8.141.29])
  by prod-sc-smtp-vip.sv4.ironport.com with SMTP; 16 Jan 2022 12:43:16 -0800
From: SpamCop AutoResponder <spamcop@devnull.spamcop.net>
To: mendez1960@yahoo.com
Subject: [SpamCop] has accepted 1 email for processing
Date: Sun, 16 Jan 2022 20:43:15 GMT
Message-ID: <spamid6737270321@msgid.spamcop.net>
Content-type: text/plain
In-Reply-To: <7A6C0399-2B5B-4B77-8110-B34611A6C4F1@astro.rug.nl>
References: <7A6C0399-2B5B-4B77-8110-B34611A6C4F1@astro.rug.nl>
Content-Length: 2634

PLEASE HELP SUPPORT THIS SERVICE!
SpamCop is free.  However, if you like the service please pay for it:
https://www.spamcop.net/upgradeaccount.shtml

SpamCop is now ready to process your spam.

Use links to finish spam reporting (members use cookie-login please!):
https://www.spamcop.net/sc?id=z6737270321z1d865d2cdd247325b4a6589df14c7965z


The email which triggered this auto-response had the following headers:
 Return-Path: <USER@astro.rug.nl>
Received: from vmx.spamcop.net (prod-sc-smtp15.sv4.ironport.com [10.8.129.235])
    by prod-sc-app009.sv4.ironport.com (Postfix) with ESMTP id 3CC94838F6
    for <submit.MymButMRJ56SGu6W@spam.spamcop.net>; Sun, 16 Jan 2022 12:41:02 -0800 (PST)
Authentication-Results: vmx.spamcop.net; dkim=none (message not signed) header.i=none
IronPort-SDR: kIPI6uPHLWcrJ5a3HYyi9JhuBgmxeNdhQh7PX7V1ZItjEGdn7kt+kf7jhKhCDZT7jE+3X0lC2v
 D7FqvP4yeuQwDHAK6pTFpGxuCA2WJ1UkPyzjOylN7vY1PCxFhIpNe9KhJ0EHew5N6mmycLxIPl
 epusattPI3bskO1C8cSQE71iedI7R6/U825ssIe8/9hCfot9vrUhlsjGpz+7qRBBsMFsEOs5bO
 uADOn0Qcr0XMXyA4zkSW2Tm7cGeRcsw+Xcl3ap31dScYuwuG42W9eNu/IoSOqjZHTC/Ml4wPgd
 NfjSAsUzdHveRPdL76bGrqzh
Received: from mailhost1.astro.rug.nl ([129.125.6.180])
  by vmx.spamcop.net with ESMTP; 16 Jan 2022 12:41:01 -0800
Received: from localhost (localhost [127.0.0.1])
    by mailhost1.astro.rug.nl (Postfix) with ESMTP id 0534E34BCD
    for <submit.MymButMRJ56SGu6W@spam.spamcop.net>; Sun, 16 Jan 2022 21:41:00 +0100 (CET)
X-Virus-Scanned: amavisd-new at astro.rug.nl
Received: from mailhost1.astro.rug.nl ([129.125.6.180])
    by localhost (mailhost.astro.rug.nl [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id xd5c_myTt3ao
    for <submit.MymButMRJ56SGu6W@spam.spamcop.net>;
    Sun, 16 Jan 2022 21:40:58 +0100 (CET)
Received: from [192.168.178.130] (94-212-125-192.cable.dynamic.v4.ziggo.nl [94.212.125.192])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by mailhost1.astro.rug.nl (Postfix) with ESMTPSA id D131934A73
    for <submit.MymButMRJ56SGu6W@spam.spamcop.net>; Sun, 16 Jan 2022 21:40:58 +0100 (CET)
From: USER@astro.rug.nl
Content-Type: multipart/alternative;
    boundary="Apple-Mail=_5098530C-608F-4EA8-B83C-7C6BA1F83316"
X-Mao-Original-Outgoing-Id: 664058458.737743-171147d3a152d847ca31ae78c2908bc6
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
Subject: Fwd: be happier - everyone will wonder what your secret is!
Message-Id: <7A6C0399-2B5B-4B77-8110-B34611A6C4F1@astro.rug.nl>
Date: Sun, 16 Jan 2022 21:40:58 +0100
To: "submit.MymButMRJ56SGu6W@spam.spamcop.net" <submit.MymButMRJ56SGu6W@spam.spamcop.net>
X-Mailer: Apple Mail (2.3445.104.21)

