
Mailhosts with IPv4 shared address space (100.x.x.x)


Recommended Posts

I've noticed that a lot of my spam is ending at a 100.x.x.x address, for example https://www.spamcop.net/sc?id=z6743104032z068b251bb86596b30e7fe37963fd992fz:

Quote:

Tracking message source: 100.106.114.12:

Routing details for 100.106.114.12
Cached whois for 100.106.114.12 : abuse@iana.org
I refuse to bother abuse@iana.org.

Using abuse#iana.org@devnull.spamcop.net for statistical tracking.

Using last resort contacts abuse#iana.org@devnull.spamcop.net

The 100.64.0.0/10 address space is "Shared Address Space", intended for ISP internal use, such as in carrier-grade NAT.

I thought that this was spammer spoofing of the headers, but when I look closer, I see that this is Apple internal iCloud routing. I ran the mail hosts test, and the probes from SpamCop to me have in part:

Received: from mr85p00im-ztdg06021201.me.com (mr85p00im-ztdg06021201.me.com [17.58.23.189])
	by mr85p00im-ztdg06021201.me.com (Postfix) with ESMTPS id CFA8E321282
	for <xxx@xxx>; Tue,  1 Mar 2022 20:51:55 +0000 (UTC)

Received: from unknown (unknown [100.108.117.178])
	by mr85p00im-ztdg06021201.me.com (Postfix) with SMTP id AAA47320EB5
	for <xxx@xxx>; Tue,  1 Mar 2022 20:51:55 +0000 (UTC)

Received: from mr11p00im-smtpin012.me.com by p28-mailgateway-smtp-5c9bd88869-2jm44 (mailgateway 2209B259)
	with SMTP id ac8a1f75-aeb2-42f2-ade8-1afa28cf6452
	for <xxx@xxx>; Tue, 1 Mar 2022 20:51:55 GMT

Received: from prod-sc-www03.spamcop.net (vmx.spamcop.net [184.94.240.112])
	by mr11p00im-smtpin012.me.com (Postfix) with SMTP id EC87727F9540
	for <xxx@xxx>; Tue,  1 Mar 2022 20:51:52 +0000 (UTC)

So, we can see that the 100.108.117.178 header is within iCloud, and should be skipped over on the way to finding the real spam source.

I forwarded this through to the mail host configuration, but it isn't showing any 100.x.x.x addresses in the mail host list.

 


4 hours ago, mschmitt said:

I've noticed that a lot of my spam is ending at a 100.x.x.x address, for example https://www.spamcop.net/sc?id=z6743104032z068b251bb86596b30e7fe37963fd992fz:

The 100.64.0.0/10 address space is "Shared Address Space", intended for ISP internal use, such as in carrier-grade NAT.

I thought that this was spammer spoofing of the headers, but when I look closer, I see that this is Apple internal iCloud routing. I ran the mail hosts test, and the probes from SpamCop to me have in part:

So, we can see that the 100.108.117.178 header is within iCloud, and should be skipped over on the way to finding the real spam source.

I forwarded this through to the mail host configuration, but it isn't showing any 100.x.x.x addresses in the mail host list.

 

It might help if you could send a SpamCop Track (at the top of the page, before you submit the spam report).
Example:
https://www.spamcop.net/sc?id=z6737987188z5348539186d39fd3831b87f1d9ddaee8z


9 hours ago, petzl said:

It might help if you could send a SpamCop Track (at the top of the page, before you submit the spam report).
Example:
https://www.spamcop.net/sc?id=z6737987188z5348539186d39fd3831b87f1d9ddaee8z

uhm... OP did... just check what you quoted... ;)

albeit according to DKIM and ARC, the message has been modified and I wouldn't trust most of the received lines...


14 hours ago, mschmitt said:

So, we can see that the 100.108.117.178 header is within iCloud, and should be skipped over on the way to finding the real spam source.

My understanding is that RFC6598 addresses are supposed to be treated exactly like RFC1918 addresses.  SpamCop probably needs to update their code.

After reading your tracking URL, it seems that there may be a disconnect between the two Received lines.  I don't know how it gets from "p28-mailgateway-smtp-5c9bd88869-f6mrw" to "unknown".

Received: from unknown (unknown [100.106.114.12]) by ....
Received: from pv33p00im-smtpin013.me.com by p28-mailgateway-smtp-5c9bd88869-f6mrw (mailgateway 2209B259)
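To show what "treat RFC 6598 like RFC 1918" means for a header walk, here is an added example (not SpamCop's code or anyone's in this thread) that traces the OP's mailhost-probe Received lines newest-hop-first. It assumes the reporter's mailhost list is just the public iCloud relay from the probe's first hop; the header lines are the ones quoted above, unfolded and embedded as constructed input.

```python
import ipaddress
import re

# Ranges that never identify an external sender: RFC 1918 private space (plus
# loopback) and RFC 6598 shared address space, the 100.64.0.0/10 block this
# thread is about.  Listed explicitly: IPv4Address.is_private omits 100.64.0.0/10.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
RFC6598 = [ipaddress.ip_network("100.64.0.0/10")]

# Stand-in for the reporter's registered mailhosts: the public iCloud relay in
# the probe's first hop (an assumption made for this example).
MAILHOSTS = [ipaddress.ip_network("17.58.23.189/32")]

# Constructed sample: the mailhost-probe Received lines quoted in the thread,
# newest hop first, each unfolded onto one line.
PROBE_HEADERS = [
    "Received: from mr85p00im-ztdg06021201.me.com (mr85p00im-ztdg06021201.me.com"
    " [17.58.23.189]) by mr85p00im-ztdg06021201.me.com (Postfix) with ESMTPS"
    " id CFA8E321282 for <xxx@xxx>; Tue,  1 Mar 2022 20:51:55 +0000 (UTC)",
    "Received: from unknown (unknown [100.108.117.178]) by"
    " mr85p00im-ztdg06021201.me.com (Postfix) with SMTP id AAA47320EB5"
    " for <xxx@xxx>; Tue,  1 Mar 2022 20:51:55 +0000 (UTC)",
    "Received: from mr11p00im-smtpin012.me.com by"
    " p28-mailgateway-smtp-5c9bd88869-2jm44 (mailgateway 2209B259) with SMTP"
    " id ac8a1f75-aeb2-42f2-ade8-1afa28cf6452 for <xxx@xxx>;"
    " Tue, 1 Mar 2022 20:51:55 GMT",
    "Received: from prod-sc-www03.spamcop.net (vmx.spamcop.net [184.94.240.112])"
    " by mr11p00im-smtpin012.me.com (Postfix) with SMTP id EC87727F9540"
    " for <xxx@xxx>; Tue,  1 Mar 2022 20:51:52 +0000 (UTC)",
]

_FROM_IP = re.compile(r"^Received:\s+from\s+.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def hop_ip(received):
    """Literal IPv4 address of the sending host in one Received line, or None."""
    m = _FROM_IP.search(received)
    return ipaddress.ip_address(m.group(1)) if m else None

def find_source(received_lines, mailhosts, internal):
    """Walk Received lines newest-first; return the first sending address that
    is neither one of the reporter's mailhosts nor inside an internal range."""
    for line in received_lines:
        ip = hop_ip(line)
        if ip is None:
            continue  # no literal address recorded in this hop: nothing to act on
        if any(ip in net for net in mailhosts + internal):
            continue
        return str(ip)
    return None
```

With `internal=RFC1918` the walk stops at 100.108.117.178, reproducing what the tracker did in the OP's report; with `internal=RFC1918 + RFC6598` it continues past the iCloud hand-off (and the hop that records no literal address) to 184.94.240.112, the probe's real origin.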

12 hours ago, RobiBue said:

uhm... OP did... just check what you quoted... ;)

albeit according to DKIM and ARC, the message has been modified and I wouldn't trust most of the received lines...

Went through SpamCop's email server "184.94.240.112"; always found them set up to record where it came from.
Would like to see a proper SpamCop Track?
Possibly Apple have their own ideas about what is identified?
 

Received: from vmx.spamcop.net (HELO vmx5.spamcop.net) ([184.94.240.112])
  by esa2.spamcop.iphmx.com with ESMTP; 15 Feb 2022 22:36:28 -0800
Received: from m37-188.mailgun.net (m37-188.mailgun.net [69.72.37.188]) by vmx5.spamcop.net (Postfix) with ESMTP id 45DD0AF71F for <petzl@spamcop.net>; Tue, 15 Feb 2022 22:36:28 -0800 (PST)

 


On 3/2/2022 at 6:11 AM, gnarlymarley said:

My understanding is that RFC6598 addresses are supposed to be treated exactly like RFC1918 addresses.  SpamCop probably needs to update their code.

After reading your tracking URL, it seems that there may be a disconnect between the two Received lines.  I don't know how it gets from "p28-mailgateway-smtp-5c9bd88869-f6mrw" to "unknown".

Received: from unknown (unknown [100.106.114.12]) by ....
Received: from pv33p00im-smtpin013.me.com by p28-mailgateway-smtp-5c9bd88869-f6mrw (mailgateway 2209B259)

It was doing the same thing on the Mailhost probe, right?


On 3/2/2022 at 5:27 PM, petzl said:

Went through SpamCop's email server "184.94.240.112"; always found them set up to record where it came from.
Would like to see a proper SpamCop Track?
Possibly Apple have their own ideas about what is identified?
 

Received: from vmx.spamcop.net (HELO vmx5.spamcop.net) ([184.94.240.112])
  by esa2.spamcop.iphmx.com with ESMTP; 15 Feb 2022 22:36:28 -0800
Received: from m37-188.mailgun.net (m37-188.mailgun.net [69.72.37.188]) by vmx5.spamcop.net (Postfix) with ESMTP id 45DD0AF71F for <petzl@spamcop.net>; Tue, 15 Feb 2022 22:36:28 -0800 (PST)

 

I'm not sure what you're asking for here.

ALSO: For some strange reason, even though this problem has been going on for months, it stopped right after I posted this forum thread! I have since received spams that were forwarded through iCloud, but they no longer have the 100.x.x.x address.

Here's a recent example: https://www.spamcop.net/sc?id=z6743603637z09712024dfeec0f16cba6093bc954ffdz

Now the internal iCloud hand-off is at 10.112.84.233.


13 hours ago, mschmitt said:

Here's a recent example: https://www.spamcop.net/sc?id=z6743603637z09712024dfeec0f16cba6093bc954ffdz

Now the internal iCloud hand-off is at 10.112.84.233.

40.95.36.165 is from Microsoft email servers; they do not record the IP that it was sent from. SpamCop email server does.

SpamCop just reports web sites/URLs to the IP assigned, not to the registrar.

Reporting URL IPs will have little effect; best to report to the Registrar Abuse Contact.
The first URL looks to be a phishing gambling site (also sent to minors)
Name:      click.virt.s10.exacttarget.com
IP:        13.111.18.12
Aliases:   click.marketing.bigfishgames.com
Domain:    bigfishgames.com

needs reporting to  Registrar Abuse Contact Email:  mailto:abusecomplaints[AT]markmonitor[DOT]com

******************

The next is a bogus unsubscribe URI
www.recadoona.com

IP:        40.64.96.70
Aliases:   www.recadoona.com
Domain:    recadoona.com
needs reporting to Registrar Abuse Contact Email:  mailto:abuse[AT]name[DOT]com
**************************

I use a freeware Windows app to find out registrar abuse addresses.
http://www.gena01.com/win32whois/


On 3/1/2022 at 2:18 PM, mschmitt said:

When I revisit your original tracking URL, I still see the RFC6598 problem.  Once the programmers can fix it, revisiting this URL should show properly.

On 3/6/2022 at 2:33 PM, mschmitt said:

ALSO: For some strange reason, even though this problem has been going on for months, it stopped right after I posted this forum thread! I have since received spams that were forwarded through iCloud, but they no longer have the 100.x.x.x address.

My guess is you happened to have hit a different internal address and it just worked.  If you get an email with an RFC6598 address, you may still see the problem.


  • 2 months later...
On 3/7/2022 at 3:29 AM, petzl said:

40.95.36.165 is from Microsoft email servers; they do not record the IP that it was sent from. SpamCop email server does.

SpamCop just reports web sites/URLs to the IP assigned, not to the registrar.

Reporting URL IPs will have little effect; best to report to the Registrar Abuse Contact.
The first URL looks to be a phishing gambling site (also sent to minors)
Name:      click.virt.s10.exacttarget.com
IP:        13.111.18.12
Aliases:   click.marketing.bigfishgames.com
Domain:    bigfishgames.com

needs reporting to  Registrar Abuse Contact Email:  mailto:abusecomplaints[AT]markmonitor[DOT]com

******************

The next is a bogus unsubscribe URI
www.recadoona.com

IP:        40.64.96.70
Aliases:   www.recadoona.com
Domain:    recadoona.com
needs reporting to Registrar Abuse Contact Email:  mailto:abuse[AT]name[DOT]com
**************************

I use a freeware Windows app to find out registrar abuse addresses.
http://www.gena01.com/win32whois/

Thank you for sharing.
