Mariano Posted January 15, 2022

Hi:

I configured mailhost for all my email addresses. For one of the addresses I got a waiver from the op because something was not working using the regular way of setting mailhost. Since then, whenever I report a spam from that address I get the message below.

Is this normal behaviour? Does it mean that if I receive spam on that address and the spammer forges my own server as sender I can no longer report spam from that address?

I believe everything is set up properly, but since the address was added by the op, I am not 100% sure. Is there anything I should check/change? I could not find anything about this in the forum.

Thanks
Mariano

P.S. I replaced the id by XXXXXX... in case spammers read this forum :^)

SpamCop v 5.4.0 © 2022 Cisco Systems, Inc. All rights reserved.
Here is your TRACKING URL - it may be saved for future reference:
https://www.spamcop.net/sc?id=XXXXXXXXXXXXXXXXXXXXXXXXXXX
Mailhost configuration problem, identified internal IP as source
Mailhost:
Please correct this situation - register every email address where you receive spam
No source IP address found, cannot proceed.
Add/edit your mailhost configuration
Finding full email headers
Submitting spam via email (may work better)
Example: What spam headers should look like
Nothing to do.

petzl Posted January 15, 2022

2 hours ago, Mariano said:
> Hi: I configured mailhost for all my email addresses. For one of the addresses I got a waiver from the op because something was not working using the regular way of setting mailhost. Since then, whenever I report a spam from that address I get the message below. Is this normal behaviour? Does it mean that if I receive spam on that address and the spammer forges my own server as sender I can no longer report spam from that address? I believe everything is set up properly, but since the address was added by the op, I am not 100% sure. Is there anything I should check/change? I could not find anything about this in the forum. Thanks

WHEN did you configure your mailhost: today, a year ago?
You may have to delete the configured mailhost and resend; sometimes your ISP changes their IPs (shift servers).
Unless you send a SpamCop tracking URL to see what's happening, those that can help will be in the dark.
At TOP of reporting page BEFORE you submit spam:

SpamCop v 5.4.0 © 2022 Cisco Systems, Inc. All rights reserved.
Here is your TRACKING URL - it may be saved for future reference:
https://www.spamcop.net/sc?id=z6737190952z0ee93ea546d0bb3941f4c40b660984c7z
Skip to Reports

gnarlymarley Posted January 16, 2022

18 hours ago, Mariano said:
> No source IP address found, cannot proceed.
> Add/edit your mailhost configuration
> Finding full email headers

I would get that if the report comes from my ISP that I have configured on mailhosts. Then I would go to my ISP with the abuse and let them know they need to deal with a spammer.

15 hours ago, petzl said:
> WHEN did you configure your mailhost: today, a year ago? You may have to delete the configured mailhost and resend; sometimes your ISP changes their IPs (shift servers). Unless you send a SpamCop tracking URL to see what's happening, those that can help will be in the dark. At TOP of reporting page BEFORE you submit spam

Now Mariano, if you pull up the tracking URL while being logged out, all the vital parts of the spam should be munged. No personal data should be visible. If you feel comfortable with how it munged, you can post the link here.

Mariano Posted January 16, 2022 Author (edited)

Hi Petzl:

I configured the mailhost about 3 days ago. As I wrote originally, the procedure through the website would not work. After I fill in the email address I get a message that the mailserver does not respond so the procedure cannot be completed. The mail server is up and working. I sent an email to the ops explaining the problem and they issued a waiver and installed the mailhost on my behalf. If I check, the mail servers that are configured are the correct ones. I fear that if I delete the configuration I will have to ask the operators again to set it up for me. (And I prefer not to bother them with this as much as it is not necessary.)

I will see what I can post here from a Spamcop report after I get the next spam. The reports I was referring to in my post did not get submitted because of the error. If I go to my past reports, they all look like this:

Submitted: 15/01/2022, 12:31:04 +0100:
The electric hand massager that's cheaper than going to the doctor!
No reports filed

Edited January 16, 2022 by Mariano

Mariano Posted January 16, 2022 Author

Regarding the forging of the email address: I was not correct in my explanation. The spams that I receive come from outside my domain. I checked the full raw email and there is no reference to our domain, except in the parts of the headers where the emails were received by our server from the outside servers. I wonder how Spamcop gets that my IP is the source.

I did not keep the emails, so I cannot check them again to be 100% sure. I will do it again next time to see whether I missed something.

Thanks!

Mariano Posted January 16, 2022 Author

I just got one spam in this account; I forwarded it to my usual Spamcop address and I get again the same message I posted in the first post of this thread. That's all; there is no other report I can send to help track down the issue:

SpamCop v 5.4.0 © 2022 Cisco Systems, Inc. All rights reserved.
Here is your TRACKING URL - it may be saved for future reference:
https://www.spamcop.net/sc?id=z6737268214zc14769c972a1e7911c024300e846b532z
Mailhost configuration problem, identified internal IP as source
Mailhost:
Please correct this situation - register every email address where you receive spam
No source IP address found, cannot proceed.
Add/edit your mailhost configuration
Finding full email headers
Submitting spam via email (may work better)
Example: What spam headers should look like
Nothing to do.

I then forwarded the same spam to a different Spamcop account in which I have not set the mailhost. Here is the report I get in that case. None of the addresses mentioned in the report correspond to my ISP (astro.rug.nl). I wonder why in the other case Spamcop would think that the spam comes from my ISP:

SpamCop v 5.4.0 © 2022 Cisco Systems, Inc. All rights reserved.
Here is your TRACKING URL - it may be saved for future reference:
https://www.spamcop.net/sc?id=z6737268372zcb07d704fa5d85c5e2222fc431c18620z
Please make sure this email IS spam:
From: "Detox Healthy Patches" <info@activitymatchdull.co> (relief you need! You'll have more energy, feel healthier and generally )
Improve your body and mind with this totally natu ral Japanese remedy=
View full message
Report spam to:
Re: 163.123.141.109 (Administrator of network where email originates)
To: abuse@serverion.com (Notes)
To: info@serverion.com (Notes)
Re: http://www.activitymatchdull.finance/Jehbxsac/b... (Administrator of network hosting website referenced in spam)
To: abuse@cloudflare.com (Notes)
Re: http://www.activitymatchdull.finance/Wpfabpo/gS... (Administrator of network hosting website referenced in spam)
To: abuse@cloudflare.com (Notes)

Finally, I checked the raw spam and I do not find any reference to my ISP in the body. The name of the mail server and IP of my ISP appear only in the header as part of the delivery process (see below).

Does this help? If not, I'd be happy to provide more info (but at the moment I am not sure what else I could provide...)

Thanks
Mariano

X-Antivirus: avast (VPS 22011604)
X-Antivirus-Status: Clean
Return-Path: <info@activitymatchdull.co>
X-Original-To: USER@astro.rug.nl
Delivered-To: USER@astro.rug.nl
Received: from localhost (localhost [127.0.0.1]) by mailhost1.astro.rug.nl (Postfix) with ESMTP id 50FED34BCD for <USER@astro.rug.nl>; Sun, 16 Jan 2022 20:13:26 +0100 (CET)
X-Virus-Scanned: amavisd-new at astro.rug.nl
X-spam-Flag: NO
X-spam-Score: 5.513
X-spam-Level: *****
X-spam-Status: No, score=5.513 tagged_above=2 required=6.2 tests=[BAYES_20=-0.001, HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.377, MIME_HTML_ONLY=0.1, MIME_QP_LONG_LINE=0.001, RCVD_IN_MSPIKE_BL=0.001, RCVD_IN_MSPIKE_L4=0.001, RCVD_IN_SBL_CSS=3.335, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLACK=1.7] autolearn=no autolearn_force=no
Received: from mailhost1.astro.rug.nl ([129.125.6.180]) by localhost (mailhost.astro.rug.nl [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rvaq9I2sDGVf for <USER@astro.rug.nl>; Sun, 16 Jan 2022 20:13:25 +0100 (CET)
X-Greylist: delayed 632 seconds by postgrey-1.34 at mailserver1.intra.astro.rug.nl; Sun, 16 Jan 2022 20:13:22 CET
Received: from activitymatchdull.co (activitymatchdull.co [163.123.141.109]) by mailhost1.astro.rug.nl (Postfix) with ESMTP id E20B11C709 for <USER@astro.rug.nl>; Sun, 16 Jan 2022 20:13:22 +0100 (CET)
Date: Sun, 16 Jan 2022 13:50:33 -0500
From: "Detox Healthy Patches" <info@activitymatchdull.co>
MIME-Version: 1.0
Precedence: bulk
To: <USER@astro.rug.nl>
Subject: relief you need! You'll have more energy, feel healthier and generally
Message-ID: <ERVC2j_MBduIuAMqMMh2b_q8y639RlfLPJ-oJK7teHM.RScVWl2nZbhah1-uQBdEVfKdyHaQPqYRP_wQDm7hvQQ@activitymatchdull.co>
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Lines: 204

RobiBue Posted January 16, 2022

@Mariano, if you submitted but canceled the report, you should still have them under the [past reports] tab View recent reports link.

it would look something like this:

> Submitted: 1/5/2022, 12:28:22 AM -0600:
> McClintock 2021 Congressional Update
> 7160971044 ( ) ( not sent - stats only ) To: cancelled@devnull.spamcop.net

there, if you click on the ID (not the email address) you would be able to see the email (and headers)

HTH

Mariano Posted January 16, 2022 Author

Thanks RobiBue:

I did not cancel the report. The thing I see when I go to past reports is this:

Submitted: 16/01/2022, 21:46:11 +0100:
Grow another 3-6" inches in the next 30 days
No reports filed

To explain a bit more: I do not paste the raw email on the website. I forward the raw email as attachment. I then get an email back from Spamcop (see example below) with a link to finalise the report. When I click on that link I get one of the reports I posted above (e.g., in the original post at the top). I have no option to finalise or cancel the spam report.

I had copied the headers of the email from the spammer above. But here is the email I get from Spamcop after I forward the spam to my Spamcop address:

X-Antivirus: avast (VPS 22011604)
X-Antivirus-Status: Clean
Received: from 10.196.241.214 by atlas213.free.mail.bf1.yahoo.com with HTTPS; Sun, 16 Jan 2022 20:43:17 +0000
Return-Path: <spamid.6737270321@bounces.spamcop.net>
X-Originating-Ip: [184.94.240.112]
Received-SPF: pass (domain of bounces.spamcop.net designates 184.94.240.112 as permitted sender)
Authentication-Results: atlas213.free.mail.bf1.yahoo.com; dkim=unknown; spf=pass smtp.mailfrom=bounces.spamcop.net; dmarc=pass(p=NONE,sp=NONE) header.from=devnull.spamcop.net;
X-Apparently-To: mendez1960@yahoo.com; Sun, 16 Jan 2022 20:43:17 +0000
Received: from 184.94.240.112 (EHLO vmx.spamcop.net) by 10.196.241.214 with SMTPs (version=TLS1_2 cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256); Sun, 16 Jan 2022 20:43:17 +0000
DomainKey-Signature: s=devnull; d=spamcop.net; c=nofws; q=dns; h=IronPort-SDR:X-Corpus-CASE-Score:Received:From:To: Subject:Date:Message-ID:Content-type:In-Reply-To: References; b=EhPQJWu+vLYAg7blRuiF2R7C4bjCWyDlNlRSsCFYyQoVpigqZunlZurO 2STptKPsPD1qip3cx+fFDUh8xjdofoFhVe8qIAzZ8XIMFSnhhk3DZyLfm XXDULZB8pHhzXN4;
X-Corpus-CASE-Score: 0
Received: from prod-sc-app009.sv4.ironport.com (HELO prod-sc-app009.spamcop.net) ([10.8.141.29]) by prod-sc-smtp-vip.sv4.ironport.com with SMTP; 16 Jan 2022 12:43:16 -0800
From: SpamCop AutoResponder <spamcop@devnull.spamcop.net>
To: mendez1960@yahoo.com
Subject: [SpamCop] has accepted 1 email for processing
Date: Sun, 16 Jan 2022 20:43:15 GMT
Message-ID: <spamid6737270321@msgid.spamcop.net>
Content-type: text/plain
In-Reply-To: <7A6C0399-2B5B-4B77-8110-B34611A6C4F1@astro.rug.nl>
References: <7A6C0399-2B5B-4B77-8110-B34611A6C4F1@astro.rug.nl>
Content-Length: 2634

PLEASE HELP SUPPORT THIS SERVICE!
SpamCop is free. However, if you like the service please pay for it:
https://www.spamcop.net/upgradeaccount.shtml

SpamCop is now ready to process your spam.
Use links to finish spam reporting (members use cookie-login please!):
https://www.spamcop.net/sc?id=z6737270321z1d865d2cdd247325b4a6589df14c7965z

The email which triggered this auto-response had the following headers:

Return-Path: <USER@astro.rug.nl>
Received: from vmx.spamcop.net (prod-sc-smtp15.sv4.ironport.com [10.8.129.235]) by prod-sc-app009.sv4.ironport.com (Postfix) with ESMTP id 3CC94838F6 for <submit.MymButMRJ56SGu6W@spam.spamcop.net>; Sun, 16 Jan 2022 12:41:02 -0800 (PST)
Authentication-Results: vmx.spamcop.net; dkim=none (message not signed) header.i=none
Received: from mailhost1.astro.rug.nl ([129.125.6.180]) by vmx.spamcop.net with ESMTP; 16 Jan 2022 12:41:01 -0800
Received: from localhost (localhost [127.0.0.1]) by mailhost1.astro.rug.nl (Postfix) with ESMTP id 0534E34BCD for <submit.MymButMRJ56SGu6W@spam.spamcop.net>; Sun, 16 Jan 2022 21:41:00 +0100 (CET)
X-Virus-Scanned: amavisd-new at astro.rug.nl
Received: from mailhost1.astro.rug.nl ([129.125.6.180]) by localhost (mailhost.astro.rug.nl [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xd5c_myTt3ao for <submit.MymButMRJ56SGu6W@spam.spamcop.net>; Sun, 16 Jan 2022 21:40:58 +0100 (CET)
Received: from [192.168.178.130] (94-212-125-192.cable.dynamic.v4.ziggo.nl [94.212.125.192]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mailhost1.astro.rug.nl (Postfix) with ESMTPSA id D131934A73 for <submit.MymButMRJ56SGu6W@spam.spamcop.net>; Sun, 16 Jan 2022 21:40:58 +0100 (CET)
From: USER@astro.rug.nl
Content-Type: multipart/alternative; boundary="Apple-Mail=_5098530C-608F-4EA8-B83C-7C6BA1F83316"
X-Mao-Original-Outgoing-Id: 664058458.737743-171147d3a152d847ca31ae78c2908bc6
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
Subject: Fwd: be happier - everyone will wonder what your secret is!
Message-Id: <7A6C0399-2B5B-4B77-8110-B34611A6C4F1@astro.rug.nl>
Date: Sun, 16 Jan 2022 21:40:58 +0100
To: "submit.MymButMRJ56SGu6W@spam.spamcop.net" <submit.MymButMRJ56SGu6W@spam.spamcop.net>
X-Mailer: Apple Mail (2.3445.104.21)

Thanks!

Mariano Posted January 16, 2022 Author

19 minutes ago, Mariano said:
> X-Antivirus: avast (VPS 22011604)
> X-Antivirus-Status: Clean
> Return-Path: <info@activitymatchdull.co>
> X-Original-To: USER@astro.rug.nl
> Delivered-To: USER@astro.rug.nl
> Received: from localhost (localhost [127.0.0.1]) by mailhost1.astro.rug.nl (Postfix) with ESMTP id 50FED34BCD for <USER@astro.rug.nl>; Sun, 16 Jan 2022 20:13:26 +0100 (CET)
> X-Virus-Scanned: amavisd-new at astro.rug.nl
> X-spam-Flag: NO
> X-spam-Score: 5.513
> X-spam-Level: *****
> X-spam-Status: No, score=5.513 tagged_above=2 required=6.2 tests=[BAYES_20=-0.001, HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.377, MIME_HTML_ONLY=0.1, MIME_QP_LONG_LINE=0.001, RCVD_IN_MSPIKE_BL=0.001, RCVD_IN_MSPIKE_L4=0.001, RCVD_IN_SBL_CSS=3.335, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLACK=1.7] autolearn=no autolearn_force=no
> Received: from mailhost1.astro.rug.nl ([129.125.6.180]) by localhost (mailhost.astro.rug.nl [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rvaq9I2sDGVf for <USER@astro.rug.nl>; Sun, 16 Jan 2022 20:13:25 +0100 (CET)
> X-Greylist: delayed 632 seconds by postgrey-1.34 at mailserver1.intra.astro.rug.nl; Sun, 16 Jan 2022 20:13:22 CET
> Received: from activitymatchdull.co (activitymatchdull.co [163.123.141.109]) by mailhost1.astro.rug.nl (Postfix) with ESMTP id E20B11C709 for <USER@astro.rug.nl>; Sun, 16 Jan 2022 20:13:22 +0100 (CET)
> Date: Sun, 16 Jan 2022 13:50:33 -0500
> From: "Detox Healthy Patches" <info@activitymatchdull.co>
> MIME-Version: 1.0
> Precedence: bulk
> To: <USER@astro.rug.nl>
> Subject: relief you need! You'll have more energy, feel healthier and generally
> Message-ID: <ERVC2j_MBduIuAMqMMh2b_q8y639RlfLPJ-oJK7teHM.RScVWl2nZbhah1-uQBdEVfKdyHaQPqYRP_wQDm7hvQQ@activitymatchdull.co>
> Content-Type: text/html; charset=ISO-8859-1
> Content-Transfer-Encoding: quoted-printable
> Lines: 204

Looking at the spam, I see that at the top it says:

#################################
Received: from localhost (localhost [127.0.0.1]) by mailhost1.astro.rug.nl (Postfix) with ESMTP id 50FED34BCD
#################################

while a few lines below it shows the actual sender:

#################################
Received: from activitymatchdull.co (activitymatchdull.co [163.123.141.109]) by mailhost1.astro.rug.nl (Postfix) with ESMTP id E20B11C709 for <USER@astro.rug.nl>; Sun, 16 Jan 2022 20:13:22 +0100 (CET)
#################################

Is this standard? (Sorry, I am not familiar with posix conventions). Could it be that this is confusing Spamcop? I can ask my university why they do it this way.

Thanks

RobiBue Posted January 16, 2022 (edited)

1 hour ago, Mariano said:
> Looking at the spam, I see that at the top it says:
> #################################
> Received: from localhost (localhost [127.0.0.1]) by mailhost1.astro.rug.nl (Postfix) with ESMTP id 50FED34BCD
> #################################
> while a few lines below it shows the actual sender:
> #################################
> Received: from activitymatchdull.co (activitymatchdull.co [163.123.141.109]) by mailhost1.astro.rug.nl (Postfix) with ESMTP id E20B11C709 for <USER@astro.rug.nl>; Sun, 16 Jan 2022 20:13:22 +0100 (CET)
> #################################
> Is this standard? (Sorry, I am not familiar with posix conventions). Could it be that this is confusing Spamcop? I can ask my university why they do it this way. Thanks

yes, this is standard.

Every email server (MTA or MX) the email passes through, adds a new received line at the top (lately -- that means as of "several years ago" -- with SPF headers and other spoofing detection like DKIM and such), so the topmost received line is yours, then every previous one is the one before that, and somewhere along the line, there is the one the originating email (spam?) came from...

now spammers can inject fake received lines, but they all will appear below the originating mail host, and that's what SC tries to discern.

since the top one says it received it from localhost by ***.rug.nl, it is expecting the next (previous) received from line, below, to be BY localhost to close the chain but it is again BY ***.rug.nl, so it fails and it does, so why it fails I don't know (but that is probably only because the mailhosts are set up since without them it seems to work fine...)

somewhere I see mailhost1 and then mailhost (without the 1) in the chain...

I personally do not use mailhosts (all I have is spam in my gmail account which I forward through a gscript I wrote a few years ago to SC) and thus don't have that issue. Albeit some years ago google changed their email system to IPv6 and broke the chain because SC didn't recognize the IPv6 address to be the equivalent of an IPv4 private address... it was later fixed... somehow...

Since I don't use mailhosts, I can't really help with how to set them up, but I have heard/read that removing them and reinserting them helps...

somehow those localhost lines seem to be the ones causing the problem (second received line from top)

Edited January 16, 2022 by RobiBue: realized an error in my logic :(..

petzl Posted January 16, 2022

2 hours ago, Mariano said:
> I just got one spam in this account; I forwarded it to my usual Spamcop address and I get again the same message I posted in the first post of this thread. That's all; there is no other report I can send to help track down the issue:
> SpamCop v 5.4.0 © 2022 Cisco Systems, Inc. All rights reserved.
> Here is your TRACKING URL - it may be saved for future reference:
> https://www.spamcop.net/sc?id=z6737268214zc14769c972a1e7911c024300e846b532z

Try your mailhost again: delete the one you have now, then try again.
Seems your ISP is virus checking your email and stamping it at top of headers, this is probably confusing SpamCop.

The spammer is using this IP 163.123.141.109, seems to be a lot of ignored reports, pay to add the USA CERT email to report.
Screenshot of complaints sent by SpamCop: https://ibb.co/yRXnNPP
Listed: https://check.spamhaus.org/listed/?searchterm=163.123.141.109

Mariano Posted January 17, 2022 Author

Thanks for all the explanations. I was hesitant about resetting my mailhost because that has to be done by hand by the ops (the web-based method appears not to work for the mailserver at my university), and I would prefer not to bug them with extra work.

About setting/not setting up mailhost, I did it because I noticed that in the past some reports included my ISP in the list of spammers. I was hoping mailhost would resolve that (plus SC says somewhere that this will be obligatory in the near future).

This spammer is very annoying. They keep changing the name of the server and that fools the other spam filters I have set up.

Thanks to all!

Mariano Posted January 17, 2022 Author

BTW: Are any of you part of the SC team?

petzl Posted January 17, 2022

1 hour ago, Mariano said:
> BTW: Are any of you part of the SC team?

Unlikely, just SC members who hate spammers

Mariano Posted January 17, 2022 Author

Problem solved thanks to Richard from SC! I post here in case this helps others. The problem was that they had to add "localhost" to the list of servers.

I'm glad :^)

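The Received-chain walk described earlier in the thread and the fix reported just above (adding "localhost" to the list of servers), as an added example that is not part of any post and is not SpamCop's code. It is a simplified model: the function name `find_source` and the trust rules are assumptions, and the Received lines are copied from the spam posted in this thread.

```python
import ipaddress
import re
from email import message_from_string

# Received lines copied from the spam posted in this thread, newest hop first.
SAMPLE = """\
Received: from localhost (localhost [127.0.0.1])
 by mailhost1.astro.rug.nl (Postfix) with ESMTP id 50FED34BCD
 for <USER@astro.rug.nl>; Sun, 16 Jan 2022 20:13:26 +0100 (CET)
Received: from mailhost1.astro.rug.nl ([129.125.6.180])
 by localhost (mailhost.astro.rug.nl [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id rvaq9I2sDGVf for <USER@astro.rug.nl>;
 Sun, 16 Jan 2022 20:13:25 +0100 (CET)
Received: from activitymatchdull.co (activitymatchdull.co [163.123.141.109])
 by mailhost1.astro.rug.nl (Postfix) with ESMTP id E20B11C709
 for <USER@astro.rug.nl>; Sun, 16 Jan 2022 20:13:22 +0100 (CET)
From: "Detox Healthy Patches" <info@activitymatchdull.co>

(body omitted)
"""

HOP = re.compile(r"from\s+(.*?)\s+by\s+(\S+)")
BRACKET_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def find_source(raw, mailhost_names, mailhost_ips):
    """Walk Received lines top-down and return (source_ip, status).

    Assumed model: a hop is believed only if its "by" host is a registered
    mailhost; hops whose "from" IP is also registered are internal hand-offs
    and are skipped; the first other "from" IP is the source.
    """
    msg = message_from_string(raw)
    for value in msg.get_all("Received", []):
        line = " ".join(value.split())          # unfold continuation lines
        hop = HOP.match(line)
        ip = BRACKET_IP.search(hop.group(1)) if hop else None
        if not ip:
            return None, "unparseable Received line"
        by_host, from_ip = hop.group(2).lower(), ip.group(1)
        if by_host not in mailhost_names:
            # Below this point the headers could have been forged.
            return None, f"{by_host} is not a registered mailhost"
        if from_ip in mailhost_ips:
            continue                            # internal relay, keep walking
        try:
            addr = ipaddress.ip_address(from_ip)
        except ValueError:
            return None, "unparseable Received line"
        if addr.is_private or addr.is_loopback:
            return None, f"internal IP {from_ip} identified as source"
        return from_ip, "ok"
    return None, "no source IP address found"


def demo():
    # Mailhost list without localhost: the amavisd-new loopback hop stops the walk.
    before = find_source(SAMPLE, {"mailhost1.astro.rug.nl"}, {"129.125.6.180"})
    # Mailhost list with localhost added: the walk reaches the external sender.
    after = find_source(SAMPLE, {"mailhost1.astro.rug.nl", "localhost"},
                        {"129.125.6.180", "127.0.0.1"})
    return before, after


if __name__ == "__main__":
    for label, result in zip(("without localhost", "with localhost"), demo()):
        print(label, result)
```
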
RobiBue Posted January 18, 2022

That's great you got it solved! 👍

Also, Thanks Richard