 

 

Thanks!

Link to comment
Share on other sites

19 minutes ago, Mariano said:

X-Antivirus: avast (VPS 22011604)

X-Antivirus-Status: Clean
Return-Path: <info@activitymatchdull.co>
X-Original-To: USER@astro.rug.nl
Delivered-To: USER@astro.rug.nl
Received: from localhost (localhost [127.0.0.1])
    by mailhost1.astro.rug.nl (Postfix) with ESMTP id 50FED34BCD
    for <USER@astro.rug.nl>; Sun, 16 Jan 2022 20:13:26 +0100 (CET)
X-Virus-Scanned: amavisd-new at astro.rug.nl
X-spam-Flag: NO
X-spam-Score: 5.513
X-spam-Level: *****
X-spam-Status: No, score=5.513 tagged_above=2 required=6.2
    tests=[BAYES_20=-0.001, HTML_MESSAGE=0.001,
    HTML_MIME_NO_HTML_TAG=0.377, MIME_HTML_ONLY=0.1,
    MIME_QP_LONG_LINE=0.001, RCVD_IN_MSPIKE_BL=0.001,
    RCVD_IN_MSPIKE_L4=0.001, RCVD_IN_SBL_CSS=3.335, SPF_HELO_PASS=-0.001,
    SPF_PASS=-0.001, URIBL_BLACK=1.7] autolearn=no autolearn_force=no
Received: from mailhost1.astro.rug.nl ([129.125.6.180])
    by localhost (mailhost.astro.rug.nl [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id rvaq9I2sDGVf for <USER@astro.rug.nl>;
    Sun, 16 Jan 2022 20:13:25 +0100 (CET)
X-Greylist: delayed 632 seconds by postgrey-1.34 at mailserver1.intra.astro.rug.nl; Sun, 16 Jan 2022 20:13:22 CET
Received: from activitymatchdull.co (activitymatchdull.co [163.123.141.109])
    by mailhost1.astro.rug.nl (Postfix) with ESMTP id E20B11C709
    for <USER@astro.rug.nl>; Sun, 16 Jan 2022 20:13:22 +0100 (CET)
Date: Sun, 16 Jan 2022 13:50:33 -0500
From: "Detox Healthy Patches" <info@activitymatchdull.co>
MIME-Version: 1.0
Precedence: bulk
To: <USER@astro.rug.nl>
Subject: relief you need! You'll have more energy, feel healthier and generally
Message-ID: <ERVC2j_MBduIuAMqMMh2b_q8y639RlfLPJ-oJK7teHM.RScVWl2nZbhah1-uQBdEVfKdyHaQPqYRP_wQDm7hvQQ@activitymatchdull.co>
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Lines: 204


Looking at the spam, I see that at the top it says:

#################################

Received: from localhost (localhost [127.0.0.1])
    by mailhost1.astro.rug.nl (Postfix) with ESMTP id 50FED34BCD

#################################

while a few lines below it shows the actual sender:

#################################

Received: from activitymatchdull.co (activitymatchdull.co [163.123.141.109])
    by mailhost1.astro.rug.nl (Postfix) with ESMTP id E20B11C709
    for <USER@astro.rug.nl>; Sun, 16 Jan 2022 20:13:22 +0100 (CET)
#################################

 

Is this standard? (Sorry, I am not familiar with posix conventions). Could it be that this is confusing Spamcop? I can ask my university why they do it this way.

