mschmitt, posted March 1, 2022

I've noticed that a lot of my spam is ending at a 100.x.x.x address, for example https://www.spamcop.net/sc?id=z6743104032z068b251bb86596b30e7fe37963fd992fz:

Quote:
Tracking message source: 100.106.114.12:
Routing details for 100.106.114.12 [refresh/show]
Cached whois for 100.106.114.12 : abuse@iana.org
I refuse to bother abuse@iana.org. Using abuse#iana.org@devnull.spamcop.net for statistical tracking.
Using last resort contacts abuse#iana.org@devnull.spamcop.net

The 100.64.0.0/10 address space is "Shared Address Space", intended for ISP internal use, such as in carrier-grade NAT. I thought that this was spammer spoofing of the headers, but when I look closer, I see that this is Apple internal iCloud routing. I ran the mail hosts test, and the probes from SpamCop to me have in part:

Received: from mr85p00im-ztdg06021201.me.com (mr85p00im-ztdg06021201.me.com [17.58.23.189]) by mr85p00im-ztdg06021201.me.com (Postfix) with ESMTPS id CFA8E321282 for <xxx@xxx>; Tue, 1 Mar 2022 20:51:55 +0000 (UTC)
Received: from unknown (unknown [100.108.117.178]) by mr85p00im-ztdg06021201.me.com (Postfix) with SMTP id AAA47320EB5 for <xxx@xxx>; Tue, 1 Mar 2022 20:51:55 +0000 (UTC)
Received: from mr11p00im-smtpin012.me.com by p28-mailgateway-smtp-5c9bd88869-2jm44 (mailgateway 2209B259) with SMTP id ac8a1f75-aeb2-42f2-ade8-1afa28cf6452 for <xxx@xxx>; Tue, 1 Mar 2022 20:51:55 GMT
Received: from prod-sc-www03.spamcop.net (vmx.spamcop.net [184.94.240.112]) by mr11p00im-smtpin012.me.com (Postfix) with SMTP id EC87727F9540 for <xxx@xxx>; Tue, 1 Mar 2022 20:51:52 +0000 (UTC)

So, we can see that the 100.108.117.178 header is within iCloud, and should be skipped over on the way to finding the real spam source. I forwarded this through to the mail host configuration, but it isn't showing any 100.x.x.x addresses in the mail host list.
petzl, posted March 2, 2022

4 hours ago, mschmitt said:
I've noticed that a lot of my spam is ending at a 100.x.x.x address, for example https://www.spamcop.net/sc?id=z6743104032z068b251bb86596b30e7fe37963fd992fz: The 100.64.0.0/10 address space is "Shared Address Space", intended for ISP internal use, such as in carrier-grade NAT. I thought that this was spammer spoofing of the headers, but when I look closer, I see that this is Apple internal iCloud routing. I ran the mail hosts test, and the probes from SpamCop to me have in part: So, we can see that the 100.108.117.178 header is within iCloud, and should be skipped over on the way to finding the real spam source. I forwarded this through to the mail host configuration, but it isn't showing any 100.x.x.x addresses in the mail host list.

It would possibly help if you could send a SpamCop Track (at the top of the page, before you submit the spam report). Example: https://www.spamcop.net/sc?id=z6737987188z5348539186d39fd3831b87f1d9ddaee8z
RobiBue, posted March 2, 2022

9 hours ago, petzl said:
It would possibly help if you could send a SpamCop Track (at the top of the page, before you submit the spam report). Example: https://www.spamcop.net/sc?id=z6737987188z5348539186d39fd3831b87f1d9ddaee8z

Uhm... OP did... just check what you quoted... albeit according to DKIM and ARC, the message has been modified and I wouldn't trust most of the Received lines...
gnarlymarley, posted March 2, 2022

14 hours ago, mschmitt said:
So, we can see that the 100.108.117.178 header is within iCloud, and should be skipped over on the way to finding the real spam source.

My understanding is that RFC6598 addresses are supposed to be treated exactly like RFC1918 addresses. SpamCop probably needs to update their code.

After reading your tracking URL, it seems that there may be a disconnect between the two Received lines. I don't know how it gets from "p28-mailgateway-smtp-5c9bd88869-f6mrw" to "unknown".

Received: from unknown (unknown [100.106.114.12]) by ....
Received: from pv33p00im-smtpin013.me.com by p28-mailgateway-smtp-5c9bd88869-f6mrw (mailgateway 2209B259)
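The Received-chain walk that both posts above are talking about (mschmitt's mailhost probe headers and gnarlymarley's point that RFC 6598 shared address space should be stepped over like RFC 1918 space), written out as an added example; this is not SpamCop's parser or Apple's code. It feeds the probe headers quoted in the thread, folded into a minimal message, through a walker that skips the user's own mailhosts and any internal range, and can be run with and without 100.64.0.0/10 in the internal list to reproduce the misattribution. The `mailhosts` set, the `From`/`Subject` lines and the helper names are assumptions made for the example.

```python
import email
import ipaddress
import re

# Address ranges that a Received-chain walker should treat as internal
# hops (hostname "unknown", relays inside a provider's own network) and
# step over on the way to the real source.
RFC1918_AND_LOOPBACK = [
    ipaddress.ip_network("10.0.0.0/8"),       # RFC 1918
    ipaddress.ip_network("172.16.0.0/12"),    # RFC 1918
    ipaddress.ip_network("192.168.0.0/16"),   # RFC 1918
    ipaddress.ip_network("127.0.0.0/8"),      # loopback
    ipaddress.ip_network("fc00::/7"),         # IPv6 unique local
    ipaddress.ip_network("::1/128"),          # IPv6 loopback
]
# RFC 6598 shared address space, used for carrier-grade NAT. Kept separate
# so the walker can be run with and without it to show the difference
# the thread is about.
SHARED_ADDRESS_SPACE = ipaddress.ip_network("100.64.0.0/10")

# Bracketed literal recorded by the receiving MTA, e.g. "[17.58.23.189]"
# or "[IPv6:2001:db8::1]".
IP_IN_BRACKETS = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")


def is_internal(ip, treat_shared_as_internal=True):
    """True when `ip` lies in a range no outside sender could have used."""
    addr = ipaddress.ip_address(ip)
    nets = list(RFC1918_AND_LOOPBACK)
    if treat_shared_as_internal:
        nets.append(SHARED_ADDRESS_SPACE)
    return any(addr in net for net in nets)


def received_ips(raw_message):
    """Sending IP recorded in each Received header, closest to the
    recipient first (MTAs prepend, so header order is already newest
    first). None where the header carries no bracketed address at all,
    like the mailgateway hop in the sample."""
    msg = email.message_from_string(raw_message)
    ips = []
    for value in msg.get_all("Received", []):
        unfolded = " ".join(value.split())          # join continuation lines
        from_clause = unfolded.split(" by ", 1)[0]  # only the "from ..." part
        match = IP_IN_BRACKETS.search(from_clause)
        ips.append(match.group(1) if match else None)
    return ips


def find_source(raw_message, mailhosts, treat_shared_as_internal=True):
    """Walk outward from the recipient and return the first sending IP
    that is neither one of the user's own mailhosts nor in an internal
    range. `mailhosts` stands in for the mailhost configuration (an
    assumed set, not SpamCop's data)."""
    for ip in received_ips(raw_message):
        if ip is None or ip in mailhosts:
            continue
        if is_internal(ip, treat_shared_as_internal):
            continue
        return ip
    return None


# The Received lines from the mailhost probe quoted in the thread, folded
# into a minimal RFC 5322 message. The recipient is the thread's xxx@xxx
# placeholder; the From/Subject lines and body are constructed.
SAMPLE_PROBE = """\
Received: from mr85p00im-ztdg06021201.me.com (mr85p00im-ztdg06021201.me.com [17.58.23.189])
    by mr85p00im-ztdg06021201.me.com (Postfix) with ESMTPS id CFA8E321282
    for <xxx@xxx>; Tue, 1 Mar 2022 20:51:55 +0000 (UTC)
Received: from unknown (unknown [100.108.117.178])
    by mr85p00im-ztdg06021201.me.com (Postfix) with SMTP id AAA47320EB5
    for <xxx@xxx>; Tue, 1 Mar 2022 20:51:55 +0000 (UTC)
Received: from mr11p00im-smtpin012.me.com
    by p28-mailgateway-smtp-5c9bd88869-2jm44 (mailgateway 2209B259)
    with SMTP id ac8a1f75-aeb2-42f2-ade8-1afa28cf6452
    for <xxx@xxx>; Tue, 1 Mar 2022 20:51:55 GMT
Received: from prod-sc-www03.spamcop.net (vmx.spamcop.net [184.94.240.112])
    by mr11p00im-smtpin012.me.com (Postfix) with SMTP id EC87727F9540
    for <xxx@xxx>; Tue, 1 Mar 2022 20:51:52 +0000 (UTC)
From: probe@example.invalid
Subject: mailhost probe (constructed sample)

probe body
"""

if __name__ == "__main__":
    mine = {"17.58.23.189"}  # assumed: the iCloud MX that delivered to the mailbox
    print("hops:", received_ips(SAMPLE_PROBE))
    print("RFC 6598 skipped:", find_source(SAMPLE_PROBE, mine))
    print("RFC 6598 not skipped:",
          find_source(SAMPLE_PROBE, mine, treat_shared_as_internal=False))
```

With the shared range treated as internal the walk lands on 184.94.240.112 (vmx.spamcop.net), which is the right answer for a probe; with only RFC 1918 in the list it stops at 100.108.117.178, which is exactly the "abuse@iana.org" result the first post shows. The internal ranges are spelled out rather than taken from `ipaddress.is_private` so the policy is visible and does not depend on how a given Python release classifies 100.64.0.0/10.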
petzl, posted March 2, 2022

12 hours ago, RobiBue said:
Uhm... OP did... just check what you quoted... albeit according to DKIM and ARC, the message has been modified and I wouldn't trust most of the Received lines...

Went through SpamCop's email server "184.94.240.112"; always found them set up to record where it came from. Would like to see a proper track, SpamCop Track? Possibly Apple have their own ideas about what is identified?

Received: from vmx.spamcop.net (HELO vmx5.spamcop.net) ([184.94.240.112]) by esa2.spamcop.iphmx.com with ESMTP; 15 Feb 2022 22:36:28 -0800
Received: from m37-188.mailgun.net (m37-188.mailgun.net [69.72.37.188]) by vmx5.spamcop.net (Postfix) with ESMTP id 45DD0AF71F for <petzl@spamcop.net>; Tue, 15 Feb 2022 22:36:28 -0800 (PST)
mschmitt (author), posted March 6, 2022

On 3/2/2022 at 6:11 AM, gnarlymarley said:
My understanding is that RFC6598 addresses are supposed to be treated exactly like RFC1918 addresses. SpamCop probably needs to update their code. After reading your tracking URL, it seems that there may be a disconnect between the two Received lines. I don't know how it gets from "p28-mailgateway-smtp-5c9bd88869-f6mrw" to "unknown".
Received: from unknown (unknown [100.106.114.12]) by ....
Received: from pv33p00im-smtpin013.me.com by p28-mailgateway-smtp-5c9bd88869-f6mrw (mailgateway 2209B259)

It was doing the same thing on the Mailhost probe, right?
mschmitt (author), posted March 6, 2022

On 3/2/2022 at 5:27 PM, petzl said:
Went through SpamCop's email server "184.94.240.112"; always found them set up to record where it came from. Would like to see a proper track, SpamCop Track? Possibly Apple have their own ideas about what is identified?
Received: from vmx.spamcop.net (HELO vmx5.spamcop.net) ([184.94.240.112]) by esa2.spamcop.iphmx.com with ESMTP; 15 Feb 2022 22:36:28 -0800
Received: from m37-188.mailgun.net (m37-188.mailgun.net [69.72.37.188]) by vmx5.spamcop.net (Postfix) with ESMTP id 45DD0AF71F for <petzl@spamcop.net>; Tue, 15 Feb 2022 22:36:28 -0800 (PST)

I'm not sure what you're asking for here.

ALSO: For some strange reason, even though this problem has been going on for months, it stopped right after I posted this forum thread! I have since received spams that were forwarded through iCloud but they no longer have the 100.x.x.x address. Here's a recent example: https://www.spamcop.net/sc?id=z6743603637z09712024dfeec0f16cba6093bc954ffdz

Now the internal iCloud hand-off is at 10.112.84.233.
petzl, posted March 7, 2022

13 hours ago, mschmitt said:
Here's a recent example: https://www.spamcop.net/sc?id=z6743603637z09712024dfeec0f16cba6093bc954ffdz Now the internal iCloud hand-off is at 10.112.84.233.

40.95.36.165 is from Microsoft email servers; they do not record the IP that it was sent from. SpamCop's email server does.

SpamCop just reports web sites/URLs to the IP assigned, not to the registrar. Reporting URL IPs will have little effect; best to report to the Registrar Abuse Contact.

The first URL looks to be a phishing Gambling site (also sent to minors):
Name: click.virt.s10.exacttarget.com
IP: 13.111.18.12
Aliases: click.marketing.bigfishgames.com
Domain: bigfishgames.com
Needs reporting to Registrar Abuse Contact Email: mailto:abusecomplaints[AT]markmonitor[DOT]com

******************

The next is a bogus unsubscribe URI, www.recadoona.com:
IP: 40.64.96.70
Aliases: www.recadoona.com
Domain: recadoona.com
Needs reporting to Registrar Abuse Contact Email: mailto:abuse[AT]name[DOT]com

**************************

I use a freeware Windows app to find out registrar abuse addresses: http://www.gena01.com/win32whois/
gnarlymarley, posted March 8, 2022

On 3/1/2022 at 2:18 PM, mschmitt said:
example https://www.spamcop.net/sc?id=z6743104032z068b251bb86596b30e7fe37963fd992fz:

When I revisit your original tracking URL, I still see the RFC6598 problem. Once the programmers can fix it, revisiting this URL should show properly.

On 3/6/2022 at 2:33 PM, mschmitt said:
ALSO: For some strange reason, even though this problem has been going on for months, it stopped right after I posted this forum thread! I have since received spams that were forwarded through iCloud but they no longer have the 100.x.x.x address.

My guess is you happened to have hit a different internal address and it just worked. If you get an email with an RFC6598 address, you may still see the problem.
Stan Crawford, posted May 10, 2022

On 3/7/2022 at 3:29 AM, petzl said:
40.95.36.165 is from Microsoft email servers; they do not record the IP that it was sent from. SpamCop's email server does. SpamCop just reports web sites/URLs to the IP assigned, not to the registrar. Reporting URL IPs will have little effect; best to report to the Registrar Abuse Contact. The first URL looks to be a phishing Gambling site (also sent to minors): Name: click.virt.s10.exacttarget.com IP: 13.111.18.12 Aliases: click.marketing.bigfishgames.com Domain: bigfishgames.com Needs reporting to Registrar Abuse Contact Email: mailto:abusecomplaints[AT]markmonitor[DOT]com. The next is a bogus unsubscribe URI, www.recadoona.com: IP: 40.64.96.70 Aliases: www.recadoona.com Domain: recadoona.com Needs reporting to Registrar Abuse Contact Email: mailto:abuse[AT]name[DOT]com. I use a freeware Windows app to find out registrar abuse addresses: http://www.gena01.com/win32whois/

Thank you for sharing.
thezizizapiol, posted June 9, 2022

Useful information.