 

Thanks

Link to comment
Share on other sites

1 hour ago, Mariano said:

Looking at the spam, I see that at the top it says:

#################################

Received: from localhost (localhost [127.0.0.1])
    by mailhost1.astro.rug.nl (Postfix) with ESMTP id 50FED34BCD

#################################

while a few lines below it shows the actual sender:

#################################

Received: from activitymatchdull.co (activitymatchdull.co [163.123.141.109])
    by mailhost1.astro.rug.nl (Postfix) with ESMTP id E20B11C709
    for <USER@astro.rug.nl>; Sun, 16 Jan 2022 20:13:22 +0100 (CET)
#################################

 

Is this standard? (Sorry, I am not familiar with posix conventions). Could it be that this is confusing Spamcop? I can ask my university why they do it this way.

 

Thanks

yes, this is standard. Every email server (MTA or MX) the email passes through, adds a new received line at the top (lately -- that means as of "several years ago" -- with SPF headers and other spoofing detection like DKIM and such), so the topmost received line is yours, then every previous one is the one before that, and somewhere along the line, there is the one the originating email (spam?) came from... now spammers can inject fake received lines, but they all will appear below the originating mail host, and that's what SC tries to discern.

since the top one says it received it from localhost by ***.rug.nl, it is expecting the next (previous) received from line, below, to be BY localhost to close the chain but it is again BY ***.rug.nl, so it fails  and it does, so why it fails I don't know (but that is probably only because the mailhosts are set up since without them it seems to work fine...) somewhere I see mailhost1 and then mailhost (without the 1) in the chain...

I personally do not use mailhosts (all I have is spam in my gmail account which I forward through a gscript I wrote a few years ago to SC) and thus don't have that issue. Albeit some years ago google changed their email system to IPv6 and broke the chain because SC didn't recognize the IPv6 address to be the equivalent of a IPv4 private address... it was later fixed... somehow...

Since I don't use mailhosts, I can't really help with how to set them up, but I have heard/read that removing them and reinserting them helps... somehow those localhost lines seem to be the ones causing the problem (second received line from top)

Edited by RobiBue
realized an error in my logic :(..
Link to comment
Share on other sites

2 hours ago, Mariano said:

I just got one spam in this account; I forwarded it to my usual Spamcop address and I get again the same message I posted in the first post of this thread. That's all; there is no other report I can send to help track down the issue:

 


SpamCop v 5.4.0 © 2022 Cisco Systems, Inc. All rights reserved.
Here is your TRACKING URL - it may be saved for future reference:
https://www.spamcop.net/sc?id=z6737268214zc14769c972a1e7911c024300e846b532z

Try your mailhost again delete the one you have now, then try again.
Seems your ISP is virus checking your email and stamping it at top of headers, this is probably confusing SpamCop

The spammer is using this IP 163.123.141.109 seems to be a lot of ignored reports,  pay to add the USA CERT email to report
screenshot of complaints sent by SpamCop
https://ibb.co/yRXnNPP

Listed 
https://check.spamhaus.org/listed/?searchterm=163.123.141.109

Link to comment
Share on other sites

Thanks for all the explanations.

I was hesitant about resetting my mailhost because that has to be done by hand by the op's (the web-based method appears not to work for the mailserver at my university), and I would prefer not to bug them with extra work. 

About setting/not setting up mailhost, I did it because noticed that in the past some reports included my ISP in the list of spammers. I was hoping mailhost would resolve that (plus SC says somewhere that this will be obligatory in the near future).

This spammer is very annoying. They keep changing the name of the server and that fools the other spam filters I have set up.

 

Thanks to all!

 

 

Link to comment
Share on other sites

1 hour ago, Mariano said:

BTW: Is any of you part of the SC team?

Unlikely just SC members who hate spammers

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...